All Topics

I'm running into a strange behavior: the first time I open my dashboard, it always shows no visualization for the data, as if the query for the dashboard has not been executed or the query produces no data. Simply reloading the page still does not show the visualization for the queried data. However, if I edit the input field whose token value the query uses, as long as the value entered is different from the existing value, the dashboard shows the expected visual. But if I just reload the page again, the visual disappears!

The dashboard uses a Splunk extension written in JavaScript, but the same extension works with another dashboard without the reloading problem. How can I approach solving the mystery?

I am developing a Reporting command. However, a problem was found in the search command I made. To explain the problem, I have attached some code snippets of splunk_python_sdk.

0. First, the final query I want to run is:

    index=splunk_example | table test, test_results | customcommand

(customcommand is the reporting command.) However, the command was not executed properly. The strange thing was that this command was executed using the index stored on the search head, but the command was not executed on the index stored on the indexer.

1. What I found out
- The map phase runs on the indexer and the rest, the reduce phase, runs on the search head.
- I checked the source code provided by the SDK, and after reading the following code related to the map function, I thought that the data extracted from the indexer can be passed as records when the map function is executed.
-> Q) Execution of the reporting command is done in two stages, map and reduce, but only the reduce function actually executes. Is there any way to run the map function?

1-1. Here is the code provided by the SDK (from ReportingCommand in splunklib.searchcommands):

    def map(self, records):
        """ Override this method to compute partial results.

        :param records:
        :type records:

        You must override this method, if :code:`requires_preop=True`.

        """
        return NotImplemented

    def prepare(self):

        phase = self.phase

        if phase == 'map':
            # noinspection PyUnresolvedReferences
            self._configuration = self.map.ConfigurationSettings(self)
            return

        if phase == 'reduce':
            streaming_preop = chain((self.name, 'phase="map"', str(self._options)), self.fieldnames)
            self._configuration.streaming_preop = ' '.join(streaming_preop)
            return

        raise RuntimeError('Unrecognized reporting command phase: {}'.format(json_encode_string(six.text_type(phase))))

    def reduce(self, records):
        """ Override this method to produce a reporting data structure.

        You must override this method.

        """
        raise NotImplementedError('reduce(self, records)')

2. How I tried
- In this code, it is suggested to set the requires_preop option to true to run the map function:

    @Configuration()
    class TestReportingCommand(ReportingCommand):

        @Configuration(requires_preop=True)
        def map(self, records):
            ...

        def reduce(self, records):
            ...

- commands.conf (add):

    requires_preop = true

So, I tried both methods, but when I took a log, only the reduce function was executed and the map function was not executed.

If you know how to use map, please share. I used a translator, so there may be some awkwardness in the text.

Hi, is there any documentation where we can check the meaning of these attributes in the adrum payload? Regards, Pranjal

Hello, hoping someone can guide me here. I'm trying to find a way to have a single user's dashboard session timeout be different from that of the group they are in. Using Splunk Enterprise and trying to find a way to change just the single user's timeout. Is this possible? I can't find any resources online for this. Thanks.

Hi all, I have a lookup instance_list, which I'm trying to use to filter my flow logs to only show the logs whose sourcetype is one of the instances I'm interested in, so:

    index="sample_data" [| inputlookup instance_list | search instancename="*dc*" | lookup eni_list instanceid OUTPUT eni as sourcetype | format] | ......

There are 3-6 instances that match instancename="*dc*"; running the inputlookup section on its own produces the correct list. Unfortunately I get no results, and applying the instance names to each log and then filtering results in a really slow search. Any pointers are really welcome!

Hello, one of our clients would like to send us data from its Kafka cluster to our AWS environment consisting of heavy forwarders. We then forward the data to the on-prem team, which has the indexers and search heads.

Now, from reading the documentation I am kind of lost about what is needed on our side. Until now we were integrating new log sources via the pull method using SNS + SQS, since there was not such a large amount of data as there is now.

From my understanding, in order to use a Kafka push method with Kafka Connect:
1. Require the client to install Kafka Connect on their cluster
2. Create a Kafka topic

But what steps are required on the heavy forwarder side? How do we subscribe to that topic? Do we only need an HEC collector with a token in order to forward the data to the on-prem team? Thank you.

Hello, we are trying to modify the existing query in the "Remote Desktop Network Bruteforce" correlation search present in the Splunk ES use cases to exclude events with the same session_id. The original query is:

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
    | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50
    | where count>(avg + stdev*2)
    | rename All_Traffic.src AS src All_Traffic.dest AS dest
    | table firstTime lastTime src dest count avg p50 stdev
    | `remote_desktop_network_bruteforce_filter`

We have tried using the "dedup" command and the "distinct_count" function of the stats command without success. Thanks in advance, best regards.

