Hi there, hope you are doing well, thanks for reading.

1) A fresh install of Splunk Enterprise 9.3.2 shows this security warning: "Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web. 12/2/2024, 5:40:52 AM"

2) I noticed this error around 2 or 3 months ago, but as it is a simple, low-priority / functionality-related one, I ignored it.

3) Last week, as we Splunkers were discussing this in our user group meeting, one of my friends asked: OK, this is a low-priority issue for you, but from an organization's infosec perspective this could be a medium/big issue.

4) He suggested that the default config files should be configured to keep things secure (similar to a "zero-trust" security policy); giving a warning message isn't enough, right? I had to agree with him.

5) Screenshot attached for your note:
Yes @PickleRick, the docs require a bit more detailed info. I see the docs are not updated yet (screenshot attached), even after my idea request https://ideas.splunk.com/ideas/EID-I-2176 and my bug report to Splunk (I spent a few hours on multiple conference calls with Splunk Support, but with no fruitful results). (New readers, could you please spend a minute and upvote idea 2176, so at least I can tell my friends that I found a bug in Splunk and suggested an idea worth 100 upvotes.) Okay, sure, agreed that it's not a big show-stopper for Splunk.

----- I have submitted the docs feedback just now.

----- Next steps: for around 3 or 4 months I worked on creating an app (following in the footsteps of @tscroggins's superb suggestions), but I got stuck in the app packaging areas.

------ Working on this "small task" again now; let me update you all on the progress soon, thanks.
@karthi2809 I tend to use a text box where I can insert a where clause, like this:

<row id="button_row">
  <panel>
    <input id="events_where" type="text" token="where_clause" searchWhenChanged="true">
      <label>Event filter where clause</label>
      <default></default>
    </input>
    <event>
      <search>
        <query>index=_internal host=bla | where $where_clause$</query>
        <earliest>$selection.earliest$</earliest>
        <latest>$selection.latest$</latest>
      </search>
    </event>
  </panel>
</row>

It gives you the flexibility to construct whatever you want, so as long as you know how to write valid SPL queries, you can use whatever eval statements you like, e.g.

You can do it with a search clause, but I find more flexibility in using eval-based filters. You can also make your text box nice and wide using the id="xxx" in the <input> and then adding this CSS:

<row depends="$CSS$">
  <panel>
    <html>
      <style>
        #events_where .splunk-textinput {
          width: 400px !important;
        }
      </style>
    </html>
  </panel>
</row>
As an additional exercise, we can compare diff with combinations of inputlookup. The following searches should return the same results:

A
| set diff [| inputlookup test.csv ] [| inputlookup test2.csv ]

B
| inputlookup test.csv where NOT [| inputlookup test2.csv ]
| inputlookup append=t test2.csv where NOT [| inputlookup test.csv ]
Hi @munang,

The set command and the join command perform overlapping but different functions. set diff returns the symmetric difference of the subsearches, i.e., set diff returns all events in either subsearch A or subsearch B but not both:

A
url                           A_field
https://www.splunk.com/       A_value
https://www.appdynamics.com/  A_value

B
url                           A_field
https://www.appdynamics.com/  A_value
https://www.cisco.com/        A_value

diff
url                           A_field
https://www.splunk.com/       A_value
https://www.cisco.com/        A_value

Both join type=left and join type=outer perform a left outer join by joining all fields in all events in the base search with all fields from the first (default: max=1) matching event in the subsearch, i.e.:

A
url                           A_field
https://www.splunk.com/       A_value
https://www.appdynamics.com/  A_value

B
url                           B_field
https://www.appdynamics.com/  B_value1
https://www.appdynamics.com/  B_value2

join
url                           A_field  B_field
https://www.splunk.com/       A_value  (null)
https://www.appdynamics.com/  A_value  B_value1

As written, your join search is equivalent to join type=inner. The where command removes all events from the base search that were not joined to an event in the subsearch. To return the difference using the join command, the command would need to support a full outer join, and it does not.
Try something like this (in SimpleXML of course!):

<row id="banner">
  <panel>
    <html>
      <style>
        div[id="banner"].dashboard-row {
          top: 0;
          position: sticky;
          z-index: 9999;
        }
        div[id="banner"] div {
          background-color: yellow;
        }
      </style>
      <h1>Your banner panel</h1>
    </html>
  </panel>
</row>
Hi @munang, may I know whether this is Splunk Enterprise or Splunk Cloud, and the Splunk version number, please? Let me try to recreate this situation and see how we can troubleshoot this issue. Thanks.
I assume you are using compatible versions of all the components. If not, ensure they are at the right versions (https://docs.splunk.com/Documentation/DSDL/5.1.2/User/InstallDSDL):

DSDL - 5.1.2
MLTK - 5.4.0
PSC - 3.1.0, 4.1.0, or 4.1.2
Splunk - 8.1.x+

Another test you can do is to try connecting to your Docker container outside of Splunk to see if the issue is due to restrictions on accessing localhost.
Are calls on the C++ layer counted in the overall calls? Suppose there is one transaction which flows from Web Server to Java to Node.js; will it be counted as 3 calls or as one call?
Is there any pattern between the ticket type and the values appearing? E.g., does the Customer value always appear in Normal Tickets but never in Error Tickets? Or does it look random? Also, when you say that "In Splunk, it is confirmed that the value exists", can you say it definitely exists for all records, even for the tickets that say it doesn't exist? Try running your alert search, but looking for rows where the field does not have a value:

