All Posts

You can create a lookup with a WILDCARD match type.
If there are no new entries in your access log it could signal storage problems. Did you check your free disk space?
What do you mean by "added"? @ITWhisperer's search should be run on its own, not added to your search. Alternatively, you can count split by time so you can limit your search to a particular month or week (I think with a day resolution it could still run, but it would be much denser and you wouldn't be able to visualize it reasonably).
| tstats prestats=t count where index=<your_index> host=<your_host> by _time span=1w | timechart span=1w count
Hello @ITWhisperer, I added the host name to the query provided and ran a search, but I am not seeing any results under the Statistics tab. Does result=0 mean that the host is reporting and that is the reason we are not seeing results? Can you please confirm? Thanks
I have logs with a Customer field where the name of the customer is not consistent:
customer=Bobs Pizza
customer=Bob's Pizza
customer=Bobs Pizzeria
I want to use an automatic lookup to change all of them to a standard name without needing to change existing searches.
customer_lookup.csv:
customer_name,standard_customer_name
Bobs Pizza,Bob's Pizza
Bobs Pizzeria,Bob's Pizza
I am trying to do this with a lookup table in the search before I try to make it an automatic lookup.
| lookup customer_lookup customer_name as Customer output standard_customer_name AS Customer
This lookup only works if the Customer returned in the search is actually in the lookup table. So Customer="Bobs Pizza" is in the result, but Customer="Frank's Artichokes" is not. I can't add all customers to the table. I have tried many forms of the lookup. I can get a list with the original Customer name and the standard customer name if one exists, but that won't work for current searches.
Can this be done? I would think it could cause problems, since someone could add an automatic lookup to hide certain things if needed.
We are trying to use the appdynamics node dependency and are currently unable to resolve it. It appears that it's unavailable at the expected AppDynamics CDN location. Last week, version 23.5 was successfully found and downloaded, but today neither 23.5 nor 23.7 appears to be available:
npm install appdynamics
npm ERR! code E404
npm ERR! 404 Not Found - GET https://cdn.appdynamics.com/packages/nodejs/23.7.0.0/appdynamics-native-node.tgz
npm ERR! 404
npm ERR! 404 'appdynamics-native@https://cdn.appdynamics.com/packages/nodejs/23.7.0.0/appdynamics-native-node.tgz' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
Has anyone else been able to resolve this issue, or is there a known issue resolving this dependency?
I was getting this error from a scripted input after upgrading from 8.2.10 to 9.0.6, and resolved it by removing python.version = python2 from the restmap.conf file that someone had manually added.
Look for both install and uninstall events from the same machine/program and keep the most recent event for each. If the latest event is "uninstall" and it's been more than 30 minutes, then trigger an alert. (Deduplicating on Message as well would keep the latest uninstall even when an install followed it, which is exactly the update false positive you want to drop, so dedup only on host/program.)
index=main source=<custom_source> (Message="<program_name> is uninstalled" OR Message="<program_name> is installed")
| dedup host <program_name>
| where Message="<program_name> is uninstalled" AND _time<relative_time(now(), "-30m")
Hi! I am faced with the following task and do not understand which way to go. I want to create an alert that will be triggered when a certain application is deleted. For example:
index=main source=<custom_source> Message="<program_name> is uninstalled"
Everything works as it should; I use the internal event type and that's not the question. Some software generates 2 events when UPDATING OR UPGRADING, the first: the program is uninstalled, and the second: the program is installed. Therefore, in this case, my alert gives a false alarm. I have come up with the following alert logic to correct the false positives:
Search events for the last 30 minutes: index=main source=<custom_source> Message="<program_name> is uninstalled"
Next we need to check whether there were installation events: index=main source=<custom_source> Message="<program_name> is installed" on the machines from the first request. And if there was no installation event on the machine after the uninstall event in the last 30 minutes, then issue an alert.
I can't create a query from this logic. If you could help me with advice, I would be very grateful. P.S. We looked in the direction of events from the Application log and MSI Installer logs, but in our case this is not applicable and we must use a custom source.
Thanks for your help, have a nice day.
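The pairing logic that both the answer above and this question describe, as an added example that is not from the thread: the same "keep the latest event per host, alert if it is an uninstall older than 30 minutes" check, run in Python over constructed events instead of a Splunk index. The field names (host, Message, _time) follow the question; the hosts, the program name ExampleAgent and the timestamps are made up.

```python
"""Added example (not from the thread): the uninstall alert logic
run over constructed events. Hosts, program name and times are made up."""
from datetime import datetime, timedelta, timezone

PROGRAM = "ExampleAgent"          # hypothetical program name
WINDOW = timedelta(minutes=30)    # grace period for an install to follow an uninstall

# Constructed sample events in the shape the question describes.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    # host-a: an update, uninstall then install two minutes later -> no alert
    {"host": "host-a", "_time": NOW - timedelta(minutes=50), "Message": f"{PROGRAM} is uninstalled"},
    {"host": "host-a", "_time": NOW - timedelta(minutes=48), "Message": f"{PROGRAM} is installed"},
    # host-b: uninstalled 45 minutes ago and never reinstalled -> alert
    {"host": "host-b", "_time": NOW - timedelta(minutes=45), "Message": f"{PROGRAM} is uninstalled"},
    # host-c: uninstalled 5 minutes ago, an install may still follow -> no alert yet
    {"host": "host-c", "_time": NOW - timedelta(minutes=5), "Message": f"{PROGRAM} is uninstalled"},
    # host-d: install arrived after an earlier uninstall, but out of order in the feed -> no alert
    {"host": "host-d", "_time": NOW - timedelta(minutes=40), "Message": f"{PROGRAM} is installed"},
    {"host": "host-d", "_time": NOW - timedelta(minutes=60), "Message": f"{PROGRAM} is uninstalled"},
]


def latest_per_host(events, program=PROGRAM):
    """Equivalent of filtering to this program's install/uninstall messages
    and then `dedup host`: keep only the most recent event per host."""
    wanted = {f"{program} is uninstalled", f"{program} is installed"}
    latest = {}
    for ev in events:
        if ev["Message"] not in wanted:
            continue
        current = latest.get(ev["host"])
        if current is None or ev["_time"] > current["_time"]:
            latest[ev["host"]] = ev
    return latest


def hosts_to_alert(events, now=NOW, program=PROGRAM, window=WINDOW):
    """Hosts whose most recent event is an uninstall older than `window`."""
    cutoff = now - window
    return sorted(
        host
        for host, ev in latest_per_host(events, program).items()
        if ev["Message"] == f"{program} is uninstalled" and ev["_time"] < cutoff
    )


if __name__ == "__main__":
    print(hosts_to_alert(EVENTS))  # ['host-b']
```

The trade-off is the same as in the SPL: a real removal is only alerted on after the 30-minute grace period, and the alert repeats on every run until the search window no longer contains the uninstall event, so the search's time range should be chosen with that in mind.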
Is that the only way to get the data in? This is a production server and I don't think I will be able to disable/stop firewalld.
I updated the JSON and can see the documentation updated as well: summary.data.*.result string. That key "result" is available per action test: {"identifier": "list_zones", "result_data": [{"data": [{"result":... But still in VPE I can see only 'status' and 'message'. I haven't found anything special in existing apps.
I have a CSV file that populates a standard dropdown. The selection made in this standard dropdown then populates the second dropdown, which is a Multi-Select. I then use the token from the Multi-Select to perform my search. This works great when there is only one item selected in the Multi-Select dropdown; however, when multiple items are selected it returns incorrect results. Any help would be most appreciated! This is my source code:

<form version="1.1">
  <label>JRD AUR Divert Zone Multi Dropdown (CSV) Counts by Downtime</label>
  <description>Testing for CSV Dropdown Functionality</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time Selection</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Locationid_tok" searchWhenChanged="false">
      <label>Select Bins Location</label>
      <fieldForLabel>Locationid</fieldForLabel>
      <fieldForValue>Locationid</fieldForValue>
      <search>
        <query>| inputlookup AUR_Bin_Divert_Zones.csv | dedup Locationid | table "Locationid"</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="*">All</choice>
    </input>
    <input type="multiselect" token="Zoneid_tok" searchWhenChanged="true">
      <label>Select Divert Zone(s)</label>
      <fieldForLabel>Zoneid</fieldForLabel>
      <fieldForValue>Zoneid</fieldForValue>
      <search>
        <query>| inputlookup AUR_Bin_Divert_Zones.csv | search Locationid="$Locationid_tok$" | table "Zoneid"</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <choice value="*">All</choice>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=5_ip_cnv sourcetype=ftae_hmi_alarms $Zoneid_tok$
| eval Time=_time
| transaction Alarm startswith=*$Zoneid_tok$",1,0,192" endswith=*$Zoneid_tok$",0,0,192" maxevents=2
| eval Downtime = strftime(duration, "%M:%S")
| makemv delim=";" Message
| eval EventType=mvindex(Message,0)
| rename Description as EventLocation
| eval Date=lower(strftime(_time,"%+"))
| eval date_wday=lower(strftime(_time,"%A"))
| eval date_hour_EST=tonumber(strftime(_time, "%H"))
| where NOT (date_wday="saturday" OR date_wday="sunday")
| where (date_hour_EST&gt;=9 AND date_hour_EST&lt;19)
| rename Downtime as "Downtime in Minutes:Seconds"
| sort +Time
| table Date EventType EventLocation "Downtime in Minutes:Seconds"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">60</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <format type="number" field="Time">
          <option name="precision">3</option>
          <option name="useThousandSeparators">false</option>
        </format>
      </table>
    </panel>
  </row>
</form>
Need help writing a generic query to capture PII data (social security numbers / credit card numbers / email addresses) from an application log?
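One way to approach the three PII types named in the question, as an added example that is not from the thread: candidate regular expressions run over constructed log lines, with a Luhn check on card candidates and the published SSN range rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut the false positives a bare regex produces on timestamps, request IDs and order numbers. The log lines and every number in them are made up; the test card number is the well-known 4111 1111 1111 1111.

```python
"""Added example (not from the thread): PII candidate detection over
constructed log lines. All sample values below are made up."""
import re

# Constructed sample log lines.
LOG_LINES = [
    "2024-01-15T12:00:01Z INFO order=4111111111111111 shipped to jane.doe@example.com",
    "2024-01-15T12:00:02Z DEBUG ssn=123-45-6789 applicant verified",
    "2024-01-15T12:00:03Z INFO request_id=1234567890123456 ok",     # 16 digits, fails Luhn
    "2024-01-15T12:00:04Z INFO ssn=000-12-3456 rejected as malformed",  # area 000 is never issued
    "2024-01-15T12:00:05Z WARN contact support@example.org ref 4111 1111 1111 1111",
]

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally grouped by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real card number passes, most random IDs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, which removes many 9-digit IDs."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_pii(line: str):
    """Return (kind, matched_text) pairs for one log line."""
    hits = []
    for m in EMAIL_RE.finditer(line):
        hits.append(("email", m.group(0)))
    for m in SSN_RE.finditer(line):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def scan(lines):
    """Map line index -> hits, for lines that contain at least one candidate."""
    out = {}
    for i, line in enumerate(lines):
        hits = find_pii(line)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES).items():
        print(idx, hits)
```

The three patterns port directly to a Splunk `rex` command; the Luhn and SSN range checks do not, so a pure-SPL version should be expected to flag long numeric IDs as well and will need a review step. Detection of this kind finds PII that has already been written to disk; the durable fix is to stop the application from logging those fields.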
Hi @jmrubio, did you disable firewalld? systemctl stop firewalld systemctl disable firewalld Ciao. Giuseppe
Yes, you don't need that - it is just a habit I have when using makeresults as it is the only field that is automatically added by makeresults.
Genius! Thank you! I spent WAY too much time trying to find out how to do that. I skipped the "fields - _time" section. I'm not sure what that's for? It seems to work well without it.
This helped. Thanks @ITWhisperer 
Hello @gcusello, I tried ss -na | grep 8000 and it returned: tcp  LISTEN  0  128  *:8000  *:*
Thanks for the feedback.  I'll see if that works for me.
@irom77 for each field/key you output, you need to add it to the JSON. "action_result.data" is just the array after you get the results from the REST call from the App. You need to add "action_result.data.*.<key>" for each value you want to use downstream in a playbook into the JSON for it to be visible as a selectable option. You can still use the values in a playbook, but you need to add the ".*.<key>" to the end of your datapath in the Playbook. But if you want it to be selectable, you need to map it in the JSON outputs section. If unsure, you can look at any of the out-of-the-box apps' JSON files to see how they do it.