All Topics
After upgrade to 8.2.5 we suffer from another issue with visualization and showing dramatically wrong data... Built this morning at 11:30. Dashboard/panel shows after some time (here ca. 30m) a completely different avg visual but, more concerning, completely wrong data for the 'count_pm' metric. Please see attached my XML code; what do I miss here?
Hi All, We have our custom app and while performing the cloud vetting process on that app, we are getting the following error mentioned below. We have already updated the jQuery in all our XML (version="1.1"). The error doesn't show the name of the file but we suspect it might be caused by one of the visualization JS files not related to XML. What best can be done to resolve these errors? Thanks.

check_for_vulnerable_javascript_library_usage
3rd party CORS request may execute
parseHTML() executes scripts in event handlers
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
3rd party CORS request may execute
parseHTML() executes scripts in event handlers
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
XSS in the `of` option of the `.position()` util
XSS Vulnerability on text options of jQuery UI datepicker
XSS in the `altField` option of the Datepicker widget
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Hi all, I am using a Heavy Forwarder for a few API-related integration methods of various data sources. I have to consider an integration with HEC now for a new source. Is it possible to use a Heavy Forwarder and add a HEC input to it? Or should a HEC be a separate machine? Best, O.
Hi everyone, I am trying to develop some apps in Splunk with React and JS. I want to access a Splunk lookup and get data from the lookup, but I do not see any function in the SDK to help collect the lookup file. https://docs.splunk.com/Documentation/JavaScriptSDK So how can I get the lookup file? I think I can make a new search "| inputlookup" and get the search result.
Hello, We don't get data from service status and service messages since January with version 2.1 of the Add-on for Microsoft Office 365. Do you know if this error is fixed in the new version (3.0)? Thanks
Hello, I have to find all the alert and dashboard queries by sourcetype. I saw this query, but it does not contain the query inside the dashboard\alert:

| union
    [| rest splunk_server="local" "/servicesNS/-/-/data/ui/views" | search "eai:data"="*index=*" | eval Type="Dashboards" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
    [| rest splunk_server="local" "/servicesNS/-/-/admin/macros" | search definition="*index=*" | eval Type="Macros" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]
    [| rest splunk_server="local" "/servicesNS/-/-/saved/searches" | search search="*index=*" | eval Type="Saved Searches/Alerts/Reports" | table Type title eai:acl.app author eai:acl.perms.read eai:acl.perms.write]

Maybe there is another way to achieve my goal? Thanks
Hi All, I'm trying to extract the card details in my logs. Just confused how to extract two or more card details or their respective fields using the rex command. Example:

Visa card numbers regex is ^4[0-9]{12}(?:[0-9]{3})?$
JCB card numbers regex is ^(?:2131|1800|35\d{3})\d{11}$

I just want to extract the Visa and JCB fields to check my card details. Is there a way to create named group fields for the above cards using the rex command in a single search? Help me with the query, guys. Thanks in advance.
Hi, I want to make a report or a CSV file from a search result. However, the search result is more than 7 million. So now I have a few queries: I am trying to save the search; however, whenever I try to open that search to show people how many and what type of events were found, it does not show. How can I make a report or CSV file for more than 7 million events? Please advise. Thanks & regards, Osama Faheem
Hi Experts, I have an issue with the search string. I have a URL text like below and I need to filter that out using regex. I am not able to create a regex that would give the count if the URL string has two question mark symbols, not consecutive though.

/shop/us/aabc-abc-aaa?filtered=true&rows=240&start=0&facet=ads_f42001_ntk_cs:(%22aaa-Babbab%22)&cmp=DIS:SPR22:HCo:M:US:PSP:TT:X:X:X:JEANS:X:JEAN:X:JanWk4AABBBs15s

Thanks
Hi everyone, I am facing a problem with the drop-downs. I have 2 drop-downs: one is a group and the other one is a subgroup. The first drop-down has a list of the group names. The second drop-down will show the subgroups of the group we selected from the first one. I want to include the option "All" in the second drop-down. I want to pass only the values of those subgroups of the respective group selected to the queries. But if I use "*" for all, it is giving all the subgroups together irrespective of the group selected. Does anyone know how to solve this?
Hi splunkers, I know how we can restrict users from exporting data in Splunk Web. Does anyone happen to know how we can restrict users from exporting data via the REST API or CLI?
Hi All, Please help me with the below: How to integrate SaaS app logs into Splunk? The Miro app is to be integrated with Splunk, but we don't want 3rd-party apps; we need only Splunk-provided apps to integrate. Is there any other method that can be followed to ingest the SaaS app logs?
I have the following table that I would like to summarize as total logins and total token creations by creating a new table with two rows showing CLIENT_LOGIN + LOGIN and CODE_TO_TOKEN + REFRESH_TOKEN. How do I sum two rows? Thanks

