Hi, I am using Splunk to monitor the HTTP status code responses from a server and I want to be alerted when a request to the server takes a long time to return to the client. The client I am using has a timeout window of 55 seconds, so when the server takes more than 55 sec to respond, the client sends a timeout error. I want to be alerted when the percentage of requests that take more than 55 sec exceeds 10%.

Hi, I am using Splunk to monitor the HTTP status code responses from a server and I want to get alerted when the percentage of 504 or 500 responses exceeds 10%.
Hello all, kindly help with regex. I am seeing the below messages in the splunkd logs. Though values are actually being extracted properly, the messages below are annoying and I want to get rid of them. I need urgent help to construct a better regex to avoid these messages. I have increased MATCH_LIMIT in transforms.conf, but I am still seeing these messages.

    11-17-2021 17:12:34.927 +1100 ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex
    11-17-2021 17:12:34.927 +1100 WARN regexExtractionProcessor - Regular expression for stanza security_index exceeded configured PCRE match limit. One or more fields might not have their values extracted, which can lead to incorrect search results. Fix the regular expression to improve search performance or increase the MATCH_LIMIT in props.conf to include the missing field extractions.

Part of my regex looks like this. I have repeated the same regex for the different VM and file combinations. Can someone please help with a better regex?

    REGEX=(\VNFCs\"\:\".*(ops|opslb|ntf|ntfsync|telemetry|diagnostic|db|lb).*class\"\:\"(/var/log/auth.log|/var/log/messages.log|/var/log/syslog.log|/var/log/firewall/firewall.log|/var/log/audit/audit.log)\")..

followed by

    \VNFCs\"\:\".*(ops|opslb|ntf).*class\"\:\"(/opt/function/applicatio.log)\")..

etc. My sample event is as below. There are more than 10 types of VM (like ops, db, sync, etc.), more than 300 VMs and 250 different files, and I made a single regex. I need to create the regex considering the two criteria below:

1) The VMs: "xyz001vm002400-ops-vm01", "xyz002vm002400-db-vm01", etc.
2) The log file, beginning with a class keyword: "class":"/var/log/syslog.log", "class":"/opt/cat/audit.log", etc.
Sample Event 1:

    {"VNFType":"xyz","VNFs":"xyz001vm002400","VNFCType":"ops","VNFCs":"xyz001vm002400-ops-vm01","event":{"log_message":"2021-11-18T02:45:01.085777+10:00, xyz001vm002400, xyz001vm002400-ops-vm01, ops, ops, info, cron, xyz001vm002400-ops-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz001vm002400, xyz001vm002400-ops-vm01, ops, ops, info, cron, xyz001vm002400-ops-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz001vm002400, xyz001vm002400-ops-vm01, ops, ops, info, cron, xyz001vm002400-ops-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz001vm002400, xyz001vm002400-ops-vm01, ops, ops, info, cron, xyz001vm002400-ops-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz001vm002400, xyz001vm002400-ops-vm01, ops, ops, info, cron, xyz001vm002400-ops-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz001vm002400, xyz001vm002400-ops-vm01, ops, ops, info, cron, xyz001vm002400-ops-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n","class":"/var/log/syslog.log","log_event_time_stamp":"2021-11-18T02:45:08+10:00"}}

Sample Event 2:

    {"VNFType":"xyz","VNFs":"xyz002vm002400","VNFCType":"db","VNFCs":"xyz002vm002400-db-vm01","event":{"log_message":"2021-11-18T02:45:01.085777+10:00, xyz002vm002400, xyz002vm002400-db-vm01, db, db, info, cron, xyz002vm002400-db-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz002vm002400, xyz002vm002400-db-vm01, db, db, info, cron, xyz002vm002400-db-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz002vm002400, xyz002vm002400-db-vm01, db, db, info, cron, xyz002vm002400-db-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz002vm002400, xyz002vm002400-db-vm01, db, db, info, cron, xyz002vm002400-db-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz002vm002400, xyz002vm002400-db-vm01, db, db, info, cron, xyz002vm002400-db-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n2021-11-18T02:45:01.085777+10:00, xyz002vm002400, xyz002vm002400-db-vm01, db, db, info, cron, xyz002vm002400-db-vm01, CROND[16311]:, (root) CMD (/usr/sbin/KillIdleSessions)\n","class":"/opt/cat/audit.log","log_event_time_stamp":"2021-11-18T02:45:08+10:00"}}

@chrisyounger @harsmarvania57 - Any help is much appreciated.
When pushing the Windows add-on for Splunk using a deployment server, my inputs.conf files on the clients are not updating. The clients are regularly checking in with the deployment server, and Splunk has been restarted on both the deployment and client servers several times. This is creating an issue because updates to the inputs.conf stored in the local folder are not being applied across my clients. If anyone has any further troubleshooting ideas to get the clients to sync up to the proper inputs.conf from the deployment server, please let me know.

