All Topics

Hi, my data is in the format below. I am trying to add the total of all the columns and show it as below. Please help me with how I can achieve this. I am also trying to sort by renaming 1, 2 as JAN, FEB and so on, but after renaming it is sorting in alphabetical order. How can I sort month-wise?

Does anyone have any experience ingesting Incidents from Microsoft Sentinel (formerly Azure Sentinel)? I found info about the https://splunkbase.splunk.com/app/4564 add-on, which works with Graph Security, which is supposed to be a "middleware" of sorts between different kinds of security events, but on the other hand I find that data pulled this way is very limited in terms of details. So I thought about calling the Sentinel API directly. There is supposedly an API we could use; it has a PowerShell module. I'm not sure about decent "curlable" docs, but I didn't look very hard for it. Yet. The question, however, is: are we doomed to write something completely from scratch, or is there anything ready that I could use?

Sample Event:
sent=1 received=0 packet_loss=100 min_ping=NA avg_ping=NA max_ping=NA jitter=NA return_code=1 dest=SHTCE***

Tried code:
index=network
| eval Availability=case(received="1", 100, received="0", 0)
| stats avg(Availability) by dest
| sort +avg(Availability)
| rename avg(Availability) as "Availability %"
| streamstats current=f latest(packet_loss) as packet_loss latest(_time) as last_checked latest(_raw) AS prevEvent by dest
| eval downtime = _time - last_checked
| rename dest as Host
| table Host

Hi, thanks in advance. We have a requirement that two GitHub repos are in two different countries (e.g. USA and Canada), so every day we replicate code. A monitoring script would be created which will compare the USA and Canada repositories. This script will be executed as part of the code replication pipelines. The comparison result generated by the script would be saved in a log file. This log file would then be sent to Splunk using the Splunk Forwarder. Alerts would be created in Splunk to send automated email. These alerts would get triggered if any differences are identified between the repositories based on the log data sent to Splunk. Is there any way to compare two repos using a Splunk app directly?

I have a table:

case id   severity   open date   status     age
3241765   critical   6/5/2022    awaiting   30 days
9847636   high       1/6/2022    pending    5 days

I want to highlight the table by queries like these:
- if severity=critical AND status=awaiting or pending, highlight the values critical and awaiting in red
- if severity=critical AND status=awaiting or pending for more than 30 days, highlight the row in red
- if the case has been open for more than 30 days, mark the cell in red

Hi all, I need some assistance please. I am trying to create a report which shows all Active Directory activities carried out. It should contain the following columns: Login, Account, Domain, Group, Host and Date. The Group column shows the name of the AD group which has been added or removed, and the Host is the Domain Controller. The Account column is the asset number of the machine. Thanks in advance!

Hi, I have a dropdown in my Dashboard Studio dashboard which has some static values like this:

TokenName: appName
Display Name   Value
App1           Value1
App2           Value2

In my search query, I need to use both the display name and the value. We can get the value using $appName$, but is it possible to also get the display name? Hoping for some help. Thanks

My Splunk Cloud Free Trial allows me to log in and also offers the option to upload test data. We need to check out the REST API provided by Splunk for Search, for use by our own test application from a computer. Please advise how the Splunk Cloud Free Trial can be set up for REST API access from the internet.

Hello All, I have integrated a Spring Boot application with AppDynamics. I need to collect Request methods (GET, POST, DEL) and Status Codes (200, ...) in my data collectors. I am able to collect User-Agent and Host using HTTP Request Data Collectors, but not Request Methods and Status codes.

I have a dropdown list with manually specified choices - A, C, D and All - but somehow Splunk will auto-populate another option, *, as the default in my dropdown list after saving it. The reason why I do not want * to represent All in my dashboard is that Type might contain B data that I want to exclude from being shown on my dashboard. Does anyone know how to remove this * option? Thank you

<input type="dropdown" token="contentType">
  <label>Type</label>
  <choice value="A">A</choice>
  <choice value="C">C</choice>
  <choice value="D">D</choice>
  <choice value="ALL" OR content_type="C" OR content_type="D">All</choice>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <default>"A" OR content_type="C" OR content_type="D"</default>
  <initialValue>""A" OR content_type="C" OR content_type="D"</initialValue>
</input>

Hi, the DMC has an alert "DMC Alert - Search Peer Not Responding". It works fine when a search peer goes down, but then when it comes back, we should get an alert/notification saying "Search Peer up now", right? Somehow the DMC/Splunk developers missed considering this situation/condition. I can check the "DMC Alert - Search Peer Not Responding" alert's search query and modify it to create the opposite, like "DMC Alert - Search Peer Responding Fine". Now the question is: the "DMC Alert - Search Peer Responding Fine" alert should work only after the first SH down alert. Hope you got this issue. Please suggest how we can achieve this, thanks.

