Hello, I'm trying to find out about the recent CVE-2021-44228 and CVE-2021-45046 (log4j). I use the Cisco Networks Add-on, which is not supported by Splunk. We can see the products impacted by CVE-2021-44228 and CVE-2021-45046 at the link below, and I know the Cisco Networks Add-on isn't listed there. Splunk Security Advisory for Apache Log4j (CVE-2021-44228 and CVE-2021-45046) | Splunk But I'm not sure whether the Cisco Networks Add-on has a risk or not, because it isn't supported by Splunk. Do you know whether the Cisco Networks Add-on has a risk or not? If it has a risk, please tell me how to resolve it. Thanks.
Hi, I have a few logs with data as shown below. I need to extract them as fields and create a chart using those values. Can anyone please help me with this?

16/Dec/2021:22:20:32 +1100 [qtp1936628443-884] [correlationId=b25d79ca-2b70-4912-93f4-1dc5f58841c8]  - 2021-12-16T11:20:32.362,,55955f24-a900-e3a7-e053-071bf40a1f09,,,PDS_ERR_API_GET_0001,API GET Call Failed with HTTP Status Code of 4xx Client Error,400,Bad Request,jbcsjhcjehcihdc

I need to extract the values "PDS_ERR_API_GET_0001", "400" and "Bad Request". Thanks in advance.
How to perform calculations on a given day of the week? Specifically, I want to compare a given time value, say given_date, with a given day of the week of a given week, say, next Friday. If I want to perform the calculation, say, for a week from now, I can use if(given_date > time() + 7 * 86400, "later", "earlier") (This can be easily adjusted for the beginning of day, etc.) If today is Friday, the above will tell me whether given_date is earlier than or later than next Friday. But if today is Monday, it only tells me whether it is earlier or later than next Monday. For event data, I can extract the day of the week from date_wday. Is there a calculator/function to do that for an arbitrary time value? I suppose I can use strftime(time(), "%w") to determine the delta from the desired day of the week, then add/subtract whole weeks to reach the desired day. (Unlike date_wday, strftime() gives a numeric value that is easy for calculation.) Is there a more direct way?
Hi, I need to change the Splunk default button visualization from a rectangle shape to a circular shape. Can you please tell me the steps for how to do it? Below are the sample shapes, to this shape.
Using the Splunk Universal Forwarder for Windows. Does the forwarder identify the data as wineventlog? How is that set?
I have registered for Splunk Phantom Community edition download. I still have not received the email with the download information. 
We're testing Cloud to Cloud logging of zscalernss-web using HEC in a trial Splunk Cloud platform. We ran into an issue configuring the Zscaler Add-On for Splunk app. It keeps spinning without showing any data. Is it possibly related to the trial account having limited functionality? Please advise. Expected output: Thanks, Asif
Hi, While moving from RSA NETWITNESS SIEM TOOL to SPLUNK SIEM tool, what are the checklists to be considered and how to ingest the logs from RSA Netwitness to Splunk.
I have a requirement for having start and stop times with their status projected over time as a line graph. I have the query below, which provides the desired results, but when I go to the viz it isn't showing anything since the values projected over the Y axis are alphanumeric. Is there a way that I can project this on a timeline? Below is my query and a screenshot of the viz and results.

<base search>
| eval epochtime=_time
| eval desired_time=strftime(epochtime, "%b %d %Y %H:%M:%S.%3N")
| rex "INFO : (?<status>\w+)"
| eval Time_and_status= desired_time + status
| timechart span=20m values(Time_and_status)
| fillnull value=0 values(Time_and_status)

On the graph I see a flat line all over. Values/Stats Viz/Graph
Hi, this error message started popping up on Splunk Cloud. As you already know, in Splunk Cloud you do not have SSH access to the internal files of Splunk, bin, etc. Why is this happening and how can I solve it?
e.g. query:

| makeresults
| eval application="FSD", val_1="A", val_2=4839, val_3=5000
| append [| makeresults | eval application="ABC", val_1="B", val_2=1000, val_3=3215]
| append [| makeresults | eval application="ABC", val_1="E", val_2=478, val_3=4328]
| table application val_1 val_2 val_3
| sort application

