All Topics
Hi Team, how do I get the output below using a Splunk SPL query from the input below?

INPUT:
_time url scannedissues
1-Feb abc.com issue1
1-Feb abc.com issue2
1-Feb abc.com issue3
1-Feb abc.com issue4
5-Feb abc.com issue1
5-Feb abc.com issue3
5-Feb abc.com issue4
7-Feb abc.com issue1
7-Feb abc.com issue3
10-Feb abc.com issue1
10-Feb abc.com issue2
10-Feb abc.com issue3
14-Feb abc.com issue1
14-Feb abc.com issue2
14-Feb abc.com issue5

Expected OUTPUT:
url scannedissues LatestTime Earliest Time
abc.com issue1 14-Feb 1-Feb
abc.com issue2 14-Feb 10-Feb
abc.com issue5 14-Feb 14-Feb

Can someone guide me on the SPL command logic to achieve the above output? Thanks in advance!
Hi There, I am looking to produce an output where the field with the maximum count is displayed based on another field. For example, I am looking for something like the command:
| stats max(count(errors) by status

time status errors count
2022-03-02 05:30 100 not found 100
2022-03-02 05:30 200 success 300
2022-03-02 05:30 300 failed 500
2022-03-02 06:30 100 not found 400
2022-03-02 06:30 200 success 500
2022-03-02 06:30 300 failed 600
2022-03-02 07:30 100 not found 200
2022-03-02 07:30 200 success 700
2022-03-02 07:30 300 failed 200

What I am looking for is the max count for each status and error:
time status errors count
2022-03-02 05:30 100 not found 400
2022-03-02 06:30 200 success 700
2022-03-02 07:30 300 failed 600

I tried many things but with no luck; if someone could help with this.
Is there any way to create a file with a list of IPs that I can use in the search field? I am trying to search for IPs that are not in this specific list, but I don't want to create the list for every search. For instance, if I want to look through the zeek conn.log for bad_guy IPs from a predefined list of bad guy IPs. Thank you for any help.
Hi Experts, my SPL query:
...| eval elapse_range=case( TOTAL_ELAPSE>0 AND TOTAL_ELAPSE<4, "Green", TOTAL_ELAPSE>4 AND TOTAL_ELAPSE<8, "Yellow", TOTAL_ELAPSE>8, "Red") | chart values(TOTAL_ELAPSE) as TOTAL_ELAPSE over JOBID by elapse_range

Statistics table:
JOBID Green Red Yellow
SZ146BKP 8.2
SZ11BKP 8.6 7.9
SZ16BKP 8.6
SZSWTCNT 8.7
SZ00D T39 9.5 9.8 9.9
SZ24 10.6 11.0
SZ07 1.7 12.7
SZ04 59.6
SZ22 66.6 69.2

The grouped-by values (i.e. the highlighted values) are coming in the statistics table but are not showing in the chart. The chart is not showing the values 66.6, 69.2, etc.
Hi All, Splunk Enterprise 8.2.4, clustered. I have an issue where I have an existing app with a lookup listing all devices we are monitoring, and I have a new app where I pull a subset of these devices to provide a dashboard for the team that supports them. The underlying search
| inputlookup NocIP.csv | search Datasource="Eaton" OR Datasource="eltek"
works fine within the original app and works fine from the new app using my "General user", which has admin rights, but using a user set up for the support team using the new app, the search fails with the following result. The lookup table file has the following permissions set. The lookup definition permissions are set like this. The role for the support team is cloned from the role that uses the original app. Inheritance. Capabilities. This app doesn't use any indexes and there are no restrictions in place. The resources are. The user is, with the config. This is doing my head in because it looks like it should work but isn't; can anyone see what I have missed? Cheers, Mike
Hello, I use this timechart:
index=tutu sourcetype=titi | timechart span=15min dc(s) as "Uniq"
Now I would like to display 2 more lines with the min and max for the "s" field. Is it possible?
Hi, I want to implement a custom command in Splunk. So I created an add-on using the Splunk Add-on Builder and copied the code for my custom command into the add-on. While validating the add-on from the Add-on Builder, I see one failure (194 tests passed and one failure) as "Detect usage of JavaScript libraries with known vulnerabilities". When I expand the error by clicking on it, I see the solution column mentioned as below:
solution:
3rd party CORS request may execute
parseHTML() executes scripts in event handlers
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
reDOS - regular expression denial of service
Regular Expression Denial of Service (ReDoS)
Regular Expression Denial of Service (ReDoS)
Can I get help on how to resolve this JavaScript issue? Also, when I download the spl file and install the app, it is not giving the "launch app" option in the manage apps page as shown in the snapshot below. Is it because of the installation of a non-validated package?
Hi Splunkers! I have a problem with props.conf and transforms.conf. I face this error in Linux servers:

