All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

Search sequence knowledge object in splunk?

by in Getting Data In
‎09-27-2023 12:58 AM
‎09-27-2023 12:58 AM
I had a interview question that what is search sequence of knowledge object in splunk.Please helpme regarding this,  

How to subtract total values of 2 fields in a dashboard?

by in Splunk Search
‎09-27-2023 12:51 AM
‎09-27-2023 12:51 AM
Hi there, I have a dashboard and I want to subtract the total number of events of 2 queries but not sure how to do it, can you help? Query 1:   index=mssql sourcetype=SQL_Query source=Sales_C... See more...
Hi there, I have a dashboard and I want to subtract the total number of events of 2 queries but not sure how to do it, can you help? Query 1:   index=mssql sourcetype=SQL_Query source=Sales_Contracts_Activations* OR source=Sales_Contracts_Activations_BOM     Query 2:   index=mssql sourcetype=SQL_Query source=Esigns CALLBACK_STATUS="SUCCESS" STATUS=Complete  
Labels

Re: help on splunk index not working

by SplunkTrust in Splunk Dev
‎09-27-2023 12:26 AM
1 Karma
‎09-27-2023 12:26 AM
1 Karma
We think that you need some maintenance because you're running out of disk space. Anyway, searching for raw events across all indexes (index=*) is very ineffective and generally should not be used a... See more...
We think that you need some maintenance because you're running out of disk space. Anyway, searching for raw events across all indexes (index=*) is very ineffective and generally should not be used at all. Typically you either look for some high-level stats which can be obtained much more effectively with tstats command or you should be way way more specific about your searching criteria.

Re: Need a regex for these events

by SplunkTrust in Getting Data In
‎09-27-2023 12:23 AM
‎09-27-2023 12:23 AM
OK. That makes sense. The number of remaining blacklist entries is a valid point. You can construct a regex matchig several partially alternative branches using the A|B construct. Also remember tha... See more...
OK. That makes sense. The number of remaining blacklist entries is a valid point. You can construct a regex matchig several partially alternative branches using the A|B construct. Also remember that while using renderXml=true you need to blacklist by $XmlRegex field. So you'd end up with something like this: blacklist9 = $XmlRegex=#Data Name='ParentProcessName'>C:\\Program Files\\(AzureConnectedMachineAgent\\GCArcService\\GC\\gc_worker\.exe|Rapid7\\Insight Agent\\components\\insight_agent\\3\.2\.5\.31\\ir_agent\.exe)# You might need to escape the > sign (I never remember which solutions treated the raw '>' as literal '>' and escaped '\>' as end of the word. And which ones did the opposite. (I think vim was notorious for strangely (un)escaped characters inregexes). As usual - try your regex at regex101.com Of course if you wanted, you can combine all your 4 cases into one using the alternative grouping.

Re: help on splunk index not working

by in Splunk Dev
‎09-27-2023 12:16 AM
‎09-27-2023 12:16 AM
They have been created on indexers and the instance has been restarted The index name is the same Now i have a message issue when I am doing index=* Message "Serach not executed: The minimum free ... See more...
They have been created on indexers and the instance has been restarted The index name is the same Now i have a message issue when I am doing index=* Message "Serach not executed: The minimum free disk space (5000MB) reached for opt/splunk/var/run/splunk/dispatch/ What do you think about this?

Re: What is the CPU & memory utilization of Splunk Forwarder?

by in Getting Data In
‎09-27-2023 12:04 AM
‎09-27-2023 12:04 AM
Thank you Emily Can you talk more about your services? Im interesting in this.

Re: Need a regex for these events

by SplunkTrust in Getting Data In
‎09-26-2023 11:55 PM
‎09-26-2023 11:55 PM
Hi @AL3Z , do you want to remove all the events from the input or only the selectes part of the events? If you want to remove all the events, you could use a simple regex to blacklist them: Data N... See more...
Hi @AL3Z , do you want to remove all the events from the input or only the selectes part of the events? If you want to remove all the events, you could use a simple regex to blacklist them: Data Name\=\'ParentProcessName\'\>C:\\Program Files\\(Windows Defender Advanced Threat Protection\\MsSense\.exe)|(Windows Defender Advanced Threat Protection\\SenseIR\.exe)|(AzureConnectedMachineAgent\\GCArcService\\GC\\gc_worker\.exe)|(Rapid7\\Insight Agent\\components\\insight_agent\\3\.2\.5\.31\\ir_agent\.exe) you can check this regex at https://regex101.com/r/9lsjyz/1. Ciao. Giuseppe

