We have multiple searchmanager objects running different searches, and we need to wait until all of them are done to execute some other code. It works using <search>.on("data") state for individual searches, but we need a way to wait for them all. What is the best way to accomplish this? Regards, Javier.
I have a parent dropdown that has cc as its token, and for this parent there is a child multiselect having different values for different countries. So it has depends=$cc$. How do I reset the multiselect when its cc is changing?
Hello! I am looking to add color to a table I have in Dashboard Studio. I notice in the UI there are no coloring options when you select Column Formatting for a string type; the color formats only show for number types. So I tried to replicate the color formatting onto a string type via the source code but am not getting anywhere. Is there something I am missing? Is it possible to color strings in tables with the current release of Dashboard Studio? TIA!
I have data like below:

Date       File  User
1/10/2022  F1    U1
1/10/2022  F1    U2
1/10/2022  F2    U1
1/11/2022  F3    U3
1/11/2022  F1    U1
1/11/2022  F2    U2
1/11/2022  F3    U3
1/11/2022  F1    U1
1/12/2022  F2    U1
1/12/2022  F3    U2
1/12/2022  F1    U1
1/12/2022  F2    U1

I would like to group the data by File and User and need to get a count for each per day, as below. Please let me know how I can get this.

File  User  1/10/2022  1/11/2022  1/12/2022
F1    U1    1          2          1
F2    U1    1                     2
F1    U2    1
F2    U2               1
F3    U2                          1
F3    U3               2
Hello. After running the Python readiness app and upgrading many, there are still 11 apps that show as fail. Is there a query or ability to scan affected apps to determine if they 1) have data, and 2) are being used, so the team can prioritize which apps need to be upgraded or removed to satisfy Upgrade to Python 3?
I'm getting this issue when I'm trying to create a user in the Splunk Enterprise free version. Can you guys help me solve this issue? Thank you.
I recently set up a Splunk UF on a Windows server that did not have it. As part of that process I deployed the same deployment client that was used with all the other servers. My only goal for now is to do file monitoring from this specific server, and to start I wanted to monitor a file location of a csv.

The inputs.conf file looks like this:

[default]
host=SERVER1

[monitor://E:\Scripts\S_M\T_I\abipdb.csv]
sourcetype=abipdb-csv
index=abipdbindex
disabled = 0

The outputs.conf file was copied from one of the server locations with a UF that works fine. The events should be forwarding the data to an indexer cluster:

[tcpout]
defaultGroup=indexers_1,indexers_2

[tcpout: indexers_1]
server=10.##.##.##, 10.##.##.##

[tcpout: indexers_2]
server=10.##.##.##, 10.##.##.##

The splunkd.log shows that the above file location was added to watch. I did deploy an app with the new abipdbindex to the indexer cluster and I can see that index in the index list for each indexer (when checking in Splunk Web). I have a props.conf file set up for that sourcetype:

[abipdb-csv]
FIELD_DELIMITER=,
FIELD_NAMES=column1, column2, column3 etc... (column names match the column names in the csv file)

All the above conf files are stored in system\local and there are no other apps set up on this UF. However, the index has not ingested any events successfully. What could be set up incorrectly, and why is the csv file not being ingested properly?
I have a log line for when an IP is added to the blacklist and another log line with IPs that were removed from the blacklist. What I need to do is search for the IP that was added in the removed line; can you help me? Here is an example of my log and my search:

index="my search"
| rex field=_raw "Message: Host (?<ip>.*?) w"
| rex field=_raw "Message: Hosts (?<ips>.*?) w"
| eval ips=mvjoin(ips,", ")
| rex mode=sed field=ips "s/, /\n/g"
| table ip ips

I need to loop through the list of IPs in column <ips> to find the IP of column <ip>.
I am trying to create a dash which uses tokens for different clients, capturing any attachments sent externally. I have extracted the domain name from my search using regex so I can then exclude the internal "to" address, so that all emails being recorded are external. The exclusion is where I am getting stuck, if anyone has any ideas?

