All Posts

Hi Splunkers, any help with "Rex has exceeded configured match_limit, consider raising the value in limits.conf"? My search looks like this:

| index=abc index=def process=jkl
| rex field=_raw ";(?<h_db_host>\w+);(?<h_instance_name>\w+);\d+;\d+;(?<h_db_name>\w+);(?<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?<user_computer_name>[^;]*)?;[-\d]+;[-\d]+;(?<audit_policy_name>[^;]+);(?<audit_policy_severity>\w+);(?<user_activity>[^;]+);(SUCCESSFUL|UNSUCCESSFUL);(?<activity_details>[^;]+);(?<application_username>[^;]*)?;{5}(?<db_user_id>\w+)?;(?<user_application>[^;]+)?;(?<db_schema>\w+)?;"
| rex field=user_activity "(?<user_activity_event>.+?)\;"
| fillnull value="null"
| search h_db_name IN("srp1", "brp1") audit_policy_severity="CRITICAL" db_user_id=SYSTEM
| table _time, env, host, h_db_host, h_instance_name, h_db_name, user_computer_ip user_computer_name audit_policy_name audit_policy_severity user_activity_event

Any help will be appreciated.
You may have better results by un-checking the "Global account settings" in Add-on setup parameters in the Add-On Builder and then adding your own Add-on Setup Components, like a Text field for Client ID and a Password field for Client Secret, rather than attempting to rename the account username and password.
Create a multi-value field using mvappend (there are other ways, too).

| eval mitre_category=mvappend("persistence","Defense_Evasion")
| eval apt=mvappend("apt1","apt2","apt3")

The search command, however, doesn't work well with multi-value fields, so this probably will not solve your problem. What problem are you trying to solve, exactly? Tell us about the root problem so we can offer other possible answers.
I think @gcusello's answer is the best scalable approach. If it's something quick and small, you could do something like this to keep it all in the SPL without needing a lookup:

index=brandprotection name IN (ali, ahmad, elias, moayad)
| stats count BY name
| append [| makeresults | eval name="ali, ahmad, elias, moayad" | eval name=split(name, ", ") | mvexpand name | eval count=0 | fields name count]
| stats sum(count) AS count BY name
Hi, in the GUI there are separate tabs for alerts and reports, but when you query those with rest you get both at the same time. Here is an old post which tells how you could try to identify which is an alert and which is a report. https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-export-all-alerts-to-csv-or-pdf/m-p/629226#M9319 r. Ismo
It is not clear what you are trying to do. Are you trying to search for events where the field may have one of a number of different values?

| search apt IN ("apt1","apt2","apt3")
After you have pasted the whole URL and token, please remove that token and generate a new one. Otherwise you could be surprised how many will try it! It's best to anonymise both the URL (host part) and the token before you post them to the community.
The easiest way is to set up a HF on your own site to do it.
Currently trying to get eval to give multiple returns:

| eval mitre_category="persistence,Defense_Evasion"
| eval apt="apt1,apt2,apt3"

I would like the values to be listed as OR. That way I get `apt2` or `apt3` instead of searching for `apt1,apt2,apt3`. I would like to know if there is a way to do this via one query instead of several, if at all possible.
@Karthikeya Index peers are simply indexers that work together in a Splunk cluster environment. They are responsible for receiving, processing, and storing data while maintaining copies across multiple indexers for redundancy and high availability. When a Cluster Master pushes configuration changes through an index cluster bundle, all index peers receive the same settings to ensure consistent operation across the cluster. Refer:
https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Basicclusterarchitecture
https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Howclusteredindexingworks
If this helps, please upvote and mark as solved.
@meirclaroty Did you find an answer for this?
Not sure why your example is not working with the reduced list you expect; I get similar results from what you tried. Here is an alternative for you to try:

| rest splunk_server=local /servicesNS/-/search/saved/searches

| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=search"
Hi, yes, I've tested this use case in my env and things are working as expected. I was more concerned about hidden charges when we start blowing things up. Thanks for making this straight for me. It's helpful.
Your URL is short.
https://http-inputs-<customer>.splunkcloud.com/services/collector/raw
or
https://mysplunkserver.example.com:8088/services/collector/event
Hi Splunkers, as per the thread title, I need to build one or more searches that show me, for a specific app, all alerts, reports and dashboards owned by that app. Now, I know very well that the community is full of topics with this problem and related answers. The issue is the following: none of them work properly in my case. This is because, when I run the search, if I specify the app, I get "mixed" results: I mean, I get an output composed of alerts owned by the app I'm searching for, but also others. Let me be more specific. I know that, for such a kind of search, the base string is:

| rest splunk_server=local /servicesNS/-/-/saved/searches | table title

Which means: hey, return me all saved searches for all apps on the local Splunk Server (a SH, in my case). So, if I execute the above search, I get more or less 450 results. So, what about if I need to filter? Very simple:

| rest splunk_server=local /servicesNS/-/<app name here>/saved/searches | table title

That should return all and only saved searches for the requested app (a custom one in my case). Problem: the app I need info on has 119 saved searches (checked on the GUI in the related page). The above query returns me a total amount of 256; analyzing the output, it returns me searches owned by other apps. Of course, I have already performed the obvious check, which is: am I sure that the searches in the output belong to different apps and are not all for the one I'm searching for? Yes, I checked, and in the output there are also Enterprise Security searches, so for sure the search is returning me more data than the one I need. So, my question is: what can be the root cause of this behavior, if the searches' ownership is correct?
Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it. https://www.duanewaddle.com/proving-a-negative/
I'm assuming DATATYPE_CONFIG=CURRENT is a typo and the real setting is DATETIME_CONFIG=CURRENT. Try changing the props stanza name to [csv] (the sourcetype). FWIW, Splunk recommends not changing the source value in inputs.conf.
Hi @hahhhaxin, for csv files, put the props.conf and transforms.conf also on the UF. Ciao. Giuseppe
Hi @msalghamdi, if you have the list of names to check, you can put them in a lookup (called e.g. names.csv and with one field "name") and run a search like the following:

index=brandprotection name IN (ali, ahmad, elias, moayad)
| stats count BY name
| append [ | inputlookup names.csv | eval count=0 | fields name count ]
| stats sum(count) AS count BY name

Ciao. Giuseppe
Hello Splunkers, I have a requirement where I need to show values in statistics even if they don't exist. For example, here's my search:

index=brandprotection name IN (ali, ahmad, elias, moayad) | stats count by brand

However, sometimes in the logs the names Elias and Moayad aren't there, but I need to have them in the table, so I need the output to be like this:

user    count
ahmad   7
ali     4
elias   0
moayad  0

I need a search that would show the results like the table above. Thanks