The above query produces the result table (Table) and the chart looks like (chart). Question: instead of 2 stacked columns for ABC, I want 1 column (ABC) with 4 stacked values (1000, 3215, 478, 4328) and the FSD column with 2 stacked values as it is now. Please help.
Hello, I'm trying to filter Cisco logs so that all data shows up in its own folder in syslog-ng. However, only some of the data is showing up and most of it is going to the catchall directory. Cisco log messages start out with a %. When adding the asterisk to the filter it seems to ignore it. Here is a piece of the filter I use in the syslog-ng.conf:

filter f_cisco_ios {
  message("%AUTHMGR") or message("%DOT1X") or message("%MAB") or message("%LINK") or
  message("%LINE") or message("%DUAL") or message("%ISDN") or message("%EPM") or
  message("%OSPF") or message("%AUTHPRIV") or message("%LINEPROTO*") or message("%LINK*")
};

I'm trying to get any messages with %LINK* to filter to the ciscoios folder, but it keeps sending them to the catchall directory. It seems like the syntax I am using is incorrect, or maybe there is a better way to filter this without using "message" with filter.
Hello, is it possible to create a search in which we ask for the top requested URL for each IP? Something like:

index="cisco" | foreach src_ip [stats count by cs_url_host]
I want to search for "index=*" .... what is the best way to run it? I tried to run "index=\*" but it's not working.
Hi All, I am using the below search to calculate the time difference between two events, i.e., 6006 and 6005. 6006 is the event start time and 6006 is the event stopped time. If we find the difference we will get to know the downtime of the system. This is what I have tried. For a few systems it is right and for a few it is wrong.

index="wineventlog" host IN (xxxx) EventCode=6006 OR EventCode="6005" Type=Information
| stats latest(_time) as StartUp by host
| join host [ search index="wineventlog" host IN (xxxx) | stats latest(_time) as Shutdown by host ]
| eval difference=StartUp-Shutdown
| eval humanTime = strftime(difference*86400)
| table host humanTime

Thanks in advance.
Hello, I have my Docker container running with Node.js, and I was reading how to install the agent but am still lost. Can someone give me any tips about how to install the agent? Thanks.
I want to remove this clone option and the 3 dots option for normal users, i.e. for the role = users.
Hi guys, I want to add an image in the background of a Splunk dashboard and I am trying with HTML code, but I am getting the below error while adding it in the source code. Please try to help. Below is the code which I used:

<dashboard version="1.1">
  <label>VLS_Customer Dashboard</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |stats count by "DEPARTMENT CODE"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |stats count by STATUS</query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>|inputlookup Samplebanking1.csv |table "CUSTOMER ID" NAME COUNTRY STATUS LENDER BORROWER BENEFICIARY GUARANTOR "DEPARTMENT CODE" "EXPENSE CODE" "BRANCH CODE"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |stats count by STATUS BORROWER LENDER GUARANTOR BENEFICIARY COUNTRY</query>
          <earliest>-30m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">STATUS</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |chart count over BORROWER by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |chart count over BENEFICIARY by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |chart count over LENDER by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search>
          <query>|inputlookup Samplebanking1.csv |chart count over GUARANTOR by STATUS</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <html>
    <head>
      <style>
        body { background-image: url('"C:\Users\narendra.jyeshta\Downloads\Splunk image.png"'); }
      </style>
    </head>
    <body>
      <h2>Background Image</h2>
      <p>By default, the background image will repeat itself if it is smaller than the element where it is specified, in this case the body element.</p>
    </body>
  </html>
</dashboard>
Hi, I have a requirement to fetch a value like asf55-hsgf-56bj4b-rdhh-5b4f. These values are sent from the applications in two different ways:

1) message: dhgfsjd{endbjjdfg, country=hongkong, server=gvfhsd, idVal=asf55-hsgf-56bj4b-rdhh-5b4f, error=gvrf hdfhdsf, errorCode=47574}

The other format is:

2) message: dhgfsjd{endbjjdfg, country=[hongkong], server=[gvfhsd], idVal=[asf55-hsgf-56bj4b-rdhh-5b4f], error=[gvrf hdfhdsf], errorCode=[47574]}

I am supposed to extract the idVal value in a way that satisfies both cases above. I have tried the below rex command:

|rex field = message "(idVal={1}(?P<ppid>.+?,))" | eval value =split(ppid,",")

output: asf55-hsgf-56bj4b-rdhh-5b4f

The above command is working fine for the first case alone, but for logs with the second case it returns the output as [asf55-hsgf-56bj4b-rdhh-5b4f].
Hello everyone, I need help with regex. I have this search:

index=* | regex Commandline="my_regular_expression"

How can I add one more regular expression with an OR condition? Something like this:

| regex Commandline="my_regular_expression" OR | regex Commandline="my_regular_expression2"

Thank you