I have a dashboard that has a date filter. I have embedded a report in this dashboard. Here is what the report part of the dashboard looks like:

    <panel>
      <table>
        <title>My Test Report</title>
        <search ref="my_test_report"></search>
      </table>
    </panel>

So how can I use the dashboard date filter with this embedded report too?
I have a Splunk Heavy Forwarder server that is an rsyslog server as well. When Splunk sees the syslog data, it sets the sourcetype, then the index name, before it is sent to indexing.

props.conf

    [rsyslog]
    TRANSFORMS-force_vmware = force_sourcetype_vmware, force_ix_vmware

transforms.conf

    [force_sourcetype_vmware]
    SOURCE_KEY = MetaData:Host
    REGEX = ^host::(10\.30\.31\.\d+)
    DEST_KEY = MetaData:Sourcetype
    FORMAT = sourcetype::esxi

    [force_ix_vmware]
    SOURCE_KEY = MetaData:Sourcetype
    REGEX = ^sourcetype::(?i)esxi$
    DEST_KEY = _MetaData:Index
    FORMAT = vmware

This works fine. I would now like to remove all lines (that are from vmware) that start with:

    <134>2021.....
    <166>2021.....

To do so, I made a regex like this:

    REGEX = ^<(134|166)>2021

I know that to remove some, I should use:

    DEST_KEY = queue
    FORMAT = nullQueue

But I cannot get it to work. How do I make sure I only remove the correct data, from vmware only?
Hi, I have a script which can pull the service status for each service. I have defined it to be a common sourcetype, with a LINE_BREAKER regex pattern:

    ([\r\n]+)\w+\=\"\w+\"\,\w+\=\"\w+\"\,\w+\=\d\,\w+\=\"\w+\"

The script would output the sample below:

    service_name="XXXX",os_service="jboss",status_value=1,status="Running"

It was alright until I started monitoring microservices, which break the above pattern on the os_service field. Sample output is below. If you see the issue here, the os_service now has "-" in between, and it varies for each of the sub-services or os_service. Is there any generic way to capture anything under os_service with a common regex, so that if we pass any os_service name it would handle both the normal os_service as in the example above and also be used for the microservices os_service?

    service_name="Microservices",os_service="xx-xx-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-application-service",status_value=1,status="Running"
    service_name="Microservices",os_service="buxx-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xx-cuxxxxxx-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxxx-organisation-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxxx-event-service",status_value=1,status="Running"
    service_name="Microservices",os_service="coxx-xxx-check-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-bxx-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-pxxx-sanXXXXX-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-core-application-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-core-cuxxxxxx-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-core-organisation-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-core-event-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-core-xxx-check-service",status_value=1,status="Running"
    service_name="Microservices",os_service="gateway-service",status_value=1,status="Running"
    service_name="Microservices",os_service="xxx-bxx-service",status_value=1,status="Running"
Hi Splunk Community, I have run into an interesting scenario where I need to write a field extraction that will parse a specific part of WinEventLog add-on data and return the results. This is related to the Log4j vulnerability, so it hopefully has some real value.

The issue I am running into is that the regex I have built will match java files that contain 'log4j', but it will only extract the first instance in the body of the text that it sees, rather than all instances of log4j files. I believe I need a way to perform a positive lookahead (or something similar) to match the results, and then continue to match results on that same event before moving on.

Example Data below:

Field Value Data:

    "C:\Something Something\Something Something Base\jre\bin\javaw.exe" -cp "C:\Something Something\Something Something Base\lib\patches.jar/;C:\Something Something\Something Something Base/classes;C:\Something Something\Something Something Base\lib/aopalliance-repackaged-2.5.0-b42.jar;C:\Something Something\Something Something Base\lib/slf4j-log4j12-1.7.5.jar;C:\Something Something\Something Something Base\lib/javax.annotation-api-1.2.jar;C:\Something Something\Something Something Base\lib/log4j-1.2-api-2.15.0.jar";C:\Something Something\Something Something Base//log/ff3ad640-9eb4-11eb-a0b2-1de605f6535b\mini_probe\23468"

101_input.txt

First Extraction Query Attempt:

Query:

    | rex field=Process_Command_Line "(?P<hasLog4>(?:([\/log4j]{6}.*?(?=;))))"

Result:

    /log4j-1.2-api-2.15.0.jar

The problem with the above extraction is that while it will match 'log4j' files, it will only match the first occurrence in the field value above and then move on to the next event. I need it to essentially read through the entire string and extract all instances of the matched regex before moving to the next event. Also, as you can see, it can miss certain types of 'log4j' files, so I will need to clean up the regex anyway to fix that.

