Hello Team, I am interested in determining the best way to count the number of case-sensitive letters and special characters for each value. Examples:
- PoWERshell = 4 uppercase and 6 lowercase and 0 special characters
- Powershell = 1 uppercase and 9 lowercase and 0 special characters
- Power`SHell = 3 uppercase and 7 lowercase and 1 special character
For each value in the same field, is it possible to count this and create a field value pair for it? The desired table would have the following fields: (Original field value) (count of uppercase letters) (count of lowercase letters) (special characters count)
Example output: Power`Shell --- 2 --- 8 --- 1
Hello, I am trying to figure out how to rex extract from text that starts with a newline and ends with a newline. For example:
\\nCAR PRODUCT: bat mobile\n
Does anyone know a good way around this situation so that only "bat mobile" is extracted? Thank you for your help. Spencer
Hi Expert, I have a question on this issue. What methods do you use to detect malware? Does it have anything to do with SVM or machine learning? Please help me answer this question. Thanks and best regards.
Hi Everyone, First time using Splunk Community. I have been working with Splunk for about a year and I've been doing okay, but I'm trying to use Active Directory logs to identify when accounts are created. I was looking for ways to do this. I tried using userAccountControl or pwdLastSet=0, but what I thought was a sure thing was to use uSNCreated=uSNChanged. But when I add that to the search, I get no result even though I can see that the original creation record has the same value for both. Any suggestions are greatly appreciated. Thank you!
Hi Splunkers, I am stuck on how I can get counts for Yesterday and Last Week. The ask is: when a relative time is selected from the time picker (in the Dashboard), it should give me counts for yesterday in one panel and for last week in another panel. For example:
1) I am searching for 9pm to 10pm in my Dashboard, so I want to set up a query that gives me the same time data but yesterday's 9pm to 10pm (Query for Yesterday)
2) If I run the same data, then the other panel should give me counts for last week at the same time (Query for Last Week)
So I am looking for two separate queries for both. Basic Query:
index::name type=sample_events "service"="auth" "successReason"=VALID | stats count
Hello! I'm working on a project where we would like to use Splunk Synthetic Monitoring to improve our monitoring of several web applications, but I'm running into issues where waiting for elements to be present is causing timeouts. Is there any way to set a custom wait time on a step? And if that way involves executing Javascript, what are the best practices for defining the custom wait times? Apologies if I'm posting this in the incorrect location!
If I run the below search, the statistics output changes while the search is progressing, and when the search is completed not all results that were seen during the search are visible.
| tstats summariesonly=f count from datamodel=Network_Traffic by All_Traffic.app,All_Traffic.src,All_Traffic.dest,All_Traffic.dest_port,All_Traffic.action
| lookup xxxx CIDR AS All_Traffic.src OUTPUT CIDR as cidr_ip2 fullzonename as sourcenetwork ZoneType as sourcezonetype
| lookup xxxx CIDR AS All_Traffic.dest OUTPUT fullzonename as destinationnetwork ZoneType as destinationzonetype
| where (cidrmatch(cidr_ip2,'All_Traffic.src'))
| search sourcezonetype="yyyy" AND destinationzonetype!="*zzzz"
| stats count by sourcenetwork sourcezonetype destinationnetwork destinationzonetype All_Traffic.action
I have a log from an application that isn't structured in any standard format and I am struggling with dropping certain lines at index time due to the line merging configuration. This is a pseudo sample of the data:
----- <application version> -----
(<timestamp>) <data>
(<timestamp>) <data>
----- <application version> -----
(<timestamp>) <data>
(<timestamp>) <data>
----- <application version> -----
(<timestamp>) <data>
(<timestamp>) <data>
<data>
<data>
<data>
(<timestamp>) <data>
As you can see, for some events the message is broken down into multiple lines, so the best way to break events would be by the timestamp. This is the props.conf I wrote for this source type:
[my_new_sourcetype]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TRANSFORMS-drop_header = new_sourcetype_drop_header
And the associated transforms.conf:
[new_sourcetype_drop_header]
REGEX = ^-{5}.+-{5}$
DEST_KEY = queue
FORMAT = nullQueue
The issue is that when the data is indexed, any event that would have been the <application version> header by itself is dropped, but then there are events with a linecount of 2 that look like:
(<timestamp>) <data>
----- <application version> -----
How do I force it so that the <application version> header is always made into its own event so that it can be dropped by the transforms configuration?
Hello. Recently I've joined a new company that is using Splunk as their SIEM, and this past month I've been trying to learn a bit about the tool since I'm completely new to it. I was assigned as an exercise to work out a query to basically do these 2 things:
- identify potential policies with all ports enabled
- identify which of these policies are receiving petitions from public IP addresses
So far I've come up with this query:
index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked
| eventstats dc(dest_port) as ports by policyid
| stats count by policyid ports
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public")
| where source_ip="public"
Basically, the main problem I'm having and can't seem to find a reasonable solution for is that I've already managed to find out how to filter private IP addresses from the results, but I feel like my eventstats sentence is not working properly, mainly because I'm counting all the distinct destination ports but not by the policyid. I'd be really grateful if you guys could give me a hint or some advice about how I can approach this case. Thanks in advance
Hello. I am making an app in the Add-on Builder with multiple inputs. So naturally, once I am done and have saved the add-on, I end up with something like this: However, when I make any updates to the app (adding a new input / deleting an existing input) this drop-down refuses to update. Is there another file I need to make a change to within the app? I looked in the UI/Nav folders but nothing stood out to me.
