All Topics
I want to get an alert and run it, but there are items I wanted to remove.

    | rest "/servicesNS/-/-/saved/searches" | search title="SomeAlert" | fields qualifiedSearch

So far I am able to get my search, but there is a line in there I want to remove, and then display my result. For example, if the following was a line in qualifiedSearch:

    | rename test1 as test, rename operation1 as operation

Is there an easy way I can use rex or something else to find this string in qualifiedSearch and remove it?
I have a dropdown in a dashboard that uses a lookup table with columns X and Y. The values in X are unique; the values in Y are not. I am using X in "Field for Label" and Y in "Field for Value". The problem is that when I do not dedup Y, I get an error below the dropdown that says "Duplicate values causing conflict". The search string I'm using is this:

    | inputlookup LT | fields X, Y

When I change it to this:

    | inputlookup LT | fields X, Y | dedup Y sortby X

...the error disappears. What I would like is to retain all the values of X instead of removing some with the dedup operation. Is this possible?
Hello everyone. I wonder if anyone could help me with a report I'm trying to make. Below is my sample log format.

log1 example:

    ipfield sessionfield - - timefield urlfield methodfield

log2 example:

    datefield midfield sessionfield2 sessionfield3 userfield functionfield ipfield2 rolefield

What I want to do is search log2 if the sessionfield in log1 exists, then print out a table that has userfield from log2, ipfield from log1 or log2, all sessionfields from log1 and log2, userfield from log2, urlfield and methodfield, and the counts of methodfield. I have something like this:

    (index=1 log2) OR (index=1 log1) | eval sessionfield=coalesce(sessionfield,sessionfield2,sessionfield3) | stats values(sessionfield) values(ipfield2) by sessiontuser

I got the sessionfield(s) to print, but it did not print the sessionfield in log1. I could not figure out how to print the other fields that I needed. I don't have much experience in Splunk search, so any guidance or help would be excellent. Thank you.
Hi, is there any way we could find the daily average volume of data (not from a transaction-summary standpoint but from a daily-size standpoint)?
In my Splunk logs, I have 2 IPs in 1 field. I want to extract both IPs and create new fields IP1 & IP2. Please help here.

    The user XYZ was involved in an impossible travel incident. The user connected from two countries within 280 minutes, from these IP addresses: United States (205.000.000.0) and Italy (37.000.000.00). If any of these IP addresses are used by the organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.

Example:

    IP1 - 205.000.000.0
    IP2 - 37.000.000.00
This search will display port numbers from the Endpoint datamodel:

    | tstats 'summariesonly ' count from datamodel=EndPoint.Port.dest_port

I would like to create a search that will show other fields like dest_bunit with the port. Without the datamodel I could just do a stats count by dest_port. I'm not sure how to replicate this query using the datamodel.
How can I pull 3 tokens from a single dropdown search? I would like our users to select the case_idz and have the _time value populate from the same dropdown (I know I can append this to the individual searches with the case_idz token, but that seems very brute force and inelegant). Here is the populating search:

    | tstats count WHERE index=cases BY source, _time | fields source, _time | rex field=source max_match=0 "^[A-Z]:\\\\([^\\\\]*)\\\\([^\\\\]*)\\\\(?P<case_idz>[^\\\\]*)" | stats count by case_idz, _time | fields case_idz, _time | stats earliest(_time) AS earliest_event, latest(_time) AS latest_event by case_idz | convert ctime(earliest_event) ctime(latest_event)

Which gives a table of:

    case_idz   earliest_event   latest_event

I would like to turn each of these into a token: $case_idz$, $earliest_event$, $latest_event$. The case_idz is the value that they need to pivot off of, and the earliest_event and latest_event are the second and third tokens that I would like to leverage to set the earliest and latest time values for the searches. Other than taking components of this search and adding them to each and every dashboard, how can I have the three variables trigger in one pass?
I have a field properties.policies in JSON format. Field value:

    [{"fieldname":"fieldvalue","fieldname":"fieldvalue","fieldname":"fieldvalue",[priview] "fieldname":"fieldvalue",[]}]

I want to remove the first and last [] so that other fields can populate. Can someone send me the rex please? Thanks in advance.
Hello, I am trying to do a regex to break a URL after the fourth slash, for example https://xxxx/yyyy/test. Could you help please?
We are developing an Android app that uses AppDynamics 20.5.0 and Firebase Bill-of-Materials 26.8.0, which includes Firebase Performance. We recently received a report from a user who found that the background network data usage of our app was extremely high, on the order of gigabytes per month. Upon investigation, we found that the call to the https://col.eum-appdynamics.com endpoint would consume a lot of data, as requests were repeatedly made to it on app startup. We went through our app release history and noticed that this behavior started around the time we added Firebase Bill-of-Materials, and after digging some more, found that the high data usage stopped when we disabled Firebase Performance. This behavior is present even when we update AppDynamics to its latest version (21.11.0) and Firebase Bill-of-Materials to its latest version (30.0.1). Is this a known issue, and if so, is there anything that can be done in the mobile app's AppDynamics configuration to prevent the high data usage? In the short term, we've disabled Firebase Performance in the app, but obviously it's not an optimal solution.
Hi, I am sending OpenTelemetry log data to Splunk. I am sending 3 different types of logs to one index and to one sourcetype (for the moment). Is it possible to receive this data into Splunk and then create 3 different sourcetypes, based on the event data, not the data?

    splunk_hec/logs: # pushed to splunk
      token: "ac3fa6bf-f9df-4757-a5e5-9ee7bf23160d"
      endpoint: "https://dell425srv:9088/services/collector"
      source: "mx"
      sourcetype: "otel"
      index: "murex_logs"
      tls:
        insecure_skip_verify: true

