All Posts

Again - it's not _where_ it's processed. It's when and how it's processed. Things are processed in search-time on indexers. And no, you cannot use indexed extractions on data where whole events aren't fully well-formed structured data.
many thanks to Ryan McGinn
In Splunk_TA_microsoft_sysmon\default\app.conf or Splunk_TA_microsoft_sysmon\local\app.conf add the following, then deploy the SHC bundle:
[shclustering]
deployer_lookups_push_mode = always_overwrite
Putting it in app.conf seems the best way for the sysmon TA.
the -preserve-lookups true option when we did the SHC bundle push, and the add-on's 3.x version of the lookup had a different field name (record_type) vs. the version in 4.x, which is record_type_id.
We updated the Sysmon add-on from 3.x to 4.0.1 (latest) on a search head cluster. Afterwards, we're getting errors about how the node we're on and the indexers can't load a lookup (Could not load lookup=LOOKUP-record_type).
Disregard, issue resolved
@PickleRick I am looking for options on the indexer to convert the data to a structured format not on the search head
@kamlesh_vaghela I want to get the full event into Splunk. The SEDCMD below will remove the first few lines, and then the remaining event is viewed in JSON format. I want to keep the full event as it is. Is there a way to apply props/transforms in which Splunk identifies both structured (JSON) and unstructured formatted data?
Windows logs are... tricky, whichever way you want to process them. If you want to use a third-party solution that pushes to Splunk, you have tons of problems with parsing. If you want to use Splunk to forward events to a third-party receiver, you get issues like this. Unfortunately, syslog receivers don't play nice with multiline events. What you could try is to change the format of Windows events to XML (which is advised anyway), make a copy of your Windows events with CLONE_SOURCETYPE, remove line ends from the event with a transform applied to that new sourcetype, and route that sourcetype to your syslog output. Might work, might not, just an idea off the top of my head.
You might be able to narrow down which users were on the system at the time (and any searches that might have done it, even if scheduled) by running
index=_audit login attempt | table _time user
You might have a lot of "internal_observability" user hits that you can exclude, but then it should be broken down into actions of success or search; the search ones should show if any user had an outputlookup mess up the lookup file, and the success ones should just be people logging in or opening a new tab. It might not be a smoking gun, but it will narrow down who could have done it.
Hi, I need to do observability on different web applications on Windows workstations. For example, I need to measure the response time or error code of the web app. Is it possible to collect these metrics in Splunk? How? With Splunk APM? Website monitoring? Other question: how do I collect events from the Windows Event Viewer? Thanks
Use an empty alternative:
| rex field=MESSAGE "aaa(?<FIELD1>bbb|)"
| rex field=MESSAGE "ccc(?<FIELD2>ddd|)"
You can use '| append [ | noop ]' as a workaround:
| from federated <>
| append [ | noop ]
| outputlookup <>.csv
Let's say I have the following SPL query. Ignore the regexes, they're not important for the example:
index=abc
| rex field=MESSAGE "aaa(?<FIELD1>bbb)"
| rex field=MESSAGE "ccc(?<FIELD2>ddd)"
| stats count by FIELD1, FIELD2
Right now, the query doesn't return a result unless both fields match, but I still want to return a result if only one field matches. I just want to return an empty string in the field that doesn't match. Is there a way to do this? Thanks!
Careful, the linked documentation page says not to modify that app in any way.
I wrote a custom alert with a bash script that sends the values of an SPL query to TheHive; the script creates a case in TheHive, but with empty fields.
alert_actions.conf:
[alert_to_thehive]
is_custom = 1
disabled = 0
label = Alert to TheHive
description = Custom alert action to send alerts to TheHive
icon_path = alert_icon.png
payload_format = json
ttl = 10
# Command to execute
alert.execute.cmd = alert_to_thehive.sh
# Arguments passed to the script
alert.execute.cmd.arg.1 = $result.Image$
alert.execute.cmd.arg.2 = $result.CommandLine$
(index=hcp_system OR index=hcp_logging) namespace=$env_dd$
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>[^,]+),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>[^,]+),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| eval IID=if("$interface_dd$"!="", "$interface_dd$", IID), STEP=if("$step_dd$"!="", "$step_dd$", STEP), PKEY=if(isnull("$record_id$") OR "$record_id$"="", PKEY, "*" . "$record_id$" . "*"), STATE=if("$state_dd$"!="", "$state_dd$", STATE), MSG0=if(isnull("$message_1$") OR "$message_1$"="", MSG0, "*" . "$message_1$" . "*"), PROPS=if(isnull("$properties$") OR "$properties$"="", PROPS, "*" . "$properties$" . "*")
| search (IID=* OR isnull(IID)) (STEP=* OR isnull(STEP)) (PKEY=* OR isnull(PKEY)) (STATE=* OR isnull(STATE)) (MSG0=* OR isnull(MSG0)) (PROPS=* OR isnull(PROPS))
| table IID STEP PKEY STATE MSG0 PROPS
How can I make the table show the values selected in the dropdowns, and, when a text-field input (PKEY, MSG0 and PROPS in my case) is empty, show what the rex PKEY:\s*(?P<PKEY>[^,]+) extracts? The current behaviour is as follows (DD = dropdown, TF = text field):
Input:
- DD IID: SF
- DD STEP: RECEIVE_FROM_KAFKA
- DD STATE: IN_PROGRESS
- TF PKEY, MSG0 and PROPS are empty
Msg1: "#HLS# IID:SF, STEP:RECEIVE_FROM_KAFKA, PKEY:456, STATE:IN_PROGRESS, MSG0:Success, PROPS:YES #HLE#"
Msg2: "#HLS# IID:SAP, STEP:SEND_TO_KAFKA, PKEY:52345345, STATE:IN_PROGRESS, MSG0:MOO, PROPS:FOO #HLE#"
Extracted table:
STEP | PKEY | STATE | MSG0 | PROPS
RECEIVE_FROM_KAFKA | 52345345 | IN_PROGRESS | MOO | YES
Summary: when the text-field inputs are empty, the result mixes columns from different messages. How can I make it extract all messages with this log pattern and then filter them based on the dropdowns or text fields?
Hi all, I don't know if someone else has found this issue: using version 9.3.0 for the first time, I tried to customize an app menu bar. Then I found that if I try to use this app with my language (it-IT) it doesn't change; if instead I run it with the default English interface (en-US) it runs correctly. Ciao. Giuseppe
Hi, I've created some scheduled Splunk reports with inline tables in the email body. We're sending these reports to a Slack channel via email, but the URLs appear as plain text in Slack, while they are hyperlinked in Gmail. Is there a workaround to ensure the URLs are clickable in Slack? Also, how do I enable hyperlinks for URLs in a report (not a dashboard)? @ITWhisperer @gcusello @PickleRick
I wonder if the app is compatible with Python 3.9 or not, as Splunk Enterprise 9.3 is hardcoded to Python 3.9; it's also not a Splunk-supported app. Are you seeing any Python-related errors coming from this app?