Please post your raw event in a code block using the </> button so we can see what you are dealing with and be able to provide further guidance.
@vikashumble

| makeresults
| eval json1="{\"id\": \"XXXXX\",\"displayName\": \"ANY DISPLAY NAME\",\"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\",\"modifiedDateTime\": \"2025-02-05T10:30:40.0351794+00:00\",\"state\": \"enabled\",\"conditions\": {\"applications\": {\"includeApplications\": [\"YYYYY\"],\"excludeApplications\": [],\"includeUserActions\": [],\"includeAuthenticationContextClassReferences\": [],\"applicationFilter\": null},\"users\": {\"includeUsers\": [],\"excludeUsers\": [],\"includeGroups\": [\"USERGROUP1\", \"USERGROUP2\"],\"excludeGroups\": [],\"includeRoles\": [],\"excludeRoles\": []},\"userRiskLevels\": [],\"signInRiskLevels\": [],\"clientAppTypes\": [\"all\"],\"servicePrincipalRiskLevels\": []},\"grantControls\": {\"operator\": \"OR\",\"builtInControls\": [\"mfa\"],\"customAuthenticationFactors\": [],\"termsOfUse\": []},\"sessionControls\": {\"cloudAppSecurity\": {\"cloudAppSecurityType\": \"monitor\",\"isEnabled\": true},\"signInFrequency\": {\"value\": 1,\"type\": \"hours\",\"authenticationType\": \"primaryAndSecondaryAuthentication\",\"frequencyInterval\": \"timeBased\",\"isEnabled\": true}}}"
| eval json2="{\"id\": \"XXXXX\",\"displayName\": \"ANY DISPLAY NAME 1\",\"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\",\"modifiedDateTime\": \"2025-02-06T10:30:40.0351794+00:00\",\"state\": \"enabled\",\"conditions\": {\"applications\": {\"includeApplications\": [\"YYYYY\"],\"excludeApplications\": [],\"includeUserActions\": [],\"includeAuthenticationContextClassReferences\": [],\"applicationFilter\": null},\"users\": {\"includeUsers\": [],\"excludeUsers\": [],\"includeGroups\": [\"USERGROUP1\", \"USERGROUP2\", \"USERGROUP3\"],\"excludeGroups\": [\"USERGROUP4\"],\"includeRoles\": [],\"excludeRoles\": []},\"userRiskLevels\": [],\"signInRiskLevels\": [],\"clientAppTypes\": [\"all\"],\"servicePrincipalRiskLevels\": []},\"grantControls\": {\"operator\": \"OR\",\"builtInControls\": [\"mfa\"],\"customAuthenticationFactors\": [],\"termsOfUse\": []},\"sessionControls\": {\"cloudAppSecurity\": {\"cloudAppSecurityType\": \"block\",\"isEnabled\": true},\"signInFrequency\": {\"value\": 2,\"type\": \"hours\",\"authenticationType\": \"primaryAndSecondaryAuthentication\",\"frequencyInterval\": \"timeBased\",\"isEnabled\": true}}}"
| spath input=json1 path="displayName" output=displayName_old
| spath input=json2 path="displayName" output=displayName_new
| spath input=json1 path="modifiedDateTime" output=modifiedDateTime_old
| spath input=json2 path="modifiedDateTime" output=modifiedDateTime_new
| spath input=json1 path="conditions.users.includeGroups{}" output=includeGroups_old
| spath input=json2 path="conditions.users.includeGroups{}" output=includeGroups_new
| spath input=json1 path="conditions.users.excludeGroups{}" output=excludeGroups_old
| spath input=json2 path="conditions.users.excludeGroups{}" output=excludeGroups_new
| spath input=json1 path="sessionControls.cloudAppSecurity.cloudAppSecurityType" output=cloudAppSecurityType_old
| spath input=json2 path="sessionControls.cloudAppSecurity.cloudAppSecurityType" output=cloudAppSecurityType_new
| spath input=json1 path="sessionControls.signInFrequency.value" output=signInFrequencyValue_old
| spath input=json2 path="sessionControls.signInFrequency.value" output=signInFrequencyValue_new
| eval changes=mvappend(
    if(displayName_old!=displayName_new, "displayName, ".displayName_old.", ".displayName_new, null()),
    if(modifiedDateTime_old!=modifiedDateTime_new, "modifiedDateTime, ".modifiedDateTime_old.", ".modifiedDateTime_new, null()),
    if(includeGroups_old!=includeGroups_new, "users.includeGroups, ".includeGroups_old.", ".includeGroups_new, null()),
    if(excludeGroups_old!=excludeGroups_new, "users.excludeGroups, ".excludeGroups_old.", ".excludeGroups_new, null()),
    if(cloudAppSecurityType_old!=cloudAppSecurityType_new, "sessionControls.cloudAppSecurityType, ".cloudAppSecurityType_old.", ".cloudAppSecurityType_new, null()),
    if(signInFrequencyValue_old!=signInFrequencyValue_new, "signInFrequency.value, ".signInFrequencyValue_old.", ".signInFrequencyValue_new, null()))
| mvexpand changes
| rex field=changes "(?<key>[^,]+), (?<old_value>[^,]+), (?<new_value>.+)"
| table key, old_value, new_value
Hey @ITWhisperer, can you please guide me a bit more on what you meant, maybe with a simpler example? It would help a lot. Also, I forgot to mention that it is coming from the same event. Thanks
@kingbert_Thomas

Create and Save a Search: Create a search that returns the necessary information for your CMDB fields. Save this search as a report and schedule it to run regularly.
Create Lookup Definitions: Go to Settings > Lookups > Lookup definitions and create a new lookup definition. Choose the destination app and select the output lookup CSV file from your saved search.
Configure Data Enrichment: In the Enterprise Security app, navigate to Configure > Data Enrichment > Asset & Identity. Create a new configuration and select the lookup name you created.
Map CMDB Fields: Map the fields from your lookup to the corresponding CMDB fields like CRITICITY, ENVIRONMENT, FUNCTION, OFFER, BUSINESS UNIT, CODEREF, and DATACENTER.
@SN1

The error message "DISABLED_DUE_TO_GRACE_PERIOD" typically indicates that your Splunk instance is in a grace period due to a licensing issue.
Check License Server Connectivity: Ensure indexers can communicate with the license server.
Restart Splunk Services: Run splunk restart on your indexers.
Verify License Configuration: Ensure your license is valid and not expired.
Check pass4SymmKey: Ensure it matches between the license server and indexers.
Ensure that your Splunk indexers can communicate with the license server. This often involves checking network connectivity and DNS resolution. Verify that the license server's address is correctly listed in the server.conf file on your indexers.
Solved: Receiving "DISABLED_DUE_TO_GRACE_PERIOD" - Splunk Community
You can create these CMDB fields in Splunk by using lookup tables or event-type tagging to map metadata to new hosts. If you don’t have a CMDB, consider using an asset inventory lookup or automatic field extractions in props.conf to enrich incoming data.
In Splunk, how do we create these CMDB fields mapped to any sourcetype when a new host is added as an asset, like the fields below, if we don't have C:
CRITICITY
ENVIRONMENT
FUNCTION
OFFER
BUSINESS UNIT
CODEREF
DATACENTER
Hi @SN1, it sounds like your license has expired or was not installed correctly. Go to https://yourSplunkInstance/en-US/manager/system/licensing and check that the license is showing as valid. If your license isn't showing here, or if it cannot connect to your license server (if applicable), then you will need to resolve this before being able to search non-internal indexes. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Assuming your fields have already been extracted, try something like this:

| transpose 0 column_name="KeyName"
| rename "row 1" as OldValue, "row 2" as NewValue
| eval diff=if(OldValue!=NewValue,1,null())
| where diff=1
4 years????? And nothing has been done to fix it. This part should then be removed from the code. Here you see the memory of one of our HFs that was upgraded from 9.3.2 to 9.4. When all memory is used up, it runs for some hours more and then dies. We reported this issue just some days after 9.4.0 was released, and only got the fix just now.
Hello, I am seeing this error: MSE-SVSPLUNKI01] restricting search to internal indexes only (reason: [DISABLED_DUE_TO_GRACE_PERIOD,0]). How do I resolve this?
Hi @uagraw01, I'm not sure if the bug is related to the issue you are having, as the bug relates to latest=now being omitted from searches where earliest=<something> is used. Is this a drilldown search from Enterprise Security? Or something else? Are you able to find the full search that was executed? It is odd that info_max_time_2 looks to contain "`bin" (according to the output), so it would be good to understand how that value could have got there! If you can't find the search, I'd look into _audit for 5 seconds either side of that error timestamp and start filtering down from there, maybe looking for keywords like "bin" as it appears in the error. Let us know what you find so we can help further! Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @vikashumble, I think this solution on another question might work for you; instead of me copying it over, check out https://community.splunk.com/t5/Dashboards-Visualizations/How-to-find-and-show-unique-and-missing-keys-between-two-JSON/m-p/675785 so you can get the full context. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @vikashumble, would something like this work for you?

| makeresults
| eval _raw="{\"id\": \"12345\", \"domain\": [\"test.com\",\"sample.com\",\"example.com\"]}"
| eval domain=json_array_to_mv(json_extract(_raw,"domain"))
| eval whitelistedDomains=""
| foreach domain mode=multivalue [| eval whitelistedDomains=mvappend(IF(tostring(json_extract(lookup("domainallowlist.csv",json_object("domain",<<ITEM>>),json_array("isAllowed")),"isAllowed"))=="1",<<ITEM>>,null()),whitelistedDomains) ]

This relies on having an "isAllowed"=1 value in the lookup but could be adjusted to your scenario? Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
It's https://prometheus.io/ support that was added almost 4 years ago (8.2.0). But it has been disabled since 8.2.1 due to memory explosion.
Hello Splunkers!! We recently migrated Splunk from version 8.1.1 to 9.1.1 and encountered the following errors:

ERROR TimeParser [12568 SchedulerThread] - Invalid value "`bin" for time term 'latest'
ERROR TimeParser [12568 SchedulerThread] - Invalid value "$info_max_time_2$" for time term 'latest'

Upon reviewing the Splunk 9.1.1 release notes, I found that this issue is listed as a known bug. Has anyone observed and resolved this issue before? If you have implemented a fix, could you share the specific configuration changes or workarounds applied? Any insights on where to check (e.g., saved searches, scheduled reports, or specific configurations) would be greatly appreciated. Below is the screenshot of the known bug in 9.1.1. Thanks in advance for your help!
Can confirm that it fixed the memory leak that we see on our upgraded HF server. This is not fixed in the newly released 9.4.1. But what does prometheus do in Splunk? Is it some new function that was added to the 9.x server and was set to disabled? I can't find any info in the server.conf docs.
Hello All, I have a multivalue field which contains domain names (for this case, say it is in a field named emailDomains and it contains 5 values). I have a lookup named whitelistdomains which contains 2000+ domain names. Now, what I want is to take these multivalue domain names and check whether each domain name is present in my lookup. Is that possible? An example and the expected output are below. I did try doing this using mvexpand, but sometimes I end up with memory issues on Splunk Cloud and hence want to avoid this. I tried using map and mvmap to see if I could somehow pass one value at a time to the inputlookup command and get the output, but so far I have not been able to figure it out properly. I did achieve this via a very dirty method of using appendpipe to get the list of values in the lookup and then eventstats to create that variable against each event for comparison. But this made the search very clunky and I am sure there are better ways of doing this? So, if you can please suggest a better way, that would be amazing.

emailDomains field:
test.com
sample.com
example.com

whitelistdomains lookup data:
whitelist.com
sample.com
something.com
example.com
......and so on..

Expected output: whitelistedDomains (this is a new field after looking up all multivalue field values against the lookup)
sample.com
example.com
Hello All, I have a use case where I need to compare two JSON objects and highlight their key/value differences. This is just to ensure that we can let OSC know only about the changes that have been made rather than sending both the old and new JSON as an alert. Is that doable? I tried using foreach, spath and mvexpand but was not able to figure out a proper working solution. Any help on this is much appreciated.

Json1:
{
  "id": "XXXXX",
  "displayName": "ANY DISPLAY NAME",
  "createdDateTime": "2021-10-05T07:01:58.275401+00:00",
  "modifiedDateTime": "2025-02-05T10:30:40.0351794+00:00",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": [ "YYYYY" ],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": [],
      "excludeUsers": [],
      "includeGroups": [ "USERGROUP1", "USERGROUP2" ],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": []
    },
    "userRiskLevels": [],
    "signInRiskLevels": [],
    "clientAppTypes": [ "all" ],
    "servicePrincipalRiskLevels": []
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [ "mfa" ],
    "customAuthenticationFactors": [],
    "termsOfUse": []
  },
  "sessionControls": {
    "cloudAppSecurity": { "cloudAppSecurityType": "monitor", "isEnabled": true },
    "signInFrequency": {
      "value": 1,
      "type": "hours",
      "authenticationType": "primaryAndSecondaryAuthentication",
      "frequencyInterval": "timeBased",
      "isEnabled": true
    }
  }
}

json2:
{
  "id": "XXXXX",
  "displayName": "ANY DISPLAY NAME 1",
  "createdDateTime": "2021-10-05T07:01:58.275401+00:00",
  "modifiedDateTime": "2025-02-06T10:30:40.0351794+00:00",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": [ "YYYYY" ],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": [],
      "excludeUsers": [],
      "includeGroups": [ "USERGROUP1", "USERGROUP2", "USERGROUP3" ],
      "excludeGroups": [ "USERGROUP4" ],
      "includeRoles": [],
      "excludeRoles": []
    },
    "userRiskLevels": [],
    "signInRiskLevels": [],
    "clientAppTypes": [ "all" ],
    "servicePrincipalRiskLevels": []
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [ "mfa" ],
    "customAuthenticationFactors": [],
    "termsOfUse": []
  },
  "sessionControls": {
    "cloudAppSecurity": { "cloudAppSecurityType": "block", "isEnabled": true },
    "signInFrequency": {
      "value": 2,
      "type": "hours",
      "authenticationType": "primaryAndSecondaryAuthentication",
      "frequencyInterval": "timeBased",
      "isEnabled": true
    }
  }
}

Output expected (based on the above sample JSONs):
KeyName, Old Value, New Value
displayName, "ANY DISPLAY NAME", "ANY DISPLAY NAME 1"
modifiedDateTime, "2025-02-05T10:30:40.0351794+00:00", "2025-02-06T10:30:40.0351794+00:00"
users."includeGroups", ["USERGROUP1","USERGROUP2"], ["USERGROUP1","USERGROUP2", "USERGROUP3"]
"excludeGroups", [], ["USERGROUP4"]
sessionControls."cloudAppSecurityType", "monitor", "block"
signInFrequency."value", 1, 2

Thanks
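The comparison the question asks for, as an added example that is not from the original post or its replies: a recursive diff of two JSON documents that reports only the keys whose values changed, so an alert can carry just the delta. It generalises beyond the hand-picked spath paths in the SPL answer (every key is walked, and a key that exists on only one side is reported too); the two policies embedded below are constructed from the poster's json1/json2, trimmed to the fields involved.

```python
import json
from typing import Any, Iterator, List, Tuple

Change = Tuple[str, Any, Any]  # (dotted key, old value, new value)


def json_diff(old: Any, new: Any, path: str = "") -> Iterator[Change]:
    """Yield one (key, old, new) row per value that differs between two JSON
    documents. Objects are recursed into; lists and scalars are compared as
    whole values, so a changed array is a single row, matching the expected
    output in the post. A key present on only one side is reported with None
    (rendered as null) on the missing side."""
    if isinstance(old, dict) and isinstance(new, dict):
        # Keep the source key order so the report reads like the document.
        keys = list(old) + [k for k in new if k not in old]
        for key in keys:
            sub = f"{path}.{key}" if path else key
            if key not in new:
                yield sub, old[key], None
            elif key not in old:
                yield sub, None, new[key]
            else:
                yield from json_diff(old[key], new[key], sub)
    elif old != new:
        yield path, old, new


def diff_rows(old: Any, new: Any) -> List[Change]:
    return list(json_diff(old, new))


def render(rows: List[Change]) -> List[str]:
    """Format rows as 'KeyName, Old Value, New Value' with JSON-encoded values."""
    return [f"{k}, {json.dumps(o)}, {json.dumps(n)}" for k, o, n in rows]


# Constructed sample: the poster's json1/json2 reduced to the fields that differ
# plus a few that do not, so unchanged keys are shown to be skipped.
OLD_POLICY = {
    "id": "XXXXX", "displayName": "ANY DISPLAY NAME",
    "modifiedDateTime": "2025-02-05T10:30:40.0351794+00:00", "state": "enabled",
    "conditions": {"users": {"includeGroups": ["USERGROUP1", "USERGROUP2"],
                             "excludeGroups": []}, "clientAppTypes": ["all"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"cloudAppSecurity": {"cloudAppSecurityType": "monitor", "isEnabled": True},
                        "signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}},
}
NEW_POLICY = json.loads(json.dumps(OLD_POLICY))  # deep copy, then apply the changes
NEW_POLICY["displayName"] = "ANY DISPLAY NAME 1"
NEW_POLICY["modifiedDateTime"] = "2025-02-06T10:30:40.0351794+00:00"
NEW_POLICY["conditions"]["users"]["includeGroups"].append("USERGROUP3")
NEW_POLICY["conditions"]["users"]["excludeGroups"] = ["USERGROUP4"]
NEW_POLICY["sessionControls"]["cloudAppSecurity"]["cloudAppSecurityType"] = "block"
NEW_POLICY["sessionControls"]["signInFrequency"]["value"] = 2

if __name__ == "__main__":
    print("KeyName, Old Value, New Value")
    print("\n".join(render(diff_rows(OLD_POLICY, NEW_POLICY))))
```

For an alert, rows whose key lands under conditions.users.excludeGroups or grantControls are the ones worth routing with higher priority, since they loosen who the policy applies to or what it enforces.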
Perhaps you need to look at why the internet connection is down for so long and invest in a more robust network architecture so that the connection is maintained for a higher percentage of the time?