I am trying to run a Linux bash script on the deployment server to pull down the deployment clients. I have the Splunk command correct, but get an authentication error when this is run under cron or even from the command line. There are multiple postings on this command, but none of them talk about requiring authentication. How do we work around the account password issue?

Splunk 8.2.3 command: splunk reload deploy-server -class

I tried the -auth parameter that is shown on other command options, but this one does not seem to like this option.

command: splunk reload deploy-server -class
results:
Your session is invalid. Please login.
Splunk username: admin
Password:
An authentication error occurred: Client is not authenticated

Any guidance would be appreciated.
I would like to match/pick only the events which contain "ccexpire".
Sample event:
09/Dec/2021 23:52:39,Query,"SELECT ccexpire FROM creditcard WHERE userid = 624",7
There are many events which have ccexpire; I would like to extract the events which have ccexpire.
Hi, I'm new to Splunk. We use Splunk Cloud 8.2. I installed the SentinelOne App for Splunk v5.1.3. Many dashboards are working fine, but not all. At "YOURS".splunkcloud.com/en-US/app/sentinelone_app_for_splunk/s1_threats_overview, there is a panel for "Active Threats (raw)". The associated search is:
eventtype=sentinelone_threats (host="*") (siteName="*") NOT threatInfo.incidentStatus="resolved" AND threatInfo.mitigationStatus="active"
It seems the "sentinelone_threats" eventtype doesn't exist. I searched over all indexes (index=*) and don't find this eventtype. My SentinelOne seems well configured, the API connection is OK, I configured all channels, but I don't have this eventtype. Any idea? Thanks
The Table in Dashboard Studio can set threshold values and change the color of text and the background color of cells. Is it possible to set the threshold value to a result obtained from another search?
I am facing challenges while extracting the data from emails, using the Microsoft O365 email add-on. I want to extract the "Requested for" and "Finished" fields, for which the respective values are "ABC.ITGLOBAL@XYZ.com" and "Fri, Mar 11 2022 15:09:29 GMT+00:00". I have tried the Regex101 site and could successfully test a regex pattern as below for matching the value for "Requested for", but the same pattern doesn't work in Splunk.
(?i) for\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\w+\-\w+:\w+\-\w+\"\>(?P<Requested_For>\S+)(?=\<\/td)
I need help here to sort this out; please, if anyone can share their thoughts here.
Finished</td><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; word-break:break-word">Fri, Mar 11 2022 15:09:29 GMT+00:00</td></tr><tr><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:nowrap; font-weight:600; min-width:130px">Requested for</td><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; word-break:break-word">ABC.ITGLOBAL@XYZ.com</td></tr><tr><td class=""  
The search behind my chart:
index="myindex" | ... | timechart count by AnimalTypes
(the problem is that AnimalTypes sometimes doesn't exist)
My dashboard displays the following legend:
- cats
- dogs
- NULL (because sometimes AnimalTypes doesn't exist)
Drilldown search:
index="myindex" | ... | search AnimalTypes=$click.name2$
If I click my dashboard for cats or dogs, it works fine, but when I click the NULL bar chart, my drilldown search becomes:
index="myindex" | ... | search AnimalTypes=NULL
(doesn't work)
But I want the search to look like this (which works):
index="myindex" | ... | where isnull(AnimalTypes)
How do I do this?
Hello Splunkers, I need urgent help on how to fix the below issue.
I need to configure Splunk DB Connect to be able to connect to MSSQL later. Splunk is installed on CentOS 7 and I have installed the JRE, and the path is (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/); however, I still can't start the Task server and it keeps failing.
I have restarted Splunk and the VM itself and the issue still persists.
Can anyone advise the SELinux configurations for the Splunk universal forwarders?
Hi All, we'd like to build interactive behaviors with our dashboards in Dashboard Studio. For example, we would like to achieve the following:
- Change or hide the contents of the dashboard according to the logged-in user's information (e.g., email address)
- Set the result of a configured SPL to a given token when the dashboard is loaded
We used to accomplish this using tokens with Dashboard Classic; however, we cannot find the way with Dashboard Studio. It would be very helpful if you could shed some light on these:
1. We'd like to change searches in the dashboard depending on the login user (by using tokens). How and where can we set tokens? In addition to that, is it possible to hide a panel in Dashboard Studio?
2. We'd like to change the values of the "pulldown" input depending on the login user (by using tokens). We used to do this by customizing search strings with tokens. Is it possible to achieve this in Dashboard Studio?
Hi, does anyone have examples of how to use Splunk Enterprise to investigate and contain ransomware? I would like to detect it quickly; any recommendations? Can you share any logs from real ransomware, or screenshots? I have alerts on some popular ransomware ports like 445 etc. I am just wondering what is like a red flag, a traffic peak, etc.? Many thanks
Hi, we have implemented SAML with ADFS. Now, we want to block a set of users from logging into AppDynamics. Since it's SSO, any user in the domain is able to log in, as there has to be at least one default role mapped, and AppDynamics has no option to show users that they are not authorized to log in (when using SSO). For now, we have created a role with no permissions and mapped it to the default SAML group. How can we block a particular set of users in the domain from logging into AppDynamics while continuing to use SSO for the intended users? Regards, Mohit
Hi All - I am working with a very simple database that stores lists of key=value pairs with a potential expiration date and provides a REST API that outputs this data in JSON. I've played with spath for a few hours now and am completely stumped. Note: The JSON retrieved is not from a search or from another data input. It's from a custom curl command that creates its own results and displays them. I do not believe modifying the kv_mode on this app I'm working on would have any effect. Here is an example of the data I'm working with. Each entry in the object is an IP address, with a value and an optional expiration along with it.

