All Posts

What if we need to communicate with the controller via a proxy, but not with the monitored services (i.e. when using extensions for Kafka etc.)? Are there any parameters like -Dappdynamics.http.nonProxyHost to whitelist them? Or how do we solve this problem?
Hi @davesplunk01, I'm having the same scenario as this. After the above steps that you mentioned, I can see the total on the top along with the line. I don't need the line; can you please help me with this? Thanks in advance! Manoj Kumar S
What is EventCode 4624? Is that a log on, a log off or either? If it is either, how do you distinguish between the two? If it is one or the other, which events signify the other event? Essentially, how can you tell from your data when a user logs on and when they log off?
Chris, that's what I'm trying to accomplish, as I was able to define what is using the rule so I can start putting defined rules in front of it. In this case I was hoping that someone could help me easily know what had not used the open rule so I can immediately put a rule in front of it to block any ports that haven't traversed it. I'll just close out my question and do things the slow way with exports to Excel. Thanks, Kimsey
@Roy_9 - Are you running the search in the same App where you created the lookup definition?
So I am experiencing this same issue as well. What would be the best way to add entity_title into a search or incorporate the field into the notable event/episodes?
@VatsalJagani @PickleRick Can you please help me with this?
@yuanliu I'm looking for the previous 2 "weekday" average. Consider today is "Wednesday". I want to plot the average of the previous 2 Wednesdays as a comparison against live data. Along with this, how can the search be limited only to the time range selected from the time picker?
In my mind this isn't a Splunk problem, although you could use Splunk to identify the ports being allowed through by the permissive policy. My suggestion would be to add one or more policies before the permissive policy that allow through the ports that you definitely want to allow. This will, over time, reduce the number of ports being allowed through by the permissive policy and, at a point in time, the permissive policy can be removed.
https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-No-Enforcement-License/m-p/428446 I will update to 8 and then to 9. In the above link there was something about the no enforcement license, so I am checking if the license will still be applicable for 8.1 and later.
Currently we have the license below: Splunk Enterprise - No Enforcement (6.5). I was told this license is not supported for new users in Splunk anymore. If I upgrade to 8 and then to 9, will this license still be accepted?
@P3G4SUS - You can do that like this:
.... | eval empty_cells = case(isnull(A) AND isnull(B), 2, isnull(A), 1, isnull(B), 1, 1==1, 0) | stats sum(empty_cells) as total_empty_cells
I'm assuming your two fields in the table are A and B, but you can replace them with what you have in the above query and you should get your answer. I hope this helps!
So, I am searching for multiple users logged into a single machine at the same time, or even within the same hour. Initially this is my search query to display how many users log on to 1 host:
index="windows" sourcetype="WinEventLog" EventCode=4624 | search host!="*$*" | stats dc(user) as user_count by host
The problem is it does not count the current user since there are log off events. Hope I explained that clearly. Thanks.
Hi, I have submitted my app to the Splunk Cloud Platform vetting process and it has been in "Pending" status for more than 3 weeks. Is this timespan normal? Is there any way to contact the team and check for a more specific status? Thanks
This is a bit vague - what events are you dealing with (please provide anonymised samples)? In general, you could assign log on events a value of 1 and log off events a value of -1, then do a streamstats summing these values, and when the sum is above 1 you have multiple users logged on. You would have to take care of the issue of log off events appearing without a preceding log on event, and all this tells you is the change; you might want to consider setting your start time to be when there is known to be zero users logged on.
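As an added example (not code from the thread, and not Splunk's own), here is the +1/-1 running-sum approach described in the answer above, run in Python over a few constructed WinEventLog-style lines. It assumes the Splunk field names EventCode, ComputerName and TargetUserName, and uses the standard Windows Security event IDs 4624 (successful logon) and 4634/4647 (logoff), which the thread itself does not spell out. Machine accounts (names ending in $) are skipped, and a logoff with no preceding logon, the edge case the answer warns about, is recorded but not allowed to drive the running count negative.

```python
"""Track concurrently logged-on users per host from Windows Security events.

Added example, not code from the thread or from Splunk. The event lines are
constructed here in a key=value layout similar to Splunk's WinEventLog field
extraction; the field names EventCode, ComputerName and TargetUserName are
assumed.
"""
import re
from collections import defaultdict

# Standard Windows Security event IDs (not stated in the thread):
# 4624 = successful logon, 4634 = account logged off, 4647 = user-initiated logoff.
LOGON_CODES = {"4624"}
LOGOFF_CODES = {"4634", "4647"}

# Constructed sample data. The carol 4647 on HOST2 deliberately has no
# preceding 4624 (the edge case the answer warns about), and bob on HOST1
# opens a second session while his first one is still open.
SAMPLE_EVENTS = [
    "2024-05-01T08:00:00Z EventCode=4624 ComputerName=HOST1 TargetUserName=alice LogonType=2",
    "2024-05-01T08:05:00Z EventCode=4624 ComputerName=HOST1 TargetUserName=HOST1$ LogonType=5",
    "2024-05-01T08:10:00Z EventCode=4624 ComputerName=HOST1 TargetUserName=bob LogonType=10",
    "2024-05-01T08:20:00Z EventCode=4634 ComputerName=HOST1 TargetUserName=alice LogonType=2",
    "2024-05-01T08:30:00Z EventCode=4647 ComputerName=HOST2 TargetUserName=carol",
    "2024-05-01T08:40:00Z EventCode=4624 ComputerName=HOST2 TargetUserName=carol LogonType=2",
    "2024-05-01T08:45:00Z EventCode=4624 ComputerName=HOST1 TargetUserName=bob LogonType=3",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp goes under _time."""
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["_time"] = ts
    return fields


def active_users(per_user):
    """Distinct users on a host with at least one open session (running sum > 0)."""
    return sum(1 for open_sessions in per_user.values() if open_sessions > 0)


def track_sessions(lines):
    """Replay events in time order, keeping a per-host, per-user open-session count.

    Returns (timeline, peak): timeline is a list of
    (_time, host, user, action, active_users_on_host) tuples and peak maps each
    host to the highest number of distinct users seen logged on at once.
    """
    sessions = defaultdict(lambda: defaultdict(int))  # host -> user -> open sessions
    peak = defaultdict(int)
    timeline = []
    for line in sorted(lines):  # ISO-8601 timestamps sort correctly as strings
        ev = parse_event(line)
        host = ev.get("ComputerName", "")
        user = ev.get("TargetUserName", "")
        code = ev.get("EventCode", "")
        if user.endswith("$"):
            continue  # machine account, not an interactive user
        if code in LOGON_CODES:
            delta = 1
        elif code in LOGOFF_CODES:
            delta = -1
        else:
            continue
        per_user = sessions[host]
        if delta < 0 and per_user[user] == 0:
            # Logoff without a preceding logon (data started mid-session):
            # record it but do not let the running sum go negative.
            timeline.append((ev["_time"], host, user, "unmatched_logoff", active_users(per_user)))
            continue
        per_user[user] += delta
        n = active_users(per_user)
        peak[host] = max(peak[host], n)
        timeline.append((ev["_time"], host, user, "logon" if delta > 0 else "logoff", n))
    return timeline, dict(peak)


def hosts_with_concurrent_users(lines, threshold=2):
    """Hosts where at least `threshold` distinct users were logged on at the same time."""
    _, peak = track_sessions(lines)
    return {host: n for host, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for entry in track_sessions(SAMPLE_EVENTS)[0]:
        print(entry)
    print(hosts_with_concurrent_users(SAMPLE_EVENTS))
```

On the sample data only HOST1 ever has two distinct users logged on at once (alice and bob between 08:10 and 08:20); bob's second session at 08:45 does not raise the count because it is the same user, which is the difference between counting sessions and counting users that the original `dc(user)` search was after.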
| nomv FieldB | nomv FieldC | nomv FieldD | stats count values(*) as * by FieldA | foreach FieldB FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>," ")]
Please select the logs you want to ingest... fine-tune it. That's all. It's very simple actually. Or simply, go with file size. Order all your ingested files by their size (in the DMC, "License consumed by log sources in last 24 hrs" dashboard)... if you see any logs in the top 10 or top 20 which are unwanted log files, then remove them from inputs.conf (you may be using wildcards in inputs.conf... if so, add a blacklist for that file).
As we are on Splunk Cloud on GCP, it won't support the null queue.
I have data like provided below:

Field A | Field B | Field C | Field D
abc.com | 1 1     | AB CD   | 1 1
xyz.com | 2 2     | AB CD   | 1 1
abc.com | 1 1     | AB CD   | 1 1
xyz.com | 2 2     | AB CD   | 1 1
def.com | 1       | AB CD   | 0

I want to group Field A values such that all abc.com values come in 1 row with the associated count. I want output like:

Field A | count | Field B | Field C | Field D
abc.com | 2     | 1 1     | AB CD   | 1 1
xyz.com | 2     | 2 2     | AB CD   | 1 1
def.com | 1     | 1       | AB CD   | 0

If I take the path of stats count then it splits Field C and D, which I don't want; I want them to be uniquely compared as a group value. Looking for suggestions. Thanks in advance.
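As an added example (not code from the thread, and not Splunk's own), the nomv / stats / split round-trip from the earlier answer, written out in Python over rows constructed from the table in this question, with the plain distinct-values aggregation beside it to show why the multivalue cells get split. The field names and the space delimiter are taken from the posted SPL; everything else is assumed.

```python
"""Group rows by one field while treating each multivalue field as a unit.

Added example, not code from the thread or from Splunk. It mirrors the
nomv -> stats count values(*) by Field A -> split round-trip in the posted
SPL, and shows beside it what a plain distinct-values aggregation does to
the multivalue cells. The rows are constructed from the table in the question.
"""
from collections import Counter

# Constructed rows; multivalue cells are Python lists.
ROWS = [
    {"Field A": "abc.com", "Field B": ["1", "1"], "Field C": ["AB", "CD"], "Field D": ["1", "1"]},
    {"Field A": "xyz.com", "Field B": ["2", "2"], "Field C": ["AB", "CD"], "Field D": ["1", "1"]},
    {"Field A": "abc.com", "Field B": ["1", "1"], "Field C": ["AB", "CD"], "Field D": ["1", "1"]},
    {"Field A": "xyz.com", "Field B": ["2", "2"], "Field C": ["AB", "CD"], "Field D": ["1", "1"]},
    {"Field A": "def.com", "Field B": ["1"], "Field C": ["AB", "CD"], "Field D": ["0"]},
]
MV_FIELDS = ("Field B", "Field C", "Field D")
SEP = " "  # nomv's default delimiter, and what the posted foreach splits on


def naive_distinct(rows, key="Field A", mv_fields=MV_FIELDS):
    """What `stats values(Field D) by Field A` does on a multivalue field: every
    individual value is deduplicated on its own, so the pair ['1', '1'] collapses
    to ['1'] and the pairing within a row is lost."""
    out = {}
    for row in rows:
        per_field = out.setdefault(row[key], {f: [] for f in mv_fields})
        for f in mv_fields:
            for v in row[f]:
                if v not in per_field[f]:
                    per_field[f].append(v)
    return out


def group_rows(rows, key="Field A", mv_fields=MV_FIELDS):
    """nomv each multivalue cell into one string, aggregate by `key`, then split back."""
    counts = Counter()
    collapsed = {}  # key -> field -> distinct collapsed strings, first-seen order
    for row in rows:
        k = row[key]
        counts[k] += 1
        per_field = collapsed.setdefault(k, {f: [] for f in mv_fields})
        for f in mv_fields:
            joined = SEP.join(row[f])  # the nomv step: 'AB CD' is now one value
            if joined not in per_field[f]:  # values() keeps distinct entries only
                per_field[f].append(joined)
    results = []
    for k, per_field in collapsed.items():
        rec = {key: k, "count": counts[k]}
        for f in mv_fields:
            if len(per_field[f]) == 1:
                rec[f] = per_field[f][0].split(SEP)  # the split step restores the multivalue
            else:
                rec[f] = per_field[f]  # several distinct combinations: keep them apart
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in group_rows(ROWS):
        print(rec)
    print(naive_distinct(ROWS)["abc.com"])
```

Note the caveat the SPL shares: the split-back step only makes sense when each Field A value has a single distinct combination of multivalues. If two abc.com rows carried different Field D pairs, `values()` would keep both collapsed strings, which this code leaves as separate entries rather than splitting.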