All Posts

When I try to append my search with it I get this error: Error in 'makeresults' command: This command must be the first command of a search.

index = _audit user="*" action="login attempt" info=succeeded | makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month
@mvasquez21 You have to use this query:

index = _audit user="*" action="login attempt" info=succeeded | eval _time=relative_time(now(), "-".(random()%180)."d") | eval month=strftime(_time, "%b %Y") | chart count over user by month
@mvasquez21 makeresults is a command in Splunk that generates synthetic (fake) data for testing, debugging, and query development without using an actual index. You have to pass your original query.
When using this one:

| makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month

my results don't show the username:
I have tried this option, no luck. Can we have a call to discuss this?
@mvasquez21 Try this:

index = _audit user="*" action="login attempt" info=succeeded | eval _time=relative_time(now(), "-".(random()%180)."d") | eval month=strftime(_time, "%b %Y") | chart count over user by month
@mvasquez21

| makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month
Could I ask you to paste that so my bad typing doesn't mess it up? Thanks so much!
@mvasquez21   
Hi, Quick sanity check: are you certain there's nothing being instrumented that uses an older version of .NET? The reason I ask is because the service name might be indicating .NET 6? The 1.9 instrumentation won't work with .NET 6 or .NET 7 -- you'd have to try downgrading to 1.8.

"OTEL_SERVICE_NAME": "MyDotNet6WebApi"
I have this search to see logins to our Splunk environment:

index = _audit user="*" action="login attempt" info=succeeded | stats count by user

Mgmt is asking to see the same data but instead of a "count" column, they want a column for each month. I assume it will be a table of some sort but can't figure out the date summarizing. Here is an example of the individual entry:

Audit:[timestamp=03-03-2025 09:10:52.577, user=xxxxxx, action=login attempt, info=succeeded reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" clientip=xxx.xxx.xxx.x" method=LDAP" session=17a169464fada764a1bac7310cac4c47]

Columns should be:

user   monthA   monthB   monthC

with the counts under each month. Thanks!
In my case I disabled PYTHONHTTPSVERIFY in splunk-launch.conf and this fixed my issue. In case it helps, positive karma is appreciated.
Thanks for trying to help @PickleRick, this is of course the normal process that I have undertaken and iterated over to analyse. Understood on disabled; that is not the case in the TAs I am working to remove.
Hi @malimahesh25

Firstly, I just want to mention that it is generally not advised to run Splunk as root.

Regarding your issue - the reason that the inputs.conf is not being updated is that the authentication to Splunk failed. Do you know your Splunk credentials for the forwarder? This is the Splunk admin auth user, NOT the system user credentials. If you do not know the password then you can reset it by following these steps:

1. Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk
2. Create a file named user-seed.conf in your $SPLUNK_HOME/etc/system/local/ directory. In the file add the following text:

[user_info]
USERNAME = admin
PASSWORD = NEW_PASSWORD

In the place of "NEW_PASSWORD" insert the password you would like to use.
3. Restart Splunk

After restarting Splunk you should now be able to run the command, logging in with the new credentials. For more info see https://docs.splunk.com/Documentation/Splunk/9.4.0/admin/User-seedconf

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Hi team,

I am unable to send logs to the server by using the "splunk add monitor <filename>" command with forwarder version 9.4.0. Splunk is running as the root user. The add monitor command is asking for credentials, and the inputs.conf file is not getting updated with the log file name that is added to monitor.

sudo splunk add monitor Test.log
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R root:root /opt/splunkforwarder"
Splunk username:
Password:
Login failed

Tested with forwarder version 9.0.0 and it worked. That time it also asked for credentials, but inputs.conf got updated and logs were sent to the server without providing the credentials. I want to send logs to the server using forwarder 9.4.0. What changes should I make to get it to work? Please suggest...
https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/PropagateSHCconfigurationchanges "To delete an app that you previously pushed, remove it from the configuration bundle. When you next push the bundle, each member will delete it from its own file system. Note: If you need to remove an app, inspect its app.conf file to make sure that state = enabled. If state = disabled, the deployer will not remove the app even if you remove it from the configuration bundle."
I see what you're trying to do but be aware that the whole process is flawed here.

1. You're relying on a file with 666 permissions. This way anyone can manipulate this file's contents in any way they see fit. They can remove contents, counting on a race condition so that the UF won't pick it up, or they can inject any contents. And you're not able to tell whether it's legitimate or not.
2. The $PROMPT_COMMAND is only run at prompt time. Which means that when there is no prompt, the command is not run. And there are a lot of situations like that.
3. You're relying on bash being spawned as a shell and being the only shell for a user. That is not true. It's trivial to spawn any other shell or any other process in a non-tracked way.
4. You're also relying on startup scripts being run for a bash session. That also doesn't have to be true (see your "su" case).

So if it's your way of providing accountability... that's not gonna work very well. For that you're gonna need other tools. For example a very limited sudo configuration (with sudo you have logging included). Or a whole user session monitoring tool, but that's completely out of scope here.

If it's just so that you have some form of tracking what people are doing for future reference and to avoid situations like "how did we do that???", that might be a way to do so. In fact I'm doing a similar thing on my computers but I use logger in my $PROMPT_COMMAND so that it gets pushed to system-wide syslog. Yes, it also has some of the aforementioned issues but the log is a bit less easy to manipulate after it's been written to.

As a side remark - you have several mistakes in your script. For example, your grep -q will find _any_ PROMPT_COMMAND, even if it's commented out or just part of an echoed string. Possible issues with the file monitoring (
Please share your current SimpleXML source demonstrating the issue.
Hi, Thanks! This almost worked - the alignment is now all rows, including panel title, input text, html text and events. Is there a way to leave the title as is and have just the input and html tags side by side, with events coming down to both of them? Now all of them are in a row: title, input, html and events are all next to each other.
For the first case, try something like this:

| append [| makeresults | addinfo | rename info_min_time as _time | fields _time | eval state="System unknown"] | sort 0 - _time | streamstats last(state) as previousState window=1 current=f | eval state=if(state!="System unknown",state,if(previousState=="System Stop", "System Start", "System Stop"))