All Topics
How does Splunk calculate the health score of any service based on KPIs? Does it use any AI model or weightage formula for the health score?
Hi all, I have two fields, eventfield2 and eventfield3, with values of eventfield3 = LHCP, RHCP, LHCP and values of eventfield2 = RHCP, RHCP, LHCP. I want a result like the one shown. Thanks for your time in advance.
I'm sure this has been asked before but I can't find the answer. I'm looking to use Splunk to provide better metrics from Tenable. The data that is sent into Splunk from Tenable has two source types that I'm interested in: asset data and vuln data. I need to combine the two of them (UUID is the common field) so that I can then filter the data set down to specific tags that have been applied to the assets. This way, I can start creating better historical dashboards and reports. I think what I need to do is match the UUIDs from both source types, which hopefully will then take all the vuln data and list it under the one unique UUID. From there, I need to be able to filter based on the tags created in Tenable. Is this possible? Thanks
I am trying to write an SPL query to detect an event where a single source IP address or a user fails multiple times to log in to multiple accounts. Can anyone help me write it?
Is there any way to toggle the data points on and off via a radio button added to a dashboard? When doing line charts with long lengths of data, the numbers get packed tightly together and overlap.
Our Nessus vulnerability scanner is flagging that the server_pkcs1.pem certificate is expired. I have verified that it is expired but am unable to renew it. Stopping the service, renaming the file and restarting the service does not recreate it. How do you renew this certificate?
fieldA:1:10 fieldB:1:3 fieldC:1:2 fieldA:1:10 fieldC:1:2 fieldA:1:10 fieldC:1:2 fieldC:1:1
I want to end up with fields called fieldA, fieldB, and fieldC, where the field name is the actual text found in the string, as I can't predict which event will contain which combination.
Hi, how can I check the CherryPy version for Splunk 7.3.8? There are no CherryPy-related files in splunk/share/3rdparty. Thank you.
Hi, I have a log source (/logs/abc/def). I want to know which apps are using this log source in their inputs.conf. Can someone provide me the search query?
I have events that contain a specific field which sometimes is very long and makes the rest of the event be truncated. I want to remove this field or change it to "long field detected". The problematic field is called "file" and I should catch its last appearance; I also want the data after it, so I should stop the removal after the first "," (comma). The event also contains nested fields. I've tried props.conf + transforms.conf like that: ete but it doesn't work. Here is an example of one event: deleted due to security reasons
Hi, I am wondering what the easiest way is to monitor the deletion of files/folders in a CIFS NetApp using Splunk. I saw an add-on available; could someone share any experience with this use case? I have SC4S in place, so I thought to configure syslog in NetApp to be sent to SC4S and start digging into the logs. Is there any app I could leverage to ease the pain? Many thanks
Hello everyone, I'm facing a persistent issue with executing a script via a playbook in Splunk SOAR that uses WinRM. Here's the context: I've created a playbook that is supposed to isolate a host via WinRM. The script works perfectly when I run it manually using the "Run Script" action from Splunk SOAR: the host gets isolated. However, when the same script is executed by the playbook, the execution is marked as "successful," but none of the expected outcomes occur: the host is not isolated. To be more precise: I added an elevation check in the script, which relaunches in administrator mode with -Verb RunAs if necessary. This works perfectly for the manual action. The script writes to a log file located in C:\Users\Public\Documents to avoid permission issues, but the log file is not created when executed by the playbook. I've tried other directories and even simplified the logic to just disable a network adapter with Disable-NetAdapter, but nothing seems to work. In summary, everything works fine when done manually, but not when automated via the playbook. I have the impression that there's a difference in context between manual execution and playbook execution that's causing the issue, perhaps related to permissions or WinRM session restrictions. Does anyone have any idea what might be preventing the playbook from executing this script correctly, or any suggestions for workarounds? I'm really running out of ideas and any help would be greatly appreciated. Thanks in advance!
I am trying to configure Splunk to ingest only application, system and security logs from my local machine, but I can't find "Local event log collection" on my Splunk Enterprise on my MacBook. On my former laptop, which ran Windows, I could find the "Local event log collection" option in the data input section. Please, how can I go about this?
Hi Community, I am trying to build a regex that can help me reduce the size of an EventCode; in my case this is 4627. The idea is to use props and transforms:

