I try to use the query   eval ID = if(ORG="MC",ID=substr(ID,-6),0)   Basically, I want in my result, if ORG="MC", to extract the last 6 characters of the field ID that goes with it; otherwise it should stay the same. But the result table always shows ID as False if ORG="MC". How do I fix my query, or do I have to go the other way?
Hi, I have a field called "catgories" whose value is in the format of a JSON array. The array is a list of one or more category paths. The paths are in the form of a comma separated list of one or more (category_name:category_id) pairs.

Three example events have the following category data:

"categories":"[{"categ_name_a":"categ_id_a","categ_name_b":"categ_id_b","categ_name_c":"categ_id_c"},{"categ_name_m":"categ_id_m","categ_name_n":"categ_id_n"},{"categ_name_z":"categ_id_z"}]"
"categories":"[{"categ_name_d":"categ_id_d","categ_name_e":"categ_id_e"}]"
"categories":"[{"categ_name_f":"categ_id_f"}]"

For each event, I am trying to extract the list of " >> " separated category_ids in each path into a multivalued field. So using the examples above I want to get a list of category paths:

event #   category_paths
1         "categ_id_a >> categ_id_b >> categ_id_c"
          "categ_id_m >> categ_id_n"
          "categ_id_z"
2         "categ_id_d >> categ_id_e"
3         "categ_id_f"

I have no way of knowing what the category names or ids will be or how many (category_name:category_id) pairs there will be in each category path. I also won't know how many category paths are in the categories JSON array. I have tried a bunch of ways to get at the data (spath, json_extract, regex) but I am new to this type of nested extraction.

| makeresults | eval categories="[{\"categ_name_a\":\"categ_id_a\",\"categ_name_b\":\"categ_id_b\",\"categ_name_c\":\"categ_id_c\"},{\"categ_name_m\":\"categ_id_m\",\"categ_name_n\":\"categ_id_n\"},{\"categ_name_z\":\"categ_id_z\"}]" | spath input=categories output=category_paths path={}

Can anyone help me? Thanks!!!
Hi Guys, I am quite new to Splunk. I was looking around to see any Splunk documents pertaining to Data Fabric Search (DFS) as there is an impact since it leverages Log4j. However, I can't seem to find how to check if my Splunk Enterprise is using it. Is there a setting that I can check from the Search Head, Indexer, etc. to see if DFS is enabled? Also, does it mean that if I did not install the DFS Manager App, I am not using the DFS functionality? Thank you, Rafiuddin
Hi, We need to move certain indexes to a completely different deployment. I need to make an estimate on how many heavy forwarders are currently being used to process data to these indexes. Your advice will be very helpful. Thanks
Hello, I have the following query.

<base query> | rex field=msg "HTTP/1.1\\\" (?<http_status>\d{3})" | where http_status=200 OR http_status=401 | eval event_date=strftime(_time, "%x") | chart count over event_date by http_status | eval "401 percentage" = round('401'*100/('200'+'401'),2)."%"

That gives me the following table:

event_date   200   401   401 percentage
==========   ===   ===   ==============
11/28/21     61    24    28.24%
11/29/21     295   96    24.55%

However, when I go to Visualization, I don't see "401 percentage" on the line chart, but I see the "401 percentage" legend. Any idea why, and how to get "401 percentage" to show up on the chart? Also, currently the column headers for http_status are the values 200 & 401. How do I change the column headers to "HTTP 200" & "HTTP 401"? Thank you. I'd greatly appreciate the help!
I set up an Intelligence Download for https://threatfox-api.abuse.ch/api/v1 to use with the POST argument. However, I am constantly getting the error:

Caught HTTPError when querying https://threatfox-api.abuse.ch/api/v1: code=405 exc=HTTP Error 405: Method Not Allowed

I also see the log line:

file=threatlist.py:download_csv:333 | status="CSV download starting"

