I had to take an indexer down for several days while an SSD was replaced. I used the "splunk offline --enforce-counts" command to allow the data to replicate back out to the other indexers (we have a replication factor of 1). Now that the SSD has been replaced, I'm curious what the best option is to rejoin this host to the cluster.
Hi everyone! Since I've never used the | rex command, I would like to parse the ip_address out of the raw event using rex. The event is:

org.apache.sor.client.soj.impl.HttpSorClient$Exception: Error from server at https://pimcv.sps.g:443/sor: Failed handshake due to exhausted 12 seconds timeout on channel [id: 0x2c132bc6, L:/56.201.42.175:42 - R:/56.201.45.41:86]

Can somebody help me do this, please?
I need help displaying the input radio button options based on the previous radio button option selection. I have the options below created as inputs:

<input type="radio" token="environment">
  <label>ENV</label>
  <choice value="site1">s1</choice>
  <choice value="site2">s2</choice>
  <choice value="site3">s3</choice>
</input>
<input type="radio" token="sub-environment">
  <label>S-ENV</label>
  <choice value="site1-Area1">s1A1</choice>
  <choice value="site1-Area2">s1A2</choice>
  <choice value="site1-Area3">s1A3</choice>
  <choice value="site2-Area1">s2A1</choice>
  <choice value="site2-Area2">s2A2</choice>
  <choice value="site2-Area3">s2A3</choice>
  <choice value="site3-Area1">s3A1</choice>
  <choice value="site3-Area2">s3A2</choice>
  <choice value="site3-Area3">s3A3</choice>
  <choice value="*">All</choice>
</input>

I want to dynamically display the input fields based on the first radio button option selection:

- if the user selects the site1 radio button option, automatically display the radio button option labels s1A1, s1A2, s1A3 and All
- if the user selects the site2 radio button option, automatically display the radio button option labels s2A1, s2A2, s2A3 and All
- if the user selects the site3 radio button option, automatically display the radio button option labels s3A1, s3A2, s3A3 and *
Hi, I am fairly new to Splunk and inherited an environment. I would like to know why the source code of some of our dashboards starts with the <dashboard> tag while others don't have that tag and start with the <form> tag. Furthermore, if I add the <dashboard> tag above the <form> tag (and of course terminate it at the end of the code with </dashboard>), I get the following alert/error: This dashboard has no panels. Start editing to add panels.
Hello, all our Windows Application, Security & System logs are being forwarded to a central syslog-ng server (1 line per event). On the syslog server we have the Splunk Heavy Forwarder installed, and I have been forwarding the logs on to the Splunk indexer. I'm trying to use the Windows TA add-on, and it requires the sourcetype to be WinEventLog and the source to be one of WinEventLog:Application, WinEventLog:Security or WinEventLog:System. So in the inputs.conf on the heavy forwarder I added the lines to each input:

[monitor:///app/syslog-ng/logs/production-logs/siem_win_sec_log]
sourcetype=WinEventLog
source=WinEventLog:Security
_TCP_ROUTING = SIEMIndexer

[monitor:///app/syslog-ng/logs/production-logs/siem_win_app_log]
sourcetype=WinEventLog
source=WinEventLog:Application
_TCP_ROUTING = SIEMIndexer

[monitor:///app/syslog-ng/logs/production-logs/siem_win_sys_log]
sourcetype=WinEventLog
source=WinEventLog:System
_TCP_ROUTING = SIEMIndexer

Now when I search in the search head, I am seeing that 2, 3 or 4 log entries are being grouped as 1 big entry. I played around with the source/sourcetype fields and found that the problem is only there when the source starts with WinEventLog. I found the [source::WinEventLog...] stanza in props.conf and tried commenting it out partially or completely, and it did not make any difference. This was in /etc/system/local/props.conf on the indexer and the heavy forwarder. Is there any way to get Windows Event Logs in syslog format into Splunk in a way that the Windows TA add-on will recognize? These will eventually be feeding into Security Essentials. Thank you, Dean
Hello Splunkers, I have a query as follows:

