I have a table with some basic fields , where the events represent items that need to have an action taken. I would like to have a drop down menu as the last item in the list with the desired action. The action to be taken could be a link to an external page, or even another splunk search that just has to be executed, but not displayed.  For example: Action 1 or Action 2 would result in either a separate Search Being Run, or a separate link being "clicked". In both cases I'd like the drop down to be replaced with a static image, like a checkmark. (Indicating which action had been taken.) I realize this is pretty custom stuff that's going to require javascript or something else, I just have no idea where to start. Has anybody else tried to do anything like this? Thanks!

The documenation says that loggers that implement ILogger are supported, but no where does it describe how to capture those messages.  Our on-prem controller is version 21.4 and our agents are all 22.1 or later.  We have the .net Microsoft.Extensions.Logging.Console logger setup and it is outputting messages.  How do we configure AppD to capture those messages?

I had a situation where I wanted to know if the mstats p90(cpu) over 5 minutes of a host was above a certain value; but needed to extend it to 10 minutes for some hosts. I figured rather than make two searches I could use span=5m and search back 10 minutes: (Search Window: -10m@m to @m) | mstats p90(_value) AS p90A WHERE metric_name="Processor.%_Processor_Time" AND instance="_Total" BY host span=5m Except this was often producing 3 events per host, because unless I'm mistaken  mstats span always aligns to UTC 0, so if I'm running the search on a minute not divisible by 5 (say every 3 minutes) I'll end up with 3 data points per host instead of 2. So I thought, maybe using prestats + bin + stats will work; I can get 10 samples and use bin aligntime=earliest to force them to just 2 time bins. I think this works, a quick check says that the P90 values are the same up until 4 decimal places if the times are aligned: (Search Window: @h-10m to @h) | mstats p90(_value) AS p90A WHERE metric_name="Processor.%_Processor_Time" AND instance="_Total" BY host span=5m | join host, _time [| mstats p90(_value) prestats=true WHERE metric_name="Processor.%_Processor_Time" AND instance="_Total" BY host span=1m | bin _time span=5m aligntime=earliest | stats p90(_value) AS p90B BY host, _time ] | where round(p90A,4) != round(p90B,4) So this search should work for any two 5 minute intervals aligned to any minute of the day. | mstats p90(_value) prestats=true WHERE metric_name="Processor.%_Processor_Time" AND instance="_Total" BY host span=1m | bin _time span=5m aligntime=earliest | stats p90(_value) AS p90 BY host, _time | where p90 > 80 | stats list(p90), count by host | where count == 2 OR match(host, "prod") I ended up not needing it when I realized my alert was already locked to every 5 minutes. Has anyone else tried doing this? Know a better way without creating two searches?

Hi all,  I have a JSON payload that contains as 'custom_fields' section that is made up of a set of title:keyname and value:value. This is because the tool has varying formats of key/value pairs that it outputs.  Per the screenshot, i'm trying to figure out a way to extract any values where the key is title:Mode but can't for the life of me work out how to do it.  The Mode key will have 1 of 2 values (Monitored or Remediated) and wanting to show this in a table that includes other values from the overall json packet (e.g. _time, description etc.) Any ideas would be greatly appreciated as spent several hours trying!

Hi, How do I add an addition numeric value to the show source dropdown list in version 8.1.6. I would like to add 2000. By default max is 1000. In version 7.3.5 is was just a matter of adding another line to the xml with 2000. But in 8.1.6 the xml looks like this : <?xml version="1.0"?> <view template="pages/app.html" type="html" isDashboard="False"> <label>Show Source</label> </view>   7.3.5 looked like this : <view isVisible="false" template="search.html" isDashboard="False"> <label>Show source</label> <module name="AccountBar" layoutPanel="appHeader"> <param name="mode">popup</param> </module> <module name="Message" layoutPanel="messaging"> <param name="filter">*</param> <param name="clearOnJobDispatch">True</param> <param name="maxSize">1</param> <module name="SoftWrap" layoutPanel="pageControls"> <param name="enable">False</param> <module name="Count" layoutPanel="pageControls"> <param name="options"> <list> <param name="text">25</param> <param name="value">25</param> </list> <list> <param name="text">50</param> <param name="selected">True</param> <param name="value">50</param> </list> <list> <param name="text">100</param> <param name="value">100</param> </list> <list> <param name="text">200</param> <param name="value">200</param> </list> <list> <param name="text">500</param> <param name="value">500</param> </list> <list> <param name="text">1000</param> <param name="value">1000</param> </list> <list> <param name="text">2000</param> <param name="value">2000</param> </list> </param> <module name="ShowSource" layoutPanel="resultsAreaLeft"> </module> </module> </module> </module> </view>

