All Posts


It looks that way - what configurations are you using?
Just a note on your use of dedup: you will only end up with a single event from ONE of the indexes (whichever is found first), which is one of the reasons why your search is not working as expected. You COULD use | dedup index src_ip dest_ip which would leave you one event from EACH index; however, as @yuanliu has said, fields + stats + rename is generally the optimal way to do the grouping. However, consider what exactly you want to see in the other fields: using dedup would only give you ONE value from the event that remains after the dedup, but the stats values(*) as * would give you all values from all events for each src_ip grouping. Avoid join - it's not the Splunk way to do things, has significant limitations and will silently discard data, leading to variable results. stats is always the way to join data sets.
Thanks for your support and help. I worked more with my search, and I found a way to craft the search with some additional limiting material to extract what I want. The next step was to join the material with the results from this subsearch, and even that was successful, so right now it looks like I have been able to solve the problems I had. In any case, the core of my original problem was related to using localize and map in a saved search, and that has now been resolved. In addition I managed to improve my search, so I think we can both be happy about it.
When using OR, you cannot dedup src_ip dest_ip immediately after search. That should be performed after stats, like what you do with join. Using the same structure @gcusello proposed, you can do

    (index=*corelight* sourcetype=*corelight* server_name=*microsoft.com*) OR (index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100)
    | fields src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name
    | stats values(*) AS * BY dest_ip
    | dedup src_ip, dest_ip ``` most likely this is unnecessary after stats ```
    | rename src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC"
Just use this in the drilldown

    <eval token="form.Tail">if($click.name2$=$form.Tail$, "*", $click.name2$)</eval>

So, if the clicked value is the same as the current form value, then it sets the form value to * (which in my example is the value for the All dropdown option); otherwise it sets the form value to the clicked legend. Full working example below:

    <form version="1.1" theme="light">
      <label>Tail</label>
      <fieldset submitButton="false">
        <input type="dropdown" token="Tail" searchWhenChanged="true">
          <label>Tail</label>
          <choice value="*">All</choice>
          <choice value="1">1</choice>
          <choice value="2">2</choice>
          <choice value="3">3</choice>
          <default>*</default>
        </input>
      </fieldset>
      <row>
        <panel>
          <chart>
            <search>
              <query>| makeresults count=60 | eval Tail=random() % 3 | streamstats c | eval r=random() % 100 | eval source=random() % 10 | search Tail=$Tail$ | chart count over source by Tail</query>
              <earliest>-30m@m</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="charting.chart">column</option>
            <option name="charting.chart.stackMode">stacked</option>
            <option name="charting.drilldown">all</option>
            <option name="refresh.display">progressbar</option>
            <drilldown>
              <eval token="form.Tail">if($click.name2$=$form.Tail$, "*", $click.name2$)</eval>
            </drilldown>
          </chart>
        </panel>
      </row>
    </form>
Hi @dmngaya, first, as @yuanliu said, please also share samples in text format (using the Insert/Edit Code Sample button). Then don't use the search command after the main search because your search will be slower: if possible, put all the search terms in the main search. Then, in your search I don't see the login failed condition (e.g. EventCode=4625 in Windows) and you need it in the main search. Then, I suppose that you need to check the condition for each host in your infrastructure and each account. Anyway, you have to use the stats command to aggregate results and the where command to filter them, something like this (for the login failed condition I use the one from Windows, replace it with your condition):

    index=nprod_database sourcetype=tigergraph:app:auditlog:8542 host=VCAUSC11EUAT* userAgent OR "actionName":"login" "timestamp":"2025-01-07T*" EventCode=4625
    | stats count BY user host
    | where count>3

Adapt it to your real case. Ciao. Giuseppe
Hi @sdcig, I simplified the search; in the stats command replace the values(*) As * with the five fields you want:

    (index=*corelight* sourcetype=*corelight* server_name=*microsoft.com*) OR (index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100)
    | dedup src_ip, dest_ip
    | fields src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name
    | stats values(src_zone) AS From values(src_ip) AS Source, values(dest_zone) AS To values(server_name) AS SNI values(transport) AS Protocol values(dest_port) AS Port values(app) AS Application values(rule) AS Rule values(action) AS Action values(session_end_reason) AS "End Reason" values(packets_out) AS "Packets Out" values(packets_in) AS "Packets In" values(src_translated_ip) AS "Egress IP" values(dvc_name) AS DC values(src_zone) AS src_zone BY dest_ip
    | rename dest_ip AS Destination

If there are fields with different names between the two indexes, use eval coalesce to have the same field name. Ciao. Giuseppe
Please do not use a screenshot to show text data. Use a text box. Show example(s) of a complete event, anonymized as needed. If the complete event is too long with lots of repetitive structures, show one complete structure. "events like Authentication failed , such as exceeding X number of failed logins over Y time." Is this condition per user or in total? What counts as 1? One event? Each entry in an event? Each user failure in an event?
"In the end the problem I have is that the eventID is far from unique for reasonable search windows"

