Hey guys, so I was basically trying to set up Splunk to work with terminal (bad idea). Ended up moving directories using the CLI and boom! Doesn't work anymore, and I have no way to undo the change via terminal. I tried deleting and redownloading from Splunk but it doesn't work. Please tell me someone has an answer or a way to reset the directories for the version I once had; I had so much data and apps to practice with. P.S. Even if there isn't a way to get my old version back, I still would like to know why it's not working when I try to redownload a new instance.
I am setting up a monitor on the log file for my Dolphin Gamecube emulator. Dolphin and Splunk Enterprise are both running locally on my machine (Windows 11). Splunk is ingesting multiple lines per event, and my hope is to get each line to ingest as a separate event. I have tried all kinds of different props.conf configurations including SHOULD_LINEMERGE, LINE_BREAKER, BREAK_ONLY_BEFORE, etc. I'll paste a sample of the log file below. In this example, Splunk is ingesting lines 1 & 2 as an event, and then 3 & 4 as an event. When I turn on more verbose logging, it will lump even more lines into an event, sometimes 10+.

21:23:310 Common\FileUtil.cpp:796 I[COMMON]: CreateSysDirectoryPath: Setting to C:\Users\whjar\mnt\file-system\opt\dolphin\dolphin-2409-x64\Dolphin-x64/Sys/
21:23:323 DolphinQt\Translation.cpp:155 W[COMMON]: Error reading MO file 'C:\Users\whjar\mnt\file-system\opt\dolphin\dolphin-2409-x64\Dolphin-x64/Languages/en_US.mo'
21:24:906 UICommon\AutoUpdate.cpp:212 I[COMMON]: Auto-update JSON response: {"status": "up-to-date"}
21:24:906 UICommon\AutoUpdate.cpp:227 I[COMMON]: Auto-update status: we are up to date.
No, the anchor is the pattern for the place in the text that you want to appear before and/or after the field you want to extract. For example, if your event contains "Event of type X with user id: abc123" and you wanted to extract the user id, your regex might be something like "X.* user id: (?<userid>\w+)". The "user id: " part would be the anchor for the field you are going to extract. You could also argue that the "X" is also an anchor, as it ensures that the pattern will only match if the field being extracted from contains "X".
https://ideas.splunk.com/ideas/PLECID-I-670
Need help passing a token value from a Single Value Panel using the ( | stats count) in conjunction with the ( | rex field=_raw) command to a Stats Table panel. I created a dashboard showing various "winevent" logs for user accounts (created, enabled, disabled, deleted, etc...). The current search I have for my various Single Value panels using the stats command is seen below (for this example, I used the Windows event code 4720 to count "User Account Created" on the network) and extracted the EventCode.

Acct Enable:
index="wineventlog " EventCode=4720 | dedup user | rex field=_raw "(?m)EventCode=(?<eventcode>[\S]*)" | stats count

Output gives me a Single Value Count for Windows event codes that = 4720, ignoring duplicate user records. I am now trying to capture the extracted "eventcode" using a drilldown in a token for each respective count panel. I have set up the token as (Set $token_eventcode$ = $click.value$) in my drilldown editor in my second query table. Using that token, I want to display the respective records in a second query panel to display the record(s) info in a table as seen below:

Acct Enable:
index="wineventlog " EventCode=$token_eventcode$ | table _time, user, src_user, EventCodeDescription

As I am still learning how to use the rex command, I am having problems in this instance with capturing the EventCode from the _raw logs, setting it to the ($token_eventcode$) token in the Single Value Count query and passing that value down through a token to the table while maintaining the stats count value. Any assistance will be greatly appreciated.
Yeah, I've been testing on regex101; there seems to be some delta in how Splunk processes the regex, however. For example, this is what I have so far: https://regex101.com/r/95JbuG/1 but when I add another event to this the regex stops working.
In Regex 1, you seem to have .* backwards (*.) in two instances, where the one near the end is particularly problematic, so if you have:

(%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*.

then it will match strings like %%1936, 0 or more times, so it will match events which don't include %%1936 or the other strings. Try removing the *. near the end. Also I recommend testing the regex on a site like regex101.com to make sure your regex is working before you put it in your Splunk config.
I would be interested if you find a "clean" way to make it work. I've had a scenario like this where the filter blocks would not work with artifact-less containers, yet I needed filters to handle the containers with and without artifacts. My solution was to add a dummy artifact at the start of the playbook and then delete it near the end.
I am trying to route my Windows security logs to another specified index, but it has to meet certain criteria. EventCode has to be 4688 and the Token Elevation Level equals either %%1936, %%1938, TokenElevationTypeDefault, TokenElevationTypeLimited. So far I have written these regular expressions:

1. REGEX = ((?s).*EventCode=4688*.)((?si).*(%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*.)
2. REGEX = EventCode=4688.*TokenElevationType=(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)

When using 1, all EventCode 4688 events come to the specified index when I only wanted 1936 and 1938. I wanted to leave the %%1937 token in its original index. When using 2, no data at all comes to the index, even though it seems to be a much simpler regex. What am I missing to ensure 4688 is properly filtered using transforms and props?
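The two transforms.conf regexes from the routing question above, run against constructed multi-line Windows Security events to show why regex 1 routes every 4688 event (the trailing "*." that the reply points out) and why regex 2 routes none. This is an added example, not code from the thread; the sample event layout and the corrected pattern are my assumptions, so check the field layout of your own _raw before reusing the pattern.

```python
import re

# Constructed sample events (not from the thread): the fields sit on separate
# lines, as multi-line Windows Security events usually do in _raw.
EVENTS = {
    "4688_limited_1936": "EventCode=4688\nEventType=0\nTokenElevationType=%%1936\nNew_Process_Name=C:\\Windows\\System32\\cmd.exe",
    "4688_full_1937":    "EventCode=4688\nEventType=0\nTokenElevationType=%%1937\nNew_Process_Name=C:\\Windows\\System32\\notepad.exe",
    "4688_default_text": "EventCode=4688\nEventType=0\nTokenElevationType=TokenElevationTypeDefault\nNew_Process_Name=C:\\Windows\\explorer.exe",
    "4624_logon":        "EventCode=4624\nLogon_Type=3\nTokenElevationType=%%1936",
}

# Regex 1 from the post. Python requires inline flags at the very start, so the
# (?s)/(?si) are hoisted into re.compile's flags; matching on these samples is
# unchanged. "4688*." means 468 + any number of 8s + one character, and "(...)*."
# makes the alternation optional, so every 4688 event matches whatever its level.
REGEX1 = re.compile(
    r"(.*EventCode=4688*.)(.*(%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*.)",
    re.S | re.I,
)
# Regex 2 from the post. Without (?s), ".*" stops at the newline between
# EventCode and TokenElevationType, so a multi-line event never matches.
REGEX2 = re.compile(
    r"EventCode=4688.*TokenElevationType=(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)"
)
# Corrected form (my suggestion, not from the thread): (?s) lets ".*" cross
# lines, \b stops 4688 from also matching 46880, and the alternation is required.
REGEX3 = re.compile(
    r"(?s)EventCode=4688\b.*TokenElevationType=(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)\b"
)


def routed(pattern, events=EVENTS):
    """Names of the events a transforms.conf REGEX would send to the target index."""
    return sorted(name for name, raw in events.items() if pattern.search(raw))


if __name__ == "__main__":
    for label, pat in (("regex 1", REGEX1), ("regex 2", REGEX2), ("corrected", REGEX3)):
        print(f"{label}: {routed(pat)}")
```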
That looks like a Palo Alto Networks sourcetype. This documentation implies that these sourcetypes were used in a Palo Alto Networks app that is out of date, but has links for upgrading to the new app: https://pan.dev/splunk/docs/tune-or-reduce-firewall-logs/ I would expect that at least one of the Palo Alto Apps would include a dashboard and field extractions for pan:* sourcetypes.
@iamchris as far as I know, there is nothing available yet, but it's on the roadmap (subject to change). Please refer to https://ideas.splunk.com/ideas/EID-I-1913. There is this app that might help: https://splunkbase.splunk.com/app/6859 or https://splunkbase.com/app/4342/#/details Cheers! If you find this helpful, please upvote.
Splunkflix ... just kidding. There is not a successor available for Splunk TV, but many people are asking for it to be brought back or succeeded by a new version. If you add your votes to it on Splunk Ideas, then it is more likely that the Splunk company will work on it. https://ideas.splunk.com/ideas/EID-I-1913
Does the time range picker need to be a time range picker? You could set it up as a dropdown with 2 options: 24h and 1month, then make 2 panels in your dashboard which each depend on a token to be set when the dropdown option is selected. Then set the panels to have searches whose <earliest> time is -24h and -1mon respectively. Only one panel will display at a time.

<form version="1.1" theme="dark">
  <label>2 Time Picker Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>timerange</label>
      <choice value="1">24h</choice>
      <choice value="2">1month</choice>
      <change>
        <eval token="dp1">if($value$="1",true(),null())</eval>
        <eval token="dp2">if($value$="2",true(),null())</eval>
      </change>
      <default>1</default>
      <initialValue>1</initialValue>
    </input>
  </fieldset>
  <row depends="$dp1$">
    <panel>
      <table>
        <search>
          <query>search index=* | head 5</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$dp2$">
    <panel>
      <table>
        <search>
          <query>search index=* | head 10</query>
          <earliest>-1mon</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
@yuanliu can you try clicking inspect on the magnifying glass and see if that might help? If that's the case, it looks like a new bug to me.

<button data-test="open-search-button" type="button" data-disabled="false" data-clickable="true"
You can gently tell the indexers to go offline using "/opt/splunk/bin/splunk offline". They will stop indexing, roll hot buckets to warm and upload them to remote storage; then you can bring them up again and they will rejoin the cluster. Ref: https://docs.splunk.com/Documentation/Splunk/9.3.1/Indexer/Takeapeeroffline
What replaces Splunk TV?
@sainag_splunk Working dashboards and problematic dashboards are both created inside Dashboard Studio in 9.2.2 on the same server. This is why it is so puzzling. Is there a setting to grey out "Open in Search" that I may have accidentally enabled?
Hi @hazem, if you're using the Add-on for WorkspaceOne, you should search the default sourcetype in props.conf; that should be taworkspaceone:log. Ciao. Giuseppe
Are you able to use the ID of the div containing the text input to apply the border style? E.g. my test input has id=input1_11212, so using:

#input1_11212 {
  border: 2px solid #f6685e !important;
}

results in a red border:
Hi @Nawab, what's the local time of the user you're using? You can find it in the menu bar under preferences. Ciao. Giuseppe