CLIENT_LOGIN                  81392
CLIENT_LOGIN_ERROR              290
CODE_TO_TOKEN                  2984
CODE_TO_TOKEN_ERROR              13
CUSTOM_REQUIRED_ACTION_ERROR      3
INTROSPECT_TOKEN                 33
LOGIN                         10559
LOGIN_ERROR                    1240
LOGOUT                            2
REFRESH_TOKEN                    51
REFRESH_TOKEN_ERROR             126
I'm looking at designing a Splunk data catalogue that captures all source types (and metadata) that are currently being ingested, so that we can quickly see the current state of the workspace. E.g. a customer who wants access to event X can use the catalogue to check that source type Y exists already. Has anyone done something similar to this or have suggestions? I'm quite new to Splunk but it seemed like it could be a common 'nice to have' for Splunk users. Thanks.
Hi, In the top menu at the Splunk level (black bar) there is a `Find` text box. Are the contents of this made available as a token, such that I can use it in a dashboard? I want to change how this field works within certain applications, so it can be used within a search in my dashboard and not used by the Splunk application itself. tia
I'm using Splunk Enterprise 8.2.5 on Windows and using the deployment server to push apps. There is currently no indexer configured in /etc/system/local/outputs.conf as we do all this in the app. Our security team wants our forwarders to start shipping the events over TLS 1.2. As a quick test I have the following with a non-deployment-server app:

- Indexer listening for TLS 1.2 using my PKI-signed cert on TCP port 9998
- Forwarder using the default server.pem cert and verifying the indexer cert

This works fine, but now I have the issue of how to deploy apps from the deployment server. If I use the default, a self-signed or a PKI-signed client cert at the forwarder, I must secure the private key with a password and specify that password in outputs.conf. Therefore, if specifying the indexer for a given app (not all apps have the same indexer!), I need to specify the password for that app in the <app>/outputs.conf file at the deployment server. I tested this, but one issue is that the password does not get encrypted on the deployment server or the target UF. I'd realistically need the same client certificate on all forwarders to make this manageable. Should I be defining all indexers outside of deployment server apps in /etc/system/local/outputs.conf and then routing to them in the <app>/outputs.conf instead?

Note: Although it states here that if the password is specified in a conf file outside /etc/system/local/ it will not be encrypted, I have tested and it is! This whole area of config is very confusing IMO.
Using Splunk Enterprise 8.2.4 on Windows and trying to configure my forwarders to use SSL to forward events to my indexers. Client certificate verification is not enabled on the indexer. Reading the guide here, it states some config aspects that don't seem to be true from testing:

sslPassword = <password>
* The password associated with the Certificate Authority certificate (CAcert).

Is this not the password for the client cert (server.pem by default) rather than the CA cert? Also, it states:

useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to "false" on the receiver.

This appears to indicate that you can use SSL without a client certificate (which would be great!). However, if I simply add useSSL=true to my forwarder outputs.conf, the SSL connection does not come up and the following is shown in splunkd.log, indicating it is looking for a client certificate file:

03-30-2022 23:39:47.933 +0100 ERROR SSLCommon [31888 parsing] - Can't read certificate file errno=33558528 error:02001000:system library:fopen:system library

My outputs.conf is as follows:

[tcpout:test-ssl-1]
disabled = 0
server = indexer1.mydomain.com:9998
useSSL = true
useClientSSLCompression = true
sslVerifyServerCert = false

This outputs.conf does work:

[tcpout:test-ssl-1]
disabled = 0
server = indexer1.mydomain.com:9998
useSSL = true
useClientSSLCompression = true
sslVerifyServerCert = false
sslCommonNameToCheck = indexer1
sslAltNameToCheck = indexer1.mydomain.com
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\MyPKIChain.pem

I have no idea why the 2nd config works! sslVerifyServerCert is false.
How to manually download the IP database and add it to Splunk User Behavior Analytics (UBA)?
I need to configure Splunk Enterprise using the reporting and notification tools to create a report with notification of the following events:

- Loss of communication with hosts and devices
- Logs no longer being collected

How would I go about crafting a search for these requirements?