Hello. In my dashboard, I need to compare 2 single-value panels between 2 different times. The first single-value panel runs stats on the events of the last 15 minutes like this:

| stats max(sys_session_count) as session by host
| stats sum(session) as session
| table session

Now, what I need to do is compare this current single-value panel with the results from one week before during the same time slot. For example, today is the 13th of June and the current time is 8:15 AM. So in the second single-value panel, I need to display the result for the 6th of June at 8:15. Here is what I am doing:

`index` sourcetype="system" earliest=-7d@d+7h latest=-7d@d+19h
| bin _time span=15m
| eval time=strftime(_time,"%H:%M")
| stats max(sys_session_count) as session by host time
| stats sum(session) as session by time
| eval current=now()
| bin current span=15m
| eval current=strftime(current,"%H:%M")
| where time=current
| table session time

But I think it's not good because whatever the time is (8:15, 8:30, 8:45...), the results are almost the same. So does anybody have an idea how to answer my need correctly? Thanks
Splunk not receiving data from forwarders. Host OS: Windows Server 2012 R2.
1. Restarting the Splunk forwarder is not working; I get some error messages on the CMD prompt.
2. After re-installing the Splunk forwarder, data starts indexing for a few minutes and then stops again.
3. Checked the Splunk forwarder service; it is in the running state all the time.

Getting the below error (sample part of the error) when restarting the forwarder:

No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_hostservice360-windows_adc_win-x86-64_iis\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_hostservice360-windows_adc_win-x86-64_iis\local\inputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_hostservice360-windows_adc_win-x86-64_iis\local\props.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_infra360host_adc_win-x86-64\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_infra360host_adc_win-x86-64\local\inputs.conf
Invalid key in stanza [WinHostMon://Host OperatingSystem] in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_infra360host_adc_win-x86-64\local\inputs.conf, line 172: showZeroValue (value: 1). Did you mean 'source'? Did you mean 'source type'?
Invalid key in stanza [WinHostMon://Host Processor] in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk-TA-acn_infra360host_adc_win-x86-64\local\inputs.conf, line 179: showZeroValue (value: 1). Did you mean 'source'?
I'm trying to fetch the app's configuration using:

const appNamespace = {
  owner: "admin",
  app: appName,
  sharing: "app"
};
const http = new splunkjs.SplunkWebHttp();
console.log(http);
const service = new splunkjs.Service(http, appNamespace);
console.log(service);
stage = 'Retrieving configurations SDK collection';
const configCollection = service.configurations(appNamespace);
console.log(configCollection);
await configCollection.fetch();   // Adding this line is what's causing the error.

But I'm getting an error of "[SPLUNKD] Action Forbidden" when I look at the browser's console. The app's read permission is set to "Everyone".
How do I push apps and TAs from the deployer server to the SH cluster and then to the indexers?
I have to exclude the ~ character from one of the fields. Below is the example:

field1=C:\program~\test~.txt
May I know how to set how many times a ping must fail or succeed before it sends an alert? Currently I was told that it only pings 1 time in 5 minutes, then it sends out an alert if DOWN, which I think is too short to conclude that the IP is DOWN with a single ping. I want to change it to 5 pings, and only consider the IP DOWN if 100% fail. May I know how to do it?
Hello Team, I am new to Splunk and have a requirement to create a table based on raw data. This is how the data looks in Splunk:

Date  threadId=ABC123   eventType=”InMsg” data=”<rootrq><a>hi</a></rootrq>”
Date  threadId=ABC123   eventType=”thirdPartyReq” data=”<root1req><a>hi</a></root1req>”
Date  threadId=ABC123   eventType=” thirdPartyRes” data=”<root1res><a>hi</a></root1res>”
Date  threadId=ABC123   eventType=”OutMsg” data=”<rootrs><a>hi</a></rootrs>”

and I want to create a table like the one below. Can someone please help? threadId is common for all four records.

index=test | 

date | threadId | InMsg | OutMsg | thirdPartyreq | thirdprtyRes
date | ABC123 | <rootrq><a>hi</a></rootrq> | <rootrs><a>hi</a></rootrs> | <root1req><a>hi</a></root1req> | <root1res><a>hi</a></root1res>
Hello everyone,

I'm looking to make a simple search form with a few text inputs and a drop-down box to search for firewall logs. I would like the output to be shown as events. My company has Palo Alto and Cisco ASA firewalls. All logs are sent to Splunk.

