I have a list of products (that I have in a CSV lookup) with fields such as prod_name, product_ID, price_tag. Lookup name: myproduct.csv. I want to compare all my products from my lookup: are they "price tagged" or not? I have an index and sourcetype that contain events of all the products that are "price tagged."
index=all sourcetype=all_price_tagged_poducts
Fields: prod_ID (same as product_ID of the lookup)
If the product_ID value from my lookup is present in any of the events in sourcetype=all_price_tagged_poduct, then I know that all products in my .csv lookup are 'price tagged'. Need help to write a query for it.
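One way to build that comparison, as an added example that is not from the original post: count the "price tagged" events per prod_ID, append the lookup rows with inputlookup, and then flag each lookup product by whether the index contributed any events for it. The index, sourcetype and lookup names are the ones written in the question (the sourcetype is used exactly as spelled there); the in_lookup marker and the price_tagged output column are my own names.

```spl
index=all sourcetype=all_price_tagged_poducts
| stats count AS tagged_events BY prod_ID
| rename prod_ID AS product_ID
| inputlookup append=true myproduct.csv
| eval in_lookup=if(isnull(tagged_events), 1, 0)
| stats sum(tagged_events) AS tagged_events, max(in_lookup) AS in_lookup, values(prod_name) AS prod_name, values(price_tag) AS price_tag BY product_ID
| where in_lookup=1
| eval price_tagged=if(isnotnull(tagged_events) AND tagged_events>0, "yes", "no")
| table product_ID prod_name price_tag price_tagged
```

Rows that came from the index carry tagged_events and rows that came from the lookup do not, which is what the in_lookup marker keys on; the final where drops products that are tagged in the index but missing from the CSV. To get a single yes/no for the whole lookup, append `| stats count AS total, sum(eval(if(price_tagged="no",1,0))) AS untagged` and check that untagged is 0.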
Hello, I have a field that does not appear in the list of fields on the left when doing a search. I have looked for information on the internet about what could be the cause and the solution to this problem, but in my case it is not because I do not run the search in "Verbose mode", it does not appear in less than 1% of events, and it is not because I have not chosen All Fields in the "X more fields" section, which apparently are the reasons why most people have this problem. What surprises me is that when I create another "Extraction field" the field I need appears in the list of available fields, so I can't create another field that collects the same as the field in question (from the GUI). The only solution I have found, which in principle does not work for me because I need it to be visible in the list I mentioned before, is to do the search using the rex command or the extract reload=T command. So, my question is, do I have to make any changes in any configuration file, or could I do something to make the field I need available in the list of available fields I mentioned above (the one on the left when you make a search)? Thanks in advance and best regards.
Hi, We would like to ingest some metrics from a third party into AppDynamics. I would like to know if it is possible. I was thinking about the API, but I have seen that we can't do it based on the official information; ingesting Events is the only possibility to ingest something. Thanks, Carlos
Hello, My alert result is a table like this. I set the recipient as the token $result.EMAIL_LIST$ and the trigger is [For each result], and for each row it sends an email, as expected. I want it to send each corresponding recipient their own block of data (inline in the email), for example NASB 1 row, COOBACK 4 rows, SEAB 9 rows, etc. I'm thinking about grouping them by EMAIL_LIST, but then the table doesn't look good and neat anymore. Does anyone have a solution for this? Thanks in advance.
I am configuring Splunk_TA_fortinet_fortigate and no data is indexed. What might be the issue? Splunk_TA_fortinet_fortigate is installed on a Heavy Forwarder. The input is defined:

[splunk@ilissplfwd09 local]$ cat inputs.conf
[udp://GS-J7-FAZ3K-01-10g.corp.amdocs.com:55555]
connection_host = none
index = test
sourcetype = fortigate_log
[splunk@ilissplfwd09 local]$

From default/props.conf:

[fgt_log]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fortigate
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true

From the logs:

06-13-2022 12:44:04.870 +0300 INFO Metrics - group=udpin_connections, xxxxxxxxxx:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000
component = Metrics
date_zone = 180
event_message = group=udpin_connections, xxxxxxxxxxxxx:55555, sourcePort=55555.000, _udp_bps=0.000, _udp_kbps=0.000, _udp_avg_thruput=0.000, _udp_kprocessed=0.000, _udp_eps=0.000
host = xxxxxxx
index = _internal
log_level = INFO
source = /opt/splunk/var/log/splunk/metrics.log
sourcetype = splunkd
splunk_server_group = dmc_group_indexer
splunk_server_group = dmc_indexerclustergroup_C7623105-1D08-4451-8FC9-DCCE1F03C748

No data is indexed and no error messages are generated in the internal indexes.
Hi there, I have a Windows Server 2008 without AD. I would like to forward Windows event logs from Windows Server 2008 to a Heavy Forwarder running on Linux. I have tried: 1. Native WEF 2. Syslog-ng 3. NXLog. None of them are working since they all require a domain subscription and I don't have AD. I have written a PowerShell script to export the Windows event logs but don't know how to forward this log to the HF running on RHEL. Kindly let me know how to proceed. Thanks in advance.
I want to have multiple links between two nodes like below:

Node1                      Node2
###--------------------###
###--------------------###
If the data is present in JSON format {[]}, it gets extracted; however, when the data is present in {} as shown below, it doesn't behave the same. How can fields and values be extracted from data in {}?

_raw data:
{"AlertEntityId": "abc@domai.com", "AlertId": "21-3-1-2-4--12", "AlertType": "System", "Comments": "New alert", "CreationTime": "2022-06-08T16:52:51", "Data": "{\"etype\":\"User\",\"eid\":\"abc@domai.com\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"abc@domai.com\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"Jeff Nichols <jeff@Nichols.com>\",\"sip\":\"1.2.3.4\",\"srt\":\"1\",\"trc\":\"abc@domai.com\",\"ms\":\"Grok - AI/ML summary, case study, datasheet\",\"lon\":\"UserSubmission\"}"}

When I perform the query "| table Data", I get the result below, but how do I get the values of "eid" and "tsd"?
{"etype":"User","eid":"abc@domai.com","op":"UserSubmission","tdc":"1","suid":"abc@domai.com","ut":"Regular","ssic":"0","tsd":"Jeff Nichols <jeff@Nichols.com>","sip":"1.2.3.4","srt":"1","trc":"abc@domai.com","ms":"Grok - AI/ML summary, case study, datasheet","lon":"UserSubmission"}
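An added example (not part of the original post) of pulling the nested keys out of the Data field with spath. Data is a JSON string embedded inside a JSON event, so it is parsed in two steps: the first spath extracts the string from _raw (undoing the backslash escapes, which is the form shown after "| table Data"), and the second parses that string as JSON. The index and sourcetype are placeholders to replace with your own; the field names are the ones in the sample event.

```spl
index=<your_index> sourcetype=<your_sourcetype> AlertType=System
| spath input=_raw path=Data output=Data
| spath input=Data path=eid output=eid
| spath input=Data path=tsd output=tsd
| spath input=Data path=sip output=sip
| spath input=Data path=op output=op
| table AlertId AlertType CreationTime eid tsd sip op
```

If automatic KV extraction already produces Data at search time, the first spath is redundant but harmless. `| spath input=Data` with no path argument extracts every key of the inner object at once, which is convenient for exploration but names the fields after the short keys (etype, eid, ...) with no prefix, so the explicit path/output form above is safer in saved searches.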
hello In my dashboard, I need to compare 2 single panel values between 2 different times. The first single panel stats the events over the last 15 minutes like this:

| stats max(sys_session_count) as session by host
| stats sum(session) as session
| table session

Now, what I need to do is compare this current single panel value with the result one week before during the same time slot. For example, today is the 13th of June and the current time is 8:15 AM, so in the second single panel I need to display the result for the 6th of June at 8:15. Here is what I am doing:

`index` sourcetype="system" earliest=-7d@d+7h latest=-7d@d+19h
| bin _time span=15m
| eval time=strftime(_time,"%H:%M")
| stats max(sys_session_count) as session by host time
| stats sum(session) as session by time
| eval current=now()
| bin current span=15m
| eval current=strftime(current,"%H:%M")
| where time=current
| table session time

But I think it's not good because whatever the time is (8:15, 8:30, 8:45...), the results are almost the same. So does anybody have an idea in order to answer my need correctly? thanks
Splunk is not receiving data from forwarders. Host OS: Windows Server 2012 R2.
1. Restarting the Splunk forwarder is not working; getting some error messages on the CMD prompt.
2. Re-installed the Splunk forwarder; data started indexing for a few minutes and stopped again.
3. Checked the Splunk forwarder service; all the time it is in the running state.
Getting the error below (sample part of the error) when restarting the forwarder:

No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_hostservice360-windows_adc_win-x86-64_iis\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_hostservice360-windows_adc_win-x86-64_iis\local\inputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_hostservice360-windows_adc_win-x86-64_iis\local\props.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_infra360host_adc_win-x86-64\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_infra360host_adc_win-x86-64\local\inputs.conf
Invalid key in stanza [WinHostMon://Host OperatingSystem] in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_infra360host_adc_win-x86-64\local\inputs.conf, line 172: showZeroValue (value: 1). Did you mean 'source'? Did you mean 'source type'?
Invalid key in stanza [WinHostMon://Host Processor] in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_infra360host_adc_win-x86-64\local\inputs.conf, line 179: showZeroValue (value: 1). Did you mean 'source'?
I'm trying to fetch the app's configuration using:

const appNamespace = {
  owner: "admin",
  app: appName,
  sharing: "app"
};
const http = new splunkjs.SplunkWebHttp();
console.log(http);
const service = new splunkjs.Service(http, appNamespace);
console.log(service);
stage = 'Retrieving configurations SDK collection';
const configCollection = service.configurations(appNamespace);
console.log(configCollection);
await configCollection.fetch(); // Adding this line is what's causing the error.

But I'm getting an error of "[SPLUNKD] Action Forbidden" when I look at the browser's console. The app's read permission is set to "Everyone".
How do I push apps and TAs from the Deployer server to the SH cluster and then to the Indexers?
I have to exclude the ~ character from one of the fields. Below is the example:

field1=C:\program~\test~.txt
May I know how to set how many times the ping has to fail or succeed before it sends an alert? Currently I was told that it only pings 1 time every 5 minutes, and then it sends out an alert if DOWN, which I think is too short to conclude the IP is DOWN. I want to change it to 5 pings, and only if 100% fail is the IP considered DOWN. May I know how to do it?
Hello Team, I am new to Splunk and have a requirement to create a table based on raw data. This is how the data looks in Splunk:

Date  threadId=ABC123   eventType="InMsg" data="<rootrq><a>hi</a></rootrq>"
Date  threadId=ABC123   eventType="thirdPartyReq" data="<root1req><a>hi</a></root1req>"
Date  threadId=ABC123   eventType=" thirdPartyRes" data="<root1res><a>hi</a></root1res>"
Date  threadId=ABC123   eventType="OutMsg" data="<rootrs><a>hi</a></rootrs>"

I want to create a table like the one below. Can someone please help? threadId is common for all four records.

index=test |

date | threadId | InMsg | OutMsg | thirdPartyReq | thirdPartyRes
date | ABC123 | <rootrq><a>hi</a></rootrq> | <rootrs><a>hi</a></rootrs> | <root1req><a>hi</a></root1req> | <root1res><a>hi</a></root1res>
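An added example (not from the original post) of turning the four per-thread events into one row per threadId. The trick is `eval {eventType}=data`, which creates a field named after the value of eventType, so each event contributes exactly one of the four columns and stats collapses them by threadId. The rex re-extracts eventType and data from the key="value" pairs so the search does not depend on automatic extraction coping with the XML payload; trim() handles the leading space in " thirdPartyRes". Index name and field names are the ones in the question.

```spl
index=test threadId=*
| rex "eventType=\"\s*(?<eventType>[^\"]+)\"\s+data=\"(?<data>[^\"]*)\""
| eval eventType=trim(eventType)
| eval {eventType}=data
| stats earliest(_time) AS date, values(InMsg) AS InMsg, values(OutMsg) AS OutMsg, values(thirdPartyReq) AS thirdPartyReq, values(thirdPartyRes) AS thirdPartyRes BY threadId
| eval date=strftime(date, "%Y-%m-%d %H:%M:%S")
| table date threadId InMsg OutMsg thirdPartyReq thirdPartyRes
```

values() is used rather than first()/last() so that a thread with a repeated step (two thirdPartyReq calls, say) shows every payload instead of silently dropping one; if a single value per column is guaranteed, first() is cheaper and keeps the column single-valued. The date column is the earliest event of the thread, i.e. the InMsg time.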
Hello everyone, I'm looking to make a simple search form with a few text inputs and a drop-down box to search for firewall logs. I would like the output to be shown as events. My company has Palo Alto and Cisco ASA firewalls. All logs are sent to Splunk.
Input text boxes would be: 1.) Source 2.) Destination 3.) Port
Drop-down box would be: 1.) allow 2.) not equal to allow
**For the text inputs I would like all of the fields to be optional in case I don't want to use all 3**
Is there an easy way to accomplish this? Thank you in advance.
Hello All, I am stuck on one problem and I have not been able to find the solution to it so far, so I need all your expertise to help me out. My Splunk setup which I have the problem with: Splunk UF --> Splunk HF --> Splunk Cloud. On the Splunk UF, I have an input configured to monitor a file. I am trying to configure SSL for data transfer between the Splunk UF and the Splunk HF. I have placed the Root CA and the Server/Client certificate in the SPLUNK_HOME/etc/certs directory. Below are my inputs (on the HF) and outputs (on the Splunk UF). For the sslRootCAPath path in inputs.conf and outputs.conf, I have been told by my client that even though the name is different (on the HF and the UF), they are essentially the same.

Inputs.conf (on HF):
[splunktcp-ssl:9997]
#sslPassword = password
disabled = 0
requireClientCert = false
serverCert = /opt/splunk/etc/certs/Cert_HF.pem
sslRootCAPath = /opt/splunk/etc/certs/XXXX_Root_CA.pem

Outputs.conf (on UF):
[tcpout]
defaultGroup=spl_hfs
[tcpout:spl_hfs]
server = INDEXER_1:9997, INDEXER_2:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\certs\Cert_UF.pem
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\certs\XXXX_Root.pem
#sslPassword = password

When I configure the above settings and restart the UF and the HF, I see the error below in the HF splunkd.log and none of the data (not even _internal from the UF via the HF) is indexed. I can see that the HF to Splunk Cloud communication is working as expected, but my UF to HF is throwing the error below.

Error:
ERROR TcpInputProc [1899734 FwdDataReceiverThread] - Message rejected. Received unexpected message of size=369295616 bytes from src=XXXXXX:38998 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

I have tried to look on Google and have even read through the Splunk pages and tried the configs/changes suggested, but I am still struggling to find a working solution. Any help in pointing me in the right direction is highly appreciated.
Also, my few other questions are:
1. My client mentioned that even though the root CA names on the HF (XXXX_Root_CA.pem) and the UF (XXXX_Root.pem) are different, they are the same. Is there any way/command with which I can confirm whether they are really the same or different?
2. Do we need to have the SAME root CA certificate distributed to the HF and the UFs for SSL communications, or can they be different?
3. I have been told that there is no sslPassword attached to the certificates; is there any way/command I can use to confirm this myself rather than taking their word for it?
4. What else can I change/try in the .conf files to see if this SSL config works?
Any replies on my issue are highly appreciated. Thanks, Vikas
Hi. I have a query A:

index="idx" "*Processed*" | table phoneNumber

and a query B:

index="idx" "*Sent*" | table phoneNumber

I need to get all the phoneNumbers from A which are not in B. How can I build the whole query? Thanks in advance!
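One way to compute "in A but not in B" in a single search, as an added example that is not part of the original post: fetch both kinds of events at once, tag each event by which term it matched, aggregate the tags per phoneNumber, and keep only the numbers that were processed but never sent. It uses the index and terms from the question; the is_processed/is_sent helper fields are my own. The (?i) makes the regex case-insensitive to mirror the original wildcard term search.

```spl
index="idx" ("*Processed*" OR "*Sent*")
| eval is_processed=if(match(_raw, "(?i)Processed"), 1, 0)
| eval is_sent=if(match(_raw, "(?i)Sent"), 1, 0)
| stats sum(is_processed) AS processed_count, sum(is_sent) AS sent_count BY phoneNumber
| where processed_count>0 AND sent_count=0
| table phoneNumber processed_count
```

This avoids a `NOT [search ...]` subsearch, which is the other common way to write the difference but is capped by the subsearch result limit (10,000 rows by default) and silently returns wrong answers once query B exceeds it; the stats form scales with the main search instead.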
Q): How to detect ransomware using Splunk? Please also give a query to create an alert for ransomware.
I want to save some metadata (the operational history of the alert, beyond the text description) along with the alert as a JSON object in a field. This is from automated pipelines using the SDK (Node.js/Python) and the POST API to the Splunk servers.