Basically my query should search an index for an IP in the last 4 hours and return 1 event. Then it should left join on IP to a second index and search for results over the last 7 days. The IP I am searching exists in both indexes. Why are no results being returned?
earliest=-4h latest=now() index=data1 Source_Network_Address=10.1.1.1
| head 1
| rename Source_Network Address as IP
| join type=left IP max=5 [search earliest=-7d latest=now() index=data2 | fields IP, DNS]
| table index, _time, IP, DNS
This is my example log file:
-- Daily Prod Started 7/28/2022 12:36:05 PM 0.762 sec
-- BegMo='06/01/2022' 7/28/2022 12:36:05 PM 0.049 sec
-- BegDate='06/01/2022' 7/28/2022 12:36:05 PM 0 sec
-- EndDate='07/28/2022' 7/28/2022 12:36:05 PM 0 sec
-- EndMidNight='07/29/2022' 7/28/2022 12:36:05 PM 0 sec
-- Data Collection Start=7/28/2022 12:36:05 PM 7/28/2022 12:36:05 PM 0 sec
How do I pick up the timestamp on lines 2-5, where there is a date with quotes, and on lines 1 and 6, where there is not?
I am trying to create logic to choose a value to use from multiple fields based on a priority I can define. I have 3 fields which may have values in them and I want to create a 4th field to represent the best choice of the 3. I always trust field3 more than field2 and always trust field2 more than field1. I want the logic to be:
- if field3 has a value, always use it
- if field3 has no value, use field2's value
- if field3 and field2 have no values, use field1's value
- if field3, field2 and field1 all have no values, leave blank (or "unknown", etc.)
These are 3 examples of what this may look like and what I want field4 to be based on the presence of values in the other fields.
Example 1: field1=<value1> field2=<value2> field3=<value3> field4=<value3>
Example 2: field1=<value1> field2=<value2> field3= field4=<value2>
Example 3: field1=<value1> field2= field3= field4=<value1>
I feel like this is probably a pretty simple eval command, but I can't seem to find an example. Thank you in advance!
Hi All, I already have a search that gives me a result. But what I desire is to have the results only if another event is NOT true for the user. So for example the below gives me a result:
EventID=4625 earliest=-4h@h latest=-3h@h | table User IPAddress EventID Message
The desire is to only show results if there was no 4724 for a specific period. Would I do it something like this?
EventID=4625 earliest=-4h@h latest=-3h@h | table User IPAddress EventID Message earliest=-4h@h latest=-3h@h | append [search NOT EventID=4724 earliest=-7d@d latest=now ]
I have been asked to check with Splunk Support on whether we can run 2 different Splunk add-ins for "Splunk Add-on for Microsoft Cloud Services". Can we have one connect to Azure Commercial while the other connects to Azure Government event hubs? Or is this a case in which we would need 2 separate Splunk servers to support that? What else could we do? I.e., could we set it up on the heavy forwarder in the FTI subscription for Government for server 1 and use the existing server for commercial?
This is my 2nd follow-up regarding this solution: https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/... My question now is about the search field (which contains the actual Splunk query behind each alert). Does this field require any special handling? If I need to use this field for filtering purposes inside a search command, would it be different than using any other field like title? Or can I simply use something like the following:
| rest /servicesNS/-/-/saved/searches | search alert.track=1 AND title="prefix*" AND search="index=someindex*"
Hi All, we have a requirement where the end user would be uploading a CSV to our HF, and from there, jobs would process it. In the case of Lookup Editor, it gives a view of all the CSVs, which is contrary to the view restriction we are trying to enforce. An alternate idea we came up with is to create a custom page that has an upload button and uploads the file, but we are struggling with how to link JS code that uploads files to the backend.
Hi Splunkers, I have a simple drilldown on my Splunk dashboard that links to an external website. How can I get Splunk to log the URL that was clicked by the user? I would like to see a log of all the URLs clicked by each user for audit purposes. Regards.
Hi Splunkers, I have a simple drilldown configured that links to an external website. The link generated by the drilldown has data clearly visible in the URL, like http[:]//site.com/name=joe. Is it possible to POST data to an external website using a drilldown? I would prefer my URL to be http[/]site.com and the name=joe to be set as a POST parameter. Regards.
Hello everyone! After a few hours of research I come to ask for your help. Here is my data:
Username_column clientip_column
username1 xxx.xxx.xxx.xxx
username1 xxx.xxx.xxx.xxx
username1 xxx.xxx.xxx.xxx
username1 yyy.yyy.yyy.yyy
username2 xxx.xxx.xxx.xxx
username2 zzz.zzz.zzz.zzz
username3 yyy.yyy.yyy.yyy
username3 xxx.xxx.xxx.xxx
So, what I would like to do is to create another column called "countUsername" which contains the number of usernames by clientip without duplicates (of usernames). Here is my dream table (what I want):
Username_column clientip_column countUsername
username1 xxx.xxx.xxx.xxx 3
username1 xxx.xxx.xxx.xxx 3
username1 xxx.xxx.xxx.xxx 3
username1 yyy.yyy.yyy.yyy 2
username2 xxx.xxx.xxx.xxx 3
username2 zzz.zzz.zzz.zzz 1
username3 yyy.yyy.yyy.yyy 2
username3 xxx.xxx.xxx.xxx 3
I tried various things like:
| eventstats values(count(Username_column)) as countUsername by clientip_column
creating a multivalue column and trying mvdedup(), and combining my Username_column and my clientip_column like so:
| eval countUsername=Username_column. " " . clientip_column
and doing lots of things on that: if(match()), regex, ... But everything that I tried didn't work. The best thing that I can get is:
| eventstats count(Username_column) as countUsername by clientip_column
But with this line, my usernames are duplicated (like the table below; I tried some things with this result but got no results on my side):
Username_column clientip_column countUsername
username1 xxx.xxx.xxx.xxx 5
username1 xxx.xxx.xxx.xxx 5
username1 xxx.xxx.xxx.xxx 5
username1 yyy.yyy.yyy.yyy 2
username2 xxx.xxx.xxx.xxx 5
username2 zzz.zzz.zzz.zzz 1
username3 yyy.yyy.yyy.yyy 2
username3 xxx.xxx.xxx.xxx 5
Maybe you are wondering why I'm using eventstats instead of stats. The reason is that before this line, I have a large search with multiple stats commands, and if I don't use eventstats, all my other columns at the end of my large request won't show up. Kind regards,
Hi splunkers, I want to use the "null" command in the below query. If the message is "null" then it should be replaced with the below message; otherwise it should only display the already extracted message.
