We have a list of IPs in a lookup table and we want to search for events that don't match them. The lookup definition "scanners_lookup" has a field called "Ip_Scanner", and the events in the index we are looking at have another field called "source_ip". How do we build the search? We have tried several approaches that don't work. For instance:

index=my_index | lookup scanners_lookup Ip_Scanner | where source_ip != IP_scanner

Thank you!
I am looking for an add-on/API which can help to onboard all CrowdStrike-related information into Splunk. I see that there is a "CrowdStrike Falcon Devices Technical Add-On" available; it retrieves detailed data that the CrowdStrike Falcon sensor has collected about the device. It does not collect the list of software installed on those devices. For example, we have 5000+ Windows servers, and I want to check whether XYZ software is installed or not. Is there a way to collect installed-software information into Splunk? Many thanks in advance!
Hi All, we are running a Splunk action - run query (search) in a Phantom playbook which is active on every event coming into Phantom. However, at times the action - run query (search) fails with the message:

Failed to acquire lock named '08' for Action: 'run query', App: 'Splunk'. Failed to acquire the lock '08'.

The action - run query (search) tries to execute for 30 minutes or so and eventually fails. Any help troubleshooting this issue is highly appreciated. Thanks in advance.
Hello, we have a monitoring console that works great. I am able to connect directly to the server containing the console and get everything I need. However, we need to start mixing this data with other dashboards on the search heads. This is where I come up dry.

| rest splunk_server=local /services/cluster/master/indexes

on the Monitoring Console server returns data (unformatted data, but still data). Running the search below on the search heads returns nothing. It doesn't error out; just no data is returned.

| rest splunk_server=(Monitoring Console Server) /services/cluster/master/indexes

Where should I go from here? Any/all help is appreciated. Thanks!
Hi, I have a field "IT_Managed" and its values are "Yes" or "No". I need the count AND percentage of events with "YES". It appears I am not using the stats and eval commands correctly. Here is my code:

Can you please help? Thanks
Hi, I have configured a Linux server to send events to syslog-ng, but now I want to use the Splunk Add-on for Unix and Linux to make the parsing easier. Looking at the inputs.conf, it only seems relevant to a UF install. Has anyone manipulated it so that the same results are achieved via a syslog ingest?
I have the Splunk Add-on for Microsoft Office 365 app running and collecting all of the inputs successfully, with the exception of the Audit Logs input. I have it collecting logs from multiple O365 tenants, and all of them have the same errors with the Audit Log input. The _internal log has errors indicating it's an issue with the username and credentials. This app doesn't use credentials, it uses keys. The keys for the Azure app are valid and not expired. I can log in successfully to the tenant with the same credentials that are shown in the error message. The error is below and has been sanitized.

2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' start_time=1648645805 | message="ingesting message " message=graphApiMessage(id='XXXXXXXX-YYYY-XXX5-YYYY-ZZZZZZZZ', update_time=datetime.datetime(2022, 3, 30, 13, 10, 8, 751629), data='{"id": "XXXXXXXX-aXX-4cXXX-XXXX-XXXXXXXX", "createdDateTime": "2022-03-29T14:44:07Z", "userDisplayName": "XXXX XXXX", "userPrincipalName": "XXXX@YYYY.com", "userId": "XXXXXXXXXXXXXXXXXX", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "123.123.122.123", "clientAppUsed": "Reporting Web Services", "correlationId": "XXXXXXXX-YYYY-ZZZZ-QQQQQQQQ", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "XXXXXXXX-0000-0XXX-XX00-000000000000", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password.", "additionalDetails": "The user didn\'t enter the right credentials. \\u00a0It\'s expected to see some number of these errors in your logs due to users making mistakes."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "", "browser": "Python Requests 2.22", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "somewhere", "state": "XXXXXX", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": XX.XXXX, "longitude": -XX.XXXX}}, "appliedConditionalAccessPolicies": []}', key='XXXXXX-XXXX-XXXX-XX-XXXXXXXXX')

Any thoughts? It's working for all other inputs. Thanks, Robert
Hi Team, I have recently installed a Splunk Enterprise free trial on my PC. I created an HTTP Event Collector and an HEC token. I want to send some data to my Splunk instance from an external client (system). But my Splunk URL shows only http://<IPaddress>:<port>, and using it I get "connection refused" or "invalid server". Can you please suggest how to get the correct host name and URL of my Splunk system, so that I can send data from my client to Splunk? Thanks, Kumar
Part 1 - I have already grouped the events based on log.level (which has values like error, info, warn, fatal) using stats count(log.level) by log.level. Current output:

log.level  count
error      3
warn       31
fatal      1
info       7

Part 2 - I have a multivalue field mulVal at different levels. I need to loop over all fields to find those mulVal fields (at different levels) and get the first non-null mulVal field's value. If that field itself is not found at any level, then I need to consider it as "no value" for that event. Next I need to take the mulVal (whichever mulVal value was found, or "no value"), group it based on log.level as shown in Part 1, and display the mulVal value of the latest event in each group. Required output:

log.level  mulVal    count
error      sample    3
warn       hello     31
fatal      no value  1
info       value     7

