I have created a query similar to the below:

```
host=nftHost index=paymeNow source="\\\\epamjhost\Logs\*"
| rex "(Message content+\s+:+\s+|\[Handling message+\s+:+\s+|\[Handling command of type CheckCommand:+\s+)(?<json>\{.*)"
| spath input=json
| table _time, MessageTypeDesc, CurrentState, CaseId, TaskType, Attributes{}.AttributeName, Attributes{}.JsonValue, _raw
```

The below JSON is obtained from the rex expression, and spath is used to parse it.

```json
{
  "TaskId": "1",
  "CurrentState": "COMPLETED",
  "RequestedAction": null,
  "User": "NFTPAYME",
  "Attributes": [
    { "AttributeName": "transactionId",  "AttributeType": "int",     "JsonValue": "4" },
    { "AttributeName": "Enabled",        "AttributeType": "boolean", "JsonValue": "false" },
    { "AttributeName": "holdType",       "AttributeType": "string",  "JsonValue": "" },
    { "AttributeName": "isSettlement",   "AttributeType": "boolean", "JsonValue": "false" },
    { "AttributeName": "isIntraday",     "AttributeType": "boolean", "JsonValue": "false" },
    { "AttributeName": "isReleaseReady", "AttributeType": "boolean", "JsonValue": "false" },
    { "AttributeName": "isStat",         "AttributeType": "boolean", "JsonValue": "false" },
    { "AttributeName": "StatusList",     "AttributeType": "string",  "JsonValue": "" }
  ],
  "TaskType": "Settle",
  "CaseId": "1"
}
```

Attributes contains an array of objects, so my question is: how do I take the attributes and create a single string from the whole array? The output I am after looks like this:

```
_time | MessageTypeDesc | CurrentState | CaseId | TaskType | Attributes                                                     | _raw
      |                 |              |        |          | transactionId:4 Enabled:true holdType: isSettlement:false ...  |
```
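One way to collapse the Attributes array into a single name:value string, added here as an example rather than taken from the post or from any answer on the page. It reuses the poster's own base search and rex, and assumes the json field holds exactly the object shown above; event_id, attr, name, value and pair are working field names chosen for this example.

```spl
host=nftHost index=paymeNow source="\\\\epamjhost\Logs\*"
| rex "(Message content+\s+:+\s+|\[Handling message+\s+:+\s+|\[Handling command of type CheckCommand:+\s+)(?<json>\{.*)"
| spath input=json
| streamstats count as event_id
| spath input=json path=Attributes{} output=attr
| mvexpand attr
| spath input=attr path=AttributeName output=name
| spath input=attr path=JsonValue output=value
| eval pair=name.":".coalesce(value, "")
| stats first(_time) as _time
        first(MessageTypeDesc) as MessageTypeDesc
        first(CurrentState) as CurrentState
        first(CaseId) as CaseId
        first(TaskType) as TaskType
        list(pair) as pairs
        first(_raw) as _raw
        by event_id
| eval Attributes=mvjoin(pairs, " ")
| table _time MessageTypeDesc CurrentState CaseId TaskType Attributes _raw
```

streamstats tags every event with a unique event_id before mvexpand splits it into one row per array element, so the stats at the end can regroup the rows by event rather than by timestamp (two events sharing a second would otherwise be merged). list() keeps the elements in their original order, unlike values(). The shorter mvzip('Attributes{}.AttributeName', 'Attributes{}.JsonValue', ":") followed by mvjoin is tempting, but it misaligns names and values whenever an element is missing or empty (as holdType and StatusList are here), because a multivalue field carries no empty slots; expanding each object separately and coalescing the value avoids that.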
I have Power-user access only. I have a Splunk query and I enabled an alert as a Notable Event. I also received the notable events in ES --> Incident Review. But I am not getting the search query's results in my notable events; I am only getting the alert name. The search results of the query are not received in the notable events. I want to get all of the query's search results in the notable events. Please help.

[Screenshot: Received Notable Event with no information]

[Screenshot: Actual Query's Search Result]
Server running Ubuntu 20.04. Splunk Enterprise 8.2.4. Splunk Add-on for Java Management Extensions: 5.2.2.

I have configured it to use a custom script. Example output of the script:

```
splunk_user@server$ mocjmxpids.sh
3267,PROD_process1
2341258,PROD_process2
```

What happens when searching the index is that the field jvmDescription is correctly filled in with the PID and process name starting from process2 onwards. Process1 is not found and has the server name as its jvmDescription. The data from the JMX is read, however, so the add-on is attaching to the JVM, just not setting the correct name in jvmDescription. I honestly don't see what is going wrong. The same shell is being used for the user, and there are no weird whitespaces that I can see.

I have had other issues with the app, though, in the sense that the GUI creates a jmx_servers.conf that is invalid. When selecting customscript, it still creates a pidcommand setting in the file and violates the XML, so I had to manually rectify the config there already. This is on multiple servers, so I'm wondering whether there is more that is bugged in this version.
The following search does not work after upgrading Splunk from 8.0.6 to 8.2.5:

```
timechart [stats count | eval app=$A$ | eval search=case(app=="*","span=30m count by B",app!="*","span=30m count by C")]
```
Hello, everyone! During a search I got a table like this:

```
time      host   user     action   result
12:24:06  host1  Alex     action1  success
12:48:32  host2  Michael  action2  fail
```

I have a lookup, users.csv, which looks like this:

```
host   user
host1  Alex
host2  George
```

I want to compare my table with the lookup and, if host and user match, return my table (time, host, user, action, result). So in this example I want to get the following results table:

```
time      host   user  action   result
12:24:06  host1  Alex  action1  success
```

(because in the second line the user does not match). Thank you in advance.
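An example of keeping only the rows whose host and user pair also appears in the lookup, added here and not taken from the post. It assumes users.csv has been uploaded as a lookup table file with exactly the host and user columns shown; the base search is a placeholder and matched_user is a working field name chosen for this example.

```spl
index=your_index sourcetype=your_sourcetype
| lookup users.csv host user OUTPUT user as matched_user
| where isnotnull(matched_user)
| fields - matched_user
| table time host user action result
```

Giving lookup both host and user as input fields makes the match an AND on the pair, so host2/Michael does not match the host2/George row. Pulling user back out under a different name turns the lookup into a membership test: the field is null whenever no row matched, and the where clause drops those events. The alternative `| search [| inputlookup users.csv | fields host user]` generates the same pair filter as a subsearch, but subsearches are capped at 10,000 results by default, so the lookup form is the one that scales. Lookup matching is case-sensitive unless the lookup definition says otherwise, so "alex" would not match "Alex".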
I have some Threat Intelligence data that have use cases applied to them, but I'm trying to filter out blocked events. For example, say an asset was attempting to communicate with a malicious site and it was blocked by the proxy or firewall. Do I tune the use-case search itself or modify the Threat Intelligence data model? All suggestions are appreciated.
Hello. Does Splunk use in-memory technology? Big data systems use in-memory technology across the platform (data collection/transmission, storage, retrieval, etc.), and I wonder whether in-memory technology is applied in Splunk. If it has in-memory technology, was it developed by Splunk itself, or was open source used? If you have any material to refer to, please share it with us.
Hi all, may I know the difference between the average response time next to the tier icon in the flow map and the average response time in the popup view when I click on the tier icon? Thanks.
Hello! I'm trying to push alerts into Swimlane using the Swimlane add-on. I've given full global permissions to the saved alert. There are 101 events to push, but they aren't getting pushed into Swimlane. Please find the logs below:

```
04-13-2022 10:50:57.393 +0200 ERROR SearchScheduler - Error in 'sendalert' command: Alert script returned error code 1., search='sendalert push_alerts_to_swimlane results_file="/opt/splunk/var/run/splunk/dispatch/scheduler_c3Jpa2FhbnRoLmFtcnV0aGEub3B0aXY_emZfY29ycmVsYXRpb25zX2ZpcmVleWU__RMD58b260abcef59878b_at_1649839800_2808/per_result_alert/tmp_16.csv.gz" results_link="https://mycompanyabcd.com/app/xxx_correlations_fireeye/search?q=%7Cloadjob%20scheduler_c3Jpa2FhbnRoLmFtcnV0aGEub3B0aXY_emZfY29ycmVsYXRpb25zX2ZpcmVleWU__RMD58b260abcef59878b_at_1649839800_2808%20%7C%20head%2017%20%7C%20tail%201&earliest=0&latest=now"'
04-13-2022 10:50:57.393 +0200 WARN sendmodalert - action=push_alerts_to_swimlane - Alert action script returned error code=1
```

Any advice appreciated. Thanks!
```
index=app1 [search index=app1 "orderid" | fields id]
```

How do I modify the above query so that the query `search index=app1 "orderid" | fields id` is run and its first event's time and last event's time are taken as the earliest and latest time, respectively, for the query `index=app1`? It would look something like

```
index=app1 earliest=x latest=y [search index=app1 "orderid" | fields id]
```

where the values x and y are the first and last event's datetime from the query `search index=app1 "orderid" | fields id`. Thank you.
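An example of deriving the outer time range from the "orderid" events, added here and not part of the post. It assumes the same index and id field as the question; nothing else is introduced.

```spl
index=app1
    [search index=app1 "orderid"
     | stats min(_time) as earliest, max(_time) as latest
     | eval latest=latest+1
     | fields earliest latest]
    [search index=app1 "orderid" | fields id]
```

A subsearch that returns fields named earliest and latest is expanded into `earliest=<epoch> latest=<epoch>` in the outer search, and Splunk honours those as time modifiers, so the first subsearch sets the window while the second supplies the id filter exactly as before. latest is exclusive, so one second is added to keep the last "orderid" event inside the window. Both subsearches still run within the time picker's range, so the outer window can only ever be a subset of what the picker allows; widen the picker (or set earliest/latest explicitly inside the subsearch) if the orderid events fall outside it.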
When searching with the criteria

```
earliest="07/04/2021:09:48:00" latest="07/04/2021:09:48:59"
```

the search uses my local timezone of AEST and the format %m/%d/%Y:%H:%M:%S. How do I force the above to use the UTC timezone instead as the criteria, and also the format "yyyy-mm-ddThh:mm:ss.SSSZ"? Thank you.
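The earliest and latest modifiers always interpret their string argument in the searching user's timezone and accept only the %m/%d/%Y:%H:%M:%S layout, so the timezone has to be fixed before the value reaches them. The example below, added here and not from the post, does that by parsing an ISO 8601 timestamp with an explicit offset into epoch seconds inside a subsearch; the index is a placeholder and the timestamps are the ones from the question.

```spl
index=your_index
    [| makeresults
     | eval earliest=strptime("2021-07-04T09:48:00.000+0000", "%Y-%m-%dT%H:%M:%S.%3N%z"),
            latest=strptime("2021-07-04T09:48:59.999+0000", "%Y-%m-%dT%H:%M:%S.%3N%z")
     | fields earliest latest]
```

strptime with %z converts the string to epoch using the offset written in the string rather than the user's timezone, and epoch values passed through the earliest/latest subsearch fields are timezone-free, so the window is the same whoever runs the search. The offset is written as +0000 rather than a literal Z because a numeric offset is the form %z is certain to parse. Note that latest is exclusive, which is why the example ends at 09:48:59.999 rather than 09:48:59.000.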
I am currently running an on-prem Splunk installation and am trying to figure out the best approach for ingesting data from our VMware environment. Currently I've got just a very basic setup, with syslogs from my ESXi hosts and vCenter going to a syslog server and monitored by a universal forwarder on the syslog server for forwarding to my indexers. That all works reasonably well; however, I would like to be able to use some pre-developed dashboards. I have noted that there are a number of VMware add-ons that can be used. Also, we are looking to move towards ITSI in the near future, so I would like to amend the way I ingest VMware data so that it is compatible with this.

At a fundamental level, I think I'm struggling to understand the difference between "Splunk Add-on for VMware" and "Splunk Add-on for VMware Metrics". Is there a reason why I would pick one of these over the other (or do you normally install both)?
Hi, I have a dashboard with a number of panels. However, some panels use the final answers from other panels as inputs for their own calculations. As a result, I find myself reusing a lot of the existing queries across a number of panels. Is there a more inheritable way to pass output (be it a number) from one panel and make it accessible on another panel? Would tokens be an option, or a global variable? Thanks, Patrick
We set up splunkd to autostart using systemd (https://docs.splunk.com/Documentation/Splunk/latest/Admin/RunSplunkassystemdservice), but when the Linux server reboots we do not see splunkd starting; we have to start it manually.
I have correlation searches in ES that are not generating notable events as they should. When I click on Content Management and find a search that isn't working, it shows a green check mark next to the index but a red exclamation mark next to the sourcetype, saying that there have been no events in that sourcetype for the last 24 hours. I want to know whether this is the cause of my issue and what I can do to troubleshoot it. I see there are events in the sourcetype/index specified, and they are visible in the search box of the ES app.
Hello, I've been using a DEV/TEST license for a while for a test Splunk instance. The license had expired and I hadn't renewed it for a while. Now I've requested a new license and applied it, but it is still not working. I'm getting this message in the Licensing menu:

```
This deployment is subject to license enforcement. Search is disabled after 45 warnings over a 60-day window
```

The new license status is: valid.
Ever tried to assign a Splunk ES notable via Splunk SOAR and had it fail? Do you also use centralized authentication such as Okta with your Splunk deployment? Here is what is happening.

Splunk ES uses the list of users (cached from SSO, and local) as seen in Settings > Users to build the pull-down for ES notable assignment. This list also matters when assigning notables outside the UI, such as from Splunk SOAR. If your analyst has not accessed the Splunk ES server at least once, they won't show up in the SSO-cached users. The search that generates this list is `Threat - Notable Owners - Lookup Gen`.

So either make sure any analyst Splunk SOAR might assign a notable to logs into Splunk ES at least once, or make yourself a static lookup table of names and shim it into `Threat - Notable Owners - Lookup Gen`. Just remember the lookup will need two columns: owner, realname.

A modified search might look like the following:

```
| rest splunk_server=local count=0 /services/authentication/users
| search capabilities="can_own_notable_events"
| rename title as owner
| append [| makeresults | eval owner="unassigned"]
| eval _key=owner
| eval realname=if(isnull(realname) or realname="", null(), realname)
| table _key owner realname
| inputlookup append=true static_es_analysts_list
| dedup owner
| eval _key=owner
| outputlookup notable_owners_lookup
| stats count
```
I see I don't have any ._*.xml files in my app, even though I have created a tar.gz file which excludes the locally generated file. I am still getting the error

```
Invalid xml detected in file default/data/ui/views/._xmlFileName.xml at line 1
```

Could you please let me know what the workaround is for this? Thanks in advance.
Hello, this is my first time asking a question on here, so apologies if there's a format to follow. My work center doesn't have a Splunk admin/engineer, so they asked if I could try upgrading Splunk since it's hosted on Linux and I'm a RHEL admin. My concern is that there are no clients (besides the HF) showing up under Forwarder Management in Splunk Web. Am I supposed to re-add all the clients again? Or should they have started to communicate regardless? I know the indexer is working since we can search the latest AWS logs, but no Windows/Linux box shows up anymore. All apps and indexes are showing, just no "deployed clients" underneath them. The SH is the master. Any help is greatly appreciated!
I need to extract the Activity Score and Application UXI Average, but only when the Application Name is a certain name. It's a weird one for me because of the way the data comes in. Each event has multiple application names, activity scores, UXI averages and timeframes. So even when I search for a certain app, since the app name is in the event, I get the whole event, which includes all the other apps and metrics. I hope what I'm explaining is clear, and any help would be appreciated.