I am using Splunk Enterprise V8.2.3.2. I am trying to alert when a scheduled search becomes disabled. The problem is that I have four systems using the same app but with different searches enabled and disabled for each of the systems. I need to dynamically determine which system the alert is running on and get the corresponding list of searches that are supposed to be enabled from a lookup table. I have done that. Now I need to see if the disabled search name matches one of the search names in the lookup table list. The list looks like this:

Searches that should be enabled (field name searches): apple tart,blueberry pie,carrot cake,cupcake
Search found to be disabled (field name disabled): carrot cake

I would like to do something like:

eval failed=if(in(disabled,searches),"Failed","Passed")
where disabled in(searches)

or

search disabled IN searches

However, none of these approaches have worked. Any advice? Thanks in advance.

I am very new to Splunk and trying to gain as much knowledge as possible. I found there is an app called Splunk Global Threat Landscape/IP Watch List, which I installed, but I am getting zero results. I most definitely feel I should be seeing some type of results. Is anyone familiar with this app who can provide some feedback?

Attempting to send events/incidents to ServiceNOW from Splunk. We've completed all of the configuration steps on the SNOW side, and when we open up the SNOW app (inside Splunk Cloud) and try to add the ServiceNOW account we get the message: "An error occurred while trying to authenticate. Please try again."

These are the log entries that are showing up in TA_Snow_Error_Output. Has anyone seen this before and/or seen a way through it?

2022-01-14 19:27:00,053 ERROR pid=27053 tid=MainThread file=splunk_ta_snow_rh_oauth.py:handleEdit:106 | Error occurred while getting access token using auth code
2022-01-14 19:19:40,670 ERROR pid=17428 tid=MainThread file=splunk_ta_snow_account_validation.py:validate:119 | Failure occurred while verifying username and password. Response code=403 (Forbidden)

Hi all, I have a question about the scheduled PDF delivery option for a dashboard. I have some dashboards scheduled for daily PDF delivery, but they sometimes don't have results. I want to configure the PDF delivery option to send the email only on the days with results. Is there a way to do this? Thanks.

Splunk DB Connect connection to AWS Athena. Has anyone used that yet?

Hello, my application will generate a daily log file with the file name App_YYYYMMDD.log, for example App_20220118.log, App_20220119.log. I am trying to write a query which should return a table with a single column having the value '0' if the file for the current weekday has not been generated. The query should also have a condition to wait for a certain time before returning '0'. For example, let's say the query should wait for 8 hours from the start of the day (12 AM) before returning the result. Can you please share if you have written a similar query? Regards, Syed

I am working on a query that generates a table with the count of security violations. I want to filter out the users with more than 10 violations.

| rex field=_raw "(?<Message>Security\sviolation)\s\S+\s\S+\s(?<User>[A-Z0-9]+)"
| eval Time = strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename JOBNAME as Jobname Time as Date
| eval Workload = substr(Jobname,1,3)
| stats count(Message) as "Security Violations" by Jobname User

Resulting table:

User  Security Violations
ABC   1
DEF   4
GHI   12
JKL   3
XYZ   20

Thank you,

I am actually new to Splunk and trying to learn. Is there a way to group the results based on a particular string? Although I found some of the answers here already, it's confusing for me. It will be really helpful if someone can answer based on my use case. Below is the sample log that I am getting:

[2022-01-19T13:30:15.664+00:00] [odi] [ERROR] [ODI-1134] [oracle.odi.agent] [tid: 304720] [ecid: 0000NtmXuVIC^qqMwMmZMG1XqvzZ000cRu,0:68:129:176:208:135] [oracle.odi.runtime.MrepExtId: 1501670917734] [oracle.odi.runtime.AgentName: OracleDIAgent2] [oracle.odi.runtime.ExecPhase: ExecuteTask] [oracle.odi.runtime.OdiUser: _odi] [oracle.odi.runtime.WrepName: WORKREP] [oracle.odi.runtime.ScenarioName: WEB_BOOKINGS_MV] [oracle.odi.runtime.ScenarioVer: 001] [oracle.odi.runtime.LoadPlanName: wfl_WebDataSet_MV_Refresh_2TimesAD]

I want to group the results based on oracle.odi.runtime.LoadPlanName and find the latest log for it. Could someone please assist?

Could you help us confirm whether the Splunk REST APIs support OAuth authentication apart from the existing basic authentication (username/password) and authentication tokens (link)? We see a lot of customers enquiring about it. Also, is it mandatory to always use an authentication token mechanism for a service account in Splunk, or can we use a username/password as well? @sloshburch

We just upgraded from Enterprise Security 6.4.x to 6.6.2. In version 6.4, we were able to run real-time searches, pause the search, grab and work the notable. We upgraded to 6.6.2 and now that feature no longer exists. I don't see an auto refresh option in version 6.6.2, so my question is: how can I get the Incident Review dashboard to auto refresh so we don't have to do it manually? Thanks in advance. Scott

Hi guys, I tried installing Splunk Phantom as an unprivileged user as per the documentation: https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallUnprivileged

Although I pretty much get through the process without problems, when I get to the last step I get warnings about storage. The installation does continue and then completes (I think). I then navigate to the ./bin directory and run the ./start_phantom.sh script, but it gives me a connection to postgres error. Postgres is installed, so I don't know what the issue could be. Note this is a standalone instance of Phantom. Has anyone experienced something similar? Also, I cannot access the frontend, but I assume this is because Phantom is not running.

