This is a nice feature and easier to use than using transforms to drop those events. Thanks!
Try something along these lines:
| makeresults format=json data="[{ \"id\": \"XXXXXX\", \"category\": \"ABCD\", \"correlationId\": \"exxxxxx0\", \"result\": \"success\", \"resultReason\": null, \"activityDisplayName\": \"update something\", \"activityDateTime\": \"2025-02-13T10:00:54.007809Z\", \"loggedByService\": \"XXXX\", \"operationType\": \"Update\", \"targetResources\": [ { \"id\": \"XXXX\", \"displayName\": \"DISPLAYNAME\", \"type\": \"ABCD\", \"userPrincipalName\": null, \"groupType\": null, \"modifiedProperties\": [ { \"displayName\": \"abcd\", \"oldValue\": \"{\\\"id\\\":\\\"1234\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-05T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"YYYY\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[\\\"USERACTION1\\\"],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[\\\"USERGROUP1\\\",\\\"USERGROUP2\\\"],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":2,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\", \"newValue\": \"{\\\"id\\\":\\\"12345\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME 1\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-06T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"AABB\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[\\\"All\\\"],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":1,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\" } ] } ], \"additionalDetails\": [ { \"key\": \"Category\", \"value\": \"ANY CATEGORY\" } ] }]"
| fields _raw
| spath targetResources{}.modifiedProperties{} output=modifiedProperties
| fields - _raw
| spath input=modifiedProperties
| eval newValueString="{\"newValueObject\":".newValue."}"
| spath input=newValueString
| foreach newValueObject.* [| eval _value=json_extract(oldValue,"<<MATCHSTR>>") | eval _KeyName=if('<<FIELD>>'=_value,null(),"<<MATCHSTR>>") | eval mismatch=if(isnotnull(_KeyName),if(isnotnull(mismatch),mvappend(mismatch,_KeyName."|"._value."|".'<<FIELD>>'),_KeyName."|"._value."|".'<<FIELD>>'),mismatch)]
| fields - newValueObject.* newValueString _value _KeyName
You should end up with a multi-value field with pipe-delimited values for key, old value, new value.
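The key-by-key comparison that the foreach above performs, written out as a stand-alone Python script so the diff logic can be checked outside Splunk and extended to flag the policy changes a defender cares about (an added example, not ITWhisperer's code; the sample JSON is condensed from the event posted in this thread, and the WATCHLIST paths are an assumed choice, not something from the thread):

```python
import json
from typing import Any, Iterator, List, Tuple

# Constructed sample, condensed from the oldValue/newValue pair posted in this thread
# (an Entra ID audit event for a Conditional Access policy update; not a real tenant).
OLD_VALUE = json.dumps({
    "id": "1234", "displayName": "ANY DISPLAY NAME", "state": "enabled",
    "modifiedDateTime": "2025-02-05T10:30:40.0351794+00:00",
    "conditions": {
        "applications": {"includeApplications": ["YYYY"], "includeUserActions": ["USERACTION1"]},
        "users": {"includeUsers": [], "includeGroups": ["USERGROUP1", "USERGROUP2"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {"value": 2, "type": "hours", "isEnabled": True}}})
NEW_VALUE = json.dumps({
    "id": "12345", "displayName": "ANY DISPLAY NAME 1", "state": "enabled",
    "modifiedDateTime": "2025-02-06T10:30:40.0351794+00:00",
    "conditions": {
        "applications": {"includeApplications": ["AABB"], "includeUserActions": []},
        "users": {"includeUsers": ["All"], "includeGroups": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}}})

# Assumed watchlist: paths whose change widens policy scope or weakens the controls it enforces.
WATCHLIST = {"conditions.users.includeUsers", "conditions.users.includeGroups",
             "grantControls.builtInControls", "sessionControls.signInFrequency.value", "state"}


def _walk(old: Any, new: Any, path: str) -> Iterator[Tuple[str, Any, Any]]:
    """Yield (dotted_path, old, new) for every leaf that differs. Objects are
    recursed; arrays are compared whole, like the multivalue fields in the SPL."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            yield from _walk(old.get(key), new.get(key), f"{path}.{key}" if path else key)
    elif old != new:
        yield path, old, new


def diff_modified_property(old_value: str, new_value: str) -> List[str]:
    """Return 'key|old|new' strings, the pipe-delimited shape the SPL above builds.
    A key present on only one side shows as null on the other."""
    return [f"{k}|{json.dumps(o)}|{json.dumps(n)}"
            for k, o, n in _walk(json.loads(old_value), json.loads(new_value), "")]


def watched_changes(old_value: str, new_value: str) -> List[str]:
    """Subset of the diff touching WATCHLIST paths (here: scope widened to all users,
    group restriction dropped, sign-in frequency relaxed); renames and timestamps are noise."""
    return [line for line in diff_modified_property(old_value, new_value)
            if line.split("|", 1)[0] in WATCHLIST]


if __name__ == "__main__":
    for line in diff_modified_property(OLD_VALUE, NEW_VALUE):
        print(("ALERT " if line.split("|", 1)[0] in WATCHLIST else "      ") + line)
```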
When you are adding a search peer you must have/know an admin-level account on that HF. Then use it when you add a new peer.
I always have that "chown -R splunk:splunk" in my Ansible or other scripts which are used for installing and/or updating Splunk nodes. This has saved me a lot of time.
This should work if and only if you are managing those saved searches on the SHC's GUI, not via the deployer. Of course you must install those apps first with the deployer, and it installs those on both SHCs. You must also understand that both SHCs probably use the same indexers, and then the indexers can actually be your bottleneck, not the SHCs?
Hi, https://docs.splunk.com/observability/en/gdi/get-data-in/rum/browser/manual-rum-browser-instrumentation.html#create-custom-spans-for-single-page-applications how to create custom events for a PEGA application instrumented in Splunk OC? The PEGA application doesn't have page-wise URLs. We need to monitor a couple of transactions for calculating the response time of each transaction. We tried via RUM URL grouping; it did not work since there is no page-wise URL. So how to create custom events to monitor the transaction metrics? Please share sample code snippets if any. Thanks.
Hi @pedropiin, let me understand: is the datetime you want to extract the hours from in epoch time or in human-readable format? I understood that you want to extract the hours from your datetime, is that correct? The strptime function is used to convert from human-readable to epoch time. If you have a value in this format: 2025-02-28T14:42:25.123, you can extract the hours value in two ways:
| eval time_var=strftime(strptime('payload.eventProcessedAt', "%Y-%m-%dT%H:%M:%S.%3NZ"),"%H")
or
| eval time_var=substr('payload.eventProcessedAt',12,2)
Ciao. Giuseppe
Did you solve this @James_ACN? If yes, please guide me on how to onboard Akamai logs to Splunk.
Hi everyone. I suppose this is a very simple question, but I'm new to Splunk and I've tried everything that I have knowledge of. The field that contains the timestamp is called "payload.eventProcessedAt". Trying to parse with
| eval time_var=strptime(payload.eventProcessedAt, "%Y-%m-%dT%H:%M:%S.%3NZ")
doesn't work, giving me only "null/empty" values. The same occurs with "strftime". How can I do this?
Hello @livehybrid, I am trying the solutions on the link provided by you. They are not working as they are, as they compare the keys rather than the values, and I am looking to compare the values and get the differences. I am trying to tweak them to see how I can do that. And yes, once I have the solution, I will add karma points and accept a solution as an answer. Thanks
Hello @ITWhisperer, below is the sample event. I am looking to compare "targetResources.modifiedProperties.oldValue" vs "targetResources.modifiedProperties.newValue", and if there are differences, then output the key name, old value and new value. Hope this makes sense, and apologies for the confusion before.
{ "id": "XXXXXX", "category": "ABCD", "correlationId": "exxxxxx0", "result": "success", "resultReason": null, "activityDisplayName": "update something", "activityDateTime": "2025-02-13T10:00:54.007809Z", "loggedByService": "XXXX", "operationType": "Update", "targetResources": [ { "id": "XXXX", "displayName": "DISPLAYNAME", "type": "ABCD", "userPrincipalName": null, "groupType": null, "modifiedProperties": [ { "displayName": "abcd", "oldValue": "{\"id\":\"1234\",\"displayName\":\"ANY DISPLAY NAME\",\"createdDateTime\":\"2022-10-05T10:01:58.275401+00:00\",\"modifiedDateTime\":\"2025-02-05T10:30:40.0351794+00:00\",\"state\":\"enabled\",\"conditions\":{\"applications\":{\"includeApplications\":[\"YYYY\"],\"excludeApplications\":[],\"includeUserActions\":[\"USERACTION1\"],\"includeAuthenticationContextClassReferences\":[],\"applicationFilter\":null},\"users\":{\"includeUsers\":[],\"excludeUsers\":[],\"includeGroups\":[\"USERGROUP1\",\"USERGROUP2\"],\"excludeGroups\":[],\"includeRoles\":[],\"excludeRoles\":[]},\"userRiskLevels\":[],\"signInRiskLevels\":[],\"clientAppTypes\":[\"all\"],\"servicePrincipalRiskLevels\":[]},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"],\"customAuthenticationFactors\":[],\"termsOfUse\":[]},\"sessionControls\":{\"cloudAppSecurity\":{\"cloudAppSecurityType\":\"monitorOnly\",\"isEnabled\":true},\"signInFrequency\":{\"value\":2,\"type\":\"hours\",\"authenticationType\":\"primaryAndSecondaryAuthentication\",\"frequencyInterval\":\"timeBased\",\"isEnabled\":true}}}", "newValue": "{\"id\":\"12345\",\"displayName\":\"ANY DISPLAY NAME 1\",\"createdDateTime\":\"2022-10-05T10:01:58.275401+00:00\",\"modifiedDateTime\":\"2025-02-06T10:30:40.0351794+00:00\",\"state\":\"enabled\",\"conditions\":{\"applications\":{\"includeApplications\":[\"AABB\"],\"excludeApplications\":[],\"includeUserActions\":[],\"includeAuthenticationContextClassReferences\":[],\"applicationFilter\":null},\"users\":{\"includeUsers\":[\"All\"],\"excludeUsers\":[],\"includeGroups\":[],\"excludeGroups\":[],\"includeRoles\":[],\"excludeRoles\":[]},\"userRiskLevels\":[],\"signInRiskLevels\":[],\"clientAppTypes\":[\"all\"],\"servicePrincipalRiskLevels\":[]},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"],\"customAuthenticationFactors\":[],\"termsOfUse\":[]},\"sessionControls\":{\"cloudAppSecurity\":{\"cloudAppSecurityType\":\"monitorOnly\",\"isEnabled\":true},\"signInFrequency\":{\"value\":1,\"type\":\"hours\",\"authenticationType\":\"primaryAndSecondaryAuthentication\",\"frequencyInterval\":\"timeBased\",\"isEnabled\":true}}}" } ] } ], "additionalDetails": [ { "key": "Category", "value": "ANY CATEGORY" } ] }
Hi @vikashumble, let us know how you get on with the link I posted in my previous reply, or the suggestion from @ITWhisperer, and then we can help tweak from there depending on the results. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
Hello @kiran_panchavat, this does work if the changed values are only in the fields I deliberately changed values in, in other words displayName, modifiedDateTime etc. But what I am looking for is whether values are changed anywhere in this JSON object (say some events have changed values in id or something else). I think that would not be captured by your query (I have tested that). Hence I cannot accept this as a solution as of now.
Please post your raw event in a code block using the </> button so we can see what you are dealing with and be able to provide further guidance.
@vikashumble
| makeresults
| eval json1="{\"id\": \"XXXXX\",\"displayName\": \"ANY DISPLAY NAME\",\"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\",\"modifiedDateTime\": \"2025-02-05T10:30:40.0351794+00:00\",\"state\": \"enabled\",\"conditions\": {\"applications\": {\"includeApplications\": [\"YYYYY\"],\"excludeApplications\": [],\"includeUserActions\": [],\"includeAuthenticationContextClassReferences\": [],\"applicationFilter\": null},\"users\": {\"includeUsers\": [],\"excludeUsers\": [],\"includeGroups\": [\"USERGROUP1\", \"USERGROUP2\"],\"excludeGroups\": [],\"includeRoles\": [],\"excludeRoles\": []},\"userRiskLevels\": [],\"signInRiskLevels\": [],\"clientAppTypes\": [\"all\"],\"servicePrincipalRiskLevels\": []},\"grantControls\": {\"operator\": \"OR\",\"builtInControls\": [\"mfa\"],\"customAuthenticationFactors\": [],\"termsOfUse\": []},\"sessionControls\": {\"cloudAppSecurity\": {\"cloudAppSecurityType\": \"monitor\",\"isEnabled\": true},\"signInFrequency\": {\"value\": 1,\"type\": \"hours\",\"authenticationType\": \"primaryAndSecondaryAuthentication\",\"frequencyInterval\": \"timeBased\",\"isEnabled\": true}}}"
| eval json2="{\"id\": \"XXXXX\",\"displayName\": \"ANY DISPLAY NAME 1\",\"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\",\"modifiedDateTime\": \"2025-02-06T10:30:40.0351794+00:00\",\"state\": \"enabled\",\"conditions\": {\"applications\": {\"includeApplications\": [\"YYYYY\"],\"excludeApplications\": [],\"includeUserActions\": [],\"includeAuthenticationContextClassReferences\": [],\"applicationFilter\": null},\"users\": {\"includeUsers\": [],\"excludeUsers\": [],\"includeGroups\": [\"USERGROUP1\", \"USERGROUP2\", \"USERGROUP3\"],\"excludeGroups\": [\"USERGROUP4\"],\"includeRoles\": [],\"excludeRoles\": []},\"userRiskLevels\": [],\"signInRiskLevels\": [],\"clientAppTypes\": [\"all\"],\"servicePrincipalRiskLevels\": []},\"grantControls\": {\"operator\": \"OR\",\"builtInControls\": [\"mfa\"],\"customAuthenticationFactors\": [],\"termsOfUse\": []},\"sessionControls\": {\"cloudAppSecurity\": {\"cloudAppSecurityType\": \"block\",\"isEnabled\": true},\"signInFrequency\": {\"value\": 2,\"type\": \"hours\",\"authenticationType\": \"primaryAndSecondaryAuthentication\",\"frequencyInterval\": \"timeBased\",\"isEnabled\": true}}}"
| spath input=json1 path="displayName" output=displayName_old
| spath input=json2 path="displayName" output=displayName_new
| spath input=json1 path="modifiedDateTime" output=modifiedDateTime_old
| spath input=json2 path="modifiedDateTime" output=modifiedDateTime_new
| spath input=json1 path="conditions.users.includeGroups{}" output=includeGroups_old
| spath input=json2 path="conditions.users.includeGroups{}" output=includeGroups_new
| spath input=json1 path="conditions.users.excludeGroups{}" output=excludeGroups_old
| spath input=json2 path="conditions.users.excludeGroups{}" output=excludeGroups_new
| spath input=json1 path="sessionControls.cloudAppSecurity.cloudAppSecurityType" output=cloudAppSecurityType_old
| spath input=json2 path="sessionControls.cloudAppSecurity.cloudAppSecurityType" output=cloudAppSecurityType_new
| spath input=json1 path="sessionControls.signInFrequency.value" output=signInFrequencyValue_old
| spath input=json2 path="sessionControls.signInFrequency.value" output=signInFrequencyValue_new
| eval changes=mvappend( if(displayName_old!=displayName_new, "displayName, ".displayName_old.", ".displayName_new, null()), if(modifiedDateTime_old!=modifiedDateTime_new, "modifiedDateTime, ".modifiedDateTime_old.", ".modifiedDateTime_new, null()), if(includeGroups_old!=includeGroups_new, "users.includeGroups, ".includeGroups_old.", ".includeGroups_new, null()), if(excludeGroups_old!=excludeGroups_new, "users.excludeGroups, ".excludeGroups_old.", ".excludeGroups_new, null()), if(cloudAppSecurityType_old!=cloudAppSecurityType_new, "sessionControls.cloudAppSecurityType, ".cloudAppSecurityType_old.", ".cloudAppSecurityType_new, null()), if(signInFrequencyValue_old!=signInFrequencyValue_new, "signInFrequency.value, ".signInFrequencyValue_old.", ".signInFrequencyValue_new, null()) )
| mvexpand changes
| rex field=changes "(?<key>[^,]+), (?<old_value>[^,]+), (?<new_value>.+)"
| table key, old_value, new_value
Hey @ITWhisperer, can you please guide me a bit more on what you meant, maybe with a simpler example? It would help a lot. Also, I forgot to mention that it is coming from the same event. Thanks
@kingbert_Thomas
1. Create and Save a Search: create a search that returns the necessary information for your CMDB fields. Save this search as a report and schedule it to run regularly.
2. Create Lookup Definitions: go to Settings > Lookups > Lookup definitions and create a new lookup definition. Choose the destination app and select the output lookup CSV file from your saved search.
3. Configure Data Enrichment: in the Enterprise Security app, navigate to Configure > Data Enrichment > Asset & Identity. Create a new configuration and select the lookup name you created.
4. Map CMDB Fields: map the fields from your lookup to the corresponding CMDB fields like CRITICITY, ENVIRONMENT, FUNCTION, OFFER, BUSINESS UNIT, CODEREF, and DATACENTER.
@SN1 The error message "DISABLED_DUE_TO_GRACE_PERIOD" typically indicates that your Splunk instance is in a grace period due to a licensing issue.
1. Check License Server Connectivity: ensure indexers can communicate with the license server.
2. Restart Splunk Services: run splunk restart on your indexers.
3. Verify License Configuration: ensure your license is valid and not expired.
4. Check pass4SymmKey: ensure it matches between the license server and indexers.
Ensure that your Splunk indexers can communicate with the license server. This often involves checking network connectivity and DNS resolution. Verify that the license server's address is correctly listed in the server.conf file on your indexers.
See also: Solved: Receiving "DISABLED_DUE_TO_GRACE_PERIOD" - Splunk Community
You can create these CMDB fields in Splunk by using lookup tables or event-type tagging to map metadata to new hosts. If you don’t have a CMDB, consider using an asset inventory lookup or automatic field extractions in props.conf to enrich incoming data.
In Splunk, how do we create these CMDB fields, mapped to any sourcetype, when a new host is added as an asset, like the fields below, if we don't have a CMDB? CRITICITY ENVIRONMENT FUNCTION OFFER BUSINESS UNIT CODEREF DATACENTER