Hi, I am facing the following problem. When I have this _raw:

process="\"C:\\Windows\\regedit.exe\" /s \"C:\\Program Files (x86)\\SAP\\RPW.reg\""

The value of the process field that I expect is:

"C:\Windows\regedit.exe" /s "C:\Program Files (x86)\etc\etc.etc"

But what the automatic extraction gets is the same, but without the initial and ending quotation marks:

C:\Windows\regedit.exe" /s "C:\Program Files (x86)\etc\etc.etc

Any ideas of how to get the expected value? It seems it doesn't respect the escaped characters.
Hello there, we use an alert action that has a lot of technical dependencies. In order to make sure that all search heads are able to perform this alert action, we would like to make a regular check of all of them. Our idea was to use a simple scheduled search that triggers the alert action on a regular basis as a test, to see if everything is fine. The problem is that we don't know if it is possible to force the search head captain to allocate this specific search to all members of its cluster. Otherwise we would only see whether the member that coincidentally got the search functions properly. Do you know of any way to ensure that all members of a search head cluster run a specific search? Thanks in advance for the help.
We have a heavy forwarder running some add-ons, and one of them (SNow) is eating up all the memory. We have workload management enabled on our search head clusters for CPU/memory management, but wanted to see if it's possible to restrict memory/CPU usage for ingest on the HF using WM. If that's a possibility, where would I edit settings to update the configurations accordingly?
Is there a way of checking if the latest CSV updates were successful and if they were the most up-to-date versions (as I have CSV files updated daily), and also if they were successful when they were run via scheduled tasks?
Hi, I have a CSV file containing emailID and domain, and I would like to search the email exchanges between these two (emailID and domain). The CSV file looks like below:

emailID              domain
test1@company.com    abc.com
test2@company.com    xyz.com
test3@company.com    some.com
and so on ...

Based on the above, I need to check how many times emails were exchanged between emailID and domain. I tried the query below but am unable to get the result:

my search.... [| inputlookup test.csv | eval emailID = mvjoin(emailID ,",") | eval domain= "*@.".domain | eval condition1 = "Sender IN (".domain.") AND Rcpt IN (".emailID .") " | return $condition1 ] | table Sender Rcpt

I would like some guidance on creating a ticket in an in-house ticketing system when an alert is raised from Splunk. Are there any links to documentation that would help me towards this please?
In my events, there is a field called "is_interactive" which has a value of either 0 or 1. The thing is, not all of my events have the field "is_interactive" in them. How do I know how many of my events have this field in them?

Hi, I would like to know if it is possible to use a command as a token. I need to replace the command "perc90" by "perc95" from a dropdown list:

| stats perc90(web_dur)

Thanks.
Hello, I'm having a situation where I have a query returning a single event and I need to build a compound table from different fields of that event. Here are the fields:

severity
severity_id
riskFactor
riskFactor_id
exploitAvailable
exploitAvailable_id

How can I build a table like this?

Indicator          Value             Id
Severity           severity          severity_id
Risk Factor        riskFactor        riskFactor_id
Exploit Available  exploitAvailable  exploitAvailable_id

Thanks for your help!
How would I configure a CRON expression such that an alert is sent 50 minutes past every hour, but only between 7:50am (0750) and 4:50pm (1650), Monday to Friday? And if possible, excluding bank holidays. Thanks.
Hi all, I have to plot a bar graph in which duration in hours will be on the x axis and number of tasks will be on the y axis. I want to specify the labels of the x axis as 0-1(hr), 1-2(hr), 2-3(hr), .... Can anyone please help me with this?

What is the reason behind keeping the default RF = 3 and SF = 2? Why does Splunk recommend it? What happens if we keep RF = 100?

