| makeresults
| eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"
| spath input=json
| spath input=SYSINFO number_of_subinterfaces
| fields number_of_subinterfaces
| eval keys=json_array_to_mv(json_keys(number_of_subinterfaces),false())
| mvexpand keys
| eval value=json_extract(number_of_subinterfaces,keys)
| fields - _time number_of_subinterfaces
Why are you using IN when you only ever have one value? Try like this <query>index=$indexToken$ source="/aws/lambda/api-data-$stageToken$-$entityTokenFirst$" msg="data:invoke" | stats count</query>
I may be wrong, but I don't think the submit button will work in the form section. I think you'd want it in the fieldset like this:

<fieldset submitButton="true" autoRun="false">

For #3 - I'm not 100% sure what you're asking, but I think you mean that you'd want "*-test-target" and "*-test-product" if test is selected from environment and "*-prod-target"/"*-prod-product" if prod is selected? You can add conditions to change based on environment and use a base search to populate it. However, FYI this dropdown won't populate until after you hit submit if you leave the dropdown in the fieldset with the submit button.

<search id="token_base">
  <query>
    | makeresults
    | eval token_name="name,address,ALL,Target,Product"
    | eval token_name=split(token_name, ",")
    | stats count by token_name
    | fields - count
    | eval token_value=CASE(token_name="name", "name,0", token_name="address", "address,0", token_name="ALL", "ALL", token_name="Target", "$target_tok$", token_name="Product", "$product_tok$")
  </query>
</search>
<fieldset submitButton="true" autoRun="false">
  <input type="dropdown" token="indexToken1" searchWhenChanged="false">
    <label>Environment</label>
    <choice value="prod,prod">PROD</choice>
    <choice value="np,test">TEST</choice>
    <change>
      <condition value="prod,prod">
        <set token="target_tok">*-prod-target</set>
        <set token="product_tok">*-prod-product</set>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </condition>
      <condition value="np,test">
        <set token="target_tok">*-test-target</set>
        <set token="product_tok">*-test-product</set>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </condition>
    </change>
    <default>np,test</default>
  </input>
  <input type="dropdown" token="entityToken" searchWhenChanged="false">
    <label>Data Entity</label>
    <choice value="name,0">name</choice>
    <choice value="targetProduct,*-test-target">Target</choice>
    <choice value="product,*-test-product">Product</choice>
    <choice value="address,0">address</choice>
    <choice value="ALL">ALL</choice>
    <change>
      <condition value="ALL">
        <set token="entityTokenFirst">*</set>
      </condition>
      <condition>
        <!-- Split the value and set tokens for both parts -->
        <set token="entityLabel">$label$</set>
        <eval token="searchName">mvindex(split($value$, ","),1)</eval>
        <eval token="entityTokenFirst">mvindex(split($value$, ","),0)</eval>
      </condition>
    </change>
  </input>
  <input type="dropdown" token="example_tok">
    <label>Example dynamic dropdown</label>
    <search base="token_base">
      <query/>
    </search>
    <fieldForLabel>token_name</fieldForLabel>
    <fieldForValue>token_value</fieldForValue>
  </input>
  <input type="time" token="timeToken" searchWhenChanged="false">
    <label>Time</label>
    <default>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </default>
  </input>
</fieldset>
Is this doing what you're trying to do?

| makeresults
| eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"
| fromjson json
| fromjson SYSINFO
| fields number_of_subinterfaces
| fromjson number_of_subinterfaces
| fields - number_of_subinterfaces _time

Results:

Ethernet1 10
Ethernet2 20
Is your data exactly like this sample, with all those \" ?
Just to clarify - this is how the data is coming into your index/source and you're trying to manipulate it via SPL? It looks something like this, only an event vs a table? Just checking because I can't tell if this is one long string or an event that has multiple attributes. If it's an event, could you possibly take a screenshot? It looks like you'd have something where SYSINFO is the top level and each category below is another level. If that's the case, ideally you'd just have SYSINFO.number_of_subinterfaces as a field name you can table.
Sorry, I'm a little confused by what you want. Do you want the $entityTokenFirst$ to be set to an * when the user selects ALL? If so, add a condition to your change.

<input type="dropdown" token="entityToken" searchWhenChanged="false">
  <label>Data Entity</label>
  <choice value="name,0">name</choice>
  <choice value="targetProduct,*-test-target">Target </choice>
  <choice value="product,*-test-product">Product </choice>
  <choice value="address,0">address</choice>
  <choice value="ALL">ALL</choice>
  <change>
    <condition value="ALL">
      <set token="entityTokenFirst">*</set>
    </condition>
    <condition>
      <!-- Split the value and set tokens for both parts -->
      <set token="entityLabel">$label$</set>
      <eval token="searchName">mvindex(split($value$, ","),1)</eval>
      <eval token="entityTokenFirst">mvindex(split($value$, ","),0)</eval>
    </condition>
  </change>
</input>
Hi Experts, I have the following data.

{
  "TIMESTAMP": 1742677200,
  "SYSINFO": "{\"number_of_notconnect_interfaces\":0,\"hostname\":\"test\",\"number_of_transceivers\":{\"10G-LR\":10,\"100G-CWDM4\":20},\"number_of_bfd_peers\":10,\"number_of_bgp_peers\":10,\"number_of_disabled_interfaces\":10,\"number_of_subinterfaces\":{\"Ethernet1\":10,\"Ethernet2\":20},\"number_of_up_interfaces\":1}"
}

I would like to create the table below, but Ethernet1 or Ethernet2 is a dynamic key (it can be Ethernet3 or Ethernet4, for example).

Ethernet1 10
Ethernet2 20

Could someone tell me how to write a query to achieve this?
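As an added illustration (not code from any post in this thread), the same two-stage decode in Python: the outer JSON is parsed, SYSINFO is parsed a second time because it is a JSON document stored as a string, and a field whose keys are not known in advance is expanded into rows. It goes slightly beyond the question in that it also accepts SYSINFO already delivered as a nested object and works for any object-valued field, not only number_of_subinterfaces; the EVENT_* samples are constructed.

```python
import json

# Constructed copy of the event from the question: SYSINFO is a JSON document
# stored as a string inside the outer JSON, hence the escaped quotes.
EVENT_DOUBLE_ENCODED = r'''{"TIMESTAMP": 1742677200, "SYSINFO": "{\"number_of_notconnect_interfaces\":0,\"hostname\":\"test\",\"number_of_transceivers\":{\"10G-LR\":10,\"100G-CWDM4\":20},\"number_of_bfd_peers\":10,\"number_of_bgp_peers\":10,\"number_of_disabled_interfaces\":10,\"number_of_subinterfaces\":{\"Ethernet1\":10,\"Ethernet2\":20},\"number_of_up_interfaces\":1}"}'''

# Constructed variant in which SYSINFO arrives as a real nested object.
EVENT_NESTED = '{"TIMESTAMP": 1742677200, "SYSINFO": {"hostname": "test", "number_of_subinterfaces": {"Ethernet3": 5}}}'


def decode_sysinfo(event_text):
    """Return SYSINFO as a dict whether it was double-encoded (a JSON string,
    as in the question) or already a nested object."""
    sysinfo = json.loads(event_text)["SYSINFO"]
    if isinstance(sysinfo, str):
        # Second decode: the string itself is a JSON document.
        sysinfo = json.loads(sysinfo)
    if not isinstance(sysinfo, dict):
        raise ValueError("SYSINFO is neither an object nor a JSON-encoded object")
    return sysinfo


def key_value_rows(event_text, field="number_of_subinterfaces"):
    """Expand a field with dynamic keys (Ethernet1, Ethernet2, ...) into
    (key, value) rows; the Python counterpart of json_keys + mvexpand.
    A missing or non-object field yields no rows rather than an error."""
    sub = decode_sysinfo(event_text).get(field, {})
    if not isinstance(sub, dict):
        return []
    return list(sub.items())  # insertion order is preserved by json.loads
```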
Hi, I have a dashboard with a Data Entity dropdown. I want to add a dropdown value "ALL"; if I select ALL and hit the submit button, it should show for all data APIs, i.e. "/aws/lambda/api-data-$stageToken$-*".

<query>index=$indexToken$  source IN ("/aws/lambda/api-data-$stageToken$-$entityTokenFirst$") msg="data:invoke"

<form version="1.1" theme="dark" submitButton="true">
  <label>Stats</label>
  <fieldset>
    <input type="dropdown" token="indexToken1" searchWhenChanged="false">
      <label>Environment</label>
      <choice value="prod,prod">PROD</choice>
      <choice value="np,test">TEST</choice>
      <change>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </change>
      <default>np,test</default>
    </input>
    <input type="dropdown" token="entityToken" searchWhenChanged="false">
      <label>Data Entity</label>
      <choice value="name,0">name</choice>
      <choice value="targetProduct,*-test-target">Target </choice>
      <choice value="product,*-test-product">Product </choice>
      <choice value="address,0">address</choice>
      <change>
        <!-- Split the value and set tokens for both parts -->
        <set token="entityLabel">$label$</set>
        <eval token="searchName">mvindex(split($value$, ","),1)</eval>
        <eval token="entityTokenFirst">mvindex(split($value$, ","),0)</eval>
      </change>
    </input>
    <input type="time" token="timeToken" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Distinct Consumer Count</title>
      <single>
        <search>
          <query>index="np" source="**" | spath path=$stageToken$.nsp3s{} output=nsp3s | mvexpand nsp3s | spath input=nsp3s path=Name output=Name | spath input=nsp3s path=DistinctAdminUserCount output=DistinctAdminUserCount | search Name=$searchName$ | sort -_time | head 1 | appendpipe [ stats count | eval Name=if(count==0 OR isnull("$searchName$") OR "$searchName$"=="", "No NSP", "$searchName$") | fields DistinctAdminUserCount ]</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>Event Processed</title>
      <single>
        <search>
          <query>index="$indexToken$" source="publish-$entityTokenFirst$-$stageToken$-nsp" * Published to NSP3 objectType* | stats count</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Total Request :</title>
      <single>
        <search>
          <query>index=$indexToken$ source IN ("/aws/lambda/api-data-$stageToken$-$entityTokenFirst$") msg="data:invoke" | stats count</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
          <refresh>60m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="height">317</option>
        <option name="rangeColors">["0xcba700","0xdc4e41"]</option>
        <option name="rangeValues">[200]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</form>
Sorry, I should have included updated data. Here is a sample:

USER      JOBNAME  TRAN  TRANNUM  PHAPPLID  PHTRAN  PHTRANNO  USRCPUT_MICROSEC
          APP3     CSMI  43856    APP7      QZ81    70322     72
          APP5     CSMI  20634    APP7      QZ81    70322     8860
          APP7     QZ81  70322    APP3      QZ81    43836     16043
GPDCFC26  APP3     QZ81  43836                      0         897
          APP3     CSMI  41839    APP5      QZ61    15551     51
          APP3     CSMI  41838    APP5      QZ61    15551     64
          APP3     CSMI  41837    APP5      QZ61    15551     79
          APP5     QZ61  15551    APP3      QZ61    41835     5232
GOTLIS12  APP3     QZ61  41835                      0         778
          APP5     QZ61  12       APP3      QZ61    1         5232
GOTLIS12  APP3     QZ61  1                          0         778
          APP5     CSMI  111      APP7      QZ81    110       8860
          APP7     QZ81  110      APP3      QZ81    100       16043
ABCDEF    APP3     QZ81  100                        0         897
Most of those questions are not about Splunk but about the other end - the Kaspersky solution. You should consult their support/community/docs. The only question related to Splunk is the last one, and the general answer is - don't do it directly on a Splunk component. Use an external syslog daemon - syslog-ng, rsyslog, SC4S - and either send to a HEC input on Splunk or write to files and read those files with a UF.
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf#Remote_applications_configuration_.28e.g._SplunkBase.29 This section lists all URLs Splunk uses for listing apps from Splunkbase and checking for updates.
Yes, rulesets are the only stuff that works on parsed data.
Hi, the submit button is not working.

1. The first time I load the dashboard, I select a Data Entity from the dropdown and hit the submit button. It works and fetches the result for that selected Data Entity.
2. The second time, I select another entity from the dropdown without hitting the submit button; the search starts running for the selected dropdown value and gets the result. Help needed to fix it.
3. In the choice value field, "*-test-target" or "*-test-product" should be auto-populated with test or prod based on Env ($stageToken$):

      <label>Data Entity</label>
      <choice value="name,0">name</choice>
      <choice value="targetProduct,*-test-target">Target </choice>
      <choice value="product,*-test-product">Product </choice>

<form version="1.1" theme="dark" submitButton="true">
  <label>Stats</label>
  <fieldset>
    <input type="dropdown" token="indexToken1" searchWhenChanged="false">
      <label>Environment</label>
      <choice value="prod,prod">PROD</choice>
      <choice value="np,test">TEST</choice>
      <change>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </change>
      <default>np,test</default>
    </input>
    <input type="dropdown" token="entityToken" searchWhenChanged="false">
      <label>Data Entity</label>
      <choice value="name,0">name</choice>
      <choice value="targetProduct,*-test-target">Target </choice>
      <choice value="product,*-test-product">Product </choice>
      <choice value="address,0">address</choice>
      <change>
        <!-- Split the value and set tokens for both parts -->
        <set token="entityLabel">$label$</set>
        <eval token="searchName">mvindex(split($value$, ","),1)</eval>
        <eval token="entityTokenFirst">mvindex(split($value$, ","),0)</eval>
      </change>
    </input>
    <input type="time" token="timeToken" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Distinct Consumer Count</title>
      <single>
        <search>
          <query>index="np" source="**" | spath path=$stageToken$.nsp3s{} output=nsp3s | mvexpand nsp3s | spath input=nsp3s path=Name output=Name | spath input=nsp3s path=DistinctAdminUserCount output=DistinctAdminUserCount | search Name=$searchName$ | sort -_time | head 1 | appendpipe [ stats count | eval Name=if(count==0 OR isnull("$searchName$") OR "$searchName$"=="", "No NSP", "$searchName$") | fields DistinctAdminUserCount ]</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>Event Processed</title>
      <single>
        <search>
          <query>index="$indexToken$" source="publish-$entityTokenFirst$-$stageToken$-nsp" * Published to NSP3 objectType* | stats count</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Total Request :</title>
      <single>
        <search>
          <query>index=$indexToken$ source IN ("/aws/lambda/api-data-$stageToken$-$entityTokenFirst$") msg="data:invoke" | stats count</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
          <refresh>60m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="height">317</option>
        <option name="rangeColors">["0xcba700","0xdc4e41"]</option>
        <option name="rangeValues">[200]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</form>
Hi everyone, I am trying to configure Kaspersky Security Center to forward logs to Splunk using Syslog over TLS. However, I need some guidance on the following points:

1. How can I configure Kaspersky Security Center to send logs via Syslog over TLS?
2. What are the steps to generate the necessary certificates for this setup?
3. Which certificate formats or file extensions does Kaspersky Security Center accept for TLS encryption?
4. Are there any specific configurations required on the Splunk side to properly receive and parse these logs over TLS?

I would appreciate any insights, best practices, or documentation references that could help. Thank you in advance!
Please provide new sample data that better represents your actual situation so we might be better able to assist you.
Thanks @PickleRick - it worked out:

[set_custom_host]
REGEX = /TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,3})-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log
FORMAT = host::$1
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Source
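An added way to check a stanza like this offline before it is deployed (example code, not the poster's configuration): the REGEX is applied to constructed source paths with Python's re, which agrees with Splunk's PCRE for this pattern, and the $1 reference in FORMAT is expanded by hand. Sources that do not match keep the default host, including a filename with more than four dash-separated parts before the IP address, which this regex deliberately does not cover.

```python
import re

# The transforms.conf stanza from the post, embedded here as constructed text.
STANZA = r"""
[set_custom_host]
REGEX = /TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,3})-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log
FORMAT = host::$1
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Source
"""


def parse_stanza(text):
    """Read KEY = VALUE lines of one stanza into a dict (the stanza header is skipped)."""
    settings = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def apply_transform(settings, source, default_host):
    """Emulate the transform on MetaData:Source: when REGEX matches, expand
    $N in FORMAT from the capture groups and return the new host value;
    otherwise the event keeps the host it already had."""
    match = re.search(settings["REGEX"], source)
    if not match:
        return default_host
    key, template = settings["FORMAT"].split("::", 1)
    value = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)
    # Only a host:: FORMAT with DEST_KEY MetaData:Host changes the host field.
    if key != "host" or settings.get("DEST_KEY") != "MetaData:Host":
        return default_host
    return value
```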
Hi @MichaelM1

You're right that applying the _meta on the WinEventLog props stanza on the IF may double stamp it if it has already been applied on the UF; this is why we need to use the INGEST_EVAL with the COALESCE eval so that if it already exists then it will use the existing value, else it uses a default value. I am a bit confused as to why the props/transforms you applied did not work though. Does it apply to any of the data (e.g. just the IF's own data being sent)? You may wish to add a 3rd "debug" field to see if that gets applied to any of your data that reaches the indexers.

One thing I don't think I asked which is probably pretty important... is your IF a HF or UF? I have been testing using HF as the IF. @PickleRick you mentioned this wouldn't work if the data comes from a HF. I think @MichaelM1 is sending from a UF here; however, in my testing I tried HF->IDX with the INGEST_EVAL transform on the IDX and this does work, despite the data already being parsed by the HF. I'm fairly sure I've used INGEST_EVAL plenty of times on parsed data but I will double check, perhaps I was using it on a RULESET instead.

@MichaelM1 Let me know if your IF is a UF/HF so I can update my testing. We will beat this...! Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Thanks, that is really close, but the problem is I can't use PHTRAN to group them; that ID appears heaps in the data. The grouping needs to be based on TRANNUM, so 43836 is the initial transaction; it starts 70322, which then runs the first 9. This could be 4-5 layers deep. How do I handle that and get totals at the highest level?
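An added worked example of the roll-up described above (not code from the thread): the rows from the sample posted earlier are linked child to parent and CPU is summed up to the top-level transaction at any depth. It assumes a transaction is identified by (JOBNAME, TRAN, TRANNUM) and its parent by (PHAPPLID, PHTRAN, PHTRANNO), with PHTRANNO = 0 marking the top level; SAMPLE_ROWS is transcribed from that post.

```python
from collections import defaultdict

# Transcribed from the sample in the earlier post; columns are
# (USER, JOBNAME, TRAN, TRANNUM, PHAPPLID, PHTRAN, PHTRANNO, USRCPUT_MICROSEC).
SAMPLE_ROWS = [
    ("",         "APP3", "CSMI", 43856, "APP7", "QZ81", 70322, 72),
    ("",         "APP5", "CSMI", 20634, "APP7", "QZ81", 70322, 8860),
    ("",         "APP7", "QZ81", 70322, "APP3", "QZ81", 43836, 16043),
    ("GPDCFC26", "APP3", "QZ81", 43836, "",     "",     0,     897),
    ("",         "APP3", "CSMI", 41839, "APP5", "QZ61", 15551, 51),
    ("",         "APP3", "CSMI", 41838, "APP5", "QZ61", 15551, 64),
    ("",         "APP3", "CSMI", 41837, "APP5", "QZ61", 15551, 79),
    ("",         "APP5", "QZ61", 15551, "APP3", "QZ61", 41835, 5232),
    ("GOTLIS12", "APP3", "QZ61", 41835, "",     "",     0,     778),
    ("",         "APP5", "QZ61", 12,    "APP3", "QZ61", 1,     5232),
    ("GOTLIS12", "APP3", "QZ61", 1,     "",     "",     0,     778),
    ("",         "APP5", "CSMI", 111,   "APP7", "QZ81", 110,   8860),
    ("",         "APP7", "QZ81", 110,   "APP3", "QZ81", 100,   16043),
    ("ABCDEF",   "APP3", "QZ81", 100,   "",     "",     0,     897),
]


def build_tree(rows):
    """Index each row by its own id (JOBNAME, TRAN, TRANNUM) and attach it to the
    parent named by (PHAPPLID, PHTRAN, PHTRANNO). PHTRANNO == 0 marks a root
    (the user-initiated transaction); assumption, see lead-in."""
    by_id, children, roots = {}, defaultdict(list), []
    for row in rows:
        user, job, tran, trannum, phapplid, phtran, phtranno, cpu = row
        me = (job, tran, trannum)
        by_id[me] = row
        if phtranno == 0:
            roots.append(me)
        else:
            children[(phapplid, phtran, phtranno)].append(me)
    return by_id, children, roots


def rollup(node, by_id, children, seen=None):
    """Total USRCPUT_MICROSEC for a node plus all descendants at any depth,
    returned with the depth of the subtree. 'seen' stops a malformed chain
    that loops back on itself from recursing forever."""
    seen = set() if seen is None else seen
    if node in seen or node not in by_id:
        return 0, 0
    seen.add(node)
    total, depth = by_id[node][7], 0
    for child in children.get(node, []):
        sub_total, sub_depth = rollup(child, by_id, children, seen)
        total += sub_total
        depth = max(depth, sub_depth + 1)
    return total, depth


def totals_by_root(rows):
    """Map each top-level transaction (USER, TRANNUM) to (total_cpu, depth)."""
    by_id, children, roots = build_tree(rows)
    return {(by_id[r][0], r[2]): rollup(r, by_id, children) for r in roots}
```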
Thank you. If a user wants to download apps from Splunkbase and install new updates, which internet endpoints need to be accessible?