Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi, we are planning to upgrade Splunk to 8.2.6.1, but I am unable to find the release notes on the Splunk site. Also, what is the difference between version 8.2.6.1 and the latest Splunk 9.0 version? Our current Splunk version is 8.2.2 (on-prem). Please provide the exact link where I can find these details.
I have been seeing containers without any artefacts with Jira 'on poll'. After comparing those that were successfully ingested against those that failed, it appears to be caused by attachment(s) on the Jira tickets. If all attachments are removed from the tickets, the ingestion succeeds. This is seen for failures using manual poll.

/builds/phantom/phantom/alchemy/connectors/spawn3/spawn3.cpp : 978 : JiraConnector :Downloading from: .../screenshot-1.png
2022-07-27T02:46:06.524696 PID:28743 TID:28743 : DEBUG: SPAWN3 : /builds/phantom/phantom/alchemy/connectors/spawn3/spawn3.cpp : 978 : JiraConnector :Could not connect to url to download attachment: Error Code:Error code unavailable. Error Message:HTTPSConnectionPool(host='domain', port=443): Max retries exceeded with url: .../screenshot-1.png (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7ff09d00b190>: Failed to establish a new connection: [Errno -2] Name or service not known'))

The asset is running through an automation broker, polling an on-prem Jira instance.
Jira; Publisher: SplunkApp; version: 3.4.0; Python version: 3; Product vendor: Atlassian
Is there a way to integrate Forcepoint One with Splunk?
Hi! I have a stream of syslog data coming from my router via UDP into my workstation, where it is received and parsed by Splunk into fields, to identify (mostly) attempts by outside servers to breach my router's firewall. Unfortunately the syslog stream consistently omits a space or tab between the MAC address 'item' and the source IP 'item', like this:

...OUT= MAC=00:00:00:00:00:00:8484:26:2b:9b:ea:bd:src=31.220.1.83...

which causes all SRC IP address fields to remain unparsed. If I could instruct Splunk to look instead for ":src=xx.xxx.xxx.xxx", or cleanse the data stream by converting all ":src=" into ": src=" (note the space), I think my Splunk search would begin interpreting these 'rogue' source IP fields and reveal some interesting attempts to access my network. Does anyone know how to adjust the parser in Splunk to look for things without a space, or to cleanse the data stream before it is parsed? Thanks, Rob
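As an added example (not code from the post above, and not Splunk's own code), the following Python models the two approaches Rob asks about so the regex can be checked against sample lines before it goes into props.conf: a field-extraction regex that does not require a space before src= (the props.conf equivalent would be EXTRACT-src_ip = src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})), and a cleanse that turns ":src=" into ": src=" before extraction (the props.conf equivalent would be SEDCMD-fixsrc = s/:src=/: src=/g). The log lines, MAC and IP values are constructed placeholders; the stanza names above are assumptions about how this would be deployed.

```python
import re
from collections import Counter

# Added example, not code from the original post or from Splunk. It models
# the two approaches Rob asks about: (1) a field-extraction regex that does
# not require a space before "src=" (props.conf equivalent:
# EXTRACT-src_ip = src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) ), and (2) cleansing
# ":src=" into ": src=" before extraction (props.conf equivalent:
# SEDCMD-fixsrc = s/:src=/: src=/g ). The log lines below are constructed;
# the MAC and IP values are placeholders, not real observations.
SAMPLE_LINES = [
    "Jul 27 02:46:06 router kernel: IN=ppp0 OUT= MAC=00:00:00:00:00:00:84:84:26:2b:9b:ea:08:00:src=31.220.1.83 DST=192.0.2.10 PROTO=TCP SPT=54321 DPT=22",
    "Jul 27 02:46:07 router kernel: IN=ppp0 OUT= MAC=00:00:00:00:00:00:84:84:26:2b:9b:ea:08:00:src=31.220.1.83 DST=192.0.2.10 PROTO=TCP SPT=54322 DPT=23",
    "Jul 27 02:46:08 router kernel: IN=ppp0 OUT= MAC=00:00:00:00:00:00:84:84:26:2b:9b:ea:08:00 src=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53",
]

# Matches "src=<ipv4>" regardless of what precedes it, so both the glued
# ":src=" form and the normal " src=" form are extracted.
SRC_RE = re.compile(r"src=(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})")


def extract_src_ip(line):
    """Return the source IP from one line, or None if no src= token exists."""
    m = SRC_RE.search(line)
    return m.group("src_ip") if m else None


def cleanse(line):
    """Insert the missing separator, mirroring SEDCMD s/:src=/: src=/g."""
    return line.replace(":src=", ": src=")


def kv_fields(line):
    """Split a line into key=value pairs the way whitespace-based KV
    extraction sees it: without the cleanse, src= is swallowed into MAC."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def attempts_by_source(lines):
    """Count blocked attempts per source IP across a batch of lines."""
    counts = Counter()
    for line in lines:
        ip = extract_src_ip(line)
        if ip:
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_src_ip(line), kv_fields(cleanse(line)).get("src"))
    print(attempts_by_source(SAMPLE_LINES))
```

kv_fields shows why the field stays unparsed: on the glued line the whole "...:src=31.220.1.83" tail becomes part of the MAC value, while the cleansed line yields a separate src key. The direct regex sidesteps the problem entirely, which is the lower-risk option if the raw events should be kept byte-for-byte as received.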
Hi all, I see a strange issue on my Splunk: there is a scheduled alert that runs every 15 minutes, and I got an undeliverable alert for a user. When I went back to check, the user's email is not configured (maybe it was removed by someone), but I still get the undeliverable email every time the schedule runs. Is there any place where I can check why it is triggering?
Hello everyone, the time modifiers don't seem to work for this search; am I doing something wrong?

| union
    [search query.. earliest=-15m@m latest=now
        | join type=inner x [query..]
        | join type=inner x [query..]
        | dedup x
        | stats count(x) as total1]
    [search query.. earliest=-15m latest=now
        | join type=inner x [query..]
        | join type=inner x [query..]
        | join type=inner x [query..]
        | dedup x
        | stats count(x) as total2]
    [search query.. earliest=-1d-15m@m latest=-1d
        | join type=inner x [query..]
        | join type=inner x [query..]
        | dedup x
        | stats count(x) as total3]
    [search query.. earliest=-1d-15m@m latest=-1d
        | join type=inner x [query..]
        | join type=inner x [query..]
        | join type=inner x [query..]
        | dedup x
        | stats count(x) as total4]
| stats sum(total1) as eval1, sum(total2) as eval2, sum(total3) as eval3, sum(total4) as eval4
| eval y1=eval1-eval2
| eval y2=eval3-eval4
| eval z1=round((y1/eval1)*100, 2)
| eval z2=round((y2/eval3)*100, 2)
| table eval1, eval2, eval3, eval4, y1, y2, z1, z2

The third and fourth subsearches (the ones with earliest=-1d-15m@m latest=-1d) do not work and result in 0s in the output table. However, if I change those time modifiers to earliest=-15m@m latest=now, it works fine, but gives me the same result as the first 2 subsearches. Unsure as to why this is happening.
Hi, I am trying to get the Splunk App for AWS Security Dashboards working. Apparently the default index the app uses is "main". I need to change this. I know I could change the index name by editing the XML, but that would require a lot of changes. I am hoping someone knows where the central place to change it is located. Thank you.
This is probably a stupid question, but where can I find the <host> for the HEC URI <protocol>://<host>:<port>/<endpoint>? I am using the server name from server.conf for <host>, but that isn't working. I also tried the IP address of my instance, and that isn't working either. What am I missing? Thanks
Hello, I am using Dashboard Studio on Splunk Cloud 8.2.2203.2, where I have a base search and 2 chained searches that reference the base search. The base search uses the Global Time Range (global_time) as its time range input when searching. The chained searches should also inherit the same value that the base search gets from global_time, as shown below:

"Time Range Currently using Global Time Range input $global_time.earliest$ - $global_time.latest$"

However, when I change the time input, the panel that uses one of the chained searches does not load automatically and only works if I refresh the entire page. In addition, when I click on the magnifying glass (Open in Search) for the panel, it takes me to a search page but does not return any results because of the error "Invalid earliest_time". I then manually select "Last 24 hours" for the time range in the search query dropdown, which resolves the error and returns results. This tells me that the search query itself is good, but there may be an issue with the time range value not being passed from the base search to the chained search. If my panel references the base search directly, the time range value works perfectly: the dashboard re-searches when I change the time, and there is no error when I click "Open in Search".

I also noted that in the URL after I click "Open in Search" for the panel that uses a chained search, it had this in the URL: "earliest=%24global_time.earliest%24&latest=%24global_time.latest%24". This tells me that the value global_time was holding did not get passed on to the chained search. I confirmed this by manually selecting "Last 24 hours" for the time range in the search query dropdown and noted this in the URL: "earliest=-24h%40h&latest=now". Something along those lines should have been in the URL when I clicked "Open in Search", instead of the variable name.

Can someone please help to see if this is a bug, or is there something special that needs to be configured for a chained search to inherit the value from a time range token? Thank you
I would like to have a report emailed to me a few minutes after an alert goes off. While the alert can include the results, it is based on something specific and will not have all the information I need. Let's say the alert is set up to catch too many host communication errors to a specific endpoint: errors > 100. Currently I either go to the alert and alter it to make a timechart to see any trends, or go to a specific dashboard that shows communication errors with other endpoints, network status, response times, etc. When the problem goes away I take all the Splunk graphs and make an incident report. I would like to have a report with graphs and other info based on the dashboard emailed to me at the time of the alert and 10 minutes after. Sometimes I can get to my email, but not to Splunk. This would also help with the incident reports and make them more uniform. Is this possible? I have not worked with reports much. Can a report be triggered by a separate search? I could not find that answer online, so I believe it can't. I could write a query that looks at the last time an alert went off and have that trigger the associated report, if possible. I would like some type of PDF that I can just attach to the incident report. More importantly, I would like to have much more detail emailed to me after an alert. I'm not even sure what an emailed report looks like. I could google that, but if I can't trigger it there is no need for the report. Although, in reading about reports, I want to use them more with dashboards. Thanks
I have 3 filters for servers like this (the tokens from these filters are used in the query):

Server1: Bridge_API, Bridge_UAT, Bridge_UAT_API
Server2: PG_API, PG_UAT, PG_UAT_API
Server3: PA_API, PA_UAT, PA_UAT_API

When I select a server type from any of the dropdowns, e.g. if I select Bridge_API from the Server1 dropdown, the other filters should switch to *_API and query the data (if I select a server from Server2, the servers with the corresponding suffix should be updated). Similarly, for Bridge_UAT the others should switch to PG_UAT and PA_UAT. How can I achieve this?
I am trying to use a colon ( : ) in my js file; however, I do not see results when I use the colon. I verified that the command works with the colon when I run it within a Search window. I also have it working without the colon in the js file. I just can't seem to use the colon in the js file. The following code in my js file does not work:

    ... | search (path IN (\"*:\\windows\\*\")) | stats count

The following code in my js file works:

    ... | search (path IN (\"*\\windows\\*\")) | stats count

I tried to escape it like I did the double quotes, but that did not work. Is there a way to use the colon in the js file? Thanks
Hi all, I need your help to get a list of all field names into a dropdown filter from SPL results at runtime.

Description: I have an SPL search in the panel section of the dashboard. I need the column names of the results dynamically loaded into a dropdown list in the same dashboard. I tried searching for this and found a similar post: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-dropdown-search-on-columns-of-data-which-aren-t/m-p/165658/highlight/true

However, it describes using a <populatingSearch> tag. When I use the above tag, I get a warning: "Legacy notation: populatingSearch". Thus, I need your help to build the same. Thank you.
Hello, I've recently upgraded from Splunk 7.0 to Splunk 9.0. One of the things that ended up breaking is the Splunk Add-on for Tenable (5.1.4). I knew it was going to stop working due to compatibility issues, and that's fine since we really needed to upgrade Splunk. Is there any other way for our Splunk environment to receive Nessus data? We currently have Nessus Professional version 10 and it does not seem to work with the Tenable Add-on for Splunk. Thanks, Grant
Greetings, I have a dashboard with 2 panels. The first panel uses a simple input for userid to fuel the search:

    index=foo sourcetype=bar $userid$ | table session

This will return a varying number of session results depending on the time period specified. I want to take all the returned values and feed them into a second panel search to show how many times a specific event occurs for each session:

    index=foo sourcetype=bar eventtype=specific $sessionid$ | stats count AS Total by session

I populate the token $sessionid$ with the following XML at the end of the first panel:

    <finalized>
      <condition match="'job.resultCount' != 0">
        <set token="sessionid">$result.session$</set>
      </condition>
    </finalized>

My problem is that this only returns the first value from the first search. I need it to send all values of session to search by. For example, if the first search returns multiple lines with session values A1, B2, C3, I would like to format the token to produce this search:

    index=foo sourcetype=bar eventtype=specific session IN (A1,B2,C3) | stats count AS Total by session

Hopefully this is clear; let me know if it is not. Thanks!
We are working on a webhook setup via Fivetran, as we want to fetch data from Splunk into another platform. How can we change the number of lines, as only 128 rows are pushed successfully?
The MS Teams Alert Action add-on is only sending the first row from the output of the alert to MS Teams. I have multiple rows in the output and want the entire table to be sent to Teams as an alert. Please suggest how to configure that. Thanks in advance for your responses.
For example, below is my raw data in the sample.log file:

    This is a |AWS| test log testing.

The source of this file is /opt/sample.log, but I want to change my source from source=/opt/sample.log to source=AWS, which will be extracted from the raw data while indexing in Splunk.

props.conf:

    [log]
    TRANSFORMS-sourcechange = replacedefaultsource

transforms.conf:

    [replacedefaultsource]
    WRITE_META = true
    SOURCE_KEY = _raw
    REGEX = \|(.*)\|
    DEST_KEY = MetaData:Source
    FORMAT = source::$1

Thank you in advance, please help me.
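As an added example (not the poster's configuration and not Splunk code), the following Python replays what the posted transforms.conf stanza does (REGEX run against _raw, capture group 1 written to the event's source via FORMAT = source::$1) so the regex can be checked against sample events before it reaches an indexer. It also shows the difference between the posted greedy regex and a tightened one on an event that carries two |...| tokens. The sample events are constructed; only the first mirrors the line in the post. Two caveats a practitioner would want: Splunk's REGEX is PCRE, and Python's re behaves the same for these patterns; and a props.conf stanza named [log] applies to events of sourcetype log, so if the file is assigned a different sourcetype the transform never runs (a [source::/opt/sample.log] stanza is the alternative).

```python
import re

# Added example, not the poster's code. It replays the logic of the posted
# transforms.conf stanza (REGEX against _raw, FORMAT = source::$1, written to
# MetaData:Source) in Python so the regex can be checked against sample events
# before it reaches an indexer. The events below are constructed; only the
# first mirrors the line in the post.
DEFAULT_SOURCE = "/opt/sample.log"

# As posted: greedy, so it captures from the first "|" to the last "|".
POSTED_RE = re.compile(r"\|(.*)\|")
# Tightened: stops at the first closing "|", capturing only one token.
TIGHT_RE = re.compile(r"\|([^|]+)\|")

SAMPLE_EVENTS = [
    "This is a |AWS| test log testing.",
    "This is a |AWS| test log with a second |DEBUG| token.",
    "This line carries no delimited token at all.",
]


def derive_source(raw, pattern=TIGHT_RE, default=DEFAULT_SOURCE):
    """Return the source value the transform would assign to one event.

    FORMAT = source::$1 writes capture group 1 as the event's source. When
    REGEX does not match _raw, Splunk leaves the existing source untouched,
    so the original path is returned in that case.
    """
    m = pattern.search(raw)
    return m.group(1) if m else default


def apply_transform(events, pattern=TIGHT_RE):
    """Map each raw event to (source, raw) as the indexer would see it."""
    return [(derive_source(raw, pattern), raw) for raw in events]


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(f"posted={derive_source(raw, POSTED_RE)!r:45} tight={derive_source(raw)!r}")
```

On the single-token line both patterns give AWS, which is why the posted stanza looks correct in a quick test; on a line with a second |...| token the greedy form sets the source to everything between the first and last pipe, so the tightened pattern is the one to deploy.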
Does anyone have any experience using the IP Quality Score add-on in Splunk? I've been given very little information on how to actually run searches in the add-on, and so far I'm not getting any results. For instance, I'm trying to use the IP Detection commands on our web traffic logs, but I'm not getting any results. I just keep getting an error saying:

    Exception at "/opt/splunk/etc/apps/TA-ipqualityscore/bin/ipdetection.py", line 127 : There are no events with ip field.
I installed the Splunk App for SOAR Export on Splunk, and I can see two alert options in Manage Alerts, namely 'Run Playbook in SOAR' and 'Send to SOAR'. However, when I go to add an alert action, these two are missing. These options were available when I first installed the app, and then they were gone from the alert.