All Posts
Hello, I have a lookup table which contains the fields below.

user       shortname
email 1    name1
email 2    name2

I wanted to search a specific index and find whether the users in the lookup table logged in to any app in the past 1 month. I am trying something like this and not getting an exact match with the users in the lookup table. Please help here.

| inputlookup users_list.csv
| join user type=outer [ | search index="my_index" sourcetype="my_sourcetype" | fields app action signinDateTime user shortname ]
| table app action signinDateTime user shortname
Hi, yes, you read it right. One of my small labs is planning to migrate their Splunk deployment from RHEL to Windows. Their main reason is that they do not have a Linux admin. I am going to help them migrate, but I am a Linux admin and have never done any migration from one platform to another. Has anyone done that? Any tips on how to go about doing it?
As per the subject, I'm attempting to convert a rex expression in my search into a proper field extraction using the Field Extractor so I can drop the rex and use the field in my base search directly. The rex expression works perfectly but requires the use of max_match=0 in order to get all the results. Unless I'm mistaken (which is very possible), I don't have that option available in the Field Extractor, and because of that, the regex only picks up one value instead of multiple. I've tested the regex on regex101, and it works fine there, grabbing all the values properly. It's just in the Field Extractor that it isn't grabbing stuff. The rex expression itself does use a specific field rather than just running on _raw, but the search does work when running on _raw (I verified). The rex expression is placed below, followed by the regex itself.

rex field=AttachmentDetails max_match=0 "(?:'(?<attachments>.*?)'.*?'fileHash': '(?<sha256>\w+)'}.*?\{.*?\}\}[,\}]\s?)"

(?:'(?<attachments>.*?)'.*?'fileHash': '(?<sha256>\w+)'}.*?\{.*?\}\}[,\}]\s?)

Below, I've placed some test data you can use on regex101 to verify the expression above. It captures both fields on the site, but just not in Splunk, and I can't tell why. Perhaps I've misunderstood how grouping works in regex.

orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc, {'NotSecrets!!.txt': 'fileHash': 'a3b9adaee5b83973e8789edd7b04b95f25412c764c8ff29d0c63abf25b772646'}, {}}, 'Secrets!!.txt': 'fileHash': 'c092a4db704b9c6f61d6a221b8f0ea5f719e7f674f66fede01a522563687d24b'}, {}}} orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc,
It's best to use a local splunk user for this even if all other users are SAML or SSO users. The user needs to have a role (unless you can use only predefined reports which are run as owner), and if/when a user has a role in splunk he/she can always log in. So @richgalloway's solution solves this issue.
Or you can do it on the CLI also: https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/LicenserCLIcommands There is other license stuff behind the above link too.
The license file only needs to be installed on the License Manager (your SHCD). Sign in to the Deployer and go to Settings->Licensing. Then click the Add License button and follow the prompts to upload or copy-paste the license file. That's it. Once the new license is installed, you'll see it on the License page.
I think that as those are usually ingested directly on Windows nodes via the correct input method, this is not a normal use case. Those who need to investigate those files later usually already know how this can be done.
Create an authentication token for the API user and give them only that. Without a password (which must be defined, but doesn't have to be disclosed), the user cannot log in to the UI.
Hi there, I am confused about the configuration steps for getting data in from Salesforce. When adding a Salesforce account, I want to use OAuth, but I am only a Splunk Admin; the configured technical user to be used is managed by our Salesforce Admin. My understanding is that one of us needs to have admin capabilities on both instances to make it work?

What we tried: configuration of the user on the Salesforce side from another account, which is a Salesforce admin. Configuration of the add-on on the Splunk side with my admin account. The redirect link has been added to Salesforce. I tried to set up the add-on on Splunk as explained in the documentation of the add-on for Salesforce, but an error occurs after trying to connect them. Another hindrance is the use of LDAP.

To make it work, I would need to give the Salesforce admin Splunk admin capabilities, or the other way around, I would need to get Salesforce admin rights. But that is something we do not want, as the capabilities should remain as they are: Splunk for Splunk, Salesforce for Salesforce. Is there any other way to make it work with the use of a technical user? Or is it just not possible with OAuth?