Second Extraction Query Attempt:

Query:

    | rex field=Process_Command_Line "(?P<test>C:(.*?)(?=jar|exe))"

Result:

    C:\Something Something\Something Something Base\jre\bin\javaw

The problem with this query is that it matches immediately with the first result in the field value and then moves on to the next event, never getting to where the 'log4j' file exists in the string.
Hello, I'm working in Splunk Enterprise with the search queries. I use a Website monitoring app for my website. I run a search to send my alerts when the website is not responding, and it is working fine. How do I run a query to send an alert for that website when it was down 5 minutes ago and is now OK? I would greatly appreciate your help. Br.

My search that looks for errors:
Hi all, I have to create a Technical Add-On to integrate Qumulo Audit logs into Enterprise Security. I found that there's an archived app, but it didn't contain any useful props. So I tried to do the CIM 4.x normalization myself. Has anyone encountered and solved this problem, or can anyone give me a hint? Ciao. Giuseppe
Hello. I have two, possibly related, problems with my three node SHC (version 8.2.2). One or both may stem from using the Deployer to push out changes to app.conf for the default apps (I was trying to disable checks for updates).

1. On the DMC, each SHC node reports file differences in app.conf for default apps. Also, some files are listed as missing for splunk_essentials_8_2. I tried correcting this by reversing the work undertaken with the Deployer, without success. I then decided to make the same changes on each node manually.

2. The SHC nodes report:

    [date] ERROR ConfReplicationThread [13247 ConfReplicationThread] - Error pulling configurations from captain=https://shc_1:8089, consecutiveErrors=74 msg="Application does not exist: 504df959a582d73": Search head cluster member (https://shc_2:8089) is having problems pulling configurations from the search head cluster captain (https://shc_1:8089). Changes from the other memers are not replicating to this member, and changes on this member are not replicating to other members. Consider performing a destructive configuration resync on this search head cluster member.

These messages are stopped with:

    bin/splunk resync shcluster-replicated-config

However, the problem returns if the SHC nodes are restarted. I would be grateful for your help in fixing these problems.
When navigating to Authentication Methods, the banner fails to load the JavaScript, and the "LDAP settings" link is not displayed (nor any of Messages, Settings, Activity, Help on the banner) when using Chrome. When I open up the Chrome console, I get the following errors:

    common.min.js:33956 Uncaught SyntaxError: Invalid or unexpected token
    i18ncatalog?autoload=1&version=%40281E8CE18DE93D7582107EA51FC4922C2368567DA901CA15529AA32D442DCF54:1 Uncaught ReferenceError: i18n_register is not defined
        at i18ncatalog?autoload=1&version=%40281E8CE18DE93D7582107EA51FC4922C2368567DA901CA15529AA32D442DCF54:1
    (anonymous) @ i18ncatalog?autoload=1&version=%40281E8CE18DE93D7582107EA51FC4922C2368567DA901CA15529AA32D442DCF54:1
    authoverview:273 Uncaught ReferenceError: $ is not defined
        at authoverview:273
    (anonymous) @ authoverview:273
    authoverview:537 Uncaught ReferenceError: $ is not defined
        at authoverview:537
    (anonymous) @ authoverview:537
    modules-c0c0a7f0612c552bdcc203c94d947b0fa5bcf748.min.js:511 ReferenceError: i18n_register is not defined
        at modules-c0c0a7f0612c552bdcc203c94d947b0fa5bcf748.min.js:3
    modules-c0c0a7f0612c552bdcc203c94d947b0fa5bcf748.min.js:511 Uncaught ReferenceError: $ is not defined
        at modules-c0c0a7f0612c552bdcc203c94d947b0fa5bcf748.min.js:511
    (anonymous) @ modules-c0c0a7f0612c552bdcc203c94d947b0fa5bcf748.min.js:511
    authoverview:612 Uncaught TypeError: Cannot set properties of undefined (setting 'loadParams')
        at authoverview:612
    (anonymous) @ authoverview:612
    authoverview:626 Uncaught TypeError: Cannot read properties of undefined (reading 'System')
        at authoverview:626
    (anonymous) @ authoverview:626
    init.js:3 Uncaught ReferenceError: i18n_register is not defined
        at init.js:3

