I have a dhasboard which should show buckets with number of machines by span of time.  Machine A to F is used for 2 mins Machines D-T was used for 2hrs Machine s-Z was used for more than 4hrs So my graph should show the buckets with time range as a standard set.  XAxis <5 mins, 5-30mins 30min - 2hrs 2-4hrs  > 4hrs YAxis  No of machines logged on for <2mins No of machines logged on for 5-30mins  and so on. Logon Time Logoff Time MachineName SessionTimeinMins 12/1/2021 19:33 12/1/2021 19:36 A 3 12/1/2021 16:46 12/1/2021 17:04 B 18 12/1/2021 15:35 12/1/2021 15:38 C 3 12/1/2021 11:35 12/1/2021 11:38 D 120 12/1/2021 16:35 12/1/2021 21:35 E 300   Base Search | bucket SessionTimeinMins span=20 | chart count(MachineName) by sessionSpan But this do not help in achieving what i wanted. Any help is much appreciated.  Ho do I set my X-Axis to show standard buckets like <2min, 30-1h and bring the count into this bucket.    Thanks    

Hello, I have a need to run a search for MAC OUI matches against a .csv file containing 1000+ MAC OUIs? Can anyone provide example as I have not had any luck building a search using inpulookup that works. Thank you! Splunkster21

I need to extract the contents of the message field, but the first strings must be ignored, I need to get from the stdout field. Any ideas how to do this? Examples:   message: 2021-12-02T20:06:11.541111542Z stdout F 2021-12-02 17:06:11,540 Completed 200 OK message: 2021-12-02T20:06:11.540863953Z stdout F contract: txt (truncated)...] message: 2021-12-02T20:06:11.540857713Z stdout F clientDocument: txt    

Hello, I am trying to export the results from an api search, currently I am using the curl command:  curl -k -u user:pass https://hostname:8089/services/search/jobs/export?search=$NewQ -o Output-file.csv I can see that the search completed in the splunk webclient but am not able to find the output csv file that should result from this command. I have checked the $SPLUNK_HOME/var/run/splunk/csv folder after each attempt at using this command and there has never been a file created there (which to my understanding is where this file is supposed to be created). Any help is greatly appreciated thank you.

Splunk Connect for Syslog This is Splunk’s preferred method of ingesting high volumes of data. Details can be located here → https://splunk-connect-for-syslog.readthedocs.io/en/latest/ TCP Data Input Navigate to Settings -> Data Inputs -> TCP (Add new) This brings you to following screen. In this step, we will configure Splunk to listen on TCP using port 514. NSS only supports TCP, but the destination port is configurable. Most administrators use port “514” as it is the default port for UDP based syslog. After configuring SIEM port, click next   We're following the above step but not able to find TCP / UDP  configure the port to synced with Zscaler NSS. I'm logging in Splunk Cloud portal  as trial member. Could it be restriction/privilege to my trail account ?  Please advice    Thanks Asif         

Hello everyone, I am trying to create queries to show the max and average values of inbound and outbound network traffic (unit : Gbps) of my forwarders I already configured the Splunk add on for unix and linux on my forwarders, but don't know which script to enable to collect the data needed Also, i installed the Pavo network traffic app for splunk, but don't know how to configure it For info, my splunk server is on a single instance deployment Any ideas ?    Thanks ! 

Hi All, We have two splunk environments 8.2, and I am in charge of these two. On the first environment, everything works fine. I'm trying to configure the same thing on the second for another infrastructure. To explain a little : I have two heavy forwarders behind a VIP, and then logs are forwarded to an indexer cluster of two indexers. I had configure some syslog forwarding for network devices, and everything works fine in TCP or UDP, my logs are showing in the Search Head, in the good index. But for Firepower, impossible to indexing datas, I use TCP 10000 and with a tcpdump on the HF I see logs arrives, but after that nothing... I've checked splunkd.logs (and nearly all log file on the servers), there are no errors on the HF or the Indexers and nothing is blocked by a firewall or the network. I don't use estreamer add-on and firepower add-on, and on the first infrastructure is working fine in the same configuration. Here are some configurations : On Indexers : [fw_ext] homePath = volume:primary/fw_ext/db coldPath = volume:primary/fw_ext/colddb thawedPath = $SPLUNK_DB/fw_ext/thaweddb repFactor = auto maxHotBuckets=10 On HF : [tcp://10000] index = fw_ext sourcetype = cisco:asa connection_host = ip disabled = 0 Paths are empty for the index fw_ext, so I presume that the logs don't arrives to the Indexers. On the Firepower, configuration for the first and the second infrastructures are identical, so I presume that the problem don't come from the device too. The forwarding configuration is good too since it works for every other network devices and servers.   Have you guys any ideas ? Thanks by advance.

I would like to send data (Output) from Splunk to external server/Cloud/DB, Please suggest me the best way. Everyday around 10-15k records, I would like to utilize that data in other Analytics tool for ex: Power BI

Hi Team, I have a .Net application that has N number of threads, I am using Appdynamics .Net Profiler for validating the threads measures by enabling the thread correlation. While observing the data in the controller, I have a doubt here that how the thread samples have been collected. Is it through instrumentation or through sampling technique? @Ryan.Paredez  Could you please let me know about this? Thanks in advance. ^ Post edited by @Ryan.Paredez for formatting 

Hello.  I would like to ingest data from a Fireeye HX, viewing the data either in the Fireeye app or through our own dashboards.   However, although the data is being indexed the fields are not being extracted/labelled in a useful way. I  am running Splunk 8.2.2 on Linux.   I have an indexer cluster and SH cluster. I am using the latest app version, 3.8.8. The Fireeye HX is sending data via TCP in CEF format. On the CM: # cat etc/master-apps/_cluster/local/inputs.conf <snip> [tcp://:1234] index = fe_data sourcetype = hx_ce_syslog # ls etc/master-apps/FireEye_v3 appserver bin default lookups metadata README.md static I created local versions of props.conf and transforms.conf .  In props.conf I uncommented this line as instructed (as we want the data in our own index). # Uncomment the next line to send FireEye data to a separate index called "fireeye" TRANSFORMS-updateFireEyeIndex = fix_FireEye_CEF_in, fix_FireEye_CSV_in, fix_FireEye_XML_in, fix_FireEye_JSON_st, fix_HX_CEF_in, fix_HX2_CEF_in In transforms.conf I changed entries like this to use our index: [fix_HX_CEF_in] REGEX=.*:\sCEF\:\d\|mandiant\|mso\| DEST_KEY=_MetaData:Index FORMAT=fe_data Q: Did I need to change FORMAT to use our index if I have specified the index in inputs.conf? Q: Am I right in thinking I don't need the FireEye app installed on the SHC if I don't want to use the app there?  i.e. it is enough for the indexers to use the app's conifguration to parse the data. Q: If the above is correct, does anyone know why the fields are not being extracted as, for example, cef_name?