Hi All, I want to create a use case where the account is inactive for 60 days and it got enabled after 60 days. I tried to draw the logic but I'm not sure whether the query is correct or not. Can somebody please modify the query if it requires some change?

index=wineventlog EventCode=4624 user="*@xyz.com" earliest=-60d latest=now() | transaction user maxspan=60d search (EventCode!=)

Thank you
In the User Role Authority settings, the following two setting items are enabled by default. What happens if I disable each status? <Capability name> (1)list_all_objects (2)rest_apps_view When I disabled (1) above, the entire account name in the menu bar in the upper right corner of the screen disappeared. Please let me know if this behavior is correct.
Regarding the user role permission settings, the following two settings are enabled by default. Could you explain in detail what control each of them enforces when it is disabled? <Target> (1) list_all_objects (2) rest_apps_view Note: when I disabled (1) above, the account name in the menu bar at the top right of the screen disappeared entirely. I would also appreciate it if you could tell me whether this is the expected behavior.
Hi Splunkers, I've installed both the Add-on for VMware metrics collector and the Add-on for Unix and Linux. I noticed that the same host collected by the two add-ons is managed in different ways. Is there a best practice to follow in order to merge the data, or at least to tell ITSI we're talking about the same host? I've already tried to merge entities but without finding an acceptable solution. Can someone help me on this topic?
Hi, I want to create a Splunk use case like: after getting 3 failures, the account got enabled again. I was working on it and below is my query, but it is giving me 0 results. Can you please help me to modify the query?

source=WinEventLog:Security (EventCode=4625 OR EventCode=4624) | eval username=mvindex(Account_Name, 1) | streamstats count(eval(match(EventCode, "4625"))) as Failed, count(eval(match(EventCode, "4624"))) as Success reset_on_change=true by username | eval alert=if(Failed>3, "yes", "no") | where Failed > 3 | eval newname=username, newhost=host | where (Success > 1 AND host=newhost AND username=newname) | eval end_alert="YES" | table _time, username, host, Failed, Success, alert, newname, newhost, end_alert

Thanks
Hello folks, I have logger lines as below:

job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR1", "nbProperties":1345, "propertyStartCount":1, "nbPropertyPerExecution":5, "propertyEndCount":6, "nbPropertyForCurrentExecution":5 }
job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR2", "nbProperties":1345, "propertyStartCount":6, "nbPropertyPerExecution":5, "propertyEndCount":11, "nbPropertyForCurrentExecution":5 }

These lines continue until propertyEndCount = nbProperties, but sometimes it does not become equal and stops randomly like below. This job stopped at "propertyEndCount":1076 only:

job MONITOR-DESYNC-3-6AQ-Q7Z: { "chain":"PR1", "nbProperties":1345, "propertyStartCount":1071, "nbPropertyPerExecution":5, "propertyEndCount":1076, "nbPropertyForCurrentExecution":5 }

I need a Splunk query to find how many hotels got covered for each chain. In this case the expected output is:

chain  total-property  covered-property
PR1    1345            1076
PR2    1345            1000

I am quite new to Splunk queries. I think if somehow I could fetch the value of propertyEndCount from the last event then it should work. If anyone can provide some solution to get the expected result mentioned above, thanks in advance.
Hi, we are facing an error when an SPL search with dbxquery is run on Splunk. The strange thing is that the issue is intermittent; we checked the internal logs and found it only occurred on just one search head out of 5 in the cluster. I am not sure why this is happening and what I can check at the Splunk end to fix this.

Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 127
Hi, I want to create an alert on traffic drop deviation. Something like: if the traffic drops by 50% compared to what it was in the last hour, or if the traffic drops to zero, then I want the alert triggered. Creating an alert on 0 traffic is easy, but that could give false positives as well, so I am trying to find a way to alert only if there is a significant deviation. Is that possible? I have this query at the moment which looks into the incoming requests. I can run the alert every 15 or 30 minutes and want it to trigger if there is a deviation.

index=myapp_prod "message.logPoint"=INCOMING_REQUEST | timechart span=30m count

Best Regards, Shashank
Hello Everyone, I have two queries to exclude events, one using NOT and the other using IN. Both queries return the same results, but the query using NOT takes less time. My question is: shouldn't it be the other way around? Why does NOT take less time to execute?

