Hello. I have some KVStore collections in our cloud environment. In some of those collections, there are boolean fields that I want to use with search logic. Examples are called "curbside.disabled" and "curbside.offered". I want to be able to say: if curbside.offered is true, add 1 to a totalOffered field, so I can get a count of all items offered and all items disabled. Then I can do some math on those. Each time I try to use one of those fields, the search fails. When I assign a temp field to typeof(curbside.disabled), etc., it returns "invalid". The KV stores were created in Lookup Editor and lookup definitions are created. I can see the fields and table them. I can't use the data in them. What am I doing wrong?
Hi All, Is there any account lockout policy after multiple failed attempts in Splunk SOAR (on premise), i.e. the user's account gets locked for 30 mins after 3 consecutive failed/incorrect password attempts to log in?
Hello, Thank you for taking the time to consider my question. I'm currently configuring a custom app to deploy to Windows workstations to monitor both inbound and outbound connections strictly for domain users, to correlate the foreign IPv4s with phishing/C2 addresses we obtain via threat intelligence. To avoid the noise made by local or system-level accounts, I would like to specify the "user" field within appName/local/inputs.conf using regex, as outlined in the Splunk inputs.conf documentation. Unfortunately there is no clear example of how regex can be used to do a simple restriction to only domain-level accounts, which is a very common use case I'd imagine. What I would like to accomplish is a version of the following:
[WinNetMon://inbound-mon]
disabled=0
<...>
user=domain\*
This would effectively only monitor the inbound connections made by users that are preceded with the company domain, and thus eliminate traffic/noise from the endpoint gathering updates etc. Please advise on the best way to accomplish this; any working answer will be happily greeted with karma and accepted as the final solution. Many thanks in advance!
Hi, I need to set up an alert with a query like the one below.
index=abc sourcetype=bcd "abc" File_name=maple.txt earliest=2h@h latest=now
In the above query, the File_name, earliest and latest time have to be picked up from the lookup file. Condition: if the current time matches the latest time in the lookup file, then the query has to be run for the respective File_name for that time range (earliest and latest time mentioned in the lookup). The lookup table would be like below:
File_name | earliest | latest
Dfg.txt | 2 | 4
Dft.txt | 5 | 6
Ser.txt | 5 | 7
I have an alert table with certain values: Time (alert occurrence) | Alert Name | Severity ... Would it be possible to create a time entry the first time an alert is accessed? This would help me to create a first response SLA.
Time | Alert Name | Severity | First response | SLA
03/16/2022 05:20 PM | Failed Login | Medium | 03/16/2022 05:25 PM | 00:05
03/16/2022 05:30 PM | Acces invalid | High | |
Other: can you please give me a solution for this subject?
Hello, I added CSV data into my Splunk without any timestamp, and Splunk automatically added a timestamp with the format "3/16/22 4:33:55.000 PM". I would like to change the date to the format "3/16/22". How can I do that? Regards,
Unable to edit my first name and last name on Splunk Community. Not sure how, but my name is showing as Abhsekh Dandpat in Splunk Community. I have tried to update the personal information settings more than 100 times and am unable to edit it. For some time it's stored as my updated name, and after some time it automatically changes back to Abhisekh Dandpat.
Hello, Is the IT Essentials Work app able to provide all the functionality that the now-deprecated Splunk App for Windows Infrastructure did? In detail, we use the latter to alert when a user has group membership changes in Active Directory for specific groups. The data we use for this comes from the WinEventLog:Security source. Thanks.
Hi everyone, Just wanted to know how to show alerts dynamically. Like we use a dashboard panel to run a search query for every drop-down option, is it likewise possible to show how many alerts occurred within that period for that drop-down option in a dashboard panel? Please help me out with this.
Hello, we are starting to use On-Call and I am attempting to integrate with Zabbix 4.0, except we use a proxy and I am unable to find a way to use such a proxy to send alerts. Is there any way to use a proxy with the plugin in 4.0? I have read that it's possible with 5.x but we are unable to upgrade.
I have created a lookup in the lookups folder placed in local. After that I defined the lookup in transforms.conf. This is the stanza defined in transforms.conf:
[lookup_name]
filename = lookup_name.csv
All the changes are pushed to the dev repository in git, but when I try to search the lookup on the search head, I am unable to find it. Is there any additional step that I am missing?
We are currently using a Splunk Enterprise environment with one search head and one indexer. We enabled data model acceleration because the performance of search became poor as we used the system. We are planning to increase the number of search heads by one in order to accommodate more users in the future. Will the data model acceleration enabled for the first search head automatically be enabled for the next search head? I do not believe that any additional configuration is necessary, especially since the .tsidx files are created on the indexer, not on the search head. If there are any settings required to enable data model acceleration for additional search heads, please let me know.
Hi everyone, I have some doubts about indexer clustering. How do I stop data replication? Please provide the Splunk documentation.
Hi All, One of our cyber security people is facing a strange issue while trying to access data from the Splunk search portal. In initial troubleshooting of the issue we found that roles/permissions were not syncing, but later we found that roles/permissions are auto-changing frequently. We could not find any ERROR/WARN in splunkd.log, so we are not sure how to troubleshoot this issue. Splunk version: 8.2. OS: Linux. Authentication mode: LDAP. Environment: Splunk distributed production environment. Problem statement: roles/permissions are not syncing properly; they are getting auto-changed frequently. Kindly let me know what steps we should follow to troubleshoot this type of issue.
Hi, Is there any way to install the AppDynamics agent into Kubernetes in order to monitor .NET applications without modifying the app code to communicate with the agent? The k8s cluster is installed on Linux and on-premise. Thank you.
Hi, I run stats on events like this, but my distinct count is wrong because some events have the same site. How do I aggregate Pb1, Pb2 and Pb3 separately by site and get the sum per site, please?
| stats count(eval(cit >= 40)) as Pb1, count(eval(cit2 >= 15)) as Pb2, count(eval(cit3 >= 20)) as Pb3 by site | eval Total=Pb1 + Pb2 + Pb3 | search Total > 10 | stats dc(site)
Hi Splunkers, I have 50 dashboards, each dashboard having a disk metric panel, process details, Autosys job status, memory usage details, and keyword monitoring panels. Each dashboard is mapped to a 3-letter appcode. Now I want to have a master dashboard to represent the status of all these 50 dashboards in a single place. If in dashboard-1 for appcode GHI my disk panel or any other panel has a critical warning (red colour), the GHI appcode in my master dashboard has to turn critical (red colour) as well. Similarly with other panels and other dashboards. My master dashboard should look something like this for the appcode status:
Hi Splunkers, I'm performing some searches to monitor Windows user failure attempts. The failure itself is not a problem; I know the proper Windows event code to monitor failed attempts. The focal point is that in each of these I have to add a particular condition to check. Among these searches, two are giving me some difficulty: I have to monitor login failures performed by an expired account, while in another one I have to track attempts by a disabled account. In my scenario, where I have the Windows add-on installed on my environment, how can I track the 2 above scenarios?
Hello, We are testing Splunk Cloud. After installing the Splunk App for Unix and Linux I got messages asking to reboot. My console: https://prd-p-3qf39.splunkcloud.com Thank you.