multipathd[212317]: sdb: failed to get sgio uid: No such file or directory
multipathd[212317]: sdb: add missing path

So I set props.conf and transforms.conf to get rid of these messages. It seems correct and I can't figure out why this doesn't work?!

props.conf
[syslog]
TRANSFORMS-null = setnull

transforms.conf
[setnull]
REGEX = multipathd
DEST_KEY = queue
FORMAT = nullQueue

I also tried these REGEXs:
REGEX = .*multipathd.*
REGEX = (.+multipathd.+)

But nothing happened. So where did I make a mistake? I appreciate your time.
Getting error "[CANNOT EVALUATE: Could not find specified method = [XXX()]" while trying to do data collection. I have done the live preview and the data is there in XXX(). Please advise a solution for the same.
Hi, I use a timechart which is linked to a "today" token time. On the x axis, I need to display only events between 7h and 19h. I tried this, but the x axis goes to 0.00h from the current time. How do I make the x axis begin only at 7h00? Thanks.

index=toto | eval local_time=strftime('_time', "%H%M") | search local_time >="0700" AND local_time <="1900" | timechart span=15min dc(s) as user by type
functionality of these add-ons?
・Trend Micro Deep Security for Splunk
・Splunk Add-on for Amazon Web Services
(all replies will be appreciated with karma)
Hello All, our ldapsearch command is not pulling in the manager name of employees even though I have explicitly called out manager in attrs as shown below. Any suggestion why?

| ldapsearch domain="XXXX.COM" search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,userAccountControl" | table...
Hi, I use a lookup with a field corresponding to a site name:
| inputlookup site.csv | search site=*paris*
In this lookup field, the site can be called in many ways: "PARIS 1", "Paris 2", "Paris XX"... I use this lookup in a join command in order to cross data:
index=toto sourcetype=tutu | stats count as Pb by site | join type=left site [| inputlookup site.csv ] | table site
The problem I have is that in my main search the site for PARIS is always called "Paris". So what I need is to cross all the events which start with "Paris" with my lookup, where there are a lot of different "Paris" syntaxes. How to do this, please?
Hi, I am a total newbie. I need to do a search in Splunk matching the domain in my lookup table (master_lookup.csv). My table has the columns indicators, published_date, last_update, labels. My index is below:
((index=bcoat_logs AND sourcetype=bluecoat:proxysg:access:file ) OR (index=nanolog_906062_zscaler AND sourcetype=zscalernss-web))
How do I get the output when it matches the indicators? My desired output will include _time, indicators, published_date, last_update, labels.
Hi, I use this CSS code in order to enlarge the size of the data values in the bar chart. Now I also need to enlarge the x and y axis label size. How to do this, please?

<style>
#myHighChart g.highcharts-data-label text {
  fill: white !important;
  font-weight: bold !important;
  font-size: 20px !important;
}
</style>
Hi, I've found a bug in the Splunk Add-on Builder and I've tried to report it, but I'm not having much luck. From my Splunk account I try to open a ticket and get this message: "It appears you do not have an active Support Contract or entitlement, and as a result, cannot open a Support case". From the Add-on Builder page I try to file a case, but that just goes to: "URL No Longer Exists. You have attempted to reach a URL that no longer exists on salesforce.com." I tried calling Splunk, but they put me through to sales and then dropped my call. I was hoping someone might point me in the right direction to help Splunk fix this issue. Thanks.
How do I check the inputs.conf file to see how the log files are being sent to Splunk? How do I check whether the forwarder is running and has moved data to the Splunk index?
Hi, I am unable to create a simple alert using the following documentation. As per the documentation, the required parameters are search and name. The following code is written in JavaScript. Here is my request:

