I have an existing add-on app. I need to add a new field in the configuration section in Add Account (please check the attached screenshot). The field should be of type radio select. Based on the selected option, I need to make different API calls to pull the data. I tried adding a new field in globalConfig.json, deleted the existing app, created a tar.gz of the updated app and installed it, and restarted Splunk, but I don't see the new field in the UI. Could you please suggest what's wrong here? Also, if there is a better way to modify the UI and Python code, kindly suggest it.
Hello, I have a search (timechart) with a dynamic span (minspan=1h). Is there a way (a token?) to get the span used, so that I can use it in a drilldown? Thanks
Hi Splunkers, I was wondering if this is possible with the tstats command: get a dynamic value from a savedsearch result or lookup? The savedsearch or lookup is updated every hour.
| tstats max(_time) as last_updated WHERE index=* BY index, host
To avoid the wildcard, I was thinking it would be efficient if that were possible. Appreciate any response. Thanks!
Hi All, I'm trying to extract the username from the _raw field using regex. How do I extract the username? The username comes after some parameters; the parameters look like (\"requestParameters\": {\"userName\": <username>)
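As an added example (not from the post), here is the same extraction done in Python over constructed sample lines in the shape the post describes: a JSON document embedded in _raw with its double quotes backslash-escaped. The regex carries over to rex unchanged apart from the named-group syntax, which in rex is (?<userName>...). The second function shows the more robust route of unescaping and parsing the embedded JSON instead of pattern-matching it. Every field other than requestParameters and userName (eventTime, payload, eventName, mfaUsed) is an assumption made for the sample.

```python
import json
import re

# Constructed sample events in the shape the post describes: an escaped JSON
# document embedded in _raw, so every JSON quote appears as \" in the raw text.
SAMPLE_RAW = (
    'eventTime=2022-05-01T10:00:00Z payload="{\\"eventName\\": \\"ConsoleLogin\\", '
    '\\"requestParameters\\": {\\"userName\\": \\"jdoe\\", \\"mfaUsed\\": \\"Yes\\"}}"'
)
# Same shape, but userName is not the first key inside requestParameters.
SAMPLE_RAW_REORDERED = (
    'eventTime=2022-05-01T10:05:00Z payload="{\\"eventName\\": \\"ConsoleLogin\\", '
    '\\"requestParameters\\": {\\"mfaUsed\\": \\"No\\", \\"userName\\": \\"asmith\\"}}"'
)

# \\? makes each quote optionally preceded by a backslash, so the one pattern
# matches escaped (\") and plain (") JSON.  [^}]*? skips other keys inside the
# requestParameters object without running past its closing brace, and the
# capture stops at the first quote or backslash, so an escaped value cannot
# swallow the rest of the line.
USERNAME_RE = re.compile(
    r'\\?"requestParameters\\?"\s*:\s*\{[^}]*?'
    r'\\?"userName\\?"\s*:\s*\\?"(?P<userName>[^"\\]+)'
)


def extract_username(raw: str):
    """Regex route: mirrors what rex would do on _raw. Returns None if absent."""
    m = USERNAME_RE.search(raw)
    return m.group("userName") if m else None


def extract_username_json(raw: str):
    """Parser route: unescape the embedded document and walk it as JSON.

    More robust than a regex when key order or whitespace varies, at the cost
    of needing the whole JSON object to be present and well-formed.
    """
    start, end = raw.find("{"), raw.rfind("}")
    if start == -1 or end == -1 or end < start:
        return None
    try:
        doc = json.loads(raw[start:end + 1].replace('\\"', '"'))
    except json.JSONDecodeError:
        return None
    params = doc.get("requestParameters")
    return params.get("userName") if isinstance(params, dict) else None


if __name__ == "__main__":
    for line in (SAMPLE_RAW, SAMPLE_RAW_REORDERED):
        print(extract_username(line), extract_username_json(line))
```

The regex is the quick answer for a rex field extraction; the JSON route is the one to prefer if the value will feed an access-control or alerting decision, because a regex that stops at the first quote can be fooled by a userName containing an escaped quote, while a parser sees the real string.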
Hello, I'm trying to use ldapfilter to add some info to events I collect from MS Exchange, but as soon as my ldapfilter query is dynamic (makes use of $field$) it does not return anything. My initial search looks like this:
index=Exchange Mailboxes=* | rex "'?S:Mailboxes=(?<SMailboxes>[^']+)'?;'?S:StoreObjectIds" | makemv SMailboxes delim=";" | mvexpand SMailboxes| top SMailboxes limit=50 | rex field=SMailboxes "(?<m1>..)(?<m2>..)(?<m3>..)(?<m4>..)-(?<m5>..)(?<m6>..)-(?<m7>..)(?<m8>..)-(?<m9>..)(?<m10>..)-(?<m11>..)(?<m12>..)(?<m13>..)(?<m14>..)(?<m15>..)(?<m16>..)" | eval conv="\\\\" . m4 . "\\\\" . m3 . "\\\\" . m2 . "\\\\" . m1 . "\\\\" . m6 . "\\\\" . m5 . "\\\\" . m8 . "\\\\" . m7 . "\\\\" . m9 . "\\\\" . m10 . "\\\\" . m11 . "\\\\" . m12 . "\\\\" . m13 . "\\\\" . m14 . "\\\\" . m15 . "\\\\" . m16 | table SMailboxes,conv
And the result looks like this:
SMailboxes conv
7409c768-ed1b-45dd-8d5d-d36e65af77c1 \\68\\c7\\09\\74\\1b\\ed\\dd\\45\\8d\\5d\\d3\\6e\\65\\af\\77\\c1
All good. Things go wrong when I add ldapfilter:
index=Exchange Mailboxes=* | rex "'?S:Mailboxes=(?<SMailboxes>[^']+)'?;'?S:StoreObjectIds" | makemv SMailboxes delim=";" | mvexpand SMailboxes| top SMailboxes limit=50 | rex field=SMailboxes "(?<m1>..)(?<m2>..)(?<m3>..)(?<m4>..)-(?<m5>..)(?<m6>..)-(?<m7>..)(?<m8>..)-(?<m9>..)(?<m10>..)-(?<m11>..)(?<m12>..)(?<m13>..)(?<m14>..)(?<m15>..)(?<m16>..)" | eval conv="\\\\" . m4 . "\\\\" . m3 . "\\\\" . m2 . "\\\\" . m1 . "\\\\" . m6 . "\\\\" . m5 . "\\\\" . m8 . "\\\\" . m7 . "\\\\" . m9 . "\\\\" . m10 . "\\\\" . m11 . "\\\\" . m12 . "\\\\" . m13 . "\\\\" . m14 . "\\\\" . m15 . "\\\\" . m16 | table SMailboxes,conv | ldapfilter debug=true domain="default" basedn="..." search="(msExchMailboxGuid=$conv$)" attrs="name"
-> the result is empty. In the ldapfilter, if I replace "$conv$" with "\\68\\c7\\09\\74\\1b\\ed\\dd\\45\\8d\\5d\\d3\\6e\\65\\af\\77\\c1" then the query works and the attribute "name" is properly returned and added to the table.
How can I make things work with $conv$ in order to have proper results (and not the same static "name" for every event)? I've tried so many combinations: from 1 to 4 \, with or without quotes/single quotes, making $conv$ the whole "search" value, etc. Nothing works.
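Added example, not from the post: the GUID-to-msExchMailboxGuid conversion done in Python on the sample GUID shown above. Active Directory stores a GUID as the Windows GUID structure, whose first three fields are little-endian, which is why the first three dash-separated groups are byte-reversed in the working filter value while the last two are not; uuid.UUID(...).bytes_le produces exactly that layout, so the sixteen-group rex and the long eval reduce to one conversion. The block also carries an RFC 4515 escaper, because any event-derived string dropped into search= is untrusted input inside filter syntax, and a reverse function for checking what an existing filter value targets. It says nothing about how ldapfilter substitutes $conv$; it only shows how to produce and validate the value.

```python
import re
import uuid

# Constructed sample: the mailbox GUID from the post above, and the filter
# value that the post reports works when pasted in statically.
SAMPLE_GUID = "7409c768-ed1b-45dd-8d5d-d36e65af77c1"
EXPECTED_FILTER_VALUE = "\\68\\c7\\09\\74\\1b\\ed\\dd\\45\\8d\\5d\\d3\\6e\\65\\af\\77\\c1"


def guid_to_ldap_bytes(guid_text: str) -> str:
    """Encode a textual GUID as the byte-escaped value AD expects in a filter.

    AD stores GUIDs as the Windows GUID structure: the first three fields are
    little-endian, the last eight bytes are stored as written.  uuid.bytes_le
    yields exactly that byte order, and each byte is emitted as \\xx, the
    RFC 4515 escape for a raw octet.  uuid.UUID() raises ValueError on anything
    that is not a GUID, which doubles as input validation before the value is
    interpolated into filter syntax.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return "".join(f"\\{b:02x}" for b in raw)


def build_mailbox_filter(guid_text: str) -> str:
    """Full filter for the search= argument, e.g. (msExchMailboxGuid=\\68\\c7...)."""
    return f"(msExchMailboxGuid={guid_to_ldap_bytes(guid_text)})"


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping for a string value interpolated into a filter.

    Needed for any other event-derived field (a name, a mail address) that is
    dropped into a filter: an unescaped '*', '(', ')' or backslash changes the
    meaning of the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in '*()\\' or ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def ldap_bytes_to_guid(filter_value: str) -> str:
    """Inverse of guid_to_ldap_bytes: recover the textual GUID from \\xx bytes."""
    raw = bytes(int(h, 16) for h in re.findall(r"\\([0-9a-fA-F]{2})", filter_value))
    return str(uuid.UUID(bytes_le=raw))


if __name__ == "__main__":
    print(build_mailbox_filter(SAMPLE_GUID))
    print(ldap_bytes_to_guid(EXPECTED_FILTER_VALUE))
```

Running the block prints the same (msExchMailboxGuid=\68\c7...) value the post found working by hand, and round-trips it back to the original GUID. The ValueError from uuid.UUID is the useful part for a pipeline that builds filters from event data: a malformed or hostile SMailboxes value never reaches the directory as filter text.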
I recently upgraded the estreamer addon from version 3.0.0 to 5.1.0 on our Splunk Heavy Forwarder. Since there were no specific upgrade steps mentioned for going from the old version to the latest, I installed the addon over the existing one. However, after installing the new addon, we stopped receiving logs from IPS and got the error below when I ran the following command:
/opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh test
ERROR below
Traceback (most recent call last):
  File "./estreamer/preflight.py", line 34, in <module>
    import estreamer.crossprocesslogging
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/__init__.py", line 28, in <module>
    from estreamer.connection import Connection
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 23, in <module>
    import ssl
  File "/opt/splunk/lib/python3.7/ssl.py", line 98, in <module>
    import _ssl # if we can't import it, let the error propagate
ImportError: /opt/splunk/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so: undefined symbol: SSL_CTX_get0_param
Here is what is on Splunkbase (maybe others, too): Umbrella Add-on for Splunk Enterprise: https://apps.splunk.com/app/3629/ (also on GitHub) Cisco Umbrella Add-On for Splunk: https://splunkbase.splunk.com/app/3926/ Cisco Umbrella Investigate Add-on: https://splunkbase.splunk.com/app/3324/ (https://developer.cisco.com/docs/cloud-security/#!umbrella-investigate-add-on-for-splunk/set-up-credentials) Cisco Cloud Security Umbrella Add-on for Splunk: https://splunkbase.splunk.com/app/5557/ There is clearly a great deal of duplication and I am VERY confused about what is what and which to use. There are at least 2 things to be done: 1: Data Input: Pull in security events. 2: Ad-Hoc Lookup: Enrich Splunk events with threat detail. I am hoping for 2 kinds of help: 1: A suggestion on which apps to use. 2: Step-by-step details on how to set each up.
Hi There, how do I show only the US on the choropleth map for the dashboard? That is, the dashboard panel should have two views: one US view and one world view. I know we can zoom in and out, but you'd have to do that each time you load the dashboard for the US-related view. Appreciate the help.
Hi, I am trying to build a multi-input textbox dashboard based on a KV store lookup. My query is like this:
| inputlookup <some-host-detail-kvlookup> | search $computer_name$ OR $computer_number$ OR $computer_id$ | fields computerName computerNumber ComputerId ...
Each token has a prefix, i.e. <fieldName> = (which is the column header field in the lookup), and each token also has an initial value of null, thus the query runs like this:
| search computerName=null OR computerNumber=null OR ComputerId=null
| search computerName=FOO OR computerNumber=null OR ComputerId=null
As you can see, setting the <fieldName> to null allows the search to run without breaking, but after a user enters FOO for the computerName value, they need to reset the blank search inputs back to null. Otherwise, if a blank is passed like
| search computerName= OR computerNumber=null OR ComputerId=null
the search breaks. Any suggestions on how to ignore the empty inputs, or a way to reset the initial values to null again, are greatly appreciated. Or if anyone has a suggestion for doing this another way, I would very much like to hear it. Thank you
Hi guys, I'm a Splunk beginner and I'm having some trouble making a specific query. I have a health check log, and I want to know how many times the user restarts my app. The first health check log is when the user logs in for the first time, and the following ones are the times the user restarts my app. This is my current query:
index=myIndex Title=Healthcheck | stats count by Data.Ip
With the result of this query I have the total number of times the user opened my app, but I want to subtract just 1 from the count for each user.
Current result:
Data.IP count
4.21.28.39 5
21.224.60.37 3
Expected result:
Data.IP count
4.21.28.39 4
21.224.60.37 2
I'm in a situation where, by sourcetype, I already have a nested JSON array broken into 2 fields: DeviceProperties{}.Name and DeviceProperties{}.Value. There are 16 elements in each array. I'm trying to simply create a field whose name is the value of the second element in DeviceProperties{}.Name and whose value is the value of the second element in DeviceProperties{}.Value. In this scenario I think I can get away with just creating a field from DeviceProperties{1}.Value, but I haven't been successful in doing that. I've tried using the json_extract function, but I think I am getting the syntax wrong, and I haven't found any examples yet that cover this exact scenario where the JSON array was already created as a multivalue field.
I tried looking around to see if anyone else has encountered the same issue as me and I couldn't find anything. On Splunk Cloud, when I attempt to install an app from the "Browse More Apps" page, it pops up the login for half a second and then refreshes the page to a specific keyword search. I have tried in two different browsers and have experienced the same behavior. I am not sure what to do, as I need to install apps and can't. Any help is appreciated.
Hello, I have a requirement to populate the "Time2" time picker automatically based on the selection in the "Time1" time picker. The "Time2" time picker should be = Time1 - 1 day. For example, if I choose Today in Time1 then Time2 should be automatically populated as "Last 1 day". If I choose Yesterday in Time1 then Time2 should be automatically populated as "Last 2 days" (starting from 12:00 AM the day before yesterday till the end of yesterday). @bowesmana
Hi, I need to extract only the name values (the first word, e.g. james) from the Name field below. I tried rex field=Name mode=sed "s/\W+\s\w.*//g" but it is not working.
Name: james buildingA jack buildingB firstfloor
Can you please help me with this?
Hello, I'm trying to pull the final value for a product name. In a single event, we make multiple calls to an API for the product name, and the product may change with each API call. I'm trying to build out a table for the final product name (the field doesn't change), but can't figure out what command to use. Here's what I have so far:
index=conversation crm_accounts_phone__product_name=* | rename crm_accounts_phone__product_name as product | stats latest(product) | table product
Appreciate any help!
Hey Splunkers! Here’s your monthly Splunk Lantern update highlighting some of the top content we’ve published over the past month. Splunk Lantern is a self-help adoption resource hub providing step-by-step, business outcome-oriented guidance to help you achieve key security and observability use cases. We also host Getting Started Guides for a range of Splunk products, a library of Product Tips, and Data Descriptor articles which help you see everything that’s possible with data sources and data types in Splunk. Here’s a full breakdown of everything we’ve published in the past month.

New Data Articles
This month we’ve added a number of new articles focusing on Blockchain data, thanks to a new collaboration with Splunk’s blockchain team. Our new Blockchain data page provides a complete rundown of the different ways you can work with blockchain data in Splunk. It contains a number of Getting Started guides for Splunk apps and connectors that help you ingest blockchain data, such as The Splunk App for ConsenSys Quorum. These guides walk you through everything you’ll need to know to get these configured, helping you gain visibility and monitoring of the blockchain and take advantage of pre-built dashboards and analytics. We’ve also added some specific blockchain data sources, like our new page for Hyperledger Fabric, which contain step-by-steps for the configuration of these data sources plus links to use cases you can accomplish once you’ve got this data source ingested into your Splunk environment.

New Observability Articles
We’ve published several articles that, together, demonstrate a best-practice AIOps workflow. They explain how events and alerts from products across Splunk Observability Cloud can be grouped into ITSI episodes, with notifications then going to the team responsible for remediation.
The articles should be viewed in sequence and feature several step-by-step videos, with an example organization used to show how you can set up the same workflow within your environment.
Integrating Observability Cloud Alerts with IT Service Intelligence (ITSI)
Normalizing Observability Cloud alerts into the ITSI Universal Alert Schema
Configuring ITSI correlation searches to create notable events
Configuring the ITSI Notable Event Aggregation Policy (NEAP)
Configuring ITSI correlation searches for monitoring episodes
Configuring action rules in ITSI's Notable Event Aggregation Policy (NEAP) for Splunk OnCall Integration
We’ve published a couple of interesting Synthetics articles to show you how to set up checks for issues that can commonly impact the customer experience, helping you proactively resolve these issues before customers are impacted. Identifying and responding to website availability issues and Identifying service degradation issues from code changes contain videos that show you how to create these checks.
Several other new observability articles have also been published this month:
Detecting changes to Windows user groups
Investigating user login issues and account lockouts
Responding to microservice code releases using DevOps canary or blue/green deployment methodologies
Using Azure DevOps integrations for Events and Alerting

New Security Articles
We’ve added several new Security articles this month with helpful guidance across the Splunk Security product suite. We’ve added to our library of SOAR-specific articles with Managing cases in SOAR and Responding to security incidents using SOAR, both of which demonstrate ways that SOAR can help you refine processes and cut down on MTTR.
If you’re interested in assessing compliance using Splunk products then we’ve got a host of new articles you might find interesting:
Using Splunk Enterprise Security to ensure PCI compliance
Using Splunk Enterprise Security to ensure GDPR compliance
Detecting Personally Identifiable Information (PII) in log data
Detecting non-privileged user accounts conducting privileged actions
Other articles we’ve published this month include:
Getting Started with Splunk Security Essentials for Security Use Cases
Onboarding data to Splunk Enterprise Security
Using the MITRE ATT&CK framework in Splunk Enterprise Security

Tell us how Splunk Lantern can help!
We’re looking to get your ideas on the type of content you’d like to see on Lantern in the future. Splunk Lantern will be at .conf22 and if you’ll be there too, we want to meet you and hear what you think! There will be a Lantern high-top table throughout the event near the "Ask the Experts" section and you can come talk to us directly about how our site helps you and what we can improve on. If you won’t be at .conf, we still want to hear from you! Click through to one or more of the following anonymous surveys to tell us what you want to see more content on:
Share your Security ideas
Share your Observability ideas
Share your product ideas
We hope you’ve found this update helpful. Thanks for reading!
— Kaye Chapman, Customer Journey Content Curator
According to this article, Basic Authentication Deprecation, MS is moving to modern authentication in October 2022. As of now, the only authentication method allowed in the app is basic. I see here https://splunkbase.splunk.com/app/3720/ that they will update the app. Does anyone know an ETA for that? What I'm driving at is, I'd like to see the ability to switch between auth methods before basic auth gets deprecated by MS.
Invalid earliest_time error on PDF. XML tags in the source:
<earliest>-4h@h</earliest> <latest>now</latest>
I was trying to figure out how this would work but was having a little trouble. I was thinking that using logic similar to what was shown here would work, but I wanted to clarify whether this is the right track: Solved: Adding tooltip to panel on a hover - Splunk Community