Input text boxes would be:
1.) Source
2.) Destination
3.) Port

Drop-down box would be:
1.) allow
2.) not equal to allow

**For the text inputs I would like all of the fields to be optional in case I don't want to use all 3**

Is there an easy way to accomplish this?

Thank you in advance.
Hello All, I am stuck on one problem and I am not able to find the solution so far, so I need all your expertise to help me out.

My Splunk setup which I have the problem with: Splunk UF --> Splunk HF --> Splunk Cloud

On the Splunk UF, I have an input configured to monitor a file. I am trying to configure SSL for data transfer between the Splunk UF and the Splunk HF. I have placed the Root CA and the server/client certificate in the SPLUNK_HOME/etc/certs directory. Below are my inputs (on the HF) and outputs (on the Splunk UF). For the sslRootCAPath in inputs.conf and outputs.conf, I have been told by my client that even though the names are different (on HF and UF), they are essentially the same.

Inputs.conf (on HF):

[splunktcp-ssl:9997]
#sslPassword = password
disabled = 0
requireClientCert = false
serverCert = /opt/splunk/etc/certs/Cert_HF.pem
sslRootCAPath = /opt/splunk/etc/certs/XXXX_Root_CA.pem

Outputs.conf (on UF):

[tcpout]
defaultGroup=spl_hfs

[tcpout:spl_hfs]
server = INDEXER_1:9997, INDEXER_2:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\certs\Cert_UF.pem
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\certs\XXXX_Root.pem
#sslPassword = password

When I configure the above settings and restart the UF and HF, I see the below error in the HF splunkd.log and none of the data (not even _internal from the UF via the HF) is indexed. I can see that HF to Splunk Cloud communication is working as expected, but my UF to HF connection is throwing the below error.

Error:

ERROR TcpInputProc [1899734 FwdDataReceiverThread] - Message rejected. Received unexpected message of size=369295616 bytes from src=XXXXXX:38998 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

I have tried to look on Google and have even read through the Splunk pages, and tried the configs/changes as suggested, but I am still struggling to find a working solution. Any help in pointing me in the right direction is highly appreciated.

Also, my few other questions are:
1. As my client mentioned that even though the root CA names on the HF (XXXX_Root_CA.pem) and UF (XXXX_Root.pem) are different, they are the same, is there any way/command with which I can confirm whether they are really the same or different?
2. Do we need to have the SAME root CA certificate distributed to the HF and UFs for SSL communication, or can they be different?
3. I have been told that there is no sslPassword attached to the certificates; is there any way/command with which I can confirm this myself rather than taking their word for it?
4. What else can I change/try in the .conf files to see if this SSL config works?

Any replies on my issue are highly appreciated.
Thanks
Vikas
Hi. I have a query A:

index="idx" "*Processed*" | table phoneNumber

and a query B:

index="idx" "*Sent*" | table phoneNumber

I need to get all the phoneNumbers from A which are not in B. How can I build the whole query? Thanks in advance!
Q: How do I detect ransomware using Splunk? Please also give a query to create an alert for ransomware.
I want to save some metadata (the operational history of the alert, beyond the text description) along with the alert as a JSON object in a field. This is from automated pipelines using the SDK (Node.js/Python) and the POST API to Splunk servers.
Hi, I am struggling with the configuration of pxGrid on Splunk for Rapid Threat Containment with ISE. I just installed a new instance of Splunk Enterprise 8.2.6 with the Cisco ISE add-on module 4.1.0. Per the documentation, I should see a Setup action for the ISE add-on, but I don't. Any ideas on what I missed? I installed Splunk on both Ubuntu and Red Hat Linux, went through everything related to certificates, and got stuck when the certificates need to be moved to the correct directory. I have /opt/splunk/etc/apps/Splunk_TA_cisco-ise/ but no /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/. I am missing the bin and certs directories. Do you know what could be causing this? Maybe there is a step-by-step guide on how to do this integration for current versions of Splunk? It must be some minor mistake I'm making. I'm testing it on the trial version of Splunk, but if I understand correctly the trial version has only a time limit, not a functional limit. I would be grateful for any advice.
From this given log:

"SQL:SELECT TABLE_NAME, COLUMN_NAME FROM TABLE_COLUMNS WHERE SCHEMA_NAME = ? AND TABLE_NAME in (?,?,?,?,?,?,?) AND DATA_TYPE_NAME IN ('CLOB', 'NCLOB', 'BLOB')","i":1,"t":250,"slft":250,"st":250,"m":16,"nr":0,"rt":0,"rn":8,"fs":0}

1. I want to extract the entire SQL statements containing the table name "TABLE_COLUMNS".
2. Extract their corresponding numbers for t and slft.
3. Chart on: SQL_STMT | t | slft

I need some help to get this query working:

"SELECT TABLE_NAME, COLUMN_NAME FROM TABLE_COLUMNS WHERE SCHEMA_NAME"
| rex field=_raw "\"SQL:(?P<SQL_stmt>)\s*[FROM TABLE_COLUMNS]\s+\""
| rex field=_raw "SELECT \s* FROM TABLE_COLUMNS \s* ,\"t\":(?P<tvalue>[\d]) "slft":?P<slft_value>\d"
| chart count over by SQL_stmt,tvalue, slft_value
| sort by slft_value desc
Hello, I'm working on showing a panel if the $env:user$ is a match based on a search. The search that I'm using works for this use case:

| rest /services/authentication/current-context splunk_server=local | fields username | rename username AS id

This retrieves the appropriate ID (otherwise, I would just use $env:user$ for conditional visibility, but this never works). With the query result, I set a token envid to $result.id$. I then do a condition match where $envid$==uu_33 (uu_33 represents the user ID required to display a panel). The result of the query is always correct with "uu_33", which matches the condition I have written. I have tried following the Splunk guides, and I have tried the following condition matches:

<condition match="'$envid$'==&quot;uu_33&quot;"> (current)
<condition match="$envid$==&quot;uu_33&quot;">
<condition match="'$envid$'==uu_33">
<condition match="$envid$==uu_33">

Nothing makes the panel show. Here is my XML. Any help would be appreciated.

<dashboard>
  <label>testenvid</label>
  <row>
    <panel>
      <html>
        <b>hi. your current id is $env:user$. The current result is $envid$ is set to be equal to $result.id$.</b>
      </html>
    </panel>
    <panel depends="$showpanel$">
      <table>
        <search>
          <finalized>
            <set token="envid">$result.id$</set>
          </finalized>
          <done>
            <condition match="'$envid$'==&quot;uu_33&quot;">
              <set token="showpanel">TRUE</set>
            </condition>
          </done>
          <query>| rest /services/authentication/current-context splunk_server=local | fields username | rename username AS id</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
Hello, I have a HEC with events like the following:

{
  "Log": {
    "Status": "Ordered",
    "Platform": {
      "A": {
        "Tracking": {"Field1": "Value1", "Field2": "Value2"}
      }
    }
  }
}

When I run the query

index="my_index" AND Log.Status="Ordered" | table Log.Status Log.Platform.A.Tracking

I get all the data for Status. However, my requirement is to have the JSON object Log.Platform.A.Tracking in string format, i.e. the JSON as a string. How can I achieve this?
Hi Experts, I am unable to install splunkforwarder-8.2.2-87344edfcdb4-x64-release.msi on Windows Server 2012 R2. Getting "UF Setup Wizard ended prematurely".

Any help much appreciated!

splunk.log file content (sharing some of the last lines):

Splunk> The IT Search Engine.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking kvstore port [8191]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\SplunkUniversalForwarder\splunkforwarder-8.2.2-87344edfcdb4-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
SplunkForwarder: Starting (pid 13848)
Timed out waiting for splunkd to start.
8:17:18 AM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd uninstall >> "C:\Users\asharma\AppData\Local\Temp\splunk.log" 2>&1"
Removing service SplunkForwarder
Service removed
Disabled.
8:17:19 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\SplunkMonitorNoHandleDrv.inf >> "C:\Users\asharma\AppData\Local\Temp\splunk.log" 2>&1"
8:17:20 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splknetdrv.inf >> "C:\Users\asharma\AppData\Local\Temp\splunk.log" 2>&1"
8:17:21 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf >> "C:\Users\asharma\AppData\Local\Temp\splunk.log" 2>&1"
Hi,

I need help with the below query search. Below are the sample logs.