<yoursearch> | search NOT Client=*
It seems that your alert job is successfully running. When you say "the test email was successful", do you mean a test email from Splunk or from a different interface? If it was not Splunk that sent the test email, could you test it with a search like this? It should either send you a simple test email or give you errors indicating what is going wrong:

| makeresults | sendemail to="<youremailaddress>" subject="test splunk email"
Ultimately Splunk needs a date to know where to file your event. If the date is missing from the logs, then you need to supply or assume it from somewhere else. E.g. if Splunk sees the time "17:22:29.875", then do you want Splunk to assume that the date is the day of indexing? So if yesterday, then the full timestamp would be 2024-30-11 17:22:29.875
@bowesmana The two methods you provided also produce different results. Is there a reason why I get different results even if I exclude fields with underscores?
According to the docs, you should use the sourcetype based on the configured event hub: "Select the source type based on the configured Event Hub. Supported source types are mscs:azure:eventhub, azure:monitor:aad, azure:monitor:resource and azure:monitor:activity. The default sourcetype is mscs:azure:eventhub" (https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/Configureeventhubs/).

It seems that this add-on contains a props.conf stanza for the sourcetype "ms:o365:management" to CIM-normalize data from that sourcetype, but it does not contain any inputs.conf or scripts in bin which pull in the data. It is not clear why it is bundled that way. I would expect this CIM-normalizing config to be bundled in an add-on which also pulls the ms:o365:management data.
I am curious about this, could you say which TA is trying to initialize the modular input even if the inputs.conf stanzas are disabled?
"In my case I need to search in a textbox with dynamic values from the message field, not with predefined values."

Dynamic doesn't mean it should be free text. This next example gives you two inputs, one a truly dynamic multiselect, the other a free text if you absolutely want to go that route.

<form version="1.1">
  <label>Multivalue input</label>
  <description>https://community.splunk.com/t5/Splunk-Search/How-to-filter-events-using-text-box-values/m-p/704698</description>
  <fieldset submitButton="false">
    <input type="multiselect" token="multiselect_tok" searchWhenChanged="true">
      <label>select all applicable</label>
      <choice value="*">All</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>index = _internal log_level = * | stats count by log_level</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="multivalue_text_tok" searchWhenChanged="true">
      <label>enter comma separated</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Using &gt;$multiselect_tok$&lt;</title>
        <search>
          <query>index = _internal log_level IN ($multiselect_tok$)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
    <panel>
      <event>
        <title>Using &gt;$multivalue_text_tok$&lt;</title>
        <search>
          <query>index = _internal [| makeresults | fields - _time | eval log_level = upper(trim(split("$multivalue_text_tok$", ",")))]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

The problem with free text is that people make far more mistakes than machines do. My code tries to cope with that as much as possible.
But unless you have a use case that uses free text in a meaningful way, forget comma delimited input.
Is there any solution ...
1. 2. Honestly, that's surprising. Normally the events are ingested as either WinEventLog or XmlWinEventLog. See https://docs.splunk.com/Documentation/AddOns/released/Windows/SourcetypesandCIMdatamodelinfo

The naming where you used the channel name in the sourcetype was used in old versions of TA_windows, as far as I know. But for ages now it's been deprecated, and TA_windows does a rewrite to the normalized version.

Anyway, there is one more thing worth taking into consideration: you're rewriting your event data into a completely different format, so the normal TA_windows extractions won't work. You might recast the events into another sourcetype, but then you'd have to adjust all CIM mappings and such to make this sourcetype work properly with stuff like ES. Honestly, I'd go for preprocessing this with some external tool before ingestion and try to retain the original format while cutting "unnecessary" data.
Hi @PickleRick,

Thank you for the clarification, and yes, you are correct, I am addressing the same issue. Here's the updated response that reflects the correct sequence of events:

1. Component Placement
The Universal Forwarder (UF) is responsible only for collecting and forwarding data and does not perform parsing or transformations. SEDCMD settings in props.conf must therefore be applied on the indexers, where parsing occurs. Since there are no Heavy Forwarders in the architecture, the indexers were the correct location for these configurations.

2. Stanza Naming and Testing
I confirm that the XmlWinEventLog: Security stanza was the correct choice for this configuration. Each SEDCMD was tested separately in this stanza: the first SEDCMD partially worked, applying some transformations but not entirely meeting the expected output. The second SEDCMD, tested independently, caused Event ID 4627 to stop being indexed altogether. These results confirm that XmlWinEventLog: Security is the appropriate naming convention, as the configuration was correctly recognised and applied. Additionally, I tested other stanzas, including WinEventLog: Security, and none worked as intended, further validating that XmlWinEventLog: Security is the correct stanza to use.

3. Configuration Location
For quick validation during testing, the configurations were initially placed in system/local. For production deployment, they have been moved into dedicated apps, ensuring better organisation, ease of updates, and compliance with Splunk's best practices.

4. Regex Validation
Both SEDCMD regex directives were validated using | makeresults with the raw event data. The partial success of the first and the indexing failure of the second highlight that the regex logic itself or environmental factors need adjustment for consistent application in production.

I hope this clears up any concerns and confirms the steps taken during testing and deployment.
Let me know if there's anything else you'd like me to elaborate on to be able to resolve the issue.

Best regards,
Dan
Every solution based on CLONE_SOURCETYPE quickly gets ugly, because CLONE_SOURCETYPE is not discriminative: you not only have to process both event streams, duplicating your definitions for the particular sourcetype so that the index-time settings are also applied to the new sourcetype, you also have to rewrite the sourcetype back to the old one at the end. And you have to filter both streams to only work on subsets of the events. Very, very ugly, and it quickly gets unmaintainable. And if by any chance you manage to make a loop, you'll crash your splunkd.