How do I list multiple sources in a query: sourcetype=xml source="/wealthsuite/tti/current/*"?
status=Auto, Manual car= BMW, Honda, Audi index * | stats count(status) as Total by car Is there any way I can get the results as shown in the attached picture?
Hello fellow Splunkers, I've recently run into a bit of an issue while working on an automation process. For context, I have already reviewed the following without success: Solved: Re: Generate PDF from View in REST API - Splunk Community, and Can I Export PDF Via Rest? - Splunk Community. In short, when I do not ship the modified XML in my GET request I get the following response:

PDF endpoint must be called with one of the following args: 'input-dashboard=<dashboard-id>' or 'input-report=<report-id>' or 'input-dashboard-xml=<dashboard-xml>'

which is more or less expected. However, when I do send the modified XML in my GET request, this is what comes back:

I know the endpoint is functioning, as I'm able to manually export the dashboard results using the web interface without issue. However, the manual process ties up half my day and is not scalable moving forward. Any advice from those who have been able to solve this would be greatly appreciated. Thanks in advance.
Upgraded to Splunk 9.0.1 from Splunk 8.2.1. MS-Windows AD Objects received the dashboard error, so I upgraded to MS-Windows AD Objects 4.1.1, which claims to be compatible with 9.0. But even after upgrading, the same error persists. Does MS-Windows AD Objects use jQuery 3.5, does 9.0.1 not work with it, or am I spinning my wheels trying to make this thing work? I have the same issue with other apps but figured I would start here. Looked through the boards and found stuff on jQuery 3.5 but nothing specific to AD Objects 4.1.1. It seems like most things work with the app; it just always throws the error? Also tried the "clone the dashboard in the new studio" option, no joy there. Any help is appreciated.
I want to use the map command to add the total event times for each day during the time interval from 6am-6pm. For each day, the "earliest" token in my map command = start of each day + 6 hours (Start1), and the "latest" token in my map command = start of each day + 18 hours (End1). Using the tokens, I use the map command to search over my set Splunk search timeframe. In my map command:

1. For each day, I subtract each event's Endtime from its starttime = Diff
2. To get the total event time for each day, I sum the time differences (sum(diff)) to get the "total_time_of_events"
3. Next I take the info_max_time - info_min_time for each search (for each earliest and latest token search) to get the time value for each 12 hour day.
4. Finally I divide the total_event_time by the (search_time_span*100) for each search to get the total time percentage of events being pulled into Splunk by day.

YET it is not working!! My search returns "No results found". May I please have help? What am I doing wrong?

CODE:
|table BLANK hour date_mday date_month date_year
|bin span=1d _time
|eval Month=case(date_month="august","8")
|eval Start=Month+"/"+date_mday+"/"+date_year
|eval start=strptime(Start,"%m/%d/%y")
|eval Start1=start+21600
|eval End1=start+64800
|map search="search (index...) earliest=$Start1$ latest=$End1$ |bin span=1d _time |dedup _time |eval timeend=strptime(DateEnd,\"%m/%d%Y %I:%M:%S %p\") |eval timestart=strptime(DateStart,\"%m/%d/%Y %I:%M:%S %p\") |eval diff=round(timeend-timestart) |stats sum(diff) as total_time_of_events by BLANK |addinfo |eval IntTime=info_max_time-info_min_time |eval prcntUsed=round((total_time_of_events/(IntTime))*100) |rename prcntUsed as Percent_of_event_time"
Please let me know if anyone has experience bringing Guardicore data in other than using a Heavy Forwarder. Thank you!  
Hello, data in CyberArk comes through the Syslog server, and the CyberArk TA needs to be installed on the search head (or search head cluster) according to the Splunk web site (https://docs.splunk.com/Documentation/AddOns/released/CyberArk/Installation). I installed this TA directly on the Syslog server, but it is not working as expected. How would I configure Syslog, the SHC, and CyberArk? Any help would be highly appreciated. Thank you!
I was searching for a simple way to convert all types of MAC address to a "more" standard format. Found various solutions, but not a single line that I did like, so I made one. This will convert any MAC format to XX:XX:XX:XX:XX:XX. (Output can be modified to the format of your choice.)

| rex mode=sed field=mac "s/[^0-9a-fA-F]//g s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/g y/abcdef/ABCDEF/"

s/[^0-9a-fA-F]//g - remove all that are not 0-9, a-z and A-Z (all symbols are gone)
s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/g - set the output format to xx:xx:xx:xx:xx:xx
y/abcdef/ABCDEF/ - change to upper case
I have 2 roles, A and B; they both inherit only from the "user" role. If they create a dashboard in Search, they cannot edit the permissions to share the dashboard to "App" so the other role or users in the same role can see their dashboard. By default it is built and remains "private". If I add all capabilities under the "power" role (that aren't in "user") to roles A and B, they still cannot edit permissions on their own dashboard to share to the "app" context so the dashboard can be shared in the Search app. If I add "power" to the inheritance of roles A and B, then they can edit the permissions. What am I missing?
How do I get a count of Low, Medium, High, Critical in a Splunk search? This is the current search I am using:

