Yes, exactly like this. I was beating around the bushes, but this one works perfectly. Thanks a lot @sainag_splunk  
Hello Yuanliu, Thanks so much for your suggestion. This is getting close. I did have to change the first "span=1s" to something greater than 1m in order to get any results. Most likely because the "Query" total (and other DNS stats) are only logged once every 5 minutes with the totals for the past five minutes. As you mentioned this does not give the connection points in the graph, so I had a thought; what if I use this query to generate a list of sites to use in my original query. Something like this:

index=metrics host=*
| rex field=host "^(?<host>[\w\d-]+)\."
| lookup dns.csv sd_hostname AS host
| search Site IN (*)
| bin _time span=5m
| stats values(Query) as QPS by Site _time
| bin _time span=5m
| stats avg(QPS) as QPS by Site _time
| streamstats window=2 global=false current=true stdev(QPS) as devF by Site
| sort Site, - _time
| streamstats window=2 global=false current=true stdev(QPS) as devB by Site
| where 4*devF > QPS OR devB*4 > QPS
| table Site
| dedup Site
| mvcombine Site delim=","
| nomv Site

This gives a CSV list of sites to search:

Site
austx.1,snavtx.1

I am using Dashboard Studio and I'm trying to figure out how to chain these results as a variable in my original search:

... | search Site IN ($my-csv-list-from-above$) ...

but so far I have not figured that out. Let me know if you have suggestions. Thanks again for your help!
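What the outlier filter in the query above actually tests, worked through as an added Python example (this is not code from the thread; the per-site QPS series are constructed, and it assumes that Splunk's stdev() is the sample standard deviation and that a window holding a single value yields 0):

```python
import math

# Constructed 5-minute QPS buckets per site (not real metrics). austx.1 has a
# step change between the 3rd and 4th bucket; snavtx.1 is flat.
SAMPLE_QPS = {
    "austx.1": [100.0, 102.0, 98.0, 180.0, 181.0],
    "snavtx.1": [50.0, 51.0, 49.0, 50.0, 52.0],
}


def window2_stdev(values):
    """Trailing sample stdev over a window of 2, like
    `streamstats window=2 current=true stdev(QPS)`.
    Assumption: the first bucket's window holds one value and yields 0."""
    out = [0.0]
    for prev, cur in zip(values, values[1:]):
        mean = (prev + cur) / 2
        # sample stdev with n-1 == 1 in the denominator
        out.append(math.sqrt((prev - mean) ** 2 + (cur - mean) ** 2))
    return out


def flag_sites(series, factor=4):
    """Reproduce `where 4*devF > QPS OR devB*4 > QPS`: devF is the stdev over
    the current and previous bucket, devB over the current and next bucket
    (the query obtains devB by re-sorting time descending)."""
    flagged = []
    for site, qps in series.items():
        dev_f = window2_stdev(qps)
        dev_b = window2_stdev(qps[::-1])[::-1]
        if any(factor * df > q or factor * db > q
               for q, df, db in zip(qps, dev_f, dev_b)):
            flagged.append(site)
    return sorted(flagged)


def jump_threshold_ratio(factor=4):
    """For two points the sample stdev is |a-b|/sqrt(2), so `factor*dev > QPS`
    fires when |a-b| exceeds QPS * sqrt(2)/factor: about 35% at factor 4."""
    return math.sqrt(2) / factor


def site_list_csv(series, factor=4):
    """Equivalent of `| mvcombine Site delim="," | nomv Site`."""
    return ",".join(flag_sites(series, factor))


if __name__ == "__main__":
    print(site_list_csv(SAMPLE_QPS))
```

The useful takeaway is the threshold: with window=2 the condition reduces to "consecutive 5-minute buckets differ by more than roughly 35% of the current value", so lowering the factor tightens the test and the 5-minute span sets the minimum duration of a change that can be seen at all.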
Do you mean like this?

(index=Index1 sourcetype=SourceType1) OR (index=Index2 sourcetype=SourceType2)
Hi, I have an index called Index1 which has a sourcetype called SourceType1 and another index called Index2 with a sourcetype called SourceType2. Some data is in the combination Index1 <-> SourceType1 and some data is in the combination Index2 <-> SourceType2. How can I write a query that targets the correct index and sourcetype?
Are you able to go to one of those 500 Error lines, then post 10-20 of the previous lines? If it contains sensitive data then you should sanitize it before posting.
Thanks. That helped me resolving my issue, just a small correction that it would be: target="_blank"
Did you already try this? Please refer: https://github.com/signalfx/splunk-otel-collector-chart/tree/main?tab=readme-ov-file

helm install my-splunk-otel-collector --set="splunkPlatform.endpoint=https://127.0.0.1:8088/services/collector,splunkPlatform.token=xxxxxx,splunkPlatform.metricsIndex=k8s-metrics,splunkPlatform.index=main,clusterName=my-cluster" splunk-otel-collector-chart/splunk-otel-collector
Appreciate the help. This is working in part. For the server path, I am getting the proper output. However, for the drive path, I am getting a result of c:\program files\documents\ or F:\transfers\program\ and not c:\program files\ or F:\transfers\. Trying to make the output see that the drive letter is the root folder. I should have worded it as the root location. Also, I have done some review of rex/regex videos online and am still learning and trying to decipher each part of the regular expression and how they are broken up to capture each part of the file path. Can you explain this a bit or point me to any additional tutorial that can help me understand this more? Much appreciated.
Yes, you can do it in multiple conf files in Splunk, for example:
- server.conf
- web.conf
- outputs.conf

Please refer: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf#TLS.2FSSL_Configuration_details
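Added example (not from the thread) of what pinning the protocol version looks like across those files; it assumes Splunk Enterprise 9.x conf syntax, that the stanzas go under $SPLUNK_HOME/etc/system/local/ (or an app's local/ directory), and the default listener ports. The `sslVersions` setting exists in each of these stanzas; `tls1.2` rejects SSLv2, SSLv3, TLS 1.0 and TLS 1.1 at the handshake, which is what the scanner is testing for.

```ini
# server.conf: management port (8089) and inter-node traffic
[sslConfig]
sslVersions = tls1.2

# web.conf: Splunk Web (8000)
[settings]
enableSplunkWebSSL = true
sslVersions = tls1.2

# inputs.conf: receiving port (9997) and HTTP Event Collector (8088)
[SSL]
sslVersions = tls1.2

[http]
sslVersions = tls1.2

# outputs.conf: forwarders sending to indexers
[tcpout]
sslVersions = tls1.2
```

Two caveats a scanner will catch you on: the setting has to be applied on every listening component (forwarders, deployment server, indexers, search heads), not just the one the finding named, and a restart is needed for it to take effect. Re-scan afterwards, for example with `nmap --script ssl-enum-ciphers -p 8089,8000,8088,9997 <host>`, and expect only TLSv1.2 in the output. Changing the browser does not address the finding, because the server would still accept the old handshakes from any other client.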
Try something like this

| makeresults format=csv data="_time, username, computer, printer, source_dir, status
2024-09-24 15:32 , auser, cmp_auser, print01_main1, \\\\cpn-fs.local\data\program\..., Printed
2024-09-24 13:57 , buser, cmp_buser, print01_offic1, c:\program files\documents\..., Printed
2024-09-24 12:13 , cuser, cmp_cuser, print01_offic2, \\\\cpn-fs.local\data\transfer\..., In queue
2024-09-24 09:26, buser, cmp_buser, print01_offic1, F:\transfers\program\..., Printed
2024-09-24 09:26, buser, cmp_buser, print01_front1, \\\\cpn-fs.local\transfer\program\..., Printed
2024-09-24 07:19, auser, cmp_auser, print01_main1, \\\\cpn-fs.local\data\program\...., In queue"
| rex field=source_dir "(?P<FolderPath>(\\\\\\\\|\w:\\\\)[^\\\\]+\\\\\w+)"

btw, they are not really Linux paths as linux uses forward slashes "/"
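The same extraction as an added Python example (not code from the thread), so the pattern can be checked offline against the thread's sample paths, which are embedded below as constructed data. It captures the root location (UNC server or drive letter) plus exactly one child folder, which is what the follow-up asked for, and it also labels each print as server or local. The rex form in the comment assumes the backslash-doubling the answer above uses.

```python
import re

# Constructed rows modelled on the thread's sample print log (not real data).
SAMPLE_SOURCE_DIRS = [
    r"\\cpn-fs.local\data\program\...",
    r"c:\program files\documents\...",
    r"\\cpn-fs.local\data\transfer\...",
    r"F:\transfers\program\...",
    r"\\cpn-fs.local\transfer\program\...",
    r"\\cpn-fs.local\data\program\....",
]

# Root location is a UNC server (\\host) or a drive letter (c:), followed by
# exactly one child folder and its trailing backslash. Anchored with ^ so a
# path embedded later in the string cannot match.
# Same pattern as a Splunk rex (assumed escaping: backslashes doubled once
# more for the SPL string, as in the answer above):
#   | rex field=source_dir "^(?P<FolderPath>(?:\\\\\\\\[^\\\\]+|[A-Za-z]:)\\\\[^\\\\]+\\\\)"
FOLDER_RE = re.compile(
    r"^(?P<FolderPath>(?:\\\\(?P<server>[^\\]+)|(?P<drive>[A-Za-z]):)\\[^\\]+\\)"
)


def extract_folder(source_dir):
    """Return (FolderPath, origin), or None when the path has no child folder
    (e.g. a file printed straight from the drive root).
    origin is 'server' for UNC paths and 'local' for drive-letter paths."""
    m = FOLDER_RE.match(source_dir)
    if not m:
        return None
    origin = "server" if m.group("server") else "local"
    return m.group("FolderPath"), origin


def summarize(source_dirs):
    """Count prints per (FolderPath, origin), the equivalent of
    `| stats count by FolderPath origin` after the rex."""
    counts = {}
    for path in source_dirs:
        hit = extract_folder(path)
        key = hit if hit else ("<unparsed>", "unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for path in SAMPLE_SOURCE_DIRS:
        print(path, "->", extract_folder(path))
```

Unparsed rows are kept under a `<unparsed>` key rather than dropped, which is the behaviour you want in a report: a path the regex cannot classify should show up as a gap, not disappear.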
Hope these documents help:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Extendjoblifetimes#Change_the_default_lifetime_value_for_scheduled_searches
https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Dispatchdirectoryandsearchartifacts#Search_artifact_lifetime_in_the_dispatch_directory
Hey, thank you very much for this query! I've decided to go with yours out of the 2 responses here as it displays just the one host in the end instead of all of them which will be nicer at a glance.   You made it seem very simple and I appreciate that, I have a lot to learn!
Hey, I certainly agree that ChatGPT isn't the best place to learn, but it comes in handy sometimes. I need to start taking some actual training though.   Your solution did work, so thank you for sharing it with me. I did then go and use GPT to help explain the details to me and I think I understand it all so that's nice. Setting sources to different values and comparing them that way is neat and I'm glad I've seen that now. 
I know that for configuring all the audit events related to GitHub Enterprise and GitHub Organization from GitHub Cloud via the modinput with Account Type = Organization, the Personal Access Token also needs the granted access "admin:org".
I have a cyber security finding that states "The splunk service accepts connections encrypted using SSL 2.0 and/or SSL 3.0".  Of course SSL 2.0 and 3.0 are not secure protocols.  How do I disable SSL 2.0/3.0?  Can I just disable it in the browser or do I need to change a setting within splunk?
Need some assistance with creating a query where I am trying to capture the parent folder and the 1st child folder respectively from a print output log that has both windows and linux folder paths. Sample data and folder paths I am trying to get in a capture group is in bold.

_time, username, computer, printer, source_dir, status
2024-09-24 15:32, auser, cmp_auser, print01_main1, \\cpn-fs.local\data\program\..., Printed
2024-09-24 13:57, buser, cmp_buser, print01_offic1, c:\program files\documents\..., Printed
2024-09-24 12:13, cuser, cmp_cuser, print01_offic2, \\cpn-fs.local\data\transfer\..., In queue
2024-09-24 09:26, buser, cmp_buser, print01_offic1, F:\transfers\program\..., Printed
2024-09-24 09:26, buser, cmp_buser, print01_front1, \\cpn-fs.local\transfer\program\..., Printed
2024-09-24 07:19, auser, cmp_auser, print01_main1, \\cpn-fs.local\data\program\...., In queue

I am currently using a Splunk query where I call these folders in my initial search, but I want to control this using a rex command so I can add an eval command to see if they were printed locally or from a server folder. Current query is:

index=printLog source_dir IN ("\\\\cpn-fs.local\data\*", "\\\\cpn-fs.local\transfer\*", "c:\\program files\\*", " F:\\transfer\\*") status== "Printed"
| table status, _time, username, computer, printer, source_dir

I tried using the following rex but didn't get any return:

| rex field=source_dir "(?i)<FolderPath>(?i[A-Z][a-z]\:|\\\\{1})[^\\\\]+)\\\\[^\\\\]+\\\\)"

In my second effort, through Splunk I generated these two regex using the field extractor respectively. I know I need to pipe them to add the "OR" operator when comparing the windows and Linux paths but I get an error when trying to combine them.

Regex generated from windows (c:\program files):
^[^ \n]* \w+,,,(?P<FolderPath>\w+:\\\w+)

Regex generated from linux (\\cpn-fs.local\data):
^[^ \n]* \w+,,,(?P<FolderPath>\\\\\w+\-\w+\d+\.\w+\.\w+\\\w+)

To start, I am looking for an output which should look like what is seen below, replacing "source_dir" with the "FolderPath" the rex creates:

_time, username, computer, printer, FolderPath, file, status
2024-09-24 15:32, auser, cmp_auser, print01_main1, \\cpn-fs.local\data\, Printed
2024-09-24 13:57, buser, cmp_buser, print01_offic1, c:\program files\, Printed

Thanks for any help given.
I believe you are hitting the limit of extraction_cutoff for spath, maybe. If this is not working, try to set up KV_MODE=JSON on the search head as an alternative for that particular source or sourcetype if you don't have a lot of data coming in.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf

extraction_cutoff = <integer>
* For 'extract-all' spath extraction mode, this setting applies extraction only to the first <integer> number of bytes. This setting applies both the auto kv extraction and the spath command, when explicitly extracting fields.
* Default: 5000
@PickleRick, thanks for responding.
1. I just posted a sample for each of the indexes as a reply to Tred_splunk's question. Can you please check and see if that makes it clear? https://community.splunk.com/t5/Splunk-Search/How-to-join-search-results-from-two-indexes-based-on-multiple/m-p/700245/highlight/true#M237645
2. stats based search is good and I will consider your suggestion of adding only the necessary fields. However, this query is incomplete (in the sense that I am able to correlate only 1 event from index_2 to index_1 but not the other event).
3. The initial thought of renaming was to provide the distinction between two events from the same index (index_2) by identifying them as "current" and "previous".
I hope I was able to clarify. Thanks
Sample from index_1
{ "index1Id": "Id_1", "currEventId": "EventId_1", "prevEventId": "EventId_2" }

EventId_1 from index_2
{ "eventId": "EventId_1", "eventOrigin": "EventOrigin_1" }

EventId_2 from index_2
{ "eventId": "EventId_2", "eventOrigin": "EventOrigin_2" }

The final result I am looking for, after the search:

index1Id | prevEventId | prevEventOrigin | currEventId | currEventOrigin
Id_1 | EventId_2 | EventOrigin_2 | EventId_1 | EventOrigin_1

Thanks @tread_splunk
Sure np, I have untagged you and wont tag going forward