All Posts

I wouldn't recommend using ChatGPT to make Splunk searches. It usually generates nonsense and even if the SPL is valid, it tries to do bizarre stuff. It would help if you would specify what kind of visualization of logins you would like. Do you want a total of successful and failed logins over a time period? Do you want to find the top 5 users with failed logins? Would you like to see a timeline of successful and failed logins over the past 7 days?
Hi Splunk team. I wonder which version of Cyber Vision is supported by the API release v2.0 for Splunk Enterprise.
Please forgive me, I am new to Splunk. I'm trying to create a dashboard that visualizes successful/failed logins. I don't have anyone I work with that's a professional or even knowledgeable/experienced enough to help. So, I started to use ChatGPT to help develop these strings. After I got the base setup from ChatGPT, I tried to fill in the sourcetypes. But now I'm getting this error: Error in 'EvalCommand': The expression is malformed. Please let me know what I need to do to fix this. Ask away please. It'll only help me get better.

index=ActiveDirectory OR index=WindowsLogs OR index=WinEventLog
( (sourcetype=WinEventLog (EventCode=4624 OR EventCode=4625)) # Windows logon events
  OR (sourcetype=ActiveDirectory "Logon" OR "Failed logon") # Active Directory logon events (adjust keywords if needed) )
| eval LogonType=case(
    EventCode=4624, "Successful Windows Login",
    EventCode=4625, "Failed Windows Login",
    searchmatch("Logon"), "Successful AD Login",
    searchmatch("Failed logon"), "Failed AD Login"
  )
| eval user=coalesce(Account_Name, user) # Combine Account_Name and user fields
| eval src_ip=coalesce(src_ip, host) # Unify source IP or host
| stats count by LogonType, user, src_ip
| sort - count
Hi @Tiong.Koh, Have you had a chance to review the latest reply? If it answers your question, please click the "Accept as Solution" button, if not, reply back to keep the conversation going. 
I am investigating an issue of missing data in Splunk for a period of 3-4 hours, where gaps were observed in the _internal index as well as in performance metrics like network and CPU data, but I still cannot find the potential root cause of the missing data. Please help me with what I need to investigate further to find the potential root cause of the data gap in Splunk.
Gap in the _internal index data
Network performance data gap is visible
Gap in the CPU performance data
@ITWhisperer OK, how can we create such a line chart with X axis as Time (not _time) and Y axis as count1 count2 count3?
Thank you @gcusello I'll get with support!
I want to make a sound alert in my dashboard studio dashboard. Is it even possible?
No, the y-axis represents a numeric value, which in your example would be the values from count1, count2 and count3.
Hi @jaburke1, try it, but, as I said, I usually avoid using automatic lookups. Ciao. Giuseppe
Hi @FPERVIL, I usually deploy on all the Forwarders an app, usually called TA_Forwarders, containing at least three files: app.conf, deploymentclient.conf, outputs.conf. In this way I can centrally manage both sending data to Indexers and the connection to the Deployment Server. Ciao. Giuseppe
Hi @gcusello, I believe using roles (creating a new one to run the saved search) might work.
Hi @timtekk, it's very strange because in this documentation https://docs.splunk.com/Documentation/Splunk/9.3.1/Updating/Useforwardermanagementtomanageclients#View_client_status (latest version), this feature is still present. But many people in the Community reported the same issue: https://community.splunk.com/t5/Deployment-Architecture/Unable-to-remove-records-from-the-Deployment-Server/m-p/698055 Open a case with Splunk Support, because the behavior differs from the documentation. Ciao. Giuseppe
Hi @waJesu, define your requirement exactly and match it to your fields, then it's easy to use the commands. Ciao. Giuseppe
Hi @jaburke1, I don't like automatic lookups! And I use them only when I must! Ciao. Giuseppe
Our Splunk Add-on app was created with Python modules (like cffi, cryptography and PyJWT), where these modules are placed under the app's /bin/lib folder. This add-on is working as expected. When we try to upgrade Splunk Enterprise from 8.2.3 to 9.3, our add-on fails to load the Python modules and throws the error 'No module named '_cffi_backend''. Note: we are running on Python 3.7 and have updated the Splunk Python SDK to the latest, 2.0.2.
How do you get a Saved Search to ignore a specific automatic lookup? The reason for wanting to do this is that the lookup being used is very large and the enrichment is not needed for a specific search. Using something like | fields - FieldA FieldB did not speed up the search (where FieldA and FieldB are the fields that are matched on in the automatic lookup). When the automatic lookup has its permissions changed to just one app, the saved search runs very fast, but I do not believe keeping it like that is an option. Ideally there would be a setting just for this one saved search so that it would not know the automatic lookup exists. Thanks in advance for any suggestions.
Hi @ITWhisperer, can we have a line chart with X axis = _time, Y axis = column1, and the values of count1 count2 count3 as 3 lines on the chart?
Hi, I am just facing the same problem. Did you finally figure out any solution? I am dealing with this issue directly with Tufin, hope to have an answer soon. I'll come back if I have any update.
Essentially, a line chart will be visualised from a table with the first column being the x-axis, normally a timestamp (_time), with the subsequent columns providing the values for the lines on the chart. Your table does not match these criteria, so you would not be able to represent your table as a line chart (without removing or combining some of your data).