`get_tenable_index` sourcetype="tenable:sc:vuln" severity=Low OR severity=Medium OR severity=High OR severity=Critical
| dedup plugin_id, port, protocol, sc_uniqueness, source
| eval key=plugin_id."_".port."_".protocol."_".sc_uniqueness."_".source
| table severity, synopsis, solution, port, protocol, ip
| outputlookup append=true key_field=key sc_vuln_data_lookup
Using the below query to get the daily average users during business hours:

index=pan_logs sourcetype=json_no_timestamp metricname="field total user"
| bin _time span=3h
| stats latest(metricvalue) AS temp_count by metricname _time
| stats sum(temp_count) as "Users" by _time
| eval Date=strftime(_time,"%m/%d/%y")
| eval bustime=_time, bustime=strftime(bustime, "%H")
| eval day_of_week=strftime(_time,"%A")
| where (bustime > 8 and bustime < 18) AND NOT (day_of_week="Saturday" OR day_of_week="Sunday")
| eventstats avg(Users) as DailyAvgUsers by Date
| eval DailyAvgUsers=round(DailyAvgUsers)
| table Date day_of_week DailyAvgUsers

But the query gives 3 counts per day, while I want only 1 for a day. When I change the span to 6h it gives me one count, but since I am counting only between 8AM and 6PM, it gives me no count when I run the search at 12PM Monday with a 6h span. How can I get one average count per day with time span = 3h?
Hi Experts, I want to show the Column 1 timestamp selected as default in Date/Time Range From. Not sure what I am doing wrong, but when I select a different date it's updating.

<fieldset submitButton="false" autoRun="false">
  <input type="time" token="field2" searchWhenChanged="true">
    <label>Column 1</label>
    <default>
      <earliest>1661144400</earliest>
      <latest>1661230800</latest>
    </default>
    <change>
      <eval token="timeRangeEarliestearliest">if(isnum($field2.earliest$), $field2.earliest$, relative_time(now(), $field2.earliest$))</eval>
      <eval token="timeRangeLatestearliest">if(isnum($field2.latest$), $field2.latest$, relative_time(now(), $field2.latest$))</eval>
      <eval token="prettyPrinttimeRangeFromTimeearliest">strftime($timeRangeEarliestearliest$, "%a, %e %b %Y")</eval>
      <eval token="prettyPrinttimeRangeToTimeearliest">strftime($timeRangeLatestearliest$, "%a, %e %b %Y")</eval>
    </change>
  </input>
  <input type="time" token="field1" searchWhenChanged="true">
    <label>Column 2</label>
    <default>
      <earliest>@d</earliest>
      <latest>now</latest>
    </default>
    <change>
      <eval token="timeRangeEarliestlatest">if(isnum($field1.earliest$), $field1.earliest$, relative_time(now(), $field1.earliest$))</eval>
      <eval token="timeRangeLatestlatest">if(isnum($field1.latest$), $field1.latest$, relative_time(now(), $field1.latest$))</eval>
      <eval token="prettyPrinttimeRangeFromTimelatest">strftime($timeRangeEarliestlatest$, "%a, %e %b %Y")</eval>
      <eval token="prettyPrinttimeRangeToTimelatest">strftime($timeRangeLatestlatest$, "%a, %e %b %Y")</eval>
    </change>
  </input>
</fieldset>
<row>
  <panel>
    <html>
      <h3>Date/Time Range From</h3>
      <table>
        <tr> <td>From:</td> <td>$prettyPrinttimeRangeFromTimeearliest$</td> </tr>
        <tr> <td>To:</td> <td>$prettyPrinttimeRangeToTimeearliest$</td> </tr>
      </table>
    </html>
  </panel>
</row>
<row>
  <panel>
    <html>
      <h3>Date/Time Range</h3>
      <table>
        <tr> <td>From:</td> <td>$prettyPrinttimeRangeFromTimelatest$</td> </tr>
        <tr> <td>To:</td> <td>$prettyPrinttimeRangeToTimelatest$</td> </tr>
      </table>
    </html>
  </panel>
</row>
Hello guys. I inherited a Splunk environment and I'm kind of new to this, so I'm studying quite a lot. In my scenario I have something like 100 Windows UFs sending info to 1 Heavy Forwarder, which sends to 3 indexers and completes the process. Now I want to filter this info, and I'm wondering if I can make a blacklist in the HF to filter these logs; if I can, which is the best way?
- In the local folder, create an inputs.conf and change it from there? I've tried this one and I think it worked; the problem is the logs went to the main index and I couldn't figure out how to change it.
- Create some filter in the indexers?
Thanks for the help so far.
How can I just get the alert message in mail showing only the failed job, for example "Job=[ADM-FILENET-DLY]]", instead of the complete log? Note: the job names are dynamic.