Logs:
Conatainer: dev_test_cluster
CountRequired: 2
CountRunning: 1
FunctionName: dev_dd_app

I need to write a query to compare the CountRequired and CountRunning values and show details when CountRunning is less than CountRequired. Appreciate the help.
Hi Splunk Masters,

Currently stumped and couldn't find the solution through the forums. I have to chart the values from this particular column that has 50 different instances that change per different input in the dropdown (kindly refer to the code and screenshots for reference). Currently searching for a way to rename the values in the legend so that I could pass them in a drilldown to another dashboard. Is there a way to do it for the single column?

<edit> I would want either to rename it or to add the four (4) alphanumeric characters from the dropdown plus a <space>, < - >, and <space> before the series names. For example, when the user selects D7X0, the output on the right is what the search would produce and the one on the left is my desired outcome:

BATPLOW    D7X0 - BATPLOW
BATTLOW    D7X0 - BATTLOW
D7X0WGHT   D7X0 - D7X0WGHT
DDFTMED    D7X0 - DDFTMED
MQDFLT     D7X0 - MQDFLT
STCHI      D7X0 - STCHI
STCLOW     D7X0 - STCLOW
SYSSTC     D7X0 - SYSSTC
SYSTEM     D7X0 - SYSTEM
TSOMED     D7X0 - TSOMED
OTHER      D7X0 - OTHER
</edit>

Thanks

<form theme="dark">
  <label>CSC/ERSC/PSI_SRVCLASS_Report</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="lpar">
      <label>Select to View</label>
      <choice value="-LPAR-">-LPAR-</choice>
      <choice value="D7X0">D7X0</choice>
      <choice value="H7X0">H7X0</choice>
      <choice value="D1D0">D1D0</choice>
      <choice value="DAD0">DAD0</choice>
      <choice value="E1D0">E1D0</choice>
      <choice value="H1D0">H1D0</choice>
      <choice value="WSYS">WSYS</choice>
      <choice value="YSYS">YSYS</choice>
      <default>-LPAR-</default>
    </input>
    <input type="text" token="from">
      <label>From MM/DD/YYYY</label>
      <default>01/01/2022</default>
    </input>
    <input type="text" token="to">
      <label>To MM/DD/YYYY</label>
      <default>01/31/2022</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$lpar$ $from$ $to$</title>
      <chart>
        <title>Shows the Average of each Service Class</title>
        <search>
          <query>index=mainframe-platform sourcetype="mainframe:serviceclass" MVS_SYSTEM_ID=$lpar$
| eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
| eval _time=strptime(DATE." ","%Y-%m-%d")
| where _time &gt;= strptime("$from$", "%m/%d/%Y") AND _time &lt;= strptime("$to$", "%m/%d/%Y")
| chart avg(MIPS_UTIL) over DATE by SRVCLASS</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
        <option name="charting.axisLabelsY.majorUnit">200</option>
        <option name="charting.axisTitleX.text">Dates</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">D7X0WGHT,H7X0WGHT,D1D0WGHT,DAD0WGHT,E1D0WGHT,H1D0WGHT,WSYSWGHT,YSYSWGHT</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">top</option>
        <option name="height">468</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
I'm not sure if this is the correct board. We run Splunk 8.2.1 on Linux. Lately a number of our domain users have been logging in via MFA to Azure. These are domain users logging in using domain credentials, but the logon is never recorded in the domain controller logs, and as a result it's not seen in the Splunk reports. I have not been able to get much info from the Azure folks. I'm told that Azure, although it verifies the credentials, does not close the loop back to the domain controller. No solution is offered. I have to believe there is more to the story. Has anyone encountered this issue?