All Posts
Hi, I am displaying a table as a result from the search; however, I would like to add an additional column with static values based on an existing column. For example:

S.No    Name    Dept
1       Andy    IT
2       Chris   Bus
3       Nike    Pay

In the above table, I would like to add another column called Company and map the value based on the Dept column as below:
If Dept is IT, then the value for Company is XXXX
If Dept is Bus, then the value for Company is YYYY
If Dept is Pay, then the value for Company is ZZZZ

The final table should look like:

S.No    Name    Dept    Comp
1       Andy    IT      XXXX
2       Chris   Bus     YYYY
3       Nike    Pay     ZZZZ

@ITWhisperer Dashboard
@Meett Hello, thank you for your kind reply. I am glad to hear that you know of a case where the plug-in is used with v14.2. I'll be researching more and finding out what to do next.
Hi @splunk_user_99  You can get network/log data from the Team Red/Blue exercises "Boss of the SOC" found at https://github.com/splunk/securitydatasets. These come in a Splunk-ready format for you to add into your instance and work on.
Thank you for your explanation, it works very well.   KR Théo
Hi @harishsplunk7  I can't see that as an option so I don't think so. You could add an action to email you if the search fails so you can investigate.
Hi @sekarjegan93  When you add a visualisation, it's given an auto-generated name such as "viz_XQInZkvE". The code snippet you shared does not include an element ID. Did you change the name of this element in the code? Maybe you deleted that element? Are you trying to refresh a single visualisation or the whole dashboard?
Hi @zksvc  Looks like a binary file was read there. Have you followed the steps here https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/MonitorWindowseventlogdata ?
Thank you so much for the explanation. This makes so much sense when you describe it (and is something I should have been able to think of myself).
Hi @BalajiRaju  Can you provide the base search you're using in Splunk and the Python code for us to see?
Here's the context: I've created a Splunk add-on app in the Splunk Enterprise trial version. After creating it, and also creating the input using modular Python code with an API as the source, I used the Validate & Package step and then downloaded the package to get a .spl file. After getting the .spl file, I uploaded it to a Splunk Cloud environment; it went through without errors but with warnings, and it let me install the uploaded app. After installing and restarting the cloud environment, I created an input using the installed app, created a new index for it, and ran a search on the index. After waiting for it to generate more events based on the interval I set (its interval is 10 mins), it shows the warning below, repeating every 10 mins as time passes. My thought is that the events are being redirected into the lastchanceindex, but when I try creating an input and index in the Splunk Enterprise version where I created the app, it generates events accordingly and doesn't redirect them into the lastchanceindex. In this scenario, what could be the issue and how do I solve it? I've been checking other questions here in the community and I think there's none related to this scenario. I hope someone could help. Thanks!

"Search peer idx-i-0c2xxxxxxxxxx1d15.xxxxxx-xxxxxxxx.splunkcloud.com has the following message: Redirected event for unconfigured/disabled/deleted index=xxx with source="xxx" host="host::xxx" sourcetype="sourcetype::xxx" into the LastChanceIndex. So far received events from 15 missing index(es)."
Hi @Karthikeya , as you can read at https://splunkbase.splunk.com/app/4353, it isn't possible to use this app in clusters, because conf files are aligned by the Cluster Manager (Indexers Cluster) and by the Deployer or the Captain (Search Head Cluster) and it isn't possible to modify conf files of one component. Ciao. Giuseppe
Hi @Nawab , you should use the sourcetypes used in the add-on. The add-on should be installed on the Forwarder used to ingest data and on the Search Heads, used for search-time parsing activities. Ciao. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @Skv , as I said, Splunk Forwarders (both Universal and Heavy) have a cache mechanism so, if there's no connection with the Indexers, logs are locally stored in the Forwarder until the connection is re-established. Information about how it works and how to configure these persistent queues can be found at https://docs.splunk.com/Documentation/Splunk/latest/Data/Usepersistentqueues . Ciao. Giuseppe
Hi everyone, I got an error when I tried to install a new agent on a new server using SplunkForwarder. For inputs.conf I use this:

[WinEventLog://Security]
disabled = 0
index = windows
sourcetype = Wineventlog:Security

[WinEventLog://System]
disabled = 0
index = windows
sourcetype = Wineventlog:System

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = windows
sourcetype = WinEventLog:PowerShell

And the preview looks like this, with source = C:\Windows\System32\winevt\Logs\Microsoft-Windows-WFP%4Operational.evtx

This is not my first time ingesting Windows, but this error has just happened to me right now, and I am confused about how to solve it.
Hi @ws , you have many ways to check repetitive logs; the easiest is to save logs in files with different names (e.g. adding date and time) and use the crcSalt = <SOURCE> option in the related inputs.conf stanza. Ciao. Giuseppe
Hi @Tajuddin , at first, to share something like log samples or code you can use the "Insert/Edit code sample" button. Anyway, this seems to be a JSON log; did you try to use INDEXED_EXTRACTION=JSON or the spath command? Otherwise, it's possible to use a regex. Ciao. Giuseppe
Please note that there is actually  in place of  . When I posted, it was automatically converted to an emoji.
I have the following log in Splunk from which I want to extract names and their respective ids. Please help with the Splunk search to print the room names along with deduplicated ids.