Search to match high temp events, but ignore specific events on host that trigger within 25 seconds of each other

by in Splunk Search
‎09-26-2023 11:48 PM
‎09-26-2023 11:48 PM
Hello all, We have a Splunk alert that searches for high temperature events on Juniper routers, it's a very straight forward search:   index=main CHASSISD_FRU_HIGH_TEMP_CONDITION OR CHASSISD_OVER_... See more...
Hello all, We have a Splunk alert that searches for high temperature events on Juniper routers, it's a very straight forward search:   index=main CHASSISD_FRU_HIGH_TEMP_CONDITION OR CHASSISD_OVER_TEMP_SHUTDOWN_TIME OR CHASSISD_OVER_TEMP_CONDITION OR CHASSISD_TEMP_HOT_NOTICE OR CHASSISD_FPC_OPTICS_HOT_NOTICE OR CHASSISD_HIGH_TEMP_CONDITION OR (CHASSISD "Temperature back to normal") NOT UI_CMDLINE_READ_LINE     I'd like this Splunk alert to ignore temperature alarm events on the host router4-utah when FPC 11 = FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/* is running hot, the events always come in the following order within 25 seconds of each other:   The alarm trigger events:   Sep 27 05:26:00 re0.router4-utah chassisd[7726]: CHASSISD_BLOWERS_SPEED_FULL: Fans and impellers being set to full speed [system warm] Sep 27 05:26:00 re0.router4-utah alarmd[7895]: Alarm set: Temp sensor color=YELLOW, class=CHASSIS, reason=Temperature Warm Sep 27 05:26:00 re0.router4-utah craftd[7730]: Minor alarm set, Temperature Warm Sep 27 05:26:00 re0.router4-utah chassisd[7726]: CHASSISD_HIGH_TEMP_CONDITION: Chassis temperature over 60 degrees C (but no fan/impeller failure detected) Sep 27 05:26:02 re0.router4-utah chassisd[7726]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Over Temperature! (jnxContentsContainerIndex 7, jnxContentsL1Index 12, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/*, jnxOperatingTemp 91)     The alarm clear events:   Sep 27 05:26:21 re0.router4-utah alarmd[7895]: Alarm cleared: Temp sensor color=YELLOW, class=CHASSIS, reason=Temperature Warm Sep 27 05:26:21 re0.router4-utah craftd[7730]: Minor alarm cleared, Temperature Warm     The goal is to keep the normal temperature alert running as it always has, but somehow ignore the host router4-utah when it triggers and clears temperature alarms on FPC11. I think the easiest way to say this is any temp alarm that triggers and clears on router4-utah that is surrounded within 25 seconds of this line:   Sep 27 05:26:02 re0.router4-utah chassisd[7726]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Over Temperature! (jnxContentsContainerIndex 7, jnxContentsL1Index 12, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/*, jnxOperatingTemp 91)     Any assistance one can provide is much appreciated! Thanks.

Re: Getting a count of the number of fields associated with a sourcetype

by in Splunk Search
‎09-26-2023 11:18 PM
‎09-26-2023 11:18 PM
For my particular use case, I want to compare the difference between the count of fields extracted in windows event logs before versus after I install the Splunk TA for Windows on my search head.  I... See more...
For my particular use case, I want to compare the difference between the count of fields extracted in windows event logs before versus after I install the Splunk TA for Windows on my search head.  It fits my use case, but it might not for others if you have inconsistent configurations across your search head peers, for example.

Re: what is the use of below query?

by SplunkTrust in Splunk Search
‎09-26-2023 11:09 PM
‎09-26-2023 11:09 PM
To tell you the maximum value of the year value of an event over time. As to whether this provides useful information, that's another story...  

Re: Getting a count of the number of fields associated with a sourcetype

by SplunkTrust in Splunk Search
‎09-26-2023 11:06 PM
‎09-26-2023 11:06 PM
That's unlikely to give you a good representation of fields that actually are part of the data associated with a sourcetype, for example if you just run this on index=_audit index=_audit | stats las... See more...
That's unlikely to give you a good representation of fields that actually are part of the data associated with a sourcetype, for example if you just run this on index=_audit index=_audit | stats last(*) AS * by sourcetype | foreach * [ eval <<FIELD>>=if("<<FIELD>>" == "sourcetype", sourcetype, 1), fields=mvappend(fields, "<<FIELD>>") ] | addtotals | fields Total sourcetype fields you will get a load of fields associated with audittrail - on 3 different search heads, I get from 149 to 323 fields, most of which are just pulled in due to TAs installed on the search heads.  

Re: Getting a count of the number of fields associated with a sourcetype

by in Splunk Search
‎09-26-2023 10:55 PM
1 Karma
‎09-26-2023 10:55 PM
1 Karma
I'm ten years late, so I hope it's not urgent  But here's a solution you can run inline: #base search here | stats last(*) AS * by sourcetype | foreach * [ eval <<FIELD>>=if("<<FIELD>>... See more...
I'm ten years late, so I hope it's not urgent  But here's a solution you can run inline: #base search here | stats last(*) AS * by sourcetype | foreach * [ eval <<FIELD>>=if("<<FIELD>>" == "sourcetype", sourcetype, 1)] | addtotals | fields Total sourcetype  

