All Posts
Not sure if I understand the question. You already bucketed _time. The simplest is to just use it as the group-by field:

index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished" earliest=-0month@month latest=now
| bucket _time span=day
| stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount count(eval(searchmatch("File sent to MFS"))) as MFSCount count(eval(searchmatch("File download sent to user"))) as DWNCount count(eval(searchmatch("HTTP upload finished"))) as HTTPCount by _time

Will this work?
Thanks @bowesmana. I had a feeling it was not going to be as easy as I had hoped. I'm rethinking my approach to see if I can find a way to achieve what I need. Thanks again.
Hi @eranhauser... I am sorry, I am unable to understand your query. You are running a search. Would you like to know exactly when the SPL started to run and exactly when the SPL finished running? Or do you want to include these values inside the search itself? Did you check the "Inspect Job"?
For your Alert, make sure the Trigger setting is Once in the Trigger Conditions section:  
I have a query that gives me four totals for a month. I am trying to figure out how to show each of the four totals for each day searched. Here is what I have so far:

index=anIndex sourcetype=aSourcetype "SFTP upload finished" OR "File sent to MFS" OR "File download sent to user" OR "HTTP upload finished" earliest=-0month@month latest=now
| bucket _time span=day
| stats count(eval(searchmatch("SFTP upload finished"))) as SFTPCount count(eval(searchmatch("File sent to MFS"))) as MFSCount count(eval(searchmatch("File download sent to user"))) as DWNCount count(eval(searchmatch("HTTP upload finished"))) as HTTPCount
| table SFTPCount MFSCount DWNCount HTTPCount

SFTPCount  MFSCount  DWNCount  HTTPCount
30843      535       1584      80

Now to show the results by each day? I have a line to specify my bucket?
Have you checked the Troubleshooting section of their docs? There are some searches they have you run to see if your time settings are off. If the visualizations aren't rendering anything, try seeing what search they are running (hover over the viz to get the little magnifying glass to see the search being run). Digging into that SPL a bit might give you a hint on what could be wrong. Also, if you *just* turned on the data models there might be some lag before those behind-the-scenes things create the models from your data. Much of that is dependent on how Palo Alto created their models and I'm not familiar with the timing of their stuff.
How can one add to the result of a Splunk query running in the Splunk UI the time span, i.e. the values one can put in earliest_time and latest_time (the earliest and latest time come only from the time-span drop-down in the Splunk UI)?
Hi @kamal5... the system says the command is not found. It means either the command is not found or you typed the command wrong. A one-line reply cannot help us to help you. You should provide more details (with screenshots if possible), the full command of what you ran, etc. Thanks, happy learning Splunk.
Firstly, it's unclear what logs we're talking about and how they relate to syslog. If it's a cloud platform, it's quite unusual to send raw syslog over the open internet. If it's your local part of the installation (like the logs from the endpoints themselves), are you sure they are configured correctly? Are they supposed to send syslog?
Without seeing your screen I am not sure if you're in the incorrect directory or just don't have Splunk installed yet.  
It's showing that the command is not found.
Come on. Put at least a little bit of effort into your "question". From what you wrote we could as well assume that you haven't even installed your server yet. We don't know how you installed the server, we don't know how/if you started it, we don't know if/what errors you got. And we don't know what "is not working" means.
Is your Splunk instance up and running? For example, assuming you are on *nix based on your URL, can you run the following from the /bin directory of the splunk install:

splunk status

What does your output look like?
Since you're looking for help for syslog-ng configuration, your best bet is to join the syslog-ng community.  But, from a Splunk architecture/design perspective you are on the right track.  Typically people use a separate syslog receiver that writes to disk (like syslog-ng), and then have Splunk monitor that.  This way you reduce the coupling for situations where you have to restart Splunk and don't want your syslog ports to be down. That being said, there is a Splunk Connect for Syslog app that can be used for receiving syslog data, but I am unsure if it can handle the decryption for you if you are in a bind.  Overall I much prefer having syslog being received outside of Splunk.  
Hi @Thulasinathan_M, I tried your XML and generated the PDF; the start and end date are showing as Invalid in the PDF report. Moreover, can you take my XML and show me how to add tokens to the panels, so that I can see the start and end date in the report?
http://centos7.linuxvmimages.local:8000
To map things, you will need to enrich your data with what the map needs to display this info.   A good place to start is the Mapping section of docs.  For example, there are some built-in lookups in Splunk for countries and US States.  Depending on your country format in your data, you might need to add additional columns (aka enrich your data) with the relevant geo-info the maps visualization needs.  Reviewing the docs for this should get you on the right path. Another place to check out is the Splunk Dashboard Examples app.  It has a lot of good visualization examples with dummy data that you can copy from.  
Hi @alex4 - Does something like this help you get to where you want to be:

index=winsec_prod EventCode=4662 ObjectName=*EncryptedDSRMPasswordHistory*
| eval username=coalesce(src_user,user,user_id), Computer=coalesce(Computer,ComputerName)
| stats values(dest) values(Object_Name) values(ScriptBlockText) by _time, index, sourcetype, EventCode, Computer, username

You were referring to EventID in your New Condition, but your SPL was using a field name of EventCode. Also, it looks like the ObjectName field contains the EncryptedDSRMPasswordHistory based on the SPL you shared, instead of the Properties field given in your New Condition. Also, I removed the | search in my SPL sample. There's an implied search command happening for SPL, and so if you have | search as your first command you can collapse the boolean expression into the first implied search.
Thank you. The first solution is exactly what I wanted to achieve 
This post covers this topic: Solved: How to implement tokens in Email alert? - Splunk Community