Using the sample search below, I'm trying to get every possible combination of results between two different sets of data, and I'm interested in whether there are any good techniques for doing so that are relatively efficient. At least with the production data set I'm working with, it should translate to about 40,000 results. Below is just an example to make the data set easier to understand. Thank you in advance for any assistance.

Sample search:

| makeresults
| eval new_set="A,B,C"
| makemv delim="," new_set
| append [| makeresults | eval baseline="X,Y,Z" ]
| makemv delim="," baseline

Output should be roughly in the format below, and I'm stuck on getting the data manipulated in a way that aligns with it.

new_set - baseline
--
A-X
A-Y
A-Z
B-X
B-Y
B-Z
C-X
C-Y
C-Z
Hello Splunk Community, I was wondering if anyone has been successful in setting up the Microsoft Teams Add-on for Splunk app on their Enterprise/Heavy Forwarder. This application requires configuring a Teams webhook. When reading the documentation, it appears that the app is supposed to create or include the Microsoft Teams-specific webhook. However, when I attempt to search for the webhook in the search app using:

sourcetype="m365:webhook"

I don't get anything back, and I'm not sure what the webhook address is, since the documentation doesn't specify the format or go over the steps to create a webhook address. I followed these steps: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_the_Microsoft_Teams_Add-on_for_Splunk If anyone has an idea on how to create the webhook or has an idea what I am doing wrong, I would greatly appreciate it. Thanks!
Remove Blue Dot

In Dashboard Studio, my panels use a parent search which uses a multisearch. Because of this, all of the panels have this annoying informational blue dot that appears until the search completely finishes. How can I get rid of this so it never appears?
We have a lookup in Splunk, and we are looking to send a few columns of the lookup to another product via a POST API call. My question is, are there any Splunk add-ons that I can leverage to do this? I see there is an HTTP alert action that can make a POST; however, with this being a lookup (CSV), I am not sure it will work correctly.
I recently migrated Splunk from v8 to v9, and I am having issues with ldapsearch not returning data that it had previously returned. I am trying to pull lastLogon for accurate tracking, but this attribute will not return anything. lastLogonTimestamp works but is too far out of sync for my reporting requirements. I have the LDAP configuration in the Active Directory add-on set to 3269, and everything else works fine except this one attribute. I set up delegation to read lastLogonTimestamp and then everything, so it's not a permissions issue from what I can see. Any help would be appreciated.
Hello, I need help on passing a field value from a dashboard table into a "Link to search" drilldown but can't figure it out. I have a table that contains a "host" field. I need to be able to click on any of the returned hosts and drill into all of the events for that host. I've tried this drilldown query, in the hope that $host$ would be replaced with the actual host name:

source="udp:514" host="$host$.doman.com"

but, of course, it failed; it just gets replaced with "*". I'm sure I'm probably way off on how to do this, but any help would be awesome. Thanks in advance. Tom
How to identify whether the Stream_event function is called at a time interval or during creation/editing of a data input.
Hello everyone, I am terrible at regex. I am trying to regex a field called "alert.message" to create another field with only the contents of alert.message after "On-Prem - ". I can achieve this in regex101 with:

(?<=On-Prem - ).*

But I know in Splunk we have to give it a field name, and I can't figure out the correct syntax to add the field name so it would work. An example of one I've tried without success:

rex field="alert.message" "\?(?<Name><=On Prem - ).*"

If possible, could someone help me out with this one? Thanks for any help, Tom
So I want to build a dashboard with the _introspection index. Some of the metrics I am looking for are THP (enabled/disabled), ulimits, CPU, memory, disk usage, swap usage, clock sync (realtime and hardware), etc. I couldn't find any solid documentation for the _introspection index as to under which source and component these variables are stored, or what data is available in the index at all. Can someone please point me to a documented list of all the data points in the index, if any docs exist? Also, in which specific component/source can I find the KPIs I mentioned above?
Hi, I have a log file on the server which I ingested into Splunk through an input app where I defined the index, sourcetype and monitor statement in inputs.conf. The log file on the server looks like below:

xyz asdfoasdf asfanfafd
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
sdfsdfja agf[oija[gfojerg fgoaierr apodsifa[soigaiga[oiga[dogj
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
sadfnasd;fiasfdoiasndf'i dfdf fd garehaehseht shse thse tjst
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
asdf;nafdsknasdf asdfknasdfln asdf;nasdkfnasf asogja'fja foj'apogj aogj agf

When I try searching the log file in Splunk, the logs are visible; however, the events are not breaking as I expect them to. I want the events to be separated as below:

Event 1:
xyz asdfoasdf asfanfafd
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Event 2:
sdfsdfja agf[oija[gfojerg fgoaierr apodsifa[soigaiga[oiga[dogj
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Event 3:
sadfnasd;fiasfdoiasndf'i dfdf fd garehaehseht shse thse tjst
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Event 4:
asdf;nafdsknasdf asdfknasdfln asdf;nasdkfnasf asogja'fja foj'apogj aogj agf
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Hi all, I have 2 events present in a sourcetype, with different data. There is one field which has the same data in both events, but the field names are different. Can anyone suggest a method other than JOIN to combine the 2 events? I tried combining the fields with the coalesce command, but once I combined them I was not able to see the combined fields. I want to combine the events and do some calculations.
Good day Splunkers, we have two sites/DCs, where one is production and the other a standby DR. In our current architecture, we have intermediate forwarders that forward the logs to Splunk Cloud. All universal forwarders send metrics/logs to these intermediate forwarders. We also have a single deployment server. The architecture is as follows:

