All Topics
Can anyone help me with an issue I get from time to time on my dashboard built using Splunk Dashboard Studio? For some reason this error occurs only for maps. Here's the query:

| tstats count from datamodel=Cisco_Security.ASA_Dataset where index IN (add_on_builder_index, adoption_metrics, audit_summary, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_se, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, endpoint_summary, fw_syslog, history, ioc, main, mcd, mcd_syslog, new_index_for_endpoint, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) ASA_Dataset.event_type_filter_options IN (*) ASA_Dataset.severity_level_filter_options IN (*) ASA_Dataset.src_ip IN (*) ASA_Dataset.direction="outbound" groupby ASA_Dataset.dest
| iplocation ASA_Dataset.dest
| rename Country as "featureId"
| stats count by featureId
| geom geo_countries featureIdField=featureId
| where isnotnull(geom)

After reloading the page the error disappears.
I am having trouble creating the connection to Splunk Cloud from Power BI. I have downloaded the latest version of the Splunk ODBC driver (3.1.1), configured it with what I think my user and password are (we authenticate via Active Directory with our tenant), and I have access to the access token in the Splunk Cloud console. The error I am getting is:

Details: "ODBC: ERROR [HY000] [Splunk][SplunkODBC] (40) Error with HTTP API, error code: Timeout was reached ERROR [HY000] [Splunk][SplunkODBC] (40) Error with HTTP API, error code: Timeout was reached"

Not sure how else to try configuring the ODBC connector.
This is my search. It brings back Not Known for every field instead of the correct case name:

index=websphere websphere_logEventType=* | stats count(websphere_logEventType) BY websphere_logEventType | eval websphere_logEventType=case(websphere_logEventType=I, "INFO",websphere_logEventType=E, "ERROR", websphere_logEventType=W, "WARNING", websphere_logEventType=D, DEBUG, true(),"Not Known" )

What am I missing that will bring the count and the case that the count is for instead of always the Not Known case?
Hello. I cannot find a solution to this one here... I have logs in one Splunk instance. I've exported them to CSV and want to perform a one-time ingest of that CSV into a new on-prem Splunk Enterprise instance. I have the CSV and can import it. However, I can't figure out how to preserve each row/event's original 'host', timestamp, and 'sourcetype' entry. When I do the import, it records the 'host' as the Splunk indexer, and the timestamp as the date of the import, which makes sense but is not the desired behavior. Here is a sample row of the CSV:

_time,host,index,source,sourcetype
2024-11-19T11:36:05.000-0500,host1.example.com,test-index,/var/log/messages,syslog
2024-11-19T11:36:05.000-0500,host2.example.com,test-index,/var/log/messages,syslog

I removed the _raw column, but I can include it if necessary. How do I import these events while preserving the event time, host, and sourcetype fields? Is this even possible? I looked around here and can't find anyone with this scenario. Thank you in advance!
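One way to keep the original _time, host, source, sourcetype and index on re-ingest is to rebuild each CSV row as an HTTP Event Collector (HEC) event, where all of those are explicit metadata fields rather than something the indexer has to infer. The following is an added example, not code from the post or from Splunk; it assumes the export still carries a _raw column (the poster removed it, but the event body has to come from somewhere), and the HEC URL and token in send_to_hec are placeholders. The two CSV rows are constructed from the post's sample with an invented _raw value.

```python
"""Rebuild Splunk HEC event payloads from a CSV export so that each event keeps
its original _time, host, source, sourcetype and index when re-ingested.

Added example, not from the original post. Assumes a _raw column is present
and that a HEC token exists on the target instance (both are assumptions).
"""
import csv
import io
import json
import urllib.request
from datetime import datetime

# Constructed sample export: the rows from the post plus an invented _raw column.
SAMPLE_CSV = """_time,host,index,source,sourcetype,_raw
2024-11-19T11:36:05.000-0500,host1.example.com,test-index,/var/log/messages,syslog,"Nov 19 11:36:05 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"
2024-11-19T11:36:05.000-0500,host2.example.com,test-index,/var/log/messages,syslog,"Nov 19 11:36:05 host2 sshd[2345]: Failed password for root from 10.0.0.9 port 51235 ssh2"
"""

# Timestamp layout used by the export: ISO date/time, milliseconds, numeric UTC offset.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def to_epoch(ts: str) -> float:
    """Parse the export's timestamp (offset included) to epoch seconds."""
    return datetime.strptime(ts, TIME_FORMAT).timestamp()


def build_hec_events(csv_text: str) -> list:
    """Map each CSV row onto the HEC event schema. 'time' and 'host' here
    override what the indexer would otherwise assign at ingest."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "time": to_epoch(row["_time"]),
            "host": row["host"],
            "source": row["source"],
            "sourcetype": row["sourcetype"],
            "index": row["index"],
            "event": row["_raw"],
        })
    return events


def to_hec_body(events: list) -> bytes:
    """HEC accepts several JSON objects concatenated in one request body."""
    return "\n".join(json.dumps(e) for e in events).encode()


def send_to_hec(events: list, url: str, token: str) -> int:
    """POST the batch to the collector endpoint, e.g.
    https://splunk.example.com:8088/services/collector/event (placeholder URL;
    the token is a placeholder too). Not called by the stand-alone run."""
    req = urllib.request.Request(
        url,
        data=to_hec_body(events),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    for ev in build_hec_events(SAMPLE_CSV):
        print(json.dumps(ev))
```

The HEC token must be allowed to write to the target index, and that index must already exist; otherwise the whole batch is rejected. Because the timestamps are sent as epoch values, the receiving side does no timestamp recognition at all, which is exactly what you want for a one-time replay of old events.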
I'm trying to come up with a search query that ignores parameters if left blank, but ignores other parameters if filled in. In this case, "-" is the default value for token1 and token2. If token1 and token2 are left at this default, I want to find results based only on token3; but if token1 or token2 is specified then I want token3 to be disregarded. Here's what I've been trying, but so far it doesn't seem to be working as I'd hoped:

if(($token1$ == "-" AND $token2$ =="-"), (search Field3=$token3$), (search Field1="$token1$" OR Field2="$token2$"))

Am I on the right track? Something I'm missing?
Here is what is needed:

logLevel : INFO -> Blue
logLevel : WARNING -> Yellow
logLevel : ERROR -> Red

The code below is not working for me:

<format type="color">
  <colorPalette type="expression">
    if(match(value,"logLevel=INFO"),"#4f34eb",null),
    if(match(value,"logLevel=WARNING"),"#ffff00",null),
    if(match(value,"logLevel=ERROR"),"#53A051",null)
  </colorPalette>
</format>

Is there an option for colors similar to charting?

<option name="charting.chart">line</option>
<!--[Total,Critical,Major,Minor,Notice,Healthy]-->
<option name="charting.seriesColors">[17202A,C0392B,F5B041,F7DC6F,D5DBDB,3DB42A]</option>
<!--[black, red, orange, yellow, grey, green]-->
I have an employee who keeps getting locked out. I wanted to know how to put a script in to find out which device is getting locked out. 
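Account lockouts are recorded by the domain controller, and the Windows Security events involved each carry a different "where did this come from" field: 4740 (account locked out) has Caller Computer Name, 4771 (Kerberos pre-authentication failed) has Client Address, and 4776 (NTLM credential validation) has Source Workstation. The block below is an added example, not code from the post: it runs that correlation over a handful of constructed event records (simplified, with field names in the style the Splunk Add-on for Microsoft Windows produces) and reports, per account, which machines or addresses the failed attempts and lockouts trace back to. The account names, hostnames and addresses are invented.

```python
"""Trace an account's lockouts back to their source, using Windows Security
events 4740, 4771 and 4776.

Added example, not from the original post. SAMPLE_EVENTS are constructed,
simplified records; the field names follow the Splunk Windows add-on style.
"""
from collections import Counter, defaultdict

SAMPLE_EVENTS = [
    {"EventCode": 4740, "_time": 1700000000, "user": "jdoe",
     "Caller_Computer_Name": "WKS-042"},
    {"EventCode": 4771, "_time": 1699999900, "user": "jdoe",
     "Client_Address": "::ffff:10.1.2.42", "Failure_Code": "0x18"},
    {"EventCode": 4771, "_time": 1699999910, "user": "jdoe",
     "Client_Address": "::ffff:10.1.2.42", "Failure_Code": "0x18"},
    {"EventCode": 4776, "_time": 1699999920, "user": "jdoe",
     "Source_Workstation": "OLDLAPTOP", "Error_Code": "0xC000006A"},
    {"EventCode": 4740, "_time": 1700003600, "user": "jdoe",
     "Caller_Computer_Name": "OLDLAPTOP"},
    {"EventCode": 4740, "_time": 1700003700, "user": "jdoe",
     "Caller_Computer_Name": ""},          # blank caller: nothing to attribute
    {"EventCode": 4771, "_time": 1700003500, "user": "asmith",
     "Client_Address": "::ffff:10.1.9.7", "Failure_Code": "0x18"},
]

# Which field in each event type names the origin of the attempt.
SOURCE_FIELD = {
    4740: "Caller_Computer_Name",   # machine that sent the bad credentials
    4771: "Client_Address",         # IP seen by the KDC
    4776: "Source_Workstation",     # workstation name in the NTLM request
}


def normalise_address(value: str) -> str:
    """Client Address is often an IPv4-mapped IPv6 string; strip the prefix."""
    return value[7:] if value.startswith("::ffff:") else value


def lockout_sources(events: list, user: str) -> dict:
    """Return {event_code: Counter(source -> count)} for one account.
    Events with a blank or '-' source are skipped: a blank Caller Computer
    Name is common when the lockout was triggered via a service or a
    replicated domain controller, and attributing it would be a guess."""
    result = defaultdict(Counter)
    for ev in events:
        if ev.get("user") != user:
            continue
        field = SOURCE_FIELD.get(ev["EventCode"])
        src = ev.get(field, "").strip() if field else ""
        if src and src != "-":
            result[ev["EventCode"]][normalise_address(src)] += 1
    return dict(result)


def top_sources(events: list, user: str, n: int = 3) -> list:
    """Merge across event types and return the most frequent origins first."""
    merged = Counter()
    for per_type in lockout_sources(events, user).values():
        merged.update(per_type)
    return merged.most_common(n)


if __name__ == "__main__":
    for code, sources in lockout_sources(SAMPLE_EVENTS, "jdoe").items():
        print(code, dict(sources))
    print("top:", top_sources(SAMPLE_EVENTS, "jdoe"))
```

In practice the 4740 events are written on the PDC emulator, so that is the host to collect them from; 4771 and 4776 appear on whichever DC handled the attempt. A stale saved credential (a mapped drive, a scheduled task, a mobile device) usually shows up as one source repeating at a fixed interval.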
The structure of JSON in my log events is roughly as follows:

{
  "Info": {
    "Apps": {
      "ReportingServices": {
        "ReportTags": [ "Tag1" ],
        "UserTags": [ "Tag2", "Tag3" ]
      },
      "MessageQueue": {
        "ReportTags": [ "Tag1", "Tag4" ],
        "UserTags": [ "Tag3", "Tag4", "Tag5" ]
      },
      "Frontend": {
        "ClientTags": [ "Tag12", "Tag47" ]
      }
    }
  }
}

The number of fields in "Apps" is unknown, as are their names. Given this structure I need to check if a given tag ("Tag1", "Tag2", ...) exists in a given array ("ReportTags", "UserTags", [..]), regardless of parent. If it does, I need the distinct names of the parent fields that contain it.

Example 1: The input to the query is "ReportTags" and "Tag1". I'd expect it to output both "ReportingServices" and "MessageQueue" because both of them contain a "ReportTags" array that contains "Tag1".

Example 2: The input to the query is "UserTags" and "Tag5". I'd expect it to output only "MessageQueue" because only this one contains a "UserTags" array that contains "Tag5".

I have looked at various questions on this forum and tried various combinations of mvexpand and such, but I have not been able to write a query that does exactly this. Any hints and/or help would be greatly appreciated.
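The lookup described in the post is a walk over the children of Info.Apps: for every child, take the array named by the first input and test membership of the second input, then report the child names that matched. The block below is an added example that is not code from the post; it uses the post's own JSON as the sample event and, beyond the post's two cases, also handles the scalar form ("ReportTags": "Tag1") that JSON producers sometimes emit instead of a one-element array, and deduplicates across several events.

```python
"""Find which Info.Apps.* entries hold a given tag in a given array.

Added example, not from the original post. SAMPLE_EVENT is the structure
quoted in the post; SECOND_EVENT is a constructed variant with a scalar tag.
"""
import json

SAMPLE_EVENT = json.loads("""
{"Info": {"Apps": {
  "ReportingServices": {"ReportTags": ["Tag1"], "UserTags": ["Tag2", "Tag3"]},
  "MessageQueue": {"ReportTags": ["Tag1", "Tag4"], "UserTags": ["Tag3", "Tag4", "Tag5"]},
  "Frontend": {"ClientTags": ["Tag12", "Tag47"]}
}}}
""")

# Constructed: one app stores a single tag as a plain string, not an array.
SECOND_EVENT = json.loads("""
{"Info": {"Apps": {
  "Scheduler": {"ReportTags": "Tag1"},
  "MessageQueue": {"ReportTags": ["Tag9"]}
}}}
""")


def _as_list(value) -> list:
    """Normalise a missing / scalar / array JSON value to a list of strings."""
    if value is None:
        return []
    if isinstance(value, list):
        return [v for v in value if isinstance(v, str)]
    return [value] if isinstance(value, str) else []


def apps_with_tag(event: dict, array_name: str, tag: str) -> list:
    """Names of Info.Apps children whose `array_name` contains `tag`, sorted."""
    apps = event.get("Info", {}).get("Apps", {})
    if not isinstance(apps, dict):
        return []
    matches = {
        app_name
        for app_name, app in apps.items()
        if isinstance(app, dict) and tag in _as_list(app.get(array_name))
    }
    return sorted(matches)


def apps_with_tag_across(events: list, array_name: str, tag: str) -> list:
    """Distinct app names over a batch of events (what a stats values() would give)."""
    found = set()
    for ev in events:
        found.update(apps_with_tag(ev, array_name, tag))
    return sorted(found)


if __name__ == "__main__":
    print(apps_with_tag(SAMPLE_EVENT, "ReportTags", "Tag1"))  # both examples from the post
    print(apps_with_tag(SAMPLE_EVENT, "UserTags", "Tag5"))
    print(apps_with_tag_across([SAMPLE_EVENT, SECOND_EVENT], "ReportTags", "Tag1"))
```

Note that the match is exact membership, so "Tag1" does not match "Tag12"; a substring or wildcard search on the flattened text would.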
Suddenly the real-time alert is not working in Splunk. Can anyone help with how to troubleshoot this issue?
What would be the best approach for an IaC setup for Splunk Enterprise? Currently we are using an Azure VM and a deb installation of Splunk Enterprise; installation and updates are done manually. We would like to improve this process, install Splunk from scratch and use a better setup:

1. install it in the AKS cluster
2. use a Docker approach
3. use Terraform for IaC

What would be the best-suggested approach here? We have a disk of around 1TB of data for Splunk. Thank you in advance.
Hi, I have a search which populates results with email addresses for 1000+ users. I need to send ONLY the result tagged to the appropriate user via email. I have tried a couple of solutions from the community, but they didn't help me. I want to combine all the results associated with an individual user and send them one single email, as the data will be large and I don't want to spam their inbox. For example: results 4, 5 and 6 should be sent in one email only to malik@gmail.com, and so on for other users. Please suggest.
Hi, we use the app Splunk Add-on for Microsoft Cloud Services version 5.3.1 on our heavy forwarder. We ingest data from an event hub which is split into a lot of event hub names for different Microsoft services (e.g. SharePoint, Exchange etc.). The default sourcetype is "mscs:azure:eventhub" but the data isn't parsed with that. In some forums it was mentioned to use the sourcetype "ms:o365:management". Has someone had the same trouble finding the correct sourcetype? The app itself has a lot of config in props/transforms. Thanks.
My question: we have used a timechart count by clause in the Splunk query, and we need to compare the dynamic field values.

Query: index=sample sample="value1" | timechart count by field1

It returns results like:

time                 output1  output2
2024-11-13 04:00:00  8        30
2024-11-13 04:01:00  8        30

My question here is that we need to compare output1 and output2, e.g. whether output1 is more than 30% of output2 in a 10-minute interval.
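The comparison in the post has two parts: roll the per-minute rows up into 10-minute buckets, then test the ratio of one column to the other against a threshold. The block below is an added example, not code from the post or a Splunk feature: it does both over constructed rows that start from the two the post shows and adds a few more so that one bucket passes the threshold, one fails and one has a different column width. It reads "more than 30% of output2" as output1 / output2 > 0.3, which is an assumption about what the poster means.

```python
"""Bucket a two-series time table into 10-minute spans and flag buckets where
output1 exceeds 30% of output2.

Added example, not from the original post. SAMPLE_ROWS is constructed around
the two rows the post shows; the threshold semantics are an assumption.
"""
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_ROWS = [
    ("2024-11-13 04:00:00", 8, 30),
    ("2024-11-13 04:01:00", 8, 30),
    ("2024-11-13 04:05:00", 12, 30),
    ("2024-11-13 04:10:00", 2, 40),
    ("2024-11-13 04:15:00", 3, 40),
    ("2024-11-13 04:21:00", 20, 25),
    ("2024-11-13 04:31:00", 5, 0),    # zero denominator: ratio undefined
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def bucket_start(ts: str, span_s: int = 600) -> int:
    """Epoch start of the span containing `ts` (timestamps taken as UTC)."""
    epoch = datetime.strptime(ts, TIME_FORMAT).replace(tzinfo=timezone.utc).timestamp()
    return int(epoch // span_s * span_s)


def compare_series(rows, threshold: float = 0.3, span_s: int = 600) -> list:
    """Sum both columns per span and mark spans where output1/output2 > threshold.
    A span with output2 == 0 gets ratio None and is never flagged."""
    sums = defaultdict(lambda: [0, 0])
    for ts, a, b in rows:
        key = bucket_start(ts, span_s)
        sums[key][0] += a
        sums[key][1] += b
    report = []
    for key in sorted(sums):
        a, b = sums[key]
        ratio = a / b if b else None
        report.append({
            "bucket": datetime.fromtimestamp(key, timezone.utc).strftime(TIME_FORMAT),
            "output1": a,
            "output2": b,
            "ratio": ratio,
            "exceeds": ratio is not None and ratio > threshold,
        })
    return report


def flagged_buckets(rows, threshold: float = 0.3, span_s: int = 600) -> list:
    return [r["bucket"] for r in compare_series(rows, threshold, span_s) if r["exceeds"]]


if __name__ == "__main__":
    for r in compare_series(SAMPLE_ROWS):
        print(r)
```

Summing before dividing matters: a ratio computed per minute and then averaged weights quiet minutes the same as busy ones, whereas the ratio of the sums is what "more than 30% over the interval" normally means.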
How do I filter events in the dashboard with the help of a search box? In the search box I have to give multiple strings like error,warning, so I need to pick out only error and warning logs.

In Dashboard XML:

<input type="text" token="Text_Token" searchWhenChanged="true">
  <label>Error Search (comma-separated)</label>
</input>

index=test Message="*"| eval error_list=split("$Text_Token$", ",")| table PST_Time Environment Host Component FileName Message | search Message IN ("error_list") OR Environment=QDEV Component IN (AdminServer) FileName=*| search NOT Message IN ("*null*")|sort PST_Time
May I know where I can get the Splunk Enterprise REST API OpenAPI Specification (OAS) JSON file? Thanks
I am trying to create a dashboard. It has two text input fields. I want to run a search query based on these two inputs.

If input A is null AND input B is null then no search results
If input A is not null AND input B is null then search using only A
If input A is null AND input B is not null then search using only B
If input A is null AND input B is not null then search using both A and B

Following is my query. It returns no results:

Properties.application="xyz.api" | spath Level | search Level!=Verbose AND Level!=Debug | eval search_condition_fnum=if(len(trim("$text_fnum$"))=0 OR isnull("$text_fnum$"), "", "RenderedMessage=\"*$text_fnum$*\"") | eval search_condition_fdate=if(len(trim("$text_fdate$"))=0 OR isnull("$text_fdate$"), "", "RenderedMessage=\"*$text_fdate$*\"") | eval combined_search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ") | table search_condition_fnum, search_condition_fdate, combined_search_condition | search [| makeresults | eval search_condition=mvjoin(mvfilter(search_condition_fnum!="") + mvfilter(search_condition_fdate!=""), " OR ") | fields search_condition]
Hi Splunkers, any help with "Rex has exceeded configured match_limit, consider raising the value in limits.conf"? My search looks like this:

| index=abc index=def process=jkl
| rex field=_raw ";(?<h_db_host>\w+);(?<h_instance_name>\w+);\d+;\d+;(?<h_db_name>\w+);(?<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?<user_computer_name>[^;]*)?;[-\d]+;[-\d]+;(?<audit_policy_name>[^;]+);(?<audit_policy_severity>\w+);(?<user_activity>[^;]+);(SUCCESSFUL|UNSUCCESSFUL);(?<activity_details>[^;]+);(?<application_username>[^;]*)?;{5}(?<db_user_id>\w+)?;(?<user_application>[^;]+)?;(?<db_schema>\w+)?;"
| rex field=user_activity "(?<user_activity_event>.+?)\;"
| fillnull value="null"
| search h_db_name IN("srp1", "brp1") audit_policy_severity="CRITICAL" db_user_id=SYSTEM
| table _time, env, host, h_db_host, h_instance_name, h_db_name, user_computer_ip user_computer_name audit_policy_name audit_policy_severity user_activity_event

Any help will be appreciated.
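The match_limit error is the regex engine's backtracking budget running out. A pattern like the one above invites that: it is not anchored, so the engine retries from every ";" in the event, and the optional groups followed by a literal ";" ("(...)?;") give it several ways to consume the same delimiters before a later mandatory group fails. For a fixed-position, semicolon-delimited record the robust alternative is to split on the delimiter and pick columns by index, which never backtracks; in Splunk the equivalent is a delimiter-based extraction (DELIMS and FIELDS in transforms.conf) rather than a search-time rex. The block below is an added example, not code from the post: the column layout is an assumption read off the order of the capture groups in the posted rex, and the sample record is constructed to fit that layout, so both should be checked against a real event before use.

```python
"""Delimiter-based extraction for the semicolon-separated audit record from
the post, as an alternative to one long unanchored rex.

Added example, not from the original post. COLUMNS is an assumed layout
derived from the capture-group order of the posted rex; SAMPLE_RECORD is
constructed to match it.
"""
import ipaddress
from typing import Optional

# Assumed column layout (index -> field). Columns 3, 4, 8, 9 and 16-19 are the
# numeric or empty filler the rex skips with \d+, [-\d]+ and ;{5}.
COLUMNS = {
    1: "h_db_host", 2: "h_instance_name", 5: "h_db_name",
    6: "user_computer_ip", 7: "user_computer_name",
    10: "audit_policy_name", 11: "audit_policy_severity",
    12: "user_activity", 13: "result", 14: "activity_details",
    15: "application_username", 20: "db_user_id",
    21: "user_application", 22: "db_schema",
}
MIN_COLUMNS = max(COLUMNS) + 1

# Constructed sample record following the assumed layout.
SAMPLE_RECORD = (
    "2024-11-19 11:36:05;dbhost01;INST1;42;7;srp1;10.20.30.40;WKS-042;-1;0;"
    "PRIV_ESCALATION;CRITICAL;GRANT DBA TO;SUCCESSFUL;grant dba to appuser;"
    "svc_batch;;;;;SYSTEM;sqlplus;APP;"
)


def parse_record(line: str) -> Optional[dict]:
    """Positional parse. Returns None for records that do not fit the layout
    (too few columns, or an unexpected result token), mirroring a rex miss."""
    parts = line.split(";")
    if len(parts) < MIN_COLUMNS:
        return None
    rec = {name: parts[idx] for idx, name in COLUMNS.items()}
    if rec["result"] not in ("SUCCESSFUL", "UNSUCCESSFUL"):
        return None
    # Validate the IP column instead of trusting four dotted numbers.
    try:
        ipaddress.ip_address(rec["user_computer_ip"])
    except ValueError:
        rec["user_computer_ip"] = ""
    # Same effect as the post's "| fillnull value=null".
    return {k: (v if v != "" else "null") for k, v in rec.items()}


def is_critical_system_activity(rec: Optional[dict],
                                db_names=("srp1", "brp1")) -> bool:
    """The filter from the post: selected DBs, CRITICAL severity, SYSTEM DB user."""
    return (rec is not None
            and rec["h_db_name"] in db_names
            and rec["audit_policy_severity"] == "CRITICAL"
            and rec["db_user_id"] == "SYSTEM")


if __name__ == "__main__":
    parsed = parse_record(SAMPLE_RECORD)
    print(parsed)
    print("critical SYSTEM activity:", is_critical_system_activity(parsed))
```

If the regex has to stay, anchoring it ("^" plus a literal prefix for the first column) and replacing "(...)?;" with "([^;]*);" so every column is consumed exactly once removes most of the backtracking; raising match_limit only postpones the failure on longer events.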
Currently trying to get eval to give multiple returns:

| eval mitre_category="persistence,Defense_Evasion"
| eval apt="apt1,apt2,apt3"

I would like the values to be listed as OR, that way I get `apt2` or `apt3` instead of searching for `apt1,apt2,apt3`. I would like to know if there is a way to do this via one query instead of several, if at all possible.
Hi Splunkers, as per the thread title, I need to build one or more searches that show me, for a specific app, all alerts, reports and dashboards owned by that app. Now, I know very well that the community is full of topics with this problem and related answers. The issue is the following: none of them work properly in my case. This is because, when I run the search and specify the app, I get "mixed" results: I mean, I get an output composed of alerts owned by the app I'm searching for, but also others. Let me be more specific. I know that, for this kind of search, the base string is:

| rest splunk_server=local /servicesNS/-/-/saved/searches | table title

Which means: hey, return me all saved searches for all apps on the local Splunk server (a SH, in my case). So, if I execute the above search, I get more or less 450 results. So, what about if I need to filter? Very simple:

| rest splunk_server=local /servicesNS/-/<app name here>/saved/searches | table title

That should return all and only the saved searches for the requested app (a custom one in my case). Problem: the app I need info on has 119 saved searches (checked in the GUI on the related page). The above query returns a total of 256; analyzing the output, it returns searches owned by other apps. Of course, I have already performed the obvious check, which is: am I sure that the searches in the output belong to different apps and are not all for the one I'm searching for? Yes, I checked, and in the output there are also Enterprise Security searches, so for sure the search is returning more data than the one I need. So, my question is: what can be the root cause of this behavior, if the searches' ownership is correct?
Hello Splunkers, I have a requirement where I need to show values in statistics even if they don't exist. For example, here's my search:

index=brandprotection name IN (ali, ahmad, elias,moayad) | stats count by brand

However, sometimes the names Elias and Moayad aren't in the logs, but I need to have them in the table, so I need the output to be like this:

user    count
ahmad   7
ali     4
elias   0
moayad  0

I need a search that would show the results like the table above. Thanks