If it matters: the specific changes (simply enabling them by changing disabled=1 to 0) were made to the scripted inputs below. The timestamp on inputs.conf on the client is much older than the changes and it is still left at disabled=1.

    ###### Scripted Input (See also wmi.conf)
    [script://.\bin\win_listening_ports.bat]
    disabled = 0
    ## Run once per hour
    interval = 3600
    sourcetype = Script:ListeningPorts

    [script://.\bin\win_installed_apps.bat]
    disabled = 0
    ## Run once per day
    interval = 86400
A while ago I set up the monitoring console. However, I am seeing that some screens work well and others are just blank. For example, CPU and disk information I can access fine. However, if I go to Monitoring Console -> Search -> Search activity: instance to see the skipped searches, it's all blank. So is there something else I need to do? I am on 1 SH, a 3-indexer cluster + 1 MN.
So there is a query on my Splunk Cloud instance, which is below:

    index=windows EventCode=4688
        [| inputlookup "lotl_commands.csv"
        | rename suscmd as search ]
        NOT Account_Name=*$
        NOT (net "use ")
        NOT InteractionScripter.NET.exe
        NOT (Account_Name=itreports sqlcmd.exe)
        NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
        NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
        NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
        NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
        NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
        NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
        NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
        NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
        NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
    | table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
    | sort _time

Whenever it runs, it triggers an alert for the file path:

    C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe
    C:\Windows\SysWOW64\schtasks.exe

Now this file path is running legitimately and I am trying to exempt it from being searched again so that another alert does not trigger. So under the 10th line, the one that starts with "NOT (Creator_Process_Name=", I created another line like it and inserted both file paths, but when I do a 24hr search it still comes up, which means it is still not exempting that file path. So please, I need help being able to exempt that file path from the search. Thanks.
Tried upgrading my Splunk Add-on for Amazon Web Services on my heavy forwarder 3 times, and each time I have the same issue when upgrading to 5.2.0:

- Started with version 5.0.3, disabled all inputs - no pycache dir.
- Upgraded to 5.2.0 and restarted - no visible errors until I try to launch: the Account tab spins forever and never opens; all other tabs fine.
- Rolled back to tar backup 5.0.3. Tried again - same. Rolled back to tar backup 5.0.3.
- Downloaded 5.0.4 and upgraded, restarted - all tabs in the add-on fine.
- Downloaded 5.1.0 and upgraded, restarted - all tabs in the add-on fine.
- Downloaded 5.2.0 and upgraded, restarted - same issues as before....

Has anyone else encountered this and know the fix? I have opened a ticket with support but am still waiting...
    | eval SNOW_Description=case(EMGC_ADMINSERVER_Status!="k1","Java Process EMGC_ADMINSERVER data not available in splunk on host, EMGC_ORACLE_Status!="k2","Java Process EMGC_ORACLE data not available in splunk on host)

Here I am trying to use multiple fields inside a case statement. I am not getting the correct output. How can this be achieved?
I have a Splunk query:

    index=my_index cf_app_name=$app_name$ msg!="*Hikari*" $log_type$ | sort -_time | table msg

It populates Splunk with results. Now, the msg field has a log_type of INFO, ERROR or WARNING. Example:

    2021-11-17 15:03:34.921 INFO 22 --- [ taskExecutor-1] c.c.p.r.e.EventService : Event sent to event ID: 2111 - REPRICING has finished
    2021-11-16 22:23:54.905 ERROR 22 --- [ taskExecutor-1] c.c.p.r.service.SftpService : Could not delete file: /-/PCS.P.KSZ4750J.TRIG.FILE - 4: Failure
    2021-11-16 22:23:54.905 WARNING 22 --- [ taskExecutor-1] c.c.p.r.service.SftpService : Could not delete file: /-/PCS.P.KSZ4750J.TRIG.FILE - 4: Failure

