All Posts


Thanks. That was the search, not the events. Do you have any evidence in logs that you have ingested into Splunk that the user is getting locked out?
I'm trying to come up with a search query that ignores parameters if left blank, but ignores other parameters if filled in. In this case, "-" is the default value for token1 and token2. If token1 and token2 are left at this default, I want to find results based only on token3; but if token1 or token2 is specified, then I want token3 to be disregarded.

Here's what I've been trying, but so far it doesn't seem to be working as I'd hoped:

    if(($token1$ == "-" AND $token2$ == "-"), (search Field3=$token3$), (search Field1="$token1$" OR Field2="$token2$"))

Am I on the right track? Is there something I'm missing?
    index=* source="activedirectory" eventtype="ad-files" Event*

These are the logs I have. They give me a lot of information. However, they do not give me the computer name that is getting locked out, or whether the user is off-site.
Here is what is needed:

    logLevel : INFO -> Blue
    logLevel : WARNING -> Yellow
    logLevel : ERROR -> Red

The code below is not working for me:

    <format type="color">
      <colorPalette type="expression">
        if(match(value,"logLevel=INFO"),"#4f34eb",null),
        if(match(value,"logLevel=WARNING"),"#ffff00",null),
        if(match(value,"logLevel=ERROR"),"#53A051",null)
      </colorPalette>
    </format>

Is there an option for colors similar to charting?

    <option name="charting.chart">line</option>
    <!--[Total,Critical,Major,Minor,Notice,Healthy]-->
    <option name="charting.seriesColors">[17202A,C0392B,F5B041,F7DC6F,D5DBDB,3DB42A]</option>
    <!--[black, red, orange, yellow, grey, green]-->
Do you have logs ingested into Splunk? Can you share some anonymised examples of the events you are trying to detect?
Something like this?

    | spath
    | foreach *.ReportTags* [| eval fields=if(isnotnull(mvfind('<<FIELD>>',"Tag1")), if(isnull(fields),"<<MATCHSEG1>>",mvappend(fields,"<<MATCHSEG1>>")), fields)]
I have an employee who keeps getting locked out. I wanted to know how to put a script in to find out which device is getting locked out. 
Is it possible to color the font text of the row, not the background, please? I need it done soon.

    logLevel : INFO -> Blue
    logLevel : WARNING -> Yellow
    logLevel : ERROR -> Red

    <format type="color">
      <colorPalette type="expression">
        if(match(value,"logLevel=INFO"),"#4f34eb",null),
        if(match(value,"logLevel=WARNING"),"#ffff00",null),
        if(match(value,"logLevel=ERROR"),"#53A051",null)
      </colorPalette>
    </format>
The structure of the JSON in my log events is roughly as follows:

    {
      "Info": {
        "Apps": {
          "ReportingServices": {
            "ReportTags": ["Tag1"],
            "UserTags": ["Tag2", "Tag3"]
          },
          "MessageQueue": {
            "ReportTags": ["Tag1", "Tag4"],
            "UserTags": ["Tag3", "Tag4", "Tag5"]
          },
          "Frontend": {
            "ClientTags": ["Tag12", "Tag47"]
          }
        }
      }
    }

The number of fields in "Apps" is unknown, as are their names. Given this structure I need to check if a given tag ("Tag1", "Tag2", ...) exists in a given array ("ReportTags", "UserTags", [..]), regardless of parent. If it does, I need the distinct names of the parent fields that contain it.

Example 1: The input to the query is "ReportTags" and "Tag1". I'd expect it to output both "ReportingServices" and "MessageQueue" because both of them contain a "ReportTags" array that contains "Tag1".

Example 2: The input to the query is "UserTags" and "Tag5". I'd expect it to output only "MessageQueue" because only this one contains a "UserTags" array that contains "Tag5".

I have looked at various questions on this forum and tried various combinations of mvexpand and such, but I have not been able to write a query that does exactly this. Any hints and/or help would be greatly appreciated.
I'm sure there's *someone* here who can help, but they will need some help from you first. What exactly do you mean by "is not working" (that phrase should be banned here, IMO)? What is it (not) doing? How is the current behavior different from previous behavior? When did the behavior change? What other changes happened around the same time? Is there anything in search.log for the alerts that might explain the change in behavior?
Suddenly the real-time alert is not working in Splunk. Can anyone help with how to troubleshoot this issue?
Hi @inventsekar

Here are the answers to your questions: This is a dev/test instance, and my colleagues are facing the same issue. I am using Splunk Enterprise (Splunk-9.2.1-78803f08aabb.x86_64.rpm) on SLES 12 SP5. Splunk is using its built-in Python 3.7. I tried reproducing the problem with several users with different levels of access and it occurred every time, including with the admin account (with the most access).

Do you know where I could find the menu navigation XML file?

Thank you for your help!
What would be the best approach for an IaC setup for Splunk Enterprise?

Currently we are using an Azure VM and a deb installation of Splunk Enterprise; installation and updates are done manually. We would like to improve this process to install Splunk from scratch and use a better setup:
1. install it in the AKS cluster
2. use a Docker approach
3. use Terraform for IaC

What would be the best suggested approach here? We have a disk of around 1TB of data for Splunk.

Thank you in advance
^ this worked for me
Hi, I have a search which populates results with email addresses for 1000+ users. I need to send ONLY the results tagged to the appropriate user via email. I have tried a couple of solutions from the community, but they didn't help me. I want to combine all the results associated with each individual user and send them in one single email, as the data will be large and I don't want to spam their inbox. For example: results 4, 5 and 6 should be sent in one email only to malik@gmail.com, and so on for other users. Please suggest.
Thanks for the reply. I can confirm that if I set my profile preferences to "theme dark", the default app pages like "Search", "Alerts", "Reports", etc. in my app become dark. So yes, the following link is dark: https://mysplunk.com/en-GB/app/MyCustomApp/search

I checked all 18 different dashboards in the app, and all of them are still in light mode though. I expected all of them to be in dark mode now. There is no custom CSS or such in the dashboards. Is this as intended? Do I need to add some setting to all my dashboards to make them dynamically support light and dark mode? I could of course manually set the dashboards to dark mode, but then they would be stuck in dark mode, if I understand correctly. I want the dashboards to change dynamically between dark and light.
@gcusello What if I want to search multiple keywords, comma-separated, in the same text field?
Hello @somesoni2 @lguinn2 @landen99 @jonatanjosefson any solution on this? I want to specify source::mylog_* Thanks for your help!
Thanks for your reply. I couldn't get any result with this query. If I remove the where condition I get results. I ran the query with the last 4 hours as the time range:

    time                   o/p1   o/p2
    2024-11-09 01:02:00    1      1
    2024-11-09 02:02:00    1      1
Hi @Ryan.Paredez,

We were able to fix the problem by disabling config.xd in the EUM snippet:

    config.xd = {enable : false};

Example:

    <script charset='UTF-8'>
      window['adrum-start-time'] = new Date().getTime();
      (function(config){
        config.appKey = 'EUM-XYZ-ABC';
        config.adrumExtUrlHttp = 'https://cdn.appdynamics.com';
        config.adrumExtUrlHttps = 'https://cdn.appdynamics.com';
        config.beaconUrlHttp = 'https://eum.myappd.com';
        config.beaconUrlHttps = 'https://eum.myappd.com';
        config.xd = {enable : false};
      })(window['adrum-config'] || (window['adrum-config'] = {}));
    </script>
    <script src='https://cdn.appdynamics.com/adrum/adrum-latest.js'></script>

Regards,
Khalid