Log Event:
TIME:10/Feb/2025:03:08:17 -0800 TYPE:INFO APP_NAME:ROOM_LOOKUP_JOBS APP_BUILD_VERSION:NOT_DEFINED CLIENT_IP:100.102.16.183 CLIENT_USER_AGENT:Unknown Browser CLIENT_OS_N_DEVICE:Unknown OS Unknow Devices CLIENT_REQUEST_METHOD:GET CLIENT_REQUEST_URI:/supporting-apps/room-lookup-job/index.php CLIENT_REQUEST_TYPE:HttpRequest CLIENT_REQUEST_CONTENT_SIZE:0 SERVER_HOST_NAME:roomlookupjob-prod.us-west-2i.app.apple.com SERVER_CONTAINER_ID:roomlookupjob-prod-5d96c45c64-w4q79 REQUEST_UNIQUE_ID:Z6neG-5vAofNnSWuA5msAQAAAAA MESSAGE="Rooms successfully updated for building - IL01: [{\"name\":\"Chiaroscuro (B277) [AVCN] (3) {R} IL01 2nd\",\"id\":\"6C30AF02-5900-480C-873F-8B0763DE95F8\"},{\"name\":\"2-Pop (N221) [AVCN] (8) {R} IL01 2nd\",\"id\":\"7853CB27-A083-454F-90A6-006854396AD1\"},{\"name\":\"Bonk (B380) [AVCN] (3) {R} IL01 3rd\",\"id\":\"88AF6D48-F930-4A98-9171-BE1FAAF0E36D\"},{\"name\":\"Montage (D203) [AVCN] (7) {R} IL01 2nd\",\"id\":\"29C44E4D-8628-4815-9AB8-CF49682A9EDC\"},{\"name\":\"Cougar - Interview Room Only (B138) (4) {R} IL01 1st\",\"id\":\"D1F40F0F-E40D-46B3-BD62-2C9A054E9E70\"},{\"name\":\"Iceman - Interview Room Only (B140) (3) {R} IL01 1st\",\"id\":\"38348FD5-021A-466E-A860-0A45CA9CD18F\"},{\"name\":\"Merlin - Interview Room Only (B136) (2) {R} IL01 1st\",\"id\":\"51211C55-94EA-4B38-97B6-2EB20369FDAF\"},{\"name\":\"Viper - Interview Room Only (B134) (10) {R} IL01 1st\",\"id\":\"940E9844-49BF-4B4E-B114-A2D734203C37\"},{\"name\":\"Maverick - Interview Room Only (B142) (4) {R} IL01 1st\",\"id\":\"6D29660F-09C3-4634-8DE5-0ECFAA5639DB\"},{\"name\":\"Vignette (R278) [AVCN] (12) {R} IL01 2nd\",\"id\":\"00265678-8775-4E95-A7CA-8454AD35C4A4\"},{\"name\":\"Broom Wagon (A317) [AVCN] (14) {R} IL01 3rd\",\"id\":\"1D1EB626-C5D2-4289-B5DA-A7F6EAA79AE8\"},{\"name\":\"Jump Cut (D211) [AVCN] (22) {R} IL01 2nd\",\"id\":\"66FF42BA-3ED6-48E6-886D-08CE18124110\"},{\"name\":\"{M} The Roundhouse (P404) (6) {R} IL01 4th\",\"id\":\"2477B40A-97BF-E2C7-4908-EF5D172D5DD3\"},{\"name\":\"Corncob (S323) [AVCN] (7) {R} IL01 3rd\",\"id\":\"F01706E7-F19B-3035-CEF4-4D13FC792B0E\"},{\"name\":\"Rouleur (Q311) [AVCN] (14) {R} IL01 3rd\",\"id\":\"D96D16CE-557E-90A0-AF65-9FCAAE406659\"},{\"name\":\"Field Sprint (S341) [AVCN] (13) {R} IL01 3rd\",\"id\":\"DA59EAC2-8491-3EE2-9B78-A54E5A3FE704\"},{\"name\":\"{M} Storyboard (C218) [AVCN] (27) {R} IL01 2nd\",\"id\":\"45C4588D-0CB5-D035-5C2E-517477B1D7CB\"},{\"name\":\"Zoetrope (S241) [AVCN] (8) {R} IL01 2nd\",\"id\":\"58750290-4C79-9AFB-B277-BDE5A219D0E5\"},{\"name\":\"Sizzle Reel (P248) [AVCN] (8) {R} IL01 2nd\",\"id\":\"DF8004E6-25B8-3B18-794D-253D83FE1279\"},{\"name\":\"Rough Cut (N213) [AVCN] (7) {R} IL01 2nd\",\"id\":\"A3792CEC-BF73-F207-DB06-3884D1042C80\"}]"

Search:
index=roomlookup_prod | search "Rooms successfully updated for building - IL01"

Expected results:
name                                          id
Chiaroscuro (B277) [AVCN] (3) {R} IL01 2nd    6C30AF02-5900-480C-873F-8B0763DE95F8
2-Pop (N221) [AVCN] (8) {R} IL01 2nd          7853CB27-A083-454F-90A6-006854396AD1
and so on..
@splunklearner  Please check this solution.  Solved: Re: Why would INDEXED_EXTRACTIONS=JSON in props.co... - Splunk Community
@splunklearner  Verify in splunkd.log whether your Universal Forwarder (UF) or Heavy Forwarder (HF) is sending duplicate events. Check inputs.conf, make sure crcSalt = <SOURCE> is set to avoid duplicate ingestion.