Hello Splunk team, I have two doubts; please help me with the details.
1. We are using the Splunk Cloud Platform for Enterprise Security. Is there any way to know the time span of the buckets, i.e. for how many days we have configured them? For example: Hot - 90 days, Warm - 90 days. How can I find this data from the Splunk GUI? I have used "| dbinspect" in a search query, but I am unable to get the timing for how many days we have kept Hot, Warm, etc.
2. While using a search query we can see the time range "All Time", so what does it actually mean here? Does this mean from when we configured Splunk, or from when logs got ingested, or only the Hot & Warm bucket database data?
Thanks in advance for letting me know the details.
Hi Folks, I'm very new at syslog server configuration, but I have a question about this. I have a UF (universal forwarder) and I want it to act as a syslog server as well. I want it to receive the syslog logs on a different port (not 514), port 30001 for example. Should that port be opened from the Splunk side or from my network side? I appreciate any comment or documents to further understand this. Thanks.
Hi! I have a log like this:
eventtype=000111 msg=malicious srcip=11.11.22.22
eventtype=123 msg=traffic srcip=11.11.22.22 hostname=MyMachine
Both lines are in the same index. I would like to get something like this:
eventtype=000111 msg=malicious srcip=11.11.22.22 hostname=MyMachine
I've tried using joins, but they only get results when the indexes are different, because the initial condition on eventtype doesn't match the second event. This is the query which doesn't work:
index=index_ logid=1122 | fields * | join srcip [search index=index_ | table hostname ] | table eventtype msg srcip hostname
Can you help me? Thanks!!
We currently have our Splunk Enterprise instance running on a stand-alone VM, but we are looking to add an additional VM for some sort of replication: a hot/cold standby option, or whatever the best practice may be. Has anyone had experience doing this, and what were your steps?
Hi everyone, I need to remove users that leave the company. I've already removed them from the company AD, but they remain on Splunk Cloud. Does someone know how I can delete/remove them from Splunk Cloud? Thank you. Clecimar
Hello All - Using version 1.7.6 on Splunk Enterprise 8.2.3:
Search Error: Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
| tstats summariesonly=t count from datamodel=Web WHERE (*) sourcetype="websense:cg:kv" Web.mid IN (*) Web.id IN (*) Web.user IN ("**") Web.action IN ("*") Web.src IN ("**") Web.status IN ("*") Web.http_method IN ("*") Web.category IN ("*") Web.dest IN ("***") Web.http_user_agent IN ("**") by Web.http_user_agent | rename Web.* as * | stats sum(count) as "count" by http_user_agent | lookup user_agents http_user_agent | table count ua_family http_user_agent | sort 0 -count
From Job Inspector:
08-30-2022 14:30:38.150 ERROR ScriptRunner [53774 StatusEnforcerThread] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py http_user_agent ua_os_family ua_os_major ua_os_minor ua_os_patch ua_os_patch_minor ua_family ua_major ua_minor ua_patch ua_device': File "/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py", line 54
08-30-2022 14:30:38.150 ERROR ScriptRunner [53774 StatusEnforcerThread] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py http_user_agent ua_os_family ua_os_major ua_os_minor ua_os_patch ua_os_patch_minor ua_family ua_major ua_minor ua_patch ua_device': results = user_agent_parser.Parse(http_user_agent)
08-30-2022 14:30:38.150 ERROR ScriptRunner [53774 StatusEnforcerThread] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py http_user_agent ua_os_family ua_os_major ua_os_minor ua_os_patch ua_os_patch_minor ua_family ua_major ua_minor ua_patch ua_device': ^
08-30-2022 14:30:38.150 ERROR ScriptRunner [53774 StatusEnforcerThread] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py http_user_agent ua_os_family ua_os_major ua_os_minor ua_os_patch ua_os_patch_minor ua_family ua_major ua_minor ua_patch ua_device': TabError: inconsistent use of tabs and spaces in indentation
08-30-2022 14:30:38.153 ERROR ExternalProvider [53774 StatusEnforcerThread] - Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
08-30-2022 14:30:38.153 ERROR SearchStatusEnforcer [53774 StatusEnforcerThread] - StatusEnforcerThread failed with error: Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
08-30-2022 14:30:38.153 INFO ReducePhaseExecutor [53774 StatusEnforcerThread] - ReducePhaseExecutor=1 action=CANCEL
08-30-2022 14:30:38.153 INFO DispatchExecutor [53774 StatusEnforcerThread] - User applied action=CANCEL while status=0
08-30-2022 14:30:38.153 ERROR SearchStatusEnforcer [53774 StatusEnforcerThread] - sid:_amFzb25faG90Y2hraXNzQGFvLnVzY291cnRzLmdvdg_amFzb25faG90Y2hraXNzQGFvLnVzY291cnRzLmdvdg_bmxzX1VJX2Rldg__search32_1661869827.397931_B7BA11EF-467A-4E74-B057-FC9CAC03F269 Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
Any suggestions on how to fix this? Thank you.
