All Posts

Hi, can anyone please advise whether there is any quick way to find the list of servers that are not managed by the deployment server but are transmitting data to Splunk, either on the deployment server or on the SH itself? Thanks
I found a solution by editing the inputs.conf file as follows.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index = sysmon
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
@gcusello where do I need to put this EBNCStatus=*? Below is my query:

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully", Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day
We use an asset file that is correctly configured in ES, but we noticed that the enrichment based on "asset_lookup_by_cidr" is not working correctly because the lookup is not sorted by CIDR class. For example, in the following sample the sorting is based on "lexicographic" order instead of the real CIDR logic:

1.2.30.0/26
1.2.30.128/25
1.2.31.0/24
1.2.32.0/24
1.2.33.0/25
1.2.33.128/25

We tried to solve the problem by creating a saved search that automatically performs the right sort, but soon after it runs the lookup "asset_lookup_by_cidr" is replaced with the "lexicographic" order again. My saved search:

| inputlookup asset_lookup_by_cidr
| eval ip=replace(ip,"\s+","")
| eval sorted=case(match(ip,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{2}"),substr(ip,-2),match(ip,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1}"),substr(ip,-1),1=1,"0")
| sort limit=0 - sorted
| fields - sorted
| outputlookup asset_lookup_by_cidr

Is there a quick solution to this problem? It is a big problem for notables based on IP addresses.
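The ordering problem described in this post, as an added example in Python (it is not Splunk's or ES's own code and it was not posted in the thread): the rows are sorted most-specific-first (longest prefix, then numeric network address) instead of as strings, and a first-match lookup is run over both orderings so the difference is visible. The CIDRs are the post's sample; the asset names, the stray whitespace and the overlapping 1.2.30.0/24 row are constructed for the example, and the example assumes, as the post does, that the first matching row of the lookup is the one that wins.

```python
import csv
import io
import ipaddress

# Constructed lookup rows: the CIDRs are the post's sample; the "asset" column,
# the leading space and the overlapping 1.2.30.0/24 supernet are added here.
SAMPLE_ROWS = [
    {"ip": "1.2.30.0/24", "asset": "site-net"},       # constructed supernet
    {"ip": "1.2.30.0/26", "asset": "dmz-a"},
    {"ip": " 1.2.30.128/25", "asset": "dmz-b"},       # stray whitespace, as in real asset files
    {"ip": "1.2.31.0/24", "asset": "users-1"},
    {"ip": "1.2.32.0/24", "asset": "users-2"},
    {"ip": "1.2.33.0/25", "asset": "servers-a"},
    {"ip": "1.2.33.128/25", "asset": "servers-b"},
]


def parse_cidr(text):
    # strict=False tolerates host bits set in the prefix (e.g. "1.2.30.5/24")
    return ipaddress.ip_network(text.strip(), strict=False)


def cidr_sort_key(row, ip_field="ip"):
    net = parse_cidr(row[ip_field])
    # Longest prefix first, so the most specific network is hit first;
    # numeric network address as tie-break keeps the output deterministic.
    return (-net.prefixlen, int(net.network_address))


def sort_lookup(rows, ip_field="ip"):
    """Rows in longest-prefix-first order, with the CIDR string normalised."""
    out = []
    for row in sorted(rows, key=lambda r: cidr_sort_key(r, ip_field)):
        new = dict(row)
        new[ip_field] = str(parse_cidr(row[ip_field]))
        out.append(new)
    return out


def lexicographic_sort(rows, ip_field="ip"):
    """The order the post observed: a plain string sort on the CIDR column."""
    return sorted(rows, key=lambda r: r[ip_field].strip())


def first_match(rows, address, ip_field="ip"):
    """First row whose CIDR contains the address, or None (first-match semantics)."""
    addr = ipaddress.ip_address(address)
    for row in rows:
        if addr in parse_cidr(row[ip_field]):
            return row
    return None


def to_csv(rows):
    """Serialise the rows as a lookup CSV with the same columns as the input."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for label, ordered in (("lexicographic", lexicographic_sort(SAMPLE_ROWS)),
                           ("longest-prefix", sort_lookup(SAMPLE_ROWS))):
        hit = first_match(ordered, "1.2.30.5")
        print(f"{label:15s} 1.2.30.5 -> {hit['ip']} ({hit['asset']})")
    print(to_csv(sort_lookup(SAMPLE_ROWS)))
```

With the string order, 1.2.30.5 resolves to the /24 supernet; with prefix-length order it resolves to the /26. Sorting on the prefix length alone, as the saved search in the post does, gives the same first-match result for these rows; the numeric tie-break only matters for reproducible output.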
How do I create a top 10 DB queries view in AppD dashboards and reports?
I'm trying to verify the presence of Splunk on all the machines in our environment by creating a shell script and finding the systems without Splunk.
Hi all, is there a way to disable the audience restriction verification on the SAML response? In our case, based on the Siteminder configuration, it is the only way to resolve the issue. Thank you!
Hi, Esteemed Legend. I know that manually changing the UF file etc/system/local/deploymentclient.conf and restarting splunkd.exe can change the deployment server, but using the deployment server to push a deploymentclient.conf with a new path to the UF is not effective.
Make sure the path, type, and reg fields are not null.  The stats command will not return results for null groupBy fields.
@gcusello This query is not working for me:

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully", Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| table EBNCStatus True Day
What are you trying to accomplish?  What do you mean by "validate Splunk"?
Hi @SplunkSN, ok, but the logs you're using for the alert come from two different hosts, one active and one passive. So, if I understood correctly, you want to use only host1 if host1 is the active one, and host2 if that is the active one. One question: can you have logs from both host1 and host2? If yes, are they different? If they are the same, you could dedup the results using the duplicated fields that you have in your alert, or you could group the results so the host value isn't relevant. Could you share your alert search? Ciao. Giuseppe

Check whether the host field in the results of your alarm is only the active host; in this case you can
Depending on what you mean by "cross", the search command may do the job.

index=toto event_id=4688
| eval file_name=replace(NewProcessName, "^.*\\\\([^\\\\]+)$", "\\1")
| search [| inputlookup test where software=pm | table pm | rename pm as file_name | format]
| stats values(file_name) as file_name.....
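The approach in this answer, as an added Python example (not the thread's own code and not Splunk's): the file name is taken from NewProcessName the way the replace() call does, the lookup is reduced to the set of names the subsearch would hand to the search command, and the 4688 events are filtered on membership in that set. The events, hosts and lookup rows are constructed; the lookup column names (software, pm) follow the answer's search, and the lower-casing mirrors the case-insensitive matching of field values in the search command.

```python
import re

# Constructed 4688 events (not real telemetry). Field names follow the answer's
# search: event_id and NewProcessName; host is added only to group the results.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "ws01", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 4688, "host": "ws01", "NewProcessName": r"C:\Program Files\PM\pm.exe"},
    {"event_id": 4688, "host": "ws02", "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\PM.EXE"},
    {"event_id": 4624, "host": "ws02", "NewProcessName": r"C:\Program Files\PM\pm.exe"},  # not a 4688
    {"event_id": 4688, "host": "ws03", "NewProcessName": "pmagent.exe"},  # no directory part
]

# Constructed stand-in for the "test" lookup used in the answer's subsearch:
# a "software" column to filter on and a "pm" column holding the file name.
SAMPLE_LOOKUP = [
    {"software": "pm", "pm": "pm.exe"},
    {"software": "pm", "pm": "PMAgent.exe"},
    {"software": "other", "pm": "cmd.exe"},
]

# Equivalent of replace(NewProcessName, "^.*\\\\([^\\\\]+)$", "\\1"):
# everything after the last backslash; a bare name is returned unchanged.
BASENAME_RE = re.compile(r"^(?:.*\\)?([^\\]+)$")


def file_name(path):
    m = BASENAME_RE.match(path)
    return m.group(1) if m else path


def lookup_file_names(rows, software, field="pm"):
    """The set the subsearch produces: file names for one software value,
    lower-cased because the search command matches field values case-insensitively."""
    return {row[field].lower() for row in rows if row["software"] == software}


def cross_match(events, lookup_rows, software="pm"):
    """{host: sorted file names} for 4688 events whose basename is in the lookup,
    the shape that 'stats values(file_name) as file_name by host' would give."""
    wanted = lookup_file_names(lookup_rows, software)
    hits = {}
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        name = file_name(ev["NewProcessName"])
        if name.lower() in wanted:
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


if __name__ == "__main__":
    for host, names in sorted(cross_match(SAMPLE_EVENTS, SAMPLE_LOOKUP).items()):
        print(host, names)
```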
Hi @gcusello, thank you for the reply. Both hosts are on the same Splunk server. We don't have any parameter in the logs which identifies the currently active site, so we are using host naming (e.g., HostSite1, HostSite2). How would we automate enabling/disabling alerts based on the host name?
Hi everyone, I have a question regarding the configuration of the Microsoft Teams Add-on for Splunk app. When I configure a Webhook, a TeamsSubscription, and a CallRecord according to this guide, MS Teams data flows into my Splunk instance. Just like the guide suggests, I use ngrok, since the server my Splunk instance is running on is not accessible via HTTPS. Ngrok is fine for testing, but I want to swap it out for my actual proxy server. I tried several different settings, but no more data comes in. Given that data came in for as long as I used ngrok, all settings related to Azure (Tenant ID, Client ID, Client Secret) must be correct. The issue lies somewhere in the proxy server settings. Can anyone share some insights on how to configure the MS Teams Add-on as well as the proxy server settings? Here is my current setup.

Webhook
- Name: Webhook
- Interval: 30
- Index: ms_teams
- Port: 4444

Subscription
- Name: Subscription
- Interval: 86400
- Index: ms_teams
- Global Account: MSAzure
- Tenant ID: mytenantidfromazure
- Environment: Public
- Webhook URL: myproxy.server.com (should this be splunkinstanceserver.com:4444 or myproxy.server.com?)
- Endpoint: v1.0

CallRecord
- Name: CallRecord
- Interval: 30
- Index: ms_teams
- Global Account: MSAzure
- Tenant ID: mytenantidfromazure
- Environment: Public
- Endpoint: v1.0
- Max Batch Size: 5000

Proxy
- Enable: checked
- Host: myproxyserver.com
- Port: 4444 (is this meant to be the port of my webhook, or the port where my proxy accepts HTTPS requests?)
- Username: userformyproxyserver
- PW: userpwformyproxyserver

splunkd.log (paths are shortened for readability):

.../TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: WARNING:root:Run function: get_password failed: Traceback (most recent call last):
.../TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: File ".../TA_MS_Teams/bin/ta_ms_teams/aob_py3/solnlib/utils.py", line 148, in wrapper
.../TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: return func(*args, **kwargs)
.../TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: File ".../TA_MS_Teams/bin/ta_ms_teams/aob_py3/solnlib/credentials.py", line 128, in get_password
.../TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: "Failed to get password of realm=%s, user=%s." % (self._realm, user)
.../TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#TA_MS_Teams#configs/conf-ta_ms_teams_settings, user=proxy.
Hi, I'm trying to set a specific color for each of the 4 dynamic labels of my 3 trellis pie charts. I already added the series color option:

<option name="charting.seriesColors">[#CFD6EA,#C45AB3,#735CDD,#8fba38]</option>

My issue is that my labels are "dynamic" and I also don't have a constant number of categories (it changes in each chart between 0 and 4 according to the data I receive), so my color palette sequence is not aligned with the number of categories. For example, I want to set the following:

type_A - Red
type_B - Blue
type_C - Green

The problem is that sometimes category "type_A" is missing from one or more of my charts, and the category type_B gets its color (Red) instead of Blue. Here is my query:

<---Search-->
| stats dc(sessions) as Number_of_Sessions by type
| sort type
| eval type = type." - ".Number_of_Sessions

I will very much appreciate any help I get :-) Thank you
| eval zip=mvzip(Cluster, mvzip(Current, Max))
| mvexpand zip
| eval zip=split(zip, ","), Cluster=mvindex(zip, 0), Current=mvindex(zip, 1), Max=mvindex(zip, 2)
| eval threshold = Current / Max
| where threshold > 0.85
Hi @aditsss, what's the name of the first column? If it's "EBNCStatus", put the condition EBNCStatus=* at the end of the search. Ciao. Giuseppe
I forgot a pipe before stats. I need to cross the event_file field of the index (called NewProcessName) with the event_file field of the lookup.
Hi @danroberts, please try this:

| rex max_match=0 "(?<filename>OU_\w*\.\w*)"

Ciao. Giuseppe