Hi, I just created an APP in Splunk Cloud and I'd like to create a new read-only role accordingly, which contains as few capabilities as possible. I hope users of this role can only read in-app dashboards. Neither editing searches nor changing settings is welcome. Which capabilities should I add to it? Please help and many thanks!
Hi, I just created an APP consisting of a couple of dashboards made in Dashboard Studio. I'm new to Splunk Dashboard Studio, so I wonder how I can edit the view to hide the Splunk Bar on top. Many thanks! P.S. When I say "Splunk Bar" I mean this menu bar down below. I understand this is called the "Splunk Bar" in Dashboard Classic. Please correct me if it is not in Dashboard Studio.
I have an elasticsearch database installed on one server. I am trying to pull data from elasticsearch into phantom SOAR. Connectivity between the elasticsearch app and phantom is working fine, but I am getting the following error while pulling data from elasticsearch.

Loaded action execution configuration Successfully added containers: 0, Successfully added artifacts: 0 1 action failed Unable to load query json. Error: Expecting value: line 1 column 1 (char 0)

Configuration:
Hi Team, I have installed the .net agent on the Windows server and it shows waiting for a connection. When I checked the AgentLog it shows the below error; please help me fix this issue.

2022-03-15 09:55:34.1093 29580 AppDynamics.Coordinator 1 28 Warn MachineAgentManager Metrics Error sending metric data to controller:System.Net.WebException: The remote name could not be resolved: '[Redacted].saas.appdynamics.com'    at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)

^ Post edited by @Ryan.Paredez to redact Controller name. Please do not share your Controller name or URL for security and privacy purposes.
++EXT-ID[05] FLD[Wallet Provider Device..] FRMT[TLV] LL[1] LEN[32] DATA[4AD74D9421FE60B5688EF727F1BC7488] ++EXT-ID[06] FLD[Wallet Provider Accoun..] FRMT[TLV] LL[1] LEN[32] DATA[4AD74D9421FE60B5688EF727F1BC7488] ++EXT-ID[07] FLD[Wallet Provider Reason..] FRMT[TLV] LL[1] LEN[32] DATA[30DA9557329255041D0B5FC268651435]

I wanted to identify the list where FLD[Wallet Provider Device..] and FLD[Wallet Provider Accoun..] are present but FLD[Wallet Provider Reason..] is missing. In the above example all three fields are present. I wanted to identify where Field 1 and Field 2 are received but Field 3 is missing.
Hi, I would like to display a trend indicator between these 2 different relative times. Is it possible?

index=toto sourcetype=tutu earliest=-8d@d+7h latest=-8d@d+19h OR earliest=@d+7h latest=@d+19h | timechart count as "erreurs" span=1d

Thanks
Hello all, Thank you for taking the time to consider my question. I'm mainly seeking to find out if it's possible to better enrich the data that is obtained from Windows hosts running Splunk UF v8.2.5, namely the [WinEventLog:Security] and [WinNetMon] capabilities. Currently we monitor for all new processes run, as well as collect logs for unfamiliar IPv4 addresses reached out to, by creating an inputs.conf blacklist for internal IPv4s and common websites. I'm curious if we can further enrich this data by using PowerShell scripts to look up these IPv4s according to that host's DNS resolution (not retroactively resolving them at the point of analysis, which can lead to different results if the endpoint's DNS cache was compromised). Additionally, I'm wondering if it's possible to use something like a PowerShell script to retrieve the SHA256 file hash of new processes run with the parsed log. It could be that what I need to do is just run Sysmon and monitor that, and I'm very much for that, but I've heard from more veteran employees at the company I'm currently at that Sysmon killed performance and isn't feasible on endpoints. I'm very much a rookie and wasn't in a position to argue otherwise, but as far as I know Sysmon has a rather light footprint in comparison to its robust capabilities. Any advice on these topics is greatly appreciated, and will be rewarded with karma!
I am trying to fetch data on weekly successful, failed and warning event counts. I want 5 days of data to be shown day-wise on a line chart. I am using this query. I need a modification to show it on a line chart which represents the date and count of successful, failed and warning events.

Query: index=outputsolutions host=*dxr22* Error | bin _time span=1d | stats count as dailycount by _time
Hi, I'm unable to compare the result string which has a version (decimal value). When I'm using an "If" condition it is not comparing. In the above, the required output should be compliant... please help me with this. Thanks.
Hi Team, I need help to find the account owner for the cloud (AWS, GCP and Azure) in a Splunk search. Is it possible to help in getting queries for the same? Regards, Kushal
In the documentation on dataset literals there is an example query:

FROM [ { state: "Washington", abbreviation: "WA", population: 7535591 }, { state: "California", abbreviation: "CA", population: 39557045 }, { state: "Oregon", abbreviation: "OR", population: 4190714 } ] WHERE population > 5000000 SELECT state

If I try to run this or any other query with a dataset literal I get an error: Error in 'SearchParser': Missing a search command before '{'. Error at position '26' of search query 'search FROM [ { state: "Washington", a'. Any idea why? Thanks.
My requirement is to generate an alert if no file is received within the cut-off time for a set of files, say around 50. I want to avoid creating an alert for each file. Please suggest the best approach.
Hello all, For some reason, I think these events are too long for me to use the field extractor, so I was hoping for some help creating some regex. I am looking to extract Account Name, Source Network Address and Workstation Name. Any assistance would be much appreciated. Sample event
I'm trying to create a statistics table for whether or not a given Linux service is running on a set of hosts. For example, for service "rhnsd" running on hosts "my-*" ...

Host State
my-db-1 Running
my-db-2 Stopped
my-web-1 Running
my-web-2 Stopped

I have the ps module enabled, so I can use that as a source/sourcetype, but I'm not sure how to eloquently display all hosts and the state of the given service like I've illustrated above. Any help is greatly appreciated.
Having issues when adding the Azure App Account. Constantly getting authentication Fail. Verify Client ID, Key Secret, Tenant ID with Account Class Type for Azure Government Account. Any assistance would be greatly appreciated. Thomas
Hello, I need to use a relative time in my search which specifies 8 days ago between 7h and 19h from now. I tried this but it doesn't work:

earliest=@-8d+7h latest=@-8d+19h

How do I do this, please?
Hi everyone, I'm new to using AppDynamics and I need to know which extension I could use to monitor one or more IP addresses. I need to get uptime and response time. I just need a ping. These IP addresses could be from servers or network components. Is there an extension for this? Thanks in advance
How can I use a Splunk token to access the Splunk service in Python?
Hello, I am working in an environment where I have to create multiple deployment servers. Two questions came to my mind:
- Is it possible for deployment servers to deploy apps without having any license?
- Can I just add the license manually to each deployment server, or is it only possible to do this via a license master?
Thank you. Regards.
Gentlemen, I need some help with the lookup command. I have a lookup table (csv) which is a master list of user accounts. It looks something like this:

user_id first last email phone manager

I have a scheduled search that runs daily. This search shows only the users that have been modified, updated or newly created. How can I append the results of this search to my above csv lookup file in such a way that it does not create duplicates? Basically, if the user record already exists in the csv and the search finds one of his attributes has been updated (for example: manager), then the outputlookup should update the existing user record in the csv rather than creating a duplicate one. Hope I am clear. I read some posts about users recommending the use of the below command, but I don't understand how appending solves this use case. Should I be using this?

| append [inputlookup <lookup_csv>]

The "Scheduled Search" is configured to "append" to the csv lookup in its properties. Thanks in advance