All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Topics

Hi! I'm having a struggle trying to get Splunk to recognize a file that's in Asterisk Delimited Format. I have the props.conf set like this below, running on a Splunk 7.3.8 HF, sending the cooked dat... See more...
Hi! I'm having a struggle trying to get Splunk to recognize a file that's in Asterisk Delimited Format. I have the props.conf set like this below, running on a Splunk 7.3.8 HF, sending the cooked data to a 8.1.72 Search Peer. Nothing I've tried will get the data to parse correctly. Everything I'm reading, this should work. I've opened a support case, but I'm going around in circles with them, so if anyone has any thought here, I would appreciate it!       [ sourcetype ] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8 disabled=false FIELD_DELIMITER=* FIELD_NAMES=timestamp,..... TRUNCATE=50000       Thanks, Stephen 
Hi All,  We have concern raised by one of our application team as they could see incorrect data in their dashboard, When validated the same by looking into the source of the file where the splunk is ... See more...
Hi All,  We have concern raised by one of our application team as they could see incorrect data in their dashboard, When validated the same by looking into the source of the file where the splunk is reading it, we noticed that there is no actual data present in the log source. Problem:  Getting incorrect data ingested into Splunk in the status field value [13/Apr/2022:06:33:03 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8444 status=2 [13/Apr/2022:04:30:01 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8443 status=2 [12/Apr/2022:11:10:27 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8443 status=2 [12/Apr/2022:09:11:37 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8444 status=2 Actual data present in the application server  Path:/var/mware/logs/xxx/localhost_access_log.2022-04-12.11.log [12/Apr/2022:11:10:26 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8443 status=200 size=216 response=1 [12/Apr/2022:11:10:27 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8443 status=200 size=216 response=1 [12/Apr/2022:11:10:27 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8443 status=200 size=219 response=1 [12/Apr/2022:11:10:27 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8443 status=200 size=216 response=0 [12/Apr/2022:11:10:27 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8443 status=200 size=219 response=0 [12/Apr/2022:11:10:27 +0000] fip="10.X.X.X" ip="10.X.X.X" method="POST" url="/xxx/service/decrypt" port=8443 status=200 size=216 response=1 Monitoring Stanza details: [monitor:///var/mware/logs/*/*localhost*] sourcetype = access_combined index = test disabled = 0 ignoreOlderThan = 1d blacklist=\.(gz)$ Splunkd.log : There is no significant ERROR|WARN|INFO related to this issue found. So could you please guide me what will be the reason why Splunk is ingesting an incorrect information when there is no actual data present in the source and also guide me how to troubleshoot this issue.
Hi Everyone, thanks to "kamlesh_vaghela" for helping me with importing the userid into the search query. But I am having trouble to convert the data to dataframe pandas, because of jsondecode error  ... See more...
Hi Everyone, thanks to "kamlesh_vaghela" for helping me with importing the userid into the search query. But I am having trouble to convert the data to dataframe pandas, because of jsondecode error      import requests import json import requests import urllib3 from base64 import b64encode import urllib.parse from csv import reader urllib3.disable_warnings() data=[] def fetch_data_using_userid(userid): url = "https://localhost:8089/servicesNS/admin/search/search/jobs/export" payload = { 'search': f'search index=_internal earliest=-1h sourcetype="{userid}" | stats count by sourcetype', 'output_mode': 'json' } safe_payload = urllib.parse.urlencode(payload) userAndPass = b64encode(b"admin:admin123").decode("ascii") headers = { 'Authorization': 'Basic %s' % userAndPass, 'Content-Type': 'application/x-www-form-urlencoded' } response = requests.request("POST", url, headers=headers, data=safe_payload, verify=False) return response.text # open file in read mode with open('user_data.csv', 'r') as read_obj: # pass the file object to reader() to get the reader object csv_reader = reader(read_obj) header = next(csv_reader) if header is not None: # Iterate over each row in the csv using reader object for row in csv_reader: # row variable is a list that represents a row in csv print(row) response_text = fetch_data_using_userid(row[0]) data.append(response_text) print(response_text)       the result which I am appending is not the the correct json format somehow, and because of that while converting it to dataframe, I am unable to separate the cells into different columns.  Has someone already worked with this, can suggest some ideas. thanks.
