All Posts

Using transaction is rarely a good solution, as it has numerous limitations and results will silently disappear, as you have noticed. It seems you're looking for the same msg within a 5-minute window that has a syscall and is not from certain comm types, but given that audit messages are typically time based, can you elaborate on what you're trying to do here? You are asking Splunk to hold 5 minutes of data in memory for every msg combination, so if your data volume is large then lots of those combinations will get discarded. Whenever you use transaction, you should filter out as much data as possible before you use it. Can you give an example of what groups of events you are trying to collect together? The stats command is generally a much better way of doing this task and does not have limitations. Also, note that "sort by date" is not valid SPL, as "by" is treated here as a field and not a command word; just use "sort date".
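As an added illustration of the stats approach suggested in the reply above (this is not code from the reply; the index, the sourcetype and the comm values to exclude are assumptions, while msg, type, syscall and comm are the usual Linux auditd field names), the following search groups audit records that share a msg value inside a 5-minute bucket, keeps only groups that contain a SYSCALL record, and does the filtering on the search line before any grouping happens:

```spl
index=os sourcetype=linux_audit NOT comm IN ("cron", "sshd")
| bin _time span=5m as window
| stats count
        min(_time) as first_seen
        max(_time) as last_seen
        values(type) as types
        values(syscall) as syscalls
        values(comm) as comms
        by window msg
| where count > 1 AND isnotnull(syscalls)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort first_seen
```

Two things to keep in mind when adapting it: bin produces fixed, clock-aligned 5-minute buckets rather than a sliding window, so a msg whose records straddle a bucket boundary is split into two rows (streamstats with time_window=5m is the sliding-window alternative if that matters), and the final line is the valid form of the ordering the original poster wanted, a plain "sort <field>" with no "by".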
If you want to add these fields to a table you are creating but don't know what the fields are called, then you can use @ITWhisperer's technique, but change it slightly so that it is

    ... | eval cust_field_{name}=value | table fields_you_want cust_field_* | rename cust_field_* as *

which will effectively give you cust_field_fieldA and so on with that consistent prefix; then you can use the table statement to table out the fields you want and all those custom fields, and then use a wildcard rename to get rid of the prefix.
Please share some sample anonymised events so that we can see what you are dealing with. Please explain which parts of the events are important for what you are trying to discover. Please share what you would like the results to look like. Without this type of information, we are reduced to attempting to read your mind (and my mind-reading license has been revoked after the unfortunate incident with the estate agent!)
Hi Paul, thanks for the information. However, the heading below is not actually a single table, it's markdown text. The highlighted items below are individual markdown texts, where I don't find any option.
I want to find out which IP address, hostname or username has failed multiple times to log in to multiple accounts. I am trying to detect a brute-force attack.
Please share some sample anonymised events so that we can see what you are dealing with. Please explain which parts of the events are important for what you are trying to discover. Please share what you would like the results to look like. Without this type of information, we are reduced to attempting to read your mind (and my mind-reading license has been revoked after the unfortunate incident with the estate agent!)
Please share some raw anonymised events so we can see what you are dealing with so we can try and help you further. Please use the code block </> above to preserve the format of the events so that we can suggest the correct field extractions for you.
I am trying to write an SPL query to detect an event where a single source IP address or a user fails multiple times to log in to multiple accounts. Can anyone help me write it?
@corti77 Just curious, have you set up the API calls to Netapp using the Splunk_TA_ontap and SA-Hydra app? We are setting it up currently and have been running into an issue we can't resolve and cannot find much help online.
Is there any way to toggle the data points on and off via a radio button added to a dashboard? When doing line charts with long lengths of data, the numbers get tightly packed together and overlap.
I am trying to write an SPL query to detect an event where a single source IP address or user fails multiple times to log in to multiple accounts. Can anyone help me write it?
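The questions above about a single source IP or user failing logins against many accounts have not been answered with a search in this thread; the following is an added example of one way to write it, not code from any of the posters. The first six lines fabricate twelve failure events with makeresults so the search runs on its own (one source, 10.0.0.5, fails against five accounts; a second source, 10.0.0.9, fails three times against two), and the field names src, user and action follow the CIM Authentication convention; in production those lines are replaced by the real search, for instance index=auth action=failure, and the thresholds of 5 failures and 3 distinct accounts are assumptions to tune:

```spl
| makeresults count=12
| streamstats count as n
| eval _time=_time - (12 - n) * 20
| eval src=if(n <= 9, "10.0.0.5", "10.0.0.9")
| eval user=case(n <= 9, "svc".(n % 5), n <= 11, "alice", true(), "bob")
| eval action="failure"
| search action=failure
| bin _time span=1h as window
| stats count as failures
        dc(user) as distinct_accounts
        values(user) as accounts
        min(_time) as first_seen
        max(_time) as last_seen
        by window src
| where failures >= 5 AND distinct_accounts >= 3
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

On the constructed data only 10.0.0.5 is returned (9 failures across svc0..svc4); 10.0.0.9 stays below both thresholds. The dc(user) condition is what separates password spraying across many accounts from a single user mistyping a password, and the same shape works for the other pivots in the question by changing the grouping field: by window user for one account hammered from many places, or by window host. As with any bin-based window, an attack that straddles a bucket boundary is split across two rows, so pick a span comfortably wider than the burst you expect.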
Our Nessus vulnerability scanner is flagging that the server_pkcs1.pem certificate is expired. I have verified that it is expired but am unable to renew it. Stopping the service, renaming the file and restarting the service does not recreate it. How do you renew this certificate?
This is awesome, but is there a way to make the results columns (additional fields on my results)?
This is the better option. You should remember that when you configure two outputs on Splunk and one of them stalls, then the other also stops quite soon.
If you want it, you can vote up my proposal on Splunk Ideas. https://ideas.splunk.com/ideas/EID-I-2441
This is a very large limitation.  Know that we would like to see more ways to customize Markdown content as well. Thanks!
There are no timestamps in the lookup table. When I plug one in, I get the desired results.
Assuming your data is in the _raw field

    | eval parts=split(_raw, " ")
    | mvexpand parts
    | eval name=mvindex(split(parts,":"),0)
    | eval value=mvjoin(mvindex(split(parts,":"),1,2),":")
    | eval {name}=value
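To show the parse above and the cust_field_ prefix technique from the earlier reply working together, here is an added example that is not code from either post. The three events are constructed with makeresults to match the fieldA/fieldB/fieldC layout discussed in this thread, and event_id is an assumed per-event key (in a real search any field that identifies one event, or _time plus host, serves the same purpose):

```spl
| makeresults count=3
| streamstats count as event_id
| eval _raw=case(event_id=1, "fieldA:1:10 fieldB:1:3 fieldC:1:2",
                 event_id=2, "fieldA:1:10 fieldC:1:2",
                 event_id=3, "fieldC:1:1")
| eval parts=split(_raw, " ")
| mvexpand parts
| eval name=mvindex(split(parts, ":"), 0)
| eval value=mvjoin(mvindex(split(parts, ":"), 1, 2), ":")
| where isnotnull(name) AND isnotnull(value)
| eval cust_field_{name}=value
| stats values(cust_field_*) as cust_field_* by event_id
| table event_id cust_field_*
| rename cust_field_* as *
```

The result is one row per event_id with columns fieldA, fieldB and fieldC, blank where an event lacked that token. The where clause drops tokens with no colon, since mvindex then returns nothing and the dynamic eval would otherwise create a field with an empty value. The prefix matters for more than the wildcard table: because the field name in eval {name} comes straight from event content, a token such as host:x or _time:x in the raw data would overwrite the real host or _time field, whereas cust_field_host only collides with nothing, and the final rename runs after table has already restricted the row to event_id and the prefixed fields.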
https://docs.splunk.com/Documentation/CIM/6.0.0/User/Install There is still one outstanding index defined in the app as of the most recent install version. You will need the index defined on the indexers; you can do this by deploying either the full app or a custom app to the indexers.
Do you mean?

    fieldA  fieldB  fieldC
    1:10    1:3     1:2
    1:10            1:2
    1:10            1:2
                    1:1