Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I have a log I am trying to parse. One of the responses: Field Value Test Response Response Test Testing_Response. For the value "Testing_Response" I would like it to display "Testing" in the results.
Hey there Splunk community. I'm new here and I would appreciate some help if it is possible. I'm running a Python script that generates a 4 line event inside my Splunk app. The strange thing about it is that it always generates the same amount of characters (spread across 4 lines) and my events still break into 2 linecounts 20% of the time. I don't see any pattern whatsoever. Is there a way to solve this?
Hi All, thank you all so much for helping me. This is a great forum to learn. I have 2 date fields and I'd like to get the difference in days and whether they are over certain thresholds: <30, >30, >60, >120. For example:

Current-Date  Open-Date   Diff Days  Metric
4/25/2022     4/23/2022   2          <30
4/25/2022     3/15/2022   41         >30
4/25/2022     2/15/2022   69         >60
4/25/2022     12/25/2021  121        >120
4/25/2022     4/1/2022    ??         ??
4/25/2022     11/25/2021  ??         ??
4/25/2022     1/15/2022   ??         ??
Background: I would like to create a dashboard with dropdowns that allow the underlying queries behind a chart to filter differently depending on the dropdown values. For performance reasons, I'd also want the dashboard to be powered by saved searches.

Setup:
- Dropdowns
- Saved searches on unfiltered queries
- Chain searches referencing the saved searches and filtering by the dropdown value

Problem: When I did the chain search with the dropdown token value, the token does not get translated into a value. For instance: my dropdown's token is called "dd". When I did my chain search with | search myfield="$dd$", the query does not return anything. If I open the entire search query, it shows I am trying to do:
<saved search query> | search myfield="$dd$"
The expectation would instead be:
<saved search query> | search myfield="<my dd value>"
Is this not supported?
Hi Team, currently Splunk offers the 3.3.0 Add-on for Symantec Endpoint Protection (aka SEP), which is an on-premise product, but Symantec also has a completely cloud-based solution called Endpoint Security (aka SES) that requires an integration with an API. I would like to know how Splunk is managing this kind of integration. My questions are:
1. Is there an add-on available that enables Splunk to collect data from the SES Cloud API?
2. If not, what is the recommendation from Splunk for getting the SES logs into the SIEM?
3. When is an agent going to be available, even for an intermediate connection?
Best Regards
When will this app be updated to support Python 3/jQuery 3.5?
Hey, I am working on making a dashboard and wanted to know how I can subtract two dates that are in ISO 8601 format. Please refer to the snippet of JSON below:
{
  "startTime": "2022-04-25T01:02:19.221Z",
  "endTime": "2022-04-25T01:57:59.417Z"
}
When will this app be updated to be compliant with jQuery 3.5?
Hey there Splunk community. I'm new here and I would appreciate some help if it is possible. So, I have to create a Splunk app that runs a Python script each day and it should generate random log events and index them into Splunk. I'm not sure what's the best approach for this. I already wrote a custom script and successfully tested it by implementing it in Splunk (Data Inputs > Scripts...) but I don't know how to run it once a day and get x amount of log events. I did use Cron schedule for scheduling it once a day but I only get one log event. Is there a way Splunk can run a script x amount of times at once? Thank you!
Hi All, since the last Splunk update I've noticed some unexpected behavior when it comes to tokens with Splunk Dashboard Studio. If you have an input (dropdown or multiselect) with a default value set to None, then after loading the dashboard page and setting the input value, the base searches in the dashboard that use the input token will update, but any chain searches of that base search do not. It does however update if you either refresh the page with the tokens set in the URL, or change the input a second time (any other action which causes the page to refresh in some way, e.g. editing the page, will update the dashboard and the chain search will update). Is this behaviour a bug, and is there currently a way to fix it?

Thanks
Daniel

Below is a self-contained minimal example to demonstrate this. Splunk Dashboard Studio: Absolute/Full control layout

{
  "visualizations": {
    "viz_cdPoxmBV": {
      "type": "splunk.table",
      "dataSources": { "primary": "ds_CJTH14Fk" },
      "title": "Base"
    },
    "viz_t4aAHmKH": {
      "type": "splunk.table",
      "title": "Chain",
      "dataSources": { "primary": "ds_aqLh17e3" }
    }
  },
  "dataSources": {
    "ds_CJTH14Fk": {
      "type": "ds.search",
      "options": {
        "query": "| makeresults\n| eval a=\"$input$\"\n| table a ",
        "queryParameters": { "earliest": "0", "latest": "" }
      },
      "name": "Search_Base"
    },
    "ds_aqLh17e3": {
      "type": "ds.chain",
      "options": {
        "extend": "ds_CJTH14Fk",
        "query": "| eval a=a+\"_END\""
      },
      "name": "Search_1"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    }
  },
  "inputs": {
    "input_aXQ6s8I2": {
      "options": {
        "items": [
          { "label": "All", "value": "*" },
          { "label": "Item 1", "value": "item001" },
          { "label": "Item 2", "value": "item002" }
        ],
        "token": "input"
      },
      "title": "Dropdown Input Title",
      "type": "input.dropdown"
    }
  },
  "layout": {
    "type": "absolute",
    "options": { "display": "auto-scale" },
    "structure": [
      { "item": "viz_cdPoxmBV", "type": "block", "position": { "x": 10, "y": 10, "w": 410, "h": 140 } },
      { "item": "viz_t4aAHmKH", "type": "block", "position": { "x": 430, "y": 10, "w": 400, "h": 140 } }
    ],
    "globalInputs": [ "input_aXQ6s8I2" ]
  },
  "description": "",
  "title": "Test_Token"
}
Hi people. I'm attempting to submit an event over HEC to an index called dev_game-publishing. This looks like:

curl -k 'https://so1:8088/services/collector/event?index=dev_game-publishing' -H "Authorization: Splunk 11111111-2222-3333-4444-555555555555" -d '{"event": "hello world unique"}'; echo
{"text":"Success","code":0}

Or:

curl -k 'https://so1:8088/services/collector/event' -H "Authorization: Splunk 11111111-2222-3333-4444-555555555555" -d '{"event": "hello world unique"}'; echo
{"text":"Success","code":0}

I've of course changed my token to nonsense. Those "Success" strings sound to me like the submission has worked. However, when I go to Search in the web interface and look for "index=*" (for All time), I see only a small number of my test events, and they're all in the main index.

The token I'm using defaults to the dev_game-publishing index. I believe I'm using a Trial license. What do I need to do to get Splunk to accept events on the dev_game-publishing index? Thanks!
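The two posts above (a scripted input that should emit x events per run, and HEC submissions that answer Success but do not show up in the expected index) share one mechanism: each JSON object in a HEC request body is one event, and each can carry its own index field. The script below is an added example, not code from either post or from Splunk; the host, token and index are placeholders copied from the curl command, and the event texts are constructed.

```python
"""Batch several events into one HEC request with the index set per event.
Added example; the host, token and index values are placeholders."""
import json
import ssl
import urllib.request

HEC_URL = "https://so1:8088/services/collector/event"   # placeholder host
HEC_TOKEN = "11111111-2222-3333-4444-555555555555"        # placeholder token
TARGET_INDEX = "dev_game-publishing"

def build_batch(messages, index=TARGET_INDEX, sourcetype="script:demo"):
    """Return one request body carrying len(messages) events. HEC accepts
    several JSON event objects concatenated in a single body; the newline
    between them only keeps the body readable."""
    return "\n".join(
        json.dumps({"index": index, "sourcetype": sourcetype, "event": m})
        for m in messages
    )

def split_batch(body):
    """Parse a batch body back into event dicts (used for self-checks)."""
    return [json.loads(line) for line in body.splitlines() if line.strip()]

def hec_ok(response_text):
    """HEC answers {"text":"Success","code":0} on acceptance; any other
    code is a rejection and the batch must be treated as not delivered."""
    return json.loads(response_text).get("code") == 0

def send_batch(body, url=HEC_URL, token=HEC_TOKEN, verify_tls=True):
    """POST the batch. The token travels in the Authorization header, never
    in the URL, so it does not end up in proxy or web-server access logs."""
    req = urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:            # same effect as `curl -k`; lab hosts only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return hec_ok(resp.read().decode("utf-8"))

if __name__ == "__main__":
    sample = [f"hello world {i}" for i in range(5)]   # constructed events
    print(build_batch(sample))
    # send_batch(build_batch(sample), verify_tls=False)  # against a real HEC
```

With a scripted input instead of HEC, the same idea applies with default line breaking: print one line per event and a single scheduled run yields x events. HEC validates the requested index against the token's allowed indexes and answers with a non-zero code when it is not permitted, so a Success reply means the collector accepted the batch; after that, confirm on the indexer that the index actually exists and that the role you search with is allowed to see it.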
Hi everyone! We want to get the new errors that didn't appear yesterday. For example, take an action named A. Its yesterday's error codes are A1, A2, A3. But its today's error codes are A1, A2, A4, A5. A4 and A5 are new errors. The fields we use in Splunk are below:

application: the name of an application
transId: the name of an action in our system
errorCode: the error code of an action once an exception occurred

The result we want to get for the example above is like below:

application  transId  errorCode
exp          A        A4
exp          A        A5

I've tried a subsearch but it doesn't work well! The subsearch will be auto-finalized after 60s!
Hello all, I suspect I am missing something obvious, but where are all the CIM fields for ESXi audit logs?

- I have VMware logs being sent to a syslog port. I have a mix of VMware 7.0 and 6.7 vCenters (Splunk 8.2). https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts
- I am using the latest Splunk Add-on for VMware ESXi Logs (4.2.1)
- I have had to modify line breaking rules
- I have an index cluster, so I had to update the DATETIME_CONFIG field (from .../apps/... to slave_apps)
- I am capturing the hostname via rsyslog and putting it into the directory. I am reading it as my host value (example: /var/log/vmware/hostname/day_hour/log.log)
- I am capturing logs as "vmw-syslog"; logs are being renamed to things such as "vmware:esxlog:vpxd" by the TA

The TA as-is captures application and message fields for most events. But I don't see any configurations that would capture a user or action field, CIM fields or tags for login events, etc. Am I missing something? I am seeing logs that look like this, but no attempt to parse CIM fields:

2022-04-21T17:37:17.686700+00:00 <host> vpxd 3115 - - Event [49110010] [1-1] [2022-04-21T17:37:17.685845Z] [vim.event.UserLogoutSessionEvent] [info] [AD\<user>] [] [49111254] [User AD\<user>@127.0.0.1 logged out (login time: Thursday, 21 April, 2022 05:27:42 PM, number of API invocations: 1, user agent: VMware vim-java 1.0)]

2022-04-21T17:27:42.654618+00:00 <host> vpxd 3115 - - Event [49109228] [1-1] [2022-04-21T17:27:42.654052Z] [vim.event.UserLoginSessionEvent] [info] [AD\<user>] [] [49104519] [User AD\<user>@127.0.0.1 logged in as VMware vim-java 1.0]
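The vpxd session events quoted above carry everything an Authentication data model row needs (user, source address, outcome, user agent), it just has to be extracted. The parser below is an added example, not part of the Splunk Add-on for VMware or of the post; the sample lines are the post's two events with the redacted <host> and <user> placeholders replaced by constructed values (esx01, AD\jdoe). Mapping a logout to action=logout is my choice, since the CIM Authentication model only defines outcomes for login attempts.

```python
"""Normalize vCenter vpxd UserLogin/UserLogoutSessionEvent lines into
CIM-style Authentication fields. Added example; sample values constructed."""
import re

# Shaped like the two events quoted in the post; host and user are stand-ins.
SAMPLE_LINES = [
    r"2022-04-21T17:37:17.686700+00:00 esx01 vpxd 3115 - - Event [49110010] [1-1] "
    r"[2022-04-21T17:37:17.685845Z] [vim.event.UserLogoutSessionEvent] [info] [AD\jdoe] [] "
    r"[49111254] [User AD\jdoe@127.0.0.1 logged out (login time: Thursday, 21 April, 2022 "
    r"05:27:42 PM, number of API invocations: 1, user agent: VMware vim-java 1.0)]",
    r"2022-04-21T17:27:42.654618+00:00 esx01 vpxd 3115 - - Event [49109228] [1-1] "
    r"[2022-04-21T17:27:42.654052Z] [vim.event.UserLoginSessionEvent] [info] [AD\jdoe] [] "
    r"[49104519] [User AD\jdoe@127.0.0.1 logged in as VMware vim-java 1.0]",
]

# Python named groups are (?P<name>...); in Splunk's rex/EXTRACT the same
# pattern is written with (?<name>...).
SESSION_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dest>\S+) vpxd \d+ - - Event \[(?P<event_id>\d+)\] \[[^\]]*\] "
    r"\[(?P<event_ts>[^\]]*)\] \[vim\.event\.(?P<signature>User(?:Login|Logout)SessionEvent)\] "
    r"\[(?P<severity>\w+)\] \[[^\]]*\] \[[^\]]*\] \[\d+\] "
    r"\[User (?P<user>.+?)@(?P<src>[\d.]+) logged (?P<direction>in|out)(?P<tail>.*)\]$"
)
UA_LOGIN_RE = re.compile(r"^ as (?P<ua>.+)$")            # "... logged in as <agent>"
UA_LOGOUT_RE = re.compile(r"user agent: (?P<ua>.+?)\)$")  # "... user agent: <agent>)"

def parse_session_event(line):
    """Return a dict of CIM-style fields, or None if the line is not a
    vpxd session event."""
    m = SESSION_RE.match(line)
    if not m:
        return None
    fields = {
        "_time": m["ts"], "dest": m["dest"], "app": "vpxd",
        "user": m["user"], "src": m["src"],
        "signature": m["signature"], "severity": m["severity"],
        "vendor_event_id": m["event_id"],
    }
    if "\\" in m["user"]:                      # DOMAIN\account form
        fields["user_domain"], fields["user_name"] = m["user"].split("\\", 1)
    if m["direction"] == "in":
        fields["action"] = "success"           # completed interactive login
        ua = UA_LOGIN_RE.match(m["tail"])
    else:
        fields["action"] = "logout"            # session end (mapping assumption)
        ua = UA_LOGOUT_RE.search(m["tail"])
    if ua:
        fields["user_agent"] = ua["ua"]
    return fields

def parse_all(lines):
    """Parse a list of raw lines, dropping anything that is not a session event."""
    return [f for f in (parse_session_event(l) for l in lines) if f]

if __name__ == "__main__":
    for row in parse_all(SAMPLE_LINES):
        print(row)
```

The same regular expression, with the group syntax swapped to (?<name>...), can be used in an EXTRACT stanza scoped to the vmware:esxlog:vpxd sourcetype; an eval on the direction then sets action, after which the usual Authentication tags can be applied to the eventtype.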
I want to implement timechart with span on a DB SQL query. But on implementation, I am getting zero results. Basically, I want to show a count with timechart. I verified that data is coming back with the same query using the created_timestamp column.

I don't know what step I am missing while using timechart.
I have been avoiding regex for quite some time in Splunk but now I really need to deal with it and understand it. I really need help with these three cases:

First case: I have events that usually start with things like 57A, 53A and are followed by other strings. I want to match 57A but the field value will be FMDKNTLA
:57A:3232324646 FMDKNTLA

Second case: Another extraction example will be extracting field 31A but the value will be "NKN"
:32A:200117NKN200000000,00

Third case: extracting field 31A but the value will be "200000000,00"
:31A:200117NKN200000000,00

Any help will be appreciated
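The three cases above are all "anchor on the tag, skip a fixed-width prefix, capture the rest" extractions, and two of them share the same layout after the tag. The code below is an added example, not from the post. It assumes that the six digits after :32A:/:31A: are a date (YYMMDD), followed by a three-letter currency code and a comma-decimal amount, and that the 5xA tags are followed by digits, whitespace and one token; the fourth sample event is constructed to show that the patterns generalise to other tags of the same shape.

```python
"""Tag-based field extraction for the three cases in the post.
Added example; the field layout after each tag is an assumption."""
import re

# Python named groups are (?P<name>...); Splunk's rex takes the same
# patterns written with (?<name>...).
# :32A:/:31A: -> date(6) currency(3) amount(digits, optional ",dd")
AMOUNT_TAG_RE = re.compile(
    r":(?P<tag>3[12]A):(?P<date>\d{6})(?P<ccy>[A-Z]{3})(?P<amount>\d+(?:,\d+)?)"
)
# :57A:/:53A: -> digits, whitespace, one party identifier
PARTY_TAG_RE = re.compile(r":(?P<tag>5\dA):\d+\s+(?P<party>\S+)")

def extract(event):
    """Return the fields found in one event, named after the tag that
    produced them; an event with no recognised tag yields {}."""
    m = AMOUNT_TAG_RE.search(event)
    if m:
        tag = m["tag"]
        return {
            tag + "_date": m["date"],
            tag + "_ccy": m["ccy"],
            tag + "_amount": m["amount"],
        }
    m = PARTY_TAG_RE.search(event)
    if m:
        return {m["tag"]: m["party"]}
    return {}

def extract_all(events):
    return [extract(e) for e in events]

SAMPLE_EVENTS = [                        # first three copied from the post
    ":57A:3232324646 FMDKNTLA",
    ":32A:200117NKN200000000,00",
    ":31A:200117NKN200000000,00",
    ":53A:0000 OTHERBANK",               # constructed: same shape, other tag
]

if __name__ == "__main__":
    for ev, fields in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(ev, "->", fields)
```

Capturing with a tight character class (\d{6}, [A-Z]{3}) instead of .* is what keeps the second and third cases from swallowing each other's values; if the amounts can carry thousands separators or a sign, widen the amount group accordingly.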
Hello, I have installed and set up RADIUS Authentication (radius_auth 1.4.1). All authentication is correct and RADIUS users are coming up with the admin role. The problem is that when searching an index, Splunk is taking a long time to fetch the data. When looking through logs I found the lines below in splunkd.log; they appear when running a search, a lot of them, and only when using RADIUS, not when using a local user. It seems like this is the reason for the search being slow, but I'm not sure what is going on. Can anyone help? Thanks

4-25-2022 11:45:24.154 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~55.19 milliseconds to execute. elapsed_msec=56
04-25-2022 11:45:24.204 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~49.04 milliseconds to execute. elapsed_msec=50
04-25-2022 11:45:24.248 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~43.72 milliseconds to execute. elapsed_msec=44
04-25-2022 11:45:24.293 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~44.53 milliseconds to execute. elapsed_msec=45
04-25-2022 11:45:24.342 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~49.53 milliseconds to execute. elapsed_msec=50
04-25-2022 11:45:24.397 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~54.63 milliseconds to execute. elapsed_msec=55
04-25-2022 11:45:24.453 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~54.95 milliseconds to execute. elapsed_msec=55
04-25-2022 11:45:24.496 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~43.16 milliseconds to execute. elapsed_msec=44
04-25-2022 11:45:24.558 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~61.56 milliseconds to execute. elapsed_msec=62
04-25-2022 11:45:24.609 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~50.98 milliseconds to execute. elapsed_msec=51
04-25-2022 11:45:24.652 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~41.98 milliseconds to execute. elapsed_msec=42
04-25-2022 11:45:24.704 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~51.82 milliseconds to execute. elapsed_msec=52
04-25-2022 11:45:24.756 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~51.36 milliseconds to execute. elapsed_msec=52
04-25-2022 11:45:24.798 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~42.03 milliseconds to execute. elapsed_msec=43
04-25-2022 11:45:24.851 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~52.72 milliseconds to execute. elapsed_msec=53
04-25-2022 11:45:24.898 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~47.39 milliseconds to execute. elapsed_msec=48
04-25-2022 11:45:24.954 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~54.91 milliseconds to execute. elapsed_msec=55
04-25-2022 11:45:24.996 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~41.97 milliseconds to execute. elapsed_msec=42
04-25-2022 11:45:25.041 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~44.70 milliseconds to execute. elapsed_msec=45
04-25-2022 11:45:25.085 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~43.48 milliseconds to execute. elapsed_msec=44
04-25-2022 11:45:25.135 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~50.13 milliseconds to execute. elapsed_msec=51
04-25-2022 11:45:25.183 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~47.50 milliseconds to execute. elapsed_msec=48
04-25-2022 11:45:25.237 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~54.03 milliseconds to execute. elapsed_msec=55
04-25-2022 11:45:25.290 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~52.35 milliseconds to execute. elapsed_msec=53
04-25-2022 11:45:25.334 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~43.71 milliseconds to execute. elapsed_msec=44
04-25-2022 11:45:25.388 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~53.50 milliseconds to execute. elapsed_msec=54
04-25-2022 11:45:25.439 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~51.03 milliseconds to execute. elapsed_msec=52
04-25-2022 11:45:25.490 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~51.24 milliseconds to execute. elapsed_msec=52
04-25-2022 11:45:25.534 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~42.78 milliseconds to execute. elapsed_msec=43
04-25-2022 11:45:25.587 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~53.18 milliseconds to execute. elapsed_msec=54
04-25-2022 11:45:25.641 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~53.47 milliseconds to execute. elapsed_msec=54
04-25-2022 11:45:25.686 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~44.53 milliseconds to execute. elapsed_msec=45
04-25-2022 11:45:25.729 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~43.21 milliseconds to execute. elapsed_msec=44
04-25-2022 11:45:25.775 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~45.34 milliseconds to execute. elapsed_msec=46
04-25-2022 11:45:25.829 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~53.74 milliseconds to execute. elapsed_msec=54
04-25-2022 11:45:25.882 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~52.27 milliseconds to execute. elapsed_msec=53
04-25-2022 11:45:25.924 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~41.69 milliseconds to execute. elapsed_msec=42
04-25-2022 11:45:25.976 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~52.32 milliseconds to execute. elapsed_msec=53
04-25-2022 11:45:26.032 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~55.64 milliseconds to execute. elapsed_msec=56
04-25-2022 11:45:26.084 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~51.54 milliseconds to execute. elapsed_msec=52
04-25-2022 11:45:26.136 +0200 INFO ScriptedAuthHelper [503966 TcpChannelThread] - Function=getUserInfo took ~51.70 milliseconds to execute. elapsed_msec=52
I have "threatInfo.updatedAt" information in my logs. I want to get an alert if the time difference between "threatInfo.updatedAt" and "_time" is more than 4 hours.

My search query:

index=test "file_name"=* "threatInfo.incidentStatus"=unresolved
| transaction threatInfo.updatedAt
| table _time threatInfo.updatedAt file_name file_path category
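Three of the questions on this page (the open-date age buckets, subtracting two ISO 8601 stamps, and alerting when _time is more than four hours past threatInfo.updatedAt) are the same operation: parse both timestamps to a common epoch, subtract, compare. The helpers below are an added example, not code from any of the posts. Assumptions: the m/d/Y dates are US order, the ISO 8601 stamps end in Z (UTC), _time is a Unix epoch as Splunk stores it, threatInfo.updatedAt has the same ISO 8601 shape as the startTime/endTime snippet, and a difference of exactly 30/60/120 days (which the table does not specify) falls into the lower bucket.

```python
"""Time-difference helpers for the age-bucket, ISO 8601 and 4-hour-alert
questions. Added example; formats and threshold edges are assumptions."""
from datetime import datetime, timezone

def parse_mdy(s):
    """'4/25/2022' -> aware UTC datetime at midnight."""
    return datetime.strptime(s, "%m/%d/%Y").replace(tzinfo=timezone.utc)

def parse_iso_z(s):
    """'2022-04-25T01:02:19.221Z' -> aware UTC datetime (1-6 fraction digits)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def diff_days(current, opened):
    """Whole days between two m/d/Y dates (current minus opened)."""
    return (parse_mdy(current) - parse_mdy(opened)).days

def age_bucket(days):
    """Bucket labels from the post's table, highest threshold first."""
    if days > 120:
        return ">120"
    if days > 60:
        return ">60"
    if days > 30:
        return ">30"
    return "<30"

def age_table(rows):
    """[(current, opened), ...] -> [(current, opened, days, bucket), ...]"""
    out = []
    for current, opened in rows:
        d = diff_days(current, opened)
        out.append((current, opened, d, age_bucket(d)))
    return out

def iso_duration_seconds(start, end):
    """end minus start for two ISO 8601 Z stamps, in seconds (float)."""
    return (parse_iso_z(end) - parse_iso_z(start)).total_seconds()

def is_stale(updated_at, event_epoch, max_hours=4):
    """True when the event's _time is more than max_hours after updatedAt."""
    updated = parse_iso_z(updated_at)
    seen = datetime.fromtimestamp(event_epoch, tz=timezone.utc)
    return (seen - updated).total_seconds() > max_hours * 3600

if __name__ == "__main__":
    for row in age_table([("4/25/2022", "4/1/2022"),
                          ("4/25/2022", "11/25/2021"),
                          ("4/25/2022", "1/15/2022")]):
        print(row)
    print(iso_duration_seconds("2022-04-25T01:02:19.221Z",
                               "2022-04-25T01:57:59.417Z"))
```

In SPL the counterpart is strptime() on the string field(s), a subtraction of the resulting epochs in eval, and a where clause on the result; since both values live in the same event, a per-event eval is enough and no transaction is needed to line them up.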
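Both this question and the "new error codes since yesterday" question above are anti-joins: keep the rows from one set whose key never appears in another set. Doing that in a single pass over both event types avoids the subsearch that the earlier post saw auto-finalized after 60 seconds. The code below is an added example, not from either post; the events are constructed, the kind field used to tell DONT_MATCH from EXTERNAL_* events is an assumption (the posts match those as search terms), and the url regex is the one from the search above with Python's named-group syntax.

```python
"""Two anti-joins over constructed events: error codes seen today but not
yesterday, and dj values with no matching EXTERNAL_API/EXTERNAL_STATUS url.
Added example; field layouts and the `kind` field are assumptions."""
import re
from collections import defaultdict

YESTERDAY, TODAY = "2022-04-24", "2022-04-25"

# (day, application, transId, errorCode), mirroring the post's example.
ERROR_EVENTS = [
    (YESTERDAY, "exp", "A", "A1"), (YESTERDAY, "exp", "A", "A2"),
    (YESTERDAY, "exp", "A", "A3"),
    (TODAY, "exp", "A", "A1"), (TODAY, "exp", "A", "A2"),
    (TODAY, "exp", "A", "A4"), (TODAY, "exp", "A", "A5"),
]

def new_error_codes(events, today, yesterday):
    """Codes present for an (application, transId) today but absent
    yesterday: one pass grouping codes by day, then a set difference."""
    seen = defaultdict(lambda: {today: set(), yesterday: set()})
    for day, app, trans, code in events:
        if day in (today, yesterday):
            seen[(app, trans)][day].add(code)
    rows = []
    for (app, trans), by_day in sorted(seen.items()):
        for code in sorted(by_day[today] - by_day[yesterday]):
            rows.append({"application": app, "transId": trans, "errorCode": code})
    return rows

# Events shaped like the spath paths in the search; `kind` is assumed.
LOG_EVENTS = [
    {"kind": "DONT_MATCH", "log": {"message": {"extra": {"dj": "1001"}, "msg": {"fname": "alpha"}}}},
    {"kind": "DONT_MATCH", "log": {"message": {"extra": {"dj": "1002"}, "msg": {"fname": "beta"}}}},
    {"kind": "DONT_MATCH", "log": {"message": {"extra": {"dj": "1003"}, "msg": {"fname": "alpha"}}}},
    {"kind": "EXTERNAL_API", "log": {"url": "/a/b/c/d/e/f/1002"}},
    {"kind": "EXTERNAL_STATUS", "log": {"url": "/a/b/c/d/e/f/9999"}},
]

# Same pattern as the post's rex: six path segments, then the numeric id.
URL_ID_RE = re.compile(r"^(?:/\w+){6}/(?P<variable>\d+)")

def unmatched_dj_counts(events):
    """dj values from DONT_MATCH events that never occur as the trailing id
    of an EXTERNAL_API/EXTERNAL_STATUS url, plus counts by fname."""
    external_ids = set()
    for ev in events:
        if ev["kind"] in ("EXTERNAL_API", "EXTERNAL_STATUS"):
            m = URL_ID_RE.match(ev["log"].get("url", ""))
            if m:
                external_ids.add(m["variable"])
    kept, counts = [], defaultdict(int)
    for ev in events:
        if ev["kind"] != "DONT_MATCH":
            continue
        message = ev["log"]["message"]
        dj = message["extra"]["dj"]
        if dj not in external_ids:
            kept.append(dj)
            counts[message["msg"]["fname"]] += 1
    return sorted(kept), dict(counts)

if __name__ == "__main__":
    print(new_error_codes(ERROR_EVENTS, TODAY, YESTERDAY))
    print(unmatched_dj_counts(LOG_EVENTS))
```

The SPL shape that corresponds to this is one search over both event types, an eval that tags each event with its side (or day), a stats that collects the values per key, and a final where/search that keeps only the keys missing from the other side; the whole thing runs under the main search's limits rather than the subsearch's.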
Hi, is anyone using this app and able to troubleshoot it for me? https://splunkbase.splunk.com/app/3530/ I installed it but there were no results found, and I can't find any errors. @markhill1, wondering if you could help on this? Thank you!