Thanks in advance
Hi all, we have two reverse proxies, one front, one back. They both log HTTP requests and responses to the same index. Each request has a unique ID that is the same on the front and back. I would like to correlate the front and back requests with the same unique ID. So the two searches are something like this:

index=rpx proxy=front unique_id=*
index=rpx proxy=back unique_id=*

Log lines would then look something like this (shortened for brevity):

proxy=front, unique_id=123456, time_taken=2ms
proxy=back, unique_id=123456, time_taken=5ms

My goal is to have the delta of the time_taken field and then display it in, for instance, a timechart avg. Maybe I should do the one search and correlate on the time_taken field from there?
03 Mar 2022 10:08:18,188 GMT ERROR [dbdiNotificationService,ServiceManagement] {} - Caught Runtime exception at service dbdiNotificationService
java.lang.IllegalArgumentException: No enum constant com.db.fx4capi.Fx4cApiLocal.TradeProcessingStatus.TRADE_STATUS_CANCELLED
    at java.lang.Enum.valueOf(Enum.java:238) ~[?:1.8.0_311]
    at com.db.fx4capi.Fx4cApiLocal$TradeProcessingStatus.valueOf(Fx4cApiLocal.java:10) ~[trade-22.1.1-8.jar:?]
    at com.db.fx4cash.trade.step.GetTradeReferenceAndStatusStep.step(GetTradeReferenceAndStatusStep.java:24) ~[step-22.1.1-8.jar:?]
    at com.db.servicemanagement.TransactionDispatchService.executeIteration(TransactionDispatchService.java:275) [servicemanagement-22.1.1-8.jar:?]
    at com.db.servicemanagement.TransactionDispatchService.startDispatch(TransactionDispatchService.java:673) [servicemanagement-22.1.1-8.jar:?]
    at com.db.servicemanagement.TransactionDispatchService.run(TransactionDispatchService.java:91) [servicemanagement-22.1.1-8.jar:?]
    at com.db.servicemanagement.ServiceThread.run(ServiceThread.java:36) [servicemanagement-22.1.1-8.jar:?]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_311]
----------------------------------------------------------------------------------------------------------------------------

In the above string I need to capture the string in bold; basically, whatever comes after ERROR on the first line I would like to capture, using the command below:

index=app_events_fx4cash_uk_prod source=*STPManager-servicemanagement.20220303-100818.log* | rex field=_raw "^[^\-\n]*\-\s+(?P<Error>.$)" |table error

I am getting a blank record, please help.
Hi again. After upgrading our 26 Linux universal forwarders from 7.x to 8.2.5, one of them will not run anymore. It immediately shuts itself down after starting. splunkd.log shows nothing special to me. Here are some lines:

03-30-2022 13:03:03.587 +0200 INFO WatchedFile [110115 tailreader0] - File too small to check seek crc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/splunk_instrumentation_cloud.log'.
03-30-2022 13:03:04.440 +0200 INFO AutoLoadBalancedConnectionStrategy [110109 TcpOutEloop] - Connected to idx=172.17.1.91:9997, pset=0, reuse=0. using ACK.
03-30-2022 13:03:05.997 +0200 INFO loader [110063 HTTPDispatch] - Shutdown HTTPDispatchThread
03-30-2022 13:03:06.031 +0200 INFO ShutdownHandler [110076 Shutdown] - Shutting down splunkd
03-30-2022 13:03:06.031 +0200 INFO ShutdownHandler [110076 Shutdown] - shutting down level "ShutdownLevel_Begin"
03-30-2022 13:03:06.031 +0200 INFO ShutdownHandler [110076 Shutdown] - shutting down level "ShutdownLevel_NoahHealthReport"

Any ideas? Thanks...
Hello, I am trying to do the following: I need to add up all the times in ELAPSED and give the result in the Total Time Elapsed row. I am also trying to remove the sort_field and Total columns from my table. I have tried to use the stats, count and addtotals commands, but I am not finding the right way to use them. Can anyone help? Regards, Celine

