It is not so easy to get exactly the layout that you want, as each resulting stats event contains a repeat of the information at the techGroupLevel level:

| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
Hello Splunkers!! Splunk is receiving data from my Oracle database table via DB Connect. All of the events are created correctly when the query is run in the SQL editor, but some events are missing when they arrive in Splunk. What can be done if certain occurrences are missed? Please help me determine the possible causes. Note: my current "Max Rows to Retrieve" is set to 10000.
2. The search head must be able to contact the CM, indexers and LM. Could you please tell me where to check that the search head is connected to the CM, indexers and LM on the existing old server, and, when we are migrating to the new server, where to make the configuration changes so that it contacts the CM, indexers and LM?
Hi @jan, as @PickleRick also said: it seems that you want to configure a CM as a slave, and that isn't possible; maybe you ran the wrong command. Ciao. Giuseppe
Morning All, I'd appreciate some guidance on an SPL search I'm working on; I just can't get the information I require. My dataset is tickets on our helpdesk. I'm looking for the total number of tickets each team has for each different request type. Team is called techGroupLevel and request type is called problem_detail. Here's my search so far, and it's just not right:

| table _time id displayClient location_Name problem_detail detail bookmarkableLink status priority techGroupId techGroupLevel tech_Name reportDateUtc lastUpdated closeDate
| stats values(problem_detail) as problem_detail count(problem_detail) as total by techGroupLevel

Under this I'm getting the following: you can see that the figure returned in total is the combined total for all problem_details for each team. I'd prefer to see a separate figure for each problem detail and then perhaps a total sum under each team, but I don't know how to go about this. For example:

techGroupLevel       problem_detail   Sub-Total   Total
Systems & Network    Email            10          20
                     Server           5
                     Shared Drive     5

Appreciate some guidance, thanks, Paula
One of the SFRs from the Security Target of https://www.niap-ccevs.org/products/11330 claims the following:

FIA_X509_EXT.1 X.509 Certificate Validation
...
The application shall validate the extendedKeyUsage (EKU) field according to the following rules:
...
Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the EKU field.

So, I am assuming that this validation is handled only in Splunk Enterprise's Common Criteria mode.
Hi All, I am planning to upgrade the Splunk Enterprise app in production. Our Splunk environment has:

1 - Cluster master
4 - Indexers
1 - Deployment server
1 - Search head
1 - Monitoring console
1 - License master

Is it possible to have the search head on version 9.0.3 and the remaining Splunk servers upgraded to 9.1.0? The search head role is also provided to other servers in our environment.
Hello Splunkers, I have created an input dropdown where I need to reset all input dropdowns, irrespective of the selections made, to the default value of the fields. Here I can change the values that were passed to the search, but I was unable to change the values that were present in the input dropdown.

<input type="radio" token="field3" searchWhenChanged="true">
  <label>Condition_1</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search" searchWhenChanged="true">
  <label>All Fields Search_1</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="field4">
  <label>Add New Condition</label>
  <choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field5" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>Expression</label>
  <choice value="AND">AND</choice>
  <choice value="OR">OR</choice>
  <default>AND</default>
  <initialValue>AND</initialValue>
</input>
<input type="radio" token="field6" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>Condition_2</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search2" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>All Fields Search_2</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="field14" depends="$field4$">
  <label>Add New Condition</label>
  <choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field15" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>Expression</label>
  <choice value="AND">AND</choice>
  <choice value="OR">OR</choice>
  <default>AND</default>
  <initialValue>AND</initialValue>
</input>
<input type="radio" token="field16" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>Condition_3</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search12" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>All Fields Search_3</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="reset_all_field_search" searchWhenChanged="true">
  <label>Reset All field search</label>
  <choice value="reset_all_field_search">Yes</choice>
  <delimiter> </delimiter>
  <change>
    <condition value="reset_all_field_search">
      <unset token="search"></unset>
      <set token="search">*</set>
      <unset token="search2"></unset>
      <set token="search2">*</set>
      <unset token="search12"></unset>
      <set token="search12">*</set>
      <unset token="field4"></unset>
      <set token="field4">*</set>
      <unset token="field5"></unset>
      <set token="field5">*</set>
    </condition>
  </change>
</input>

Please help me to fix this. Thanks!
1. That's good. You should use search-time extractions, as I said from the beginning. 2. And as I said before, without additional configuration, indexed fields are not searchable the same way search-time fields are. It doesn't mean "transforms don't work".
Hello @Meett, in splunkd I see a copy of the error "External handler failed with code '1' and output ''." without any specific additional information. Luckily I solved the issue for this case: it was not an add-on problem but a Google Cloud permission issue. In fact, I did not have the Viewer permission on the Projects needed to execute the queries from Splunk correctly. A very simple case, complicated by the fact that the add-on returns no details about the error. Bye, thanks
It's unlikely but not impossible that your particular setup triggers some bug in the software. What I would do:

1) compare pre- and post-upgrade configs to verify whether anything changed
2) do a fresh reinstall of 9.1 where your 9.3 wasn't working and reapply the config
3) if you have the means, try to spin up a fresh indexer with an HTTP input and point that UF to the new indexer

If no obvious reason pops up, just raise a case with Splunk support.
Log analysis needs two things. One, as @ITWhisperer already mentioned, is the logs themselves. You must have the data to analyse; you can't analyse something you don't have.

Another important thing is the goal of your analysis: what you want to get from your logs, a question you want answered using the data you have. You don't just "analyse logs" for fun. You want the logs to tell you, for example, whether anyone tried to log in to your network and failed. How many such attempts were made? Was someone persistent in their attempts, or were there just "random" occurrences? Or you can check performance data: what connection quality your clients had, what bandwidth they used, and so on.

Of course, to answer such questions you need a relevant set of data for each use case. You can't typically tell much about security from performance data and vice versa. (Sometimes anomalies in one type of data can be a hint of something happening elsewhere, but that's a much more advanced topic; for now, don't bother with it.)
You need to start there then. This will depend on your router/modem and what capabilities you have available to you there. Essentially, you need to find a way to get your logs ingested into Splunk so you can start your analysis.
Yes, I checked the splunkd.log on the HFs. I could not see anything relevant or useful.
No
Have you managed to get your "wifi" logs into Splunk?
I have to get hands-on experience in log analysis using my home wifi and add it to my resume, so this will help me get a job.
Hi there, I am using the Splunk Add-on for Symantec Endpoint Protection, according to this documentation: https://docs.splunk.com/Documentation/AddOns/released/SymantecEP/Configureinputs. When I log in to the Symantec dashboard, it shows Endpoint Status like: Total Endpoints / Up-to-date / Out-of-date / Offline / Disabled / Host Integrity Failed. Has anyone used Symantec and solved this problem?
Hey @dcgen17, what do you see in the splunkd logs?
Hi @gcusello, thanks for your inputs. I have some corrections to my query. In the outer query I am trying to pull the ORDERS which are Not available. I need to match the ORDERS which are Not available with the ORDERS in the subquery. The result to be displayed is ORDERS and UNIQUEID. The common field in the two queries is ORDERS. Below is the query I am using:

index=source "status for : *" AND "Not available"
| rex field=_raw "status for : (?<ORDERS>.*?)"
| join ORDERS [search Message="Request for : *" | rex field=_raw "data=[A-Za-z0-9-]+\|(?P<ORDERS>[\w\.]+)" | rex field=_raw "\"unique\"\:\"(?P<UNIQUEID>[A-Z0-9]+)\""]
| table ORDERS UNIQUEID