Hi all, Please help with the below.  I am using rlog.sh (inbuilt script) provided by Splunk in TA-unix package , to apply ausearch utility for linux audit logs.     SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile_model_prod AUDIT_FILE=/opt/splunklogs_app/audit_prod/audit.log if [ -e $SEEK_FILE ] ; then SEEK=`head -1 $SEEK_FILE` else SEEK=0 echo "0" > $SEEK_FILE fi FILE_LINES=`wc -l $AUDIT_FILE | cut -d " " -f 1` if [ $FILE_LINES -lt $SEEK ] ; then # audit file has wrapped SEEK=0 fi awk -v START=$SEEK -v OUTPUT=$SEEK_FILE 'NR>START { print } END { print NR > OUTPUT }' $AUDIT_FILE | tee $TEE_DEST | /sbin/ausearch -i 2>/dev/null | grep -v "^----"       This inbuilt script is converting default format of linux audit logs by applying ausearch utility. example below:  Log input : type=TTY msg=audit(1647315634.249:442): tty pid=2962 uid=0 auid=1001 ses=1368 major=136 minor=0 comm="bash" data=7669202F6574632F727375737F7F79730963090D Log output after using rlog.sh type=TTY msg=audit(03/15/2022 14:40:34.791:2962): tty pid=2962 uid=root auid=root ses=1368 major=136 minor=0 comm="bash" data=7669202F6574632F727375737F7F79730963090D   Now I have audit.log being generated in a different format.. like below.. My audit.log: (custom audit.log format) IP: 10.200.30.40 | <158>Mar 11 16:10:24 xxx-yyy-zzz AuditLog type=SYSCALL msg=audit(1646979024.027:1697): arch=c000003e syscall=4 success=yes exit=0 a0=7f1304042410 a1=7f13092f66a0 a2=7f13092f66a0 a3=0 items=1 ppid=1 pid=2270 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="in:imfile" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null) Hostname=10.200.30.40 (default audit.log format) type=USER_TTY msg=audit(1646592289.268:441): pid=2962 uid=0 auid=1001 ses=1368 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data=73797374656D63746C2073746174757320727379736C6F67 Hostname=xxx so basically I will have logs of both default audit log format and this custom format being logged in audit.log. When I apply the rlog.sh/ausearch utility to this log, only logs with default audit.log type are being converted with ausearch utility and sent to output and indexed, the other logs are not even being sent to output. Please help.

Hi, The search on one of my dashboard panel is outputting log events ..... BUT it is still processing the search, even when I change the time range to just 1 minute or even 30 seconds. Is there any way I can get the search to complete as I need the option to export the panel's events to be available?   Thanks, Patrick

Hi  Splunkers ,  Can we use Splunk ITSI for health check of all network , endpoint devices etc .... or is there any app that is recommended for the health monitoring  usecase requirements. TIA  

Hi, I have setup a HEC input on a Heavy Forwarder and have a base app for all data outputs to forward to Splunk Cloud Indexers but not seeing the HEC data in Cloud. Am I missing out a particular setting that forwards HEC data Thanks,

Hello working for a client that has some older infra still on Red Hat 6 (to be changed but this is not on my side and could happen far into the future). Kernel 2.6.32 (around that). We need to connect these machines to Splunk Observability Cloud! Managed to overcome installation issues (some cheats here and there) and got RPM installed as you can see.      FATAL: kernel too old ... ... ... /usr/lib/splunk-otel-collector/agent-bundle/bin/patch-interpreter: line 15: 5818 Aborted (core dumped) ${tmproot%/}/bin/patchelf --set- [root@RHEL6 ~]# rpm -q splunk-otel-collector splunk-otel-collector-0.46.0-1.x86_64      But default conf was not created so I copied the same from RHEL7.     [root@localhost ~]# /usr/bin/otelcol --config /etc/otel/collector/splunk-otel-collector.conf 2022/03/18 06:07:28 main.go:263: Set config to /etc/otel/collector/splunk-otel-collector.conf 2022/03/18 06:07:28 main.go:346: Set ballast to 168 MiB 2022/03/18 06:07:28 main.go:360: Set memory limit to 460 MiB Error: failed to get config: cannot retrieve the configuration: unable to parse yaml: yaml: unmarshal errors: line 1: cannot unmarshal !!str `SPLUNK_...` into map[string]interface {} 2022/03/18 06:07:28 main.go:130: application run finished with error: failed to get config: cannot retrieve the configuration: unable to parse yaml: yaml: unmarshal errors: line 1: cannot unmarshal !!str `SPLUNK_...` into map[string]interface {} [root@localhost ~]# [root@localhost ~]# go version go version go1.18 linux/amd64     so all the files are in place, they look same as the ones on working system, file is read for sure as SPLUNK_ is the first value in the .conf (just proof that all the values, masked here for security of course, are in place).     [root@localhost ~]# head /etc/otel/collector/splunk-otel-collector.conf SPLUNK_CONFIG=/etc/otel/collector/agent_config.yaml SPLUNK_ACCESS_TOKEN=******* SPLUNK_REALM=us0 <and so on>     Any ideas how to overcome mapping those values properly? I dont know if other problems will not show in the next steps but I have to try. I know and acknowledge RHEL6 is not supported but the binary looks like launching and I have high hopes. TIA!

Hello. I'm wondering if there is a reasonable built-in way to get details of certificates used across the splunk environment. I have several indexers, some search-heads, many forwarders. And all the traffic is encrypted and authenticated with certificates. With several dozens (or even hundreds) of certificates it's obviously hard to track by hand which certs expire when and I'm sometimes getting into an annoying situation when a UF stops forwarding becaues it's no longer authenticated by the HFs, because its cert had just expired. I could of course prepare a completely external script which would run, let's say, once a day, do quick scan over the config files, find the certificate-related directives, extract the relevant data from the certificates and report it into some file that I'd later ingest to splunk. Other approach would be to do without the intermediate log file as scripted input but it boils down to the same thing. It's possible but it's kinda inconvenient since I'd have to prepare two separate versions of such tool (one for linuxes, one for windows), I'd have to maintain such solution separately. And I'm not a big PowerShell pro so it'd be a bit of a challenge for me to prepare the script for windows. Hence the question if splunk can report such details on its own. I didn't find anything useful so far but maybe I missed something.