Time taken by Splunk using IN query:
index="some_index" sourcetype="some_source_type" app_code=XXXX a_status IN (0,1,40) AND b_status IN (2,1,10,20)

Time taken by Splunk using NOT query:
index="some_index" sourcetype="some_source_type" app_code=XXXX NOT a_status IN (0, -1, -2, -5) NOT b_status IN (-1, -6, -5, null)
I have an installedAt field which gives the application's installation time. If I run a Splunk search for the last 7 days, it shows the application installed at different times. So I want the query to find the applications installed in the last 7 days.
Hi Splunk community, I want to chart the data retrieved from an index, filtering the app_name field to match the ones in the lookup file. There will be some app_name values in the lookup file that are not in the index, and they need to be added as new rows and labeled "Not executed" for their status. My SPL looks like below:

index="my_index" | search [ inputlookup my_lookup | table "App Name" | rename "App Name" as app_name] | table app_name stage_name stage_status | eval stage_name = "Stage - " + stage_name | rename app_name as App | chart values(stage_status) by App, stage_name useother=f limit=0

Here is what I got:

App    Stage A  Stage B  Stage C  Stage D
App_A  PASSED   FAILED   PASSED   PASSED

And I want it to look like this:

App    Stage A       Stage B       Stage C       Stage D
App_A  PASSED        FAILED        PASSED        PASSED
App_B  Not executed  Not executed  Not executed  Not executed
...    Not executed  Not executed  Not executed  Not executed

Please help and advise, thanks!
Hi Folks, I would appreciate some help to create a dashboard. I want a simple line chart that shows how a value changes over time. My data comes from a csv file, and in the csv it is in this format:

timestamp        mac_address        key         value
20220902-153931  xx:yy:zz:aa:bb:01  counter_01  246897
20220902-153931  xx:yy:zz:aa:bb:01  counter_02  1595

Further on in the same file we see the same keys for a different device by mac_address:

timestamp        mac_address        key         value
20220902-153931  xx:yy:zz:aa:bb:02  counter_01  600
20220902-153931  xx:yy:zz:aa:bb:02  counter_02  1350

This is how the data looks in search for a single device (identified by mac_address) and a single key (counter_01) with a value of 246897.

These values are pulled via a script which runs according to a schedule, so the index will contain updated data with a new timestamp. In all there are about 20 key/value matches per device per run of the script. What I would like to achieve: a simple line chart that shows the values for device 1, showing the counter_01 key and how the value changes over time. The problem I am having is understanding how to get the chart to identify the device and then show the right stat. Once I know how to do this I'm sure I can work out how to display the other values. As always, I'm very grateful for any help. NM
Hi, I would like to create a dashboard for the application use case with the event IDs below:

4720 A user account was created.
4722 A user account was enabled.
4723 An attempt was made to change an account's password.
4724 An attempt was made to reset an account's password.
4725 A user account was disabled.
4726 A user account was deleted.
4738 A user account was changed.
4740 A user account was locked out.
4767 A user account was unlocked.
4780 The ACL was set on accounts which are members of administrators groups.
4781 The name of an account was changed.

Is it possible to have an old and new value?

Thanks for your feedback. Best regards, Cédric
There are reports that run every 0 and 30 minutes. And there are a lot of reports that start every 5 minutes and 35 minutes. If the report that ran at 5 minutes is delayed and ends at 35 minutes, will the report that ran at 30 minutes have an effect?
Hi Splunk Community, we have Splunk Enterprise 8.0.7. I would like to know the status of past Splunk searches: load, event count, time range, whether the search timed out, how long the search ran, etc. Thank you.
| eval err=if(data>80,code,"")

I am composing SPL using an if statement. If the data value is over 80, a code is generated. However, if the value stays at 80 or more, a code should be generated only at the first value of 80 or more, and the code should not occur again until it falls below 80. What should I do?
I'm trying to troubleshoot a connection that I made in the DB Connect app; it shows the error as above. I don't know if the error was on my end and my input, or in the info I received. Most of the answers I searched for were about JDBC, but that is automated in DB Connect. So what should I do in this situation? Is it on my end, or should I contact the DB owner or the networking department in my org?
How can I dynamically link 3 dropdown buttons to 3 dashboard tables? Dropdown 1 is for "time", dropdown button 2 is for "critical, high, low", and dropdown button 3 is for "blocked, allowed, unknown". I have configured each table to match the dropdown input, but I want to link all 3 together. Thanks in advance for your help.
Hi Everyone, if I am searching through the past 4 weeks in one query, how can I break this data into two columns, one for the previous 2 weeks and one for the latest 2 weeks, then sort by the latest 2 weeks? In general, I'm using stats to display the number of objects affected by errors occurring in a 4 week period, but would like to see them displayed in two 2-week periods, sorted by the amount in the latest 2 weeks.

| stats dc(objects) as OBJ by errorMessage | sort -OBJ

CURRENT OUTPUT

ERROR MESSAGE  OBJ
message 1      1792
message 2      1210
message 3      957

DESIRED OUTPUT

ERROR MESSAGE  LATEST 2 WEEKS  PREVIOUS 2 WEEKS
message 1      967             825
message 2      872             666
message 3      103             854

Thanks all, Corey
Hi Splunkers, how do I ingest binary files into Splunk? I get the error "ignored due to binary file". Any help would be appreciated. Many thanks, Emy