Hi, I have installed an add-on to integrate Splunk with Opsgenie, but it is not working. After finishing the setup, none of the functionality is working, like the inputs or tenant pages.

Add-on installed: https://splunkbase.splunk.com/app/3759/
Used this link for reference: https://support.atlassian.com/opsgenie/docs/integrate-opsgenie-with-splunk/#:~:text=Opsgenie%20provides%20a%20two%2Dway,forward%20Splunk%20alerts%20to%20Opsgenie

Has anyone integrated Splunk with Opsgenie? If yes, please help me with the setup. Thanks in advance

Hi all, does anyone know if it's possible to create a file from a field in an artifact?

Scenario: We have an alert in Splunk SIEM that sends various bits of tabulated info to SOAR. One of the fields is a comma-delimited list of IDs; this could be 1 or several hundred. This kicks off a playbook to process this info and email the info to the 'owner'. The ID data must be added to the sent email as an attachment. I'm aware of the option to add attachments from the file vault to an email from SOAR using the SMTP app, but... how do we get the ID data from the field in the artifact into a file?

Any help would be much appreciated. Cheers, Mark.

Hi, I'm trying to calculate a success percentage; for that I'm taking the total and the request count, but I'm unable to get the count for the request. Please see the attachments for more insight.

Image1: Gives the total count of book appointment requests.
Image2: Unable to get the request count from the total book appointments.
Image3: Example of successfully getting results.

Please help me to resolve this.

I want to check if some strings exist in a column and, if they do, add another column with the type of the string I found. For example: the column is "Company" and inside we can find google inc, amazon llc, Microsoft incorporation, university of china and more. The strings I want to check are google, amazon, Microsoft. The important thing is that I have ~100 strings that I need to check for. I want to add a column "Company_Type" and, if one of the strings exists in the column "Company", it will write "Technology", and if not, "other".

The result I want to get:

Company                  Company_Type
google inc               Technology
amazon llc               Technology
Microsoft incorporation  Technology
university of china      other

I am passing the following token host_token=$host_token$ in a URL:

<link target="_blank">/app/RTPM/blackwidow_testing__technical_dashboard_19_01_2022_v2?host_token=$host_token$&amp;host_token1=$host_token$</link>

However, the screen that is receiving the token, blackwidow_testing__technical_dashboard_19_01_2022_v2, already has an input for host_token (as the screen can be used on its own, without someone passing in tokens). It looks like this. Ideally, if the host_token comes in from the URL, I want the value to be set to that. However, that does not happen; the URL host_token seems to be ignored and the original dropdown works as if nothing happened.

<input type="dropdown" token="host_token">
  <label>HOST</label>
  <fieldForLabel>mx.env</fieldForLabel>
  <fieldForValue>mx.env</fieldForValue>
  <search>
    <query>| mstats avg("mx.process.cpu.utilization") as X WHERE "index"="metrics_test" span=10s BY "mx.env" | dedup mx.env | table mx.env</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>

As a test I pass in 2 tokens, host_token and host_token1; host_token is set to undefined. This is the one that I need to get set when it comes in from the URL.

Any help would be amazing - thanks - Robbie

@splunkdevelopemnt I am working on Dashboard Studio and I am new to this. I need to create a Month filter just above the panel, as we can do in a classic dashboard. Kindly help me with this: can we create filters anywhere in Dashboard Studio, as I can only see the global filter? Thanks, Sudha Adhvaryu

Hey everyone, I'm a little new to Splunk, so bear with me. I have an offline Windows environment (a couple of servers and multiple workstations) and, prior to implementation, a member of my team downloaded the Infosec App to provide us with the data we need. This proved not to be the case when testing instances such as failed logons etc. I looked at the syntax and realized that nothing points to Windows event logs. Is there any known way to use the Infosec App by pointing it to just the Windows Event Viewer/logs? If not, does it work with an instance such as Sysmon, and if so, how would I point it from Sysmon, to Splunk, to the Infosec App?

Hi, I need to sum the values of the durations found in the Duration_of_Errors column for each error that occurs for a user in a certain work shift of the day. I am using the stats command. The names of my errors start like this:

Technical/broken screen
Technical/keyboard crashed
...
Organizational/absence of personnel
Organizational/change of office
...
Quality/Audit
Quality/server migration
...

I want to sum the duration of each group of errors per shift and user. I have used this but I can't get it to sum; what am I doing wrong?

| stats sum(eval(if(Error_Text="Technical*"))) as sum_technical_duration_errors by shift user

Thanks in advance!

Dear Splunkers, I got the following message when configuring CloudTrail SQS S3 Based:

An error occurred (SignatureDoesNotMatch) when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

I appreciate any help!