Hi @AL3Z, for forwarders, you should have a list of all the UFs to monitor in a lookup called e.g. perimeter.csv, containing at least one field (host). Then you can run a search like the following:
| tstats count WHERE index=_internal BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
In this way you have the list of UFs not sending logs. If you want a table with all hosts with their status, you could run something like this:
| tstats count WHERE index=_internal BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| eval status=if(total=0,"Missing","Present")
Ciao. Giuseppe
Thank you very much, replaced where with search and that worked like a charm
Hi @merc14, probably you mean that you could have events without the productType; obviously these events aren't matched by the All (*) value. You could modify the input by adding an additional static value to search the events without productType. If you could share the input code, I can be more detailed. Ciao. Giuseppe
For UF, can you please provide the search to find all the hosts that contain a Forwarder?
You can't remove code from SPL based on input.  Nor does SPL allow for conditional execution.  The solution is to set the "All" value of $dropdown$ to a value that is valid for all productType values.  Often, this is "*".  It may be necessary to change where to search.
I have a search query that takes a search value from a drop down. Example: the drop down has the values All, A, B. The query uses
| where productType="$dropdown$"
How do I remove the where clause if All is selected? There is no productType of All.
Hi Team, I am trying to install the Machine Agent on a Unix machine hosted in AWS. Installation is fine; I can see the AppD Machine Agent service up and running. But it is not getting registered to the controller. When I check the logs, it shows a Timed out error. Is there anything specific I need to do for AWS EC2 instances that have machine agents installed there?
Oh wow, I really hadn't thought of that at all. I started the extraction via here and followed the steps shown: ...
Hi @AL3Z, can you run a script to check the process? Ciao. Giuseppe
For SE, it's not possible to access the interface or check if the Splunk process is active for all the other machines from my machine.
Change the time range of the search to start in July 2023.  That may be within the lift_activity_marco_1d macro.
Please share how the extracted_hostname field is extracted (with more detail than "via the GUI").  It sounds like the extraction makes an assumption that applies only with two-digit dates.
My Splunk instance is running in GMT and I want to schedule an alert as per China time.
*/5 21-23,0-13 * * 0-5
This is the cron. The logic is to trigger the alert every 5 minutes from Monday to Friday, 5 AM till 10 PM China time, but the alert is getting triggered on Sunday as well. How can we customise the cron?
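The post above mixes two clocks: the cron is evaluated in GMT while the intended window is Monday to Friday, 05:00 to 22:00 China time (UTC+8, no DST). The following is an added example, not code from the post: a small cron-field expander that lists every firing of the GMT schedule in one week, converts each to China time, and reports the ones outside the intended window; the week starting Sunday 2024-01-07 is a constructed choice.

```python
from datetime import datetime, timedelta, timezone

GMT = timezone.utc
CHINA = timezone(timedelta(hours=8))   # China Standard Time, no DST

def parse_field(field, lo, hi):
    # Expand one cron field ('*/5', '21-23,0-13', '0-5') into a set of integers.
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        else:
            a, _, b = rng.partition("-")
            start, end = int(a), (int(b) if b else int(a))
        values.update(range(start, end + 1, step))
    return values

def cron_sets(expr):
    # Minute, hour and weekday sets of a 5-field cron line; weekday 0 = Sunday.
    minute, hour, _dom, _mon, dow = expr.split()
    return parse_field(minute, 0, 59), parse_field(hour, 0, 23), parse_field(dow, 0, 6)

def week_firings(expr, start):
    # Every minute in the 7 days from `start` (a GMT datetime) at which `expr` fires.
    mins, hours, dows = cron_sets(expr)
    t, end, out = start, start + timedelta(days=7), []
    while t < end:
        if t.minute in mins and t.hour in hours and t.isoweekday() % 7 in dows:
            out.append(t)
        t += timedelta(minutes=1)
    return out

def in_china_window(t_gmt):
    # The intended schedule: Monday to Friday, 05:00 to 21:59 China time.
    local = t_gmt.astimezone(CHINA)
    return local.isoweekday() <= 5 and 5 <= local.hour <= 21

def off_window(exprs, start=datetime(2024, 1, 7, tzinfo=GMT)):
    # Firings (shown in China time) of the given GMT cron lines outside the intended window.
    # 2024-01-07 is a Sunday; any week works since the schedule is weekly.
    fired = sorted({t for e in exprs for t in week_firings(e, start)})
    return [t.astimezone(CHINA).strftime("%a %H:%M") for t in fired if not in_china_window(t)]

ORIGINAL = ["*/5 21-23,0-13 * * 0-5"]          # the cron from the post
# Two lines instead of one: the GMT evening part (Monday 05:00 China time is Sunday
# 21:00 GMT) runs Sunday to Thursday, the GMT daytime part runs Monday to Friday.
SPLIT = ["*/5 21-23 * * 0-4", "*/5 0-13 * * 1-5"]
```

The single line fires 204 times outside the window (Sunday 08:00 to 21:55 and Saturday 05:00 to 07:55 China time); the two split lines fire exactly the 1020 in-window times and nothing else.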
Hi @AL3Z, are you speaking of Splunk Enterprise or Splunk Universal Forwarder? If SE, you can try to access the interface or check if the Splunk process is active. If UF, you can see in Splunk if you have internal logs (index=_internal host=<your_host>), or check if the Splunk process is active. Ciao. Giuseppe
Hi, I am attempting to determine if Splunk is installed on all of our local systems within our environment. Is there a way to check this through Tags, the Windows Registry (regedit), or ParentProcessname or a PowerShell script? If so, could you please provide guidance on the process? Thanks
Hi @Dustem, you could save the results of your search in a summary index (using the collect command), then execute the alert on the summary index and trigger it if you have more than 3 results. Ciao. Giuseppe
I am experiencing the exact same issue in our deployment after upgrading from 9.0.5 to 9.1.0.2.  Most of the visualisations fail to load, and "Indexing Rate" and "Concurrent Searches" only show "N/A".  The new "Splunk Assist" banner at the top of the Overview page also fails to load. 
Hi, I've just come across this post and your trellised charts are very similar to something I am trying to achieve. I am new to Splunk and so may be missing something, but I can't replicate your layout. Is the XML you posted necessary to get the layout you have? This is my search:
index=felix_emea sourcetype="Felixapps:prod:log" Action = "Resp_VPMG"
| dedup EventIndex
| rex field=Message "^<b>(?<Region>.+)<\/b>"
| rex "Response Codes:\s(?<responseCode>\d{1,3})"
| rex field=Message ":\s(?<errCount>\d{1,4})$"
| bin _time span=1h
| stats count by _time, Region, responseCode
| eval {responseCode}=count
| fields - responseCode, region, count
This is a sample of my data:
Time                 responseCode  Region                 errCount
21/11/2022 09:46:07  912           VPMG - Wizink PRD-E5   14
21/11/2022 09:16:31  911           Moneta IBS via VPMG    8
21/11/2022 03:02:07  912           Moneta IBS via VPMG    129
21/11/2022 02:46:59  911           Moneta IBS via VPMG    92
20/11/2022 20:31:38  911           Moneta IBS via VPMG    16
20/11/2022 19:31:36  912           Moneta IBS via VPMG    32
20/11/2022 02:26:45  911           Addiko IBS via VPMG    7
And this is the visualisation I'm trying to achieve (this is done in Power BI): Is this achievable in Splunk? Thanks, Steve
Hi guys, I want to detect that more than 10 different ports of the same host are sniffed and scanned every 15 minutes and triggered 5 times in a row, then the alarm; if the same time period is triggered for three consecutive days, the alarm is triggered. The current SPL:
index="xx"
| bin _time span=15m
| stats dc(dest_port) as dc_ports by _time src_ip dest_ip
| where dc_ports > 10
| streamstats reset_on_change=true count as consecutive_triggers by src_ip dest_ip
| where consecutive_triggers>=5
Next, I don't know how to query the trigger for the same period for three consecutive days.
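The detection above has three stages: 15-minute windows with more than 10 distinct destination ports per source/destination pair, five such windows back to back, and the same time slot recurring on three consecutive days. As an added example (not the poster's SPL, and independent of Splunk), the code below runs the same three stages over constructed sample traffic; the IP addresses, ports and times are made up, and the run detector requires adjacent windows rather than merely ordered ones, which is the part streamstats alone does not check.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)

def sample_events():
    # Constructed sample traffic, not real data: (time, src_ip, dest_ip, dest_port).
    base = datetime(2024, 1, 1, 8, 0)
    ev = [(base, "10.0.0.7", "10.0.0.9", p) for p in (80, 443)]   # benign: 2 ports
    for day in range(3):              # scanner: 12 ports in each of 5 windows, 3 days running
        for win in range(5):
            for p in range(12):
                ev.append((base + timedelta(days=day, minutes=15 * win, seconds=p),
                           "10.0.0.5", "10.0.0.9", 1000 + p))
    return ev

def run_ends(values, step, length):
    # Values that close a run of `length` items spaced exactly `step` apart
    # (the streamstats-with-reset idea, but requiring adjacency, not just order).
    out, run, vals = [], 1, sorted(values)
    for prev, cur in zip(vals, vals[1:]):
        run = run + 1 if cur - prev == step else 1
        if run >= length:
            out.append(cur)
    return out

def hot_windows(events, min_ports=10):
    # bin _time span=15m | stats dc(dest_port) by _time src_ip dest_ip | where dc_ports > 10
    ports = defaultdict(set)
    for ts, src, dst, port in events:
        start = ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)
        ports[(src, dst, start)].add(port)
    return [k for k, v in ports.items() if len(v) > min_ports]

def consecutive_alerts(hot, n=5):
    # Five hot windows back to back for the same (src_ip, dest_ip) pair raise an alert.
    by_pair = defaultdict(list)
    for src, dst, t in hot:
        by_pair[(src, dst)].append(t)
    return [(s, d, t) for (s, d), ts in by_pair.items() for t in run_ends(ts, WINDOW, n)]

def three_day_repeats(alerts, days=3):
    # The step the post asks about: the same time-of-day slot alerting on consecutive days.
    by_slot = defaultdict(set)
    for src, dst, t in alerts:
        by_slot[(src, dst, t.time())].add(t.date())
    return sorted({(s, d, tod.isoformat()) for (s, d, tod), ds in by_slot.items()
                   if run_ends(ds, timedelta(days=1), days)})
```

On the sample data the benign host never produces a hot window, the scanner produces one alert per day at the 09:00 slot, and the three-day check reports that single (src_ip, dest_ip, slot) combination.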
We are using a query to get results based on the previous month and also a date range (dd-mm-yy). But in our query we only get results for the previous month, not for the date range (it is not accepting the double quotes ("") for the number, and when I remove the "" it is not accepting the string :( ). isnum is not working with "", and if I remove the "" the string is not working. Please suggest a solution; I tried different ways but nothing is working. The query we used, for reference:
| eval lnum=if(match("1690848000","^[@a-zA-Z]+"),"str","num"), enum=if(match("1688169600","[a-zA-Z]"),"str","num")
| eval latest=case(isnum(1690848000),(1690848000-60),"1690848000"="now",now(),"1690848000"="",now(),lnum!="str","1690848000",1=1,relative_time(now(), "1690848000"))
| eval earliest=case(isnum(1688169600),(1688169600-60),"1688169600"="0","0",enum!="str","1688169600",1=1,relative_time(now(), "1688169600"))
I want to have the same data for the previous month and also for the date range filters. This is the question.