Hi SMEs, What should the MemoryLimit value for a *nix UF be at most? I think usually the UF takes a maximum of 5% of the memory for a normal input config and processing; however, the customer doesn't want to be messed up in the worst-case scenario where the UF is eating all the memory. Thanks
Hi Team, I would like to retrieve the following info through a Splunk search: 1. List of all Splunk searches performed on a single index, along with the list of users and the timestamp of each search performed, for a given period (1 month or 1 year).
Hi Team, Is there any way to pull the last 1000 searches performed on a particular index along with the user who performed each search? 1. Splunk query I am looking for. 2. REST query I am looking for. I am running Splunk 8.0.
Hi, I have a few queries regarding data ingestion from a .csv file. I am interested in knowing the following: 1. What is the most optimal way to bring the data from a .csv file into Splunk? 2. Are there any prerequisites to be satisfied before indexing a .csv file? 3. Are there any limitations in indexing data from a .csv file? 4. Are there any restrictions in indexing data from a .csv file (maximum file size allowed, maximum rows or maximum columns that can be placed in a single .csv file, maximum number of files allowed, etc.)? 5. Is there any Splunk documentation available about this requirement? If so, please share the link. Thanks much!
Hi All, I need to create a use case that would detect admin users changing their own password. So far I have: index=XXX EventCode=4724 | where user=src_user AND src_user_category="privileged" AND user_category="privileged" but I'm not sure how to go about this, as it is not doing the search I want. Any help much appreciated! Thanks all
Hi, I need to filter events in my dashboard from 2 different time pickers. I use a classic time range picker:

<input type="time" token="field1" searchWhenChanged="true">
  <label>Période</label>
  <default>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </default>
</input>

and a custom time range picker:

<input type="dropdown" token="release" searchWhenChanged="true">
  <label>Release</label>
  <choice value="26-27 Janvier">26-27 Janvier</choice>
  <choice value="16_17 Février">16-17 Février</choice>
  <change>
    <condition label="26-27 Janvier">
      <set token="custom_earliest">1643151600</set>
      <set token="custom_latest">1643324400</set>
    </condition>
    <condition label="16-17 Février">
      <set token="custom_earliest">1644966000</set>
      <set token="custom_latest">1645138800</set>
    </condition>
  </change>
  <default>26-27 Janvier</default>
  <initialValue>26-27 Janvier</initialValue>
</input>

Now I need to link my search with these 2 different time range pickers. I added | search release=$release$ to my search, but it doesn't work. How can I do this, please?
We have added the line below in the env_file so that events will be captured and it is easy to identify the sourcetype:

SC4S_DEST_GLOBAL_ALTERNATES=d_hec_debug

In version 1.110.0, we could see all the incoming sourcetypes in it, as below:

$ ls
cisco_asa fortinet_fortios nix_syslog sc4s_events sc4s_fallback vmware_esx zscaler_web

But in version 2.0 up to 2.28.0, we fail to see any sourcetype listed there with the same configuration as above; the "debug" folder is not created even after restarting the server:

[DEV][archive] $ ls
[DEV][archive] $ pwd
/apps/sc4s/archive

Any hints on what changed between version 1 and version 2 that possibly caused the debug mode to fail? (Events are showing in Splunk.) *We just did an in-place upgrade from version 1 to version 2 on the same working servers. If we move back to version 1, the debug directories show again.
The data looks like src:10.124.4.151] and I want to remove this bracket so the data looks like 10.124.4.151. I am trying sed and regex but am unable to solve it. Kindly help.
Hello Splunk Admins, What solutions do you use to get notified on mobile about internal Splunk issues during out-of-office hours? I mean when, e.g., splunkd goes down on indexers, data is not indexed anymore for any reason, etc. We need something free of charge. There is no other team except us who needs to be notified about the issue. I have heard about the Splunk On-Call solution, but it seems to be a bit complex. Does anyone have any experience with it? Hoping to get some inspiration. Many greetings, Justyna
Hi Splunkers. I'm trying to integrate Bitdefender GravityZone (Cloud) with Splunk on-premises. I have used the official documentation from the Bitdefender website: https://www.bitdefender.com/business/support/en/77211-171475-splunk.html but I'm stuck in the "Enable the Splunk integration" step. In the beginning, I tried the "Enable the Splunk integration manually" method: I put everything in place and ran the command in the documentation, but ended up with an error stating that "The web server with this URL must support TLS 1.2, at least", as shown in the screenshot below. I have reviewed the documentation again at this link: https://www.bitdefender.com/business/support/en/77209-135319-setpusheventsettings.html. Under the "Important" note: "Event Push Service requires the HTTP collector running on the third-party platforms to support SSL with TLS 1.2 or higher, to send events successfully." But here is the thing: I think that HEC by default only supports TLSv1.2 despite sslVersions=*