My current alert query:

index=* host=*MYhost* "*IN-RCMCO-DLY*" OR "*ADJ-RECERT-DLY*" OR "*AD*-*Y*" FAILED job_status2=FAILED OR status=FAILED OR status1=FAILED OR ExitCode=FAILED
| rex field=_raw ".*status:\s\[(?P<status1>\S+)\]"
| rex field=_raw "JOB\s(?P<job_status2>\w+)"
| rex field=_raw "(exitCode=)(?<ExitCode>\w+)"
| eval _raw=substr(_raw, 1, 1500)
| table _time job_status2 status1 status ExitCode _raw

Log:
22-08-28 18:01:31,323 INFO [main] c.l.b.listener.JobCompletionListener: :::::::::::::::BATCH JOB FAILED:::::::::::JobExecution: id=21099, version=1, startTime=Sun Aug 28 18:01:29 CDT 2022, endTime=Sun Aug 28 18:01:31 CDT 2022, lastUpdated=Sun Aug 28 18:01:29 CDT 2022, status=FAILED, exitStatus=exitCode=FAILED;exitDescription=com.ltss.fw.exception.ApplicationException: Error occured while processing appDocument: In catch block, exception stackTrace,job=[JobInstance: id=21099, version=0, Job=[ADM-FILENET-DLY]], jobParameters=[{chunkSize=null, skipLimit=null, commitInterval=null, time=1661727689449, asOfDate=1661662800000}]
How can I rename the value of the policy name from = to "contains"? Instead of saying

index=tenable* sourcetype="*" policyName="*" | eval policyName=if(policyName="93e1da98-656c-5cd5-933b-ce6665fc0486-1948841/CIS PostgreSQL 11 (20210915)","PostgreSQL",policyName)

I would like to say if(policyName=*CIS PostgreSQL*, but it doesn't work.
Just came across an interesting use case, and I'm wondering how people solve it.  Phantom talks to an internal asset via HTTP and API key. This asset has redundancy, and if it goes down a backup comes online. Part of that is name re-direction. The data underneath is all the same but the API key changes.  My thought would be to perform a test connectivity check at the top of the playbook, and then pass the asset number down the playbook.  Is there a smarter way to handle this?  Thanks!
We have configured our server to send syslog events to our Splunk collectors using syslog UDP port 514. We are not seeing the hostname listed in the ingested files. How do we get Splunk to display the hostname? Thank you, Angel
We have Monitoring of Java Virtual Machines with JMX set up on our Splunk forwarder (Linux), and it's running fine when executed with "./splunk start" from the Splunk forwarder bin, with the below logs:

08-29-2022 09:33:57.733 -0600 INFO SpecFiles - Found external scheme definition for stanza="jmx://" from spec file="/opt/splunkforwarder/etc/apps/SPLUNK4JMX/README/inputs.conf.spec" with parameters="activation_key, config_file, config_file_dir, polling_frequency, additional_jvm_propertys, output_type, hec_port, hec_host, hec_endpoint, hec_poolsize, hec_token, hec_https, hec_batch_mode, hec_max_batch_size_bytes, hec_max_batch_size_events, hec_max_inactive_time_before_batch_flush, log_level"

However, when I tried to start the Splunk agent as a service with sudo service splunk start, everything else started fine, and I'm getting the following error in splunkd.log:

08-29-2022 09:46:16.519 -0600 ERROR ModularInputs - Introspecting scheme=jmx: Unable to run "python3.7 /opt/splunkforwarder/etc/apps/SPLUNK4JMX/bin/jmx.py --scheme": child failed to start: No such file or directory
08-29-2022 09:46:16.542 -0600 ERROR ModularInputs - Unable to initialize modular input "jmx" defined in the app "SPLUNK4JMX": Introspecting scheme=jmx: Unable to run "python3.7 /opt/splunkforwarder/etc/apps/SPLUNK4JMX/bin/jmx.py --scheme": child failed to start: No such file or directory

Can anyone point me in the right direction? I've set up Splunk as a service with sudo ./splunk enable boot-start -user splunkuser. I'm suspecting there is a permission mismatch between splunkuser (the Splunk owner) and root, but not sure where I should go to correct that.
Hi, is there a way to authenticate to the API through SAML? Right now, our security policy prohibits the use of local unmanaged accounts. I have SAML authentication with Azure AD configured for web access, but when I try to use those same AD credentials to authenticate to the API it does not work. Please help with steps for configuring Azure AD to work with the REST API in Splunk.
Hello, I have to decommission a site due to a datacenter closure. Currently we have four sites with 10 indexers each. The site decommission is well documented; what is not clear is how the data originating from the decommissioned site is replicated to the remaining site. Using site_mappings = site4:site2, data originating from site4 is replicated to site2. Suppose there are 20TB of data: how much data does each indexer on site2 receive? Is there some sort of balancing (2TB each), or is it not predictable? It is also not clear whether the replication buckets for the decommissioned site are removed by Splunk when the cluster master is restarted, or whether this can be done manually. I need this information to estimate whether the current size of the file system is enough. Thanks