All Posts


From what you have shown so far, if the EventCode is "True", the user is locked out and you set lockout to "Yes", but you haven't shown any events where this is the case. Is this because there are no events like this?
I am having trouble creating the connection to Splunk Cloud from Power BI. I have downloaded the latest version of the Splunk ODBC (3.1.1), configured it with what I think my user and password are (we authenticate via an Active Directory with our tenant), and I have access to the access token in the Splunk Cloud console. The error I am getting is:

Details: "ODBC: ERROR [HY000] [Splunk][SplunkODBC] (40) Error with HTTP API, error code: Timeout was reached ERROR [HY000] [Splunk][SplunkODBC] (40) Error with HTTP API, error code: Timeout was reached"

Not sure how else to try configuring the ODBC connector.
@StanD3sec I don't think there is one for Enterprise yet (Splunk Cloud ACS API has one). But you can use the Splunk Enterprise SDKs here: https://dev.splunk.com/enterprise/downloads/ https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTlist If this helps, please upvote.
Hello, Thank you for asking your question on the Community. I wanted to see if you were able to find new information or a solution you could share here? If you still need help with this, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM) 
This is my search. It brings back Not Known for every field instead of the correct case name:

index=websphere websphere_logEventType=*
| stats count(websphere_logEventType) BY websphere_logEventType
| eval websphere_logEventType=case(websphere_logEventType=I, "INFO", websphere_logEventType=E, "ERROR", websphere_logEventType=W, "WARNING", websphere_logEventType=D, DEBUG, true(), "Not Known")

What am I missing that will bring the count and the case that the count is for instead of always the Not Known case?
Hello. I cannot find a solution to this one here... I have logs in one Splunk instance. I've exported them to CSV and want to perform a one-time ingest of that CSV into a new on-prem Splunk Enterprise instance. I have the CSV and can import it. However, I can't figure out how to preserve each row/event's original 'host', timestamp, and 'sourcetype' entry. When I do the import, it records the 'host' as the Splunk indexer, and the timestamp as the date of the import, which makes sense but is not the desired behavior. Here is a sample row of the CSV:

_time,host,index,source,sourcetype
2024-11-19T11:36:05.000-0500,host1.example.com,test-index,/var/log/messages,syslog
2024-11-19T11:36:05.000-0500,host2.example.com,test-index,/var/log/messages,syslog

I removed the _raw column, but I can include it if necessary. How do I import these events while preserving the event time, host, and sourcetype fields? Is this even possible? I looked around here and can't find anyone with this scenario. Thank you in advance!
Hi @Khalid.Rehan, Thank you for sharing the solution! 
_time user desc OU hostName lockout

How is this for an example?
Please share anonymised examples of your log events.
SPL does not have conditional execution. The if function (not a command or statement) is part of where and eval expressions to help determine the value to test or assign to a field. In dashboards, conditional execution can be simulated by assigning different search commands to a token based on the value of other tokens.

<input>
  ...
  <condition $token1="-" AND $token2$="-"> <!-- not the correct syntax-->
    <set token="search">Field3=$token$</set>
  </condition>
  <condition>
    <set token="search">Field11=$token1"</set>
  </condition>
</input>
...
<search>
  <query>index=foo $search$</query>
</search>
...
Hi All, link removed, solving this, thanks and best regards, Sekar. PS - my karma stats - given 2400+ and received 400+, thanks for reading!
That search shows some who are locked out and some people who log in to a device. It shows some of everything. I wish it would determine who is locked out instead of stating no for everything.
Thanks. That was the search not the events. Do you have any evidence in logs that you have ingested into Splunk that the user is getting locked out?
I'm trying to come up with a search query that ignores parameters if left blank, but ignores other parameters if filled in. In this case, "-" is the default value for token1 and token2. If token1 and token2 are left at this default, I want to find results based only on token3; but if token1 or token2 are specified then I want token3 to be disregarded. Here's what I've been trying, but so far it doesn't seem to be working as I'd hoped:

if(($token1$ == "-" AND $token2$ == "-"), (search Field3=$token3$), (search Field1="$token1$" OR Field2="$token2$"))

Am I on the right track? Something I'm missing?
index=* source="activedirectory" eventtype="ad-files" Event*

These are the logs I have. They give me a lot of information. However, it does not include the computer name that is getting locked out or whether they are off-site.
Here is what is needed:

logLevel : INFO -> Blue
logLevel : WARNING -> Yellow
logLevel : ERROR -> Red

Below code is not working for me:

<format type="color">
  <colorPalette type="expression">
    if(match(value,"logLevel=INFO"),"#4f34eb",null),
    if(match(value,"logLevel=WARNING"),"#ffff00",null),
    if(match(value,"logLevel=ERROR"),"#53A051",null)
  </colorPalette>
</format>

Is there an option for colors similar to charting?

<option name="charting.chart">line</option>
<!--[Total,Critical,Major,Minor,Notice,Healthy]-->
<option name="charting.seriesColors">[17202A,C0392B,F5B041,F7DC6F,D5DBDB,3DB42A]</option>
<!--[black, red, orange, yellow, grey, green]-->
Do you have logs ingested into Splunk? Can you share some anonymised examples of the events you are trying to detect?
Something like this?

| spath
| foreach *.ReportTags* [| eval fields=if(isnotnull(mvfind('<<FIELD>>',"Tag1")), if(isnull(fields),"<<MATCHSEG1>>",mvappend(fields,"<<MATCHSEG1>>")), fields)]
I have an employee who keeps getting locked out. I wanted to know how to put a script in to find out which device is getting locked out. 
Is it possible to color the FONT text of the row, not the background, please? I need it done soon.

logLevel : INFO -> Blue
logLevel : WARNING -> Yellow
logLevel : ERROR -> Red

<format type="color">
  <colorPalette type="expression">
    if(match(value,"logLevel=INFO"),"#4f34eb",null),
    if(match(value,"logLevel=WARNING"),"#ffff00",null),
    if(match(value,"logLevel=ERROR"),"#53A051",null)
  </colorPalette>
</format>