I am running DB Connect version 3.4.2 on Splunk 8.2.4. I have many Splunk DB Connect output cron jobs scheduled at 6 AM EST, but after the daylight saving shift the jobs are not running at 6 AM but at 7 AM. The OS date and time have already shifted to daylight saving time. Is anyone having this issue?
How many Sybase database servers can be onboarded on a single DB Connect server? Is there any limit on the number of stanzas configured in db_inputs.conf for the configuration of new Sybase database servers in the DB Connect app?
I hope this is the right place to post this; if not, please let me know where to post it. There are multiple use cases for Task Scheduler in the SSE app; my question pertains to all that are based on EventID=4698. None of these searches seem to work in my environment out of the box. I checked and my Windows TA is up to date. Not sure if there is another TA required? Here is one as an example and how I fixed it:

`wineventlog_security` EventCode=4698
| xmlkv Message
| search Command IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*")
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `winevent_scheduled_task_created_within_public_path_filter`

To fix this query I ended up changing line 2 to:

| xmlkv TaskContent

And line 4 to:

| stats count min(_time) as firstTime max(_time) as lastTime by dest, TaskName, Command, Author, Enabled, Hidden, Arguments

I don't know if I am missing something or if this is broken out of the box; if so, is there somewhere to report this?
Hi, I send email data to the HTTP Event Collector in JSON format like this:

{
  "sender-domain": "domain.com",
  "sender": "sender.test@domain.com",
  "recipient": "Name1 Surname1<name1.surname1@domain.com>, Name2 Surname2<name2.surname2@domain.com>"
}

I would like to extract the email addresses from the recipient field and save them as a multivalue field with the same name (the recipient field will be used in the Email data model). Do you have any idea how I can do this? The only idea I have is to use SEDCMD to change the name of recipient to another field name and then use a regex to extract the email addresses from that field as the recipient field. The regex is:

SOURCE_KEY = changed_recipient_field_name
REGEX = (?<recipient>[\w\d\.\-\=\+]+\@[\w\d\.\-]+)
FORMAT = recipient::$1

What is the best solution for this? Thank you in advance.
I am facing the following challenge. I have a lookup table myids.csv with IDs in it:

ID
1
2
3

I also have an index with IDs in it (fewer than in the lookup):

ID
1
2

I am looking for a way to only show the IDs from the lookup that are not present in the index:

ID
3

Any suggestions?
We are working with several remote datasets that are combined to give our end user a specific result. Federated Search gives us an LDAP DN, which we are trying to use to pull enhancing information from another remote source via a REST API. The following search works:

index=federated:remote_dataset userid="cn=" | \
eval dn=lower(userid) | \
dedup dn | \
table dn

The idea is to use a scheduled search to populate a CSV with a list of DNs at the top of every hour, then use a cron job to spawn a Python script which generates a new CSV that contains the DN and the enhancing data from the REST API source. Our Python script is working; however, when we add "| outputlookup dn.csv append=true" to the otherwise functional SPL, we get nothing. This fails:

index=federated:remote_dataset userid="cn=" | \
eval dn=lower(userid) | \
dedup dn | \
table dn | \
outputlookup dn.csv append=true

Is this a limitation of Federated Search? Thank you.
I am trying to configure controller settings in a C++ application in a Unix environment. I see these configuration settings in the example:

const char APP_NAME[] = "SampleC";
const char TIER_NAME[] = "SampleCTier1";
const char NODE_NAME[] = "SampleCNode1";
const char CONTROLLER_HOST[] = "controller.somehost.com";
const int CONTROLLER_PORT = 8080;
const char CONTROLLER_ACCOUNT[] = "customer1";
const char CONTROLLER_ACCESS_KEY[] = "MyAccessKey";
const int CONTROLLER_USE_SSL = 0;