These all seem to point to issues with i18n_register, but I'm not sure exactly what has gone on here that I would be getting these errors. It's being used as a search head. Version is 8.1.4. Thanks!!
Hi all, I noted a strange thing: in a Splunk 8.2.2 with ES 6.6.2, the customer scheduled some daily reports with a time period of 24 hours, and I found that the dispatch.ttl for these reports has the default value of "2p", which should mean 2 days. But the customer also found that the search results are maintained on the Splunk server for around 30 days. Can anyone help me understand the reasons for this behaviour and where to find the problem? And how can I reduce this disk space occupation? Ciao. Giuseppe
Is Splunk Security Operations Suite available on-prem or in the cloud? Or both?
The automatic color of the area chart is coming out grey. I want to change it to purple, as per the organization's theme. Kindly help me with how to do it.
Hello, I'm trying to find out about the recent CVE-2021-44228 and CVE-2021-45046 (log4j). I use the Cisco Networks Add-on, which is not supported by Splunk. We can see the products impacted by CVE-2021-44228 and CVE-2021-45046 at the link below, and I know the Cisco Networks Add-on isn't listed there. Splunk Security Advisory for Apache Log4j (CVE-2021-44228 and CVE-2021-45046) | Splunk. But I'm concerned about whether the Cisco Networks Add-on has a risk or not, because it isn't supported by Splunk. Do you know whether the Cisco Networks Add-on has a risk or not? If it has a risk, please tell me how to resolve it. Thanks.
Hi, I have a few logs with data as shown below. I need to extract them as fields and create a chart using those values. Can anyone please help me with this?

    16/Dec/2021:22:20:32 +1100 [qtp1936628443-884] [correlationId=b25d79ca-2b70-4912-93f4-1dc5f58841c8]  - 2021-12-16T11:20:32.362,,55955f24-a900-e3a7-e053-071bf40a1f09,,,PDS_ERR_API_GET_0001,API GET Call Failed with HTTP Status Code of 4xx Client Error,400,Bad Request,jbcsjhcjehcihdc

I need to extract the values "PDS_ERR_API_GET_0001", "400" and "Bad Request". Thanks in advance.
How do I perform calculations on a given day of the week? Specifically, I want to compare a given time value, say given_date, with a given day of the week of a given week, say next Friday. If I want to perform the calculation, say, for a week from now, I can use

    if(given_date > time() + 7 * 86400, "later", "earlier")

(This can be easily adjusted for beginning of day, etc.) If today is Friday, the above will tell me whether given_date is earlier or later than next Friday. But if today is Monday, it only tells me whether it is earlier or later than next Monday. For event data, I can extract the day of the week from date_wday. Is there a calculator/function to do that for an arbitrary time value? I suppose I can use strftime(time(), "%w") to determine the delta from the desired day of the week, then add/subtract whole weeks to reach the desired day of the week. (Unlike date_wday, strftime() gives a numeric value that is easy for calculation.) Is there a more direct way?
Hi, I need to change the Splunk default button visualization from a rectangle shape to a circular shape. Can you please tell me the steps for how to do this? I have placed the sample shapes below, to this shape.
Using the Splunk Universal Forwarder for windows.  Does the forwarder identify the data as wineventlog?  How is that set?
I have registered for Splunk Phantom Community edition download. I still have not received the email with the download information. 
We're testing Cloud to Cloud logging zscalernss-web using HEC in a trial Splunk Cloud platform. We ran into an issue configuring the Zscaler Add-On for Splunk app. It keeps spinning without showing any data. Is it possibly related to the trial account with limited functionality? Please advise.

Expected output

Thanks, Asif
Hi, while moving from the RSA NetWitness SIEM tool to the Splunk SIEM tool, what checklists need to be considered, and how do we ingest the logs from RSA NetWitness into Splunk?
I have a requirement for having start and stop times with their status projected over time as a line graph. I have the query below, which provides the desired results, but when I go to visualize it, it isn't showing anything since the values projected over the Y axis are alphanumeric. Is there a way that I can project this on a timeline? Below are my query and screenshots of the viz and results.

    <base search>
    | eval epochtime=_time
    | eval desired_time=strftime(epochtime, "%b %d %Y %H:%M:%S.%3N")
    | rex "INFO : (?<status>\w+)"
    | eval Time_and_status= desired_time + status
    | timechart span=20m values(Time_and_status)
    | fillnull value=0 values(Time_and_status)

On the graph I see a flat line all over.

[Screenshots: Values/Stats; Viz/Graph]