The query returns no results no matter if the text field is empty or not. I've removed the entry below from the search, so I know the rest of the search works:

    where if ($PhoneNumber$ ="*", (like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$phonenumber$%"

So many problems in your description.

First of all, the above search misspells the token name as $phonenumber$ in the second value when your input defines a token named PhoneNumber (with camel case). If that's the search in your panel, Splunk will be "waiting for input" no matter what you do.

Secondly, if you correct the token name, the if function contains several misplaced parentheses that will give a syntax error. If you want to include SPL snippets in a question, do not make volunteers guess what you actually meant. It is fair to modify your samples to conceal sensitive info. But make sure the sample is error free. Correcting for the two obvious errors, your example will look like

    where if ($PhoneNumber$ ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$PhoneNumber$%"))

Here is problem 3: if you enter no text, Splunk not only returns nothing, but will also give you an error

    Error in 'where' command: The expression is malformed. An unexpected character is reached at '* ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%*%"))'.

In an evaluation context (which the where command uses), if you want to use a token as a literal string, you must quote it. Correcting for this 3rd error, you get

    where if ("$PhoneNumber$" ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$PhoneNumber$%"))

While this gives you output when you enter nothing into the input, it has a 4th problem that you can diagnose using @PickleRick's suggestion by clicking the magnifying glass: your second value in the if function misspells the field name Wireless number and descriptions - "number" is spelled with a capital N. I deduce that your field name contains the word "number" in lower case because you said when you enter a valid phone number your mistaken dashboard still returns nothing. (Also because in the rest of the search you used all-lower-case "number".) So, the least you can change to is

    where if ("$PhoneNumber$" ="*", like('Wireless number and descriptions',"%"),like('Wireless number and descriptions',"%$PhoneNumber$%"))

However, the first value in the expression is a waste because like('Wireless number and descriptions',"%") always evaluates to true. You should tell the compiler to just do so.

    where if ("$PhoneNumber$" ="*", true(), like('Wireless number and descriptions',"%$PhoneNumber$%"))

But then, why invoke the if function if you can just use a search term? How about

    index="cellulardata" "Wireless number and descriptions" = "*$PhoneNumber$*"
    | eval Type=if(like(lower('Charge description'), "%text%") OR like(lower('Charge description'), "%ict%"), "Text", "Voice")
    | eval Direction=if (Type="Voice" AND 'Called city_state' = "INCOMING,CL","Incoming","Outgoing")
    | eval datetime=Date." ".Time
    | eval _time=strptime(datetime,"%m/%d/%Y %H:%M")
    | eval DateTime=strftime(_time, "%m/%d/%y %I:%M %p")
    | eval To_from=replace(To_from,"\.","")
    | table DateTime, "Wireless number and descriptions", To_from, Type, Direction
    | rename "Wireless number and descriptions" as Number
    | sort -DateTime
Many thanks for your reply. Maybe I could add some clarity to the exact results I want:

First inner search:

    index=wineventlog source=wineventlog:security EventCode=4663 Object_Name="*hello.exe" Process_Name="*welcome.exe"
    | table _time ComputerName Object_Name Process_Name

    _time                ComputerName  Object_Name      Process_Name
    2025-03-19 12:00:00  ABCDE         \ABC\hello.exe   welcome.exe

Next, when I search EventCode=4688, this is a sample search and outcome:

    index=wineventlog source=wineventlog:security EventCode=4688 Process_Name="*welcome.exe"
    | table _time ComputerName Process_Name Initiating_Process_Name

    _time                ComputerName  Process_Name  Initiating_Process_Name
    2025-03-19 12:00:00  ABCDE         welcome.exe   cmd.exe

WHAT I WANT: I want to feed this into the next search in EventCode=4688 to identify the Process_Name and subsequently link it to the Initiating_Process_Name that appears as a result of the above search, i.e. the final outcome I want:

    _time                ComputerName  Object_Name      Process_Name  Initiating_Process_Name
    2025-03-19 12:00:00  ABCDE         \ABC\hello.exe   welcome.exe   cmd.exe

The issue is, EventCode=4688 only has Process_Name and Initiating_Process_Name and NO Object_Name, while EventCode=4663 only has Object_Name and Process_Name and NO Initiating_Process_Name. The common linking factor would be the Process_Name to correlate these two events together.

How can I do this?
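One way to join the two event codes on Process_Name in a single search, as an added example that is not part of this thread: it assumes both events carry ComputerName, and that Process_Name in 4688 may be a full path, so the basename is normalized before grouping (constructed example, not the poster's own search).

```spl
index=wineventlog source=wineventlog:security
    ((EventCode=4663 Object_Name="*hello.exe" Process_Name="*welcome.exe")
     OR (EventCode=4688 Process_Name="*welcome.exe"))
| eval proc=lower(mvindex(split(Process_Name, "\\"), -1))
| stats min(_time) as _time
        values(Object_Name) as Object_Name
        values(Initiating_Process_Name) as Initiating_Process_Name
        dc(EventCode) as event_codes
  by ComputerName proc
| where event_codes=2
| rename proc as Process_Name
| table _time ComputerName Object_Name Process_Name Initiating_Process_Name
```

The dc(EventCode)=2 filter keeps only host/process pairs seen in both a 4663 and a 4688 event; if the two events share a process ID field in your extraction, add it to the by clause for a tighter match than the process name alone.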
How can I leverage Splunk Cloud to:

- Monitor System Health & Performance: track uptime, downtime, and resource utilization (CPU/memory) of essential infrastructure.
- Enhance Endpoint & Network Security: analyze firewall activity, VPN connections, and endpoint protection status.
- Utilize UEBA: identify unusual user behavior that may signal insider threats or compromised accounts.
- Visualize Threat Response Metrics: build dashboards to track the time taken for threat detection, investigation, and resolution.
- Analyze Cyberattack Patterns: create dashboards to identify attack sources, detect trends, and refine mitigation strategies.
Thanks for a quick reply. I have already validated that as well; the cert file is in the correct order. Here is an interesting finding: reading through https://docs.splunk.com/Documentation/Splunk/latest/admin/webconf I noticed the "Default" path values. I have replaced the cert/key in the default location with the same files I am attempting to link through the explicit path, and splunk loaded them correctly, with the WebUI becoming accessible. So this seems to point to the way the path to the cert/key is defined in my config? I have attempted a 'relative' path specification to $SPLUNK_HOME, with the same outcome: it fails as long as I specify the paths to the cert/key in web.conf. If I leave the paths commented out, relying on default values, splunk loads them fine somehow from the default location where I copied them.
Splunk requires the certificate file to be in PEM format with individual certificates in a specific order.  See https://docs.splunk.com/Documentation/Splunk/9.4.1/Security/HowtoprepareyoursignedcertificatesforSplunk
Hi, I am working on installing a CA-signed (ssl.com) cert on a Splunk Enterprise instance, and keep hitting these two errors:

    03-18-2025 23:32:08.751 +0000 ERROR UiHttpListener [122666 WebuiStartup] - TLS certificate is missing or invalid, please check your configuration or certificate file.
    03-18-2025 23:32:08.751 +0000 ERROR UiHttpListener [122666 WebuiStartup] - Loaded TLS configurations from conf file=web, TLS cert check failed

web.conf:

    [settings]
    mgmtHostPort = 0.0.0.0:8089
    enableSplunkWebSSL = true
    privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
    serverCert = /opt/splunk/etc/auth/mycerts/splunk.crt

The crt file contains the server cert, as well as the CA chain concatenated at the end of the file. The cert file is valid:

    [root@splunk mycerts]# openssl x509 -in splunk.crt -noout -enddate
    notAfter=Jun 16 19:25:41 2025 GMT
    [root@splunk mycerts]# openssl verify -CAfile splunk.ca-bundle splunk.crt
    splunk.crt: OK

How exactly does splunk perform the "TLS cert check", and is there a debug method to figure out what exactly it does not like about the CA-signed cert I am trying to configure?

Permissions and cert file ownership are set up correctly (i.e., 600/644 and splunk:splunk).

Thank you!
I have an alert saved that is straightforward. The search is:

    index=mydata action=block

I have it on a cron schedule and I get results from it when manually running the search. I can see the field asset.name is returned and it has the expected data I want in it. I configure my alert action to email me and in the body I put in $result.asset.name$. When the email is received, it is a blank email.

For troubleshooting, I tried a different field named 'id', and put in $result.id$ and $result.asset.name$ in the body of the email alert action. The id data shows up but not the asset.name. I changed my search to have |table asset.name at the end and I again see the data I want in a manual search. I tried adding an |eval dvc='asset.name' to my search and again I see dvc now has the data I want in it. But if I put $result.dvc$ in the email body, I again get a blank email.

Please help me to understand what I'm doing wrong. Thanks
Oh I see, I thought this was a completely fresh install?
Try removing the port number at the end if you are using Splunk Cloud. This was the issue in my case. The documentation does not reflect this issue as of this writing.
Hi @TJLAN

As @richgalloway mentioned, the installation should come with a trial license bundled in. There are only two scenarios that I can think of which would cause this issue. The first is if it's not truly a completely fresh install: if you have previous internal indexes from another install then this can cause the trial license to fail. The other scenario is if the time/date is incorrect on your server. Please could you confirm that this is correct?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
In fact, an old Free Trial version existed on the system before installing a new one.
Thank you all for your help, it helped me a lot in solving my problem.
Thank you for your help, it helped me a lot in solving my problem.
There was another script on the HF that updated the KV store on the SHC... so that was the mystery. Thanks
A fresh installation of Splunk on a system that has never run Splunk before will have a built-in 30-day Trial license. Once the trial license expires, it automatically becomes a Free license, which has several limitations. A fresh installation of Splunk on a system that already has Splunk on it will not get a new trial license. The instance will continue to use the current license. If the instance is not being used for Production, you can go to https://dev.splunk.com to get a Dev license. Sign in as Admin, then go to Settings->Licensing to install the license.
I'm the author and I want to say thanks for your contribution. 
Instance Type is Standalone, Platform is Linux. Please, how do I update the License?
No Sir. It is a fresh installation of Splunk 9.4.1
First thing to do in such cases is to click "open in search" and check what the actual search is being rendered into after substituting the tokens.
Instance Type - Stand Alone, Platform - Linux