All Posts

So if I am getting the below data. This below is using spath for the message field:

    2025-02-11 20:20:46.192 [com.bootstrapserver.runtim] DEBUG Stability run result com.cmp.bootstrapserver.runtime.internal.api.RStability@36464gf
    2025-02-11 20:20:46 [com.bootstrapserver.runtim] DEBUG Stability run result :com.cmp.bootstrapserver.runtime.interndal.api.RStability@373638cgf

This below is using props and transforms for the message field:

    2025-02-11 20:20:46.192 [com.bootstrapserver.runtim] DEBUG Stability run result com.cmp.bootstrapserver.runtime.internal.api.RStability@36464gf
    2025-02-11 20:20:46 [com.bootstrapserver.runtim] DEBUG Stability run result :com.cmp.bootstrapserver.runtime.interndal.api.RStability@373638cgf

Both ways got the same data, so is it correct or wrong? Or should it be different after using transforms and props? I need to know this first, and if not, then what?
Excellent - post back here if you need any further help. I don't use the MISP app, so I'm not sure how it is expected to run, but the _audit index should certainly give you some insight into those searches. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
Hi @livehybrid, I think that is a good place to start. I am going to tinker with that and report back. I have also challenged our success engineer at Splunk for any input, so I will report back with those findings too. Have a great day! Antoine
Is your intention to query Splunk using some external Python code, or are you building a Splunk add-on and using the inbuilt Splunk Python? You may gain some benefits from using the SDK if connecting to the Splunk API from outside Splunk, such as pagination, error catching, validation, etc. It can also help abstract away from the particular API endpoints needed for interacting with the REST API, and it is maintained to reflect changes in Splunk through version updates to the SDK libraries. Let me know if you have a particular use case and we can see if there is a particular benefit/drawback to using the SDK and/or the requests library. Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
@Sathish28 As @livehybrid said, please check this:

    [capability::change_authentication]
    * Lets a user change authentication settings through the authentication endpoints.
    * Lets the user reload authentication.

And also, this seems to work to reload it, and is available through the management port:

    curl -k -u admin:changeme https://splunkserver:8089/services/authentication/providers/services/_reload

You can use this simple Splunk command to do this:

    ./splunk _internal call /authentication/providers/services/_reload -auth

    QUERYING: 'https://127.0.0.1:8089/services/authentication/providers/services/_reload'
    Your session is invalid. Please login.
    Splunk username:
    Password:
    HTTP Status: 200.
    Content:
    <?xml version="1.0" encoding="UTF-8"?>
    <?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
    <feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
      <title>auth-services</title>
      <id>https://127.0.0.1:8089/services/authentication/providers/services</id>
      <updated>2014-04-02T08:39:45+02:00</updated>
      <generator build="163460" version="5.0.3"/>
      <author>
        <name>Splunk</name>
      </author>
      <link href="/services/authentication/providers/services/_reload" rel="_reload"/>
      <opensearch:totalResults>0</opensearch:totalResults>
      <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
      <opensearch:startIndex>0</opensearch:startIndex>
      <s:messages/>
    </feed>
Hi @noiiaz, you might be able to find the logs you are looking for in _audit. If you know the name of the search, then try

    index=_audit savedsearch_name=<yourSearchName> info=completed action=search

which should give you some more info about the search query, and useful info such as the number of events searched and results output (e.g. event_count=134, result_count=67). Would this help provide the info you are looking for? Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
@SN1 Here is one .conf presentation which you could probably use to check if there is a local issue or where the issue could be: https://conf.splunk.com/files/2019/slides/FN1570.pdf
It looks like your user role doesn't have `change_authentication = enabled`, which is required for this task. Do you have access to an admin account, or maybe a break-glass account that you can execute the CLI reload with? Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
@SN1 Even though telnet is connecting, there might still be network issues or firewall rules affecting the Splunk traffic. Ensure that there are no firewalls blocking the traffic between the forwarders and indexers. Make sure all your indexers are running and reachable. You can use the Splunk Monitoring Console to view the status of your indexers. Check the resource usage on your forwarders and indexers; high CPU or memory usage can sometimes cause forwarding issues. Then, are you using an SSL certificate? If yes, check the validity and the password of your certificate, and that the certificate is used on the UFs and IDXs.
Recently we migrated a server from a virtual machine to a physical server. We use LDAP authentication for user access to Splunk. The users were able to log in but did not have the same privileges when moved from the VM to the physical server. I am able to log in to Splunk Web UI, but as an admin I am not able to view with admin privileges. So I tried to run the below command on the search head server:

    ./splunk reload auth

I got the below error:

    Authorization Failed: b'<?xml version="1.0" encoding="UTF-8"?>\n<response>\n  <messages>\n    <msg type="ERROR">You (user=88888888) do not have permission to perform this operation (requires capability: change_authentication).</msg>\n  </messages>\n</response>\n'
    Client is not authorized to perform requested action
Hi guys, I am looking to build a query/dashboard that would monitor the status of the connection of the Splunk API to the MISP42 instance. I am unsure how to go about this; I can't find anything interesting in the _internal index to fetch or look at, or a heartbeat that would indicate a successful handshake. To my understanding, a search is run every X days (we set it up once a day) to write the data we have in our MISP instance to lookups. Those different lookups are then used for Threat Intelligence and are mapped. Maybe I should monitor the search to see if it did not write any updates? I am trying to get notified, or a query that would let me know there is an issue with the feed. Thanks,
Hi everyone, we are currently in a migration project and want to process NetFlow data within Splunk. For this purpose, we are using Splunk Stream and the associated apps (Add-On for Stream Forwarders/Add-On for Stream Wire Data), and we are receiving a lot of data from the respective system. Unfortunately, many fields in this data remain empty, even though they can be read from the same system using the current NetFlow tool. We selected every possible field from the configuration within the GUI and changed the NetFlow version from 5 to 9 and IPFIX without any positive outcome. The fields which are interesting for us are the following:

    interface name
    app
    app_desc
    protocol (tcp or udp)

Are there any additional configuration options available, or has anyone experienced this issue? Thanks in advance.
Is there any particular reason for using the Python splunk-sdk over standard RESTful API libraries or tools (such as the Python requests library)? Using standard Python, you should be able to import data into pandas with 3 lines:

    response = requests.get(url)
    data = response.json()
    pd.DataFrame(data)

What does splunk-sdk have that Python requests does not? Thanks!
Understood. So my el basically hands me an index today and tells me to investigate it. My anxiety is going through the roof. Please... any tips, advice and best practice?
Does anyone have a spare trial version license? I know it's a very odd request. It will be really helpful if anyone can share.
Hi @Jeewan, I can understand your urgency. I don't think you can get it immediately. I would suggest sending an email to devinfo@splunk.com, or you might need to request a new license.
I'm having some issues with my on-prem deployment of Splunk SOAR 6.3.1 and would like to revert to 6.2.2. Should I just follow the steps for upgrading even though I'm reverting to a previous version? https://docs.splunk.com/Documentation/SOARonprem/6.2.2/Install/UpgradeSOARInstance
Thanks! I must have missed that one field by not wrapping it. Glad to know it didn't matter in this case, though, lol. I'll make sure to look into how I can use FOREACH going forward. You've been a great help!
Hi Team, is there a way to get an immediate Splunk Developer/Trial license? I was using the developer license and it's expired. I need it for some more time for today. Is there a way to get it? Can somebody please provide the Splunk Developer/Trial license? #Splunk Trial account
I am setting up Cloud360 45c version in my dev environment, which is a standalone server. I have configured all the files and lookups, but when I am trying to run the main.py script it is giving me the below error:

    [splunk@s-9ee55895 scripts]$ /opt/splunk/bin/splunk cmd python3 main.py METRIC
    Traceback (most recent call last):
      File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/../../lib/pandas/core/indexes/base.py", line 3361, in get_loc
        return self._engine.get_loc(casted_key)
      File "pandas/_libs/index.pyx", line 76, in pandas._libs.index.IndexEngine.get_loc
      File "pandas/_libs/index.pyx", line 108, in pandas._libs.index.IndexEngine.get_loc
      File "pandas/_libs/hashtable_class_helper.pxi", line 5198, in pandas._libs.hashtable.PyObjectHashTable.get_item
      File "pandas/_libs/hashtable_class_helper.pxi", line 5206, in pandas._libs.hashtable.PyObjectHashTable.get_item
    KeyError: 'enabled'

    The above exception was the direct cause of the following exception:

    Traceback (most recent call last):
      File "main.py", line 12, in <module>
        from aws_manager import Cloud360_AWS_Manager
      File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/aws_manager.py", line 10, in <module>
        import aws_detail_structure_processor as DetailStructureProcessor
      File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/aws_detail_structure_processor.py", line 50, in <module>
        raw_metric_catalog_df = raw_metric_catalog_df[raw_metric_catalog_df['enabled'] == 0]
      File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/../../lib/pandas/core/frame.py", line 3458, in __getitem__
        indexer = self.columns.get_loc(key)
      File "/opt/splunk/etc/apps/acn_cloud360-aws_edc_rhel_7.x_tenant01/bin/scripts/../../lib/pandas/core/indexes/base.py", line 3363, in get_loc
        raise KeyError(key) from err
    KeyError: 'enabled'

Can anyone help me with what I am missing here?