Best regards
Hi, I am currently working on an Adaptive Response that notifies us whenever there is a Notable in our queue of a certain urgency. The notification must include the rule title and its configured urgency. I've been trying to solve this with the Add-On Builder but so far only managed to pull the rule title via helper.settings.get("search_name"). I tried to get the urgency with get_events(), but that only seems to contain the details of the correlation search. Does anyone have a pointer to what I'm missing?
When exporting a PDF from the Splunk dashboard, I'm experiencing an issue where the graph appears to be truncated. Specifically, the PDF omits today's data from the graph, despite it being displayed correctly on the Splunk portal.
I have the below configurations in my transforms and props config files to change the source name of my events from udp:9514 to auditd. But it doesn't seem to be working.

Transforms.conf

[change_source_to_auditd]
SOURCE_KEY=MetaData:Source
REGEX= .
DEST_KEY=MetaData:Source
FORMAT=source::auditd

Props.conf

[source::udp:9514]
TRANSFORMS-change_source=change_source_to_auditd

Below are the sample logs:

Jan 23 19:06:00 172.28.100.238 Jan 23 08:05:18 LIDFP3NTF001.li.local audispd: type=EOE msg=audit(1737619518.941:2165876):
Jan 23 19:06:00 172.28.100.238 Jan 23 08:05:18 LIDFP3NTF001.li.local audispd: type=PROCTITLE msg=audit(1737619518.941:2165876): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
Jan 23 19:06:00 172.28.100.238 Jan 23 08:05:18 LIDFP3NTF001.li.local audispd: type=SOCKADDR msg=audit(1737619518.941:2165876): saddr=020019727F0000010000000000000000 SADDR={ saddr_fam=inet laddr=127.0.0.1 lport=6514 }
Jan 23 19:06:00 172.28.100.238 Jan 23 08:05:18 LIDFP3NTF001.li.local audispd: type=SYSCALL msg=audit(1737619518.941:2165876): arch=c000003e syscall=42 success=yes exit=0 a0=f a1=7fedf8006c20 a2=10 a3=0 items=0 ppid=1 pid=4564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=72733A6D61696E20513A526567 exe="/usr/sbin/rsyslogd" key="network_connect_4" ARCH=x86_64 SYSCALL=connect AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=CRED_DISP msg=audit(1737619560.680:2114873): pid=3709107 uid=985 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="telegraf" AUID="unset"
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=CRED_REFR msg=audit(1737619560.577:2114872): pid=3709107 uid=985 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="telegraf" AUID="unset"
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=USER_ACCT msg=audit(1737619560.577:2114871): pid=3709107 uid=985 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="telegraf" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="telegraf" AUID="unset"
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=EOE msg=audit(1737619560.577:2114870):
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=PROCTITLE msg=audit(1737619560.577:2114870): proctitle=7375646F002F7573722F7362696E2F706D63002D75002D620031004745542054494D455F5354415455535F4E50
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=PATH msg=audit(1737619560.577:2114870): item=0 name="/etc/shadow" inode=132150 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=SYSCALL msg=audit(1737619560.577:2114870): arch=c000003e syscall=257 success=yes exit=9 a0=ffffff9c a1=7fc1d61bbe1a a2=80000 a3=0 items=1 ppid=3709106 pid=3709107 auid=4294967295 uid=985 gid=985 euid=0 suid=0 fsuid=0 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key="etcpasswd" ARCH=x86_64 SYSCALL=openat AUID="unset" UID="telegraf" GID="telegraf" EUID="root" SUID="root" FSUID="root" EGID="telegraf" SGID="telegraf" FSGID="telegraf"
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=EOE msg=audit(1737619560.570:2114869):
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=PROCTITLE msg=audit(1737619560.570:2114869): proctitle=7375646F002F7573722F7362696E2F706D63002D75002D620031004745542054494D455F5354415455535F4E50
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=PATH msg=audit(1737619560.570:2114869): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=397184 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=PATH msg=audit(1737619560.570:2114869): item=0 name="/usr/bin/sudo" inode=436693 dev=fd:00 mode=0104111 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=EXECVE msg=audit(1737619560.570:2114869): argc=6 a0="sudo" a1="/usr/sbin/pmc" a2="-u" a3="-b" a4="1" a5=4745542054494D455F5354415455535F4E50
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=BPRM_FCAPS msg=audit(1737619560.570:2114869): fver=0 fp=0 fi=0 fe=0 old_pp=00000000000000c2 old_pi=00000000000000c2 old_pe=00000000000000c2 old_pa=00000000000000c2 pp=00000000200000c2 pi=00000000000000c2 pe=00000000200000c2 pa=0 frootid=0
Jan 23 19:06:00 172.28.100.238 Jan 23 08:06:00 LIDFP3NTF002.li.local audispd: type=SYSCALL msg=audit(1737619560.570:2114869): arch=c000003e syscall=59 success=yes exit=0 a0=7fe718b344a0 a1=7fe7186addb0 a2=7ffcc797d010 a3=3 items=2 ppid=3709106 pid=3709107 auid=4294967295 uid=985 gid=985 euid=0 suid=0 fsuid=0 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key="priv_esc" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="telegraf" GID="telegraf" EUID="root" SUID="root" FSUID="root" EGID="telegraf" SGID="telegraf" FSGID="telegraf"
I've tried to test this, but it did not work for me. The whole search was blocked and did not return any data. No need to dig in further here, as I had to turn the whole dashboard upside down anyway to solve performance issues. This turning upside down has also solved the issue discussed here.
I know this is an old post, but I also had this issue because the app creation in Splunk on-prem 9.2.1 puts the icon in the wrong place. I opened up the browser inspector, turned off the cache, and watched for the png requests. From there I saw it was trying to get appname/static/appIconAlt_2x.png. I made the png at that location and I can see the preview now. Happy Splunking!
Hi, I am in need of creating a user account that has no access at all to the dashboards. The only purpose of the account is to run scheduled searches through a REST API. Does anyone know if it's possible to create such an account?
Hello @everyone, we have onboarded logs using the add-on "Splunk Add-on for Microsoft SQL Server". We have logs available for multiple source types. For one KPI created by me, named "SQL Query Last Elapsed Time", we have multiple SQL queries\Stored procedures showing in the entities list. Here we want to set a threshold for each entity (SQL Query\Stored procedure). I did try myself but did not find a solution yet. Please help on this. Thanks a lot!
Thanks for the observation. The problem is that, even if I comment out the highlighted row, the click event of the submit button works only the first time I click; the following times it doesn't even print "CLICKED". I'm more interested in solving that issue, because I don't understand why it is working like that.
Currently we have Splunk Enterprise 9.1.4 with 1 deployment server, 1 deployer (SH cluster), 2 cluster managers, 6 indexers (2 in each site), and 3 SHs (1 in each site), basically a 3-site cluster. The SHCD (Deployer) acts as license master for us. Please help me with how to renew the license from the file which I will receive from my management. Do we need to push it to all other nodes, or is it already configured? Where do I check whether it is configured or not? How do I check whether the renewal was successful or not?
Again, your words don't quite match your expected output; however, does this work for you?