props.conf
[XmlWinEventLog:Security]
TRANSFORMS-reduce_raw = reduce_event_raw

transforms.conf
[reduce_event_raw]
REGEX = <Event[^>]*>.*?<System>.*?<Provider\s+Name='(?<ProviderName>[^']*)'\s+Guid='(?<ProviderGuid>[^']*)'.*?<EventID>(?<EventID>\d+)</EventID>.*?<Version>(?<Version>\d+)</Version>.*?<Level>(?<Level>\d+)</Level>.*?<Task>(?<Task>\d+)</Task>.*?<Opcode>(?<Opcode>\d+)</Opcode>.*?<Keywords>(?<Keywords>[^<]*)</Keywords>.*?<TimeCreated\s+SystemTime='(?<SystemTime>[^']*)'.*?<EventRecordID>(?<EventRecordID>\d+)</EventRecordID>.*?<Correlation\s+ActivityID='(?<ActivityID>[^']*)'.*?<Execution\s+ProcessID='(?<ProcessID>\d+)'\s+ThreadID='(?<ThreadID>\d+)'.*?<Channel>(?<Channel>[^<]*)</Channel>.*?<Computer>(?<Computer>[^<]*)</Computer>.*?<EventData>.*?<Data\s+Name='SubjectUserSid'>(?<SubjectUserSid>[^<]*)</Data>.*?<Data\s+Name='SubjectUserName'>(?<SubjectUserName>[^<]*)</Data>.*?<Data\s+Name='SubjectDomainName'>(?<SubjectDomainName>[^<]*)</Data>.*?<Data\s+Name='SubjectLogonId'>(?<SubjectLogonId>[^<]*)</Data>.*?<Data\s+Name='TargetUserSid'>(?<TargetUserSid>[^<]*)</Data>.*?<Data\s+Name='TargetUserName'>(?<TargetUserName>[^<]*)</Data>.*?<Data\s+Name='TargetDomainName'>(?<TargetDomainName>[^<]*)</Data>.*?<Data\s+Name='TargetLogonId'>(?<TargetLogonId>[^<]*)</Data>.*?<Data\s+Name='LogonType'>(?<LogonType>[^<]*)</Data>.*?<Data\s+Name='EventIdx'>(?<EventIdx>[^<]*)</Data>.*?<Data\s+Name='EventCountTotal'>(?<EventCountTotal>[^<]*)</Data>.*?<Data\s+Name='GroupMembership'>(?<GroupMembership>.*?)</Data>.*?</EventData>.*?</Event>
FORMAT = ProviderName::$1 ProviderGuid::$2 EventID::$3 Version::$4 Level::$5 Task::$6 Opcode::$7 Keywords::$8 SystemTime::$9 EventRecordID::$10 ActivityID::$11 ProcessID::$12 ThreadID::$13 Channel::$14 Computer::$15 SubjectUserSid::$16 SubjectUserName::$17 SubjectDomainName::$18 SubjectLogonId::$19 TargetUserSid::$20 TargetUserName::$21 TargetDomainName::$22 TargetLogonId::$23 LogonType::$24 EventIdx::$25 EventCountTotal::$26 GroupMembership::$27
DEST_KEY = _raw

Then I will be able to pick which bits from the raw data are to be indexed. It looks like the regex does not pick up the fields correctly. Here is the raw event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3bxxxxxx}'/><EventID>4627</EventID><Version>0</Version><Level>0</Level><Task>12554</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-11-27T11:27:45.6695363Z'/><EventRecordID>2177113</EventRecordID><Correlation ActivityID='{01491b93-40a4-0002-6926-4901a440db01}'/><Execution ProcessID='1196' ThreadID='1312'/><Channel>Security</Channel><Computer>Computer1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>CXXXXXX</Data><Data Name='SubjectDomainName'>CXXXXXXXX</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='EventIdx'>1</Data><Data Name='EventCountTotal'>1</Data><Data Name='GroupMembership'> %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384}</Data></EventData></Event>

Any help to troubleshoot the problem will be highly valued. Thank you in advance!
Dear All, I am facing difficulty in loading all the evtx files in a folder into Splunk. I am using the free Splunk version for learning. My folder has 306 files, but Splunk loaded only 212 files. In another case my folder has 47 files, but Splunk loaded only 3 files. I am having this issue even after trying multiple times, while the count of files loaded successfully keeps changing. Kindly help me with the possible reasons for this happening. MMM
Hi Splunkers, I have an HWF that collects the firewall logs. For cost-saving reasons, some events are filtered and not injected into the indexer. For example, I have

props.conf
[my_sourcetype]
TRANSFORMS-set = dns, external

and transforms.conf
[dns]
REGEX ="dstport=53"
DEST_KEY = queue
FORMAT = nullQueue
[external]
REGEX = "to specific external IP range"
DEST_KEY = queue
FORMAT = nullQueue

So my HWF drops those events and the "rest" is ingested into the indexer (on-prem). So far so good... One of our operational teams requested that I ingest "their" logs into their Splunk Cloud instance. How can I technically do this?
1. I want to keep all the logs on the on-prem indexer with the filtering
2. I want to ingest events from a specific IP range to Splunk Cloud without filtering
BR, Norbert
Hello, my apologies, I hope this makes sense, I am still learning. I have events coming in that look like this: I need to create an alert for when state = 1 for name = VZEROP002. But I can't figure out how to write the query to only look at the state for VZEROP002. The query I'm running is:

index=zn | spath "items{1}.state" | search "items{1}.state"=1

But the search results still return events where VZEROP002 has a state of 2, and VZEROP001 has a state of 1. I hope that makes sense, and thanks in advance for any help with this. Thanks, Tom
I usually have to make documentation of Splunk dashboards and it's really time consuming, so I was thinking maybe I can automate it, so that it can make a simple document of any dashboard. Is it possible?
Hi all, is there any way to freeze the tile in the dashboard when we scroll down in the dashboard?
Hi, any help or use case for the below question? How do I share a dashboard to the internal team as a URL link, where it won't ask to enter a user name and password and logs directly into the dashboard as read only (Dashboard Studio)?