const data = {
  "alert_comparator": "equal to",
  "alert_threshold": "0",
  "alert_type": "number of events",
  "cron_schedule": "*/1 * * * *",
  "search": "index%3D%22global-events-qa%22%20functionName%3D%22correspondence-service%22",
  "name": "Simple alert"
}
const response = await axios.post('https://app.splunkcloud.com:8089/services/saved/searches', data, { headers: { ...(await getAuth({region: 'ap-southeast-2'})) } });

Here is the error: Cannot perform action "POST" without a target name to act on.
Documentation link: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch?_ga=2.62077416.557388192.1646109950-663789425.1628561939#saved.2Fsearches
It will be really great if you could share some working examples somewhere in your documentation. Thanks in advance!
Hi There, I have got some results after running the below command:
my search | bucket _time span=1h | stats count by _time http_status | eventstats sum(count) as totalCount by _time | eval percent=round((count/totalCount),3)*100 | fields - count - totalCount

Output is as follows:
time status percent
2022-03-02 05:30:00 100 10.0
2022-03-02 05:30:00 200 30.0
2022-03-02 05:30:00 300 60.0
2022-03-02 06:30:00 100 30.0
2022-03-02 06:30:00 200 60.0
2022-03-02 07:30:00 300 10.0
2022-03-02 07:30:00 100 20.0
2022-03-02 07:30:00 200 30.0
2022-03-02 06:30:00 300 50.0

I am trying to transpose the output as below:
time 100 200 300
2022-03-02 05:30:00 10.0 30.0 60.0
2022-03-02 06:30:00 30.0 60.0 10.0
2022-03-02 07:30:00 20.0 30.0 50.0

Please assist.
Hi All, I have searched for many months and have been unable to locate what I need. Something I believe should be so simple is eluding me. Looking for some help on this. I am trying to change the colour of a bar / column chart to represent a different colour per the size of the shop and show how many alarm incidents they have had. Visually this should allow me to see a comparison of alerts across my large shops / my small shops by looking at a colour only and not having to remember each shop's size, i.e. all green shops are small. My test table is as follows. On my graph I would like the size of the shop to be colour coded: Large - blue, Medium - yellow, Small - green (I am not fussy on the colours of the 3 sizes).

Shop Size TypeReport NoEvents
A Large FrontAlarm 76
A Large BackAlarm 115
B Small FrontAlarm 37
B Small BackAlarm 132
C Medium FrontAlarm 81
C Medium BackAlarm 39
D Large FrontAlarm 159
D Large BackAlarm 110
E Small FrontAlarm 26
E Small BackAlarm 71
F Medium FrontAlarm 113
F Medium BackAlarm 49

I have tried several evals but just do not seem to be able to get this right. I have tried to follow several answers within the Splunk community on this topic, but because those answers evaluate time, it's throwing me out and I am losing that last piece of the puzzle. I have been trying things such as:
| inputlookup Testcolor.csv | search TypeReport="FrontAlarm" | stats count by NoEvents | eval {NoEvents}=count | fields - count
and changing the source with the below, but still no luck:
<option name="charting.fieldColors">{"A":#32a838,"B":#006D9C,"C":#006D9C,"D":#32a838,"E":#006D9C,"F":#006D9 }</option>
To even trying:
| inputlookup Testcolor.csv | search TypeReport="FrontAlarm" | stats count by NoEvents | eval Shop="A, B, C, D, E, F" | makemv Shop delim="," | mvexpand Shop | eval count=NoEvents | table Shop count | eval {Shop}=count | fields - count
The above seemed to get me close, but no cigar.
I have another 6 weeks before I really need to figure this out; any help would be appreciated. (I'd also prefer to build this in Dashboard Studio if that helps my problem. I am also only using static data, so times are pulled in.) Cheers