Is a node name necessary to have in the configuration? And where can I find the controller account and controller access key?
Hi, I am facing an issue while installing Splunk Enterprise Security on my Windows 10 system. It is showing an error called "Splunk Enterprise Setup Wizard ended prematurely". Please tell me the solution for this.
Hi All, I have the below query which gives the columns Name, Count, Percentage, ControlID:

| spath evaluation_results
| search gear_name
| spath input=evaluation_results
| foreach *.compliant [| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion')),Compliance) | eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlID',mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion')))]
| top 50 NonCompliance
| eval controlVersion=mvindex(split(NonCompliance,":"),1)
| eval NonCompliance=mvindex(split(NonCompliance,":"),0)
| rename NonCompliance as "Name"

I have modified the above query to add a new column which shows RiskRating:

| spath evaluation_results
| search gear_name
| spath input=evaluation_results
| foreach *.compliant [| eval Compliance=if('<<FIELD>>'="Compliant",if(isnull(Compliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating',mvappend(Compliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',mvappend(Compliance,"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')),Compliance) | eval NonCompliance=if('<<FIELD>>'="Compliant",NonCompliance,if(isnull(NonCompliance),"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlID',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating',mvappend(NonCompliance,"<<MATCHSEG1>>".":".'<<MATCHSEG1>>.controlVersion',"<<MATCHSEG2>>".":".'<<MATCHSEG2>>.riskRating')))]
| top 50 NonCompliance
| eval controlVersion=mvindex(split(NonCompliance,":"),1)
| eval riskRating=mvindex(split(NonCompliance,":"),2)
| eval NonCompliance=mvindex(split(NonCompliance,":"),0)
| rename NonCompliance as "Name"

Unfortunately the query doesn't execute. Can someone please help with where I went wrong and what needs to be modified? The output columns should show as below: Name, Count, Percentage, ControlID, Risk Rating. Below is my raw source:

| makeresults | eval _raw="{\"job_id\": \"abc123\", \"gear_event_id\": \"aaaa\", \"event_id\": \"7cf6-4ff0\", \"execution_start\": \"2021-10-06 13:29:31.143\", \"execution_end\": \"2021-10-06 13:29:50.104\", \"gear_version\": \"3.0.16\",\"gear_name\": \"sns\", \"resource_type\": [\"sns_topic\"], \"event_status\": \"SUCCESS\", \"compliance_result\": \"Compliant\", \"evaluation_results\": {\"Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"\", \"riskRating\": \"Low\"}, \"Tags\": {\"compliant\": \"Compliant\", \"controlVersion\": \"1.0\", \"evaluationDetails\": \"not approved\", \"riskRating\": \"Low\"}, \"correlation_id\": \"4362-47fb\", \"service\": \"biosevent\", \"timestamp\": \"2021-10-06 13:29:31.143\", \"version\": \"3.0.16\", \"duration\": 18.961}}"
Hi All, I have logs as below to check certificate validity:

Valid from: Tue Jul 13 02:51:21 EDT 2021 until: Thu Jul 13 02:51:21 EDT 2023

I have extracted the from_date and until_date by using the below query:

..... | rex field=_raw "from\:\s(?P<Valid_From>\w+\s\w+\s(\s{0,1})\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\s" | rex field=_raw "until\:\s(?P<Valid_Until>\w+\s\w+\s(\s{0,1})\d+\s\d+\:\d+\:\d+\s\w+\s\d+)"

Now I want to get the number of days between these two dates to get the certificate validity. Please help me to create a query to get the desired output.
I have added the latest version of Splunk_TA_windows to my environment using a deployment server. The app has been pushed to all Windows machines, the search heads and the heavy forwarders. I have only been receiving data into the "Main" index and have been unsuccessful at redirecting the data to our preferred collection point, index = wineventlog. On the deployment server I have created a Splunk_TA_windows/local/inputs.conf file containing the following:

[WinEventLog://ForwardedEvents]
index = wineventlog
disabled = 0

[WinEventLog://Application]
index = wineventlog
disabled = 0

[WinEventLog://System]
index = wineventlog
disabled = 0

[XmlWinEventLog]
index = wineventlog

[WinEventLog]
index = wineventlog

I am primarily a Linux guy for Splunk admin and only have 1 Windows host monitored at the moment (all Windows events are forwarded to and collected from this node). Is there something that needs to be done differently to redirect the index for this application? The next consideration I have is using props/transforms to change the index, although I am worried about the hardware impact of that on 5 million events a day.
Hello. I have some KVStore collections in our cloud environment. In some of those collections, there are boolean fields that I want to use with search logic. Examples are called "curbside.disabled" and "curbside.offered". I want to be able to say: if curbside.offered is true, add 1 to a totalOffered field, so I can get a count of all items offered and all items disabled. Then I can do some math on those. Each time I try to use one of those fields, the search fails. When I assign a temp field to typeof(curbside.disabled), etc., it returns "invalid". The KV stores were created in Lookup Editor and lookup definitions have been created. I can see the fields and table them. I can't use the data in them. What am I doing wrong?
Hi All, Is there any account lockout policy after multiple failed attempts in Splunk SOAR (on premise), i.e. the user's account gets locked for 30 minutes after 3 consecutive failed/incorrect password attempts to log in?
Hello, Thank you for taking the time to consider my question. I'm currently configuring a custom app to deploy to Windows workstations to monitor both inbound and outbound connections strictly for domain users, to correlate the foreign IPv4s with phishing/C2 addresses we obtain via threat intelligence. To avoid the noise made by local or system-level accounts, I would like to specify the "user" field within appName/local/inputs.conf using regex, as outlined in the Splunk inputs.conf documentation. Unfortunately there is no clear example of how regex can be used to do a simple restriction to only domain-level accounts, which is a very common use case, I'd imagine. What I would like to accomplish is a version of the following:

[WinNetMon://inbound-mon]
disabled=0
<...>
user=domain\*

This would effectively only monitor the inbound connections made by users that are preceded with the company domain, and thus eliminate traffic/noise from the endpoint gathering updates etc. Please advise on the best way to accomplish this; any working answer will be happily greeted with karma and accepted as the final solution. Many thanks in advance!
Hi, I need to set up an alert with a query like the one below:

index=abc sourcetype=bcd "abc" File_name=maple.txt earliest=2h@h latest=now

In the above query, the File_name, earliest and latest time have to be picked up from the lookup file. Condition: if the current time matches the latest time in the lookup file, then the query has to be run for the respective File_name for that time range (earliest and latest time mentioned in the lookup). The lookup table would be like below:

File_name earliest latest
Dfg.txt 2 4
Dft.txt 5 6
Ser.txt 5 7
I have an alert table with certain values: Time (alert occurrence) | Alert Name | Severity | ... Would it be possible to create a time entry the first time an alert is accessed? This would help me to create a first response SLA.

Time | Alert Name | Severity | First response | SLA
03/16/2022 05:20 PM | Failed Login | Medium | 03/16/2022 05:25 PM | 00:05
03/16/2022 05:30 PM | Acces invalid | High | |
other can you please give me solution for this subject
Hello, I added CSV data into my Splunk without any timestamp and Splunk automatically added a timestamp with the format "3/16/22 4:33:55.000 PM". I would like to change the date to the format "3/16/22". How can I do that? Regards,
I am unable to edit my first name and last name on Splunk Community. Not sure how, but my name is showing as Abhsekh Dandpat in Splunk Community. I have tried to update the personal information settings more than 100 times and am unable to edit it. For some time it's stored as my updated name and after some time it automatically changes back to Abhisekh Dandpat.
Hello, Is the IT Essentials Work app able to provide all the functionality that the now deprecated Splunk App for Windows Infrastructure did? In detail, we use the former to alert when a user has group membership changes in Active Directory for specific groups. The data we use for this comes from the WinEventLog:Security source. Thanks.