All Posts

I am trying to create an Azure connection in my Splunk install in Azure Government using the Microsoft Cloud Services add-on. When I create a new Azure account and provide the client and tenant IDs and the client secret, as directed by the documentation, it fails with the error: "In handler 'passwords': cannot parse secret JSON: Unexpected EOF". Looking closely, my suspicion is that this cannot handle the special characters that are in these secret keys, which include a tilde, dash, underscore, and period. I have tried keys that only have one or two of those special characters and they still fail, and I am unable to create a key that doesn't have at least one of them. Looking for some guidance on how to proceed. If I can't create the account, I can't connect my Event Hub and ingest into Splunk.
Hi @shaunm001 How about something like this? It's not perfect but should work. Be careful using REX as it can be resource intensive, although iterating over things like this is never perfect. Could be some other ways using mvexpand too, but I tried to avoid that! I've added some sample data for you to see how it might work!
    | makeresults
    | eval _raw="{ \"id\": \"12345\", \"params\": [ { \"key\": \"name\", \"value\": \"Splunker1\" }, { \"key\": \"score\", \"value\": 100 }, { \"key\": \"department\", \"value\": \"support\" } ] }"
    | eval _raw=json_extract(_raw,"")
    | eval params=json_array_to_mv(json_extract(_raw,"params"))
    | foreach params mode=multivalue [ | eval val_<<ITER>>=mvindex(params,<<ITER>>) ]
    | foreach val_* [ | eval fieldName=json_extract(mvindex(params, <<MATCHSTR>>),"key"), {fieldName}=json_extract(mvindex(params, <<MATCHSTR>>),"value") ]
    | fields - params val_*
Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards Will
Thanks! It helped me A LOT to solve my SPL problem!
Thanks @richgalloway  This worked.
How can I check that? "Settings" does not have it, it seems.
Are you able to check if your user has a role with the schedule_search capability? 
It seems to be unhappy that the file "linux_x86_64/bin/lib/_cffi_backend.cpython-39-x86_64-linux-gnu.so" is built for AMD64, not AArch64. Are you able to install and use "_cffi_backend.cpython-39-aarch64-linux-gnu.so" instead?
It is a new search
This is what I see
You are likely viewing the old status dashboard (lookup_editor_status.xml) that has been superseded. Try going to the Status page in the Health dropdown and it will bring you to the updated status dashboard (status.xml).
Which app are you using to implement this command, and are you able to connect to ChatGPT from your Splunk machine? Perhaps the command timed out.
The REGEX attribute must contain a capturing group, even if it's not used. Also, no need to reference _raw.
    [DropFirewallEvents]
    REGEX= ("category":\s"AZFWDnsQuery")
    DEST_KEY=queue
    FORMAT=nullQueue
Is the search a newly formed search or an edited Report? There should be an option for "Alert" when you make a new search and press "Save As", even in cloud.
Perhaps this method could work if the number of unique Names is not too high:
    <yoursearch>
    | eval mvs = mvzip('DeviceProperties{}.Name','DeviceProperties{}.Value',"=")
    | rex field=mvs "^Id=(?<Id>.*)"
    | rex field=mvs "^DisplayName=(?<DisplayName>.*)"
    | rex field=mvs "^OS=(?<OS>.*)"
    | rex field=mvs "^BrowserType=(?<BrowserType>.*)"
    | rex field=mvs "^TrustType=(?<TrustType>.*)"
    | rex field=mvs "^SessionId=(?<SessionId>.*)"
Hi everyone, We are pulling Firewall data from a Storage Account containing several categories. There is one specific category, AZFWDnsQuery, which needs to be dropped. I tested the regex in the search as well as on regex101. It is successfully matching only those specific events with this category. But once deployed, Splunk starts dropping all events from this input, including for other categories that do not match the regex.
Sample events:
    { "time": "2025-02-27T18:46:08.307710+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", "properties": {"SourceIp":"x.x.x.x","SourcePort":25208,"QueryId":51787,"QueryType":"A","QueryClass":"IN","QueryName":"google.com","Protocol":"udp","RequestSize":48,"DnssecOkBit":false,"EDNS0BufferSize":512,"ResponseCode":"NOERROR","ResponseFlags":"qr,rd,ra","ResponseSize":94,"RequestDurationSecs":0.007257565,"ErrorNumber":0,"ErrorMessage":""}, "category": "AZFWDnsQuery"}
    { "time": "2025-02-27T18:46:08.307329+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", "properties": {"SourceIp":"x.x.x.x","SourcePort":62730,"QueryId":16828,"QueryType":"A","QueryClass":"IN","QueryName":"google.com","Protocol":"udp","RequestSize":35,"DnssecOkBit":false,"EDNS0BufferSize":512,"ResponseCode":"NOERROR","ResponseFlags":"qr,rd,ra","ResponseSize":68,"RequestDurationSecs":0.012227477,"ErrorNumber":0,"ErrorMessage":""}, "category": "AZFWDnsQuery"}
    { "time": "2025-02-27T18:46:08.307262+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", "properties": {"SourceIp":"x.x.x.x","SourcePort":45452,"QueryId":25241,"QueryType":"A","QueryClass":"IN","QueryName":"google.com","Protocol":"udp","RequestSize":35,"DnssecOkBit":false,"EDNS0BufferSize":512,"ResponseCode":"NOERROR","ResponseFlags":"qr,rd,ra","ResponseSize":68,"RequestDurationSecs":0.008439891,"ErrorNumber":0,"ErrorMessage":""}, "category": "AZFWDnsQuery"}
    { "time": "2025-02-27T18:46:08.307129+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", "properties": {"SourceIp":"x.x.x.x","SourcePort":14846,"QueryId":3916,"QueryType":"A","QueryClass":"IN","QueryName":"google.com","Protocol":"udp","RequestSize":35,"DnssecOkBit":false,"EDNS0BufferSize":512,"ResponseCode":"NOERROR","ResponseFlags":"qr,rd,ra","ResponseSize":68,"RequestDurationSecs":0.009026804,"ErrorNumber":0,"ErrorMessage":""}, "category": "AZFWDnsQuery"}
Regex:
    \"category\":\s\"AZFWDnsQuery\"
Here is how props.conf and transforms.conf are configured.
props.conf:
    [sourcetype]
    TRANSFORMS-null=DropFirewallEvents
transforms.conf:
    [DropFirewallEvents]
    REGEX=_raw=\"category\":\s\"AZFWDnsQuery\"
    DEST_KEY=queue
    FORMAT=nullQueue
What could I be doing wrong here for Splunk to drop every event from this input? Thanks
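As an added pre-deployment check for the nullQueue question above and the transforms.conf answer earlier in this listing (example code written for this page, not from the original posts or from Splunk), the script below plays the role of a TRANSFORMS with DEST_KEY=queue / FORMAT=nullQueue over constructed sample events and reports whether a REGEX drops exactly the intended category. The three sample records, the second record's AZFWNetworkRule category and the third record's compact serialization are my constructions modelled on the question; the whitespace-tolerant `\s*` pattern is my generalization and appears nowhere on the page.

```python
import json
import re

# Constructed sample events (not from the original post): the first and third
# follow the AZFWDnsQuery records shown in the question, the second stands in
# for another Azure Firewall category that must keep flowing. The third record
# is serialized without a space after "category": to probe the \s in the regex.
SAMPLE_EVENTS = [
    '{ "time": "2025-02-27T18:46:08.307710+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", '
    '"properties": {"SourceIp":"x.x.x.x","QueryType":"A","QueryName":"google.com"}, "category": "AZFWDnsQuery"}',
    '{ "time": "2025-02-27T18:46:09.100000+00:00", "resourceId": "/SUBSCRIPTIONS/xxxxxx/xxx/Path", '
    '"properties": {"SourceIp":"x.x.x.x","Action":"Deny"}, "category": "AZFWNetworkRule"}',
    '{"time":"2025-02-27T18:46:10.200000+00:00","resourceId":"/SUBSCRIPTIONS/xxxxxx/xxx/Path",'
    '"properties":{"SourceIp":"x.x.x.x","QueryType":"A","QueryName":"example.org"},"category":"AZFWDnsQuery"}',
]

# Patterns exactly as they would follow REGEX= in transforms.conf. Splunk
# evaluates them with PCRE; none of these use syntax that differs in Python's re.
REGEX_AS_POSTED = r'_raw=\"category\":\s\"AZFWDnsQuery\"'          # from the question
REGEX_FROM_ANSWER = r'("category":\s"AZFWDnsQuery")'                # from the answer
REGEX_WHITESPACE_TOLERANT = r'("category"\s*:\s*"AZFWDnsQuery")'   # my generalization, not on the page


def route(events, regex):
    """Mimic TRANSFORMS with DEST_KEY=queue / FORMAT=nullQueue: an event whose
    _raw matches the regex is dropped, every other event is indexed."""
    pattern = re.compile(regex)
    kept, dropped = [], []
    for raw in events:
        (dropped if pattern.search(raw) else kept).append(raw)
    return kept, dropped


def category_of(raw):
    return json.loads(raw)["category"]


def check(regex, events=SAMPLE_EVENTS, drop_category="AZFWDnsQuery"):
    """Pre-deployment check: a filter is only correct if it drops every event
    of drop_category and nothing else. Returns counts plus a verdict."""
    kept, dropped = route(events, regex)
    dropped_wrong = [e for e in dropped if category_of(e) != drop_category]
    kept_wrong = [e for e in kept if category_of(e) == drop_category]
    return {
        "dropped": len(dropped),
        "kept": len(kept),
        "kept_categories": sorted({category_of(e) for e in kept}),
        "ok": not dropped_wrong and not kept_wrong,
    }


if __name__ == "__main__":
    for name, regex in [("as posted", REGEX_AS_POSTED),
                        ("from answer", REGEX_FROM_ANSWER),
                        ("whitespace tolerant", REGEX_WHITESPACE_TOLERANT)]:
        print(f"{name:20s} {check(regex)}")
```

Against these samples the posted pattern matches nothing, because the literal text `_raw=` is not part of the event; the pattern from the answer drops only the DNS record that has a single space after the colon, because `\s` matches exactly one whitespace character; the `\s*` variant drops both DNS records and keeps the network-rule record. Feed the script one real record from every category the input carries before shipping a nullQueue rule: a pattern that is too broad silently destroys telemetry, and one that is too narrow leaks the volume you meant to discard.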
Thank you
You're very close. Use \d (digit) in place of \w (word). Also, remove the '=' since there is no such character in the data.
    | rex "in (?<in>\d+)"
I believe this answer is not quite correct. The optimized query is:
    index=main sourcetype="access_combined_wcookie" action=purchase status=200 file="success.do"
    | table JSESSIONID, action, status
    | stats count by JSESSIONID, action, status
    | rename JSESSIONID as UserSessions
In a clustered Splunk environment, lines 1-2 execute in parallel on your indexers, the minimized data is then passed to the search head, and the search head executes line 3, and then line 4 only operates on 1 row of data. I try to always do a TABLE early in the query, especially before doing an expensive DEDUP, STATS, or BIN. That reduces the dataset on all your indexers, discarding unneeded fields, before it's merged on your search head. Instead of TABLE you could alternately do two FIELDS commands, one to include the necessary fields and another to remove _raw. Computationally I don't know whether Splunk is more efficient handling event data from FIELDS or handling transformed data from TABLE, but TABLE makes the query simpler.
Hello, I'm trying to only pull a specific value from the msgTxt log. In the log below, the example is 2024. This value does change and could be one digit or up to 6 digits.
    msgTxt = xxiskServicxxxapper - MxxeNext completed in 2024 ms. (request details: environment: Production | desired services: BusixxxsOwnexxxerritory | property type: Commercial | address: x RxxxDANx DR , xxxSHFIELD , xx 02xx0)
Below is the search I'm trying to use but it's not working. Any help would be appreciated.
    | eval msgTxt=" msgTxt: xxiskServicxxxapper - MxxeNext completed in 2024 ms. (request details: environment: Production | desired services: BusixxxsOwnexxxerritory*"
    | rex "in=(?<in>\w+)."
    | stats count by in
How do I extract these name/value elements from the "DeviceProperties" field below? Need it to be in table format such that the column names are the "Name" values and the rows of each column are the "Value" values.
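As an added example (written for this page, not from the original posts or from Splunk), the pivot that the two answers earlier in this listing perform in SPL, done in Python over constructed sample events: one with a `params` array of `{key,value}` objects, one with a `DeviceProperties` array of `{Name,Value}` objects. `flatten_event` reads each pair as a unit, which is what the `json_extract`/`mvindex` answer does; `zip_pivot_from_event` pairs the two parallel `{}.Name`/`{}.Value` arrays by position, which is what the `mvzip` answer does, and shows the failure mode of that approach: once a single entry has no Value, every later value shifts onto the wrong name. The event contents, the entry without a Value and the repeated SessionId are my constructions for this demonstration.

```python
import json

# Constructed sample events (not from the original posts), modelled on the two
# shapes discussed in this listing. The DisplayName entry deliberately has no
# Value and SessionId is deliberately repeated, to exercise the edge cases.
PARAMS_EVENT = ('{"id": "12345", "params": ['
                '{"key": "name", "value": "Splunker1"}, '
                '{"key": "score", "value": 100}, '
                '{"key": "department", "value": "support"}]}')
SIGNIN_EVENT = ('{"UserId": "u-1", "DeviceProperties": ['
                '{"Name": "Id", "Value": "dev-42"}, '
                '{"Name": "DisplayName"}, '
                '{"Name": "OS", "Value": "Windows10"}, '
                '{"Name": "TrustType", "Value": "AzureAd"}, '
                '{"Name": "SessionId", "Value": "s-1"}, '
                '{"Name": "SessionId", "Value": "s-2"}]}')


def pivot(pairs, name_key, value_key):
    """Turn [{name_key: n, value_key: v}, ...] into {n: v}, reading each pair
    as a unit so a missing value cannot shift the pairs after it.
    A repeated name collects its values into a list (the equivalent of a
    Splunk multivalue field); an entry with no value maps to None."""
    out = {}
    for entry in pairs:
        if name_key not in entry:
            continue
        name, value = entry[name_key], entry.get(value_key)
        if name not in out:
            out[name] = value
        elif isinstance(out[name], list):
            out[name].append(value)
        else:
            out[name] = [out[name], value]
    return out


def flatten_event(raw, array_field, name_key, value_key):
    """Parse one raw JSON event and return a flat row: the remaining top-level
    fields plus one column per distinct name found in array_field."""
    event = json.loads(raw)
    pairs = event.pop(array_field, None) or []
    row = dict(event)
    row.update(pivot(pairs, name_key, value_key))
    return row


def parallel_arrays(pairs, name_key, value_key):
    """Mimic what Splunk's automatic JSON extraction yields for
    DeviceProperties{}.Name and DeviceProperties{}.Value: two independent
    multivalue fields, each holding only the keys that were present."""
    names = [e[name_key] for e in pairs if name_key in e]
    values = [e[value_key] for e in pairs if value_key in e]
    return names, values


def zip_pivot_from_event(raw, array_field, name_key, value_key):
    """The mvzip-style pairing by position. Correct only while every entry has
    both keys; one entry without a value misattributes everything after it."""
    pairs = json.loads(raw).get(array_field) or []
    names, values = parallel_arrays(pairs, name_key, value_key)
    out = {}
    for i, name in enumerate(names):
        value = values[i] if i < len(values) else None
        if name not in out:
            out[name] = value
        elif isinstance(out[name], list):
            out[name].append(value)
        else:
            out[name] = [out[name], value]
    return out


if __name__ == "__main__":
    print(flatten_event(PARAMS_EVENT, "params", "key", "value"))
    print(flatten_event(SIGNIN_EVENT, "DeviceProperties", "Name", "Value"))
    print(zip_pivot_from_event(SIGNIN_EVENT, "DeviceProperties", "Name", "Value"))
```

On the sign-in sample the pair-wise pivot yields OS=Windows10, TrustType=AzureAd and DisplayName=None, while the positional pairing yields DisplayName=Windows10 and OS=AzureAd. When the columns feed a detection (TrustType, SessionId) that shift is silent, so prefer the pair-wise form, or at least assert that the Name and Value arrays have the same length before zipping them.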