I cant seem to find an example parsing a json array with no parent. Meaning, I need to parse: [{"key1":"value2}, {"key1", "value2}]. But I only see examples with: "{"MyList" : [{"key1":"value2}, ... See more...
I cant seem to find an example parsing a json array with no parent. Meaning, I need to parse: [{"key1":"value2}, {"key1", "value2}]. But I only see examples with: "{"MyList" : [{"key1":"value2}, {"key1", "value2}]}   This is the json I have:           [{ "id": "123", "percentage": 25.0, "active": true, "second_id": "456", "creation time": "2022-04-13T09:30:06.517", "event_age": { "hours": 3, "minutes": 4, "seconds": 2 } }, { "id": "789", "percentage": 56.0, "active": true, "second_id": "222", "creation time": "2022-04-13T09:30:06.517", "event_age": { "hours": 6, "minutes": 2, "seconds": 2 } }]           I need to filter only the records which their event_age>4 and present it in a table. id percentage active second_id creation time event_age 789 56 true 222 2022-04-13T09:30:06.517 hours: 6, minutes :6, seconds: 2   Thanks! 
hi all, i try to run a cmd script on a UF.  it's located in %SPLUNK_HOME%\etc\apps\log4jscan\bin\log4jscan.cmd and the content is ..\static\log4j2-scan.exe --all-drives --scan-log4j1 --scan-logbac... See more...
hi all, i try to run a cmd script on a UF.  it's located in %SPLUNK_HOME%\etc\apps\log4jscan\bin\log4jscan.cmd and the content is ..\static\log4j2-scan.exe --all-drives --scan-log4j1 --scan-logback --csv-log-path "%SPLUNK_HOME%\var\log\log4jscan"  the inputs.conf is in %SPLUNK_HOME%\etc\apps\log4jscan\default and looks like this: (interval will be changed to run once per month) [script://..\bin\log4jscan.cmd] disabled = False interval = 600 i added> debug.txt 2>&1 to the script, but no file is created. any ideas? thanks...
Hi, I am trying to work with splunks ESS. Currently I am stuck. Is there any way we can alert user once he/she is added in investigation as a collaborator?
I am trying to run splunk for the first time using  C:\Program Files\splunk\bin>splunk start in windows cmd, but I am getting this error   Warning: cannot create "C:\Program Files\splunk\etc\licens... See more...
I am trying to run splunk for the first time using  C:\Program Files\splunk\bin>splunk start in windows cmd, but I am getting this error   Warning: cannot create "C:\Program Files\splunk\etc\licenses\download-trial" please help
i want to have an overview of malicious network traffic in my network and i decided to filter out all the "good" traffic to find the bad ones. I need a database of all the trusted IP addresses that c... See more...
i want to have an overview of malicious network traffic in my network and i decided to filter out all the "good" traffic to find the bad ones. I need a database of all the trusted IP addresses that contain the IPs of companies like social media (facebook, twitter etc), news (cnn, nbc etc), and all the other trusted websites that we often visit. is there a public database where all these IP addresses are kept so i can implement it on my splunk environment?
Hi everyone, I just watched an excellent demo / tutorial ( https://my.phantom.us/video/78/ ) by someone called Ian Forrest. During the video ( at about 45 minutes ) he demo's an excellent Custom Fu... See more...
Hi everyone, I just watched an excellent demo / tutorial ( https://my.phantom.us/video/78/ ) by someone called Ian Forrest. During the video ( at about 45 minutes ) he demo's an excellent Custom Function that looks in the cached SOAR internals for the cached results from previous executions of a specific app/action. He did mention that this was a 'work in progress' and I can't find this CF in Community Hub nor on Github anywhere.  Does anyone know what the status of his Custom Function is? Cheers, Mark.
I am trying to set timestamp for the event : ======== Sat Mar 19 16:33:08 2022 -05:00 LENGTH : '228' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' ========= The rules I used are: TIME... See more...
I am trying to set timestamp for the event : ======== Sat Mar 19 16:33:08 2022 -05:00 LENGTH : '228' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' ========= The rules I used are: TIME_FORMAT = %a %b %d %H:%M:%S %Y %:z TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 32 It is catching the timestamp correctly. However showing the error "could not use strptime to parse timestamp from LENGTH : '228' " I am not sure how to resolve the error.