Now, my goal is to COLOR the log_type within "msg" Green if it's INFO, Red if it's ERROR, and Yellow if it's WARNING. I don't want to color the entire msg field; just the words INFO, ERROR and WARNING should be turned to those specific colors. @scelikok @somesoni2
Splunk Enterprise specifically lists the Windows OS requirements as Windows Server 2016 and Server 2019. Is Windows Server 2022 supported yet and, if not, does anyone know when it will be added?
Hi, I am trying to convert the result of applying the CorrelationMatrix algorithm, which is given in a confusion matrix form like:

          AA     BB     CC
    AA    1      0.1    0.2
    BB    0.1    1      0.3
    CC    0.2    0.3    1

And I would like to convert it to a tabular form like:

    AA BB 0.1
    AA CC 0.2
    BB AA 0.1
    BB CC 0.3
    ....

So far I tried with the untable command without success. Below you can see a sample of the code I have.

    index="someIndex"
    | timechart span=1m count by someField
    | fillnull value=0
    | fit CorrelationMatrix method=pearson *
    | untable a, b, c

Any help would be much appreciated. Thanks!
I am making a list of Splunk critical services to be notified about after hours & weekends, to revive Splunk in case it goes down & stays down until Monday!! We had an incident where a Splunk instance went down Friday night & we found out on Monday!! I am including splunkd down and CPU on an instance going up/running at 95%. What other critical items would you add to this list, please? I have a large environment, with Splunk Ent., ES & a clustered environment.
Hello, hope you are doing well! I have updated an existing correlation alert in Splunk as a notable event, which previously used to send an email notification to 'x'. I have selected 'Default Owner' as 'leave as system default' (i.e. unassigned), but still, when it triggers alerts in the Splunk Incident Review page, it shows the owner as 'x' (same as the email owner), not as the default owner, i.e. unassigned. Can someone help me with this? Thanks in advance!
Hi, I want to create an alert that will trigger when 1 user (no specific user name, just one person from the organization) deletes more than 5 files from Dropbox. I tried setting the following query:

    host="ip-of-the-host-as-arrives-in-splunk" "event_type..tag"=file_delete | where count > 5

but how do I add the 1 user part? Would love to get some help, I am new at this.
What is the best way (globally for all apps) to detect and report on either the creation of a new file in the /appname/local/ directory of an app, OR a file being updated within the local directory of an app? Thanks!
I am currently in the process of building out a custom application which will include an adaptive response action that uses a Python script to update a system's group based on events that come into our Incident Review page. I have all of the logic working (a correlation search identifies an event and creates a notable; from there I can select the AR action, input this system's GUID into the text box, and it will go from there). My issue is that I cannot get the correct configuration to have this field prepopulated from the event in the notable when the menu is brought up. The configuration files I believe need to be updated are alert_actions.conf, alert_actions.conf.spec, savedsearches.conf.spec, and the <alert_action_name>.html file. I have found some similar posts about this but nothing that gives details about the syntax needed for each file:

https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-the-service-now-integration-work-as-an-ad-hoc-adaptive/m-p/437270
https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Is-it-possible-to-prepopulate/m-p/251952

In my various config files I have the following lines:

alert_actions.conf:

    param.hostname = $result.hostname$
    param.connector_guid = $result.connector_guid$

alert_actions.conf.spec:

    param.hostname = <string>
    param.cguid = <string>

savedsearches.conf.spec:

    param.hostname = <string>
    param.cguid = <string>

<alert_action_name>.html:

    <form class="form-horizontal form-complex">
      <div class="control-group">
        <label class="control-label" for="custom_app_hostname">Hostname <span class="required">*</span></label>
        <div class="controls">
          <input type="text" name="action.custom_app.param.hostname" value="$hostname$" id="custom_app_hostname"/>
          <span class="help-block">Verify this is the correct hostname, if not then input from the alert.</span>
        </div>
      </div>
      <div class="control-group">
        <label class="control-label" for="custom_app_cguid">Connector GUID <span class="required">*</span></label>
        <div class="controls">
          <input type="text" name="action.custom_app.param.connector_guid" value="$connector_guid$" id="custom_app_cguid"/>
        </div>
      </div>
    </form>

