All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.


Hello folks, need help. Every day a new file is generated with a FileSizeBytes value. I need to compare yesterday's FileSizeBytes value with today's FileSizeBytes value and store the result in a new field. Ex:

_time                     FileSizeBytes
2021-11-13 02:21:51.327   116786105
2021-11-12 02:15:18.357   116757352

Job runs from Tue-Sat.
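One way to do the "compare with the previous run" part, as an added example rather than anything from the post: streamstats with current=f carries the previous event's FileSizeBytes (and its _time) onto the current event, so the delta is a plain eval. The two rows embedded with makeresults are the two values from the post, parsed from a constructed CSV-style string so the search runs on its own; in production replace everything up to the sort with your own index/sourcetype search that returns _time and FileSizeBytes.

```spl
| makeresults
| eval row = "2021-11-12 02:15:18.357,116757352|2021-11-13 02:21:51.327,116786105"
| makemv delim="|" row
| mvexpand row
| rex field=row "^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+,(?<FileSizeBytes>\d+)$"
| eval _time = strptime(ts, "%Y-%m-%d %H:%M:%S"), FileSizeBytes = tonumber(FileSizeBytes)
| fields _time FileSizeBytes
| sort 0 _time
| streamstats current=f last(FileSizeBytes) as prev_FileSizeBytes last(_time) as prev_time
| eval delta_bytes = FileSizeBytes - prev_FileSizeBytes
| eval delta_pct = round(100 * delta_bytes / prev_FileSizeBytes, 2)
| eval hours_since_prev = round((_time - prev_time) / 3600, 1)
| table _time FileSizeBytes prev_FileSizeBytes delta_bytes delta_pct hours_since_prev
```

The first row has no predecessor, so its prev_* and delta fields are empty. Because the job only runs Tue-Sat, "previous event" is what you actually want: Tuesday's file is compared against Saturday's, and hours_since_prev shows the gap so a Tuesday delta can be recognised as covering more than one calendar day.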
I am looking to identify specific assets that have not been logged into in over a set time. I am fairly new to all of this and trying to learn in a more hands-on way. I was wondering what would be the best way to accomplish this? I was thinking something like this, but I don't think this is right:

EventCode=4624 AND [|inputlookup append=t Computers.csv] NOT [inputlookup append=t Dont_search.csv] | dedup host | table _time,host,user | sort host

Computers.csv - specific computers that I want to track.
Dont_search.csv - accounts that I DO NOT want to track.

I am hoping to show all computers on my list regardless of whether they were logged into. Any help would be greatly appreciated!!!
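A search that reports every tracked computer, including the ones with no logon at all, as an added example (not the poster's search). Assumptions: the Windows events live in index=wineventlog, Computers.csv has a host column and Dont_search.csv a user column (both column names are assumed), and the search is run over a window at least as long as the staleness threshold, here 30 days. The first stats collapses the events to one row per host; inputlookup append=t then adds a row for every computer on the list, and the second stats merges the two so a computer that never produced a 4624 ends up with an empty last_logon instead of disappearing.

```spl
index=wineventlog EventCode=4624
    [ | inputlookup Computers.csv | fields host ]
    NOT [ | inputlookup Dont_search.csv | fields user ]
| stats latest(_time) as last_logon latest(user) as last_user by host
| inputlookup append=t Computers.csv
| stats max(last_logon) as last_logon values(last_user) as last_user by host
| eval days_since_logon = round((now() - last_logon) / 86400, 1)
| eval status = case(isnull(last_logon), "never seen in search window",
                     days_since_logon > 30, "stale",
                     true(), "active")
| where status != "active"
| eval last_logon = strftime(last_logon, "%Y-%m-%d %H:%M:%S")
| sort - days_since_logon
| table host last_logon last_user days_since_logon status
```

Run it with earliest=-90d or wider so that "never seen" really means never, not "outside the last 24 hours". If only human logons should count, add Logon_Type IN (2, 10, 11) (interactive, RDP, cached interactive) to the first line; otherwise service and network logons will keep a box looking active.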
Hi, I have a Pro trial and I am trying to create a schema to send custom events through the Analytics Events API. Currently I do not see the Analytics tab in the controller UI, so I was not able to create an API key. Is it possible to help me with that? Thanks in advance! My kindest regards, Yigit
Hi, I have 2 sourcetypes in the same index (index=A sourcetype=compare and index=A sourcetype=Fire). I am doing an outer join to get data from both sourcetypes for comparing whether agents are installed on the machines in both sourcetypes. How do I check for a newly added machine that is in sourcetype=Compare and not in sourcetype=Fire, which is the old one? Currently I am not seeing the newly added machines from the Compare sourcetype.

My code:

index=A sourcetype=Compare | fillnull value="" | join type=outer Name [ search index=A sourcetype=Fire | fillnull value=""] | table Name Agent
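The same comparison without join, as an added example (not the poster's code). join runs Fire as a subsearch, which is capped at 50,000 rows by default and silently truncated beyond that; a single stats over both sourcetypes has no such limit and gives you the set membership of every machine directly. The five rows built with makeresults are constructed sample data: in production replace the first four lines with index=A (sourcetype=Compare OR sourcetype=Fire). The lower()/trim() normalisation of Name is an assumption about the data, added because case and trailing-space differences are the usual reason a machine looks "missing" on exactly one side.

```spl
| makeresults count=5
| streamstats count as n
| eval sourcetype = case(n <= 3, "Compare", true(), "Fire"),
       Name = case(n = 1, "host-a", n = 2, "HOST-B ", n = 3, "host-new", n = 4, "host-a", n = 5, "host-b"),
       Agent = if(sourcetype = "Compare", "installed", null())
| eval Name = lower(trim(Name))
| stats values(Agent) as Agent values(sourcetype) as seen_in by Name
| eval status = case(mvcount(seen_in) = 2, "in both",
                     seen_in = "Compare", "new: in Compare only",
                     seen_in = "Fire", "gone: in Fire only")
| where status != "in both"
| table Name Agent seen_in status
```

With the sample rows only host-new is reported (Compare only); host-b matches host-a's partner in Fire once the name is normalised. Drop the where line if you want the full inventory with its status column.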
Hi all, I installed the following apps on Splunk 8.2.2: Lookup Editor App 3.5.0 and Machine Learning Toolkit 5.3.0. But from the Python Upgrade Readiness App I'm receiving the following warning message for both of these apps: "The app is not compatible with Python3". Has anyone found the same problem? How to solve it? Thank you and Ciao. Giuseppe
Greetings, I have set the following configuration stanza in my inputs.conf, but I am getting failures for using the ignoreOlderThan key because it is a Windows-related monitor path and apparently it is not accepted.

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
sourcetype = MSAD:NT6:DNS
disabled = 0
whitelist1 = EventCode="537"
ignoreOlderThan = 7d
index = test

I only want the latest x days of logs to be indexed instead of going for the oldest logs on the hosts. Is this possible? Indexing only current logs after the server class reload is also an option, but I haven't found out how. Thanks, regards,
Hi all, I'm testing multisite indexer clustering with the configuration below and found an undesired behaviour in the case of a site failure.

available_sites = site1,site2
site_replication_factor = origin:2,site1:2,site2:2,total:4
site_search_factor = origin:1,site1:1,site2:1,total:2

As you can see I have configured the replication factor "origin:2,site1:2,site2:2,total:4" so that I will have 2 replicas in both sites. But in the case of a site failure, I am observing that Splunk will try to replicate locally in the site that is up to complete the 'total:4' condition. I think this can be a problem when the available disk space on the machines is low. Let's say site2 indexer machines are at 80% disk space usage and site1 fails: now when Splunk tries to create 4 replicas in the same site (site2) due to the site failure, it can easily exhaust the disks. As per the update from Splunk support, this is default behaviour, but I feel there needs to be additional control over this. Any advice or suggestions around this issue will be really helpful. Thank you.
I have a table output of a search which looks similar to the one shown below (one row, with multivalue cells):

10.40.x.x 10.4.x.x 13.x.x.x | KB: Windows | aXXXX | field3 | Apply Security XXX. | server user server

Is there a possible way to convert this to the desired format below?

10.40.x.x | KB4571719: Windows 7 | aXXXX | field3 | Apply Security XXX. | server
10.4.x.x  | KB4571719: Windows 7 | aXXXX | field3 | Apply Security XXX. | user
13.x.x.x  | KB4571719: Windows 7 | aXXXX | field3 | Apply Security XXX. | server
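The standard way to turn one row with two positionally paired multivalue columns into one row per pair is mvzip followed by mvexpand, shown here as an added example (not the poster's search). The field names ip, role, kb, field2, field3 and field4 are assumptions, since the post does not show the real ones; the single-row input is rebuilt with makeresults from the values in the post so the search runs on its own, and in production only the eval pair line onwards is needed.

```spl
| makeresults
| eval ip = split("10.40.x.x,10.4.x.x,13.x.x.x", ","),
       role = split("server,user,server", ","),
       kb = "KB: Windows", field2 = "aXXXX", field3 = "field3", field4 = "Apply Security XXX."
| eval pair = mvzip(ip, role, "|")
| mvexpand pair
| rex field=pair "^(?<ip_one>[^|]+)\|(?<role_one>.*)$"
| fields - ip role pair
| rename ip_one as ip, role_one as role
| table ip kb field2 field3 field4 role
```

mvzip pairs the values by position, so it only gives correct rows when the two multivalue fields have the same number of entries in the same order; check with mvcount(ip) = mvcount(role) before trusting the output. The single-valued columns (kb, field2, ...) are copied unchanged onto every expanded row.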
I would like to know: when I install the MITRE app in Enterprise Security, will it automatically populate the dashboard, or do I need to adjust my use case naming conventions too? For example, right now the use cases are not mapped to MITRE techniques. Currently a use case name is "Failed Logon Accounts"; to use the MITRE app for Splunk, do I need to modify the use case name to "T1110-Failed Logon Accounts"?
Hello, we are wondering if anyone else has experienced issues using a k8s cluster of heavy forwarders to receive AWS Firehose data into a GCP Splunk Enterprise setup via HEC. We are seeing lots of duplicates of the data and, on the flip side, some timeouts, meaning the event is sent to the S3 bucket rather than being ingested into Splunk. We thought this was an isolated issue in our setup, so we set up a pre-prod environment with the same setup, and the same problem is occurring.
Hello all, thought I had this down, but not quite. So here is the scenario. I have two fields: 1. "Sent Invite Time" and 2. "Received Invite Time". Received Invite Time should happen 1440 min from the time "Sent Invite Time" occurred, and then I am searching for when the duration between those two fields is over 1440 min. The problem I have is that I am getting fields that come up as Not Received Invite; this is because it is not giving field 2 "Received Invite Time" 1440 min to complete. So how can I do that: take field 1 "Sent Invite Time" and give it 24 hours for field 2 to occur from the start of the time that field 1 occurred? I was hoping to do this in the where clause:

| where Field1-Field2>1440
My private Splunk app is showing as Fail in the Python Readiness app, but my code is compatible with Python 3 on Splunk version 8.2.1. Below is the issue that is shown. I have tried updating server.conf with [general] python version =python3, but this didn't work. Can someone share your suggestion?

Private Apps: ABC (Private App) - Fail
Details: This app is not compatible with Python 3.
Application Path: /opt/splunk/etc/apps/ABC
Required Action: Update this app or uninstall it. If you do nothing, the app will fail.
Issue: File path designates Python 2 library.
Hello, we are facing an issue while using the Website Monitoring app to monitor URLs, as it increases the Splunk PIDs and stops the Splunk service automatically on our HF. Is there any other way (script/add-on) to monitor URLs in Splunk without making use of the Website Monitoring app? Thanks
Hi all, I am facing some errors with the Tripwire Enterprise Add-on. It would be helpful if anyone could provide me with the Tripwire Enterprise Add-on support team details. Thanks in advance. Best regards, Vinod Kumar
Hi, I'm using Phantom v4.10.3.51237 and my VA team found a security vulnerability, "nginx Byte Memory Overwrite RCE". Is it possible to update nginx from v1.19.2 to v1.20.1?
Hey all, I was creating an app that runs inside Splunk. I was following this tutorial: https://splunkui.splunk.com/Create/AppTutorial. When I try to make use of just a dashboard definition, I think it has an issue with authentication or something like that. I could not figure out how to make use of the Dashboard Studio dashboard definitions to create visuals. All of the examples show hard-coded datasources. I'm stumped on how to create views that depend on Splunk query results in ReactJS. Also, I am using Splunk Enterprise with a Developer license. To make things short: how do I use a Splunk query as a datasource for a ReactJS Splunk app on Splunk Enterprise? Ted
I have a QR string that our custom QR divider can take apart nicely, but I can't use the field extraction for this. How do I use a custom rex? Example:
- My QR string: 00020101021253037045405100005802VN38620010A0000007270132000697110001180003131000000032040208QRIBFTTA624101121000000032040821 ORD_6328416304A3AC
- The string I want to take out is 00069711000118000313100000003204 and 000697 (the first 6 characters) as field1 and field2. Fortunately the 4 characters before and the 4 characters after don't change.
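A rex for exactly this case, as an added example (not from the poster): in the string above the 32-character value is preceded by 0132 and followed by 0208, and those two fixed anchors plus the fixed length are enough to pin it down without matching a 0132 that might occur elsewhere. A nested named group captures the first six characters as field2 inside field1. The QR value is the one from the post, placed in a field named qr with makeresults so the search runs on its own; change field=qr to whichever field holds the string in your events.

```spl
| makeresults
| eval qr = "00020101021253037045405100005802VN38620010A0000007270132000697110001180003131000000032040208QRIBFTTA624101121000000032040821 ORD_6328416304A3AC"
| rex field=qr "0132(?<field1>(?<field2>\d{6})\d{26})0208"
| table field1 field2
```

This returns field1 = 00069711000118000313100000003204 and field2 = 000697. To make it permanent rather than inline, the same regex can be set as an EXTRACT-<name> in props.conf for the sourcetype; keep the \d{26} length fixed, since a greedy .* would happily run on to a later 0208.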
I have an alert that I want to run between 23:00 and 06:00; during that time, run the search over "Last 24 hours", and email the result at 8:00 every day. I have yet to find a way to trigger this.
We have an OTEL-compliant exporter. What are the required definitions in an exporter configuration to send OTEL-compliant data to Splunk Observability Cloud? We do not see examples in this list: https://docs.splunk.com/Observability/gdi/get-data-in/get-data-in.html We do not want to use the Observability Cloud API; we want to send data directly in native OTEL-compliant format. Thank you
Hi there, I am trying to diff the new version against the one-version-older record and extract the diff between them. For example, ver 1.3 against 1.2 and ver 1.2 against 1.1, extracting only the diff between them. I hope to do it in a flexible way, as in future I may have ver 1.4 and so on. I also want to limit the results to only the latest 5 version diffs. For example, if I have versions 1.1, 1.2, ..., 1.10, I only want the result for 1.6, 1.7, ..., 1.10 when diffed against the previous version. Is that possible?

Currently I have data like this:

index=a, ver=1.1, a="halo", b="haha", c="nana"
index=a, ver=1.1, a="testing", b="haha", c="nana"
index=a, ver=1.1, a="halo", b="kaka", c="testing"

index=a, ver=1.2, a="halo", b="haha", c="nana"
index=a, ver=1.2, a="lala", b="haha", c="nana"
index=a, ver=1.2, a="halo", b="kaka", c="TESTING"

index=a, ver=1.3, a="halo", b="haha", c="nana"
index=a, ver=1.3, a="lala", b="haha", c="tata"
index=a, ver=1.3, a="halo", b="kaka", c="lala"
index=a, ver=1.3, a="halo", b="kaka", c="kakaka"

Result expected when comparing ver 1.2 against 1.1 and ver 1.3 against 1.2 (a, b, c merged with ","):

ver | added records                                        | removed records
1.2 | lala,haha,nana ; halo,kaka,TESTING                   | testing,haha,nana ; halo,kaka,testing
1.3 | lala,haha,tata ; halo,kaka,lala ; halo,kaka,kakaka   | lala,haha,nana ; halo,kaka,TESTING
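One way to do a consecutive-version set diff in SPL without join or append, as an added example (not the poster's search). The trick is to number the versions in numeric order (1.10 sorts after 1.9 only if major and minor are compared as numbers, so ver is split rather than sorted as text), then emit every record twice: once under its own version index as "cur" and once under the next index as "prev". A stats by index and record then sees two roles for an unchanged record and one role for an added or removed one. The ten rows are the post's own records, rebuilt with makeresults so the search runs stand-alone; in production replace the first four lines with index=a | eval rec = a.",".b.",".c. Records are compared as exact, case-sensitive strings, so halo,kaka,testing and halo,kaka,TESTING count as a removal plus an addition, matching the expected result in the post.

```spl
| makeresults count=10
| streamstats count as n
| eval ver = case(n <= 3, "1.1", n <= 6, "1.2", true(), "1.3")
| eval rec = case(n = 1, "halo,haha,nana", n = 2, "testing,haha,nana", n = 3, "halo,kaka,testing",
                  n = 4, "halo,haha,nana", n = 5, "lala,haha,nana",    n = 6, "halo,kaka,TESTING",
                  n = 7, "halo,haha,nana", n = 8, "lala,haha,tata",    n = 9, "halo,kaka,lala", n = 10, "halo,kaka,kakaka")
| eval major = tonumber(mvindex(split(ver, "."), 0)), minor = tonumber(mvindex(split(ver, "."), 1))
| stats values(rec) as recs by major minor ver
| sort 0 major minor
| streamstats count as idx
| mvexpand recs
| eval role = mvappend("cur", "prev")
| mvexpand role
| eval idx = if(role = "prev", idx + 1, idx)
| stats values(role) as roles values(eval(if(role = "cur", ver, null()))) as ver by idx recs
| eventstats values(ver) as ver by idx
| eval status = case(mvcount(roles) = 2, "unchanged", roles = "cur", "added", roles = "prev", "removed")
| where idx > 1 AND isnotnull(ver) AND status != "unchanged"
| stats values(eval(if(status = "added", recs, null()))) as added values(eval(if(status = "removed", recs, null()))) as removed by idx ver
| eventstats max(idx) as max_idx
| where idx > max_idx - 5
| fields - idx max_idx
```

The where idx > 1 line drops the first version (nothing to compare it against), isnotnull(ver) drops the phantom "next" index created for the newest version, and the max_idx filter keeps only the last five comparisons; raise or lower the 5 as needed. With the sample rows the output is the two-row table in the post (values within a cell come back alphabetically sorted, since stats values() sorts them).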