Hello, I have a text source file with header. Some sample events (first line is a header) and props that I wrote given below. My props is working ok, except it breaks the events at TEST\2qw123|Empl... See more...
Hello, I have a text source file with header. Some sample events (first line is a header) and props that I wrote given below. My props is working ok, except it breaks the events at TEST\2qw123|Employee, TEST\3eraa2|Employee, TEST\87xaqw|Employee, at Obj.BasePage.Page, TEST\m69xcb, at Obj.BasePage.Page, and TEST\7yxccd|Employee  instead of breaking events at  TEST\2qw123|Employee, TEST\3eraa2|Employee, TEST\87xaqw|Employee, TEST\m69xcb, and TEST\7yxccd|Employee .  So from following sample events, I should have 5 events , but getting 7 events. Any help will be highly appreciated. Thank you.  UserID|UserType|System|EventType|EventID|Subject|SessionID|SrcAddr|EventStatus|TimeStamp|AdditionalData|DeviceID|DestSrcAddr TEST\2qw123|Employee|COM|TESTUSER|NTINCheckKCase|089524234|ybzjlie3d4ayr1i2|10.212.48.121|00|20220217122935|Case Information request: (Case-170) - 201612-30|mct0ma01ma4352855|10.219.174.222 TEST\3eraa2|Employee|COM|TESTUSER|NTINCheckKCase|046453942|ybzjlie3d4ayr1i2|10.212.48.121|00|20220217123142|Case Information request: (Case -85) - 201912-30|mct0ma01ma4352855|10.219.174.222 TEST\87xaqw|Employee|COM|SYSTEM|SystemMsg||zsod0mvomcelp3hvln5smm1u|10.216.22.17|01|20220217124743|Type:'error'; Ref:'Case/CaseInventory.aspx?Query=true&Scope=ServiceWide'; Msg: experienced <br>Source: App_Web_pc<br>Message: Object reference not set to an instance of an object.<br> /Case/CaseInventory.aspx<br>Trace: at Case.CaseInventory() at Obj.BasePage.Page_Load(Object sender, EventArgs e)<br><br>Please try to login again.|mct0ma01ma4382154|10.210.174.221 TEST\m69xcb|Employee|COM|SYSTEM|SystemMsg||z0ae3c25zggbzx5p|10.215.173.231|01|20220217130933|Type:'error'; Ref:'Case/CaseInventory.aspx?Query=true&Scope=ServiceWide'; Msg: experienced a error:<br><br>Source: App_Web_pcf3kniw<br>Message: Object reference not set to an instance of an object.<br> /Case/CaseInventory.aspx<br>Trace: at Case.CaseInventory.page_load3() at Obj.BasePage.Page_Load(Object sender, EventArgs e)<br><br>Please try to login again.|mct0ma01ma4353159|10.210.174.221 TEST\7yxccd|Employee|COM|TESTUSER|NTINCheckKCase|008422123|zggbzx5pzgnw1nih|10.215.173.231|00|20220217131108|Case Information request: (Case -24) - 202112-30|mct0ma1ma4353159|10.210.174.221   [sourcename] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) INDEXED_EXTRACTIONS=psv MAX_TIMESTAMP_LOOKAHEAD=14 HEADER_FIELD_LINE_NUMBER=1 TIME_FORMAT=%Y%m%d%H%M%S TIMESTAMP_FIELDS=TimeStamp TRUNCATE=2000
Hi Splunk Members,  I am relatively new to splunk and I wanted to ask a very basic question. I would like to find out  "How  can I change the Y-axis display data labels on a scatter plot without co... See more...