$ cat /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
[http]
disabled=1
port=8088
enableSSL=1
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0
# ssl settings are similar to mgmt server
sslVersions=*,-ssl2
allowSslCompression=true
allowSslRenegotiation=true
ackIdleCleanup=true

I have tried to use sslVersions=tls1.2 but nothing happened; it still shows the same issue. Can someone please help me figure out how to solve this TLS issue? Afterwards, I tried the "Enable the Splunk integration by running a script" method; again I put everything in place and ran the script, but ended up with an error stating:

FAIL - server response:
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

as shown in the screenshot below. Any idea why this happens? Much thanks.
Hi, We are planning to decommission Splunk Enterprise in our environment. We need to stop sending data to Splunk. How should we proceed, and where should we start? Can we find any SOP for this decommission process? But we want to store the indexed data for more than 365 days. This is a new task we are handling for the first time; any proper guidance will be much appreciated. Thanks in advance.
Splunk must be restarted for changes to take effect. Contact Splunk Cloud Support to complete the restart. But I do not have permission to raise a support ticket because I am still in the trial stage. Thanks
Hello Team, We have a Splunk Cloud licensed server. How do I make REST API request calls to Splunk Cloud from Postman? The management port is already enabled on Splunk, but I am still getting a timeout error. Pl
Hi all, This is the change condition in 3 inputs:

<change>
  <condition label="Any">
    <set token="flag_1">0</set>
  </condition>
  <condition>
    <set token="flag_1">1</set>
    <set token="showDetails">true</set>
  </condition>
</change>
<change>
  <condition label="Any">
    <set token="flag_2">0</set>
  </condition>
  <condition>
    <set token="flag_2">1</set>
    <set token="showDetails">true</set>
  </condition>
</change>
<change>
  <condition label="Any">
    <set token="flag_3">0</set>
  </condition>
  <condition>
    <set token="flag_3">1</set>
    <set token="showDetails">true</set>
  </condition>
</change>

This is the drilldown for setting the "showDetails" token to "true" to display another table:

<drilldown>
  <condition field="RuleID">
    <set token="form.ruleID_tok">$click.value2$</set>
    <set token="flag_1">1</set>
    <set token="showDetails">true</set>
  </condition>
  <condition field="RuleDescription">
    <set token="form.ruleDescription_tok">$click.value2$</set>
    <set token="flag_2">1</set>
    <set token="showDetails">true</set>
  </condition>
  <condition field="RuleLevel">
    <set token="form.ruleLevel_tok">$click.value2$</set>
    <set token="flag_3">1</set>
    <set token="showDetails">true</set>
  </condition>
</drilldown>

And now I want to unset showDetails when (flag_1, flag_2, flag_3) = 0, to hide the table depending on the showDetails token.
I need to exclude events from a timechart only if they fulfil 2 conditions: the field returns 0 for ALL events in the entire day (24 hours) AND the day is a weekend (Saturday & Sunday). I have tried: | eval date_wkend = strftime(_time,"%A") | search NOT (date_wkend = "Saturday" AND varA = 0) | search NOT (date_wkend = "Sunday" AND varA = 0) However, this also excludes the events from a weekend day that has some non-zero results for varA, and since I have to do some further calculations based on a full-day span, my calculations are inaccurate.
I'm a huge fan of the Splunk Docker container. I noticed the 'latest' tag hasn't been updated in a few months and is still Splunk Enterprise 8.2.5, even though Splunk Enterprise 8.2.6 has been released. Then I noticed that even though 'latest' hasn't been updated, the image for Splunk Enterprise 8.2.6 has been added to the Docker images list. See the splunk/splunk tags. I'm no Docker expert, so I'm guessing I am just missing some obvious thing... Why is splunk/splunk:latest not pointing to the latest release, splunk/splunk:8.2.6?
Is there a way to speed up this process? I have an assignment due, but I can't download the OVA of the free Community Edition of Phantom because my account is in review.
Hi all, I'm trying to access the API from Postman, but I'm getting error 401. My question is about the user/pass: should this be the user I use to connect to the URL, or do I have to use the API client? Thanks.
I'm getting a bit annoyed at throttling for each, as although it works, it has a habit of resetting itself if I need to tweak the SPL or the cron time... almost tempted to populate a KV store and take control... anyone else? Does editing savedsearches.conf, or the advanced edit option, allow you to get round what I perceive as annoying behavior?
Hello, How would I specify the time frame in a search to give me the events between 7am and 5pm on weekdays and all results for weekends, within the same search?