All Posts
Have you activated eventgen's inputs on the Splunk side?
I think that @livehybrid is right and this is not exactly the reason for your issue. Can you share your dashboard where this issue is with us, or at least the part which generates that error? Please use a code block for that dashboard (it is the link/icon </> in the editor). That SPL-237902 seems to be still there even in 9.4.1.
Hi @SN1

How did you get on? Let us know if you need help diagnosing issues connecting to a license server (if applicable) or adding a new license. For more info on how to add a new license check out https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Installalicense

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
There are already some proposals for how this could be done. But to understand your situation better, and which solution is best for you, we should know more about your needs, the tools you use, your environment and what your target is. How are you collecting data? Are you managing all inputs? Do you have some other tools where you have some kind of CMDB? How are you deploying inputs? Are you using Splunk's ARI? If you are managing all inputs then maybe the easiest way to add this is to use the _meta field on those inputs. Just add those values in all input stanzas and then you have those values in your data when it comes into the Splunk indexers. Other options are just to use e.g. tags when you are onboarding data sources into Splunk, as already mentioned. As you see there are many ways to do it, and without more information it's impossible to say how you should do it.

r. Ismo
One comment. You should never ever put a comment with # at the end of any attribute line. Splunk cannot handle those correctly (don't ask why). Always put comments on their own line!
One proposal. You should always create a Splunk TA/SA or other app which contains those fixes and can be installed easily on other nodes too. Personally I avoid as much as possible putting anything into .../etc/system/local/. You cannot easily change those values after they are there. Of course, if you have an SM tool which can edit / install those then it's a different story.
Try like this:

| eval time_var=strptime('payload.eventProcessedAt', "%Y-%m-%dT%H:%M:%S.%3NZ")

Field names which contain special characters (including a dot) on the right-hand side of an eval should be enclosed in single quotes.
This is a nice feature and easier to use than transforms to drop those events. Thanks!
Try something along these lines:

| makeresults format=json data="[{ \"id\": \"XXXXXX\", \"category\": \"ABCD\", \"correlationId\": \"exxxxxx0\", \"result\": \"success\", \"resultReason\": null, \"activityDisplayName\": \"update something\", \"activityDateTime\": \"2025-02-13T10:00:54.007809Z\", \"loggedByService\": \"XXXX\", \"operationType\": \"Update\", \"targetResources\": [ { \"id\": \"XXXX\", \"displayName\": \"DISPLAYNAME\", \"type\": \"ABCD\", \"userPrincipalName\": null, \"groupType\": null, \"modifiedProperties\": [ { \"displayName\": \"abcd\", \"oldValue\": \"{\\\"id\\\":\\\"1234\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-05T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"YYYY\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[\\\"USERACTION1\\\"],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[\\\"USERGROUP1\\\",\\\"USERGROUP2\\\"],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":2,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\", \"newValue\": \"{\\\"id\\\":\\\"12345\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME 1\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-06T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"AABB\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[\\\"All\\\"],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":1,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\" } ] } ], \"additionalDetails\": [ { \"key\": \"Category\", \"value\": \"ANY CATEGORY\" } ] }]"
| fields _raw
| spath targetResources{}.modifiedProperties{} output=modifiedProperties
| fields - _raw
| spath input=modifiedProperties
| eval newValueString="{\"newValueObject\":".newValue."}"
| spath input=newValueString
| foreach newValueObject.* [
    | eval _value=json_extract(oldValue,"<<MATCHSTR>>")
    | eval _KeyName=if('<<FIELD>>'=_value,null(),"<<MATCHSTR>>")
    | eval mismatch=if(isnotnull(_KeyName),if(isnotnull(mismatch),mvappend(mismatch,_KeyName."|"._value."|".'<<FIELD>>'),_KeyName."|"._value."|".'<<FIELD>>'),mismatch)
  ]
| fields - newValueObject.* newValueString _value _KeyName

The newValue string is wrapped in an object (note the closing "}" so the JSON stays balanced) so that spath can expand it into newValueObject.* fields, and foreach then looks each key up in oldValue with json_extract. You should end up with a multi-value field with pipe-delimited values for key, old value, new value.
When you are adding a search peer you must have/know an admin-level account on that HF. Then use it when you add the new peer.
I always have that "chown -R splunk:splunk" in my Ansible or other scripts which are used for installing and/or updating Splunk nodes. This has saved me a lot of time.
This should work if and only if you are managing those saved searches via the SHC's GUI, not via the deployer. Of course you must install those apps first with the deployer, and it installs them on both SHCs. You must also understand that both SHCs probably use the same indexers, and then the indexers can actually be your bottleneck, not the SHCs.
Hi,

https://docs.splunk.com/observability/en/gdi/get-data-in/rum/browser/manual-rum-browser-instrumentation.html#create-custom-spans-for-single-page-applications

How do I create custom events for a PEGA application instrumented in Splunk Observability Cloud? The PEGA application doesn't have page-wise URLs. We need to monitor a couple of transactions to calculate the response time for each transaction. We tried RUM URL grouping but it did not work since there are no page-wise URLs. So how do we create custom events to monitor the transaction metrics? Please share sample code snippets if any. Thanks.
Hi @pedropiin,

let me understand: is the datetime you use to extract hours in epoch time or in human-readable format? I understood that you want to extract the hours from your datetime, is that correct?

The strptime function is used to convert from human-readable to epoch time. If you have a value in this format: 2025-02-28T14:42:25.123, you can extract the hours value in two ways:

| eval time_var=strftime(strptime('payload.eventProcessedAt', "%Y-%m-%dT%H:%M:%S.%3NZ"),"%H")

or

| eval time_var=substr('payload.eventProcessedAt',12,2)

Ciao.
Giuseppe
Did you solve this @James_ACN? If yes, please guide me on how to onboard Akamai logs to Splunk.
Hi everyone. I suppose this is a very simple question, but I'm new to Splunk and I've tried everything that I have knowledge of. The field that contains the timestamp is called "payload.eventProcessedAt". Trying to parse it with

| eval time_var=strptime(payload.eventProcessedAt, "%Y-%m-%dT%H:%M:%S.%3NZ")

doesn't work, giving me only "null/empty" values. The same occurs with "strftime". How can I do this?
Hello @livehybrid

I am trying the solutions on the link provided by you. They are not working as-is, as they compare the keys rather than the values, and I am looking to compare the values and get the differences. I am trying to tweak them to see how I can do that. And yes, once I have the solution, I will add karma points and accept a solution as the answer.

Thanks
Hello @ITWhisperer, below is the sample event. I am looking to compare "targetResources.modifiedProperties.oldValue" vs "targetResources.modifiedProperties.newValue". And if there are differences, then output the key name, old value and new value. Hope this makes sense and apologies for the confusion before.

{
  "id": "XXXXXX",
  "category": "ABCD",
  "correlationId": "exxxxxx0",
  "result": "success",
  "resultReason": null,
  "activityDisplayName": "update something",
  "activityDateTime": "2025-02-13T10:00:54.007809Z",
  "loggedByService": "XXXX",
  "operationType": "Update",
  "targetResources": [
    {
      "id": "XXXX",
      "displayName": "DISPLAYNAME",
      "type": "ABCD",
      "userPrincipalName": null,
      "groupType": null,
      "modifiedProperties": [
        {
          "displayName": "abcd",
          "oldValue": "{\"id\":\"1234\",\"displayName\":\"ANY DISPLAY NAME\",\"createdDateTime\":\"2022-10-05T10:01:58.275401+00:00\",\"modifiedDateTime\":\"2025-02-05T10:30:40.0351794+00:00\",\"state\":\"enabled\",\"conditions\":{\"applications\":{\"includeApplications\":[\"YYYY\"],\"excludeApplications\":[],\"includeUserActions\":[\"USERACTION1\"],\"includeAuthenticationContextClassReferences\":[],\"applicationFilter\":null},\"users\":{\"includeUsers\":[],\"excludeUsers\":[],\"includeGroups\":[\"USERGROUP1\",\"USERGROUP2\"],\"excludeGroups\":[],\"includeRoles\":[],\"excludeRoles\":[]},\"userRiskLevels\":[],\"signInRiskLevels\":[],\"clientAppTypes\":[\"all\"],\"servicePrincipalRiskLevels\":[]},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"],\"customAuthenticationFactors\":[],\"termsOfUse\":[]},\"sessionControls\":{\"cloudAppSecurity\":{\"cloudAppSecurityType\":\"monitorOnly\",\"isEnabled\":true},\"signInFrequency\":{\"value\":2,\"type\":\"hours\",\"authenticationType\":\"primaryAndSecondaryAuthentication\",\"frequencyInterval\":\"timeBased\",\"isEnabled\":true}}}",
          "newValue": "{\"id\":\"12345\",\"displayName\":\"ANY DISPLAY NAME 1\",\"createdDateTime\":\"2022-10-05T10:01:58.275401+00:00\",\"modifiedDateTime\":\"2025-02-06T10:30:40.0351794+00:00\",\"state\":\"enabled\",\"conditions\":{\"applications\":{\"includeApplications\":[\"AABB\"],\"excludeApplications\":[],\"includeUserActions\":[],\"includeAuthenticationContextClassReferences\":[],\"applicationFilter\":null},\"users\":{\"includeUsers\":[\"All\"],\"excludeUsers\":[],\"includeGroups\":[],\"excludeGroups\":[],\"includeRoles\":[],\"excludeRoles\":[]},\"userRiskLevels\":[],\"signInRiskLevels\":[],\"clientAppTypes\":[\"all\"],\"servicePrincipalRiskLevels\":[]},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"],\"customAuthenticationFactors\":[],\"termsOfUse\":[]},\"sessionControls\":{\"cloudAppSecurity\":{\"cloudAppSecurityType\":\"monitorOnly\",\"isEnabled\":true},\"signInFrequency\":{\"value\":1,\"type\":\"hours\",\"authenticationType\":\"primaryAndSecondaryAuthentication\",\"frequencyInterval\":\"timeBased\",\"isEnabled\":true}}}"
        }
      ]
    }
  ],
  "additionalDetails": [
    {
      "key": "Category",
      "value": "ANY CATEGORY"
    }
  ]
}
Hi @vikashumble

Let us know how you get on with the link I posted in my previous reply, or the suggestion from @ITWhisperer, and then we can help tweak from there depending on the results.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.

Regards
Will
Hello @kiran_panchavat

This does work if the changed values are only in the fields I deliberately changed values in, in other words displayName, modifiedDateTime etc. But what I am looking for is whether values are changed anywhere in this JSON object (say some events have changed values in id or something else). I think that would not be captured by your query (I have tested that). Hence I cannot accept this as a solution as of now.
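A general comparison of oldValue against newValue that reports a change under any key, however deeply nested, which is what this reply asks for and what the makeresults/spath/foreach answer earlier on the page approximates in SPL. This is an added example in Python, not code from the thread: the event is constructed from the redacted sample posted above, a second quoted-scalar property is added to show the other value shape Entra audit logs emit, and the function names and the "$" root marker are this example's own conventions.

```python
import copy
import json
from typing import Any

# Added example, not code from the thread. The sample data below is constructed
# from the post's redacted event; function names are this example's own.
MISSING = "<absent>"  # marks a key present on only one side


def json_diff(old: Any, new: Any, path: str = "") -> list[tuple[str, Any, Any]]:
    """Return (dotted key path, old, new) for every leaf that differs.
    Dicts are walked recursively, a key on only one side is reported with
    MISSING, lists are compared whole and in order (as Entra serialises them),
    and types must match so true vs 1 or "2" vs 2 is reported, not hidden."""
    if isinstance(old, dict) and isinstance(new, dict):
        diffs: list[tuple[str, Any, Any]] = []
        for key in sorted(old.keys() | new.keys()):
            sub = f"{path}.{key}" if path else key
            if key in old and key in new:
                diffs.extend(json_diff(old[key], new[key], sub))
            else:
                diffs.append((sub, old.get(key, MISSING), new.get(key, MISSING)))
        return diffs
    if type(old) is not type(new) or old != new:
        return [(path, old, new)]
    return []


def _decode(value: Any) -> Any:
    """modifiedProperties values arrive as JSON strings (an object, or a quoted
    scalar such as "\"Security\""); decode them, keeping the raw string when a
    value is not JSON at all."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def changed_properties(event: dict) -> list[tuple[str, str, Any, Any]]:
    """Walk targetResources[].modifiedProperties[] and return
    (property displayName, key path, old, new); "$" is the path of a scalar."""
    out = []
    for resource in event.get("targetResources") or []:
        for prop in resource.get("modifiedProperties") or []:
            old, new = _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
            for key, o, n in json_diff(old, new):
                out.append((prop.get("displayName", ""), key or "$", o, n))
    return out


def to_pipe_rows(diffs: list[tuple[str, str, Any, Any]]) -> list[str]:
    """Same layout as the SPL answer's multivalue field: property|key|old|new."""
    return [f"{p}|{k}|{json.dumps(o)}|{json.dumps(n)}" for p, k, o, n in diffs]


# Constructed sample: the conditional-access policy from the post, old and new.
OLD_POLICY = {
    "id": "1234", "displayName": "ANY DISPLAY NAME", "state": "enabled",
    "createdDateTime": "2022-10-05T10:01:58.275401+00:00",
    "modifiedDateTime": "2025-02-05T10:30:40.0351794+00:00",
    "conditions": {
        "applications": {"includeApplications": ["YYYY"], "excludeApplications": [],
                         "includeUserActions": ["USERACTION1"],
                         "includeAuthenticationContextClassReferences": [],
                         "applicationFilter": None},
        "users": {"includeUsers": [], "excludeUsers": [], "includeRoles": [],
                  "includeGroups": ["USERGROUP1", "USERGROUP2"],
                  "excludeGroups": [], "excludeRoles": []},
        "userRiskLevels": [], "signInRiskLevels": [], "clientAppTypes": ["all"],
        "servicePrincipalRiskLevels": []},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                      "customAuthenticationFactors": [], "termsOfUse": []},
    "sessionControls": {
        "cloudAppSecurity": {"cloudAppSecurityType": "monitorOnly", "isEnabled": True},
        "signInFrequency": {"value": 2, "type": "hours", "isEnabled": True,
                            "authenticationType": "primaryAndSecondaryAuthentication",
                            "frequencyInterval": "timeBased"}}}
NEW_POLICY = copy.deepcopy(OLD_POLICY)  # then apply the eight changes from the post
NEW_POLICY.update(id="12345", displayName="ANY DISPLAY NAME 1",
                  modifiedDateTime="2025-02-06T10:30:40.0351794+00:00")
NEW_POLICY["conditions"]["applications"].update(includeApplications=["AABB"], includeUserActions=[])
NEW_POLICY["conditions"]["users"].update(includeUsers=["All"], includeGroups=[])
NEW_POLICY["sessionControls"]["signInFrequency"]["value"] = 1

EVENT = {
    "id": "XXXXXX", "category": "ABCD", "operationType": "Update",
    "activityDisplayName": "update something",
    "targetResources": [{
        "id": "XXXX", "displayName": "DISPLAYNAME", "type": "ABCD",
        "modifiedProperties": [
            {"displayName": "abcd",  # the nested-JSON case from the post
             "oldValue": json.dumps(OLD_POLICY), "newValue": json.dumps(NEW_POLICY)},
            {"displayName": "GroupType",  # a quoted-scalar value (constructed)
             "oldValue": "\"Security\"", "newValue": "\"Unified\""},
        ]}],
}
```

to_pipe_rows(changed_properties(EVENT)) yields nine property|key|old|new rows for the constructed event: the eight keys changed in the policy (id, displayName, modifiedDateTime, two application filters, two user filters and the sign-in frequency) plus the scalar GroupType property. Lists are compared whole because Entra serialises them as ordered arrays, so a reordered group list is reported as a change, which is the safe default when reviewing conditional-access policy edits.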