Hi, as @gcusello said, you could try to create a support case, or maybe a better way is to create an idea on https://ideas.splunk.com. Splunk's product managers follow that forum and maybe they will react to it? r. Ismo
Thank you for such a detailed explanation.
Hi @kamlesh_vaghela, it works as expected. Thank you very much for your assistance.
Hi @paulkilpatrick, the Splunk Add-on for Amazon Web Services (AWS) is directly maintained by Splunk itself, so I'm not sure that it's possible to contribute to its improvement; probably you could create your own branch, but outside of this product's name. Eventually you could try to open a non-technical use case with Splunk Support to be sure about this. Ciao. Giuseppe
Hello, we have made a few updates to the Splunk_TA_AWS and have a few more ideas we want to implement, but are finding it harder and harder when upgrades come out to migrate and merge those changes. Is there any way to contribute to the Splunk_TA_AWS add-on via some pull requests? I found this GitHub page, but it is 8 years old, has no PRs or issues etc. (and is way behind the current 7.x version): https://github.com/splunk-apps/splunk-aws-addon Thanks
Hi @lucky, for rex beginners I have created this YouTube playlist. Please check it, thanks. https://www.youtube.com/watch?v=rXT35CnWorw&list=PLIJcAov3YzES8PJSX8gZ8cTHWsjh8KeyG The YouTube channel link is: https://www.youtube.com/@SiemNewbies101
Hi @AMAN0113, if you didn't do any customization you can directly upgrade to the latest version. You can update using the deployment method you have in use: Deployment Server or manually. Only one check: if you enabled inputs in the local folder there will be no problem; if you enabled them in the default folder (there's someone that does it), remember to enable the requested inputs. Ciao. Giuseppe
We have Splunk Add-on for Unix and Linux 8.2.0 installed and need to upgrade it to the latest version (8.10.0). I request someone to help: can I directly upgrade it to 8.10, or should there be an incremental upgrade? Is there any feature that will be affected in my existing setup due to the upgrade? Also, what are the steps that should be taken while I perform this so as to not lose any of my existing configs? Is there any documentation for this?
| rex "uriTemplate\":\"(?<uri>[^\"]+)"
Hi,
"citiuuid":"3faa9e6e-c66d-4e52-898e-207219e87d9a","uriTemplate":"/v1/security/onlineBanking/registrations/status","method":"GET","apiStartTimestamp":1694413789916,
I need to extract the uriTemplate field. Please help with this.
Hi, as this sounds like you are asking for the answer to your course lab, I'll just give you pointers to where you can find the answers.
https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Enableareceiver
https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/WhatSplunkcanmonitor
https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Aboutforwardingandreceivingdata
I suppose that your course material should also give the answer to what is missing/wrong in your configuration and how to debug it. One comment on security: you should never run the UF as root on the source node. Also don't use root as Splunk's internal admin user, and never use the same password that you have at OS level. r. Ismo
Hi, as those are Splunk's own scripts and they should fix those by themselves, I said that the easiest way to get rid of those is just to add e.g. this to your SPL:
| rex field=value "exited\s+with\s+code\s+(?<exit_status>\d+)"
``` Add this one line ```
| where (script != ".$SPLUNK_HOME/etc/apps/splunk-dashboard-studio/bin/save_image_and_icon_on_install.py" AND script != ".$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py")
| stats first(started) as started, first(stopped) as stopped, first(exit_status) as exit_status by script, stanza
r. Ismo
@jabezds - Please check what is on line no. 13 of the umbrella_dashboard_api_client.py file. I think that's what is causing this error.
Hello Noopur, thanks for your response. We tried https://fra-ana-api.saas.appdynamics.com:443/_ping and it responded back with pong as you suggested. So is it still fine if we get the posted error in the logs? BR, Abhiram
This is a very common question: there is no data in Splunk for d and e, so you need to tell Splunk that you want information about hosts it does not know about. The most normal way to do this is to create a lookup with your (5?) hosts in, e.g. my_hosts.csv:
host
a
b
c
d
e
then do your search
index=linux [ | inputlookup my_hosts.csv ]
| timechart span=1week eval(avg(CPU) * avg(MEM)) BY host
| appendcols [ | inputlookup append=t my_hosts.csv | eval {host}=0 | fields - host | stats max(*) as * ]
| filldown
which will make the timechart and then add columns for each of the missing hosts.