index=test sourcetype="messagetracker" attachments=true client_code=$client$
| eval timestamp=strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename fromEnv.emailAddress as from_envelope_address, fromHdr.emailAddress as from_header_address, from.displayableName as from_displayname, fromHdr.displayableName as from_header_displayname, to.displayableName as to_displayname, to{}.displayableName as to_array_displayname, from.emailAddress as from_address, fromHeader.emailAddress as from_header2_address, to.emailAddress as to_address, to{}.emailAddress as to_array_address
| search from_envelope_address=*
| rename to_array_address as to
| rename from_envelope_address as from
| search to="***" from="***"
| rex field=from "\@(?<domain>[^ ]*)"
| search NOT (to in domain)
| dedup from, to, subject, status, info, route
| fillnull value="n/a" from_header_address
| table timestamp, from, to, domain, attachments, status, info, route, spamScore, client_code
Hi, I need to color the field "sante" in red if its value is "Etat dégradé" and green if its value is "Etat stable".

| stats count(hang_process_name) AS hang
| eval sante=if(hang>0, "Etat dégradé", "Etat stable")
| table sante
| rangemap field=sante low=0-0 default=severe

What is wrong, please?
Hi, We are setting up a Splunk infrastructure where we would like to redirect events coming into particular indexes to an external SOC. For example, logs from multiple firewall technologies would be put into the index "clientX_firewall" by an SC4S, and this whole index would have to be forwarded to both my indexing tier and the external SOC, whatever the sourcetype / host / source. Is there a way to properly redirect this whole index, without having to specify the source / host / sourcetype involved for each type involved? Thanks for your help.
Hi, I have an SBC (Session Border Controller) which is doing LDAP searches and writing syslog of that. I'm trying to get statistics on how long the searches have been taking during the day. Based on the forum discussions I ended up with the following search string already:

"recv <-- acEV_LDAP_SEARCH_RESULT" OR "send --> LDAP SearchID"
| transaction SID
| table by duration

So this is good and working. The extra challenge comes when I'm not interested in all the LDAP searches, only those which have a certain search (contains phone number). I tried to change the search like this:

"recv <-- acEV_LDAP_SEARCH_RESULT" OR "send --> LDAP SearchID:-100 key:msRTCSIP-Line=tel:+"
| transaction SID keeporphans=false
| table by duration

With the idea that if there is no pair for "recv <-- acEV_LDAP_SEARCH_RESULT", then that should be skipped. But so far, no luck. As an alternative way I tried to use a third log line as well:

"recv <-- acEV_LDAP_SEARCH_RESULT" OR "send --> LDAP SearchID" OR "Query LDAP for msRTCSIP-Line=tel:+"
| transaction SID
| table by duration

But that did not work for me either. The SID is the thread ID (or session ID) that unifies them. Does anybody have thoughts on how this could be done? Can I control transaction in a way that both (or all three) log lines are mandatory?
Hello, We have a PowerShell script job (xyz.ps1) that runs on all hosts every 10 minutes, and when it starts it writes a message into the EV Application log as "Beginning of xyz.ps1 Execution". We found that sometimes xyz.ps1 gets stuck in a weird state and we didn't see the message in the last 60 minutes for some hosts. I was able to create an alert where I get the list of hosts which show that message. But what I am exactly looking for is: I want to set an alert in Splunk which will report the host names where we don't see the "Beginning of xyz.ps1 Execution" message in the last 60 minutes, so that I'll get to know the hosts where the script didn't execute well.

