Hi, we are trying to process and ingest AWS S3 events into Splunk, but noticed a few events are getting split. After checking the configuration we realized this should be caused by Splunk's internal parsing algorithm. Please let us know if there are any issues in my configuration, or could it be something related to the Splunk parser? Below are the entries in props.conf and transforms.conf:

props.conf -->

[proxy]
REPORT-proxylogs-fields = proxylogs_fields,extract_url_domain
LINE_BREAKER = ([\r\n]+)
# EVENT_BREAKER = ([\r\n]+)
# EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
CHARSET = AUTO
disabled = false
TRUNCATE = 1000000
MAX_EVENTS = 1000000
EVAL-product = "Umbrella"
EVAL-vendor = "xyz"
EVAL-vendor_product = "abc"
MAX_TIMESTAMP_LOOKAHEAD = 22
NO_BINARY_CHECK = true
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC

transforms.conf -->

[proxylogs_fields]
DELIMS = ","
FIELDS = Timestamp,policy_identities,src,src_translated_ip,dest,content_type,action,url,http_referrer,http_user_agent,status,requestSize,responseSize,responseBodySize,sha256,category,av_detection,pua,amp_disposition,amp_malwarename,amp_score,policy_identity_type,blocked_category,identities,identity_type,request_method,dlp_status,certificate_errors,filename,rulesetID,ruleID,destinationListID,s3_filename

Example of the events:

"2022-06-27 08:57:14","wer.com","1.1.1.1","1.1.1.1","10.10.10.10","image/gif","ALLOWED","https://www.moug.net/img/btn_learning.gif","https://www.mikhgg.net/tech/woopr/0025.html","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.124 Safari/537.36 Edg/102.0.1245.44","200","","3571","3328","1a146b09676811234dddccd6dc0ee3cf11aa1803e774df17aa9a49a7370a40ec","Allow List,Fashion","","","","","","AD Users","","wer.com","AD Users,Network Tunnels","GET","ALLOWED","","btn_learning.gif","13347559","346105","15065619",2022-06-27-09-50-ade8.csv.gz

Events as seen in Splunk:
Does anyone know how I can integrate SentinelOne with Splunk? Is there any documentation I can follow or something? Thank you.
Hi! Can we currently create a bar chart with a chart overlay in Dashboard Studio?
Hi all, I'm trying to create a search that gives me back a table of all apps and the number of users that have access to each. I can generate a list of all indexes and the number of users that have access to them, but I can't think of a way to do the same with apps. I can generate who has accessed an app and when, but I can't seem to generate a list of the number of users that have access to a specific app. Anyone with an idea?
Hi all, I want to display a panel depending on the value clicked by a user in a table of results. Let me explain the problem with the example below. Say I have a dashboard which lists the top 3 products sold and their related figures.

Panel 1 = top 3 products sold (let the product names be A, B and C).
Panel 2 = an interactive panel which displays sales figures and more information about product A, only when a user clicks on the product A event in panel 1.
Panel 3 = an interactive panel which displays sales figures and more information about product B, only when a user clicks on the product B event in panel 1.
Panel 4 = an interactive panel which displays sales figures and more information about product C, only when a user clicks on the product C event in panel 1.

This means that at any time my dashboard would display only 2 panels: panel 1 and panel 2, 3 or 4 (depending on the product event clicked by the user).

My approach to solving this: I am trying to use a drilldown on panel 1 to capture the clicked value and store it in a token. Then I am using <condition> to match the value captured in that token to set and unset tokens related to panels 2, 3 and 4. Then I'm using these tokens to show (depends) and hide (rejects) panels 2, 3 and 4. Doing this, I'm getting warnings such as "<set> is not allowed in condition-drilldown block" etc. Can anyone please guide me on how to solve this problem? Thanks, Sajal
Hello, I want to use the "Parallel Coordinates" chart in Dashboard Studio, but no matter what size it has, it always truncates labels to 6 characters and 3 dots. Strangely, when I use this chart for the visualization of an SPL query, the labels are displayed in full length. Does anyone know what I should change in Dashboard Studio to get the labels in full length? Best regards, Daniel
Hi, I'm looking at creating an alert for an increase in IIS requests compared to a previous date, based on a percentage. Just wondered if this is possible? Thanks, Joe
I found this source somewhere in the community and it works fine:

<row>
  <panel>
    <input type="link" token="refresh" id="color_button1">
      <label></label>
      <choice value="Yes">Ververs Overzicht</choice>
      <change>
        <condition value="Yes">
          <set token="refresh_delay">1</set>
        </condition>
      </change>
    </input>
  </panel>
</row>

The colors of the button are grey with a white background. I would like to change this to colors that are more noticeable, for example a green background. I've tried several things but without the desired result. Is it possible to change the colors of the button?
Hi all, I need two input panels, a dropdown and a textbox, such that the dropdown gives a list of macros, and when we select one of the options, its corresponding macro definition gets loaded into the textbox. The underlying idea is to build a dashboard which helps to test and debug the code of each macro when it is applied to the base search. Thus, when the macro definition is loaded into the textbox, the user will need the ability to edit and change the code in the textbox and apply it to the base search without modifying the actual macro definition during the debugging process. Thank you
I can't find the download link for the Splunk Enterprise 7.2.6 RPM. If anyone can show me where I can download the 7.2.6 version, I will be grateful.
I need to monitor a website which, when hit, shows a popup asking for username and password. I have tried the possibilities below so far.

