All Topics


Hi All, I'm working on a use case called explicit logins, which involves collecting event ID 4648. I'm wondering whether this event ID tracks clear text passwords or direct logins? I can't tell from the event information as it doesn't say anything related to logon type. Could anyone shed some light on this? Thanks in advance.
Hi All, We are checking if there is any way we can monitor, or find out, the account used for SQL startup on the servers.
I have installed the Splunk universal forwarder on a Linux box. I want to forward a log file. This version (9) will not forward to my Splunk indexer. Version 8.24 does forward to my indexer. Does TLS have to be configured for version 9 to work? How can I disable the TLS requirement, or what do I have to do to get this to work? Thanks, eholz1
Hello, _metrics is written on our clustered indexers since the latest Splunk versions; however, it's not shown on our DMC Index Detail page or Manager node Indexer Clustering page. I think repFactor=0 by default, so it means it's not replicated? Is it really used by Splunk? DMC? Internal usage only? Should we declare it on our clustered indexers like any other user index? Thanks for your help. Splunk Enterprise 8.2.2
Hello, I want to perform the above operation. I have a first search (A), and want to remove elements in it (in this case a field called id) from a second search B. What is the cleanest way of implementing such a search?
I'm very new to Splunk. What I'm trying to search for is the next log entry after the entry I search for. For example, I have this log entry from a search:
search: index=dhcp DHCPREQUEST
result:
8/1/22 10:00:00.000 AM   Aug 1 10:00:00 b826c80c7n dhcpd[23809]: DHCPREQUEST for 10.23.1.131 from 00:50:56:9e:82:3e via eth0
host = nss.wright.edu monitor_fast
index = dhcp
linecount = 1
source = /var/log/clients/130.108.128.199/dhcpd
sourcetype = isc:dhcp
What I'm trying to find is the next log entry after this. Any suggestions would help.
Good day, I am trying to create a map for various regions, as lookups. The original format of the map is in GeoJSON; however, when converting to KML using an online converter, the polygon is being simplified into straight lines (creating a block). Is there a way to create a map directly from the GeoJSON file, instead of converting to KML? Kind regards
Hello everyone. I have a Dropdown token being used as the <valuePrefix> in a Multiselect input. The Multiselect seems to only set the <valuePrefix> tag's value during dashboard initialization. I can get a change in the dropdown to take effect on the Multiselect when refreshing the page in the web browser, but not when changing the Dropdown value or when refreshing the panel. This same behaviour applies to the Checkbox input. Here is my code for the panel in question:
<panel depends="$Global_Tok$">
  <title>CPU</title>
  <input type="multiselect" token="CPU_Field_Global_Multi">
    <label>Fields</label>
    <choice value="(pctUser) AS User">User</choice>
    <choice value="(pctIdle) AS Idle">Idle</choice>
    <choice value="(Load) AS &quot;Load (-Idle)&quot;">Load</choice>
    <choice value="(pctIowait) AS IO_Wait">IO_Wait</choice>
    <choice value="(pctNice) AS Nice">Nice</choice>
    <choice value="(pctSystem) AS System">System</choice>
    <default>"(Load) AS ""Load (-Idle)""",(pctUser) AS User,(pctIdle) AS Idle,(pctIowait) AS IO_Wait,(pctNice) AS Nice,(pctSystem) AS System</default>
    <initialValue>(Load) AS "Load (-Idle)",(pctUser) AS User,(pctIdle) AS Idle,(pctIowait) AS IO_Wait,(pctNice) AS Nice,(pctSystem) AS System</initialValue>
    <valuePrefix>$Global_Function$</valuePrefix>
    <delimiter> </delimiter>
  </input>
  <input type="checkbox" token="CPU_Fields_Cbx">
    <label>Fields</label>
    <choice value="(pctUser) AS User">User</choice>
    <choice value="(pctIdle) AS Idle">Idle</choice>
    <choice value="(Load) AS &quot;Load (-Idle)&quot;">Load</choice>
    <choice value="(pctIowait) AS IO_Wait">IO_Wait</choice>
    <choice value="(pctNice) AS Nice">Nice</choice>
    <choice value="(pctSystem) AS System">System</choice>
    <valuePrefix>$Global_Function$</valuePrefix>
  </input>
  <chart>
    <search>
      <query>host=$HOST_SELECTION$ source=cpu | multikv | search CPU=$CPU_Core_Global_Tok$ | eval Load=(pctIdle-100)*-1 | timechart span=$Global_Span$ $CPU_Fields_Cbx$</query>
      <earliest>$Global_Time.earliest$</earliest>
      <latest>$Global_Time.latest$</latest>
      <refresh>1m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="charting.axisTitleX.text">Time</option>
    <option name="charting.axisTitleY.text">CPU Util (%)</option>
    <option name="charting.axisY.maximumNumber">100</option>
    <option name="charting.chart">line</option>
    <option name="charting.drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </chart>