Search:

index=ABC source="xyz.ps1" host=WWW-* "Beginning of xyz.ps1 Execution"
| table _time host
| dedup host
| eval age=now()-_time
| where age > 60

Is the above search correct? Thanks for your suggestions.
Hi Team, We are considering adopting the splunk-connect-for-syslog app (SC4S). Can it be installed on a Splunk UF, or only on a Splunk Heavy Forwarder?
Hello, I would like to know if it is safe to delete the below on all of our Splunk hosts:

/opt/splunk/var/run/searchpeers/<hostname>-1633305600/apps/splunk_archiver/java-bin/jars/vendors/spark/3.0.1/lib/

Similar files exist on a lot of our Splunk hosts and we get notifications daily about them because of log4j. So is it safe to delete the above path and similar? It is just replications, right? Thanks in advance!
I wanted to drop the log message in syslog-ng and I tried the below way to drop them, but it seems it doesn't work. Could you help if there is any other way? To skip the processing of a message without sending it to a destination, create a log statement with the appropriate filters, but do not include any destination in the statement, and use the final flag. Example: Skipping messages. The following log statement drops all debug level messages without any further processing.

filter demo_debugfilter { level(debug); };
log { source(s_all); filter(demo_debugfilter); flags(final); };
I have a list of IP addresses in a lookup table that are network scanners. I am trying to build a search that excludes the IP addresses in this lookup table, but for some reason my search keeps including IP address values that are clearly present in the lookup. I tried putting quotes around the IP addresses ("1.2.3.4") and tried without quotes (1.2.3.4), but nothing works. The raw data does not have quotes. After having tried enough combinations, I am hoping someone can help me. Eventually, I'll be adding the remaining IPs to the lookup table via OUTPUTLOOKUP append=true, but until I can get this working... I'm stuck.

index=foo sourcetype=bar NOT [| inputlookup network_scanners | table IpAddress]
| dedup IpAddress
| table IpAddress
Hello, I am having a hard time doing the installation and running/connecting the Windows agent to the portal. I am having challenges locating working documentation. When I look at the prerequisites, I see some broken links to downloads like the Java agent: https://docs.appdynamics.com/4.5.x/en/application-monitoring/install-app-server-agents/java-agent/install-the-java-agent

I used this document but seem stuck and I have no progress: https://docs.appdynamics.com/4.5.x/en/infrastructure-visibility/network-visibility/network-visibility-requirements-and-supported-environments

Also, if someone has any video with the correct link, that would be a plus. Good day.
index=VulnerabilityManagement Sourcetype=* | fields dept=HR vuln=* PC=* | I want statistics showing a list of HR's vulnerabilities and the associated PC. I'm new; hopefully this makes sense. I just want a basic statistics page that I can put on a dashboard showing the list of PC vulnerabilities in this dept, and remove any rows that are missing either the vulnerability or the PC. The statistics would show:

Vulnerabilities      PC
CVE-Malware Boogy    CEOPC1234
Hi, I have a search that produces the following table:

Organization|Amount|AcquirerBank
Or_A |2000 |1234
Or_A |4000 |2345
Or_B |1200 |3456
|4020 |4567
Or_C |1456 |5678

And then I have a csv file that provides the bank code with the bank name as a mapping csv:

AcquirerBank|BankName
1234 |BankA
2345 |BankB
4567 |BankC
5678 |BankD

The target table should look something like this:

Organization|Amount|AcquirerBank|BankName
Or_A |2000 |1234 |BankA
Or_A |4000 |2345 |BankB
Or_B |1200 |3456 |
|4020 |4567 |BankC
Or_C |1456 |5678 |BankD

I try to use join like this:

index=index
| table Organization, Amount, AcquirerBank
| join AcquirerBank [inputlookup bank_mapping.csv | table AcquirerBank, BankName]
| table Organization, Amount, AcquirerBank, BankName

But I encounter 2 problems:
1. My index has around a million events, and [join] has a limited number of events it can join, so my result table was lacking results.
2. Also [join] doesn't show enough results if the mapping csv doesn't have the data; as in the example above, if I use [join], Or_B with an AcquirerBank value that doesn't exist in the mapping csv will not show up.

Does anyone have an alternative to [join] that can resolve the above problems? Thank you in advance.