My query blah blah blah | stats latest(description) as description latest(result) as result latest(object) as object by host source _time

which gives the result as follows. As highlighted in yellow in the above results, there are two different time values, one under _time and the other under description. Now I want to filter the results for the hosts that have more than 24 hours of difference between _time and the time in the description. Something like below:

difference time = (_time - time_in_the_description) > 24 hours
Hello, the customer I'm supporting wants to configure Splunk to ingest MECM data and generate reports from it. I've tried looking through the Splunk docs website but can't seem to find anything. Should I just use the SCCM docs as a guide, or does anyone else know of any resources? Thank you
Dear Community, I would like to get some assistance and/or clarification regarding Splunk's base-search/post-processing functionality. I have read/heard that using one base search and post-processing instead of several similar queries is cost effective, and that we can save SVCs (Splunk virtual computes) with it. In practice, unfortunately, I have experienced quite the opposite. Let's say I have a dashboard (call it "A") with these queries:

index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | stats dc(user_id) as "Unique users, who has logged ..."

index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart count by result

index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | dedup user_id | timechart span=1h count as "per hour" | streamstats sum("per hour") as "total"

index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart dc(user_id) as "Unique users"

index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Failed" AND reason != "bbb" | timechart count by reason

I cloned this "A" dashboard (let's call the clone "B"). I got some issues, like getting no data, or the numbers being different on "B" than on "A", but after some googling and reading the Splunk community, I managed to get the same results on "B" with:

A base search:

index="myIndex" "[OPS] [INFO] event=\"asd\"" | stats count by user_id is_aaaaa_login environment result reason _time

Post-processes:

search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | stats dc(user_id) as "Unique users, who has logged ..."

search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart count by result

search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | dedup user_id | timechart span=1h count as "per hour" | streamstats sum("per hour") as "total"

search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart dc(user_id) as "Unique users"

search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Failed" AND reason != "bbb" | timechart count by reason

I added refresh="180" to the top of these two dashboards and left them open in my browser for about one hour (with the common date picker set to "last 24 hours"). After this, I was surprised to see that dashboard "A" in "Splunk App for Chargeback" consumed around 5 SVCs while dashboard "B" used around 15 SVCs. So the dashboard with the base search was way more expensive than the "normal" one. I thought it would be much cheaper. Why is that? Did I construct my base/post-process queries badly? If yes, what should I change? I searched a lot, and found only one comment on the Splunk community here: https://community.splunk.com/t5/Dashboards-Visualizations/Base-Search-for-dashboard-optimization/m-p/348795 "However, I do not recommend it when dealing with large data because base search is slow." which implies that maybe a base search is not always the cheaper solution?! So I executed only my base search in Splunk for a 24-hour interval, and it gave back a table with around 3,000,000 rows. Does this count as a large data set? Should I forget about using base searches? Thank you very much for your help!
Hi to all, I need help with creating an Active Directory changes report. I used Windows events like 4728, 4729, 4730 but could not print to PDF. Is there a search that will return all changes (creation, deletion) of global groups? Thank you!
Need some help. I can't wrap my head around this. I need to look up a CSV which contains clientip and compare it against my results, which also have the IP in the field clientip, to show in a new column whether they match or not:

| index=foo .... [| inputlookup IPlist.csv | fields clientip | rename clientip AS knownIP]
| eval isMatching = if(clientip == knownIP, "matching", "notmatch")
| table clientip, field x, field y, field z, isMatching

Am I way off base here? Should I be looking at other commands? I get zero results with this. Without it, my main search runs fine and many events with IPs show. Much appreciated
Hi Splunkers, I spent a long time trying to figure out this story: I need to create a new alert under the name (failed-handshake) in the custom email template to notify the tech arch teams if we receive handshake errors in the web logs. The base search:

index=X sourcetype=Y "Failed handshake due to 15 seconds timeout on channel"