</panel>
In this example code, the panel is only using the Checkbox input token for the search, but the same issue applies when I use the Multiselect as well. The token I am updating with the Dropdown input is "$Global_Function$". The code for the Global Function dropdown input is as follows:
<input type="dropdown" token="Global_Function" depends="$Global_Tok$">
  <label>Function</label>
  <choice value="avg">Average</choice>
  <choice value="max">Maximum</choice>
  <default>avg</default>
  <initialValue>avg</initialValue>
</input>
I have not been able to get the Multiselect or Checkbox inputs to change their initial <valuePrefix> value upon the Function Dropdown changing. So if anyone has suggestions on how to accomplish this, then I am all ears.
Hello, I have 16 AWS rules and would like to make a dashboard/report of the frequency they fire week/month/year. Is this possible in an efficient manner? Thank You
Hi, I need to create a dashboard with errors and HTTP error codes for a mobile application. I can find the errors per minute, but I want to add the actual errors to the widget for the dashboard. Can someone guide me to the path of the HTTP error codes and errors for the mobile application EUM?
I'm trying to create a dashboard panel that shows my F5 SSL Certificates and their expiration dates, and sorts the columns from left to right by date so the leftmost column would be the certificate expiring soonest. Here's what I have for a search:
index=f5_tstream source="f5.telemetry" telemetryEventCategory=systemInfo
| convert timeformat="%m/%d/%Y" ctime(sslCerts.*.expirationDate) AS *c_time
| stats latest(*c_time) by host
| rename host as Host
My results look something like this:
Host     | latest(Certificate#1c_time) | latest(Certificate#2c_time) | latest(Certificate#3c_time) | latest(Certificate#4c_time)
Device#1 | 1/1/2023                    |                             | 7/7/2024                    |
Device#2 |                             | 10/10/2022                  |                             | 9/9/2023
Device#3 | 1/1/2023                    |                             | 7/7/2024                    |
So basically I want to sort all columns containing "latest(*c_time)" by the date they're returning. Not sure if this is possible.
Hi, My classifier (SGDClassifier) is allowing only 100 distinct cat values. I followed the link Configure algorithm performance costs - Splunk Documentation and modified the file mlspl.conf as follows:
[SGDClassifier]
max_distinct_cat_values=2000
max_distinct_cat_values_for_classifiers=2000
However my Splunk search is giving me the error: I had already changed this value for another classifier (LinearSVC) and everything was fine; what did I miss here? I just copied and pasted from it and changed the stanza name. I'm using MLTK 5.3.1
Hello, I can't receive an email alert despite having configured it correctly. The alert is launched on the portal indicating the outcome, but the email is absent.
1- mail server configuration: smptm.gmail.com: 587, I added a gmail address with password
2- alert configuration: I put a destination address: I put an outlook address
Please help me to fix it
Hi, I'm new to Splunk and want to create a search that shows which savedsearches were used in a dashboard? This is how far I got:
| rest /servicesNS/-/-/data/ui/views splunk_server=local
| search title="test_dashboard"
| rename eai:acl.app AS app, eai:data AS data
| fields title app author data
I have no clue how to go from this data to an actual list of savedsearches used in this dashboard. Is there anyone who can put me on a good track?
I'm trying to create a table that displays the following result:
Appname | Amount of users with read access | Amount of users that have accessed in the last 2 months | Open Access | Protected Access
AppX    | <number>                         | <number>                                                | O           | P
I know that I can use the REST API for most (maybe all) of this. The following tells me which apps there are and with what roles a user has read access:
| rest /servicesNS/-/-/apps/local splunk_server="local"
| fields label, eai:acl.perms.read
| rename eai:acl.perms.read as roles
| sort by label
| search label!=_searchhead_config
The following tells me what users there are and what roles they have:
| rest /services/authentication/users splunk_server=local
| fields title roles
| mvexpand roles
| rename title as userName
What I want to do now is to combine those and, by the roles, match which users have access to a certain app, and then count how many there are. I'm a newbie and I've tried all kinds of things with join, append, appendcols but it never gives me the results I need. Can someone point me in the right direction?
