Can anyone help with understanding the latest openssl vulnerability CVE-2022-0778 and how/if it affects Splunk installations? https://www.cve.org/CVERecord?id=CVE-2022-0778
Hi Team, I have recently created a trial account. I have received login details from Splunk (admin user). Can I go ahead using the same? I just want to get confirmation. Thanks, Venkat
Hello - How do I check the supplier creation date in Buying Inspector?
Dear professionals, I have a search string like this: index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName) | regex "\"relatedPersons\":\[\]" And this is the result. The results have a "bankAccount" value. Then I add a timechart like this: index="hcg_oapi_prod" relatedPersons NOT (firstName OR middleName OR lastName) | regex "\"relatedPersons\":\[\]" |timechart span=1m count as today |fields today How can I add a column for bankAccount when today = 1? Thank you
Regarding my account registered on Splunkbase, I would like to change the registration information. Is that possible? I would like to change the company name and email address. If it cannot be changed, could you please advise on another way to handle this?
As the title suggests, I am trying to copy Splunk native user accounts from a standalone SH to a search head cluster, and I only need to migrate specific user accounts. For this, I am planning to copy the respective line from the /etc/passwd file of the standalone SH to the SHC. However, after checking out this doc, it appears that if I copy the lines to the existing /etc/passwd file on a SHC member, it won't replicate. I would have to push the file from the deployer. However, I am not exactly sure how I should do it from the deployer?
Hi Splunk, the time field extraction is wrong. I want to search results using the first alert_at; how do I change this?
Hi, Is there a way to migrate the current running config from a local account to some other account (AD)? How can I accomplish this?
Hi Splunk, Currently we are using Splunk v6.6.3 in our environment, so is it possible to upgrade from version 6.6.3 to 8.x? If not, what is the procedure to follow to upgrade to Splunk v8.x? Kindly give me some suggestions on this.
  index="***" sourcetype="xaxd:*****" "GrantContributorAccess" "Assigned Contributor role to user" | rex field=Message "\[****=(?<accessId>.*?)\] - Assigned Contributor role to user (?<customerEmail>.*?) for customerId=(?<customerId>.*?) in directoryName=(?<azureDirectory>.*?) in subscriptionId=(?<subscriptionId>.*?)$" | stats max(_time) as LATEST_ASSIGN by customerEmail | eval LATEST_ASSIGN=strftime(LATEST_ASSIGN,"%Y-%m-%d %H:%M:%S") | map maxsearches=1000 search="search index="***" sourcetype="xaxd:*****" "RevokeContributorAccess" "Deleting user $customerEmail$" earliest=$LATEST_ASSIGN$" | rex field=Message "\[RevokeContributorAccess=(?<accessId>.*?)\] - Deleting user (?<customerEmail>.*?) from AzureAD$" | stats max(_time) as LATEST_REVOKE by customerEmail | eval LATEST_REVOKE=strftime(LATEST_REVOKE,"%Y-%m-%d %H:%M:%S")   I want to use the field "LATEST_ASSIGN" in the mapping subqueries as the "earliest" time for them.  Please help. Thanks in advance.  Prem
Hi team, I am trying to create a query in order to get the average of all max values in a period of 10 mins for any selected time range (7 days) per host. There are multiple hosts, and I am searching a log text in Splunk. Then, using the log event count, I am trying to figure out how many times the event occurred / the host was called. For my query I want to take the average of all the max values per 10 min period over the selected time range per host. (AVG(MAX PER 10 MIN) FOR SELECTED TIME RANGE) BY HOST
How do I list those events within a set of events (say, expand the below query) wherein, say, the time difference between two consecutive events is more than 0.5 secs? index=index1 * "orderid" Thank you
Dear Professional, I have a search string like below: index="hcg_oapi_prod" relatedPersons | regex "\"relatedPersons\":\[\]" And this is the result. The results have two types: Type 1: Results have the value {"name":{"firstName":"xxx","middleName":"xxx","lastName":"xxx"} Type 2: Results do not have the value {"name":{"firstName":"xxx","middleName":"xxx","lastName":"xxx"} How can I filter results for type 2 only? (does not have the value {"name":{"firstName":"xxx","middleName":"xxx","lastName":"xxx"}) Thank you.
I have two separate queries that I am presenting as unique pie charts on a dashboard, the second being a further breakdown of one of the categories of the first search.  Is it possible, as in Excel, to have a pie of pie chart where the further breakdown of one category is present within the same chart, or do they have to be two independent charts as I'm doing currently?  No code sample to demonstrate as I have no idea of the feasibility.  
Hi, I have customers running Splunk on Windows on Nutanix. I'd like to take advantage of Smart Store, which requires a Linux indexer. Can I add a Linux indexer as a search peer to a Windows search head? Is this a supported configuration? This would probably be a short term solution while the environment is migrated from Windows to Linux over several months. The Windows indexer would be kept online until the old data aged out, rather than doing a data migration. Cheers,  
Running the configuration wizard and trying to build the lookups: AD_Obj_Domain and AD_Obj_Admin_Audit work, but the rest say: Warning: No admon events found - Change Sync Time Period. I followed the suggestions in Review - Recollecting the admon baseline data, but it hasn't helped. Any ideas?
I am trying to configure a new input in the Splunk Add-on for Microsoft Office 365. I am receiving errors which I have not been able to fix. Assistance would be greatly appreciated. Input Name: AuditLogs.Signins Input Type: Graph API
2022-03-22 12:24:38,005 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=utils.py:wrapper:72 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last): File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 70, in wrapper return func(*args, **kwargs) File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/graph_api.py", line 235, in run
2022-03-22 12:24:38,004 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:118 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Error retrieving Cloud Application Security messages." exception='NoneType' object is not iterable
2022-03-22 12:24:37,999 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:476 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="There was an exception processing the response from Microsoft Graph API" exception=401:{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-03-22T16:24:37","request-id":"","client-request-id":""}}}
Traceback (most recent call last): File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 467, in get raise O365PortalError(response) splunk_ta_o365.common.portal.O365PortalError: 401:{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-03-22T16:24:37","request-id":"","client-request-id":""}}}
2022-03-22 12:24:37,814 level=INFO pid=3126388 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:462 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Calling Microsoft Graph API." url=b'https://graph.microsoft.us/v1.0/auditLogs/signIns' params=None
Hello everyone, We have several reports scheduled in a SHC; one of the actions is to send an email with a PDF report. Nevertheless, when the alert action is triggered we get this error: (status=400) pdfgen GET is deprecated. Please use POST instead. I have been searching for some answers, but it looks like this error is not documented anywhere. Any suggestions?
Currently my search query is: sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT" "additionalMessage.response.commissionPercentage"="0.15" | rename additionalMessage.requestBody.deviceId as device_id | stats count(message) as count by device_id | lookup ATMDeviceNames.csv device_id OUTPUT device_name | append [| inputlookup ATMDeviceNames.csv | table device_id device_name | eval count=0 ] | stats max(count) as count by device_id device_name | sort -count | rename count as "Completed Transactions" it displays a statistics table like this: device_id device_name Completed_Transactions 02f012-e0c-40d6-8ff5-2d2cba87b2 testdevice123  11 I would like to create an additional dashboard panel based on this table. I would like to swap the Completed_Transactions with a column called Total_Cash. I can see the cash amount per transaction under the name "additionalMessage.response.fiatAmount". I would like to see the total cash amount per device displayed, can't seem to make it work. Any help would be greatly appreciated.
Hello, I am working with a team that is sending some custom parameters via metrics data. They are trying to include a dimension that contains a date, but Splunk is not accepting the date. release:1,component:test,team:TestTeam,repo_branch:master,version:3,eventTimestamp:2022-03-22T14:46:41.048881800 My guess is that Splunk doesn't like the colons in the timestamp, but I am a bit unsure. The team wants to be able to send time within the metrics for later analysis using eval commands after indexing. Is there a best practice for including a time dimension/value within metrics data? (i.e. epoch/UNIX time)