I had some of these errors on 6/10, so I need to adjust the time range to build/test the search and alert. The alert should display: 1) the host, 2) the number of handshake errors, 3) the time of the first instance of the error on the host, 4) the time of the most recent instance of the error on the host. Can anybody help with this, please?
I have created a dashboard panel which displays events from a firewall log. Importantly, this panel is intended to show a request within the context of other requests around it. Filtering isn't desirable, as that removes the request from the context. The dashboard uses the search:

[ search index=firewall src_ip=$src$ dest_ip=$dest$ | eval earliest = min(_time)-60 | eval latest = max(_time)+60 | table earliest, latest ] index=firewall dest_zone=external src_ip=$src$
| sort _time asc
| table _time src_ip dest_ip InitiatorPackets InitiatorBytes ResponderPackets ResponderBytes URL SSLServerName URLReputation URLCategory sourcetype

This search can result in many rows, and the panel paginates them as expected. However, because the panel is displaying results from both before and after the event in question, that event is likely to end up somewhere in the middle of the results and on a page after the first. Is it possible to search within these results and have the panel automatically jump to the page where the expected result is displayed? E.g. if the request with the matching $src$ and $dest$ IP addresses is on page 3, then after the panel loads the data, it auto-navigates to page 3? As a secondary question, is it possible to add a search box to the panel which would allow searching within the table and jumping the panel to the page with the expected result? E.g. I have some sort of text box above just that panel. If I type 'foobar.com' in the text box, the panel jumps to the first page where 'foobar.com' is seen in the SSLServerName column?
Hi, I need to write a query that converts a time value from minutes to the format Xh Xmin Xs. My query:

| eval finish_time_epoch = strftime(strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval start_time_epoch = strftime(strptime(START_TIME, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval duration_s = strptime(FINISH_TIME, "%Y-%m-%d %H:%M:%S") - strptime(START_TIME, "%Y-%m-%d %H:%M:%S")
| eval duration_min = round(duration_s / 60, 2)
| chart sum(duration_min) as "time" by Yd_count_data
I want to create a query that would combine all the duration values into one by adding them up for each TimeDate. The result should look something like this:

Duration | TimeDate
03:59:18 | 2022-07-31
......... | 2022-06-30
........ | 2022-05-30

and so on
Hi all, we are using the Splunk Cloud platform and planning to upgrade the deployment server to 9.0 to remediate a vulnerability. Is it required to upgrade the forwarders also? The forwarder versions currently in use are 8.2.4 and 8.0.0. Please suggest. Thanks
Hi, I have Splunk 8.1.4 with Splunk Add-on for Cisco ESA 1.5.0. I also have the old app Cisco Security Suite which, even though it does not support Splunk 8.1.4, shows results, so I planned to get inspired by its query for Message tracking --> Transaction details:

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" subject="*TEST*"

I think the ESA events are getting to Splunk correctly; I use Syslog Connector for Splunk. The test I performed is the following: 1. send an email from my corporate email to Gmail with the subject TEST; 2. simply reply from Gmail. With the above query I would expect to see two events, but I only see the outgoing event. I tried to filter by recipient and it returned zero results:

index=cisco eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="xxxx@yyy.zz" dest_interface="*" policy_direction="*"

If I do a simpler query without the transaction command, I can see an event with the right internal recipient, which corresponds to the incoming email that I could not find previously. But in that event there is no subject field:

index=cisco eventtype=cisco-esa recipient="xxxx@yyy.zz"

Could someone help me out with a query that consolidates inbound/outbound emails with filtering capabilities? Thanks
I have a use case where, once a particular datetime is entered as input on the dashboard, I need to show search log result panels from two time frames side by side. Say the entered value is "07/06/2022:14:00:00":

1) -1 hr from the time entered (in this case "07/06/2022:13:00:00" - "07/06/2022:14:00:00")
2) From the time entered until now (in this case "07/06/2022:14:00:00" - NOW)

