Hi Team, I want to automate my AD auditing process with Splunk. Currently I have a PowerShell script and a free tool, PingCastle, which I use for the process. Is there any way I can integrate both with Splunk? Thanks, Shivi
Hi, can anyone guide me on setting up a Splunk lab in a VM? I am very passionate about learning Splunk, but I keep failing to set it up.
Hello Splunkers, I'm working on a Splunk dashboard and I have one problem, but I don't know whether it is a problem or a request for advice xD. My point is that I need to add an action button to our statistics table and link it to an alert sound, like a beep or something: when alerts are triggered the sound will play, and when I click the action button it disables the beeping sound. How can I solve this? Any reference or advice?
There is raw data:
[{}]  parameters="[{"Name":"request","Type":"WithdrawalRequestedRequest","Value":{"BrandName":"Bumer","TransactionReference":"111403471","CustomerId":"00e9bc22-96ac-412f-90aa-a240dc03daf9","PaymentDetails":{"Created":"2021-11-18T06:56:54.377Z","Changed":"2021-11-18T06:56:54.393Z","Amount":25.0000,"Fee":0.2500,"CurrencyCode":"GEL","BaseAmount":7.0200,"BaseFee":0.0700,"BaseCurrencyCode":"EUR","PaymentMethodName":"BOG","PublicPaymentId":"t8185jta7fEBBOG","PaymentReference":"bf28bf9e-5caa-4faa-ba4f-c1422080f83e","ExternalData":null,"AdditionalParameters":null}}]"
Are we able to pick up everything between an opening [{ and a closing }]? The main fields which I need mostly are Amount and Base Amount. Are you able to help me, please?
I have been trying to integrate Splunk with OCI for data collection and the add-on provided is not working. Error: Private key provided is incorrect or passphrase is not correct. Does anyone have a documentation reference for building a custom add-on, for troubleshooting the existing add-on?
Dear Friends, I have installed a universal forwarder on Free_PBX to forward call queue logs to Splunk Enterprise, and everything works properly. I monitor the log folder, which is located at /var/log/asterisk. I can monitor all log files while they are being updated with events daily, but PBX generates a new log file every day, and these newly generated logs I can't find in Splunk Enterprise unless I restart the universal forwarder; then the new log files appear in the data summary! Note: FREE_PBX is a Linux CentOS-based VoIP server.
[Screenshot: Logs on Splunk]
[Screenshot: Logs on server]
I am not able to differentiate which sourcetype the Name belongs to after an outer join. This is needed because when the Name is available in one sourcetype, the other sourcetype's Agent should be changed to "Not in Scope", based on the sourcetype the Name belongs to. My query is like:
index=A sourcetype=Compare
| fillnull value=""
| join type=outer ITAM_sysid [ search index=A sourcetype=Fire | fillnull value="" ]
| fillnull value=""
| stats values(*) as * values(sourcetype) as sourcetype by Name
| eval Status=if(Fire_Agent_Version = "" AND Compare_Agent_Version = "","Not Covered","Covered")
| eval Compare_Agent_Version=if(Status="Not Covered","Not installed",Compare_Agent_Version)
| eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Agent_Version)
| eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Fire_Agent_Version)
| table sourcetype Name, Fire_Agent_Version, Compare_Agent_Version, Status
Hi, please help me build cron expressions. Thanks in advance.
Alert runs every 15 min from 8am to 18pm, every day
Alert runs every 15 min from 4am to 18pm, weekdays only
Alert runs every 15 min from 8am to 18pm, weekdays only
Alert runs every 15 min from 9am to 17pm, weekdays only
Alert runs every 15 min from 8am to 18:45pm, weekdays only
Alert runs every 15 min from 23:01 pm to 18:59pm, every day
Alert runs every 15 min from 12am to 12:59am and 6am to 6:59am, every day
Alert runs every 15 min from 8am to 8:59am and 13pm to 13:59pm, every day
Alert runs every 15 min from 10am to 6:59am, every day
Alert runs every 15 min from 7am to 23:59pm, every day
Alert runs every 15 min from 8am to 10:59am, every day
Hi, I am not receiving data from universal forwarders. What could the possible reasons be? Thanks
I want to be able to perform a search across a list of internal IPs making HTTP/HTTPS GET and POST requests to external sources AFTER, or at the SAME TIME as, a specific external IP is making inbound connection attempts of any kind to them.