Hi, is it possible to get a list of all scheduled scripts on a Linux UF? Similar to splunk list exec, but showing the next time the script should run?

Hi all, I am trying to view a lookup file whose sharing is set to "this app only" from an app other than the one it is defined in. Is there any way to achieve this without changing the permission in the GUI? This is the SPL I'm running, but it skips the lookup files that aren't being shared. Maybe temporarily set the sharing to global and set it back, or something?

    | rest splunk_server=local /servicesNS/-/-/data/lookup-table-files
    | fields title eai:acl.owner eai:acl.app
    | where !match(title,"\.mlmodel")
    | rename eai:acl.* as *
    | map [
        | inputlookup $title$
        | foreach * [ | eval b_<<FIELD>>=len(<<FIELD>>) + 1 ]
        | addtotals b_* fieldname=b
        | stats sum(eval(b/1024/1024)) as mb
        | eval name="$title$", owner="$owner$", app="$app$"
      ] maxsearches=1000

Hello, I'm a Korean beginner Splunker.

    index=my sourcetype=my2 sernder_ip=my3 | table _time | stats count by _time | sort - _time

Here, even if the data is zero, I want to visualize the graph. Help me, please.

Hello, I used the eval below to convert seconds into D+HH:MM:SS format, which is now in string format. However, I want to create charts based on the duration taken, to publish the turnaround times.

    eval strSecs=tostring(secs,"duration")

How can I use these strings to create a chart, or is there any way to convert seconds to HH:MM:SS format that is quantifiable and not a string? Thanks, Deovrat

Hi all, can someone please assist me in extracting the different Recipients out of this nested JSON? This is from O365 logs. I have followed https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496227#M84641 but am unable to get it to work against my data. Raw events (collapsed entries shown as { ... }):

    OperationProperties: [
        { ... }
        {
            Name: RuleId
            Value: 3623734839020093442
        }
        {
            Name: RuleName
            Value: ForwardingRule01
        }
        { ... }
        {
            Name: RuleActions
            Value: [{"ActionType":"Forward","Recipients":["WADRIANL@domain.com","WENDYLIM@domain.com", Forward Flags":"None"}]
        }
    ]

Note, Splunk is able to extract the field OperationProperties{}.Value as shown above, but how do I further extract the list of Recipients within it? I am trying the searches below but with no luck:

    | spath output=Recipients path=OperationProperties{}.Value.Recipients

OR

    | spath output=Recipients path=OperationProperties{}.Value{}.Recipients{}

I am positive I am making a mistake in the path variable above. Thanks in advance.

Hi all, I'm very new to Splunk, so apologies if the question is common knowledge. I've found a lot of different posts describing the issue, but basically none which actually offers a (for me) viable solution. So I hope you can help me out.

Basically we have a webhook setup which can POST data upon different events in our software. This setup serves a lot of different customers for various needs, not just one customer's Splunk setup. I've set up an HTTP Event Collector endpoint in my Splunk Cloud to receive the data, and created a webhook to send data to my Splunk HEC endpoint. However, I can't send any data to the endpoint without disabling SSL validation, because Splunk uses self-signed certificates. I've seen a lot of different posts on how you just need to disable SSL validation, but that's not a great option in a production environment with a lot of different customers.

So my question is:
- How would I set up Splunk so that we can send HTTPS requests to our different customers' Splunk endpoints without disabling SSL validation?

As we serve a lot of different customers, we can't have a per-customer certificate setup. We basically just need to be able to call the public HTTPS endpoint in Splunk, preferably with SSL validation intact. I really hope someone can help me shed some light on this. The only answers I seem to be able to find are either to install certificates (not an option in a SaaS solution) or to disable SSL validation, which I'm very hesitant to do. Thanks a lot guys.

Hi, can someone please help me with a query to find long DNS sessions?

Hello folks, our Nessus scanner detects that our Splunk servers are using the default certificate on port 8089. Basically it reports that the SSL certificate for this service is for a different host. I have tried to update the server.conf file with a proper SSL certificate, but it is still the same. Has anyone come across this, and is there a workaround available for this issue?

Hi all, I am new at Splunk and trying to evaluate this query. I have some accounts, dates (week starting) and the number of browsers used by the account for that date. I have grouped the dates and number_of_browsers. There is 1 account but multiple dates, and multiple or single values for browser_types.

My query:

    index="a" sourcetype="ab"
    | rename "Week Starting" AS Date
    | stats sum(browser_types) AS New_BrowserTypes by AccountID TotalUsers Date
    | eval New_BrowserTypes=round(New_BrowserTypes/TotalUsers,2)
    | stats MAX(New_BrowserTypes) as logins by AccountID Date
    | stats values(Date) values(logins) by AccountID

which gives an output something like this:

    AccountID   values(date)   values(logins)
    502         2020-07-20     20.00
    102         2020-07-20     15.00
                2020-08-25     18.00
    304         2020-07-20     24.00
                2020-08-25     18.00
                2021-07-20     25.00
                2021-08-25     15.00

For the final result, I want to use only the AccountIDs where the count of values(logins) is >1. So I want to use only those accounts where there are 2 or more logins values. How do I achieve this? Thank you in advance. Please note this is only an example; my actual AccountIDs number more than 500.

We are spending a tremendous amount of time tuning our search structures lately. One thing we have run across in our Enterprise Security environment is an unwanted key=value in litsearch when reviewing the job board.

SPL:

    index=any-index-value sourcetype=any-sourcetype-value

litsearch:

    (index=any-index-value (sourcetype=any-sourcetype-value OR sourcetype=never-mentioned-value))

This 'never-mentioned-value' is always the same regardless of the index or sourcetype we place in the SPL.

Things I have checked for:
- props lookups: no 'sourcetype as x' on the input side OR 'x as sourcetype' on the output side
- props EVAL-sourcetype = case(x,never-mentioned-value): this exists in our prod, but the same config in a lower environment did not trigger the same action (will be removing this shortly after the next push because I just don't like it)
- TRANSFORMS: cannot find any items of interest here

I have tried the following alternative searches:

    index=any-index-value

OR

    index=any-index-value sourcetype::any-sourcetype-value

In both of the above SPL the 'extra' sourcetype key=value does not appear in the litsearch. I do understand the differences in indexed fields and how the searches above are not triggering the additional key=value.

What I need help/direction/input on is how to track down the errant conf edit that is resulting in additional litsearch values when the SPL contains 'sourcetype='.

Hi, imagine the role 'A' has access to index=foobar, but roles 'B' and 'C' do not. Imagine Splunk Enterprise Security creates a notable event / alert based on data in index=foobar. Is it possible to ensure only members of 'A' can see the alert, and 'B' and 'C' cannot? How? More broadly, is this possible outside of Enterprise Security too? How? Appreciate any help!

Hey guys, good night, how are you? I have a big problem. I created an app with the integration of a checkbox with ModalView. I need to send the data shown in the modal to a lookup, but the popup.js file is unable to see the selected_values_array variable from the checkbox.js file. Have you ever been through this? Can you help me? Thanks.

checkbox.js

    require([
        'underscore',
        'jquery',
        'backbone',
        '../app/meuapp/popup',
        'splunkjs/mvc',
        'splunkjs/mvc/tableview',
        'splunkjs/mvc/searchmanager',
        'splunkjs/mvc/simplexml/ready!'
    ], function (_, $, Backbone, ModalView, mvc, TableView, SearchManager) {
        // Access the "default" token model
        var tokens = mvc.Components.get("default");
        var selected_values_array = [];
        var submittedTokens = mvc.Components.get('submitted');

        var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
            canRender: function (cell) {
                return _(['teste']).contains(cell.field);
            },
            render: function ($td, cell) {
                var a = $('<div>').attr({
                    "id": "chk-URL" + cell.value,
                    "value": cell.value
                }).addClass('checkbox').click(function () {
                    // console.log("checked",$(this).attr('class'));
                    // console.log("checked",$(this).attr('value'));
                    if ($(this).attr('class') === "checkbox") {
                        selected_values_array.push($(this).attr('value'));
                        $(this).removeClass();
                        $(this).addClass("checkbox checked");
                    } else {
                        $(this).removeClass();
                        $(this).addClass("checkbox");
                        var i = selected_values_array.indexOf($(this).attr('value'));
                        if (i != -1) {
                            selected_values_array.splice(i, 1);
                        }
                        // Change the value of a token $mytoken$
                    }
                    console.log(selected_values_array);
                }).appendTo($td);
                console.log(selected_values_array);
            }
        });

        var detailSearch = new SearchManager({
            id: "detailSearch",
            earliest_time: "$time$",
            latest_time: "$time$",
            preview: true,
            cache: false,
            search: "| makeresults | eval myvalue=\"$mytoken$\" | makemv delim=\",\" myvalue | stats count by myvalue | table myvalue"
        }, { tokens: true, tokenNamespace: "submitted" });

        // List of table IDs
        var tableIDs = ["myTable"];
        for (var i = 0; i < tableIDs.length; i++) {
            var sh = mvc.Components.get(tableIDs[i]);
            if (typeof (sh) != "undefined") {
                sh.getVisualization(function (tableView) {
                    // Add custom cell renderer and force re-render
                    tableView.table.addCellRenderer(new CustomRangeRenderer());
                    tableView.table.render();
                });
            }
        }

        $(document).ready(function () {
            $("#mybutton").on("click", function (e) {
                e.preventDefault();
                tokens.set("mytoken", selected_values_array.join());
                submittedTokens.set(tokens.toJSON());
                var modal = new ModalView({
                    title: "ModalView Window",
                    search: detailSearch
                });
                modal.show();
                console.log(tokens);
                console.log(selected_values_array + " selected_values_array");
                console.log(modal + " modal");
                //console.log(render);
            });
        });
    });

popup.js

    define([
        'underscore',
        'backbone',
        'jquery',
        'splunkjs/mvc',
        'splunkjs/mvc/searchmanager',
        'splunkjs/mvc/simplexml/element/table',
    ], function(_, Backbone, $, mvc, SearchManager, TableElement) {
        var modalTemplate = "<div id=\"pivotModal\" class=\"modal\">" +
            "<div class=\"modal-header\"><h3><%- title %></h3><button class=\"close\">Close</button></div>" +
            "<div class=\"modal-body\"></div>" +
            "<div class=\"modal-footer\"><button type=\"button\" id=\"teste\" class=\"confirm\">Confirmar</button></div>" +
            "</div>" +
            "<div class=\"modal-backdrop\"></div>";

        var ModalView = Backbone.View.extend({
            defaults: {
                title: 'Not set'
            },
            initialize: function(options) {
                this.options = options;
                this.options = _.extend({}, this.defaults, this.options);
                this.childViews = [];
                console.log('Hello from the modal window: ', this.options.title);
                this.template = _.template(modalTemplate);
            },
            events: {
                'click .close': 'close',
                'click .modal-backdrop': 'close',
                'click .confirm': 'confirm',
            },
            render: function() {
                var data = { title : this.options.title };
                this.$el.html(this.template(data));
                return this;
            },
            show: function() {
                $(document.body).append(this.render().el);
                $(this.el).find('.modal-body').append('<div id="modalVizualization"/>');
                $(this.el).find('.modal').css({
                    width:'90%',
                    height:'auto',
                    left: '5%',
                    'margin-left': '0',
                    'max-height':'100%'
                });
                var search = mvc.Components.get(this.options.search.id);
                var detailTable = new TableElement({
                    id: "detailTable",
                    managerid: search.name,
                    pageSize: "5",
                    el: $('#modalVizualization')
                }).render();
                this.childViews.push(detailTable);
                search.startSearch();
            },
            close: function() {
                this.unbind();
                this.remove();
                _.each(this.childViews, function(childView) {
                    childView.unbind();
                    childView.remove();
                });
            },
            confirm: function(selected_values_array) {
                tokens.set("mytoken", selected_values_array.join());
                submittedTokens.set(tokens.toJSON());
                new SearchManager({
                    id: "envSearch",
                    earliest_time: "$time$",
                    latest_time: "$time$",
                    preview: true,
                    cache: false,
                    search: "| makeresults | eval myvalue=\"$mytoken$\" | makemv delim=\",\" myvalue | rename myvalue as URL | stats count by URL | table URL | outputlookup append=t dev-tk"
                });
            }
        });

        return ModalView;
    });

checkbox.css

    /* The standalone checkbox square */
    .checkbox {
        width: 20px;
        height: 20px;
        border: 1px solid #000;
        display: inline-block;
    }

    /* This is what simulates a checkmark icon */
    .checkbox.checked:after {
        content: '';
        display: block;
        width: 4px;
        height: 7px;
        /* "Center" the checkmark */
        position: relative;
        top: 4px;
        left: 7px;
        border: solid #000;
        border-width: 0 2px 2px 0;
        transform: rotate(45deg);
    }

dash.xml

    <dashboard script="checkbox.js" stylesheet="checkbox.css">
      <label>Teste</label>
      <row>
        <panel>
          <table id="myTable">
            <title>My Table</title>
            <search>
              <query>index=_internal | stats count by sourcetype | eval teste=sourcetype</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
            <option name="count">10</option>
            <option name="drilldown">row</option>
            <option name="refresh.display">progressbar</option>
            <drilldown>
              <condition field="*"></condition>
            </drilldown>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <html>
            <div>
              <input type="button" id="mybutton" value="My Button"/>
            </div>
          </html>
        </panel>
      </row>
    </dashboard>

Hi, there are many apps, and correlation searches in each app, in Enterprise Security. I understand that I can enable/disable a correlation search using the ES web interface, but I want to manage enabling/disabling correlation searches using the CLI. I mean, I just want to change many rules in many apps to "disabled = 0" or "disabled = 1" in savedsearches.conf using the CLI (like a shell). I already tried the below after editing savedsearches.conf from the CLI:

    access to: https://ip:8000/en-US/debug/refresh
    access to: https://ip:8000/en-US/_bump

However, the disable/enable changes are not reflected when I look at the web UI to check. Does anyone know how to make changes to ES correlation rules (savedsearches.conf) in the CLI and update the searches without restarting Splunk?