Yes, you mentioned this earlier and I forgot. So, it sounds like starttimeu and endtimeu are not preexisting fields that you can search on, but they signal a desire to limit each subsearch's search window. Is this correct? (In the other thread, the purpose was also to limit the search window, using simply earliest and latest.) If earliest and latest is what you want, you can do this and it should work the same way as your original search:

    search index=ix1
      [search index=ix2 eventStatus="Successful" | return 1000 eventID ]
      [search index=ix2 eventStatus="Successful" | localize timeafter=0m timebefore=1m | fields starttime endtime | rename starttime as earliest, endtime as latest | format]
    | stats values(client) values(port) values(target) by eventID
No. Your understanding is wrong. At each step of the search pipeline Splunk only has the data from the previous step in the pipe. So when you filter your data with | search, it only retains the results matched by your command. The data from before that command is no longer there, so stats cannot use it to group by. So how should it know what the possible values are? Splunk cannot find what is not there, so it cannot generate a zero result for a potential non-existing by-field value because it doesn't know what value that would be. The only case when stats does return a zero value is when you do an overall stats count and you have no results at all.
Hello @bishida, Thank you for taking the time to look into it and for all your help and support. It's truly appreciated.
Hi, My understanding is the data is there somewhere, Splunk decided to not display 0 when using stats count. Thanks
And how is Splunk supposed to know that there should be something there if there isn't? You have to tell it somehow. If you know that there is always something with the 2 at the end and it is to be the base of your count, that's a completely different use case and can be done by some grouping and filtering.
Hi all, I have this use case below: Need to create a Splunk alert for this scenario: Detections will be created from Splunk logs for specific events like Authentication failed, such as exceeding X number of failed logins over Y time. Below is the Splunk search I am using:

    index=nprod_database sourcetype=tigergraph:app:auditlog:8542 host=VCAUSC11EUAT*
    | search userAgent OR "actionName":"login" "timestamp":"2025-01-07T*"
    | sort -_time

I am not able to write the correct search query to find Authentication failed exceeding, for example, 3 times. Attached screenshot. Thanks for your help. Dieudonne.
OK. The important thing here is _why_ you're not getting results, so this is a learning experience. Let's dig into your search (which is actually pretty close to being OK for the task).

    index=my_index app=a

That's apparently your initial search, nothing to see here. Move along.

    | table app action user

Now you're making a table containing just the fields app, action and user. This is a wrong approach. On two levels. One - this is a table command, which might not make much difference in a small-scale scenario, especially when everything is done on a single server, but, very importantly, table is a transforming command, which means that in a bigger environment, with several indexers and a separate search head, your search would at this point be moved from the indexer tier (where the same operation can be run in parallel by each indexer on its own part of the data) to the search head. So avoid using the table command early on in your pipeline. If you want to limit processed fields, use the fields command. And remember that when using fast search mode only the fields used in the search are extracted and displayed, so this intermediate limiting of processed fields might be useful in more complicated searches, but in this case (and we'll go back to this shortly), it doesn't make much sense. Two - and that will be important soon - after this command you are left with just those three explicitly requested fields. While the fields command by default drags along the internal fields unless you explicitly exclude them (most importantly _time and _raw), the table command only returns the explicitly specified fields.

    |eval Month=strftime(_time,"%m")

The overall idea is sound - you want to get a field called Month containing a string representation of your month. The problem is that in a previous step you removed the _time field from your data. So you don't have the timestamp anymore and you have nothing to render into this month string.

BTW, whenever manipulating timestamps in the middle of a search, I prefer to use fieldformat instead of eval so that you still have your original timestamps and can do arithmetic on them without needing to parse them again, or can sort them, but that's a story for another time.

    |stats count by user Month

And that would be a good thing, but in the previous step you didn't get any values for Month. So Splunk cannot group by Month because there is no Month. So you're not getting any values at all. Since you're doing the counting quite early, you could have simply omitted the table command earlier, since the stats will be limited to the count value and the "by-fields" only. And you're missing the action part - you want the actions separately, right? So you can't aggregate them for a single user. You must add the action field to the by fields. So your search could finally look like this:

    index=my_index app=a |eval Month=strftime(_time,"%m") |stats count by user action Month
Hello, We are Splunk Cloud subscribers. We want to utilize the NetApp for Splunk Add-On. We've two on-site Deployment servers, one Windows, one Linux, and an on-site Heavy Forwarder. My interpretation of the instructions is that we install the NetApp Add-Ons (ONTAP Indexes & Extractions) within the cloud hosted search head. The Cloud instructions leave me with the impression that we may need to utilize the heavy forwarder as a data collection node for the NetApp Add-Ons as well. There we would manually install the app components within the splunk home /etc/apps directory. Looking within the deployment server and the heavy forwarder, both splunk home directories installed have directory permissions set to 700. We're hoping this method of installation does not apply to us then and the cloud installation process automated much of this and obviated the need to manually configure the heavy forwarder. Upon completing these Add-On installations via the cloud hosted search head, are there any additional steps or actions we will need to take to complete the installation aside from the NetApp Appliance configurations? Thank you, Terry
Hello, Is there any other way to do this? The data is dynamic. If I am doing this way, I have to have another process to dump a CSV file. Thanks
Typically you don't have logs from the client's side. It's a way, way more common use case to have webserver or proxy server logs. And yes, part of normalizing your data to make it CIM-compliant is making sure the fields are properly mapped or calculated if they're not there in the original data. You can help yourself on this task at least partially with Add-On Builder.
IMO, "correct" SPL is whatever produces the desired results. Some guidelines:
- filter events as early as possible
- use non-streaming commands as late as possible
- use fields instead of table until the end
- avoid expensive commands like join, transaction, and append
- avoid leading wildcards in the search command
I'm sure others will have more guidelines.
If this is email-related (didn't know that there is a way to send to Teams using email), I'd search _internal for anything related to sendemail.py and the destination address. I don't remember though if this data is available on Cloud. If it is not, it's probably something you'd need to go over with support.