Hi, I am modifying the logging in my application (Java Spring Boot) to include a key/value pair list and a JSON string of relevant data/information I want to log, in order to trigger Splunk's automatic field extraction. Key/value pair list:
[key1=val1, key2=val2, key3=val3, etc]
and JSON string:
{ "field1" : "value1", "field2" : null }
Can anyone tell me how to generate some dummy events like this, so I can test that the automatic field extraction is indeed extracting the KEY from the list and assigning the correct VALUE? Similarly for the JSON string, if it's possible. If not, I suppose I can just use the spath feature.
I was using the Splunk DB Connect app 3.6.0. At the beginning, when I installed it, it ran OK and dbxquery was also very fast on the same MySQL database. But I don't know why dbxquery became very slow. The DB is OK, because I can search data very fast another way, but using DB Connect it spends a lot of time waiting. I checked the job inspector and found that the "dispatch.evaluate.dbxquery" phase takes a very long time on my search head, always 48.13 seconds. I don't know what causes it, and I want to know how to solve it.
We have logs where the first few lines need to be omitted from ingestion. We only need to on-board the events that start with the date/time in the following format: "%m/%d/%Y@%H:%M". I appreciate all ideas and suggestions. Here is the log example (there are also empty lines before the first "#-----------------------------------------" and after the last "#-----------------------------------------"):
#-----------------------------------------
#DATE CREATED:  11/02/2021@04:16
#SUBJECT:       REPORT ON THE GENERAL STATUS OF AUTOSYS JOBS
#ENVIRONMENT:   CBA
#-----------------------------------------
11/02/2021@04:16,CBA,OTHER,CBA_CLIENT_REPORT_BOX,OI
11/02/2021@04:16,CBA,OTHER,CBA_copy_file_job,OI
11/02/2021@04:16,CBA,OTHER,CBA_ABC_SCHEDULER_BOX,OI
11/02/2021@04:16,CBA,OTHER,CBA_ABC_REPORT_BOX,OI
The problem is a simple one: I have a base search from which I want to exclude a subset based on a criterion determined in a different dataset. But I cannot find an efficient way to do this. So far, what I am doing is
basesearch | join joinkey [set diff [ basesearch | stats count by joinkey | fields - count ] [ criteria | stats count by joinkey | fields - count ] ]
While the logic works, it feels immensely inefficient. Without even considering that set operations are themselves expensive, basesearch is performed two times with no change. What is the proper way of doing this simple exclusion?
The doc mentions IT Essentials Work. I tried to download IT Essentials Work, but I get an error message during installation: "App Installation failed" "invalid app contents: archive contains more than one immediate subdirectory: and DA-ITSI-DATABASE". I still have the "Splunk Add-on for Amazon Web Services" version 5.1.0 running on a heavy forwarder, collecting the data and sending it to my indexes on Splunk Cloud... (5.2.0 is broken)
It seems there are many ways to edit panel styles, but is it possible to edit the actual dashboard's title section? It seems that area at the very top of the board is very static. I'm looking to add a background image to that section (not the main body section of the dashboard).
We have logs where the first few lines start with "#", and we don't need to ingest these lines. We tried to use different methods that didn't work. I would appreciate help/ideas from Splunkers:
1st idea: use PREAMBLE_REGEX = ^#.* in props.conf on the heavy forwarders where the data is being parsed.
2nd idea: use TRANSFORMS-null = setnull in props.conf and transforms.conf on the heavy forwarders where the data is being parsed.
transforms.conf:
[setnull]
REGEX = ^#.*
DEST_KEY = queue
FORMAT = nullQueue
Example of log:
#-----------------------------------------
#DATE CREATED:  11/02/2021@04:16
#SUBJECT:       REPORT ON THE GENERAL STATUS OF AUTOSYS JOBS
#ENVIRONMENT:   CBA
#-----------------------------------------
11/02/2021@04:16,CBA,OTHER,CBA_CLIENT_REPORT_BOX,OI
11/02/2021@04:16,CBA,OTHER,CBA_copy_file_job,OI
11/02/2021@04:16,CBA,OTHER,CBA_ABC_SCHEDULER_BOX,OI
11/02/2021@04:16,CBA,OTHER,CBA_ABC_REPORT_BOX,OI
Hello, has anyone tried to configure alerts to trigger an audio file whenever a condition is met? I have tried looking for an app or add-on on Splunkbase, but I haven't found any. Please help me with your thoughts. Thanks
Hi, I am using Splunk to monitor HTTP status code responses from a server, and I want to be alerted when a request to the server takes a long time to return to the client. The client I am using has a timeout window of 55 seconds, so when the server takes more than 55 sec to respond, the client sends a timeout error. I want to be alerted when the percentage of times the request takes more than 55 sec exceeds 10%.