Hmm, after further investigation it appears that it might not have anything to do with the throughput settings on either server. Digging into the logs, this problem always begins when the Heavy Forwarder patches. At this point the Windows server stops being able to send logs and never recovers, even when the HF is available again. I wonder if this is related to v9.3.0 of the agent, because we didn't see any issues before this was upgraded.
can you check your direct messages
Hello @MatthewWolf, if you need the number of events for a particular category, you can use the following search:
index=<<index_name>> sourcetype="fraud_detection.csv" | stats count by category | sort - count
This will give you output of all the categories present with their event count in decreasing order (i.e. highest count first).
Thanks, Tejas.
--- If the above solution helps, an upvote is appreciated!
Hello @Viral_G, you can have a token value set based on the selected field/column on the table. You can then have another panel created to display the selected token and have a drilldown set on the new panel.
Thanks, Tejas.
--- If the above solution helps, an upvote is appreciated!
Thank you @rohit1793, this spreadsheet is very helpful!
Event without issue (btoolTag = btool_validate_strptime):
[
  {
    "bad_strptime": "%d.%m.%Y %H:%M:%S,%3",
    "conf_file": "props.conf",
    "stanza": "lb:logs",
    "attribute": "TIME_FORMAT",
    "btoolTag": "btool_validate_strptime",
    "timestamp": "2024-08-29T06:00:04",
    "host": "blabla_hostname"
  },
  {
    "bad_strptime": "%y-%m-%d %H:%M:%S%",
    "conf_file": "props.conf",
    "stanza": "iislogs",
    "attribute": "TIME_FORMAT",
    "btoolTag": "btool_validate_strptime",
    "timestamp": "2024-08-29T06:00:04",
    "host": "blabla_hostname"
  }
]
Affected event (btoolTag = btool_validate_regex):
[
  {
    "bad_regex": "(?i)id_618_(?<eventfield_1>\\\\w*).*i_Media=MEDIA_(?<eventfield_2>\\\\w*).*i_Dnbits=(?<eventfield_3\\\\w*).*cs_PERString=(?<eventfield_4>\\\\w*)",
    "conf_file": "props.conf",
    "stanza": "fansfms:aaio",
    "attribute": "EXTRACT-AoIP_message1",
    "reason": "syntax error in subpattern name (missing terminator?)",
    "btoolTag": "btool_validate_regex",
    "timestamp": "2024-08-29T09:47:46",
    "host": "blabla_hostname"
  },
  {
    "bad_regex": "([\\i\\\\fr\\n]+---splunk-admon-end-of-event---\\r\\n[\\r\\n]*)",
    "conf_file": "props.conf",
    "stanza": "source::(....(config|conf|cfg|inii|cfg|emacs|ini|license|lng|plist|presets|properties|props|vim|wsdl))",
    "attribute": "LINE_BREAKER",
    "reason": "unrecognized character follows \\",
    "btoolTag": "btool_validate_regex",
    "timestamp": "2024-08-29T09:47:46",
    "host": "blabla_hostname"
  }
]
Please provide the config that you've implemented on HF for the described setup.
Please check out following blog post for Dashboard studio: Dashboard Studio: How to Configure Show/Hide and Token Eval in Dashboard Studio | Splunk
Please provide the affected event and an event that is parsed correctly.
Hi @jagan_vannala, use parentheses: NOT (sessionId=X groupID=Y) and the AND boolean operator isn't required. If you have these doubts, I suggest you follow the Splunk Search Tutorial, which explains how to create your searches: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial Ciao. Giuseppe
If I want to exclude multiple fields using a NOT condition, how can I use the NOT query? NOT sessionId=X AND groupID=Y Does this work? Please suggest.
Please execute your original search without testmode=true and after the execution please click on Job --> Inspect Job. Check if you see any error message in the popup.
Hi @jagan_vannala, sorry, but it still isn't clear: to exclude particular sessionIds, choose the ones to exclude and put them in a condition | search NOT sessionId IN (cond1, cond2, cond3) Ciao. Giuseppe
Hi, I would like to exclude particular sessions under multiple session IDs.
Hello Splunkers, I have 7 files in JSON format (the JSON format is the same for each file), so I applied one parsing configuration for all of them.
On UF:
[source::/opt/splunk/etc/apps/app_name/result/*.json]
INDEXED_EXTRACTIONS=json
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)
On IDX:
[sourcetype_name]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
TIME_PREFIX=\"timestamp\"\:\s\"
MAX_TIMESTAMP_LOOKAHEAD=19
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TRUNCATE=999999
On Search Head:
[sourcetype_name]
KV_MODE=none
Parsing works for all files except one. Here is an excerpt, with the timestamp having a none value. Can you help me on this?
If you only want to see events that do not contain the field sessionId, you must search as follows: host="*" NOT sessionId
Hi @jagan_vannala, maybe it's a mistyping, but in the solution with NOT you don't need to add !, in other words: host="*" NOT sessionId=X Anyway, your two searches have different results because with sessionId!=X you take all the logs where the field sessionId is present and doesn't have the value "X", instead with NOT sessionId=X you have all the events except the ones with sessionId=X, even if the sessionId field isn't present. Ciao. Giuseppe
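An added example, not code from any of the posts above, modelling the search semantics discussed in the replies about sessionId!=X, NOT sessionId=X, NOT sessionId and NOT sessionId IN (...): events are constructed dicts with single-valued fields, so the absent-field case that separates the two exclusion forms is visible directly.

```python
# Added example: a small model of how Splunk treats "field!=value",
# "NOT field=value", "NOT field IN (...)" and "NOT field" when the field
# is missing from an event. Fields are single-valued here (a simplification;
# real Splunk fields can be multivalued).
from typing import Dict, List, Sequence

Event = Dict[str, str]

# Constructed sample events: one with sessionId=X, one with another value,
# and one where the sessionId field is absent entirely.
SAMPLE_EVENTS: List[Event] = [
    {"host": "web01", "sessionId": "X"},
    {"host": "web02", "sessionId": "Y"},
    {"host": "web03"},  # no sessionId field at all
]


def not_equal(events: List[Event], field: str, value: str) -> List[Event]:
    """field!=value: only events that HAVE the field with a different value."""
    return [e for e in events if field in e and e[field] != value]


def not_clause(events: List[Event], field: str, value: str) -> List[Event]:
    """NOT field=value: every event except those where field equals value,
    so events lacking the field are kept."""
    return [e for e in events if not (e.get(field) == value)]


def not_in(events: List[Event], field: str, values: Sequence[str]) -> List[Event]:
    """NOT field IN (v1, v2, ...): drop the listed values, keep absent-field events."""
    excluded = set(values)
    return [e for e in events if e.get(field) not in excluded]


def field_absent(events: List[Event], field: str) -> List[Event]:
    """NOT field: events that do not contain the field at all."""
    return [e for e in events if field not in e]


def hosts(events: List[Event]) -> List[str]:
    """Helper to compare results by host name."""
    return [e["host"] for e in events]
```

Running not_equal and not_clause over SAMPLE_EVENTS shows the difference: sessionId!=X drops web03 (no field), while NOT sessionId=X keeps it.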
Hi Team, when I am trying to exclude one field by inserting the condition sessionId!=X it's not working. Even though I used the "NOT" condition, the field which I am trying to exclude is still showing in the results. Could you please help with how I can exclude a particular field? host="*" sessionId!=X host="*" NOT sessionId!=X
Hi @user487596, Splunk is a search engine, so you can use it for this: you must know the rules (e.g. searching for the word "password") and then apply them to the indexes. At first I'd start by identifying the login and create-user actions for each environment in your infrastructure (e.g. in Windows these actions are identified with EventCode = 4624 and 4720), then you can run searches with those specific filters to see if there are clear-text passwords. Ciao. Giuseppe
Hi @gcusello, I need to find secrets (passwords, API tokens, etc.) in all data (events) in all indexes that are in Splunk. The question is about the approach: how to do this without overloading Splunk.