Hi Splunkers, I have to schedule a Saved Search in Splunk Enterprise Security that must be executed in a specific time range. The task itself is not a problem; I followed Configure > Content > Content Management -> Create new content -> Saved search and then, because the search must send a mail at every activation, I have chosen New Alert. The problem is the required time range: this alert must detect some kind of activity performed outside office hours, so 18:01 of the current day - 08:59 of the day after (this every day). So, for example, the search must be "active" starting from today at 18:01 until tomorrow at 08:59. My doubt is: how can I configure this time range? This is the alert configuration window: I thought about using Crontab, but I'm not sure I can configure a time range which does not have the same day for its start and end time. I thought also about the All time panel, but I didn't find anything that helps me configure this particular time range.
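The window in the post crosses midnight, which is the part a single cron expression cannot express: cron only decides when the search fires, while the 18:01-08:59 cut has to be applied to the events themselves. The following is an added example (not code from the post or from Splunk) showing that filter as a minute-precision predicate, with the equivalent SPL where-clause in a comment; the sample events are constructed.

```python
from datetime import datetime, time

# Off-hours window from the post: 18:01 through 08:59 the next morning,
# both edges inclusive.
OFF_HOURS_START = time(18, 1)
OFF_HOURS_END = time(8, 59)


def in_window(t, start=OFF_HOURS_START, end=OFF_HOURS_END):
    """True if wall-clock time t (compared at minute precision) lies in
    [start, end].

    When start > end the window crosses midnight, so the test becomes
    "at or after start OR at or before end". That OR is why the range cannot
    be written as one crontab entry: cron expresses when to fire, not which
    events to keep, and a cron field cannot wrap across days.
    """
    t = t.replace(second=0, microsecond=0)
    if start <= end:                       # same-day window, e.g. 09:00-17:00
        return start <= t <= end
    return t >= start or t <= end          # window wraps past midnight


def off_hours_events(events):
    """Keep the (timestamp, message) pairs that happened off hours.

    Equivalent filter inside a Splunk search, so the alert can be scheduled
    however often is convenient and still only reports off-hours activity:
        | eval hm=strftime(_time, "%H%M") | where hm >= "1801" OR hm <= "0859"
    """
    return [(ts, msg) for ts, msg in events if in_window(ts.time())]


# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    (datetime(2022, 3, 14, 18, 0, 59), "login alice"),  # last in-hours second
    (datetime(2022, 3, 14, 18, 1, 0), "login bob"),     # first off-hours minute
    (datetime(2022, 3, 14, 23, 30, 0), "login carol"),
    (datetime(2022, 3, 15, 2, 15, 0), "login dave"),    # past midnight, still off hours
    (datetime(2022, 3, 15, 8, 59, 45), "login erin"),   # still inside the 08:59 minute
    (datetime(2022, 3, 15, 9, 0, 0), "login frank"),    # office hours again
]

if __name__ == "__main__":
    for ts, msg in off_hours_events(SAMPLE_EVENTS):
        print(ts.isoformat(), msg)
```

With the cut applied inside the search, the schedule only decides how often a mail can go out: one approach is a daily run at `0 9 * * *` with earliest `-15h@m` and latest `now`, which covers the whole window and lets the where-clause drop the 18:00 minute; for a mail soon after each event, run the same search every 15 minutes over the last 15 minutes and the where-clause makes daytime runs return nothing.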
I see a strange behaviour in Splunk. There is this SPL which, when run between 3/13/2022 6:00 AM and 3/14/2011 6:00 AM, shows some events at 3/13/2022 7:00 AM (between 7-8 AM). But when I re-run the same SPL between 3/13/2022 6:00 AM and 3/13/2011 8:00 AM, hoping to see the same set of events, I see ZERO events!! This is very strange!! Am I missing something simple here? Why this weird behaviour? Additional observation: when I change the time range to 2/12 to 3/13, the events show, but when I keep the same date, 3/13 7 AM to 3/13 10 AM, it doesn't show. It works when the time range is more than 24 hours.
Hi, IHAC who is using the Akamai SIEM Integration to ingest data, and the add-on is deployed on a HF. Now they are trying to move the add-on to another HF. The customer thought they need to move the offset also, but they don't know the offset location. Any advice on the offset location for the Akamai SIEM Integration App?
Hi peeps, I would like to trigger an alert from Splunk and send the alert to a third-party app. The third-party app can only receive and parse data as raw events. I create the alert using the 'stats' command, which generates a statistic, which means what the alert sends to the 3rd party app is a statistic. How do we send the raw event from the statistic data as an alert? Please help.
I've recently upgraded to Splunk version 8.2.2.1 and this morning Splunk sent out an email to all Splunk admins giving the results of a scan from the "Python Upgrade Readiness App". I have the results of the scan already, and can run the scan myself if I need to. How do I turn off the email alerts? Documentation (https://docs.splunk.com/Documentation/Splunk/8.2.2/UpgradeReadiness/Emails) says to do the following:

Navigate to the Python or jQuery tab in the Upgrade Readiness App. Email notifications for Python and jQuery are controlled separately on their respective tabs.
Select Modify Weekly Email Notification and edit your settings for each scan.

But I don't have these Python or jQuery tabs in my Upgrade Readiness App. There doesn't seem to be anywhere to modify these settings. Could anyone let me know how to do this?
Hi Team, could you help me with the complete Splunk query for the list of servers (from the lookup) which sent data in the last 14 days but are not sending in the last 7 days? If we write

| eval day=if(_time<relative_time(now(),"-7d@d"),"sentdatalastweek","didnotsenddatainthelast7days")

what does that mean?

Regards
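The eval in the post only labels each event as falling before or after the 7-day cutoff; the answer to the question still needs a per-host step that keeps hosts whose events all carry the "before" label. As an added example (not code from the post or from Splunk), this Python does that aggregation against a constructed lookup and event set, reproducing the "-7d@d" snap-to-midnight semantics of relative_time and also reporting lookup hosts that never appeared in the 14-day window at all.

```python
from datetime import datetime, timedelta


def snap_to_day(dt):
    """Truncate to midnight, the "@d" part of relative_time(now(), "-7d@d")."""
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)


def quiet_hosts(events, lookup_hosts, now, recent_days=7, window_days=14):
    """Classify the hosts from a lookup by when they last sent data.

    events: iterable of (host, datetime) pairs, one per event
    lookup_hosts: the expected server names (the lookup in the post)

    Returns (quiet, never_seen):
      quiet      - hosts that sent data inside the 14-day window but nothing
                   since the 7-day cutoff; these are the ones the post asks for
      never_seen - lookup hosts with no events in the whole window at all

    The eval in the post labels each event; the per-host aggregation below is
    what has to follow it (in SPL roughly: stats values(day) as days by host,
    then keep hosts whose only label is the "before" one).
    """
    recent_cutoff = snap_to_day(now - timedelta(days=recent_days))   # -7d@d
    window_cutoff = snap_to_day(now - timedelta(days=window_days))   # -14d@d

    seen_recent, seen_earlier = set(), set()
    for host, ts in events:
        if ts < window_cutoff:
            continue                      # outside the 14-day search window
        if ts < recent_cutoff:
            seen_earlier.add(host)        # the "sentdatalastweek" bucket
        else:
            seen_recent.add(host)         # sent something in the last 7 days

    quiet = sorted(h for h in lookup_hosts
                   if h in seen_earlier and h not in seen_recent)
    never_seen = sorted(h for h in lookup_hosts
                        if h not in seen_earlier and h not in seen_recent)
    return quiet, never_seen


# Constructed sample data (not from the original post).
NOW = datetime(2022, 3, 15, 10, 0, 0)
LOOKUP = ["web01", "web02", "db01", "app01"]
EVENTS = [
    ("web01", NOW - timedelta(days=10)),   # only in the older half of the window
    ("web01", NOW - timedelta(days=9)),
    ("web02", NOW - timedelta(days=10)),
    ("web02", NOW - timedelta(days=1)),    # still sending
    ("db01", NOW - timedelta(days=20)),    # outside the 14-day window entirely
    ("other", NOW - timedelta(days=2)),    # not in the lookup, ignored
]

if __name__ == "__main__":
    print(quiet_hosts(EVENTS, LOOKUP, NOW))
```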
Is there a way to contact the Splunk sales team? There's no response on +1 866.GET.SPLUNK (1 866.438.7758); questions sent through the form on the official site, as well as emails, are not answered. My country is not in the list here (https://partners.splunk.com/locator/) and I have no idea how to reach someone who can provide some info on how to get the license. Thank you.
KPI          XYZ-123      XYZ-12345    Service-123  Service-12345
random_data  random_data  random_data  random_data  random_data
random_data  random_data  random_data  random_data  random_data

I have a dashboard like the one above. I want to enable drilldown for the columns whose field names start with XYZ and disable drilldown for the ones that start with Service. Is there any way I can achieve this in XML?
After upgrading the Microsoft Azure Add-on for Splunk to 3.2.0 we are not receiving authentication details in Splunk. Also, non-interactive login details are not available. The field to check whether the authentication succeeded or failed is not in the raw logs (field name: authenticationDetailssucceeded). Other authentication details are also missing.
How to find a real-time job that has been running for more than 30 mins, for example as in the screenshot below. Here I need to create an alert for whichever job is running for more than 30 mins. Now we are manually watching this job from SH --> Activity --> Jobs. Thanks in advance.
I am trying to run a Linux bash script on the deployment server to pull down the deployment clients. I have the Splunk command correct, but get an authentication error when this is run under cron or even from the command line. There are multiple postings on this command, but none of them talk about requiring authentication. How do we work around the account password issue? Splunk 8.2.3

command: splunk reload deploy-server -class

I tried the -auth parameter that is shown on other command options, but this one does not seem to like this option.

command: splunk reload deploy-server -class
results:
Your session is invalid. Please login.
Splunk username: admin
Password:
An authentication error occurred: Client is not authenticated

Any guidance would be appreciated.
I would like to match/pick only the events which contain "ccexpire". Sample event:

09/Dec/2021 23:52:39,Query,"SELECT ccexpire FROM creditcard WHERE userid = 624",7

There are many events which have ccexpire; I would like to extract the events which have ccexpire.
Hi, I'm new to Splunk. We use Splunk Cloud 8.2. I installed the SentinelOne App for Splunk v5.1.3. Many dashboards are working fine, but not all. At "YOURS".splunkcloud.com/en-US/app/sentinelone_app_for_splunk/s1_threats_overview, there is a panel for "Active Threats (raw)". The associated search is:

eventtype=sentinelone_threats (host="*") (siteName="*") NOT threatInfo.incidentStatus="resolved" AND threatInfo.mitigationStatus="active"

It seems the "sentinelone_threats" eventtype doesn't exist. I searched over all indexes (index=*) and don't find this eventtype. My SentinelOne seems well configured, the API connection is OK, I configured all channels, but I don't have this eventtype. Any idea? Thanks
The Table in Dashboard Studio can set threshold values and change the color of text and the background color of cells. Is it possible to set the threshold value to a result obtained from another search?
I am facing challenges while extracting data from emails, using the Microsoft O365 email add-on. I want to extract "Requested for" and "Finished", whose respective values are "ABC.ITGLOBAL@XYZ.com" and "Fri, Mar 11 2022 15:09:29 GMT+00:00". I have tried the Regex101 site and could successfully test the regex pattern below for matching the value of "Requested for", but the same pattern doesn't work in Splunk.

(?i) for\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\w+\-\w+:\w+\-\w+\"\>(?P<Requested_For>\S+)(?=\<\/td)

I need help here to sort this out; please, if anyone can share their thoughts here. The raw HTML:

Finished</td><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; word-break:break-word">Fri, Mar 11 2022 15:09:29 GMT+00:00</td></tr><tr><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:nowrap; font-weight:600; min-width:130px">Requested for</td><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; word-break:break-word">ABC.ITGLOBAL@XYZ.com</td></tr><tr><td class=""
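The pattern in the post walks the opening `<td>` tag by counting a fixed number of `\S+\s+` chunks, which only matches while the style attribute keeps exactly that many space-separated pieces. As an added example (not code from the post, the add-on or Splunk), the Python below extracts both labelled cells from the HTML fragment quoted in the post by skipping the whole tag with `<td[^>]*>` instead, and parses the Finished value into a datetime; the same expression is shown as a Splunk rex in a comment.

```python
import re
from datetime import datetime

# The HTML fragment quoted in the post, used here as the sample input.
SAMPLE_HTML = (
    'Finished</td><td class="" style="vertical-align:top; padding:10px 4px; '
    'border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; '
    'width:99%; word-break:break-word">Fri, Mar 11 2022 15:09:29 GMT+00:00</td></tr>'
    '<tr><td class="" style="vertical-align:top; padding:10px 4px; border-bottom:solid '
    '#eaeaea 1px; text-align:left; white-space:nowrap; font-weight:600; min-width:130px">'
    'Requested for</td><td class="" style="vertical-align:top; padding:10px 4px; '
    'border-bottom:solid #eaeaea 1px; text-align:left; white-space:normal; width:99%; '
    'word-break:break-word">ABC.ITGLOBAL@XYZ.com</td></tr><tr><td class=""'
)


def cell_after_label(label, html):
    r"""Return the text of the <td> that follows the <td> containing `label`.

    `<td[^>]*>` consumes the whole opening tag however many attribute chunks
    it has, so the match does not depend on the style attribute keeping the
    exact same width, which is what a chain of \S+\s+ tokens assumes.
    The same expression works in Splunk's rex command, for example:
        | rex "Requested for</td>\s*<td[^>]*>(?P<Requested_For>[^<]+)</td>"
    """
    pattern = re.compile(
        re.escape(label) + r"</td>\s*<td[^>]*>(?P<value>[^<]*)</td>",
        re.IGNORECASE,
    )
    m = pattern.search(html)
    return m.group("value").strip() if m else None


def requested_for(html):
    return cell_after_label("Requested for", html)


def finished_at(html):
    """Parse the Finished cell into a timezone-aware datetime.

    The email uses 'Fri, Mar 11 2022 15:09:29 GMT+00:00'; %z accepts the
    colon form of the offset on Python 3.7 and later.
    """
    raw = cell_after_label("Finished", html)
    if raw is None:
        return None
    return datetime.strptime(raw, "%a, %b %d %Y %H:%M:%S GMT%z")


if __name__ == "__main__":
    print(requested_for(SAMPLE_HTML))
    print(finished_at(SAMPLE_HTML).isoformat())
```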
The search behind my chart:

index="myindex" | ... | timechart count by AnimalTypes

(the problem is that AnimalTypes sometimes doesn't exist)

My dashboard displays the following legend:
- cats
- dogs
- NULL (because sometimes AnimalTypes doesn't exist)

Drilldown search:

index="myindex" | ... | search AnimalTypes=$click.name2$

If I click my dashboard for cats or dogs, it works fine, but when I click the NULL bar chart, my clickdown search becomes:

index="myindex" | .. | search AnimalTypes=NULL

(doesn't work). But I want the search to look like this (which works):

index="myindex" | ... | where isnull(AnimalTypes)

How do I do this?
Hello Splunkers, I need urgent help on how to fix the issue below. I need to configure Splunk DB Connect to be able to connect to MSSQL later. Splunk is installed on CentOS 7 and I have installed the JRE, and the path is (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/); however, I still can't start the Task server and it keeps failing. I have restarted Splunk and the VM itself and the issue still persists.
Can anyone advise the SELinux configurations for the Splunk universal forwarders?
Hi All, we'd like to build interactive behaviors with our dashboards in Dashboard Studio. For example, we would like to achieve the following:
- Change or hide the contents of the dashboard according to the logged-in user's information (e.g., email address)
- Set the result of a configured SPL to a given token when the dashboard is loaded

We used to accomplish this using tokens with Dashboard Classic; however, we cannot find the way with Dashboard Studio. It would be very helpful if you could shed some light on these:
1. We'd like to change searches in the dashboard depending on the logged-in user (by using tokens). How and where can we set tokens? In addition to that, is it possible to hide a panel in Dashboard Studio?
2. We'd like to change the values of a "pulldown" input depending on the logged-in user (by using tokens). We used to do this by customizing search strings with tokens. Is it possible to achieve this in Dashboard Studio?
Hi, does anyone have examples of how to use Splunk Enterprise to investigate and contain ransomware? I would like to detect it quickly; any recommendations? Can you share any logs from real ransomware, or screenshots? I have alerts on some popular ransomware ports like 445 etc. I am just wondering what a red flag, traffic peak etc. looks like. Many thanks
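Port-based alerts catch lateral movement, but the earliest host-side signal of ransomware is usually the encryption itself: many unrelated files on one host acquiring the same new extension within seconds. As an added example (not code from the post, and not real ransomware telemetry), the Python below runs that heuristic over constructed file-activity log lines, using a sliding time window per host and new extension and ignoring renames that keep the extension; the equivalent SPL is sketched in a comment. The log format, hosts and paths are all made up for the example.

```python
import os
import re
from collections import defaultdict

# Constructed file-activity log lines (invented for this example).
# Format: <epoch> host=<h> action=<a> src=<path> dst=<path>
SAMPLE_LOG = """\
1647241200 host=ws01 action=rename src=C:/Users/a/Documents/q1.xlsx dst=C:/Users/a/Documents/q1.xlsx.locked
1647241205 host=ws01 action=rename src=C:/Users/a/Documents/q2.xlsx dst=C:/Users/a/Documents/q2.xlsx.locked
1647241210 host=ws01 action=rename src=C:/Users/a/Documents/notes.docx dst=C:/Users/a/Documents/notes.docx.locked
1647241215 host=ws01 action=rename src=C:/Users/a/Pictures/cat.jpg dst=C:/Users/a/Pictures/cat.jpg.locked
1647241220 host=ws01 action=rename src=C:/Users/a/Pictures/dog.jpg dst=C:/Users/a/Pictures/dog.jpg.locked
1647241230 host=ws01 action=rename src=C:/Users/a/Desktop/todo.txt dst=C:/Users/a/Desktop/todo.txt.locked
1647241300 host=ws02 action=rename src=C:/Users/b/draft.docx dst=C:/Users/b/final.docx
1647241310 host=ws02 action=rename src=C:/Users/b/old.log dst=C:/Users/b/old.log.bak
1647241000 host=ws03 action=rename src=D:/backup/a.db dst=D:/backup/a.db.bak
1647241150 host=ws03 action=rename src=D:/backup/b.db dst=D:/backup/b.db.bak
1647241300 host=ws03 action=rename src=D:/backup/c.db dst=D:/backup/c.db.bak
1647241450 host=ws03 action=rename src=D:/backup/d.db dst=D:/backup/d.db.bak
1647241600 host=ws03 action=rename src=D:/backup/e.db dst=D:/backup/e.db.bak
1647241620 host=ws01 action=write src=- dst=C:/Users/a/Desktop/README_TO_DECRYPT.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) host=(?P<host>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_log(text):
    """Parse the sample format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = int(e["ts"])
            events.append(e)
    return events


def extension(path):
    return os.path.splitext(path)[1].lower()


def detect_rename_bursts(events, window=60, threshold=5):
    r"""Return sorted (host, new_extension, files) tuples for hosts that renamed
    at least `threshold` distinct files to the same new extension within any
    `window`-second span. Renames that keep the extension (draft.docx ->
    final.docx) are ignored; a slow trickle of renames spread over many
    windows (ws03 below) does not trigger.

    SPL sketch of the same logic:
        | eval new_ext=replace(dst, ".*(\.[^./]+)$", "\1")
        | bin _time span=1m | stats dc(src) as files by host new_ext _time
        | where files >= 5
    """
    by_key = defaultdict(list)            # (host, new_ext) -> [(ts, src)]
    for e in events:
        if e["action"] != "rename":
            continue
        new_ext = extension(e["dst"])
        if new_ext and new_ext != extension(e["src"]):
            by_key[(e["host"], new_ext)].append((e["ts"], e["src"]))

    alerts = []
    for (host, new_ext), items in by_key.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            # advance the window start until it spans at most `window` seconds
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({src for _, src in items[start:end + 1]}))
        if best >= threshold:
            alerts.append((host, new_ext, best))
    return sorted(alerts)


if __name__ == "__main__":
    for host, ext, n in detect_rename_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {host}: {n} files renamed to *{ext} within 60s")
```

The threshold and window are the tuning knobs: legitimate tools that bulk-rename (backup rotation, archive extraction) show up as the same pattern with a known extension on a known host, so in practice the alert is paired with an allow-list of extensions and hosts rather than lowered until it is silent.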