However, this URL does not return a CSV. It will return JSON, and I am planning to use (?ms) in the extract regex to parse it. Is ES thinking that this is a CSV and doing a GET instead of a POST? How do I control that? I have in the UI set the POST argument to be a JSON string required by the API. I am able to run curl and retrieve the output from this URL.
I have a few error messages in my ES about searches being delayed. How do I find the root causes if multiple delays are taking place at different stages? Is it possible to find the stops & why searches are being delayed? Thank you for your response.
This includes High priority mostly. How do I view a list & provide a solution, please? The error indicating the delays shows up as an error message on the Ent. & even the ES server we have. Thanks a million.
Splunk Enterprise (on-prem) is reported as having a hotfix for this CVE, 8.2.3.2, but I am unable to locate the hotfix. We do not run DFS, but management still wants this hotfix applied. Also, is there a way to test for the vulnerability before and after the hotfix?
What are some best practices for collecting DB logs from an MSSQL server, please? Are there Apps, or is it better done manually? Please provide details if you would. We need the search / App to tell us size, source, server names, IPs and so forth. I thank you for your reply in advance.
Our particular on-call agreement is not 24/7 but has some periods where nobody is on call. At the moment, when a caller calls the on-call number, one of three things will happen:

If an operator is on call, and they pick up the phone, then the caller speaks with the operator.
If an operator is on call, and they do not pick up the phone in time, then the caller leaves a message (which is transcribed and made into an incident, and the audio is available on Twilio).
If nobody is on call, the phone rings indefinitely until the caller hangs up in frustration.

We would prefer that, if nobody is on call, the caller leaves a message, as in the second case. Our setup is pretty simple, with just one rotation every day from 8:00 a.m. through midnight and with a handoff every week. The escalation policy has one step: notify the on-duty user(s) in rotation. The only way I can think to fix this would be to add a bot user with some phone number that will never pick up that assumes on-call from midnight to 8 a.m., but (a) that seems pretty hacky, and (b) it doesn't appear possible to add non-human users anyway. Is what I want possible? Thanks, Matt
index=* host=* rule=corp_deny_all_to_untrust NOT dest_port=4242 | table src_ip dest_ip transport dest_port application

I am able to get the source IP with this query. How can I get the AWS instance name? There is no such interesting field as AWS instance name. Kindly help.
Does Splunk have a patch for CVE-2021-4428? Qualys has identified the Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell) on the Splunk servers. Please update impacted Splunk infrastructure with any updates they provide.
2021-12-13T05:22:49.578070-05:00 tp-docker6 b064ec36df18[1851]: cid:d4b7ce5a71da4dc8ab1d5ce535149ce7 code_version:release-2021-49 2021-12-13 10:22:49,577 - core.external - INFO - Response status: 409 Payload: b'{"status":"conflict","statusMessage":"POINTS - Transaction already computed.","transactionId":"5000-3816-8092-5283-8043","reversalTransactionId":null}' CID = d4b7ce5a71da4dc8ab1d5ce535149ce7 CodeVersion = release-2021-49 host = tp-docker6.points.com source = /logs/docker/application-platform-6b.log
I tried to set up logstash -> splunk cloud trail, but due to the SSL issue I cannot forward. Does anyone have any idea? You may open the link below and see: https://inputs.prd-p-ij0c3.splunkcloud.com:8088/ The logstash http output error -> ssl certificate name mis-match. I don't have the option to disable the SSL.
I am using the Splunk connector for Kafka. https://github.com/splunk/kafka-connect-splunk/releases https://splunkbase.splunk.com/app/3862/#/details The version we are using is 1.1.0. Is this impacted by the latest Log4j RCE vulnerability? Please let us know.
Hi, I've set up a Splunk monitor to send some JSON files to Splunk; however, it doesn't send invalid JSON files. I can see the reasoning behind this, but I'd like to keep invalid JSON files so that I can see which ones are valid/invalid on my dashboard. Is there any way to make Splunk send over all JSON files even if they're invalid? Thanks

Edit: For instance, could I maybe make a sourcetype which sets the sourcetype field to be "json" if valid and "invalid_json" if not valid?
Hello, I am trying this for the first time. I installed SC4S on my HF server and connected SC4S with the HF using the HEC URL and token. As checked, I am receiving data for SC4S events from the HF. However, when the syslog is being forwarded from NetScaler over the ports, I am not receiving any data. Apart from the installation of SC4S and updating the HEC URL and token, I have enabled UDP port 514 in iptables to accept data. I would really appreciate it if anyone can help me in resolving this.
Hi, I installed Splunk Stream to receive IPFIX. When I generate the IPFIX log with the third-party app I can see IPFIX in Splunk, but I can't see any IPFIX traffic generated from NSX-T. I can also see the IPFIX traffic on the Splunk machine with Wireshark, but it doesn't show in Splunk. Has anybody faced this problem?