All Posts

marnall! Thank you for your support in resolving this issue!
Inherited Splunk deployment. Looks like authentication was set up with proxysso. I am unfamiliar with this and we are planning on migrating the proxysso authentication to SAML. In the past, I have used the web UI for authentication methods like LDAP. ProxySSO seems to be a backend conf file? I am not sure how to proceed: will there be a conflict if I just add the SAML authentication method, and will it simply override the ProxySSO configuration? Or does the ProxySSO conf need to be removed first and then SAML configured? If that is the case, what are the methods to remove it? Thank you
Thank you @kiran_panchavat, your solution works great.
@dwangfeng Apply this in props.conf:

[<sourcetype>]
SEDCMD-splunktestdata = s/(?i)(<password>)[^<]+(<\/password>)/\1xxxxxxxxxxxx\2/g
Hello, First, I am aware that there are multiple posts regarding my question, but I can't seem to use them in my scenario. Please see an example below. There are two fields, location and name. I need to filter out names that contain "2" and stats count name based on location. I came up with this search, but the problem is it did not include location A (because the count is zero). Please suggest. I appreciate your help. Thanks

| makeresults format=csv data="location, name
location A, name A2
location B, name B1
location B, name B2
location C, name C1
location C, name C2
location C, name C3"
| search name != "*2*"
| stats count by location

Data:

location   | name
location A | name A2
location B | name B1
location B | name B2
location C | name C1
location C | name C2
location C | name C3

Expected output:

location   | count(name)
location A | 0
location B | 1
location C | 2
@navan1 You should include a space before AS. Please refer to this query as an example.

index=test earliest=-365d latest=now
| eval Month=strftime(_time, "%Y-%m")
| stats dc(eval(action="success")) AS Success_Users dc(eval(action="failure")) AS Failure_Users BY Month
| sort Month

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
Hello Kiran, I am getting the below error:
@dwangfeng

index="yourindex" sourcetype="yoursourcetype"
| rex mode=sed "s/<password>[^<]+<\/password>/<password>xxxxxxxxxxxx<\/password>/g"

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
@dwangfeng Can you try this? I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
@navan1 If you want to check from the past one year, you can try this. I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
Hello Kiran, here the action has two fields, success and failure. I need to list success and failure users by month for the past one year.
@navan1 Try like this. I don't have action=success and action=failure events, so I just gave random ones. Please modify the query as per your requirement. I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.
@shenoyveer You can use trellis, split by host. I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.
@shenoyveer Can you check this? The x-axis will be the first column/field in the results, so put the date as the first field after the by.
Is there any alternative to timechart? I want to have a particular date on the x-axis.
Hello Team, how do I search a specific app's user successful and failure events by month for Jan to Dec? Base search:

index=my_index app=a
| table app action user
| eval Month=strftime(_time,"%m")
| stats count by user Month

I am not getting any result with the above search.
@shenoyveer If you take out the eval from the query, you must also remove the date field from it.

index="vm-details" | timechart count by host
Recently our Splunk security alert integration stopped working last month (December), where we'd send an alert automatically from Splunk Cloud to our onmicrosoft.com@amer.teams.ms e-mail. Is support for this being deprecated on the Microsoft side? Or is this a whitelisting issue? Has anyone else experienced a similar problem?
Thank you @ITWhisperer. In my layman's terms: use eventstats to find max(triggeredEventNumber) BY userName. Next use where to select only that max(triggeredEventNumber) for the results. Then I used stats values(field) to extract the values for the fields I am interested in.
Tried with another query too:

index="testing" | eval date=strftime(_time, "%Y-%m-%d") | stats count by date, host

but still it's not showing the hostname in the dashboard.