Hi, I need help to get the following results from the search. All help will be appreciated. On the image below, the same colors show the match cases I would like to get out of my search. Here is the condition I am looking for, under the same pid (which is already all the same on the image below).
Example 1 (green on the image):
pid_of_curl = 990820
pid_of_sh = 990821
If exe = curl and (pid_of_curl + 1) has exe = sh: exe is curl, and 990820 + 1 = 990821 = the pid in which exe = sh.
If exe is either "curl" or "wget" and its pid + 1 is equal to the (bash or sh) pid.
Hi Community Members, does anyone know whether we can use Splunk Enterprise Security to map our correlation searches against MITRE Tactics and Techniques without installing more apps like MITRE Dashboard or Splunk Security Essentials? This mapping can help to see what security coverage we have and what requires improvement. Many thanks in advance.
Hi, why do we use an IF in Splunk Cloud? I know an HF can work as an IF, so why don't we call it an HF itself? What will happen if we don't use an IF?
Hi, an indexer can do parsing and indexing, so why do we use an HF between the UF and the indexer?
All, I am using the universal forwarder for Windows to send to my indexer. I have installed the Splunk app for Windows on the indexer. How does the indexer know the difference between Security, System, and Application logs? Is that figured out automagically? Thanks, Jim
Hi, I have a single indexer in my Splunk on-prem environment. I wish to take the indexer offline so that I can perform a system upgrade. I am running on RHEL 8.3. The docs state the default restart period after issuing the splunk offline command is 60 seconds. I wish to change this to 60 minutes so that the upgrade will complete in time, before issuing the splunk restart command. The docs state that I can do this by issuing the following command, passing 3600 as the argument:
splunk edit cluster-config -restart_timeout <seconds>
However, when I run this command on my indexer I get the following message:
mode=disabled cannot edit config. Please pick a mode [master|slave|searchhead] to edit clustering properties
Which option should I use? I'm reluctant to use any of the options as I don't have clustering enabled in my environment (no clustering for indexing or search heads), so I don't want to make any unnecessary changes. Thanks.
The upgrade to the KVStore engine wiredTiger fails with "Search head cluster has static captain". This is a two-node search head cluster (adding a 3rd search head is not an option at this time). So how do I upgrade the KVStore engine to wiredTiger?
Hello, is it possible to obtain some generated data for the APM section in the Observability demo?
I would like to create an alert when a new QID from Qualys is published. For that I'm using the FIRST_FOUND_DATETIME field and comparing it with today's date. The date format for that field's result is in GMT; I want it in PST. Also, whenever FIRST_FOUND_DATETIME is the current date, it should trigger the alert or list the QIDs associated with today's date.
Hello, I am trying to write a query that will display failed logins (Account_Name, Host, Count).
First Query:
index=wineventlog EventCode=4625 | top limit=20 Account_Name host | where count > 9
Con 1: Displays "-" in some of the Account_Name fields.
Pro 1: Displays all the count and host fields correctly.
Second Query:
index=wineventlog EventCode=4625 | rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<Account_Name>\V+)" | top limit=30 Account_Name host | where count >=9
Con: Displays all the Account_Name, count and host fields correctly but displays a lot fewer results in the table compared to the first query.
Pro: Displays all the Account_Name, count and host fields correctly.
I need a query that will display all the Account_Name, count and host fields correctly as well as display the same number of results as the first query. Any help is appreciated. Thanks in advance.
Hi, currently my query produces the correct results, but they are all aggregated into single cells, and I would like to have them separated depending on the results found. What I would like is to have "Offers/Redeemed/Take_Rate" listed and calculated for each unique combination of results found for pointBank/merchant. So:
Offers  Redeemed  PointBank  Merchant  Take_Rate
2       1         A          A         50
3       1         A          B         33.3
6       3         B          A         50
5       1         B          C         20
My current query is:
host="server" source="/home/xyz.log" earliest=-1@d latest=now
| fields "promotionAction" "pointBankCode" "merchantCode"
| search (promotionAction="*") pointBankCode="*" merchantCode="*"
| stats count(eval(promotionAction= "OFFERED")) AS Offers count(eval(promotionAction= "ACCEPTED")) as Redeemed values(pointBankCode) as PointBank values(merchantCode) as Merchant
| eval Take_Rate=((Redeemed)/(Offers)*100)
I'm trying to plot the following as a scatter chart: The y-axis should be the namespace. Namespace is a small set of strings, e.g. "default", "argo" or "kube-system". The x-axis is time. Each point should be coloured either green or red depending on whether the workflow succeeded or failed.
Problem 1 - you cannot have non-numeric x and y axes. Time does not appear to be numeric. So how do I convert my namespace to a number? I think it should be 0..N based on its index in the values that namespace can be.
Problem 2 - how to colour points?
