Hi, I'm trying to add Splunk access for a user. I have a search which creates a lookup with host names. It is created based on IP from _internal logs - I have a list of IP ranges. Now I wanted to create a role with restrictions to the hosts from the lookup. I've tried to create an event type, but I can't use pipes there to read the lookup. I've also tried to use the inputlookup command in the role restrictions, but no luck. Any idea how to do it? Maybe another way, without a lookup?
I am trying to expand the table row with BaseRowExpansionRenderer from this tutorial: https://dev.splunk.com/enterprise/docs/developapps/visualizedata/displaydataview/howtocreatecustomtablerow/ But whenever I expand one row, the other open one closes. Is it possible to expand multiple rows at the same time (currently only one row is expandable at a time)? Thank you very much!
I need help coming up with a query that can help create an IDPS/Internet Content Filtering dashboard in Splunk to continuously monitor the web traffic or pull reports when asked.
Help me write a request: what volume of logs in GB/MB goes to Splunk per day/month?
Dear community, do you know a way to monitor flows from my servers to AWS cloud instances from Splunk Cloud, version 8.2.2203.3? Commands to know how to identify the cause route in the CPU upgrade. Thanks in advance for your efforts. Have a good day. Cordially,
Hello everybody, I have a question for the community: is there a reverse split command? I'll explain my problem. I have:

| eval Holidays = "01 / 01.01 / 06.08 / 15.11 / 01.12 / 08.12 / 25.12 / 26.05 / 01.04 / 25.06 / 02"

with the holidays that I want to remove from the day count (I create it; it can be a single value or a multivalue). Now I have to add the current year:

| eval year = strftime(now(), "%Y")

and have these days excluded from the final count:

| eval dates = mvrange(C3, now(), 86400)
| eval dates = mvfilter(NOT match(dates, "(Excluded)"))
| convert ctime(dates) timeformat="%A"
| eval dates = mvfilter(NOT match(dates, "(Saturday|Sunday)"))
| eval noOfDays = mvcount(dates)

I want to create an Excluded field that has the holidays with the current year as value, for example:

Excluded = "1640991600.000000 | 1641423600.00000 | 1660514400.000000 | ........"

Is it possible? Is there a reverse split command? Tks Br
Hello community, after a small "snafu" with new dashboards and version numbers, I noticed that after the rollout in our distributed environment there was what seemed like a local backup present:

/opt/splunk/etc/apps/<appname>/default.old.20220705-235555/

The date lines up with the rollout of dashboards receiving a "This dashboard view is deprecated and will be removed in future versions of Splunk software" error. Hence, I suspect these are connected in some way. So the dashboards were "repaired" by just dropping the version number by "1", though the "backup files" are still there. The only difference I notice is the install_source_checksum and the changes made to the dashboards. So, is it OK to just delete this "backup" folder? If so, is there a preferred way to do so, or just remove it?
Hi All, I recently upgraded Splunk to the latest version (9.0.0) on the DS, HF and AIO machines I have. Everything was working just fine before upgrading anything; after upgrading the whole set of machines, things went wrong. The main problem is in the HF: in the "Health Status of Splunkd" the "File Monitor Input" sign is red for almost all of them, as shown in the screenshot below, besides the following messages: I have noticed that in "Monitoring Console" -> "Indexing" -> "Performance" -> "Indexing Performance: Instance" the queue fill ratio is 100% on all the pipelines, as shown in the screenshot below. The server itself is not utilized; it has the following specs: OS: Red Hat Enterprise Linux Server release 7.9 (Maipo), CPU: 8 cores, RAM: 64 GB. Can anybody lead me to the cause of this problem? Much thanks, Murad Ghazzawi.
Hi, I want to link to an episode and also a specific review dashboard, so I have created a dashboard without any filters set and have obtained a link including both emid and episodeid (and even the tabid I want). But when used, it goes to the correct episode but ditches the dashboard. If I omit the episodeid in the link, it shows the correct dashboard. Please advise.
Hi Community, if I need to plot a trellis chart showing the average time spent on a website for each user session by browser, what's the best approach for this?
I am getting the following error messages after upgrading Splunk from 8.1.5 to 9.0. The config it's complaining about is part of the default/federated.conf, so it shouldn't be complaining in the first place.

Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 18: appContext (value: search).
Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 19: useFSHKnowledgeObjects (value: false).
Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).
How to Config Router to Send Syslogs to Splunk
I have a data source that shows if an order was resolved as fraudulent (data="resolutions") and in a different data source (data="headers") I have payment_method (Visa, Mastercard, etc). I want to see a pie chart of only orders that have chargebacks on them, by payment method.

data=headers | top payment_method

This works for the pie chart of payment method. I tried:

data=headers OR data=resolutions resolution_name="ACM Chargeback Received - Fraud" | top payment_method

and a few other variations, but I can't seem to get it to work. Even if I can't do a pie chart and could figure out a table with Payment Method | Count of Resolution Name (chargeback), that would work.
I have a field called rules_tripped. It returns the results like this:

rules_tripped="5237260000001713515:Item Sku Fraud & Chargeback Percentage 0:0"

Rule ID : Rule Name : Rule Score. I want to only search for rules that have a rule score of > 800. Is it possible to split the query and search for only rules with a rule score of > 800?
Hi All, my customers security engineer has left the organization and we're curious how we can migrate the dashboards he was using over to other user profiles in Splunk Cloud.  Thank you!
We have the following:

# /data/xxxx/<hostname>_syslog.log
[datanow-syslog-host]
SOURCE_KEY = source
REGEX = \/data\/xxxx\/(.+)_syslog\.log
DEST_KEY = MetaData:Host
FORMAT = host::$1

Trying to extract the host name from the source without much luck. Any ideas?
Hi Team, I am a learner, so I want to know about identifying the session login/logout time periods of users and the reasons for the activities.
Good afternoon, I am upgrading from Splunk 8 to 9, and I have a hodgepodge of UFs that are all over the place in versioning, from 6.x all the way to 8. I know you cannot do a multiple-version upgrade; I will need to go 6 to 7 to 8 to 9. My question is this: are there specific versions that I cannot upgrade from? For instance, does a 6.x need to be upgraded to a specific version of 7, then a specific version of 8, or will any version in the line of upgrades work? I have tried to do some searching but I am not finding the answer to my specific question, which makes me think the upgrade version, as long as it is in order, doesn't matter, but I need to make sure because we have several hundred to do. Thanks
Is it possible to set a hardcoded value for the "Items per page" on the Searches, Reports, and Alerts page? Each time I open the console, it resets to "10" and I would like to keep it set to 100 for all users at all times. 
Here is my query:

<table id="tableColorFinalRowBasedOnData7">
  <search>
    <query>index="xxxx" source=service (DisplayName="a*" OR DisplayName="b*") host IN (abc xyz) earliest=-60m | dedup host Name | table host Name StartMode State | sort Name | eval color=case(State="Stopped","#880808",State="Running","#008000") | foreach host Name StartMode State [eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)] | fields - color</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <format type="color">
    <colorPalette type="map">{"Manual":#FF7F50}</colorPalette>
  </format>
  <format type="color" field="host">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="Name">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="StartMode">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
  <format type="color" field="State">
    <colorPalette type="expression">mvindex(value,1)</colorPalette>
  </format>
</table>

Service running is getting displayed as green and stopped as red, but StartMode "Manual" is not being set to orange.