{
  "ip_addresses": {
    "10.0.0.1": {
      "value": "some v4 ip",
      "expire": 1749267900
    },
    "2001:53f1:3:2ee:2252:12e3:228a:112a": {
      "value": "some v6 ip"
    }
  }
}

I need to be able to display this information in a table like:

Key                                   Value        Expiration
10.0.0.1                              some v4 ip   1749267900
2001:53f1:3:2ee:2252:12e3:228a:112a   some v6 ip

Any help on this would be greatly appreciated. Thank you!
I love the simplicity of SMFS. Why was it discontinued? Security Essentials isn't really suited for the same purpose.
As part of a TA that I am building, I have a requirement to change a few of the values in /apps/my_app/local/inputs.conf during the code run time. Scenario: My code will retrieve an oauth2_access_token and oauth2_refresh_token every hour and this needs to be updated in the inputs.conf. Any insight on how to achieve this? As far as I have checked, no helper functions exist for the same. An alternative would be to keep another file somewhere inside the TA's directory to keep the latest values for these tokens. But is there a way we could get the actual app directory path from the script? Using os.getcwd() is giving me the path "/". Is this only during testing and will it change accordingly during the actual run?
Hi, I'm a newbie in developing Splunk add-ons. My add-on has a setup view (with a setup page). I am using Splunkjs and following the Splunk add-on sample app on GitHub (Splunk JavaScript SDK). I configured a scripted input (calling a Python script) and set an interval to schedule the script to run automatically. But I want to run the Python script for the first time after completing the add-on setup. How can I do that? Or can I create a button on the setup page to manually run the scripted input? Thanks for the help
I am trying to produce a table that can display 5xx status code counts per host over a timeframe (this will eventually be month, but for the purpose of this example will be by day). I downloaded the tutorial data with apache logs and can see the data spans 8 days:
source="access.log" host="www*" sourcetype="access_combined_wcookie" status=500 | timechart span=1d count by host
I want to take this and analyze web server log files at work and increase the span to 1 month. Is there a way for me to pivot/transform this data to get a breakdown that would provide the following table?

Daily 500 status code dashboard
host   02-25-22   02-26-22   02-27-22   etc   03-03-22
www1   13         39         35         etc   28
www2   24         31         45         etc   35
www3   18         51         34         etc   36

As stated above, I would like this by MONTH: Jan, Feb, Mar, etc., so teams can glance at this table and see which hosts are improving/degrading or meeting SLOs, etc. I do not want to create a bar chart, but rather keep the above format.
Well, I am new to Splunk Enterprise. I have seen videos on how to send email via the alert system. I did the mail server setting using "smtp.gmail.com:578", also username and password. I changed the Google account setting "less secure apps" to on, but am still getting the issue:
+0530 ERROR sendemail:540 - SMTP AUTH extension not supported by server. while sending mail to: ********@Anonymous.com
Hello, I have installed the forwarder on a Linux system and am able to see logs in searches, but when I open a detailed log the fields & values are missing for the relevant part of the raw log. All the useful details are missing in the fields: IP address, status code, bytes, user agent name, method used, etc. are missing. Can anyone guide me here on how to see those relevant things inside events?
Good morning, over the last couple of weeks, we've seen that our configured inputs in the Add-on for Salesforce Streaming API will occasionally stop with no notice. I have reviewed the logs in /opt/splunk/var/log/splunk/ta_sfdc_streaming_api_sfdc_streaming_api_events.log and it seems like maybe there is a JSON decode error, but the PID doesn't match the one I see as connecting to that SFDC environment. If I disable and re-enable it, it comes back online. Anyone else see this issue?
I need the data extracted into two fields:
1) Detail message = before the comma (I need the full description)
2) Count = after the comma (I need the digit count)
RAW log starts from below:
DETAIL MESSAGE, COUNT
Index 0 out of bounds for length 0, 61
No Recipienet found in MDM based on the input parameters, 120
No record found with this document Id, 86
No Records Found with given search Criteria in DB, 52
query did not return a unique result: 2; nested exception is javax.persistence.NonUniqueResultException: query did not return a unique result: 2, 106
You do not currently manage any user roles in PERLSS there is no task data to display at this time, 96