Hi everyone, I'm new here and having a problem filtering numbers out of a message.

message: Generated non direct deposit usages: 4

I just want to get the number. The number can be of any length. Who can help? Thx
| makeresults
| eval _raw = "user_name machine_name event_name logon_time
user1 machine1 logon 12/9/2021 7:20
user1 machine1 logoff 12/9/2021 7:22
user1 machine1 logon 12/9/2021 8:20
user1 machine1 logoff 12/9/2021 8:22"
| multikv forceheader=1
| eval _time = strptime(logon_time, "%m/%d/%Y %H:%M")
```| reverse```
| fields - _raw linecount
| eval login_time = if (event_name == "logon", logon_time, null()), logout_time = if (event_name == "logoff", logon_time, null())
| transaction endswith=(event_name=logon) startswith=(event_name=logoff) user_name machine_name
```| transaction startswith=(event_name=logon) endswith=(event_name=logoff) user_name machine_name```
| eval session_duration = tostring (duration, "duration")
| rename login_time as logon_time
| table user_name machine_name event_name logon_time logout_time session_duration

How do I replace the below section of the query with results from a query?

_raw = "user_name machine_name event_name logon_time
user1 machine1 logon 12/9/2021 7:20
user1 machine1 logoff 12/9/2021 7:22
user1 machine1 logon 12/9/2021 8:20
user1 machine1 logoff 12/9/2021 8:22"

My base query yields data like below which needs to go to _raw:

index=foo source = bar | fields user_name, machine_name, event_name, logon_time

This query will result in 1000s of rows that may look like the below data:

user1 machine1 logon 12/9/2021 7:20
user1 machine1 logoff 12/9/2021 7:22
user1 machine1 logon 12/9/2021 8:20
user1 machine1 logoff 12/9/2021 8:22

I need to feed those thousands of events to _raw to makeresults. Any help is much appreciated. Thanks
Some of my users under LDAP are not displayed from the UI, however, all the missed users are still functioning. The behaviour is the same even if I use the admin account to login. Here is the etc/system/local/authorize.conf:

[role_admin]
accelerate_search = enabled
change_own_password = enabled
delete_by_keyword = disabled
edit_search_schedule_window = enabled
edit_sourcetypes = enabled
edit_statsd_transforms = enabled
embed_report = enabled
export_results_is_visible = enabled
get_metadata = enabled
get_typeahead = enabled
grantableRoles = admin
importRoles =
input_file = enabled
list_inputs = enabled
list_metrics_catalog = enabled
output_file = enabled
pattern_detect = enabled
request_pstacks = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
rtsearch = enabled
run_multi_phased_searches = enabled
schedule_search = enabled
search = enabled
srchIndexesDefault = *;_*
srchMaxTime = 8640000
upload_lookup_files = enabled
Baseline works on both percentage calculation and deviation, so how does this work so efficiently?
Hey, I am having difficulties trying to extract fields from my Splunk logs. They are in the format of '{"field": "value1", "field2": "value2"}'. I've tried using spath but it doesn't seem to work. I think the issue is that the JSON object is enclosed in single quotes so Splunk doesn't recognise it as JSON.
I am encountering an issue when using a subsearch in a tstats query. Specifically, I am seeing the count of events increase as well as taking much longer to run than a query without the subsearch (1.5s vs 85s). Note that in my case the subsearch is only returning one result, so I wouldn't expect such a pronounced performance impact. The examples below use Splunk's own data model that searches over the _audit index, so the performance issue is not as apparent since there are not as many events as in my use-case.

| tstats count FROM datamodel=internal_audit_logs WHERE Audit.action="add"

Returns a count of 33.

| tstats count FROM datamodel=internal_audit_logs WHERE [ | makeresults annotate=f | fields -_time | eval Audit.action="add" ]

Returns a count of 46. This issue is not reproducible with index queries.
Hello Fellow Splunkers! Can someone please explain the need for deploying Splunk with the minimum hardware requirements? If the specs are reduced, is there data loss or just lagging? I constantly get this question and have not been able to find anything on it in the Splunk documentation. Thanks in advance for the help!
I am following the docs and when it asks for logging level it only allows you to choose 1 level. What if I wanted multiple levels? It only seems to allow one to be selected.

Change logging level
On Splunk Web, go to the Splunk Add-on for Cisco Meraki, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Cisco Meraki.
Click the Configuration tab.
Click the Logging tab.
Select a new logging level from the drop-down menu.
Click Save to save your configurations.
Edit: After working with Splunk support, this issue is fixed in TA version 8.5.0.

I recently upgraded our Windows TA from 8.0.0 to 8.2.0. I've noticed that with the Event IDs relating to users being removed or added to groups (4728, 4729, 4732) the user removed or added is logged by Windows with their full DN. Splunk before the upgrade was pulling the full DN and extracting it into the user field. Now it seems to not be doing the same. Our DNs contain "Lastname, Firstname" with the log having that first comma escaped.

