All Posts

Can you give more information about this? Is this function part of a library, or app, or base Splunk functionality?
Yes, this is a security recommendation added recently. As the alert suggests, you can add email domains to your allowedDomainList by going to Server Settings > Email Settings > Email Domains. For example, if you want email alerts to only go to your company email addresses, then you can add your company domain there. This will restrict your email alerts so that users cannot accidentally or maliciously send data to unauthorized email domains.
I checked the Field Extraction section and did NOT find any reference to "Last Logon". Being new to Splunk, this is where I am unsure where fields come from and how they work, which is fine for now; something for me to research. I switched the SPL to the following and it still doesn't return the 'lastLogon' attribute from AD. Would this be expected, or should it in fact return the 'lastLogon' attribute?

| ldapsearch domain=mine search="(objectClass=user)" attrs=sAMAccountName,lastLogon
| table sAMAccountName,lastLogon
Thanks, I tried the steps, but the same thing occurred. I then quickly set up a Classic Dashboard instead of a Dashboard Studio one, and it works. Looks like either an issue with Studio, or maybe it's just done differently. Thanks again, Tom
Ok, so we know row and results work in other environments. Something should be there based upon what we have seen from your SPL and table results. I would recommend saving the updated drilldown, then log out of Splunk, close the browser and clear cache/cookies, log into Splunk, and reload the dashboards.
Hey guys, thanks for the quick help, still stuck for some reason. So I've tried $row.host$ and $result.host$ but they both result in just passing $xxx.host$ for some reason.

Here's the config:

Here's the resulting search:

Here's the table query:

index="netscaler" host=*
| rex field="servicegroupname" "\?(?<Name>[^\?]+)"
| rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)"
| rename "state" AS LastStatus
| eval Component = host."|".servicegroupname
| search Name=*
| eval c_time=strftime(Time,"%m/%d/%Y %H:%M:%S")
| streamstats window=1 current=f global=f values(LastStatus) as Status by Component
| where LastStatus!=Status
| rename _time as "Date"
| eval Date=strftime(Date, "%m/%d/%Y %H:%M:%S")
| table Date, host, ServiceGroup, Name, Status, LastStatus

And, here's a screenshot of the table if helpful.

Thanks again for the help on this one, very much appreciated. Tom
This is a better answer than mine.  $results$ will only pick up the first result rather than the row clicked.
Splunk fields are case sensitive, but given the opportunity for confusion it's typically not best practice to overlap spellings. Unless the app specifically overlaps fields with case differences, I would avoid that. However, it appears the SPL is all based on a field specifically referenced as "LastLogon". I would look to see if that field still exists after the application update. It's possible the information still exists but is not being extracted into the previous field name which the SPL is relying on. If so, then you have the option to update the field extraction to that field name, or update your SPL to reference any new fields that contain the information you require.
https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTintrospect#server.2Fsysinfo

| rest /services/server/sysinfo
| table splunk_server transparent_hugepage.effective_state

The above will get you the THP status per server; it is usually best to run it from the DMC in a multi-server environment, where most if not all devices should be reported. Running it from a SH or SHC may be limited to the SH and IDX.

https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTintrospect#server.2Fstatus.2Fresource-usage.2Fhostwide

| rest /services/server/status/resource-usage/hostwide
| table splunk_server *cpu* *mem*
That is a Splunk internal index so any documentation (if it exists) would be internal to Splunk.  You may be able to find some useful information in the Troubleshooting Manual or the REST API Reference Manual.
| ldapsearch domain=mine search="(objectClass=user)"
| where isnull(isCriticalSystemObject)
| eval Enabled=if(match(userAccountControl,".*ACCOUNTDISABLE.*"),"False","True")
| eval expires=if(userAccountControl="DONT_EXPIRE_PASSWD","True","False")
| eval "Last Logon"=strftime(strptime(LastLogon, "%Y-%m-%dT%H:%M:%S.%QZ"),"%Y%m%d %H:%M:%S")
| eval lastLogon=strptime(LastLogon, "%Y-%m-%dT%H:%M:%S.%QZ")
| eval daysSinceLogon=round((now()-lastLogon)/86400, 0)
| table sAMAccountName,Enabled,daysSinceLogon,"Last Logon",expires

When I upgraded to version 9 I had pulled all the latest add-ons from Splunk directly. The new instance was stood up and then the add-ons were installed; I pulled over lookups, etc. after the fact. I inherited this system and am very green to Splunk (1 month of experience).
Hi @tdavison76,
please try this regex:

| rex field="alert.message" "On-Prem - (?<your_field>[^\"]+)"

that you can test at https://regex101.com/r/RWQr9a/1

Ciao.
Giuseppe
1) Can you share the exact SPL search?
2) Did you upgrade/refresh the Add-On when you upgraded from v8 to v9?
Hello Giuseppe, thank you very much for the help, I gave the regex a shot but it still didn't return any results. Here's an event that has the alert.message field of "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com" included.

Here's the actual Search I am running:

Just let me know if more details are needed, and thanks again. Tom
Awesome information - thank you for demo and tips.
Almost there - try something like this:

| rex field="alert.message" "On-Prem - (?<Name>.*)"
Hi @tdavison76,
I could be more detailed if you could share some sample of your logs; anyway, if you want to take all the content of the "alert.message" field after "On-Prem - ", you could try:

| rex field="alert.message" "On-Prem - (?<Name>.*)"

Ciao.
Giuseppe
We have a lookup in Splunk, and we are looking to send a few columns of the lookup to another product via a POST API call. My question is, are there any Splunk add-ons that I can leverage to do this? I see there is an HTTP alert action that can make a POST; however, with this being a lookup (csv), I am not sure it will work correctly.