Below is the screenshot of the menu I am referring to that needs to be prepopulated:
Good morning Community, where can I find all the free courses on dashboard monitoring? I am looking for free courses that teach how to use dashboards; is there a sequence for these courses? And for paid ones, is there an ideal sequence to follow for someone who wants to work with dashboard monitoring? Thank you for your help.
Hi, do AppDynamics APIs support pagination? ^ Post edited by @Ryan.Paredez for a more searchable title.
Hi all, I have a question about macros: suppose I must use, inside a search, multiple macros. Those macros can be related to each other by simple logical conditions like AND and OR; what is the right syntax to tell the search to use more than one macro? Is it the append command, or something else?

UPDATE
Let me modify the post, after @ITWhisperer's explanation. The currently desired behaviour is to perform security checks with rules that use multiple macros. We don't know if it is the best way and/or absolutely required by the customer, but at writing time it is our guideline. We have the following situation:

1. Two or more macros linked with the AND operator. Consider the following macro:

    `remote to local` = | eval (All_traffic.src) as src from datamodel="Network traffic"
    | eval (All_traffic.dest) as dest from datamodel="Network traffic"
    | where ( src!=10.0.0.0/8 AND src!=172.16.0.0/12 AND src!=192.168.0.0/16) AND ( dest=10.0.0.0/8 OR dest=172.16.0.0/12 OR dest=192.168.0.0/16)

set to use the Data Model instead of raw events, and which evaluates whether the connection is from the internet to the local network. The other one is the following:

    `successfull communication` = | eval(All_traffic.bytes_in/All_traffic.packets_in) as input_rate from datamodel="Network traffic"
    | eval(All_traffic.bytes_out/All_traffic.packets_out) as output_rate from datamodel="Network traffic"
    | where input_rate > 80 and output_rate > 80

which tries to understand whether the communication between source and dest works fine by counting the bytes/packets rate. What if, in my rules, I have to use them linked with AND and used as a filter? I mean, the final rule structure is something like this:

    <my search>....| where `remote to local` AND `successfull communication`

2. The macros should be put together with OR. This is because the rule tries multiple ways to understand whether something is happening or not. Consider this macro:

    `IRC Check with Firewalls`=|tstats count values(All_traffic.src) as source by source from datamodel=Network_Traffic|where All_traffic.protocol = tcp AND All_traffic.action = allowed | search All_traffic.dest = NOT [| inputlookup WhiteListIP.csv | table dest] All_traffic.dest_port IN [| inputlookup IRCPorts.csv | table dest_port]

that tries to check whether an IRC server is running by checking some network data, like firewall pass, tcp protocol, destination port present in the IRCPorts.csv file, and excluding some authorized servers put in WhitelistIP.csv. Then, we must make a macro that tries to find whether an IRC client is running; currently we don't know how to realize this, so let me put here simply its name:

    `IRC Client Detected`

So, the final search wants to use these 2 macros as filters and trigger if one of them is true; something like:

    <some search>...| where `IRC Check with Firewalls` OR `IRC Client Detected`

3. Any combination of AND and OR. Using the above macros, something like:

    <some search>...| where `remote to local` AND (`IRC Check with Firewalls` OR `IRC Client Detected`)
I am using a cell renderer, and when assigning the cell value to a var used by my script, the var shows as undefined, even though cellData.value shows a valid string. The basics of the JS code are:

    canRender: function (cellData) {
        console.log("cellData.field ", cellData.field);
        if (cellData.field === 'audiofiles') {
            return true;
        } else {
            return false;
        }
    },
    render: function ($td, cellData) {
        console.log("cellData.value ", cellData.value);
        var mysoundfiles = cellData.value.tostring;
        console.log("mysoundfiles ", mysoundfiles);

and the results from the console log are:

    cellData.field last_audio
    cellData.field audiofiles
    cellData.value (3) ['LOWRATES.wav RES1.wav', 'RES1.WAV CATSTROP.WAV', 'TLPRESNAP.wav']
    mysoundfiles undefined

When trying to use cellData.value, it always returns 'undefined'. Oddly, this code was working at one time, then just stopped working for some reason. Any help is greatly appreciated!