Hi Splunk Members,  I am relatively new to splunk and I wanted to ask a very basic question. I would like to find out  "How  can I change the Y-axis display data labels on a scatter plot without comprising the 1 to 3 scale ? from:  1 to "low" 2 to "medium" 3  to "high" | eval Alert_Level = case(Alert_Level = "Very Poor", 1, Alert_Level = "Poor", 2, Alert_Level = "Fair" , 3 ) | table Xaxis Yaxis  Alert_Level    This is incorrect as this plot thinks it is a string rather then number. | eval Alert_Level2 = case(Alert_Level = 1, "low", Alert_Level = 2, "medium", Alert_Level = 3 , "high" ) | table Xaxis Yaxis  Alert_Level2 or else i was trying the below but not sure if i am doing it in a best way HTML Source: <option name="charting.chart.showDataLabels">high</option> <option name="charting.axisTitleY.visibility">1:"Low", 2:"Medium", 3:"High"</option> Your help would be much appreciated. Thanks
I have the following data :    Service Message Service1 Hello world Service2 Another message Service1 Hello world Service1 Some other message   How can I write a query such... See more...
I have the following data :    Service Message Service1 Hello world Service2 Another message Service1 Hello world Service1 Some other message   How can I write a query such that the final output looks like :  Service : Unique message : count For example :  Service1 : Hello World :   2 Service1:Some other message : 1 Service2: Some other message
I have the following data :    Service Message Service1 Hello world Service2 Another message Service1 Hello world Service1 Some other message   How can I write a report suc... See more...
I have the following data :    Service Message Service1 Hello world Service2 Another message Service1 Hello world Service1 Some other message   How can I write a report such that the final output looks like :  Service Message : count   For example, with the data above, it should be :  Service1 Hello world : 2 Some other message : 1 Service 2 Another message : 1
Considering a field like :  field=select id from table where id In ["123","12"] limit 1 field=select id from table where id="123" limit 1   How can I write a query so ... See more...
Considering a field like :  field=select id from table where id In ["123","12"] limit 1 field=select id from table where id="123" limit 1   How can I write a query so that all the values in quotes are replaced by a placeholder? For example, an ideal output would be :  field=select id from table where id In ["xxx","xx"] limit  field=select id from table where id="xxx" limit 1   The values within quotes are alphanumeric
Hello everybody, This is actually my first post here so forgive me if I missed up or posted in the wrong section. I'm trying to compare/corelate two fields values from different source types and sa... See more...
Hello everybody, This is actually my first post here so forgive me if I missed up or posted in the wrong section. I'm trying to compare/corelate two fields values from different source types and same index. Please find two sample of event I'm trying to work on. 1) sample of the first source type index=wineventlog sourcetype=Script:ListeningPorts host=computer1 dest=172.*.*.* dest_port=50000 process_id=151111   2) sample of the second source type index=wineventlog sourcetype=WinHostMon source=process host=computer1 Path=***.exe Process=**.exe ProcessId=151111    I'm trying to corelate process_id and ProcessId fields to get the process field and make a count table. Sample output: process_id   |  dest_port  |  count   |  host               |  Path      |  process 151111               50000              1          Computer1      **.exe      **.exe   I tried this query but it didn't give me the right result index=wineventlog sourcetype=Script:ListeningPorts dest="172.*.*.*" host="Computer1" | table host process_id dest, dest_port | rename process_id as ProcessId | join type=inner host ProcessId [search index=wineventlog sourcetype=WinHostMon | table  ProcessId dest_port host Path process]    
I have been using dark theme in dashboards. Is it possible to have dark theme in embedded reports?
These are ticket platform logs with field 'lastupdated' which contains time and date [2022-04-12 12:12:17.160000+00:00] . Trying to build a weekly chart where only results that contains "lastupdated... See more...
These are ticket platform logs with field 'lastupdated' which contains time and date [2022-04-12 12:12:17.160000+00:00] . Trying to build a weekly chart where only results that contains "lastupdated" after present weeks monday should be displayed.  Something like  if ( lastupdated > monday)
hi, I have 2 source A and B (routers), they are sending the data over udp port 514. all of the sudden, the source B is not indexed anymore. I have captured the traffic (tcpdump), I can see clea... See more...
hi, I have 2 source A and B (routers), they are sending the data over udp port 514. all of the sudden, the source B is not indexed anymore. I have captured the traffic (tcpdump), I can see clearly that the traffic is reaching the Splunk server. My Splunk deployment is a free license all-in-one server. any thoughts ?   thanks.   heloma
Hi i can’t download the program it just keep downloading the page without getting me in after about 15 minutes  show me “ bad getaway”    what should I do?