All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Good morning, when will RHEL9 be supported in Splunk Free/Enterprise?
I have a field called query that's like so:

    (index="abc" OR index="def") (host="ghi" OR host="jkl") (sourcetype="mno" sourcetype="pqr") (source="stu" source="vwx") "*yz*"

I am trying to leverage it in a map search:

    <search that gets me the above field> | map search="search $query$"

It doesn't seem to work. How do I go about doing it if another way is possible? Just to clarify, map doesn't have to be the only solution; I simply need a solution to use the query field to perform a search per row (in addition to stats count) to find the number of results returned for each search.
I have an existing add-on app. I need to add a new field in the configuration section in Add Account (please check the attached screenshot). The field should be of type radio select. Based on the selected option, I need to make different API calls to pull the data. I tried adding the new field in globalConfig.json, deleted the existing app, created a tar.gz of the updated app and installed it, and restarted Splunk, but I don't see the new field in the UI. Could you please suggest what's wrong here? Also, if there is a better way to modify the UI and Python code, kindly suggest.
Hello, I have a search (timechart) with a dynamic span (minspan=1h). Is there a way (a token?) to get the span used, so I can use it in a drilldown? Thanks
Hi Splunkers, I was wondering if this is possible with the tstats command: get the dynamic value from a savedsearch result or a lookup? The savedsearch or lookup is updated every hour.

    | tstats max(_time) as last_updated WHERE index=* BY index, host

To avoid the wildcard, I was thinking it would be efficient if that is possible. Appreciate any response. Thanks!
Hi all, I'm trying to extract the username from the _raw field using regex. How do I extract the username? The username comes after some parameters; the parameters look like:

    (\"requestParameters\": {\"userName\": <username>)
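As an added example (not part of the post above, and not Splunk's own code), here is the same extraction written in Python, on a constructed event whose JSON arrives with escaped quotes, as the fragment quoted in the question suggests. It shows a regex equivalent of a rex alongside a parse of the embedded JSON, which is the safer choice when the extracted username feeds a detection or an allow-list. The field layout, the sample record and the function names are assumptions for illustration.

```python
import json
import re
from typing import Optional

# Constructed sample event (not from the post): the audit record is carried
# inside a quoted string, so its quotes arrive escaped, matching the
# \"requestParameters\": {\"userName\": ...} fragment shown in the question.
SAMPLE_RAW = (
    '2024-01-01T00:00:00Z host1 audit="{\\"eventName\\": \\"CreateUser\\", '
    '\\"requestParameters\\": {\\"userName\\": \\"alice\\", \\"path\\": \\"/\\"}, '
    '\\"responseElements\\": null}"'
)

# Regex equivalent of a Splunk rex: the optional backslash before each quote
# lets the same pattern match escaped and plain JSON. The capture stops at a
# quote or backslash, so a userName containing either would be truncated.
USERNAME_RE = re.compile(
    r'\\?"requestParameters\\?"\s*:\s*\{\s*\\?"userName\\?"\s*:\s*\\?"(?P<user>[^"\\]+)'
)


def extract_username_regex(raw: str) -> Optional[str]:
    """Pattern-match userName out of the raw event, as a rex would."""
    m = USERNAME_RE.search(raw)
    return m.group("user") if m else None


def _load_embedded_json(raw: str) -> Optional[dict]:
    """Return the JSON document carried by the event, undoing one level of
    string escaping when the document is embedded as a quoted string."""
    text = raw.strip()
    if text.startswith("{"):
        return json.loads(text)
    m = re.search(r'"(\{.*\})"', text, re.DOTALL)
    if not m:
        return None
    inner = json.loads('"' + m.group(1) + '"')  # decode the JSON string literal
    return json.loads(inner)                      # then parse the document itself


def extract_username_json(raw: str) -> Optional[str]:
    """Parse the JSON instead of pattern-matching it. The parser honours the
    real structure, so a userName value is only ever taken from the
    requestParameters object, not from whatever text follows the key."""
    try:
        doc = _load_embedded_json(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    params = doc.get("requestParameters")
    if not isinstance(params, dict):
        return None
    user = params.get("userName")
    return user if isinstance(user, str) else None


if __name__ == "__main__":
    print(extract_username_regex(SAMPLE_RAW))  # alice
    print(extract_username_json(SAMPLE_RAW))   # alice
```

The regex is what a rex stanza would do and is fine for ad-hoc searching; the JSON path is the one to prefer in a scheduled detection, because a username containing a quote or backslash, or a key that merely looks like userName inside another string, does not fool it.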
Hello, I'm trying to use ldapfilter to add some info to events I collect from MS Exchange, but as soon as my ldapfilter query is dynamic (makes use of $field$) it does not return anything. My initial search looks like this:

    index=Exchange Mailboxes=*
    | rex "'?S:Mailboxes=(?<SMailboxes>[^']+)'?;'?S:StoreObjectIds"
    | makemv SMailboxes delim=";"
    | mvexpand SMailboxes
    | top SMailboxes limit=50
    | rex field=SMailboxes "(?<m1>..)(?<m2>..)(?<m3>..)(?<m4>..)-(?<m5>..)(?<m6>..)-(?<m7>..)(?<m8>..)-(?<m9>..)(?<m10>..)-(?<m11>..)(?<m12>..)(?<m13>..)(?<m14>..)(?<m15>..)(?<m16>..)"
    | eval conv="\\\\" . m4 . "\\\\" . m3 . "\\\\" . m2 . "\\\\" . m1 . "\\\\" . m6 . "\\\\" . m5 . "\\\\" . m8 . "\\\\" . m7 . "\\\\" . m9 . "\\\\" . m10 . "\\\\" . m11 . "\\\\" . m12 . "\\\\" . m13 . "\\\\" . m14 . "\\\\" . m15 . "\\\\" . m16
    | table SMailboxes,conv

And the result looks like this:

    SMailboxes                            conv
    7409c768-ed1b-45dd-8d5d-d36e65af77c1  \\68\\c7\\09\\74\\1b\\ed\\dd\\45\\8d\\5d\\d3\\6e\\65\\af\\77\\c1

All good. Things go wrong when I add ldapfilter:

    index=Exchange Mailboxes=*
    | rex "'?S:Mailboxes=(?<SMailboxes>[^']+)'?;'?S:StoreObjectIds"
    | makemv SMailboxes delim=";"
    | mvexpand SMailboxes
    | top SMailboxes limit=50
    | rex field=SMailboxes "(?<m1>..)(?<m2>..)(?<m3>..)(?<m4>..)-(?<m5>..)(?<m6>..)-(?<m7>..)(?<m8>..)-(?<m9>..)(?<m10>..)-(?<m11>..)(?<m12>..)(?<m13>..)(?<m14>..)(?<m15>..)(?<m16>..)"
    | eval conv="\\\\" . m4 . "\\\\" . m3 . "\\\\" . m2 . "\\\\" . m1 . "\\\\" . m6 . "\\\\" . m5 . "\\\\" . m8 . "\\\\" . m7 . "\\\\" . m9 . "\\\\" . m10 . "\\\\" . m11 . "\\\\" . m12 . "\\\\" . m13 . "\\\\" . m14 . "\\\\" . m15 . "\\\\" . m16
    | table SMailboxes,conv
    | ldapfilter debug=true domain="default" basedn="..." search="(msExchMailboxGuid=$conv$)" attrs="name"

-> the result is empty. In the ldapfilter, if I replace "$conv$" with "\\68\\c7\\09\\74\\1b\\ed\\dd\\45\\8d\\5d\\d3\\6e\\65\\af\\77\\c1" then the query works and the attribute "name" is properly returned and added to the table.
How can I make things work with $conv$ in order to have proper results (and not the same static "name" for every event)? I've tried so many combinations: from 1 to 4 \, with or without quotes/single quotes, making $conv$ the whole "search" value, etc. Nothing works.
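The byte reordering the post builds by hand with rex and eval is the little-endian GUID layout that Active Directory stores in binary GUID attributes, and the \xx form is the RFC 4515 escape for one octet in a filter. As an added example (not part of the post, and not the ldapfilter command's own code), the following Python reproduces the post's working static value from its GUID, validates the input first, and shows the escaping any caller-supplied text needs before it goes into a filter, since an unescaped value can rewrite the query (LDAP filter injection). The function names and the name filter are assumptions for illustration.

```python
import uuid
from typing import Optional

# The post's working value, used here as a constructed check: this GUID must
# encode to the byte string shown in the question (first three groups
# byte-swapped, the remaining eight bytes in order).
SAMPLE_GUID = "7409c768-ed1b-45dd-8d5d-d36e65af77c1"


def guid_to_filter_value(guid_text: str) -> Optional[str]:
    """Encode a textual GUID as the escaped octet string an LDAP filter needs
    to match a binary GUID attribute (msExchMailboxGuid, objectGUID).

    uuid.UUID validates the text (junk returns None instead of a garbage
    filter) and .bytes_le yields the stored GUID layout: time_low, time_mid
    and time_hi_version little-endian, the remaining eight bytes as written.
    Each byte is emitted as a backslash plus two hex digits, the RFC 4515
    escape for an arbitrary octet.
    """
    try:
        u = uuid.UUID(guid_text)
    except ValueError:
        return None
    return "".join("\\%02x" % b for b in u.bytes_le)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for text interpolated into a filter. Without it a
    value such as *)(objectClass=* changes the shape of the query."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def mailbox_filter(guid_text: str) -> Optional[str]:
    """Filter equivalent to the post's search="(msExchMailboxGuid=$conv$)"."""
    encoded = guid_to_filter_value(guid_text)
    return None if encoded is None else "(msExchMailboxGuid=%s)" % encoded


def name_filter(name: str) -> str:
    """Filter on a text attribute, escaping the caller-supplied value."""
    return "(name=%s)" % ldap_escape(name)


if __name__ == "__main__":
    print(mailbox_filter(SAMPLE_GUID))
    print(name_filter("Sales (EMEA)"))
```

Two things carry over to the search in the post: the encoding itself is a byte-order rule, not string juggling, so a malformed GUID should be rejected rather than turned into a half-filled pattern; and any value taken from event data that is interpolated into a filter, whether by eval or by a $token$, needs the same escaping of the filter metacharacters before it reaches the directory.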
I recently upgraded the eStreamer add-on from version 3.0.0 to 5.1.0 on our Splunk Heavy Forwarder. Since there were no specific upgrade steps mentioned to upgrade from the old version to the latest, I installed the add-on over the existing one. However, after installing the new add-on, we stopped receiving logs from IPS and got the below error when I ran the following command:

    /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test

ERROR below:

    Traceback (most recent call last):
      File "./estreamer/preflight.py", line 34, in <module>
        import estreamer.crossprocesslogging
      File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/__init__.py", line 28, in <module>
        from estreamer.connection import Connection
      File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 23, in <module>
        import ssl
      File "/opt/splunk/lib/python3.7/ssl.py", line 98, in <module>
        import _ssl # if we can't import it, let the error propagate
    ImportError: /opt/splunk/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so: undefined symbol: SSL_CTX_get0_param
Here is what is on Splunkbase (maybe others, too):

    Umbrella Add-on for Splunk Enterprise: https://apps.splunk.com/app/3629/ (also on GitHub)
    Cisco Umbrella Add-On for Splunk: https://splunkbase.splunk.com/app/3926/
    Cisco Umbrella Investigate Add-on: https://splunkbase.splunk.com/app/3324/ (https://developer.cisco.com/docs/cloud-security/#!umbrella-investigate-add-on-for-splunk/set-up-credentials)
    Cisco Cloud Security Umbrella Add-on for Splunk: https://splunkbase.splunk.com/app/5557/

There is clearly a great deal of duplication and I am VERY confused about what is what and which to use. There are at least 2 things to be done:
1: Data Input: Pull in security events.
2: Ad-Hoc Lookup: Enrich Splunk events with threat detail.
I am hoping for 2 kinds of help:
1: A suggestion on which apps to use.
2: Step-by-step details on how to set each up.
Hi there, how do I showcase only the US on the choropleth map for the dashboard? That is, the dashboard panel should have two views: one US view and one world view. I know we can zoom out and in, but you'd have to do that each time you load the dashboard for the US-related view. Appreciate the help.
Hi, I am trying to build a multi-input textbox dashboard based on a KV store lookup. My query is like this:

    | inputlookup <some-host-detail-kvlookup> | search $computer_name$ OR $computer_number$ OR $computer_id$ | fields computerName computerNumber ComputerId ...

Each token has a prefix, i.e. <fieldName>= (which is the column header field in the lookup). Each token also has an initial value = null, thus the query runs like this:

    | search computerName=null OR computerNumber=null OR ComputerId=null
    | search computerName=FOO OR computerNumber=null OR ComputerId=null

As you can see, setting the <fieldName> to null allows the search to run without breaking, but after a user enters FOO for the computerName value, they need to reset the blank search inputs back to null. Otherwise, if a blank is passed like

    | search computerName= OR computerNumber=null OR ComputerId=null

the search breaks. Any suggestions on how to ignore the empty inputs, or a way to reset the initial values to null again, are greatly appreciated. Or, if anyone has a suggestion to do this another way, I would very much like to hear it. Thank you
Hi guys, I'm a Splunk beginner and I'm having some trouble making a specific query. I have a health check log, and I want to know how many times the user restarts my app. The first health check log is when the user logs in for the first time, and the next ones are the times that the user restarts my app. This is my current query:

    index=myIndex Title=Healthcheck | stats count by Data.Ip

With the result of this query I have the total times the user opened my app, but I want to remove just 1 from the count of each user.

Current result:

    Data.IP       count
    4.21.28.39    5
    21.224.60.37  3

Expected result:

    Data.IP       count
    4.21.28.39    4
    21.224.60.37  2
I'm in a situation where, by sourcetype, I already have a nested JSON array broken into 2 fields: DeviceProperties{}.Name and DeviceProperties{}.Value. There are 16 elements in each array. I'm trying to simply create a field whose name is the value of the second element in DeviceProperties{}.Name and whose value is the value of the second element in DeviceProperties{}.Value. In this scenario I think I can get away with just creating a field with just DeviceProperties{1}.Value, but I haven't been successful in doing that. I've tried using the json_extract function, but I think I am getting the syntax wrong, and I haven't found any examples yet that are trying to do this exact scenario where the JSON array was already created as a multivalue field.
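The two multivalue fields in the post are parallel lists that only line up by position, which is what makes the pairing fragile. As an added example (not part of the post, and not Splunk's own extraction code), the following Python builds those two lists from a constructed event the way the automatic JSON extraction flattens them, then pivots them back into one field per property, refusing to pair them when the lists have drifted apart and keeping every value when a Name repeats. The sample event and the function names are assumptions for illustration.

```python
from typing import Dict, List, Union

# Constructed sample (not from the post): the nested array as it would sit in
# the original event. Splunk's automatic JSON extraction flattens it into the
# two parallel multivalue fields named in the question.
SAMPLE_EVENT = {
    "DeviceProperties": [
        {"Name": "OS", "Value": "Windows 10"},
        {"Name": "DisplayName", "Value": "LAPTOP-01"},
        {"Name": "OS", "Value": "10.0.19045"},
        {"Name": "IsCompliant", "Value": "True"},
    ]
}


def flatten_like_splunk(event: dict) -> Dict[str, List[str]]:
    """Produce DeviceProperties{}.Name / DeviceProperties{}.Value, the form the
    question starts from: the two lists correspond only by index."""
    props = event.get("DeviceProperties", [])
    return {
        "DeviceProperties{}.Name": [p["Name"] for p in props],
        "DeviceProperties{}.Value": [p["Value"] for p in props],
    }


def pivot_properties(names: List[str], values: List[str]) -> Dict[str, Union[str, List[str]]]:
    """Rebuild one field per property from the two parallel lists.

    A length mismatch means the lists no longer line up by position (an
    element missing its Value, say), so refuse instead of silently pairing a
    Name with the wrong Value. A repeated Name keeps every value, mirroring a
    multivalue field, rather than letting the last occurrence win.
    """
    if len(names) != len(values):
        raise ValueError("Name/Value lists differ in length: %d vs %d" % (len(names), len(values)))
    merged: Dict[str, List[str]] = {}
    for name, value in zip(names, values):
        merged.setdefault(name, []).append(value)
    return {k: (v[0] if len(v) == 1 else v) for k, v in merged.items()}


def pivot_event(event: dict) -> Dict[str, Union[str, List[str]]]:
    """Flatten and pivot in one step, as a scheduled search over the raw event would."""
    flat = flatten_like_splunk(event)
    return pivot_properties(flat["DeviceProperties{}.Name"], flat["DeviceProperties{}.Value"])


if __name__ == "__main__":
    print(pivot_event(SAMPLE_EVENT))
```

Addressing the second element by position, as DeviceProperties{1}.Value does, works only while the array order is stable; pivoting by Name gives a field that survives reordering and makes a missing or duplicated property visible instead of shifting every later value by one.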
I tried looking around to see if anyone else has encountered the same issue as me and I couldn't find anything. On Splunk Cloud, when I attempt to install an app from the "Browse More Apps" page, it pops up the login for half a second, then refreshes the page to a specific keyword search. I have tried in two different browsers and have experienced the same behavior. I am not sure what to do, as I need to install apps and can't. Any help is appreciated.
Hello, I have a requirement to populate the "Time2" time picker automatically based on the selection in the "Time1" time picker. The "Time2" time picker should be = Time1 - 1 day. For example, if I choose Today in Time1, then Time2 should be automatically populated as "Last 1 day". If I choose Yesterday in Time1, then Time2 should be automatically populated as "Last 2 days" (starting from 12:00 AM the day before yesterday till the end of yesterday). @bowesmana
Hi, I need to extract only the name values (the first word value, e.g. james) from the Name field below. I tried with

    rex field=Name mode=sed "s/\W+\s\w.*//g"

but it is not working.

    Name
    james buildingA
    jack buildingB firstfloor

Can you please help me with this.
Hello, I'm trying to pull the final value for a product name. In a single event, we make multiple calls to an API for the product name, and the product may change with each API call. I'm trying to build out a table for the final product name (the field doesn't change), but can't figure out what command to use. Here's what I have so far:

    index=conversation crm_accounts_phone__product_name=* | rename crm_accounts_phone__product_name as product | stats latest(product) | table product

Appreciate any help!
According to this article, Basic Authentication Deprecation, MS is moving to modern authentication in October of 2022. As of now, the only authentication method allowed in the app is basic. I see here https://splunkbase.splunk.com/app/3720/ that they will update the app. Does anyone know an ETA for that? What I'm driving at is, I'd like to see the ability to switch between auth methods before basic auth gets deprecated by MS.
Invalid earliest_time error on PDF. XML tags in the source:

    <earliest>-4h@h</earliest>
    <latest>now</latest>