| eval message=if(Actor="superman","super hero", if(Actor="emma watson","model"))
Thanks.
I am new to Splunk and I need help to get a query that lists all the domains that are in my logs (that were accessed from my network or that accessed my network) at any given period or range
Hi everyone, I'm sure this is a question that's been answered before, but my google-fu is failing me. I am running Splunk Cloud 8.2 (Victoria), Salesforce App for Splunk version 4.11, and Splunk Add-on for Salesforce version 4.4.0-1651043262. I have the Salesforce app configured and data inputs set, and I have data in my index from all the sources. What I don't have, however, is literally any data populating any of my dashboards. I'm wondering if it has anything to do with the lookup tables being broken: Could not load lookup=LOOKUP-SFDC-USER_NAME I have enabled the saved search and run it successfully (per the Add-on docs); however, the App docs have saved Lookup searches that, when I run them, don't return data. So the lookups aren't populated. Also there are only 3 lookups, not 4 like in the docs. I'm sure I'm missing something *very* simple; but does anyone have any ideas?
Hello, in ES when we run the following macro for the Last 30 mins or Last 24 H time range, Splunk ends up displaying results from all the way back in time, as in the last 6 months of data as well. Why is that so? It's as if it completely ignores whatever date/time range we specify. BTW, this is an out-of-the-box macro.
| `incident_review` | table _time owner rule_id rule_name status_label
My requirement is to show the Notables triggered based on the date range we select. Secondly, does anyone know how to show the number of Incidents (Notable alerts) worked on by each SOC analyst? Basically I'm trying to generate performance metrics for each analyst: how many alerts they worked on, time to close each alert, details of each status change, etc. The default provided SOC operations dashboard sucks.
Hi, I have two config files that I need to monitor, to answer these questions: who? what? when? changed that file. I need content monitoring like git, showing the differences between versions and the history of the file. Any idea? Thanks
Hi All, I'm trying to get the SFTP network data protocol logs from an SFTP server (Windows server) that has a universal forwarder on it. I have found the Splunk App for Stream: https://splunkbase.splunk.com/app/1809/ I have configured everything in its place, but the issue here is that this app can monitor several network data protocols but not SFTP; the most closely related protocol is FTP as shown below: I have enabled FTP as shown above but I can't see any traffic from it, even though I have enabled some other protocols and I saw traffic as shown below: What can I do about this to get the SFTP logs? Thanks.
Hi, I want to transfer my classic dashboard to Dashboard Studio and I have some questions regarding that. On the classic dashboard I have several search options that I want to migrate to the new dashboard:
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
<format type="color" field="Action">
<colorPalette type="map">{"allowed":#99ff99,"blocked":#ff4d4d,"dropped":#ff4d4d,"monitor":#ffc44d}</colorPalette>
</format>
When I tried to use it in Dashboard Studio it didn't work. Can someone please share the options list with me? I didn't find it in the documentation. Moreover, the font size of the search results is quite huge and I want to reduce it. Which option should I use for that? Thanks!
I am getting an error "check_hostname requires server_hostname" with Splunk 9 when using request.post() with a proxy over https. How do I resolve this error?
I have a field with an id and I want only the 3-digit id. For example: if I take t0123-123, here I want to remove t0; for t456-456, here I want to remove t; for t1023-023, here I want to remove t1. The expected output is as shown below:
ID expected ID
a a
t0123 123
t456 456
t1023 023
I am trying to use a search to find fields that I want to use in another search as a table field. The first search should return all fields that are used in a datamodel. This looks like this:
| datamodel "Authentication"
| spath output=foo path=objects{}
| spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
| spath input=foo output=field path=fields{}.displayName
| eval fields = mvappend(calc_field , field)
| mvexpand fields
| table fields
Then I want to use the list of fields in the table command. I do this to be able to check the coverage of the CIM fields in the search. Unfortunately, so far without success, so I am grateful for all ideas and any kind of input. My first guess was something like:
index="main" sourcetype="XmlWinEventLog" tag="authentication"
| table [ | datamodel "Authentication"
    | spath output=foo path=objects{}
    | spath input=foo output=calc_field path=calculations{}.outputFields{}.displayName
    | spath input=foo output=field path=fields{}.displayName
    | eval fields = mvappend(calc_field , field)
    | mvexpand fields
    | format "" "" "," "" "" ""
    | rex mode=sed field=search "s/fields=//g"
    | rename search as table ]