Hi @darphboubou, I haven't got event samples so I cannot see the fields in the Interesting Fields panel. So, running the main search
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit"
which fields do you have in the Interesting Fields panel? Choose the ones to use for stats searches: e.g. if you want the count per user or per host, you could run something like:
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | stats count BY user
or
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | chart count OVER user BY host
then choose the fields to display in a table search:
index=windows EventCode=3000 source="WinEventLog:Microsoft-Windows-SMBServer/Audit" | table _time host user domain action ...
As I said, the most valuable job is to know what to search; then you can learn how to search in Splunk using the Search Tutorial. Saving these searches in different dashboard panels, you'll have your dashboard to monitor your use case. Ciao. Giuseppe
@isoutamo, sorry for the late response. I am not sure on that part; I guess they use this: "hybrid public key encryption". I did install Decrypt2 on Splunk but I'm not sure how that works.
> if the search result of "past days count=0 and today count>0" then trigger another search to show count >0 log as _time field1 _raw
Yes, that's exactly what a subsearch can do.
index=... earliest=-3d@d [search index=... earliest=-3d@d
| bin _time span=1d@d
``` Calculates the count for a field by day ```
| stats count by field _time
``` Now calculate today's value and the total ```
| stats sum(eval(if(_time=relative_time(now(), "@d"),count, 0))) as today sum(count) as total by field
``` And set a field to be TRUE or FALSE to alert ```
| where today > 0 AND total - today == 0
| fields field]
This use of subsearch is very inefficient. Efficiency aside, I highly doubt that raw events are of value in an e-mail alert if today's findings are going to be more than a couple of events. If I were to receive an alert like this, I would rather it simply told me which fields are triggering this behavior so I can go back to a search window, a dashboard or a report to review event details. If I really wanted a little more in the e-mail itself, an aggregation of a handful of the most relevant fields. If there are only ever going to be a couple of events that satisfy the criteria, you can use an alternative to produce an ordered list of _raw, provided it is really desirable to the recipients.
index=... earliest=-3d@d
| bin _time span=1d@d
``` Calculates the count for a field by day ```
| stats count list(_raw) as _raw by info _time
``` Now calculate today's value and the total ```
| stats list(_raw) as _raw sum(eval(if(_time=relative_time(now(), "@d"),count, 0))) as today sum(count) as total by info
``` And set a field to be TRUE or FALSE to alert ```
| where today > 0 AND total - today == 0
This way, you don't need to run two searches sequentially. BTW, last time I used the field name "info" in place of "field". This is corrected.
Hi Splunkers, I need some help with a timechart query please.
index=linux host IN (a,b,c,d,e) | timechart span=1week eval(avg(CPU) * avg(MEM)) BY host
This works well if there is at least one event per host. But I want to show a zero value when there are no events for a particular host. Is that possible? E.g. I have events only for a, b and c but still want to show zero for the d and e hosts.
@Akmal57, I think you should remove the numbering before stats. Can you please try this?
YOUR SEARCH
| rex field=ip_addr "(?<ip>\d+\.\d+\.\d+\.\d+)"
| stats values(ip) as ip by hostname
My sample search:
| makeresults
| eval _raw="hostname,ip_addr
Host A,1) 10.0.0.0
Host A,2) 10.10.10.1
Host A,3) 10.0.0.2
Host B,1) 192.1.1.1
Host B,2) 172.1.1.1"
| multikv forceheader=1
| table hostname,ip_addr
| rex field=ip_addr "(?<ip>\d+\.\d+\.\d+\.\d+)"
| stats values(ip) as ip by hostname
I hope this will help you. Thanks, KV. If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.