BATCH_NAME | ELAPSED | STAGE | START_TIME | sort_field | Total | _raw | _time
MCO/COB.INITIALISE | 00:00:00 | Application | 20:18:34 | 1 | 1 | 20220321,A000,MCO/COB.INITIALISE,COB.EXECUTE.API,20:18:34,20:18:34,00:00:00 | 2022-03-21T20:18:34.200+0200
MCO/SYSTEM.SECURITIES | 00:00:00 | System Wide | 20:35:46 | 2 | 2 | 20220321,S001,MCO/SYSTEM.SECURITIES,SC.EOD.SUB.ACC.CHG.POST,20:35:46,20:35:46,00:00:00 | 2022-03-21T20:35:46.200+0200
MCO/DATE.CHANGE | 00:00:00 | Start of Day | 21:30:26 | 4 | 4 | 20220321,D000,MCO/DATE.CHANGE,B.DATE.CHANGE,21:30:26,21:30:26,00:00:00 | 2022-03-21T21:30:26.200+0200
MCO/RESET.CO.STATUS | 00:00:00 | Online | 21:34:47 | 5 | 5 | 20220321,O000,MCO/RESET.CO.STATUS,RESET.CO.STATUS,21:34:47,21:34:47,00:00:00 | 2022-03-21T21:34:47.200+0200
MCO/BATCH.DATE.RESET | 00:00:00 | End of COB | 21:35:59 | 6 | 6 | 20220321,O999,MCO/BATCH.DATE.RESET,BATCH.DATE.RESET,21:35:59,21:35:59,00:00:00 | 2022-03-21T21:35:59.200+0200
Total Time Elapsed | XX:XX:XX | | | 18 | 18 | |
Hi Experts, I want to know about a license usage dashboard for Splunk APM, where we can view license consumption details and analytics. Thanks.
Hello. I'm trying to view the Splunk configuration, but I'm getting a very odd error:

splunk@test1:/> /opt/splunk/bin/splunk show config authentication
Splunk username: admin
Password:
Can't create directory "/opt/splunk/splunk/.splunk": No such file or directory

Changing dir to /opt/splunk/bin/ and running the command from there also doesn't help. It doesn't matter if I run the command as the splunk user (this user owns the files in /opt/splunk) or with sudo. This Splunk instance was upgraded from 7.0.0 to 8.1.5 and then to 8.2.5, so maybe that affected it somehow. How can I fix this?
Hello, recently we have started working with AppDynamics as we are taking it over from another team. There have been a few Health Rules already created and we are trying to understand them all. There is one that we are not sure about and it seems to generate a handful of alerts:

App Starts's value was not within baseline-based calculated value by x standard deviation(s) for x times in the last x minutes

What exactly does "App Starts" mean here? The application failed to start? I couldn't find such information in the AppDynamics docs, and when following the link in the alert email, it just opens the Mobile Application dashboard and I don't see any connection. Is it possible to check more details regarding this alert? Thank you in advance!
Hi, is the Apache Camel framework supported in AppDynamics?

^ Post edited by @Ryan.Paredez to move contents into the body of the post. Please make sure to include a title and a body in your discussion post.
Hi Splunk experts, can anyone elaborate on the event below and tell me why this event is getting triggered? The user named in this event has left the organization, we removed his access and transferred his knowledge objects to another person, but we are still getting his name in the event below. Please also help me with how to avoid this type of alert.

127.0.0.1 - **User name*** [30/Mar/2022:09:29:54.891 +0000] "POST /servicesNS/nobody/search/saved/searches/Single%20User%20Failed%20Attempt/notify?trigger.condition_state=1 HTTP/1.1" 200 1933 "-" "Splunk/8.1.0 (Linux 4.15.0-1023-azure; arch=x86_64)" - 2ms

This event is displayed when we search using the query:

index=_internal sourcetype= splunkd_access user=*

Thanks in advance.
Hello everyone, we recently upgraded our Splunk Enterprise from 7.x to 8.1.7.2 and we noticed some changes when we search on sourcetype. Some of our sourcetypes can contain different types of data. Let's say we have data A stored in sourcetype SRCT with some fields corresponding to this type of data: field1_A, field2_A. And data B is also stored in sourcetype SRCT with its own fields: field1_B, field2_B. If we do a simple search:

index=index sourcetype=SRCT field1_A=value1 | table *

In Splunk Enterprise 7.x, the table only shows the fields that concern data A, that is to say, field1_A, field2_A.

field1_A  field2_A
value1    value2

Now, since the upgrade, the table shows all the fields from data A and data B, even if the data we are looking for is data A. In this case, field1_B and field2_B are empty.

field1_A  field2_A  field1_B  field2_B
value1    value2

BUT: if we do not specify sourcetype=SRCT in our search:

index=index field1_A=value1 | table *

It only shows the fields field1_A and field2_A.

field1_A  field2_A
value1    value2

It's as if searching on sourcetype makes it retrieve all the fields that this sourcetype has encountered without discarding null fields. The same can be noticed when we search on source. Has anyone seen this before? What can explain this change of behavior?
Hi. I'm brand new to Splunk. I've created a table report that shows counts in these columns: Time (Hour), Result: Good, Result: Bad, Result: Ugly. After the index and sourcetype, my query has:

|chart count over _time span=hour by data.result

What do I need to add to the query to calculate the total of Good, Bad and Ugly, and then use that to add a column with the percentage of the total result to the table? Appreciate your help.