Re: Evaluate search based on one index

by SplunkTrust in Getting Data In
‎09-26-2023 09:04 PM
‎09-26-2023 09:04 PM
Your table shows user2 that authenticated less than 30 days after creation, so do you want this in the output? What does "Authentications since created (After 31 days)" in your table as user2 has a p... See more...
Your table shows user2 that authenticated less than 30 days after creation, so do you want this in the output? What does "Authentications since created (After 31 days)" in your table as user2 has a positive value, but the last date within 30 days. If you're looking to find users who were created 31 days ago, but have not logged in since, then you would use this type of search, where you need to work out what is a login event and what is a created event so you can determine the logic for event_is_login in the examplke below.   index=duo earliest=-31d@d latest=@d INCLUDE_CREATED_EVENTS_AND_LOGIN_EVENTS | eval created=if(actionlabel="added user" AND _time < relative_time(now(), "-3d@d"), _time, 0) | where created=1 OR event_is_login | stats count(eval(if(event_is_login), 1, null()))) as Logins max(eval(if(event_is_login), _time, null()))) as LastLogin max(created) as created_time by object | rename object AS User | eval LastLogin=strftime(LastLogin, "%m/%d/%Y")   What state in your data indicates that the user was created, is it actionlable="added user"?    

Re: AWS Add On - SSL Validation Failed Error

by in Security
‎09-26-2023 08:06 PM
‎09-26-2023 08:06 PM
What is your SSL server cert configured as? Can you read the output of that cert using openssl? (if using the default cert)   openssl x509 -in /opt/splunk/etc/auth/server.pem -text -noout    

what is the use of below query?

by in Splunk Search
‎09-26-2023 07:59 PM
‎09-26-2023 07:59 PM
index=botsv1 sourcetype="stream:http" | timechart max(date_year)
Labels

Re: SAML Configuration not working for Splunk Heavy Forwarders.

by in Security
‎09-26-2023 07:58 PM
‎09-26-2023 07:58 PM
What SSO platform are you using? And is your licensing set properly for all hosts?

Re: how to suppress alerts during holidays

by SplunkTrust in Splunk Enterprise
‎09-26-2023 05:24 PM
‎09-26-2023 05:24 PM
Can you post the query and show what the results were?

Re: How to capture x,y data from stacked charts for drill down option

by SplunkTrust in Splunk Search
‎09-26-2023 05:23 PM
‎09-26-2023 05:23 PM
If you have values that contain spaces or other punctuation characters, then you should ensure the tokens quote the values, which is normally done with | stats values($value2|s$)... i.e. adding |s ... See more...
If you have values that contain spaces or other punctuation characters, then you should ensure the tokens quote the values, which is normally done with | stats values($value2|s$)... i.e. adding |s before the final $ sign, that tells Splunk to quote the token value. However, in the above, your values() statements are expecting FIELD NAMES, containing values, whereas the value of the $value2$ token will be the clicked duration, and so values($value2$) is meaningless. What are you actually trying to do with that stats statement - is it just to debug things?  Sometimes when debugging token things, it's useful to just add an html panel inside the dashboard where you can render the tokens, e.g. <row> <panel> <html> <h2>name1=$name1|s$</h2> <h2>value1=$value1|s$</h2> </html> </panel> </row>  

Ingest Actions error

by in Getting Data In
‎09-26-2023 04:09 PM
2 Karma
‎09-26-2023 04:09 PM
2 Karma
Hi Everyone, after i select the source type i am getting below error while using ingest actions. I had to update the pass4symmkey as ingest actions required to setup custom pass4symmkey Connection ... See more...
Hi Everyone, after i select the source type i am getting below error while using ingest actions. I had to update the pass4symmkey as ingest actions required to setup custom pass4symmkey Connection testing failed in all remote clients: [https://*.*.*.*:8089]. This can be caused by misconfiguration of secret key or event capture is not supported in those remote splunk instances.   ANy idea what is happening?

How to combine queries to use for alert?

by in Splunk Enterprise
‎09-26-2023 04:06 PM
‎09-26-2023 04:06 PM
I have 3 queries , i want to combine to one query so that i can use it for alert Query1: index=error-data  sourcetype=error:logs  source=https://error:appliocation.logs "logs started"   "tarnsac... See more...
I have 3 queries , i want to combine to one query so that i can use it for alert Query1: index=error-data  sourcetype=error:logs  source=https://error:appliocation.logs "logs started"   "tarnsaction recevied" [|inputlookup append=t  errorlogs.csv where error=2 |fields host |format] |stats count as "initial error logs " Query2: index=error-data  sourcetype=error:logs  source=https://error:appliocation.logs " timeouterror" AND "failed logs confirmed " [|inputlookup append=t  errorlogs.csv where error=2 |fields host |format] |stats count as "logs in transactions " Query3: index=error-data  sourcetype=error:logs  source=https://error:appliocation.logs " application logs continuted" [|inputlookup append=t  errorlogs.csv where error=2 |fields host |format] |stats count as "total failed"
Labels