How is data replicated in clustering? What happens if the cluster master goes down?
Hi Splunkers, I have a dashboard with 2 panels. There is one input token, Gucid_token. What I need is: when Gucid_token is any string but not a 1- or 2-digit number, then use it as the search string for panel1's query; in this case, this token has nothing to do with panel2's query.

panel1 <query>sourcetype="omni:ors:voice" $Gucid_token$
Panel2 <query>sourcetype="omni:ors:voice" keyword1 keyword2 | search skilllength >1

When Gucid_token is a 1- or 2-digit number, then ignore it in panel1's query, but for panel2's query, use this token to build a search like search skilllength > $Gucid_token$:

panel1 <query>sourcetype="omni:ors:voice"
Panel2 <query>sourcetype="omni:ors:voice" keyword1 keyword2 | search skilllength > $Gucid_token$

Thx in advance. Kevin

We have a business database, and we have many queries to search business data into a view. Now we want to put this data into Splunk, so we can use the
I am looking for help on stats with eval. Input events (each JSON is an event):

{ "app_name": "app1","logEvent": "Received"}
{ "app_name": "app1","logEvent": "Received"}
{ "app_name": "app1","logEvent": "Missing"}
{ "app_name": "app1","logEvent": "Delivered"}
{ "app_name": "app2","logEvent": "Received"}
{ "app_name": "app2","logEvent": "Delivered"}

My current query is:

index=np-dockerlogs sourcetype=sales | rename log_processed.* as * | eval logEvent =upper(logEvent) | search logEvent IN ("RECEIVED", "DELIVERED", "MISSING") | stats count by logEvent app_name

Current output:

app1 RECEIVED 2
app1 MISSING 1
app1 DELIVERED 1
app2 RECEIVED 1
app2 DELIVERED 1

The output I want to generate is to remove MISSING and subtract the count of Missing from Received:

Received = Total Count of Received - Total Count of Missing
Delivered = Total Count of Delivered

app1 RECEIVED 1
app1 DELIVERED 1
app2 RECEIVED 1
app2 DELIVERED 1

Thank you
Please help with an SPL, or with using the MC, to see if/when a HF stops sending data or there is a big drop in the amount of data it usually sends, like 10% of the normal data sent. How do I tell if a HF is sick and not functioning? I appreciate your time in advance. Thanks
Hello all, I'm looking for a way to modify the Splunk Health Check for small buckets. Specifically, I would like the health check to exclude certain indexes. For example, I like knowing if I am getting too many small buckets... but not if it is for my test index.

Buckets Root Cause(s):
The percentage of small buckets (100%) created over the last hour is high and exceeded the red thresholds (50%) for index=test, and possibly more indexes, on this indexer. At the time this alert fired, total buckets created=6, small buckets=6
The percentage of small buckets (100%) created over the last hour is high and exceeded the red thresholds (50%) for index=test, and possibly more indexes, on this indexer. At the time this alert fired, total buckets created=5, small buckets=5
I am unable to make the Threat Intelligence input for hailataxii work using on-prem Splunk Enterprise. Splunk Enterprise version 8.2.4 and Enterprise Security version 7.0.0.

The Threat Intelligence Audit dashboard shows "TAXII feed polling starting". The Intelligence Audit events below show an error message:

2022-01-10 20:11:51,120+0000 ERROR pid=3116 tid=MainThread file=threatlist.py:download_taxii:476 | <urlopen error [Errno 111] Connection refused>
Traceback (most recent call last):
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/splunk/lib/python3.7/http/client.py", line 1281, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/opt/splunk/lib/python3.7/http/client.py", line 976, in send
    self.connect()
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 478, in connect
    (self.host, self.port), self.timeout, self.source_address)
  File "/opt/splunk/lib/python3.7/socket.py", line 728, in create_connection
    raise err
  File "/opt/splunk/lib/python3.7/socket.py", line 716, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 439, in download_taxii
    taxii_message = handler.run(args, handler_args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 173, in run
    return self._poll_taxii_11(parsed_args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11
    http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout'])
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2
    response = urllib.request.urlopen(req, timeout=timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open
    return self.do_open(self.get_connection, req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 111] Connection refused>

Any ideas???
Hi, we're trying to import SheetJS into a custom SplunkJS script so we can export some results to xlsx. We tried to add it in the require section at the beginning of the script, but it is not working.

require([
    "splunkjs/mvc",
    "<path to xlsx.full.min.js>",
    "splunkjs/mvc/searchmanager",
    "splunkjs/mvc/simplexml/ready!"
], function (mvc, XLSX, SearchManager) {
    // Log the library version to confirm the module was loaded
    console.log(XLSX.version);
});

Here is the SheetJS documentation: https://github.com/SheetJS/sheetjs

Any help will be appreciated. Regards. Javier.