UF -> IF -> SH (Splunk Cloud)

The intermediate forwarders are heavy forwarders; they do some indexing and some data transformation such as anonymizing data. The search head is in the cloud. We have been asked to move from the current production-DR architectural setup to a multi-site (active-active) setup. The requirement is for both DCs to be active and servicing customers at the same time. What is your recommendation in terms of setting up the forwarding layer? Is it okay to provision two more intermediate forwarders in the other DC and have all universal forwarders send to all intermediate forwarders across the two DCs? Is there a best practice that you can point me towards? Furthermore, do we need more deployment servers? Extra info: the network team is about to complete the network migration to Cisco ACI.
How to create a custom heatmap to project the overall health of all the applications deployed, by platform and by region? Which metrics can we use to project overall application health in Splunk Observability Cloud? In RUM, we have only the country property. Using that, we are able to split applications by country and environment. We need to split by platform and region.
How to create a chart for alert/detector status to showcase the overall health of an application?

1. How many alerts are configured for each application?
2. Status of alerts by severity

What metrics are available to showcase the above use case in an overall health dashboard in Splunk Observability Cloud?
Hi there, hope you are doing well, thanks for reading.

1) A fresh install of Splunk Enterprise 9.3.2 is showing this security warning:

Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web. 12/2/2024, 5:40:52 AM

2) I noticed this error around 2 or 3 months ago, but as it's a simple and low-priority / functionality-related one, I ignored it.

3) Last week, as we Splunkers were discussing this in our user group meeting, one of my friends asked: OK, this is a low-priority issue for you, but from an organization's infosec perspective this could be a medium/big issue.

4) He suggested that the default config files should be configured to keep things secure (similar to a "zero-trust" security policy); giving a warning message isn't enough, right? I had to agree with him.

5) Screenshot attached for your note:
Are calls on the C++ layer considered in the overall calls? Suppose there is one transaction which flows from Web Server to Java to Node.js; will it be counted as 3 calls or one call?
Hi Folks, can anyone suggest or help me out on how to prepare for the Splunk administration certification course, and which certification is good in that case? Regards, Kanchan
Hi community, the following mode=sed regex works as expected, but when I attempted it in system/local/props.conf on the indexers it fails to trim, as tested via:

| makeresults
| eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3bxxxxxx}'/><EventID>4627</EventID><Version>0</Version><Level>0</Level><Task>12554</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-11-27T11:27:45.6695363Z'/><EventRecordID>2177113</EventRecordID><Correlation ActivityID='{01491b93-40a4-0002-6926-4901a440db01}'/><Execution ProcessID='1196' ThreadID='1312'/><Channel>Security</Channel><Computer>Computer1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>CXXXXXX</Data><Data Name='SubjectDomainName'>CXXXXXXXX</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='EventIdx'>1</Data><Data Name='EventCountTotal'>1</Data><Data Name='GroupMembership'> %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384}</Data></EventData></Event>"
| rex mode=sed "s/(?s).*<Event[^>]*>.*?<EventID>4627<\/EventID>.*?<TimeCreated SystemTime='([^']*)'.*?<Computer>([^<]*)<\/Computer>.*?<Data Name='SubjectUserName'>([^<]*)<\/Data>.*?<Data Name='SubjectDomainName'>([^<]*)<\/Data>.*?<Data Name='TargetUserName'>([^<]*)<\/Data>.*?<Data Name='TargetDomainName'>([^<]*)<\/Data>.*?<Data Name='LogonType'>([^<]*)<\/Data>.*?<\/Event>.*/EventID:4627 TimeCreated:\\1 Computer:\\2 SubjectUserName:\\3 SubjectDomainName:\\4 TargetUserName:\\5 TargetDomainName:\\6 LogonType:\\7/g"

----------------------------------

[XmlWinEventLog: Security]
SEDCMD-reduce_4627 = s/(?s).*<Event[^>]*>.*?<EventID>4627<\/EventID>.*?<TimeCreated SystemTime='([^']*)'.*?<Computer>([^<]*)<\/Computer>.*?<Data Name='SubjectUserName'>([^<]*)<\/Data>.*?<Data Name='SubjectDomainName'>([^<]*)<\/Data>.*?<Data Name='TargetUserName'>([^<]*)<\/Data>.*?<Data Name='TargetDomainName'>([^<]*)<\/Data>.*?<Data Name='LogonType'>([^<]*)<\/Data>.*?<\/Event>.*/EventID:4627 TimeCreated:\1 Computer:\2 SubjectUserName:\3 SubjectDomainName:\4 TargetUserName:\5 TargetDomainName:\6 LogonType:\7/g

Can anyone help me identify where the problem is, please? Thank you.
Can Splunk SmartStore be enabled with single-site indexer clustering that spans two AWS regions? Example: one set of indexer cluster members located in AWS Region A and another set sitting in Region B. Can one S3 remote object store be used with all indexers from both clusters? Thanks.
Hello Splunk community, we have a device on a Windows system. I tried to find a log file on it that is responsible for the Internet connection and connection quality. But unfortunately, this screen saves a limited amount of information in its log files regarding the Internet connection. I wanted to know, does Splunk have a solution for such situations? Perhaps there is an application that we can install on this device that will allow us to erase the necessary logs? Thank you in advance for your answer.