1. Used the Website Input app, but on the "Enter Credentials" page it throws a "Username and Password field name not detected" error.
2. Tried passing credentials using the URLs below, but I get an unauthorized error.
   https://URL/insecurelogin?loginType=splunk&username=EMEA\abc&password=XYZ
   https://URL/insecurelogin?username=EMEA\abc&password=XYZ

If anyone has done such monitoring, please share your valuable inputs. Thanks
I have a huge amount of data with dynamic URL values like the one below; how can I turn that into a hyperlink?

Ex:
Name | Link
aris | https://aerial.behind.com/app/view/c0433334d-4418-wede2323344-2223
Please help answer this question, thank you: for these two multivalued fields, I want each value in the "Recipient" field to correspond to a value in "recipient_status". If the receipt is successful, it corresponds to ";"; if it fails, it corresponds to "'550 5.1.1 resolver.adr.recipnotfound, not found'". Is there a way to segment the values of these two fields and make a one-to-one correspondence? The following are the values of these two fields:

Recipient="@000.com @123.com @456.com @789.com"
recipient_status=";;'550 5.1.1 RESOLVER.ADR.RecipNotFound; not found';"
Beginner user here.

PART 1

I want to track documents over multiple sources to ensure they reach their destination:

Source 1 - Source 2 or 3 - Source 4
Start Point (Sent) - Middle Points (Accepted or Rejected) - End Point (Received)

Each document has the following:
ID = unique to each document
DATE \ TIME STAMP = says what time the document arrived at that point
DESCRIPTION = like a subject, what the document contains

All documents have a unique ID that is tracked on each source. I want to track this ID and ensure that it has gone from source 1, 2 or 3 and arrived at 4. If for some reason it's in 2 and not in 4, display that Doc ID in a table.

PART 2 - I can probably work this one out myself once I know how to link everything. After they are linked, I would like to compare the time between when it was at source 1 and when it arrived at source 3.
Hi all, I am creating a custom app which requires the Python pandas module. Can you please let me know how I can install pandas on Splunk Enterprise and leverage it in my custom application? Will this cause any issues for Splunk overall?
How do I set a "Trigger Condition" on a Splunk report like you would when creating an alert? My issue is that I have created a report from which I want to generate an email when Number of Results = 0, i.e., when no file has been uploaded/detected. Some people would argue: why don't I just create an alert instead? My dilemma is that an alert won't let you add a "Time Range", and I want my daily report to track the previous 7-day time range. My search string looks like this:

index=it_sts_xfer_prod_us xferPath="*GIDM*" OR xferPath="*sailpnt*" OR xferPath="*identity*" OR xferPath="*InternalAudit*" xferFile="FILENAME.csv" | eval _time=_time-xferSecs | convert ctime(_time) as Time timeformat=%m/%d/%y
I'm working on a search where there's a field (Office Location) with about 5 different values that are stored in a lookup file. We're looking at attendance at a specific office (office 1) and differentiating who's actually going in. Specifically, we want to isolate people assigned to office 1 from those assigned to a different office. The original search looks like this, but it populates all the locations rather than just office 1 or not:

index=index EVDESCR="event" READERDESC="reader" | lookup users.csv ID as EMPLOYEE_ID | timechart span=1d dc(CARDNUM) by Location limit=0

I tried using this eval statement to hopefully isolate the search to just two values: yes, home office, or no, not home office.

| eval Home=if(Location"office1", yes, no)

The problem is this eval statement doesn't work and I'm not sure what I'm doing wrong. Any help is appreciated.
Hello community, what is the most efficient way of retrieving a specific search that was performed or, preferably, if possible, of regenerating a file (CSV/PDF) export of its results? So far I have located the search/job ID and worked my way back to a search string (SPL). Though I am curious: is it possible to "re-run" the SPL snippet and just "re-generate" the file export for inspection? Otherwise, what is the fastest and easiest way to get from the search/job ID to the actual SPL search query used to generate the file export? Best regards // G
Any advice on this search? Although it simply produces what I need, it also lumps the system name in with it.

index=main s LogName=Security EventCode=4738 Account_Name="*" | table Account_Name | dedup Account_Name
Hello, I have XML source files in a location where a Splunk HF is installed. These files are updated with new data; that means no new files are created. When new data comes in, the existing files are appended to, and the new data is added at the end of the existing files. I know Splunk has a CRC check for duplicate entries based on a hash function. My question is: will the Splunk UF/HF be able to read only the new data that is added at the end of an existing file, without any errors (or missing info), and send it to the indexer? Any recommendations/thoughts would be highly appreciated. Thank you so much for your support.