I am capturing the datetime entered as a time token. How do I set another time token relative to the value entered on screen in the dashboard, so that I can use both of these tokens as earliest and latest for the first use case? Thanks
Hello, the request below works perfectly thanks to the help found on this forum. Now I would like to automate this request to run every week and receive it as a weekly report. I have tested the time range options, but I have the impression that they are not taken into consideration:

| inputlookup file1.csv | rename count as "file1"
| append [| inputlookup file2.csv | rename count as "file2" ]
| append [| inputlookup file3.csv | rename count as "file3" ]
| append [| inputlookup file4.csv | rename count as "file4" ]
| append [| inputlookup file5.csv | dedup _time | rename count as "file5" ]
| append [| inputlookup file6.csv | rename count as "file6" ]
| where _time > strptime("2022-06-26","%Y-%m-%d") AND _time < strptime("2022-07-04","%Y-%m-%d")
| stats values(*) as * by _time
| addtotals col=t row=f label=Total labelfield=_time

Thanks
Problem replicating config (bundle) to search peer ' hostname:8089 ', Upload bundle="/SPLUNK/splunk/var/run/EF6-16xxx567.bundle" to peer name=hostname uri=https://hostname:8089 failed; error="Cannot resolve hostname".

I constantly see this error on my search head. What causes this, and how do I go about fixing it? Other files are being replicated except this bundle, even though its size is also only 75 MB, just like the other bundles.
Hi All, I am trying to fetch events by comparing two conditions, but I am unable to do that. I have a sample log like this:

[15:53:12.172] [WARN ] [] [c.c.n.t.e.i.T.ServiceCalloutEventData] [] - channel="null", productVersion="2FE1-5634ab725", apiVersion="V1", uuid="2Fedec2-16f0-4988-b1fa-68db0c565a9f", eventDateTime="2022-07-11T05:53:12.172Z", severity="WARN", code="ServfefrventData", component="wDEGG", category="integrational-eFsdal", serviceName="Details", eventName="_RESPONSE", message="CadfSFDresponse", start="1657518790580", stop="1657518792172", elapsed="1592", exceptionInfo="null", url="https://scdssfg.com/npp-mms/v1/mandates/actions/DVd", httpResponseCode="500", priority="NORM", servicingAgentBIC="CTBAAUSNXXX", swiftMessagePartnerBIC="RESTMP1", messageIdentification="beb727a900dd11edaf1a69ae7e224ce5", mandateIdentification="111536a1519111ec9bb20e6904f27a9e", returnCode="APS.API.6544"

I need to fetch all the events with every httpResponseCode, compare with returnCode, and then decide the severity type. For all other status codes the type cannot differ, but for 500 (httpResponseCode) only, the severity type differs based on returnCode. So I need to write a query such that when the httpResponseCode hits 500 it checks the returnCode, and for the remaining codes there is no need to check any returnCode.
index=a_audit
| rex field=log "eventName=\"*(?<eventName>[^,\"\s]+)"
| rex field=log "serviceName=\"*(?<serviceName>[^\"]+)"
| rex field=log "severity=\"*(?<severity>[^\"]+)"
| rex field=log "exceptionInfo=\"*(?<exceptionInfo>[^\"]+)"
| rex field=log "httpResponseCode=\"*(?<httpResponseCode>[^\"]+)"
| rex field=log "returnCode=\"*(?<returnCode>[^\"]+)"
| stats count by eventName serviceName severity exceptionInfo httpResponseCode returnCode
| search serviceName="Details" AND eventName="RESPONSE" AND (severity=ERROR OR severity=WARN)
| eval severityType=(httpResponseCode=400 OR httpResponseCode=401 OR httpResponseCode=403 OR httpResponseCode=404 "FATAL") AND (httpResponseCode=500 IN (returnCode=APS.API.6544)
| where count>1

I can't compare 2 conditions for the same field. Can you help me with this?