Yes. If you're using UF, it's gonna be UF. You need to set this for either the [default] stanza or a specific input (and remember, default settings are not inherited by Windows event log inputs). But that will take care of creating the metadata field. Your search head tier must be aware of this field; you need to make an entry in fields.conf:

[Your_field]
INDEXED=true
INDEXED_VALUE=false
Hi @michael_vi, can you please describe your desired output more clearly? If you mean filtering only the bold ones, it conflicts with the definition. Do you want to see 3,4,0,8,0,5 etc. or 3,0,8,0,5,0,8 etc.?
Hello everyone, I have found posts over the last 10 years with a specific error/bug(?). The src and dest IP addresses are swapped for the Cisco ASA event with ID 302013. If you look in the app, it even points out that these two fields are knowingly swapped. However, for the following Teardown event of the same connection, the IPs are not swapped. I am trying to figure out why this is the case. Since postings about this topic have been around for 10 years now and the app says: "# direction is outbound - source and destination fields are swapped" ... it can't be an error. But I can't explain it. Can anyone comment on this?

Example:

<166>Dec 23 2024 10:36:04: %ASA-6-302013: Built outbound TCP connection 224811914 for dmz-sample-uidoc_172.27.252.0/27_604:172.27.252.1/8200 (172.27.252.1/8200) to fwr_sample_172.20.25.0/26:172.27.13.131/62388 (172.27.13.131/62388)
Result: src=172.27.13.131 || dest=172.27.252.1

<166>Dec 23 2024 10:36:04: %ASA-6-302014: Teardown TCP connection 224811914 for dmz-sample-uidoc_172.27.252.0/27_604:172.27.252.1/8200 to fwr_sample_172.20.25.0/26:172.27.13.131/62388 duration 0:00:00 bytes 0 TCP FINs from fwr_sample_172.20.25.0/26
Result: src=172.27.252.1 || dest=172.27.13.131

Thanks and best regards
Jan
As per the above table, considering Time as _time and # of events as count, please try the query below:

| search count=0
| stats first(count) as count by _time

Let me know if this is what you're aiming to achieve.
@PickleRick Wanted to inform you that those errors are gone once I upgraded the TA to the latest version.
Hi @fl66, if you installed from Splunkbase, the only way is to modify configurations by GUI. In other words: go to [Settings > Indexes] and add a new custom index, then go to [Settings > Inputs], search for the inputs of your app and manually (by GUI) modify the index. Ciao. Giuseppe
Thank you for such a detailed explanation. But let me ask a little bit more... Did I correctly understand that under "source forwarder" you meant UF? I am asking because I tried to set meta = testfield::test_value in two different places, in the inputs.conf of the SplunkUniversalForwarder app and in the system inputs.conf, and I couldn't find this new field during the search.
Hi Stephen, what would be your reason for wanting to capture the thread name? Are you referring to having the Business Transactions named after the threads instead of the URLs? Or do you just want to extract the thread name as part of the business transaction under data collectors?
Something like this:

| makeresults
| eval host="sender"
| eval raw = mvappend("2024-12-18 17:02:50 , file_name=XYZ.csv, file copy success", "2024-12-18 17:02:58, file_name=ABC.zip, file copy success", "2024-12-18 17:03:38, file_name=123.docx, file copy success", "2024-12-18 18:06:19, file_name=143.docx, file copy success")
| append [
    | makeresults
    | eval host="receiver"
    | eval raw = "2024-12-18 17:30:10 <FileTransfer status=success> <FileName>XYZ.csv</FileName> <FileName>ABC.zip</FileName> <FileName>123.docx</FileName> </FileTransfer>"
  ]
| mvexpand raw
| rename raw AS _raw
| rex "^(?<_time>\S+\s+\S+)"
| eval _time = strptime(_time, "%Y-%m-%d %H:%M:%S")
| rex max_match=0 "(?ms)(\<FileName\>|file_name=)(?<FileName>.*?)(\<|,)"
| rex "(<FileTransfer status=\"?|file copy )(?<status>[^\"\>]+)"
| stats list(status) AS status_list list(host) AS host_list dc(host) AS hosts values(status) AS status BY FileName
| where hosts==1 OR status="fail*"
Like this:

| tstats count max(_time) AS _time WHERE index IN("_*", "*") BY index
| eval which = coalesce(which, "data")
| append [
    | rest splunk_server=local /services/data/indexes
    | dedup title
    | table title
    | rename title AS index
    | eval which = coalesce(which, "defined")
  ]
| stats dc(which) AS which_count values(which) AS which first(count) AS count first(_time) AS _time BY index
| search which_count=1
There is an app for this, too: https://splunkbase.splunk.com/app/635
I am sure this is documented somewhere, but it catches everybody the first time. It is not enough to just create the index on the indexers; you must also instantiate a dummy index on the Search Head(s), too! If you do not, "collect" (whether explicitly in the SPL or as an alert action) will not work AND will not generate any kind of error.
We are currently trying to integrate Zoom logs using Splunk Connect for Zoom. We have a Load Balancer (LB) in front of a Heavy Forwarder (HF) in our configuration, but the URL validation is failing when configuring the Zoom App webhook. I could not find any reference to load balancer (LB) configuration in the documentation. Therefore, we would like to confirm whether Splunk Connect for Zoom supports configuration via an LB. If so, please let us know if there are any additional settings required for the LB or HF.
Hey, OP!  This is the correct answer!
Hey, OP!  This is the correct answer.
Like this:

| makeresults
| eval URL = mvappend("https://answers.splunk.com/answers/ask.html?foo=bar", "https://answers.splunk.com/answers/ask.html", "http://docs.splunk.com/Documentation")
| rex field=URL mode=sed "s/\?.*$//"

Also, there is an app that does this kind of thing: https://splunkbase.splunk.com/app/2734
Hello, I am getting an error message "Sorry (170037) This folder is no longer available" when trying to register for now 3 courses, including Search Under the Hood, Data Models and Introduction to Enterprise Security. What is going on?
Hello, while trying to deploy ES using the Deployer GUI, I want to enable SSL. However, I faced the below:
I created Splunk macros for regular expressions for URIs or URLs. Definitions and usages are in the article below. https://qiita.com/Joh256/private/659ef65897905890ef99 I also put them in the add-on below. https://splunkbase.splunk.com/app/6595