Hi, I have 2 queries:

Query1:
Message1,EventCode,Status
aaaaa,4625,0XC0000234

Query2:
Status,EventCode,action
0xC0000234,4625,denied
0XC0000234,4776,failure

*Note the lower and uppercase "x". Case sensitive.

In Query1, the Status field is always uppercase (e.g. 0XC0000234 and not 0xC0000234 nor 0xc0000234).

When I perform a search and lookup:

index=a host=b | table Message1,EventCode,Status | lookup blabla.csv Status OUTPUT action

I'm getting the output:

Message1,EventCode,Status,action
aaaaa,4625,0XC0000234,failure

The above is incorrect, as 4625 should return "denied" instead of "failure".

How do I do a lookup to first:
1. Check the EventCode
2. Return the corresponding action field, case insensitive

Or is there a better way aside from the 2 points I mentioned above? Appreciate the help!
I have events from a device sent to Splunk every day, seen in the example below. Here is an example of what I want to happen: if I ran a search on 2022-05-02, my result would show "Event 1" because the "last_fixed" date is older than the "last_found" date. But if I run the same search on 2022-05-04 it will show Event 5 because the "last_fixed" date is newer than the "last_found" date. I am trying to search the last 30 days for all events to see what device still needs attention. I want to show the oldest event that has a "last_found" date unless there's a newer event with the "last_fixed" date newer than "last_found".

My Search:

index=01 | dedup Device IP_Address sortby +_time | table dest ip_address

Event 1:
Time: 2022-04-29
Device: aaa.local
IP_Address: 10.10.10.5
last_fixed: 2022-04-04T21:07:01.592Z
last_found: 2022-04-29T05:52:57.742Z

Event 2:
Time: 2022-04-30
Device: aaa.local
IP_Address: 10.10.10.5
last_fixed: 2022-04-04T21:07:01.592Z
last_found: 2022-04-30T05:52:11.663Z

Event 3:
Time: 2022-05-01
Device: aaa.local
IP_Address: 10.10.10.5
last_fixed: 2022-04-04T21:07:01.592Z
last_found: 2022-05-01T05:53:36.270Z

Event 4:
Time: 2022-05-02
Device: aaa.local
IP_Address: 10.10.10.5
last_fixed: 2022-04-04T21:07:01.592Z
last_found: 2022-05-02T05:55:02.180Z

Event 5:
Time: 2022-05-03
Device: aaa.local
IP_Address: 10.10.10.5
last_fixed: 2022-05-03T05:54:03.611Z
last_found: 2022-05-02T05:55:02.180Z

Would the best way to do this be by using eval?
I want to create a custom alert action that, when the alert fires, takes the host from the search results and uses it as a token to remotely restart a host. I can get the REST URL right, but how do I get the alert to use host as a token?
Hi Team, following is my data:

SS TT  DT DA LT LA TO TA
a  xxx 4  3  2  3  7  6
a  yyy 2  2  2  3  4  5
b  xxx 1  1  1  1  3  3
b  yyy 1  1  1  1  1  1

Following is the graph I can populate in Excel.

Following is the graph I was able to populate in Splunk.

My problem is I can see "SS" written in the Splunk graph, and also "a" and "b" written in the graph, but along with these I also need "xxx" and "yyy" to appear as legend under all 4 graphs. How can we do that?

MY QUERY FOR DATA:

| stats sum(*) by SS,TT
| foreach sum* [eval <<FIELD>> = round(('<<FIELD>>' * 1000),2)]
| rename sum(*) as *
| stats values(*) by SS,TT
| rename values(*) as *
| table SS,TT,DT,DA,LT,LA,TO,TA
Hi, so my team currently has some data on Splunk Cloud. My task is to use your REST API to get this data using Python. On Splunk Web I get this data by using the following query:

| from inputlookup:"cloud_accountList"

I have written a simple Python script to get the data:

import requests

splunkTenant = 'avc3'
splunkURL = {
    'api': f"https://ab1.{splunkTenant}.splunkcloud.com:1234",
}
splunkCredentials = {
    'user': 'test_user',
    'password': 'SplunkIsGreat'
}
searchString = "| from inputlookup:\"cloud_accountList\""
search = {
    'search': searchString,
    'output_mode': 'json'
}
splunkEndpoints = {
    'returnedAppSearch': f"{splunkURL['api']}/servicesNS/{splunkCredentials['user'].upper()}",
}
# CA bundle used to verify the Splunk Cloud TLS certificate
cacertpath = '/Users/***/Downloads/cacert.pem'
searchURL2 = f"{splunkEndpoints['returnedAppSearch']}/APP_NAME/search/jobs"
# Create the search job via the search/jobs endpoint
splunk_response = requests.post(
    url=searchURL2,
    auth=(str(splunkCredentials['user']), str(splunkCredentials['password'])),
    verify=cacertpath,
    data=search)

When I run this script I get an error. Can someone please help me out?

Regards
I am looking through our current alerts and we have a few evaluations that occur like below.

Total_Trade: 129
Total_Value: 300
Total_Amount: 1000

I have a rex like below:

| rex max_match=0 "Total_(?<Type>\w+):\s*(?<amount>\w+)"

Doing this though, I get two fields with multiple events like below.

Type                  amount
Trade Value Amount    129 300 1000

What I wanted was each of these to be separate though:

Type     amount
Trade    129
Value    300
Amount   1000
Hi! Hope all are fine, and thanks in advance for any help. I'm having problems ingesting the Linux Audit Log. For some reason, a weird field delimiter is not being correctly interpreted by Splunk. I'm pasting the examples. How can I get rid of this and get the fields "data" and "UID" correctly separated?
I am trying to create an alert which will compare yesterday and today for a particular field and show what the difference is. I want to count the total for the field called "id" for today, compare the count with yesterday's, and show the count difference and the ids which are different.
Hi All, I am using the IF function like:

| eval xxx=if(status=="1","A", if(status=="2","A", if(status=="3","A","0")))

It's working wherever I have a single value in fields, like:

Example 1:
status    output
1         A
2         A
3         A

or

Example 2:
status      output
1, 2        A
2, 3        A
1, 3        A
1,4,5,2     A

So in example 2, the last row has 1 and 2 together with 4 and 5; I want the output to be both A and 0. Thanks in advance.
Hi, I would like to show the number of users and also the number of unique users visiting a particular dashboard. I want to display these numbers somewhere on the dashboard. I have multiple dashboards and would like to do the same for all the dashboards. Is there an in-built feature/tool in Splunk that does this? Or is using JavaScript a better option for this?
I have a dashboard with cascading dropdowns which, when a value is selected in the first dropdown, populates the second dropdown with values based on the selection made. For example, the first dropdown has values A, B, and C. When A is selected from the first dropdown, the second dropdown should display A1, A2, and A3. Similarly it should display B1, B2, B3 and C1, C2, C3 respectively. My dashboard is populating the dropdown correctly. I am unsetting the second dropdown tokens when the first dropdown changes, to make sure the second dropdown does not contain the previous token value. But this is causing me an issue on page reload. When the page is refreshed, the second dropdown token gets unset, like shown below.

Before refresh

After refresh

If I do not unset the second dropdown tokens when the first dropdown changes, the second dropdown shows the previously selected token, as shown below.

My XML looks like this:

<form>
  <label>Dependent Drilldown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokElement" searchWhenChanged="true">
      <label>Element</label>
      <choice value="A">A</choice>
      <choice value="B">B</choice>
      <choice value="C">C</choice>
      <change>
        <unset token="tokSubElement"></unset>
        <unset token="form.tokSubElement"></unset>
      </change>
    </input>
    <input type="dropdown" token="tokSubElement" searchWhenChanged="true">
      <label>Sub Element</label>
      <fieldForLabel>$tokElement$</fieldForLabel>
      <fieldForValue>$tokElement$</fieldForValue>
      <search>
        <query>| makeresults | fields - _time | eval A="A1,A2,A3",B="B1,B2,B3",C="C1,C2,C3" | fields $tokElement$ | makemv $tokElement$ delim="," | mvexpand $tokElement$</query>
      </search>
    </input>
  </fieldset>
</form>

I would like my second dropdown tokens to be unset when the first dropdown value changes and also to maintain those tokens on page refresh. Let me know if you have any thoughts.
I have a bar chart with a few categories as displayed in the below image which when clicked, drills down into its own table. I would like to highlight the clicked bar so that it is known which bar graph is drilled down. I am expecting it to look something similar to the below image.  
I am importing into Splunk many tables of data of 500 to 10000 events each, and I need to use them to enrich events with scheduled searches. At the moment I import these tables using a modular input and dump them into an index; I then join my saved search results with the latest data from this index. The tables are imported once a day to update if something changed (they usually are mostly unchanged).

index=my_events
| join type=left common_field
    [ search index=imported_data source=src earliest=-24h | stats latest(*) as * ]

I know join is bad for performance and was wondering if importing the data into a KVStore and setting up an automatic lookup for the index with the data I want to enrich would be a better solution. In this case I would overwrite the KVStore once a day with the new data. Other solutions are welcome; these are the ones I came up with. Thanks.
Hey, I am trying to sum values based on type. I have a column of numbers and multivalues. I want to sum all the multivalues together and display the sum of all multivalues. How can I achieve this? Please refer to the diagram below. As you can see there are two columns. One column displays the numbers and the other column displays the type of each cell. I want to get the sum of the cells that have a multivalue type.
Hello, I stats events after 2 eventstats commands like this:

| eventstats sum(netp) as "netp1" by site
| eventstats sum(netp) as "netp2" by site user
| stats last(netp1) as "netp1", last("netp2") as "netp2" by site user

But I know it's not good, because I am doing a chart and the sum of netp and the sum of netp2 are not the same: for a same site there may be many users, but in my bar chart there is just one user displayed. The bar in red corresponds to netp2 and the bar in blue to ntp2. So the problem is on my bar in blue, which has to have the same sum as the bar in red. How to stats events for solving this problem please?
Hi, I want to use a custom component (component library) in the data input parameters when creating my splunk app. Is there any way to do this? Thanks
Hello Splunkers - I am struggling to create a table that shows distinct events that sometimes have the same timestamp:

_time                vulnerability   asset  ipAddress  vendor   cvssScore  lastFound   supportContact
2022-05-12 05:23:24  CVE-2022-1234   host1  ip1        vendor1  score1     2022-05-12  support1
2022-05-12 05:23:24  CVE-2021-5678   host2  ip2        vendor2  score2     2022-05-12  support2
2022-05-12 05:23:24  CVE-2016-1234   host3  ip3        vendor3  score3     2022-05-12  support3

I can't find the right way to search these events so that all distinct events show. Based on one of the many answers I read here, I've tried using eventstats, but it's not working as I'd hoped. Here's the query:

| eventstats latest(_time) as lastFound
| where lastFound=_time
| table _time, vulnerability, asset, ipAddress, vendor, cvssScore, lastFound, supportContact

When I run this I get a table with the latest events by _time, but it does not take into account that there are different values in the other fields. So instead of the 5,000 events I'm expecting, I get a few hundred.

_time                vulnerability   asset  ipAddress  vendor   cvssScore  lastFound      supportContact
2022-05-12 05:23:24  CVE-2022-1234   host1  ip1        vendor1  score1     lastFoundTime  support1

What am I doing wrong?
Hi, after an upgrade from 7.3 (to 8.1.0 and then) to 8.2.5, there are some errors in splunkd.log.

SH1:
ERROR DistHealthFetcher [115123 DistHealthReporter] - failed to execute health transaction to instance at uri=https://<my_uri>:8089, error=Non-200 status_code=401, uri=https://<my_uri>:8089/services/server/health/splunkd/local, status_description="Unauthorized".

SH2 and SH3:
ERROR DigestProcessor [107884 TcpChannelThread] - Failed signature match
ERROR LMHttpUtil [107884 TcpChannelThread] - Failed to verify HMAC signature, uri: /services/server/health/splunkd/local?output_mode=json

Besides, if I try to push some apps' configurations, it doesn't work. The environment consists of a Deployment Server/Cluster Master (same instance), 3 Search Heads and 2 Indexers. All the server.conf files on the DS/CM and SHs have the same pass4SymmKey:

[clustering]
master_uri = <my_master_uri>
pass4SymmKey = <my_crypted_pass>

Does anyone have an idea about what's wrong? Thanks in advance.
Hi, it's my first week in the job and I am finding that creating alerts is not the issue; how to create useful alerts is more what I am looking for. We turned on "Access - Short-lived Account Detected" in the Use Case Library use cases, and it's causing way too many alerts. I wanted to narrow the field down to just admin accounts instead of the whole company. Anybody got ideas on how to do this? Or point me to an article where I can edit these types of searches?

In the correlation search I have got:

| tstats `summariesonly` count from datamodel=Change.All_Changes where nodename="All_Changes.Account_Management" (All_Changes.action="created" OR All_Changes.action="deleted") by _time,All_Changes.dest,All_Changes.user span=1s
| `drop_dm_object_name("All_Changes")`
| streamstats range(_time) as delta,sum(count) as count by user,dest window=2 global=f
| where count>1 AND delta<`useraccount_minimal_lifetime`
| `uptime2string(delta,timestr)`
| table user, dest, delta, timestr

and:

`wineventlog_security` EventCode=4698 OR EventCode=4699
| xmlkv Message
| transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699)
| eval short_lived=case((duration<30),"TRUE")
| search short_lived = TRUE
| table _time, ComputerName, Account_Name, Command, Task_Name, short_lived
| `short_lived_scheduled_task_filter`
I want to filter EventCode 4624 and user_type=computer using transforms.conf and props.conf.

transforms.conf:
[setnule]
REGEX = \<EventID\>4624\<\/EventID\>.+\<Data\s+Name='WorkStationName'>
DEST_KEY = queue
FORMAT = nullQueue

props.conf:
[XmlWinEventLog]
TRANSFORMS-set=setnule