| makeresults format=csv data="raw 00012243asdsfgh - No recommendations from System A. Message - ERROR: System A | No Matching Recommendations 001b135c-5348-4arf-b3vbv344v - Validation Exception reason - Empty/Invalid Page_Placement Value ::: Input received - Channel1; ::: Other details - 001sss-445-4f45-b3ad-gsdfg34 - Incorrect page and placement found: Channel1; 00assew-34df-34de-d34k-sf34546d :: Invalid requestTimestamp : 2025-01-21T21:36:21.224Z 01hg34hgh44hghg4 - Exception while calling System A - null Exception message - CSR-a4cd725c-3d73-426c-b254-5e4f4adc4b26 - Generating exception because of multiple stage failure - abc_ELIGIBILITY 0013c5fb1737577541466 - Exception message - 0013c5fb1737577541466 - Generating exception because of multiple stage failure - abc_ELIGIBILITY b187c4411737535464656 - Exception message - b187c4411737535464656 - Exception in abc module. Creating error response - b187c4411737535464656 - Response creation couldn't happen for all the placements. Creating error response."
| rex field=raw max_match=0 "(\b)(?<words>[A-Za-z'_]+)(\b|$)"
| eval words = mvjoin(words, " ")
Hello, I am working with Splunk Security Essentials, and in the Analytics Advisor there is a MITRE ATT&CK Framework dashboard which is not being populated, as can be seen in the screenshot, despite finishing the Data Inventory Introspection, and in other places I can see the data exists. Data models are also populated, but most are not accelerated except for the Authentication data model. This is a production environment and definitely has data. There should be some "Available" content there.