All Posts

Hi @fatsug ... Please update us:
1) if you are able to receive logs from the windows host to the indexer?
   index=* host=<win-hostname> | stats count by sourcetype
2) if yes, are you able to receive windows eventlogs or not. If yes, you can try to view a single event and update us, your other queries...
Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists
Given that some lookup entries contain wildcards, it is reasonable to assume that your lookup is defined with match_type WILDCARD(host). In the following I will make some simplifying assumptions because I do not know the significance of comparing eventTime or LastEventTime: all you want to compare is with events in your search window. If your search window is the past 7 days, I assume that you want to keep entries that one or more events match in the past week, and that you want to drop any table entries with zero matches during this same period. But if eventTime is important, I'm sure you can adapt the solution to meet your needs. The key here is to utilize lookup; specifically, allow lookup to perform wildcard matches.

| metasearch (index=os_* OR index=perfmon_*)
| dedup host
| eval host=lower(host)
```| eval eventTime=_time
| convert timeformat="%Y/%m/%d %H:%M:%S" ctime(eventTime) AS LastEventTime
| fields host eventTime LastEventTime index
^^^ the above is not calculated or used ```
| lookup host_lookup host output host AS matchhost
| append [inputlookup host_lookup | rename host AS tablehost]
| eventstats values(matchhost) as matchhost
| eval Action = if(tablehost IN matchhost, "Keep Host", "Remove from Lookup")
| fields Action tablehost

(Obviously you do not need to rename tablehost. It just makes the intent obvious.) Hope this helps.
Hi @scout29 ... on your search head, you can go to Settings -> Monitoring Console -> "Indexing" tab -> License Usage -> Today or Historical. This will give you today's or last week's/month's license usage consumption dashboards. Please suggest if that's what you are looking for, thanks.
Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists
It returns very weird results:
Trying to set a token where system_id shows ABC1, ABC1-a, ABC10, ABC10-a and so on. When I set the token for that system_id as ABC1* to return all the ABC1 and ABC1-a and so on, it also returns the ABC10 and ABC10-a and so on. But obviously if I just do ABC10* it will return the right result. The first portion is the problem. Hope my question makes sense.
system_id = AA-1, AA-1-a, AA-1-b, AA-10, AA-10-a, AA-10-b, AA-12, AA-12-a, AA-12-b, and so on. Notice all the system_ids start with the common 'AA-1' and * afterward. However, when I use it as a token, as you've already felt the problem, AA-10* would return ALL the following ids that start with AA-10* and nothing else, so good. However, if I choose AA-1*, not only does it return the values that start with AA-1 but also AA-10 and AA-12, which I do not want. Trying to make this a dashboard, dropdown with token, where the user picks AA-1, and it only returns ALL the values that only have AA-1, aa-1-a, aa-1-b and so on. I need your help search guru, I want to search for all results AA-1 NOT showing AA-10 or AA-12, YET also need them in one token.
system_id = AA-1, AA-1-a, AA-1-b, AA-10, AA-10-a, AA-10-b, AA-12, AA-12-a, AA-12-b, and so on. Notice all the system_ids start with the common 'AA-1' and * afterward. However, when I use it as a token, as you've already felt the problem, AA-10* would return ALL the following ids that start with AA-10* and nothing else, so good. However, if I choose AA-1*, not only does it return the values that start with AA-1 but also AA-10 and AA-12, which I do not want. Trying to make this a dashboard, dropdown with token, where the user picks AA-1, and it only returns ALL the values that only have AA-1, aa-1-a, aa-1-b and so on.
Ah ok, another addon was more verbose. It sounds like it's a problem with either the base URL in my environment, or the redirect URI. The other addon is now working, but this app is failing with the error:
1 action failed Error from server. Status Code: 400 Data from server: invalid_request
Splunk has a join command that may do the job, but it's inefficient. The typical solution is to fetch both sources and then group them together by a common field using the stats command.

index="PreProdIndex" ((source="Request" ("<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Soup\"/>" OR "<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Biscuits\"/>")) OR source="Transaction")
| stats values(*) as * by transaction_id
| table REQUEST_DATE_TIME REQUEST *
Hi Guys, I'm playing around with Splunk SOAR on prem. No matter what I do, I can't get this addon working. I've followed the readme to the tee: https://github.com/splunk-soar-connectors/azuread/tree/next But I'm still not having any luck. Any ideas?
Any updates on this, have the same situation
Look at it another way. Search the last 5 minutes. If a ServiceDown trap was received without a matching Good trap then create an alarm.

index=foo (trap=ServiceDown OR trap=Good) earliest=-6m
| dedup ```add a field that contains device name```
| where trap="ServiceDown" AND _time <= relative_time(now(), "-5m")

Trigger the alert if the search returns results.
Consider putting that into Feedback on the docs page and submitting it at https://ideas.splunk.com
For example, system_id = AA-1, AA-1-a, AA-1-b, AA-10, AA-10-a, AA-10-b, AA-12, AA-12-a, AA-12-b, and so on. Notice all the system_ids start with the common 'AA-1' and * afterward. However, when I use it as a token, as you've already felt the problem, AA-10* would return ALL the following ids that start with AA-10* and nothing else, so good. However, if I choose AA-1*, not only does it return the values that start with AA-1 but also AA-10 and AA-12, which I do not want. Trying to make this a dashboard, dropdown with token, where the user picks AA-1, and it only returns ALL the values that only have AA-1, aa-1-a, aa-1-b and so on. Hope this question makes sense. Has anyone fixed such an issue before?
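An added example (editor's, not from any post in this thread) that serves both the WILDCARD(host) lookup-pruning answer earlier on this page and this AA-1 token question: it implements Splunk-style `*` wildcard matching in Python, shows why a bare `AA-1*` token also matches AA-10 and AA-12, and reuses the same matcher to decide which lookup entries matched at least one observed host. The function names, host names, system ids and lookup entries are constructed for the example.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a Splunk-style wildcard (only '*' is special) into an
    anchored, case-insensitive regex, so 'AA-1*' matches any id that merely
    starts with AA-1, while 'AA-1' alone matches only that exact id."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def matches(pattern, value):
    return wildcard_to_regex(pattern).match(value) is not None

# --- Token prefix problem: "AA-1*" over-matches, so expand the selected id instead ---
def token_patterns(selected_id):
    """Exact id, or the id followed by a dash suffix (AA-1, AA-1-a, ...), never AA-10."""
    return [selected_id, selected_id + "-*"]

def filter_ids(selected_id, system_ids):
    return [s for s in system_ids
            if any(matches(p, s) for p in token_patterns(selected_id))]

# --- Lookup pruning: which wildcard entries matched at least one host seen in the window ---
def prune_lookup(lookup_hosts, observed_hosts):
    """Mirror the Action column of the SPL answer: keep entries with >=1 match, flag the rest."""
    observed = [h.lower() for h in observed_hosts]  # the SPL lowercases host before matching
    return {entry: ("Keep Host" if any(matches(entry, h) for h in observed)
                    else "Remove from Lookup")
            for entry in lookup_hosts}

if __name__ == "__main__":
    # Constructed sample data, not from the thread.
    ids = ["AA-1", "AA-1-a", "AA-1-b", "AA-10", "AA-10-a", "AA-12", "AA-12-b"]
    print("AA-1* matches:", [s for s in ids if matches("AA-1*", s)])  # over-matches
    print("AA-1 expanded:", filter_ids("AA-1", ids))                  # AA-1, AA-1-a, AA-1-b
    print(prune_lookup(["web*", "db-01", "legacy-*"], ["WEB-01", "web-02", "db-01"]))
```

The same expansion in a dashboard search is to use the token twice, e.g. system_id="$tok$" OR system_id="$tok$-*", instead of appending a bare * to it.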
Anything new you've found? Still couldn't solve the issue.
Thank you for this answer. It is perfect. I had a lot of the right code, I just did not know how to use the <change> tag correctly. It works exactly as I envisioned.
Hopefully this will set the issue out clearly. I have two sources, Transaction and Request. The Transaction holds the transaction id, date and time and user details of a user transaction. The Request holds the request id, transaction id and an XML string with details of a user's search. I have a query that searches the Request and returns those searches which contain specific strings. However I need to show the user details on the results table.

index="PreProdIndex" source="Request" ("<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Soup\"/>" OR "<stringCriterion fieldName=\"Product\" operator=\"equals\" value=\"Biscuits\"/>")
| table REQUEST_DATE_TIME REQUEST

So I need to add onto the table USER_DETAILS from the Source "Transaction" to the above query based on the common key of the Transaction ID. In SQL I would simply put in a join on Transaction.ID=Request.Transaction_ID and all would be good but I have failed to find anything that gives a SPLUNK solution yet.
Great, thanks Rich. It would be good if Splunk could enable the new geo-location DB that ships with SE 9.0.0 or later, dbip-city-lite.mmdb, to be updated on a regular basis instead of having to replace the new DB with either MaxMind's, or some other vendor's DB. Splunk could build that update functionality in behind the scenes if divulging the new vendor is top secret for some reason.   Otherwise, the update procedure for the new DB could be added to the iplocation page like for MaxMind's update procedure.
Hi All, how can we implement the wait logic in a Splunk query? We monitor the Service down traps primarily and create Splunk alerts. We have a requirement now to wait for a time interval and check if the service UP trap was received; if yes then don't create an alert, else create an alert. How can we implement this in a single query? Any suggestion please. Example:

If ServiceDown trap received:
    Wait for 5 minutes.
    If Good trap received:
        Return
    Else:
        Create alarm.

Thanks!
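An added example (editor's, not from the thread) of the wait logic the way the answer on this page frames it: take the last 6 minutes of traps, keep only the latest trap per device, and alert when that trap is ServiceDown and is already 5 minutes old, so a later Good trap for the same device suppresses the alert. The trap line format, device names and the fixed evaluation times are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample trap events (assumed "<ISO time> <device> <trap>" format, not the real SNMP source).
SAMPLE_TRAPS = """\
2024-01-01T10:00:00Z router-a ServiceDown
2024-01-01T10:02:00Z router-a Good
2024-01-01T10:01:00Z router-b ServiceDown
2024-01-01T10:04:30Z router-c ServiceDown
2024-01-01T10:03:00Z router-d Good
"""

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_traps(text):
    events = []
    for line in text.splitlines():
        ts, device, trap = line.split()
        events.append((parse_time(ts), device, trap))
    return events

def devices_to_alert(events, now, window=timedelta(minutes=6), wait=timedelta(minutes=5)):
    """Mirror the SPL: earliest=-6m, dedup on device (latest trap wins), then
    where trap="ServiceDown" AND _time <= now-5m. A Good trap after the ServiceDown
    becomes the device's latest event and therefore suppresses the alert."""
    latest = {}
    for when, device, trap in events:
        if when < now - window or when > now:
            continue  # outside the search window
        if device not in latest or when > latest[device][0]:
            latest[device] = (when, trap)
    return sorted(device for device, (when, trap) in latest.items()
                  if trap == "ServiceDown" and when <= now - wait)

def alerts_at(now_iso, text=SAMPLE_TRAPS):
    """Evaluate the rule against the sample as if the scheduled search ran at now_iso."""
    return devices_to_alert(parse_traps(text), parse_time(now_iso))

if __name__ == "__main__":
    # router-a recovered (Good after Down), router-c has been down under 5 minutes,
    # router-b has been down 5 minutes with no Good trap, so only router-b alerts.
    print(alerts_at("2024-01-01T10:06:00Z"))
```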
You can replace the geo-ip file with an MMDB file from any vendor, including MaxMind.  It does not have to be from the same vendor as the one that shipped with Splunk.