All Posts

Splunk does not support regex patterns in lookups, ONLY wildcards, i.e. *, so your escaped . characters and \ characters should not be in the lookup. Your pattern is a bit odd in that it has C:\\Windows\\system32\\cmd\.exe*C:\\P... where the * in that, if it is a regex, is saying you need to repeat the preceding 'e' character 0 or more times. If your process field contains C:\Windows\system32\cmd.exe ...  then that should be the entry in the lookup and in the lookup entry you add * characters where you want to match any character in the data. That * wildcarding is all that is supported in lookups.
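To make the wildcard-only matching described in this answer concrete, here is an added example (mine, not the poster's lookup or Splunk's code) that emulates a Splunk lookup with WILDCARD matching: only `*` is special, everything else is literal, and matching is case-sensitive as Splunk's default. The two lookup rows and the sample process strings are constructed.

```python
import re

# Constructed lookup rows (pattern -> label). The first is the regex-escaped
# entry the poster had; the second is the plain wildcard entry the answer suggests.
LOOKUP_ROWS = [
    (r"C:\\Windows\\system32\\cmd\.exe*", "regex_escaped_entry"),
    (r"C:\Windows\system32\cmd.exe*", "plain_wildcard_entry"),
]


def wildcard_to_regex(pattern: str, case_sensitive: bool = True) -> re.Pattern:
    """Translate a Splunk-style lookup pattern into a regex.

    Only '*' is a wildcard; every other character (including '\\' and '.')
    is escaped so it matches literally, which is why regex escapes in a
    lookup entry never match real data.
    """
    literal_chunks = [re.escape(chunk) for chunk in pattern.split("*")]
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^" + ".*".join(literal_chunks) + "$", flags)


def lookup(value: str, rows=LOOKUP_ROWS) -> list[str]:
    """Return the labels of every lookup row whose pattern matches the value."""
    return [label for pat, label in rows if wildcard_to_regex(pat).match(value)]


# Constructed sample values of a 'process' field.
SAMPLE_PROCESSES = [
    r"C:\Windows\system32\cmd.exe /c dir",   # real data: single backslashes, real dot
    r"C:\Windows\system32\cmdXexe",          # '.' in the lookup is literal, so no match
    r"C:\Program Files\app\app.exe",
]

if __name__ == "__main__":
    for proc in SAMPLE_PROCESSES:
        print(proc, "->", lookup(proc))
```

Only the plain entry matches the first sample; the escaped entry would match only a value that literally contained doubled backslashes and a backslash before the dot.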
Thanks @inventsekar. I tried but no luck. Can you help me with the query to find out the search query/report/alert/dashboard where this lookup is used? Maybe I am doing it wrong; please help me with the query.
Thanks for your response @inventsekar. Yes, I have identified the dashboards and updated those by removing the get_tenable_sourcetype, but I am still seeing these errors. I have updated those from the GUI.
You want to create a transforms entry that has something along the lines of

trace_id=\\\\\"(?<trace_id>\w+)\\\\\" event=\\\\\"(?<event>[^\\\\\"]*)\\\\\" program_run_sec=(?<program_run_sec>[\d\.]*) status=\\\\\"(?<status>\w+)

using the source field log, which must have already been extracted. Then create a field extraction using that transforms entry against the sourcetype for this data. Then you will get the 4 fields wanted automatically in your data.
Hi All... Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists I have created around 30 small videos on rex particularly. Please check the playlist, thanks.
I believe the app supports urifield as well as uri=, so just make

| eval uri="https://api.shodan.io/shodan/host/".clientIP."?key=APIKEY" | curl urifield=uri...
Hi @yuanliu, it's working excellently. Thank you for your assistance.
Here's a couple of ways of getting a list of Windows services and the status of these services into Splunk:

Windows Host Monitoring

In the inputs.conf file add a stanza like this:

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

This will collect a list of services, and status, every 10 minutes, from the system running the Splunk Forwarder. More documentation here: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Inputsconf#Windows_Host_Monitoring

WMI

Create a WMI.conf file and add the following stanza:

[WMI:WindowsServiceState]
interval = 600
wql = select Name, DisplayName, Description, State from Win32_Service
disabled = 0
index = windows

This will collect the same data as the previous example, however it's more customisable - for example you can use WMI to narrow down to collecting data on only specific services, or even query a remote server. More documentation here: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wmiconf
Hi @Roy_9 ... same as that other macro issue... you should try to find out which search query/report/alert/dashboard is using that lookup's name and update that. Let us know if you are unable to find that search query/report/alert/dashboard, thanks.
Around when was the ServiceNow and Splunk integration done? Recent or long back?
Long back

The servicenow tickets auto cut (incident creation) was working fine previously
Yes, it was working fine

Did you do any upgrades recently? (on SH, indexers, the apps, etc)
No recent upgrades
So, you are having the macro 'get_tenable_index', and some search queries are using the macro 'get_tenable_sourcetype'. So, please try to find out the search query/report/alert/dashboard which is using the macro 'get_tenable_sourcetype' and edit/update that one. That should help you to remove all these internal errors.
One problem is the CM does not manage indexes.  It manages indexers (search peers), buckets, and apps.  To disable an index you need to modify indexes.conf in an app in $SPLUNK_HOME/etc/cluster/apps and then apply the cluster bundle. There is a REST endpoint for applying the bundle (cluster/manager/control/default/apply).  There also is a REST endpoint for installing and updating apps (apps/local), but it can't touch the etc/cluster/apps directory.
Hello, I am seeing the below error in the internal logs. I am on a Splunk on-premise clustered environment.

10-03-2023 23:48:50.697 +0000 ERROR SearchParser [110001 TcpChannelThread] - The search specifies a macro 'get_tenable_sourcetype' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

How do I get rid of this error in our internal logs? I have checked under Macros and all configurations and I don't see this macro. But inside TA-tenable/local/macros.conf I see only:

[get_tenable_index]
definition = (index=abc)
iseval = 0

Please help me with your thoughts. Thanks
Hello, I am seeing the below error in the internal logs.

The lookup table XYZ does not exist or not available

I have checked in Lookup table files, Lookup definitions, Automatic Lookups but didn't find this lookup. How do I get rid of this error? Any suggestions please. Thanks
Hi @vishwa ...
Around when was the ServiceNow and Splunk integration done? Recent or long back?
The servicenow tickets auto cut (incident creation) was working fine previously?
Did you do any upgrades recently? (on SH, indexers, the apps, etc)
Hi @inventsekar, I attempted to include a wildcard entry in transforms.conf, but unfortunately, it did not yield any successful results. It appears that Splunk lookup only accommodates wildcards at the start and end of a string and does not function when the wildcard is placed within the string.

Example below where it is working: * webex.com office*

Example below where it is not working: abc*def*ghi*
Hi @nina ... to learn regex/rex, I have made a lot of videos.. please check them.. thanks. Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists
Hello, thank you so much for responding. Even though I am entirely new to Splunk and trying to find my way with your recommendations, they are very useful.
Thanks! Managed to get it parsing JSON correctly using those two functions. However, do you know if it's possible to have a field present in the URI requirement for curl? The parent search has a field named clientIP which stores IP addresses depending on the client that made a request. Doesn't seem like it's possible to submit it as a concatenated string since it always needs to begin with https://. e.g. neither of the below work:

index=api_test uri_path=exampleRequest | curl method=get uri=https://api.shodan.io/shodan/host/clientIP?key=APIKEY

OR

index=api_test uri_path=exampleRequest | curl method=get uri="https://api.shodan.io/shodan/host/" + clientIP +"?key=APIKEY"
Hello guys. This is my first post here to ask for help with extracting fields from a JSON object. Below is an example of the record:

{"pod":"fmd9p","time":"2023-10-03T21:49:39.31255352Z", "source":"/var/log/containers/fmd9p_default.log","container_id":"1ae53e1be","log": "I1003 14:49:39.312453 test_main.cc:149] trace_id=\"8aeb0\" event=\"Worker.Finish\" program_run_sec=25.1377 status=\"OK\""}

How can I extract trace_id, event, program_run_sec, and status from the log section automatically by setting up a sourcetype? Is it doable? Thanks for any help and advice
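As an added example (mine, not the thread's transforms entry or Splunk's code) of the extraction the earlier transforms answer describes for this record: it first JSON-decodes the event so the `log` member has plain quotes, then applies a regex equivalent to the answer's pattern (Python spells named groups `(?P<name>...)`), and separately shows the raw-text variant in which the quotes are still backslash-escaped, since which form you match against decides how many backslashes the pattern needs. The record is a constructed copy of the one in the question.

```python
import json
import re

# Constructed copy of the record from the question (JSON-escaped quotes inside "log").
RAW_EVENT = (
    '{"pod":"fmd9p","time":"2023-10-03T21:49:39.31255352Z",'
    '"source":"/var/log/containers/fmd9p_default.log","container_id":"1ae53e1be",'
    '"log":"I1003 14:49:39.312453 test_main.cc:149] trace_id=\\"8aeb0\\" '
    'event=\\"Worker.Finish\\" program_run_sec=25.1377 status=\\"OK\\""}'
)

# Pattern for the already-decoded 'log' value: quotes are literal '"'.
LOG_RE = re.compile(
    r'trace_id="(?P<trace_id>\w+)"\s+'
    r'event="(?P<event>[^"]*)"\s+'
    r'program_run_sec=(?P<program_run_sec>[\d.]+)\s+'
    r'status="(?P<status>\w+)"'
)

# Same pattern against the undecoded JSON text, where every quote is preceded by
# a backslash, so each '"' in the pattern becomes '\\"' (escaped backslash + quote).
LOG_RE_RAW = re.compile(LOG_RE.pattern.replace('"', r'\\"'))


def _to_fields(match: "re.Match | None") -> dict:
    """Turn a regex match into a field dict; no match means no fields (as in Splunk)."""
    if not match:
        return {}
    fields = match.groupdict()
    fields["program_run_sec"] = float(fields["program_run_sec"])
    return fields


def extract_fields(raw_event: str) -> dict:
    """JSON-decode the event, then extract the four fields from its 'log' member."""
    event = json.loads(raw_event)
    return _to_fields(LOG_RE.search(event.get("log", "")))


def extract_fields_raw(raw_event: str) -> dict:
    """Extract the same fields directly from the raw JSON text (escaped quotes)."""
    return _to_fields(LOG_RE_RAW.search(raw_event))


if __name__ == "__main__":
    print(extract_fields(RAW_EVENT))
    print(extract_fields_raw(RAW_EVENT))
```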