All Posts

Try something like this:

    index=firewall [ search index=vpn computer_name=Desktop_1 | table assigned_ip login_time logout_time | rename login_time as earliest | rename logout_time as latest ] | stats count by destination_ip
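As an added example (not the answerer's or the poster's own search), the same subsearch approach carried through with the field names from the question: the firewall events hold the address in source_ip, so the subsearch renames assigned_ip to that name, and the earliest/latest fields it returns become per-row time bounds.

```spl
index=firewall
    [ search index=vpn computer_name=Desktop_1
      | table assigned_ip login_time logout_time
      | rename assigned_ip AS source_ip, login_time AS earliest, logout_time AS latest ]
| stats count BY destination_ip
```

Each subsearch row expands to a clause of the form ( source_ip="..." earliest="..." latest="..." ), joined with OR, so every VPN session is searched only inside its own login/logout window. The expanded search is visible in the Job Inspector, which is the place to look if the count still seems to cover a single row.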
Hello! Wanted to ask if anyone has experience with receiving SNMPv2 trap alerts in Splunk 8.2.5 (Win 2019)?

Background: we have an environment monitor device that sends high/low temperature alerts to the local SNMP Trap svc, from there picked up by a generic WMI SNMP provider, from which Splunk pulls the data.

"wmi.conf":

    [WMI:SNMP]
    namespace = \\.\root\snmp\localhost
    interval = 10
    wql = SELECT * FROM SnmpNotification
    disabled = 0
    index = snmpindex
    current_only = 1

Problem we're running into is that when the data is ingested, Splunk has an issue translating the "VarBindList" object it gets from WMI, containing the SNMP variable binding ("varbind") info that describes the SNMP trap alert from the device (ticks, OID, text msg of what alert was tripped).

Sample Splunk search result from "snmpindex" (see VarBindList=<unknown variant result type 8205> below):

    20241007120551.314854 AgentAddress=10.2.13.19 AgentTransportAddress=10.2.13.19 AgentTransportProtocol=IP Community=alispub Identification=1.3.6.1.4.1.20916.1.13.2.1 SECURITY_DESCRIPTOR=NULL TIME_CREATED=133727763449700336 TimeStamp=1894 VarBindList=<unknown variant result type 8205> wmi_type=SNMP host=MS source=WMI:SNMP sourcetype=WMI:SNMP

Been trying various Splunk configs/transforms, XML, etc. but all are basically contingent on getting good data into "_raw", and the "_raw" col just has that msg. Our RoomAlert3S device we need to upgrade to only sends SNMPv2 or v3. Everything seems to work fine when the trap is v1 (from past behavior/our test util).
I'm still learning Splunk and would like to learn how to combine some searches.

Goal: Use the VPN search results to perform firewall searches according to how many VPN records are found.

Example:

1. Search the vpn index to get a table of assigned_ip and the login/logout time:

    index=vpn computer_name=Desktop_1 | table assigned_ip login_time logout_time

    assigned_ip     login_time  logout_time
    10.255.111.112  1728409500  1728459000
    10.255.119.199  1728392083  1728401383

2. Use the result above to do a firewall search (I'd like to use results from step 1 instead of the hardcoded values. I also want to append separate rows found in step 1 to find firewall records during different ip assignments):

    index=firewall source_ip=10.255.111.112 earliest=1728409500 latest=1728459000 | append [ search index=firewall source_ip=10.255.119.199 earliest=1728392083 latest=1728401383 ] | stats count by destination_ip

The closest I got so far is using separate subsearch returns, which takes longer to run and doesn't seem to return more than 1 value:

    index=firewall source_ip=[ search index=vpn computer_name=Desktop_1 | return $assigned_ip ] latest=[ search index=vpn computer_name=Desktop_1 | return $logout_time ] earliest=[ search index=vpn computer_name=Desktop_1 | return $login_time ] | stats count by destination_ip

Is there a way to do this? I also tried to use tojson(), but it returns 1 table row into its own json object that I can't use together for the firewall search. Thank you so much in advance.
I tried to run the Indexing Performance: Instance dashboard but was not getting any data. On exploring the search I found out index=_internal is not doing the field extractions for this data in the log:

    group=per_host_thruput, ingest_pipe=1, series="splunkserver.local", kbps=8.451, eps=32.903, kb=261.974, ev=1020, avg_age=2.716, max_age=3

If I manually extract the fields using rex I can view it in the search, but the dashboard still doesn't show the results. Is there a way to extract these fields for the internal index? Thanks!
Just want to say I love your extension and use it everywhere I can.
We have some events coming in to Splunk that show as follows:

    time="09/10/2024 11:41:15" URL="[Redacted String]" Name="[Redacted String]" Issuer="[Redacted String]" Issued="27/10/2023 13:27:22" Expires="26/10/2025 12:27:22"

Splunk is using ingest time instead of the time field. In props.conf for this sourcetype I have the following:

    SHOULD_LINEMERGE = false
    LINE_BREAKER = ([\r\n]+)
    TIME_PREFIX = time=
    TIME_FORMAT = "%d/%m/%Y %H:%M:%S"
    CHARSET = UTF-8
    KV_MODE = none
    DISABLED = false

However the time isn't being extracted properly. What do I need to change / add? Thanks.
Sorry, my notebook ran out of battery. To test the dashboard you only have to enter the ip (range) with either prefix = or != to blacklist or whitelist the ip (range). The entered value in the text box will be passed to the multiselect field. For the multiselect input you only have to change the prefix from "clientip" to the desired field that you want to filter. The search in the search panel can be replaced by your search. That should be enough to verify if it is a proper solution for your problem.
Don't use wildcards or at least not for the -1 -2 -3 part - currently in your screenshot all the names are fixed
Thanks for responding, but the solution given there is a different use case. The query and tokens mentioned in the XML code are very confusing to understand.
I tried creating a default app.conf file with the stanza:

    [install]
    state = disabled

but it didn't disable the app. Then I removed the app from etc/apps altogether, but it came back. We run splunk as user "splunk", so then I removed the app and created a directory etc/apps/learned owned by root with permissions 500 (r-x------) so splunk couldn't recreate it. That worked.
Hi @ITWhisperer

As CurrentWeek* is calculated dynamically, how can I put that field in the table command? If I use the below table command, it shows me the result in the same order. How can I reverse the order of the CurrentWeek columns?

    | table A B C DAY_OF_WEEK Start_Time CurrentWeek* Deviation
Hi. Thank you for your effort, I hope you find something. Kind regards
Hello Team, we have a use case where we want to integrate CloudWatch metrics into AppDynamics. What would be the best suggested way to proceed here? Regards, Gaurav
Based on this solution ("Solved: How do I add a textbox value to a multiselect inpu... - Splunk Community"), please try the following XML:

    <form version="1.1">
      <label>IP List dynamically added to multiselect based on textbox input</label>
      <fieldset submitButton="false" autoRun="true">
        <input type="text" token="tkn_ip">
          <label>Enter a IP (range)</label>
        </input>
        <input type="multiselect" token="iplist">
          <label>IP List</label>
          <valuePrefix>clientip</valuePrefix>
          <delimiter> OR </delimiter>
          <fieldForLabel>field3</fieldForLabel>
          <fieldForValue>field3</fieldForValue>
          <search>
            <query>| makeresults | eval previplist="$form.iplist$" | eval newiplist="$tkn_ip$" | makemv delim="," previplist | makemv delim=" " newiplist | eval field3=mvappend(previplist,newiplist) | eval valcount= mvcount(field3) | eval field3=if(valcount&gt;1,mvfilter(NOT match(field3,"all")),field3)</query>
            <done>
              <condition match="$job.resultCount$&gt;0">
                <eval token="form.iplist">case(isnotnull($result.field3$),$result.field3$)</eval>
              </condition>
            </done>
            <finalized>
              <condition match="$job.resultCount$&gt;0">
                <unset token="tkn_ip"></unset>
              </condition>
            </finalized>
          </search>
          <choice value="=*">All</choice>
          <change>
            <eval token="form.iplist">if(mvcount('form.iplist')=0,"=*",if(mvcount('form.iplist')!=1,mvfilter('form.iplist'!="=*"),'form.iplist'))</eval>
            <unset token="form.tkn_ip"></unset>
          </change>
          <default>=*</default>
          <initialValue>=*</initialValue>
        </input>
      </fieldset>
      <row>
        <panel>
          <event>
            <search>
              <query>index=_internal $iplist$</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="list.drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </event>
        </panel>
      </row>
    </form>
You could try changing the order of the text field and the check boxes. Alternatively, you might be able to apply some CSS to modify the width of the check box panel (although this might get a bit messy as Splunk Classic Dashboards have a habit of modifying the width of panels to optimise screen real-estate).
Thanks, I tried that and it works. However, it ends up looking like this because, as we are using 2 separate input types, there is a huge gap between the radio input and the text box where the user enters the IP. The classic dashboard doesn't let me shrink the size of these boxes. Is there any way to merge / bring them closer under one Title / Header - "Destination IP"?

Below is my code:

    <form version="1.1" theme="light">
      <label>test</label>
      <fieldset submitButton="false"></fieldset>
      <row>
        <panel>
          <title>Destination IP</title>
          <input type="radio" token="condition" searchWhenChanged="true">
            <label></label>
            <choice value="=">EQUAL</choice>
            <choice value="!=">NOT EQUAL</choice>
            <search>
              <query/>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <default>=</default>
            <initialValue>=</initialValue>
          </input>
          <input type="text" token="dest_ip" searchWhenChanged="true">
            <label>dest_ip</label>
            <default></default>
          </input>
          <table>
            <title>dest_ip_graph</title>
            <search>
              <query>index=aws_vpc_flow_logs aws_account_id="*60036" dest_ip$condition$$dest_ip$ | stats count(vpcflow_action) as flowCount sum(packets) as pktCount sum(bytes) as sumBytes by aws_account_id instance_id src_ip src_port dest_ip dest_port action flow_direction interface_id vpc_id | eval pkt(million)=round((pktCount)/10000) | eval bytes(GB)=round((sumBytes)/1024/1024/1024) | iplocation src_ip | table aws_account_id instance_id src_ip src_port dest_ip dest_port action flow_direction interface_id vpc_id City Country flowCount pkt(million) bytes(GB) | sort - bytes(GB)</query>
              <earliest>-15m@m</earliest>
              <latest>now</latest>
            </search>
          </table>
        </panel>
      </row>
    </form>
After a rolling restart of peer nodes, one index is not fully searchable. It seems the fixup status is pending; it looks like the buckets are not properly synced. Need help to sort it out.
Keep your original text boxes so that the user can enter the ip address (range) but also have either a checkbox for the equal/not equal decision or a pair of radio buttons and use the token from this choice to modify your search.
Another possibility is to use the sed mode of the rex command to replace the id part with a fixed value. This would rely on the id being formatted in an identifiable pattern. You may need to work with your application designers to ensure that all ids follow a particular pattern or patterns otherwise you may end up having more rex commands to replace different formats of ids.
Hi, new to Splunk On-Call. I have set up a new Team with 3 members, and I've created a rotation and shift with all three as members. I'm stuck with the best way to set up the Escalation Policy. I want it to call the initial person on call and then contact the other two in turn if they don't respond, e.g.:

    Contact Member 1
    Wait 10 mins
    Contact Member 2
    Wait 10 mins
    Contact Member 3

The way I have it at the moment is having three steps in the Escalation Policy:

    Step 1 - Immediate - Notify the On-Duty user(s) in rotation
    Step 2 - Wait 10 mins - Notify the next user(s) in the current on-duty shift
    Step 3 - Wait 20 mins - Notify the next user(s) in the current on-duty shift

Is this the best way to do it? The text "Notify the On-Duty user(s) in rotation" has confused me, as it suggests that it should call multiple members in a rotation, but I can't find anything that describes how it calls more than the initial on-call person.