In the below image we can see the event data is called log.type. There can be three of them. I need to make 3 sourcetypes from these 3. Normally I would use a transform, but I think I can only use that on the data, not the event data? Any help would be great. Thanks in advance, Robbie
Hi all, I'm trying to implement some Use Cases from the Security Essentials App, using AWS data. I found the following problem: I'd like to use a Use Case called "Multiple Account Deletion by an Administrator", but the App tells me that the accelerated "Change" Data Model isn't there, whereas it is present and accelerated. The strange thing is that the message doesn't say that there isn't data, but that there isn't an accelerated Data Model. Where could I look for the problem? Thank you in advance. Ciao. Giuseppe
Hello Splunk Community, I am pretty new to Splunk and I have a use case where different subsets of logs are to be forwarded to different indexes from the same monitor location. For example, all logs matching a pattern (like a regex) should go to index1 and all other logs should go to the default index. I found this Splunk documentation, but it is about forwarding logs from different monitor locations. I have the following in inputs.conf:

    [monitor:///<monitor-location>]
    index = <my-index>
    sourcetype = <type>

Can you please help?
Hi there, I want to filter out some records if they match multiple criteria, for example:

    host   service   state
    =======================
    h1     s1        stopped
    h1     s2        running
    h2     s1        stopped
    h3     s1        running
    h4     s1        running
    h4     s2        running
    h4     s3        stopped

So I need to filter out only hosts that have multiple services and where the host's s1 service is stopped. The output should be like this:

    host   service   state
    =======================
    h2     s1        stopped
    h3     s1        running
    h4     s1        running
    h4     s2        running
    h4     s3        stopped

Explanation: the first two records with h1 are gone, as it had multiple services and the one with s1 was stopped. Also, h2 is still in the output because it's running only one service, s1, so it shouldn't be filtered out even though it's stopped. Hope I could explain my problem. Huge thanks in advance.
Is there a way to have Excel data sync to Splunk? I am basically trying to have a dashboard to search from an Excel sheet.
Hey everyone... I know there has to be an easy way to do what I want, but I just can't figure out how. It should be straightforward, but apparently I can't figure it out. I have a dropdown and, depending on its value, I want to change my search criteria for dependent widgets. For example: I have a single value widget on my dashboard. The default search query for that widget is

    index='idx' source='src1'....

If someone picks the second element in the dropdown (label = "My Second Element", value = 'secondelement'), I want the search query to change to

    index='idx' source='src2'....

and for the dashboard to refresh. Similarly, when selecting the first element, I want it to go back to source = 'src1'. I don't have any sort of submit button and am puzzled by similar answers to other questions that include a wall of XML. It seems to me that this should be doable via an if statement in the query or by parameterizing the query before it's run. I'm obviously ignorant about large swaths of Splunk, so please explain it like I'm five.
Hi, please let me know if you can help me get this metric (Unique User Count). If yes, kindly let me know how to derive it. Best Regards, Mohan Krishna V

^Post edited by @Ryan.Paredez: post was split off into its own post and the title changed to reflect the question.
I am trying to create a dashboard for an allowlist. Basically the user should be able to fill in the required fields and select whether to add, remove, or reauthorize the user and update the lookup table. This is what I have so far:

    <form version="1.1" theme="dark">
      <label>USB BAU Allowlist</label>
      <description>This is a dashboard that will allow you to add and remove users to a usb allowlist with a BAU activity.</description>
      <fieldset submitButton="true" autoRun="false">
        <input type="text" token="user_tok" searchWhenChanged="false">
          <label>User</label>
          <default></default>
        </input>
        <input type="text" token="email_tok" searchWhenChanged="false">
          <label>Email</label>
          <default></default>
        </input>
        <input type="text" token="description_tok" searchWhenChanged="false">
          <label>Description</label>
          <default></default>
        </input>
        <input type="dropdown" token="revisit_tok" searchWhenChanged="false">
          <label>Revisit</label>
          <choice value="select">Select</choice>
          <choice value="1 month">1 Month</choice>
          <choice value="2 month">2 Month</choice>
          <choice value="3 month">3 Month</choice>
          <choice value="4 month">4 Month</choice>
          <choice value="5 month">5 Month</choice>
          <choice value="6 month">6 Month</choice>
        </input>
        <input type="dropdown" token="dropdown_tok" searchWhenChanged="false">
          <label>Action</label>
          <choice value="add">Add</choice>
          <choice value="remove">Remove</choice>
          <choice value="reauthorize">Reauthorize</choice>
          <search>
            <query> </query>
          </search>
        </input>
      </fieldset>
      <row>
        <panel>
          <title>blah Lookup Table</title>
          <table>
            <title>blah Lookup</title>
            <search>
              <query>| inputlookup blah.csv | append [ | makeresults | eval user="$user_tok$", email="$email_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$" | fields - _time ] | table user, email, description, revisit | outputlookup blah.csv</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>
I'm using DB Connect V3.9.0. I'm trying to use it to connect to an Impala database, which is an external database, but I can't find the external database option to add it (as shown in the attached snapshot). Should I add another app or plugin to add the external database connection feature? Thanks,
Hello everyone, I am new to Splunk. I've got trouble when I was trying to get host values from the path. The directory I set is D:\14. splunk\SMT\. No matter what kind of extract function I was using, regex or segment, it doesn't work. For example, the host name of the following file should be "PCXXXXX", but it still shows the default host name. However, I already set the host name with a regex on the path, but it doesn't work... I also tried Segment in path, and it's still the same... Please help...