All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

You would therefore use "vs_name" in-place of "_raw" in the replace command. You can use multiple transforms on a single sourcetype - even if you're already using an INGEST_EVAL. For example == pr... See more...
You would therefore use "vs_name" in-place of "_raw" in the replace command. You can use multiple transforms on a single sourcetype - even if you're already using an INGEST_EVAL. For example == props.conf == [yourSourcetype] TRANSFORMS-defineIndex =.defineIndex TRANSFORMS-extractServerId =.extractServerId ... etc ... Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped. Regards Will
Sure @jialiu907  Just to mention, by default rex works on the _raw field, however you can specify field=<fieldName> to run it against a different field. Breakdown of the rex (regular expression): ... See more...
Sure @jialiu907  Just to mention, by default rex works on the _raw field, however you can specify field=<fieldName> to run it against a different field. Breakdown of the rex (regular expression): \)\: Matches a literal ) followed by a :. The backslash (\) escapes the closing parenthesis ) since it's a special character in regex. \s Matches a single whitespace character (space, tab, or newline). (?<Disconnect>SSLSocket Disconnected from Cloud) This is a named capturing group called Disconnect which means it creates your new Splunk field called "Disconnect". It captures the exact phrase "SSLSocket Disconnected from Cloud". - If there is no exact match (Case-Sensitive) then it will not match! The (?<name>pattern) syntax is used to name the capturing group and extract the field. Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped. Regards Will
Hi @MichalDerySam  I had this issue previously - I would recommend sending an email to splunkbase-admin@splunk.com with the details of your app and let them know you have submitted a new version and... See more...
Hi @MichalDerySam  I had this issue previously - I would recommend sending an email to splunkbase-admin@splunk.com with the details of your app and let them know you have submitted a new version and they will be able to un-archive it for you.  Their turnaround is usually relatively quick!   Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped. Regards Will  
All the private apps on my splunk installation pass the jQuery and Python readiness.  It is just the public Config Explorer that failed the Python readiness.  I checked for customized code and editin... See more...
All the private apps on my splunk installation pass the jQuery and Python readiness.  It is just the public Config Explorer that failed the Python readiness.  I checked for customized code and editing of any files; by using the Linux CLI, I compared all the files in the etc/apps/config_explorer/...  with another splunk server that had the app installed that did not get the python incompatibility.  i compared filename, size, and date of the files and all the files were the same on each server; since one server flags config_explorer with a python version incompatibility, I wonder now if the Upgrade Readiness App has code in need of updating.   The wget command recommended in the link ".../9.4.0/UpgradeReadiness/ResultsPython" that will "undo dismissed apps" was helpful in reversing the effect of "Dismiss App Alert", but the Config Explorer now fails the python scan because "This newly installed App has not completed the necessary scan." instead of the Python incompatibility.  I don't know if the wget that reverses the dismiss app alert and the new error from upgrade readiness are related.
my app has been archived , i uploaded a new version today "Compatibility Report" passed all checks  but it didn't help the app is still in "archived" mode. any idea what i need to do to solve it an... See more...
my app has been archived , i uploaded a new version today "Compatibility Report" passed all checks  but it didn't help the app is still in "archived" mode. any idea what i need to do to solve it and to be able to activate it again? Thanks
I think this "admin_all_objects" privilege is needed by the app to access the client secret stored in the app, which is used to authenticate the advanced hunting requests. There is another app (http... See more...
I think this "admin_all_objects" privilege is needed by the app to access the client secret stored in the app, which is used to authenticate the advanced hunting requests. There is another app (https://splunkbase.splunk.com/app/6463) which appears to do the same thing albeit with a differently named command "defkqlg". It says in the Details tab that you can use the "edit_storage_passwords" capability instead of "admin_all_objects" if your Splunk Enterprise version is later than 9.1.0. It might also be possible to use edit_storage_passwords privilege instead on the MS Defender Advanced Hunting app, but it would need to be tested.
Turns out the issue was the break and inspect from the corporate firewall. Standard global git config fix didn't work, as it seems that as part of the install process, SOAR changes the config key to ... See more...
Turns out the issue was the break and inspect from the corporate firewall. Standard global git config fix didn't work, as it seems that as part of the install process, SOAR changes the config key to http.sslcainfo=$SOAR_HOME/etc/cacerts.pem. Modifying that cacerts.pem file to add the full chain of certs you get when navigating to GitHub from a browser on the same network ended up working to get SOAR to install successfully.
Our Security partners at work recently determined that their analyst need the ability to run the custom command:  advhunt (TA_ms_advanced_hunting) The custom command indicates: To use this a... See more...
Our Security partners at work recently determined that their analyst need the ability to run the custom command:  advhunt (TA_ms_advanced_hunting) The custom command indicates: To use this app, users need following privileges. list_storage_passwords admin_all_objects We do not want to give all Security users the ability to admin_all_objects. What other options do we have? 
Hi @seiimonn ! Debian GNU/Linux 12 (bookworm) Splunk Enterprise 9.0.0 AME 3.0.8. Sysinfo: {"uuid":"95c6740c-9e0b-42b1-b2b9-b78067db6677","status":200,"messages":[],"payload":{"tenant_list":[{"te... See more...
Hi @seiimonn ! Debian GNU/Linux 12 (bookworm) Splunk Enterprise 9.0.0 AME 3.0.8. Sysinfo: {"uuid":"95c6740c-9e0b-42b1-b2b9-b78067db6677","status":200,"messages":[],"payload":{"tenant_list":[{"tenant_uid":"default","role":"admin"}],"is_admin":true,"is_app_admin":true,"products":[],"necessary_tasks":[],"legacy_installed":false,"environment":"on_premises","timezone":"UTC"}} There ara no errors now, if i run this script: index=_internal source=*ame* ERROR | table _time host source _raw But maybe these ara interesting in the splunkd.log: 19/02/2025 19:34:15.506   02-19-2025 19:34:15.506 +0100 WARN HttpListener [1069 HttpDedicatedIoThread-4] - Socket error from 127.0.0.1:37790 while accessing /servicesNS/nobody/alert_manager_enterprise/properties/server: Broken pipe host = splunk source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd   19/02/2025 19:34:08.828   2025-02-19 19:34:08,828 INFO [assist::supervisor_modular_input.py] [context] [build_supervisor_secrets] [22691] Secret load failed, key=tenant_id, error=[HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/splunk_assist/storage/passwords/tenant_id?output_mode=json host = splunk source = /opt/splunk/var/log/splunk/splunk_assist_supervisor_modular_input.log sourcetype = splunk_assist_internal_log   19/02/2025 19:34:06.362   02-19-2025 19:34:06.362 +0100 WARN HttpListener [1068 HttpDedicatedIoThread-3] - Socket error from 127.0.0.1:52422 while accessing /servicesNS/nobody/alert_manager_enterprise/properties/server: Broken pipe host = splunk source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd   19/02/2025 19:33:56.500   2025-02-19 19:33:56.500 +0100 Trace-Id= type=METER, name=ch.qos.logback.core.Appender.error, count=3, m1_rate=3.527460396057507E-12, m5_rate=9.325633072421824E-5, m15_rate=7.016228689718483E-4, mean_rate=0.0019981503731937404, rate_unit=events/second host = splunk source = /opt/splunk/var/log/splunk/splunk_app_db_connect_health_metrics.log sourcetype = dbx_health_metrics   19/02/2025 19:33:54.415   2025-02-19 19:33:54,415 INFO [assist::supervisor_modular_input.py] [context] [build_supervisor_secrets] [22467] Secret load failed, key=tenant_id, error=[HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/splunk_assist/storage/passwords/tenant_id?output_mode=json host = splunk source = /opt/splunk/var/log/splunk/splunk_assist_supervisor_modular_input.log sourcetype = splunk_assist_internal_log   I use this script, to create test alerts: | makeresults | eval user="World", src="192.168.0.1", action="create test event" | sendalert create_alert param.title="Hello $result.user$" param.template=default param.tenant_uid=default I think there is nothing interesting on the browsers developer console. What do you think about that? Thanks for your helping.
Hi Andras Which OS, Splunk version and AME version are you using? Is there anything visible in the browser developer console? Can you check if something loads if you open this URL in your browser... See more...
Hi Andras Which OS, Splunk version and AME version are you using? Is there anything visible in the browser developer console? Can you check if something loads if you open this URL in your browser? https://your-splunk:8000/en-GB/splunkd/__raw/services/ame_sysinfo Are there any errors visible with  index=_internal source=*ame* ERROR | table _time host source _raw   Please open a support case if you cannot share this information publicly. Regards, Simon  
Try something like this index=* NOT index=_* host=* | stats count by host | append [| makeresults | eval host=split("host1,host2,host3....host36",",") | mvexpand host | eval count=1] | stats... See more...
Try something like this index=* NOT index=_* host=* | stats count by host | append [| makeresults | eval host=split("host1,host2,host3....host36",",") | mvexpand host | eval count=1] | stats sum(count) AS event_count by host | eval status=if(event_count = 1, "Missing", "Available") | table host status | sort status, host
Hi @Andras , if you haven't the issue about the Global Sharing of the Alerts, check the macros used in the dashboards, probably you have to specify the index where Notables are located. You can do ... See more...
Hi @Andras , if you haven't the issue about the Global Sharing of the Alerts, check the macros used in the dashboards, probably you have to specify the index where Notables are located. You can do it opening the dashboard. Ciao. Giuseppe
Hi Team, I am a newbie in Splunk. I am using a basic IN clause in a search command to pull out the 36 windows server integration available or not in splunk. index=* NOT index=_* host IN ("host1", "... See more...
Hi Team, I am a newbie in Splunk. I am using a basic IN clause in a search command to pull out the 36 windows server integration available or not in splunk. index=* NOT index=_* host IN ("host1", "host2", "host3", ...., "host36") | stats count by host It gives me the servers which are available in splunk. I want to find out the missing ones and the available ones in this format- host status host1 Available host2 Available host3 Missing I am using the below query but it only gives 6 statistics. | makeresults count=1 | eval all_hosts="host1,host2,host3....host36" | makemv delim="," all_hosts | mvexpand all_hosts | rename all_hosts AS host | append [ search index=* NOT index=_* host=* | stats count by host ] | stats values(count) AS event_count by host | where host IN ("host1", "host2",....,"host36") | eval status=if(isnull(event_count), "Missing", "Available") | table host status | sort status, host  Can anyone please help me out what I am doing wrong. Thanks in Advance!!
Make sure you are using the local/default admin account and that there are no other roles associated with that account. 
Thank you @yuanliu for your insightful response! The csv file contains 3 columns, "id", "rule", and "Boolean". The id column just identifies which "rule" fired. The "id" column is just a text string ... See more...
Thank you @yuanliu for your insightful response! The csv file contains 3 columns, "id", "rule", and "Boolean". The id column just identifies which "rule" fired. The "id" column is just a text string to identify the rule that fired. The "rule" column is a Splunk rule (IE: "/user:" AND pwd)  that either contains a Boolean operator (AND, OR, NOT) or does not contain a Boolean operator. The "boolean" column just says TRUE or FALSE as to whether the preceding "rules" column contains a boolean.  I agree with you that the "map" command may not be the best command for what I am trying to do. So far this search string does generate results:  index="index1" [ inputlookup rules.csv | eval search = if(boolean="FALSE","\""+rule+"\"",rule) | return 10000 $search] | head 5 | fields _time index | eval time_token = "_time=" + _time , index_token = "index=" + index | stats values(time_token) AS time_token values(index_token) AS index_token | eval time_token=mvjoin(time_token," OR ") , index_token=mvjoin(index_token," OR ") | append [ inputlookup rules.csv | eval rule = if(boolean="FALSE","\""+rule+"\"",rule)] | eventstats first(time_token) AS time_token first(index_token) AS index_token | search rule=*   And shows a "time_token" and "index_token" for each time and index that contains a match to one of the rules in the csv file. My attempt with the "map" command was to then map the rule to the event in Splunk to identify which rule fired on which event. Do you have a suggestion for something that could work better? 
Hi @secure  How about this? | makeresults | eval GroupA = 353649273, GroupB=353648649 | append [ | makeresults | eval GroupA = 353649184, GroupB=353648566] | append [ | makeresults | eval GroupA = ... See more...
Hi @secure  How about this? | makeresults | eval GroupA = 353649273, GroupB=353648649 | append [ | makeresults | eval GroupA = 353649184, GroupB=353648566] | append [ | makeresults | eval GroupA = 353649091, GroupB=353616829] | append [ | makeresults | eval GroupA = 353649033, GroupB=353638941] | append [ | makeresults | eval GroupA = 353648797] | append [ | makeresults | eval GroupA = 353648680] | append [ | makeresults | eval GroupA = 353648745] | append [ | makeresults | eval GroupA = 353648730] | append [ | makeresults | eval GroupA = 353638941] | fields - _time | eventstats values(GroupB) AS GroupB | eval match=IF(match(GroupB,GroupA),1,0) | where match=1 Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped. Regards Will
I have the same issue I installed it locally on Splunk local host, and the page "home" is empty   any idea?
@jialiu907  Check this   
Yes it worked perfectly thank you. Are you able to explain the syntax of the rex if possible?
I already have ingest eval in place. I only need to extract fqdn from vs_name in order to match there.