Hi all, I have trouble connecting my test MSSQL with DB Connect. I am able to connect to the DB using DBVisualizer with the credential I use for the identity. I am using the Generic MSSQL Driver. The log:
2022-05-27 21:37:44.537 +0800 [dw-59 - GET /api/connections/mssql-test/status] INFO com.splunk.dbx.connector.logger.AuditLogger - operation=validation connection_name=mssql-test stanza_name= state=error sql='unknown' message='The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". ClientConnectionId:da36105c-f9e9-44e9-aeeb-023742b9a4eb'
I don't know why the error log shows an SSL error when I have not enabled SSL for the connection. Below is the db_connections.conf:
[mssql-test]
connection_type = generic_mssql
database = master
disabled = 0
host = 192.168.74.238
identity = mssql-test
jdbcUseSSL = false
localTimezoneConversionEnabled = false
port = 1433
readonly = false
timezone = Etc/GMT
Thanks in advance.
Hello guys. Looking for some help from the experts. I want to create an alert that will send emails to specific mailboxes; these addresses are part of the search result, so for example:
DEVICE_TYPE     VULNERABLE_COMPONENT   COUNT   recipient
Linux Server    OS Vendor Patches      5       team1@mydomain.com
Linux Server    Oracle WebLogic        6       team2@mydomain.com
Linux Server    Other                  4       team3@mydomain.com
Windows Server  OS Vendor Patches      3       team1@mydomain.com
Windows Server  Oracle WebLogic        12      team2@mydomain.com
Windows Server  Other                  3       team3@mydomain.com
So I want team1@mydomain.com to receive the alert with the corresponding records,
DEVICE_TYPE     VULNERABLE_COMPONENT   COUNT   recipient
Linux Server    OS Vendor Patches      5       team1@mydomain.com
Windows Server  OS Vendor Patches      3       team1@mydomain.com
and so on for the other recipients. I tried with the "|sendemail to:$results.recipient$" command I've seen in other posts but it didn't work. Thanks in advance for any help you can provide.
Hello, As a part of capacity planning we need to calculate Avg & Max calls per minute for each BT. When we tried plotting max values for calls per minute, it's not allowing us to plot it from the Metric Browser, but when I exported the CSV I can see the max values; those are not the actual max values for a BT, though. Later I came to know from the documentation that min and max values are available for node-level metrics only and are not visible for tier- and application-level metrics. https://docs.appdynamics.com/22.5/en/appdynamics-essentials/metrics-and-graphs/metric-browser#Metric... In this case, how can we find max calls per minute for an individual BT for a month, as I have 25 nodes in a tier? Thanks, Rahul
Hello, I am looking for a timechart option where I can get data for the last 7 days for a particular time range. Ex: if I select the time range as 01:00:00 to 02:00:00 AM, then it should show data for the last 7 days for the same time range.
Date        Time range          Count
2022-05-27  01:00:00 02:00:00   A
2022-05-26  01:00:00 02:00:00   B
2022-05-25  01:00:00 02:00:00   C
2022-05-24  01:00:00 02:00:00   D
2022-05-23  01:00:00 02:00:00   E
2022-05-22  01:00:00 02:00:00   F
2022-05-21  01:00:00 02:00:00   G
Thanks
Hi, I work on a dashboard with several charts. All these charts use the same customized fieldColors option, but I have to repeat the option charting.fieldColors in each chart. Question: Is there a way to specify the option just one time and reuse it in each chart? Thank you
Hello Team, As per the below screen, I need to segregate payment methods like the below graph in Splunk. How can I achieve this in Splunk? The below screenshot belongs to NewRelic.
Is it possible for a search head cluster to search multiple indexer clusters? A solo search head can do so, but I'm not sure about the search head cluster.
Hi All, I am using a base search, and I want to use the time picker (earliest and latest) in another panel which is using this base search. How can I achieve that? Reference query:
<form version="1.1" theme="dark">
  <label>Test Dashboard</label>
  <description>Dashboard created for testing purpose</description>
  <search id="base_12">
    <query> index=test_index </query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time Picker</label>
      <default>
        <earliest>-7d@w0</earliest>
        <latest>@w0</latest>
      </default>
    </input>
    <search base="base_12">
      <query>| search (($app$) AND ($environment$))| stats count by test | fields test</query>
    </search>
Regards, NVP
Hi all, I am having issues trying to script enabling and disabling maintenance mode with a hashed password. The command is:
/opt/splunk/bin/splunk enable maintenance-mode -auth admin:somepassword
Is there a way I can hash the password? I have tried hash-passwd and user-seed.conf, but it does not seem to hash my clear-text password upon restarting Splunk.
I want to run a Heavy Forwarder in an autoscaling group in stateless mode. Can I do it without worrying about the data directory /opt/splunk?