Good Morning, I am pulling Zeek (Bro) logs into my Splunk to view events. However, some of these events will display proper syntax highlights while others will just display raw text only, regardless of their log source. The main difference between the 2 I've noticed is that the events that display proper syntax highlights only have 1 timestamp, while other events with multiple timestamps will display as raw text. Multiple searches have led me to create my own local props.conf and transforms.conf files that contain this information at this current time:
transforms.conf:
[TranSON]
SOURCE_KEY = _raw
DEST_KEY = _raw
REGEX = ^([^{]+)({.+})$
FORMAT = $2
props.conf:
[my_source_type]
KV_MODE = JSON
TRANSFORMS-JSON = TranSON
SHOULD_LINEMERGE = false
LINE_BREAKER=([\r\n\s]*)(?=\{\s*"ts":)
TIME_FORMAT=%m-%d%-%Y %H:%M:%S.%4n
TIME_PREFIX="timestamp":\s*"
MAX_TIMESTAMP_LOOKAHEAD=25
TRUNCATE = 0
EVENT_BREAKER_ENABLE = true
Here are also 2 examples of the events (I will write them both out in raw text), one that is displaying the syntax highlights and one that doesn't.
Event that shows syntax highlights:
{"ts":1659441156.916498,"host":"1.1.1.1","port_num":123,"port_proto":"udp","service":[""]}
Event that does not show syntax highlights:
{"ts":1659441445.280528,"id.orig_h":"1.1.1.1","id.orig_p":123,"id.resp_h":"1.1.2.2","id.resp_p":456}
{"ts":1659441456.795169,"id.orig_h":"1.1.3.4","id.orig_p":789,"id.resp_h":"1.1.7.9","id.resp_p":456}
Any information would be greatly appreciated. I don't know if I'm missing something or I am approaching this wrong.
Hi all, I have been trying to use an if condition in stats values(). It is not working properly. I have used if conditions before and got results perfectly.
stats values(eval(if('FAILS'=="0",0,DATA))) as DATA
The field "DATA" is calculated in the beginning. My requirement is that when there are no FAILS, the DATA should be zero; otherwise it should be the value which is calculated. Am I doing anything wrong here? Because even if the FAILS are there, it is giving me the result as 0. Please help me.
Hi, I am new to using Splunk and I'm looking for a bit of expertise. I've generated a timechart for CPU statistics on some of our tasks. I have then split this in the dashboard via a search term which separates the visuals into each task using Trellis view. However, I can't figure out how to get each of these fields into a different colour. When I tried to use the answers from various pages I think I might have done it wrong. The search field is called TASK. Is there any way for me to colour by TASK in a timechart?
Hello Splunkers! Receiving the below error under splunkd.log for the UFs:
08-02-2022 12:41:53.695 +0200 ERROR TailReader [8108 tailreader0] - Ignoring path="D:\xx\yy\filename" due to: Bug: tried to check/configure STData processing but have no pending metadata.
Checked in Splunk community answers (https://community.splunk.com/t5/Getting-Data-In/TailingProcessor-Ignoring-path-quot-path-to-xyz-quot-due-to-Bug/m-p/198762) and found that setting CHARSET for the related source/sourcetype in the related props.conf stanza to CHARSET = AUTO in the UF works fine, and it did work fine for some time, but can anyone help me out on why this ERROR is occurring in the UF? I'm receiving this error intermittently, at times frequently for a few logs. The fix provided in the answers works for some time only; then that particular UF throws the same error again. Can anyone please help me on this! Thanks in Advance! Sarah
Hi guys, When I use Splunk search, it doesn't suggest auto-complete for fields. It is crucial. It is almost impossible to know all fields, and searching for fields from the list on the left side and then copying them is just a waste of time, especially when the fields are JSON objects ( A.B.C{a:b,c:d,e:[a,b,c]} ). Am I missing something? Is there a feature or an add-on that provides this ability?