Thanks @gcusello!! But those are Single Line Events, so I can't perform REX before stats.
Hi @Newbie_punk, SPL (Splunk Programming Language) isn't a procedural language, so you don't have a construct like if-then-else. But you can assign a value to a field based on the condition you defined, e.g. if the same field has different names (e.g. metricA and metricB), you can use:

index=aData OR index=bData | eval metric=coalesce(metricA,metricB) | table metric

or use the if condition in the eval command:

index=aData OR index=bData | eval metric=if(index=="aData",metricA,metricB) | table metric

Adapt this approach to your condition. Ciao. Giuseppe
Hi @Thulasinathan_M, did you try to invert the two commands?

index=xxx | bin span=1h _time | rex "(?<Events>(\<Interested.*)((\n.*)?)+\<Ends Here\>)" | stats values(Events) AS Events BY _time

In addition, when you use _time as a grouping key, always use a bin command to group _time values or use the timechart command, otherwise you'll have too many results. Ciao. Giuseppe
Hi @mofonguero, as I said, disable any personal firewall you have. Then look in "C:\Program Files\Splunk\var\log\splunk" to see if there's any log file about the installation. Ciao. Giuseppe
Hi Splunk Experts, I'm trying to list all the events on the same timestamp and capture only the required lines. But I'm not getting the expected results; it seems like there is no "\n" in the aggregated event even though it breaks into new lines. Kindly shed some light. Thanks in advance!!

I've events something like below, after aggregating them by _time:

Line1 blablabla
Line2 blablabla
<Interested line1>
<Interested line2>
<Interested line3>
<Ends Here>
Unwanted Line blablabla

Query Using:

index=xxx | reverse | stats list(_raw) as raw by _time | rex field=raw "(?<Events>(\<Interested.*)((\n.*)?)+\<Ends Here\>)"

Result for the Above query:

<Interested line1>
Hi all, I created a lookup 6 months ago and now I have hundreds of lookups and I forgot its name. I am looking for which lookup an IP address is in, but I couldn't find a way to do this. I want to find out which lookup an IP address is in. Any help would be appreciated!
We do have access to all the logs; we have PowerShell, Sysmon and Linux ... We need to know whether any user is uploading files through PowerShell or Sysmon or any data source that the SOC can usually monitor. We need to create a dashboard that shows any file activity. @ITWhisperer thank you in advance
index=winsec sourcetype=XmlWinEventLog EventCode=4743 NOT SubjectUserName="Win_Dir"
| bin _time span=5m
| stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(TargetUserName) as Computer_user_deleted, values(TargetDomainName) as User_Domain, dc(TargetUserName) as computeruser_count by _time SubjectUserName
| rename SubjectUserName as Deleted_by_User
| where computeruser_count > 10
| append [search index=winsec sourcetype=XmlWinEventLog EventCode=4726 NOT (SubjectUserName = "EC_Okta")
    | bin _time span=5m
    | stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(object) as User_account_deleted, dc(object) as User_account_deleted_count by _time, SubjectUserName
    | rename SubjectUserName as src_user
    | where User_account_deleted_count > 10]
| append [search index=winsec sourcetype=XmlWinEventLog EventCode=4725 NOT (SubjectUserName = "EC_Okta" OR SubjectUserName = "Win_Dir")
    | bin _time span=5m
    | stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(TargetUserName) as disabled_account, values(TargetDomainName) as User_Domain, dc(TargetUserName) as disabledaccount_count by _time SubjectUserName
    | rename SubjectUserName as src_user
    | where disabledaccount_count > 10]
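The same per-actor, 5-minute threshold logic as the query above, written as an added Python example that is not part of the original post; the event codes, excluded accounts and the "> 10" cutoff mirror the SPL, and the sample events (actors, targets, timestamps) are constructed:

```python
# Added example (not from the forum post): the same per-actor, 5-minute
# threshold logic as the SPL above, over constructed Windows Security events.
# Field names (EventCode, SubjectUserName, TargetUserName) mirror the query.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Event codes the query watches and the service accounts it excludes, as in the post
WATCHED = {4743: "computer account deleted", 4726: "user account deleted",
           4725: "user account disabled"}
EXCLUDED = {4743: {"Win_Dir"}, 4726: {"EC_Okta"}, 4725: {"EC_Okta", "Win_Dir"}}
THRESHOLD = 10   # the query's "where ..._count > 10"
SPAN = 300       # bin _time span=5m, in seconds

def bucket(ts: str) -> int:
    """Floor an ISO-8601 timestamp to the start of its 5-minute bin (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts).timestamp())
    return epoch - epoch % SPAN

def find_mass_changes(events):
    """Return sorted (bin_start, code, actor, distinct_targets) tuples over THRESHOLD."""
    targets = defaultdict(set)   # (bin, code, actor) -> distinct targets, like dc()
    for e in events:
        code = e["EventCode"]
        if code not in WATCHED or e["SubjectUserName"] in EXCLUDED[code]:
            continue
        targets[(bucket(e["_time"]), code, e["SubjectUserName"])].add(e["TargetUserName"])
    return sorted((b, c, a, len(t)) for (b, c, a), t in targets.items() if len(t) > THRESHOLD)

# Constructed sample events (hypothetical actors and targets), all inside one bin:
# admin.jane deletes 12 users (should alert), EC_Okta deletes 15 (excluded by the
# query), helpdesk disables 3 (below threshold).
BASE = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)

def ev(code, actor, target, offset_s):
    return {"_time": (BASE + timedelta(seconds=offset_s)).isoformat(),
            "EventCode": code, "SubjectUserName": actor, "TargetUserName": target}

SAMPLE = ([ev(4726, "admin.jane", f"user{i}", 5 * i) for i in range(12)]
          + [ev(4726, "EC_Okta", f"leaver{i}", 5 * i) for i in range(15)]
          + [ev(4725, "helpdesk", f"user{i}", 5 * i) for i in range(3)])

if __name__ == "__main__":
    for b, code, actor, n in find_mass_changes(SAMPLE):
        when = datetime.fromtimestamp(b, tz=timezone.utc).isoformat()
        print(f"{when} {actor}: {n} distinct targets ({WATCHED[code]}, EventCode {code})")
```

Note that, like the SPL, the count is of distinct targets per bin, so an actor whose deletions straddle a 5-minute boundary may stay under the threshold in both bins.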
Describing problems in generic terms is not always helpful as it just leads to more questions about what you are trying to do and with what. For example, one way of interpreting what you have said could be resolved like this:

<search indexA> | appendpipe [|stats count as _count | where _count = 0 | search indexB]
Hello Giuseppe, as far as I know I only have basic configurations in my firewall and anti-virus; however, if there are any specific settings that you might know, please let me know. I am not blocking any ports that could prevent me from downloading it either. It starts downloading but then it stops prematurely and rolls back. I tried downloading it on my desktop, then used a VM with a Linux OS and it didn't work either. Yes, I am trying to download the latest version and tried different versions too. It seems like this is not for me.
The best solution will depend on some other characteristics of the two datasets, and what exactly you plan to do with the surviving data. A generic approach, however, is to use exactly "OR". The idea is to retrieve all data, then retain data from one of the indices. Suppose you REALLY want to present all raw data (instead of using stats for presentation), you can do:

index IN (aData, bData) <other criteria> | eventstats values(index) as indices | where index = mvindex(indices, 0)
Hello, I'm trying to figure out how I can use a kind of if...else condition in my Splunk query. I've set up two metrics, which are sending data to Splunk. Each metric has a different index value. For example: for Metric A the index is "index=aData" and for Metric B the index is "index=bData". Currently in Splunk I'm seeing duplicate data because both metrics are sending the same value. So what I'm trying to achieve is:
1. First look for data coming from "index=aData"
2. If able to see data from index "aData", show me the results
3. Else check the data from "bData" (not looking for an "OR" condition)
Results should show the data only from 1 index to avoid duplication.
I'm asking if AppDynamics requires any sort of maintenance to prevent any possible downtime. For example, some applications I have supported require a periodic log cleanup on the server to prevent space exhaustion, so I want to know if there are any maintenance practices needed to ensure the AppDynamics monitoring solution never goes down.
I don't mean real-time searches but the real-time schedule type. That's the type of schedule that would skip time windows, unlike the continuous schedule, which would continue where it left off. That's why I used longer search windows, so if a few runs are skipped, I would still query all logs from the downtime period. The name is very confusing, TBH.
Quite interesting advice! A real-time search/alert reserves one core on all search peers. This means that you couldn't run more than the number of cores of an individual search peer, minus the 3-4 which are used for ingesting and running Splunk's other core services. In the long run this leads to a situation where you run out of resources and you cannot use Splunk for anything else! Actually I haven't been in a situation where I have had to run a real-time alert. Usually there are ways to use a scheduled alert instead of real time. r. Ismo
Thanks ITWhisperer. This works. In the past I was adding () around my search strings, due to which it didn't work. Here's the correct way to define the input dropdown; I added values as follows:

<input type="dropdown" token="ip_family" searchWhenChanged="true">
  <label>IP Family</label>
  <choice value="&quot;Foo&quot; OR &quot;Bar&quot;">option1</choice>
  <choice value="&quot;Boo&quot; OR &quot;Baz&quot;">option2</choice>
</input>
See my answer.  The accepted answer is useless.
Hi @akulg, as I said, if you already ingested data, you only have to create your searches and save them as dashboard panels. You could also get help if there's an app in Splunkbase (splunkbase.splunk.com) for the technology you have to monitor; in this way you can use those dashboards or use them as a starting point to create your own. Otherwise you have to create them from scratch: remember that the main difficulty in Splunk isn't creating the search but understanding what to search; in other words, you have to know the logs to monitor well, to extract fields, understanding values and choices. Ciao. Giuseppe