All Posts
Could you please try:

transforms.conf
[add_hostname]
REGEX=.*
FORMAT=host::$1 $0
SOURCE_KEY=MetaData:Host
DEST_KEY=_raw
There are some limitations on which functions you can use with the analytics metrics: only aggregation queries are supported (min, max, avg, etc.). Try this; the max value essentially does nothing and does not change the value, but it allows the metric to be saved because you use an aggregation function:

SELECT max(toInt((toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)))) FROM intune_dep WHERE tokenName = "Wipro-EY-Intune" AND (toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)) >= 30

Let me know if this works.
The REST API also gives you back globally shared searches. You could try:
1. filter out all searches with name="sharing">global<
2. filter for name="app">MYAPP<
3. use a different user to call the API
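The filtering suggested above, as an added Python example (not part of the original answer): it parses a constructed Atom feed in the layout the saved/searches endpoint returns and keeps only entries whose eai:acl says app=MYAPP, optionally dropping the globally shared ones, instead of grepping on name="app" alone.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# One saved-search entry in the Atom layout Splunk returns; only the eai:acl
# keys needed for the filter are kept. Constructed sample, not real SHC output.
ENTRY = ('<entry><title>{title}</title><content type="text/xml"><s:dict>'
         '<s:key name="eai:acl"><s:dict><s:key name="app">{app}</s:key>'
         '<s:key name="owner">{owner}</s:key><s:key name="sharing">{sharing}</s:key>'
         '</s:dict></s:key></s:dict></content></entry>')

SAMPLE_ROWS = [  # (title, app, owner, sharing) -- constructed values
    ("MYAPP alert", "MYAPP", "admin", "app"),
    ("MYAPP private", "MYAPP", "admin", "user"),
    ("MYAPP global export", "MYAPP", "admin", "global"),
    ("Errors last 24h", "search", "admin", "global"),
    ("Backup check", "MYAPP_backup", "nobody", "global"),
]
SAMPLE_FEED = (
    '<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">'
    + "".join(ENTRY.format(title=t, app=a, owner=o, sharing=s) for t, a, o, s in SAMPLE_ROWS)
    + "</feed>"
)

def acl_of(entry):
    """Return the eai:acl keys (app, owner, sharing) of one <entry> as a dict."""
    path = "atom:content/s:dict/s:key[@name='eai:acl']/s:dict/s:key"
    return {k.get("name"): (k.text or "").strip() for k in entry.findall(path, NS)}

def searches_owned_by_app(feed_xml, app, drop_global=True):
    """Keep entries whose ACL app matches; drop globally shared ones by default.
    The servicesNS/<user>/<app> listing also contains objects shared globally
    from other apps (see the answer above), so each entry's ACL is checked."""
    root = ET.fromstring(feed_xml)
    kept = []
    for entry in root.findall("atom:entry", NS):
        acl = acl_of(entry)
        if acl.get("app") != app:
            continue
        if drop_global and acl.get("sharing") == "global":
            continue
        kept.append((entry.findtext("atom:title", default="", namespaces=NS),
                     acl.get("owner"), acl.get("sharing")))
    return kept

if __name__ == "__main__":
    for row in searches_owned_by_app(SAMPLE_FEED, "MYAPP"):
        print(row)
```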
Hey Everyone, I got information that Wazuh can send data to Splunk; I want to reverse it, because I want to send data from Splunk to Wazuh. In my case I have a TI that has an API that can send data to Splunk, and then I want to forward it to Wazuh. Maybe by using a third party like Logstash / Elastic / etc.? Does anyone know about it? Because I have never read about it before. Thanks
@PaulPanther Just a side experiment, and wondering if it's possible.
Hi @M2024X_Ray, for the moment only Splunk Support can give you an official answer. Ciao. Giuseppe
Check out:
Install on Linux - Splunk Documentation
Start Splunk Enterprise for the first time - Splunk Documentation
Configure Splunk Enterprise to start at boot time - Splunk Documentation
Hello, from which Splunk Universal Forwarder version on is Windows Server 2025 supported? Best regards and thanks for your cooperation. M2024X_Ray
Having installed Splunk to this point, what do I have to do next to get it running?
Hello. I'm having trouble listing all my SavedSearches from a SHC, using a command line REST API GET. I'm asking Splunk to list all savedsearches of user "admin" in the "MYAPP" app. For some strange reason I can't locate, the list also gets some other apps. Here we are:

curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep 'name="app"' | sort -u

... and here is what came from it:

<s:key name="app">MYAPP</s:key>
<s:key name="app">MYAPP_backup</s:key>
<s:key name="app">ANOTHER_APP</s:key>
<s:key name="app">search</s:key>

I expect only "<s:key name="app">MYAPP</s:key>" entries, or not? What's wrong??? Linux OS, Splunk Enterprise 8.2.12, SHC with 3 nodes (all nodes respond with the same output). Thanks.
Hi @masakazu, I don't live in the US so I never installed Splunk in FIPS mode, but reading the related documentation ( https://docs.splunk.com/Documentation/Splunk/9.3.2/Security/SecuringSplunkEnterprisewithFIPs ), I don't see any known issue on ES or KV-Store. Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors. Ciao. Giuseppe
Hi @Thomas2, confirming what @bowesmana pointed out. Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the Contributors
Hi @Amira, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
I think it is because commands like dir, ls, cd are internal commands, but commands like ping, ipconfig are external commands and they are also executable files (ping.exe, tracert.exe); the internal ones don't create any process. So I think we can't get internal command logs. If there is any way, please let me know.
@winter4 wrote:
> thanks @PaulPanther I am trying to add the UF host name to the raw event, so trying to manipulate the raw event to have something like "HOSTNAME — _raw_events". I am trying to configure this on the heavy forwarder and not trying to go into each UF to make configuration changes.

Why would you do this? What is your use case at the end? If you do it like this you have to touch every individual event.
Thanks @PaulPanther. I am trying to add the UF host name to the raw event, so trying to manipulate the raw event to have something like "HOSTNAME — _raw_events". I am trying to configure this on the heavy forwarder and not trying to go into each UF to make configuration changes.
Try to set sendCookedData=false for the second HF output in your outputs.conf and then apply your props.conf on your second HF.
Where exactly do you want to add the hostname of the UF? To the log event itself, or do you want to override the host metadata field? Maybe the following links could be helpful for you:
Set host values based on event data - Splunk Documentation
Set a default host for a file or directory input - Splunk Documentation
Feel free to share your configuration to double check it.
Congratulations for heeding @PickleRick's advice and reposting your search in text. Now, let me try to understand this use case. You are trying to use a lookup file to generate SPL code for some other purpose. For that generated code, you wish to use multisearch. But that multisearch has nothing to do with the question itself. Is this accurate? Then, you want to use the returned values from inputlookup as regex to match an indexed field named Web.url in a tstats command. Is this correct?

Documentation on tstats will tell you that the where clause of this command can only accept filters applicable in the search command; in fact, only a fraction of these filters. In other words, you cannot use those regex directly in the tstats command. This is not to say that your search goal cannot be achieved. You just need to restructure the subsearches so you can use the where command instead of the where clause in tstats.

But let me first point out that your text illustration of the search not only does not match your screenshot, but is also wrong because url_regex is no longer used in the field filter, therefore no longer used in the formulation of the search field. You cannot possibly get the output your screenshot shows. There is another "transcription" error in the last eval command as well because the syntax is incorrect. Correcting for those errors and simplifying the commands, here is something you can adapt:

| inputlookup my_lookup_file where Justification="Lookup Instructions"
| eval search = "[| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype=\"mysourcetype\" by Web.url Web.user | where match(Web.url, \"" . url_regex . "\")]"
| stats values(search) as search
| eval search = "| multisearch " . mvjoin(search, " ")

Suppose your my_lookup_file contains the following entries (ignoring the description field as it is not being used; also ignore fillnull because "*" is not a useful regex to match any URL):

url_regex
regex
[re]gex
^regex
regex$

The above search will give you:

search
| multisearch [| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype="mysourcetype" by Web.url Web.user | where match(Web.url, "[re]gex")] [| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype="mysourcetype" by Web.url Web.user | where match(Web.url, "^regex")] [| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype="mysourcetype" by Web.url Web.user | where match(Web.url, "regex")] [| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype="mysourcetype" by Web.url Web.user | where match(Web.url, "regex$")]

Is this what you are looking for? Here is a full emulation to get the above input and output:

| makeresults format=csv data="url_regex
regex
[re]gex
^regex
regex$"
``` the above emulates | inputlookup my_lookup_file where Justification="Lookup Instructions" ```
| eval search = "[| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype=\"mysourcetype\" by Web.url Web.user | where match(Web.url, \"" . url_regex . "\")]"
| stats values(search) as search
| eval search = "| multisearch " . mvjoin(search, " ")

Play with it and compare with your real lookup.
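The generation step above, as an added Python example (not the poster's SPL): it reads a constructed CSV standing in for my_lookup_file, builds the same multisearch string in the same values() order, and escapes quotes and backslashes in url_regex before splicing it into the generated search, which the eval above does not do.

```python
import csv
import io

# Constructed stand-in for the lookup behind
# `| inputlookup my_lookup_file where Justification="Lookup Instructions"`.
LOOKUP_CSV = """url_regex,Justification,description
regex,Lookup Instructions,plain
[re]gex,Lookup Instructions,character class
^regex,Lookup Instructions,anchored start
regex$,Lookup Instructions,anchored end
*,Other,not a useful regex
"""

# Same subsearch the post's eval builds, with the regex spliced in.
TSTATS = ('[| tstats `summariesonly` prestats=true count from datamodel=Web '
          'where sourcetype="mysourcetype" by Web.url Web.user '
          '| where match(Web.url, "{regex}")]')

def spl_string_literal(value):
    """Escape a lookup value for use inside a double-quoted SPL string.
    The eval above splices url_regex in raw, so a quote or backslash in the
    lookup would end the string early and change the generated search."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def load_regexes(csv_text, justification="Lookup Instructions"):
    """Rows matching the Justification filter, in lookup order."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["url_regex"] for r in rows if r["Justification"] == justification]

def build_multisearch(regexes):
    # stats values() deduplicates and sorts lexicographically, which is why
    # the emulated output lists "[re]gex" before "^regex" before "regex".
    parts = [TSTATS.format(regex=spl_string_literal(r)) for r in sorted(set(regexes))]
    return "| multisearch " + " ".join(parts)

if __name__ == "__main__":
    print(build_multisearch(load_regexes(LOOKUP_CSV)))
```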
"field for label" and "field for value" are not generic terms used in Splunk practice. Maybe their meaning is clear in your context or in your organization, but for volunteers here, you need to define them and describe them in plain language without SPL. You need to give some example search where you are using a token, illustrate what values the token carries (you mentioned something works with a single value but not when more than one value is passed), illustrate what the result is supposed to look like (expected results) - to do this, you may also need to illustrate the data given to that search - and illustrate what actual result you get when multiple values are passed to the search. Additionally, explain the difference between actual result and expected result if that is not painfully obvious. In short, you need to follow the golden rules of asking an answerable question. I call them the Four Commandments:
1. Illustrate data input (in raw text, anonymized as needed), whether it is raw events or output from a search (SPL that volunteers here do not have to look at).
2. Illustrate the desired output from the illustrated data.
3. Explain the logic between illustrated data and desired output without SPL.
4. If you also illustrate attempted SPL, illustrate the actual output and compare it with the desired output, explaining why they look different to you if that is not painfully obvious.