12/09/2021 00:00:00 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4732
EventType=0
Type=Information
ComputerName=domaincontroller
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1111111111
Keywords=Audit Success
Message=A member was added to a security-enabled local group.
Subject:
  Security ID: CONTOSO\user_admin
  Account Name: user_admin
  Account Domain: CONTOSO
  Logon ID: 0xD5D5D5DA
Member:
  Security ID: CONTOSO\FLastname
  Account Name: CN=Lastname\, Firstname,OU=Users,DC=CONTOSO,DC=com
Group:
  Security ID: CONTOSO\Group_RW
  Group Name: Group_RW
  Group Domain: CONTOSO

This is extracted correctly into the Account_Name field, though both the Subject and Member users are placed into Account_Name as an mv field. For some reason, when this same value is extracted into user, it gets extracted only as "Lastname\".

I've done a diff on the default\props and transforms and didn't see any changes to the extractions of this field that I can find, and I had no customization here. I'm at a bit of a loss as to why this would even change. We are using the WinEventLog:Security sourcetype as well. Other extractions seem to be working as intended.
Hi, I have 2 sites 2 Indexer cluster master 2 deployers 30 Indexers 30 Search Heads What is the Replication factor and search head factor?
Hello, I have some text I am indexing. In the middle I have a CSV table, and some information at the end. It looks like this:

Text text text text.
#begining of csv#
Aa,BBC,cc,dd
22,1,444,2
44,22,11,3
#end of csv#
Text text text

How do I index only the lines in the CSV as events? Thank you, Dov
Hello everyone, I've just encountered a very unusual incident that I have not seen before in Splunk. I have an alert set up for the following query:

index=apps host=pprd*rctrl* OutOfMemoryError startminutesago=5

It has been running perfectly well for months, along with the 80+ other alerts I have defined. Last night at 12:30:02 AM, we received an OutOfMemoryError that was properly captured and relayed to me. I resolved the issue by restarting the affected service. Problem solved, back to bed. Today at exactly 12:30:02 PM, the same alert was sent again for the exact same log entry that occurred at 12:30:02 AM this morning! I have checked the entire Splunk server cluster and the server instance and all have identical (and accurate) date and time settings. The Splunk Forwarder shows no errors and is running properly. There are no new problems on the server instance, and there hasn't even been a new log entry since about 3:00 AM. I have no idea why this happened, or how it could happen. Any ideas on what's going on?
Hi, when we use the SEDCMD command to mask data it is an index-time extraction, and when we use transforms to mask data it is a search-time extraction. Is it correct?
We have integrated Jenkins -> Splunk for some time (over a year ago) where Jenkins Console Logs are forwarded to Splunk via the Splunk plugin for Jenkins, https://plugins.jenkins.io/splunk-devops/. Console Logs were showing up in Splunk under 2 indices, index=statistics and index=jenkins_console; unfortunately, we stopped seeing logs from Pipeline jobs on index=jenkins_console but Pipeline jobs do show on index=statistics, while Freestyle jobs continue to work for both indices (data available on both). Does Splunk Inc. provide support for both https://plugins.jenkins.io/splunk-devops/ and https://splunkbase.splunk.com/app/3332/#/details? We have reproduced the issue many times over, looked into Jenkins config and Splunk config; any additional suggestions we can look into? Is Univ
When I configure a correlation search with an Annotation of MITRE ATT&CK and create a notable, I don't see any evidence of the Annotation in the notable. Anyone have any ideas how I can search my platform to report on triggered notables by MITRE ATT&CK?
At my current position, I took over for someone who didn't take care of Splunk & Enterprise Security. It looked as if it was never configured fully (just ran through the little beginning wizard and left it).

I've gotten familiar with making my way around Enterprise Security. But there are some items that were being detected that aren't anymore! It's only detecting inactive accounts. It used to detect much more before I upgraded Splunk Enterprise Security.

After installation, what should be configured? I installed the Security Essentials app and ran through the Data Inventory check; it detected some things. How do I tell Enterprise Security to look at those indexes? I'm guessing I need to configure the CIM app? I don't know what my next steps are.
Hi! How can I configure Splunk Universal Forwarder in Linux to use the FQDN (basically the result of hostname -f) as hostname automatically, i.e. without "hard-wiring" the FQDN in any of Splunk's configuration files? If there is no simple configuration to do this, probably there is a way to do it with a script that is triggered every time I start Splunk Forwarder? I have been using host = $decideOnStartup in inputs.conf, which picks up the hostname of the machine. However, for many distros hostname is just the first part of the FQDN. Thank you!
Hi there, I have found issues when using the Send to Mobile action on an alert. If the condition is set to less than 1 or equals 0 then the alert does not create a push notification. I.e. if an event is not generated by 9am where sourcetype=sourcetype=globalscape then create a Send to Mobile action. The push notification is not received. The only workaround I have found is to create a "Log Event" action, create a second alert and create a Send to Mobile on the Event as created in the first alert. I think this is a bug but any help
The latest Chrome Stable release of v96 exposed an issue with Single Value and Single Value Radial visualizations, where they aren't properly rendering icons. The icons display as expected in Table visualizations, as you can see in the attached.
Hi, does Splunk Cloud have any DR targets for RPO or RTO in the standard agreement? I had a look but could not see anything; however, just in case it does, any help would be appreciated.