This is how far I have gotten so far:
index=foo sourcetype=eventrouter host="event-router-*" source="foo/*" event.involvedObject.kind=Workflow (event.reason=WorkflowSucceeded OR event.reason=WorkflowFailed)
| convert num(_time) as x
| table event.metadata.namespace x event.reason
I could retrieve the list of the transactions as a single event with the search below. Transactions start with "Dashboard Load:" and end with "Total Dashboard Load Time".
| rex "Account: (?<account>[^\,]*), SiteID: (?<siteID>[^\s]*) - (?<duration_in_ms>[^\s]*) milliseconds on Requestor: (?<requestor>[^\,]*)"
| transaction agent endswith="Total Dashboard Load Time"
| eval duration_in_sec=round(avg(duration_in_ms)/1000,2)
| table agent account siteID flow duration_in_sec
I could find the delta between each event as multiple events with the search below.
| rex "Account: (?<account>[^\,]*), SiteID: (?<siteID>[^\s]*) - (?<duration_in_ms>[^\s]*) milliseconds on Requestor: (?<requestor>[^\,]*)"
| streamstats current=f last(_time) as last_time2 by agent
| rename _time as current_time2
| eval delta= last_time2 - current_time2
| eval last_time =strftime(last_time2, "%m/%d, %H:%M:%S.%6N")
| eval current_time =strftime(current_time2, "%m/%d, %H:%M:%S.%6N")
| table agent account siteID flow duration_in_sec last_time current_time delta
I'm looking to see if I can find a delta between events in a single transaction. The transaction starts with "Dashboard Load" and ends with "Total Dashboard Load Time".
Expected Result Format:
agent, account, siteID, list of flow (all 5 Dashboard Load actions), duration_in_sec, list of event times, list of deltas between event times
agent - the name of the agent
account - account #
siteID - site #
list of flow - all action flows
duration_in_sec - Total Dashboard Load Time
list of event times - list showing all event times
list of deltas between event times - list showing the 4 delta times between each flow
Below is a sample of 2 data of 5 events:
2021-12-16 05:30:43,834 alpha - Dashboard Load: User Clicked on New
2021-12-16 05:30:46,498 alpha - Dashboard Load: User Clicked on AccountSearch
2021-12-16 05:31:05,420 alpha - Dashboard Load: User Clicked on Search with String abcdef
2021-12-16 05:31:08,557 alpha - Dashboard Load: User clicked on Searched Result 123456
2021-12-16 05:31:12,234 alpha - Total Dashboard Load Time for Account: 000111222, SiteID: 123- 3438.0 milliseconds on Requestor: xoxoxo
Previously, I had set up SSO for our controllers. This time, I need to set up SSO for the accounts portal in Azure. Is there any reference or documentation on how to do this?
Lines in my sourcetype are not being picked up correctly at all. Each event is being split into dozens of lines. Also, when I go into the Settings in the UI for sourcetypes, I see all of the configs matching what I have set except for SHOULD_LINEMERGE = true. This comes up as false. I try resetting it in the UI and it still comes up as false, even though that should not be set anywhere. btool shows it should be set to true, but it still comes up as false. btool shows these settings:
[kube:container:applicationservice-app]
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (\d{2}\:\d{2}\:\d{2}\.\d{3})(?:\s\[Thread)
MAX_TIMESTAMP_LOOKAHEAD = 128
SHOULD_LINEMERGE = true
TIME_FORMAT = %H:%M:%S.%Q
I am working on a dashboard where my source has values like /opt/commands/abc.env. I want to print XYZ in ConfigType if my source contains "commands". Right now I am using the regex
| rex field=source "(?<ConfigType>commands)"
and it's printing ConfigType=commands, but I need to print ConfigType=XYZ.
I have a dashboard with four pie charts across the top. I've set up drilldowns for these that open a new tab. However, I'm wondering if it is possible to put an events panel below them and, depending on which pie chart is clicked, dynamically build the SPL for the events panel. The four pie charts have very different searches and drilldowns, so I cannot simply populate some tokens for use with the events panel. I would need to actually build the SPL dynamically and pass that to the events panel. Is that even possible? Thanks.
It seems that version 1.1.8 from Feb. 6, 2021 still does not support Admin API v2 handlers for authentication logs, according to the URL: Does Duo's Splunk Connector support Admin API v2 handlers for authentication logs? Are we supposed to use http://github.com/duosecurity/duo_log_sync/ to send to the Splunk SIEM on 9997? But it seems that config.yml does not support the sslPassword needed to write the logs to Splunk indexers. Could duo_splunkapp/bin/lib/duo_client's files (client.py at version 4.1.0) be upgraded to the same version as the ones in duo_client-4.3.0-py3.7.egg/duo_client/client.py at version 4.3.0? Any other options or inputs?
Hi, I need to schedule an alert every 2 minutes between 8 PM and 11 PM in Splunk Cloud. Could anyone help, please?
Hi - I have a Splunk UF monitoring many directories on an rsyslog (receiver) server. One of the directories populated with logs as expected. However, the input stanza had the incorrect sourcetype and the data/logs did not index. Now, after removing the sourcetype, I need to reset the UF to re-monitor the log files in that single directory only. I do NOT want to re-index everything the UF monitors. Please advise the best way to handle this. Thank you.