Could you please let me know how to use an evaluated field in the search command?

index=main sourcetype="access_combined"
| eval field1="search-val1|search-val2"
| eval searchval=mvindex(split(field1,"|"),1)
| search "*search-val2*"

I am trying to create a dashboard with one of the searches as above. I get the field1 value from a dropdown list in the dashboard, something like | eval field1 = $searchkey$. The above works with the static value in the search command, but I am trying to use the searchval field in the search command, like | search 'searchval'. Can someone help? Thanks for the help.

I have a search with an extraction. It seems to be extracting the value, but it's showing up in its own column.

index=moogsoft "Return from ServiceNow (" | rex "Return from ServiceNow \((?<delay>\d+) seconds\)"

In the results page, I am only seeing the timestamp, the event, and the extracted delay variable below the event. How do I display it so the delay shows up in its own column next to the event?

Hello, good day! I have events in the raw data where I want to extract the drive information into a few fields and convert it into GB.

event1: C:\Windows\system FreeSpace DeviceID FreeSpace C: 36247773184 96900616192 E: 26285309952
event2: C:\Windows\system DeviceID FreeSpace C: 36247773184 96900616192
event3: C:\Windows\system DeviceID FreeSpace C: 36247773184
event4: C: 36247773184 96900616192 E: 26285309952

My Query:
index=A | rex "(?<Drive>\S+:\s+\d+)" | stats values(Drive) by host _raw

My output:

Host   _raw                                                                                      Drive
A1     C:\Windows\system FreeSpace DeviceID FreeSpace C: 36247773184 96900616192 E: 26285309952  C: 36247773184
A2     C:\Windows\system FreeSpace DeviceID FreeSpace C: 36247773184 96900616192                 C: 36247773184

I am getting only the first values, but I want to get all the values from the raw event and convert the numeric value into GB. Please help me with that. Thank you, Veeru. "Happy Splunking"

Hello, I'm trying to set up the Cisco Security Suite app, but it displays a 500 Internal Server Error when I click to set it up. I have installed all the necessary TAs. Thanks.

Hello, I am working on an architecture drawing for Splunk. When I downloaded the Visio stencil from the Splunk docs and tried to import it, it did not load. Did anyone face a similar issue earlier? Any suggestions would be appreciated. Thanks

Hello, I have been unable to log in to my Splunk Answers account for the past 3 weeks, where it has taken my credentials this time. :) When I gave my username and password, it would send a password reset link which I never received. I spoke to customer support and they have updated the email id in the backend to receive the reset link, but no luck. Has anybody ever faced this sort of issue? If yes, what are the steps that you have taken to mitigate this issue? I am not sure whether it will log me back in again. Thanks

Hello All, I have integrated the UF with Splunk v8.2 but am getting logs from unnecessary hosts. I am not sure how they started sending logs. Is there a way I can check why it started and how I can stop them? See the screenshot below for reference.

Let's just say I have multiple events like this:

names
John
Sam
Todd

favorite_colors
Blue
Yellow
Green

Each event might have a different number of field values, but the ratio of names to favorite_colors is 1:1. Is it possible to extract these into new events or display them separately in a table like this?

name   favourite_color
John   Blue
Sam    Yellow
Todd   Green

I have tried mvexpand, but that only works for one multivalue field.

We have a PCI requirement to disable TLS 1.1 and TLS 1.0 cipher suites such as:

- TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLSv1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLSv1.0 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLSv1.0 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- TLSv1.1 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLSv1.1 TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Among others...

I checked a few docs and tested disabling anything less than TLS 1.2 with sslVersions = tls1.2 (https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/SetyourSSLversion).

How can I be sure the above cipher suites are disabled and TLS 1.2 is the only version allowed? From previous posts I read that we can test with openssl as below and look for any errors, or the full certificate response if it is open:

openssl s_client -connect ipaddress:port -tls1_1

Here is our current server.conf:

[sslConfig]
sslVersions = *,-ssl2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH