Hi, I have 2 separate queries as below:

Query1: (normal Splunk search, e.g. index=* host=abcde | table Message1,Message2,Status ....)
Message1, Message2, Status
aaaa,bbbb,0x000006d

Query2: (using inputlookup blabla.csv | table Status,Action)
Status,Action
0x00006d,Failure

How do I map both queries above and produce output as below:

Output:
Message1,Message2,Status,Action
aaaa,bbbb,0x00006d,Failure

Basically the Status from Query1 needs to be mapped with Query2 and output the corresponding action. Appreciate the help!

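An added worked example, not part of the original post: a search that joins the event Status to the CSV with the lookup command. lookup matches the key as a literal string, so the two spellings shown in the post ("0x000006d" in the events, "0x00006d" in the CSV) would never match as written. The example therefore converts both sides to a number: the first pipeline is run once (and re-run whenever blabla.csv changes) to write a normalized copy of the CSV, the second is the reporting search. The file name blabla_normalized.csv and the status_num column are names assumed here, and fillnull is added so statuses with no mapping are visible instead of silently blank.

```spl
| inputlookup blabla.csv
| eval status_num=tonumber(replace(lower(Status), "^0x", ""), 16)
| outputlookup blabla_normalized.csv

index=* host=abcde
| eval status_num=tonumber(replace(lower(Status), "^0x", ""), 16)
| lookup blabla_normalized.csv status_num OUTPUT Action
| fillnull value="Unknown" Action
| table Message1, Message2, Status, Action
```

If the CSV values are guaranteed to be spelled exactly like the event values, the normalization step is unnecessary and `| lookup blabla.csv Status OUTPUT Action` on its own is enough; a lookup definition in transforms.conf with case_sensitive_match = false handles differences in letter case only, not in zero padding.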
I am ingesting some JSON events, and one of the fields is just a massive spammy "//0//0//0//0" repeated 15000+ times. I know my regexes are working fine, and I accomplished this by changing my lookahead in transforms:

[extractMessage]
REGEX = "original":([\s\S]*?})},"
LOOKAHEAD = 100000
DEST_KEY = _raw
FORMAT = $1
WRITE_META = true

BUT sedcmd doesn't listen to the lookahead as defined in transforms, because it has to be called from props, and props has no lookahead! So looking at my props.conf:

[host::xx]
SEDCMD-tst = s/(?:a){20,}/yoink/g

I made a big file of the letter "a", and counted how many chars were on each event. Then the sedcmd went in and replaced the "a"s with "yoink". Behold.... SEDCMD stops working at 4105 chars. I NEED MORE. How do I expand SEDCMD's reach?

Hi, when trying to pull AdminAudit logs from Exchange to Splunk we are only receiving the following log (which is divided into 2 logs):
First log: WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance
Second log: of an object.
Your support, please.

Hello, everyone! I configured a source from my database via the Splunk DB Connect app. Events contain a field "time" and I want the Splunk _time field to be equal to this, because now I have two times: the real time (field "time" from the event) and the time when Splunk took the event from the database (field "_time").

Hi All, I want to find out all sourcetypes that are configured for all reports in our Splunk. Suppose we have configured 100 reports; then I want to see, with the help of a query, which sourcetype is configured for each of these 100 reports. This is my question. Regards, Sanket Kaware

Hi Team, we are using the Splunk Enterprise SIEM tool. We want to check all the sourcetypes configured for all alerts/dashboards/reports. We have searched and tried the query below, but it is not showing the expected result:

index="*" | stats count by source type

We want to check all sourcetypes configured under all reports, all dashboards or all alerts. If you can give me 3 different queries for this, that is also fine; we do not require all this in one query. Could you please suggest and help us with this. Regards, Sanket Kaware

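An added example for the two sourcetype-inventory questions above, not from either post: the index="*" approach reports sourcetypes that currently have data, not sourcetypes referenced by knowledge objects, so these two searches read the objects themselves through the rest command instead. The first covers reports and alerts, which Splunk stores together as saved searches; the second covers dashboards, whose XML comes back in eai:data. The rex only recognizes literal sourcetype=... clauses, so a search that reaches its sourcetype through a macro, an eventtype or a data model is not resolved, and the rest command only returns objects the running user is permitted to read.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| fields title eai:acl.app is_scheduled search
| rex field=search max_match=0 "sourcetype\s*=\s*\"?(?<sourcetype>[^\s\"\)]+)"
| mvexpand sourcetype
| stats values(title) as saved_searches dc(title) as search_count by sourcetype

| rest /servicesNS/-/-/data/ui/views splunk_server=local
| fields title eai:acl.app eai:data
| rex field=eai:data max_match=0 "sourcetype\s*=\s*(?:\"|&quot;)?(?<sourcetype>[^\s\"<&\)]+)"
| mvexpand sourcetype
| stats values(title) as dashboards dc(title) as dashboard_count by sourcetype
```

Dropping the final stats from either pipeline gives the per-object view instead (one row per report, alert or dashboard with the sourcetypes it names); objects whose search text contains no sourcetype clause at all disappear at the stats step, which is itself worth a look, because those are the searches running against index=* style scopes.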
Hi, I have the following data, which I find with a search over the last 30 days and save into a lookup:

Customers | Old Acquired Product | New Acquired Product
Jack | Product 1 | Product 2
Alan | Product 4 | Product 5
Chris | Product 3 | Product 2
Ceb | Product 5 | Product 3

Now, I know that every day or every few days each customer's products are changing as they are acquiring new products. Here is what I want to do: create a saved search modifying the existing lookup to ensure each customer's key value is updated accordingly. For example, the next day customers Jack and Chris acquire a new product, so the saved search schedule will pick up the change and update the lookup as follows:

Customers | Old Acquired Product | New Acquired Product
Jack | Product 2 | Product 4
Alan | Product 4 | Product 5
Chris | Product 3 | Product 2
Ceb | Product 3 | Product 2

I know I have to use the outputlookup and lookup commands, but I fear it is going to overwrite it.

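An added example, not part of the post: a scheduled search that rewrites the lookup in place without losing customers that had no activity in the window. outputlookup always replaces the whole file, so the safe pattern is to compute the latest acquisition per customer from the events, pull the existing rows in with inputlookup append=true (which avoids the subsearch result limit that an append [ ... ] subsearch would impose), decide per customer whether the "new" product has changed, and only then write the file back. The index, sourcetype, the product field and the file name customer_products.csv are assumptions; the post does not give them. The example also assumes one row per customer in the lookup.

```spl
index=crm sourcetype=acquisitions earliest=-30d
| stats latest(product) as acquired by Customers
| inputlookup append=true customer_products.csv
| rename "Old Acquired Product" as old_prod, "New Acquired Product" as new_prod
| stats values(old_prod) as old_prod, values(new_prod) as new_prod, values(acquired) as acquired by Customers
| eval changed=if(isnotnull(acquired) AND (isnull(new_prod) OR acquired!=new_prod), 1, 0)
| eval next_old=if(changed=1, new_prod, old_prod)
| eval next_new=if(changed=1, acquired, new_prod)
| rename next_old as "Old Acquired Product", next_new as "New Acquired Product"
| fields Customers, "Old Acquired Product", "New Acquired Product"
| outputlookup customer_products.csv
```

The shift into next_old is computed before next_new is assigned, so the previous "new" value is still available when it is moved to the "old" column; a customer seen in the events but absent from the lookup gets a row with only the "new" column populated, and a customer absent from the events keeps the row unchanged. Schedule it at most once per window so a single acquisition is not shifted twice.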
Hi, I am currently running Splunk 8.1.9. Is it possible to create a role that will allow a user to access only specific fields in an index? Example: field1, field2, field3, field4, field5. The user has access to the index, but can only view data in field1, field4 and field5. Many thanks.

Hi, I have a chart that displays a value by time. Then I calculate the average of the value. I want to display the avg next to the chart; what can I do, please? Thanks in advance!

Hello, I want to download the MS Exchange app, but it's not available via https://splunkbase.splunk.com/app/1660. Where can I find version 4.0.4 of this app?

Hi Splunk Works, for the app https://splunkbase.splunk.com/app/3757/: to pull in non-default AAD user fields such as companyName and country, we modified input_module_MS_AAD_user.py and it works fine. https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0 (see the properties section). We would like to see this as a feature for users and devices in the next versions, if possible, please.

Hello! We currently have two separate alerts: one that prints a list of devices and another that prints a list of records related to those devices (I used the map command to iterate over the list of devices to print the list of records for each device). So currently we get two emails, one right after the other. The first has the list of devices and the second has the records for those devices. Is there a way to print the list of devices and the list of all their records right below it in a single email?

Has anyone else ever seen a 500 bad request error on the Splunk Enterprise logon page? If I clear my cookies out for the logon page and refresh, that fixes the issue for a few days or longer, but then it appears again. Does anyone know how to fix it? Thanks in advance. Ben

Hi, I am using the network diagram viz and I need to change the color of the nodes which also have values for one specific field, "SSh". Here is my current Splunk query:

index=fraud_glassbox (sourcetype="gb:hit" OR sourcetype="gb:sessions") 44ead780-cf74-11ec-915e-005056b040ae
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| eval SEQUENCEto = tonumber(SEQUENCE) + 1
| strcat URL_PATH ":" SEQUENCE from
| autoregress from as to
| eval color = "red"
| table from, to, color, Premier_RC_Code_SSH

and output:

Is it possible to incorporate an IF-like statement or subsearch that would turn all such nodes blue if there are respective values for the "SSH" field?

I have a sourcetype that provides results as dst if it has one result, or dst{} with multiple results. I am attempting to get this into a data model to be used; however, I can't get dst{} to work. dst=dest works just fine, but dst{}=dest does not work. When doing dst{}=(IP address), the search works just fine, so I know it doesn't have an issue finding the information. I am missing something that is needed to make it work within a data model. After researching for a couple of days and failing, I thought I'd ask the community for their knowledge.

I'm having some issues getting my LINE_BREAKER configuration to work for a custom log file. I've tested the RegEx and it matches the beginning of every line; however, it's still breaking extremely strangely. Here's the configuration we're running as well as a sample of the log. The screenshot at the bottom is what it's actually doing.

MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %Y-%m-%d_%I%M %p
TIME_PREFIX = ^
TZ = MST
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}_\d{4} [AP]M[\s\r\n]+\d{2}

---
2022-05-10_1120 AM 10.12.14.3 HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%
2022-05-10_1120 AM 10.12.14.4 HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%
2022-05-10_1120 AM 10.12.14.5 HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%
2022-05-10_1120 AM 10.12.14.81 HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=58%
2022-05-10_1120 AM 10.12.14.82 HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=73%
2022-05-10_1120 AM 10.12.14.88 HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%
2022-05-10_1120 AM 10.12.14.91 HSM device 0: HSM in NORMAL MODE. RESPONDING. Usage Level=0%

I have a Windows .ini file that I want to index on every update of the file. Right now, when the file is updated it is not being re-indexed. The file doesn't have much data in it, just about 1K worth. Whenever the file is updated, not much of the file is changed, mostly just a couple of values referencing the build # for the application it goes with. Ideally, I would like the whole file to be re-indexed every time any change is made to it. Has anyone tried this or have thoughts on it? I guess if all else fails I could do a scripted input on a schedule and do it that way, but that would mean I would not get the updates right away, and I would also get lots of useless data since most of the scheduled polls would have no change.

Could someone help me with the Splunk configuration so that the following events show independently in the Splunk search?

[my_sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX =
TIME_FORMAT =

Hi all! I'm trying to create a table with case_number and session as the two columns. Any event without a case_number won't show up in the table. How do I get them to show up?

index=cui botId=123456789 case_number=* session=*
| table case_number session

I tried using | fields case_number instead, but this didn't work either. Appreciate any help!