Hello all, I know this has been asked many different ways, but I can't seem to get the search correct. I am attempting to "not display data that is less than 10 days old". I have to set up a whitelist via a lookup table; the idea here is that we add IPs or URLs that show no threat, so we want to stop seeing alerts coming in. But we want to recheck the data again in 10 days. This is my test search, but it still shows IPs or URLs that are in the lookup table.
| from datamodel:"Threat_Intelligence"."Threat_Activity" | search NOT [| inputlookup my_whitelist.csv | fields threat_match_value] | where lastSeen>=relative_time(now(),"-10d") AND _time<=now() | table _time threat_match_value
My lookup table fields are
Good afternoon! I receive messages from systems in Splunk; several messages from one system line up in a message chain. As a rule, six messages from one system line up in a chain of six messages. By message chain, I mean that Splunk receives six messages with the same field: "srcMsgId". Messages arrive one after another at different intervals, but the interval should not exceed the value N. Tell me, how can I set up an alert in Splunk for the case where the interval between messages in the chain exceeds the value N?
Splunk Add-on for Microsoft Office 365 -- I'm unable to index files over 7 days old. Where can this configuration be changed in the Add-on?
Splunk Add-on for Microsoft Office 365 Version: 2.0.2 Build: 1
Splunk Version: 8.1.5
Hello Experts, We have Splunk DB Connect inputs configured to fetch logs from DB tables based on SQL queries. In general, for unstructured data we apply the standard props.conf settings below as a best practice:
TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEAD
SHOULD_LINEMERGE
LINE_BREAKER
TRUNCATE
TIME_PREFIX
Do we need to configure the above settings for DB Connect logs as well? If yes, what would the suggested values be? Please help me to understand this.
I hate to have a newbie question here, but I am deploying a Linux Splunk server with several Windows workstations. The workstations show up in the forwarders area; however, I cannot find the hostname of the Linux server I am on. Do I need to include a forwarder on the Splunk server? I have never worked at the application level with Splunk before, so I apologize if this is a silly question.
Hi, I have a standalone server which was running version 9.0.0.1 earlier. Now it has been updated to the latest version, 9.0.1. After the upgrade, the Upgrade Readiness App scanned all the apps and showed 2 "system config failed" errors in the Splunk Platform Compatibility Scan. The error snapshot is attached herewith. Any idea on how to resolve this? Thanks in advance.
I've 2 queries: one gives the total number of events and the other gives the counts by error type. I'm trying to join the two queries so that I can get the percentage of each error type.
Query 1: index=app "ResponseLoggingFilter" "Operation" | stats count as Total_Transaction
Query 2: index=app "ResponseLoggingFilter" "Operation" NOT "OK" NOT "1041" | rex "(?:.+message\"\:\")(?<Error_Message>.+)(?:\"\,)" | stats count by Error_Message
Hi, how can I make both of these panels the same height?
I need the count and count % to be reflected in the Available and Not Available lines with the value. I would appreciate any help.
|eval Status = Status." : ".count
Hi Splunkers, I'm trying to build a dashboard to capture all the triggered alerts, with some custom actions to be applied for each alert. I'm trying to make a table with Alert Name, Alert Triggered Time and Alert Results URL (which we actually get in an email when we enable email notification). I would like to know how to get the URL for each triggered alert's results and pass that into a dashboard, so that users can view the results by clicking that link and take actions based on that.
My data looks as follows:

host  col2
----  ----
A     SUCCESS
A     ERROR
B     ERROR
B     SUCCESS
B     SUCCESS
C     ERROR

Here is the desired output:

host  Total_rows_for_this_host  Errors_for_this_host  ErrorPercentage
----  ------------------------  --------------------  ---------------
A     2                         1                     50
B     3                         1                     33
C     1                         1                     100

For every host, we need to find the error percentage. What query could I use? Thank you.
Hello, please, I have a problem with a search. If I run this search, it shows inconsistent ingestion. Here is the search I ran:
index=compare_items
If I put a time range of 60 mins or even 7 days, I do not see results. But if I put 30 days, I have something like a million events populated. Here is the error message I got from Splunk:
configuration for xyz/123/xxx/ took longer time than expected. This usually indicate problem with underlying storage performance.
Can someone help me if you have had a similar experience? Thanks
I can't manage to install Splunk in my Ubuntu virtual machine.
Hi, I am new to Splunk and looking to use it for analytics in place of Matomo. I have it gathering my logs and I can query them. However, I am trying to understand what benefits I would get from this add-on. Does it enrich the data or provide prebuilt queries/dashboards? Thanks