I have a problem where an admin role user cannot see another analyst user to assign specific notable events to. However, I do not have any problems when I as another admin user try to assign the analyst user that the other admin role cannot see. I have checked notable_owners_lookup and it was filled correctly with the expected users. What could be the issue here and where should we check?
The link below provides the following paragraph: "...HEC responds with the status information to the client. The body of the reply contains the status of each of the requests that the client queried. A true status indicates that the event that corresponds to that ackID was replicated at the desired replication factor. A true status does not guarantee that the event was indexed, because the parsing pipeline might drop events that can't be parsed. A false status indicates that there is no status information for that ackID, or that the corresponding event has not been indexed." Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/AboutHECIDXAck This seems contradictory. How can the event for the ackID be replicated at the desired replication factor if it does not guarantee that the event was indexed? However, I noticed that earlier in the documentation, with indexer acknowledgement turned off, it states: "By default, when HEC receives an event successfully, it immediately sends an HTTP Status 200 code to the sender of the data. However, this only means that the event data appears to be valid, and HEC sends the status message before the event data enters the processing pipeline." Does the lack of guarantee only refer to when acknowledgement is NOT enabled? I.e. does an ackID value of "True" guarantee that the data has been indexed (and replicated) successfully?
Hi, I have a local server on my network and would like to send data from this local host to the cloud instance. I have followed the instructions here, https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/ConfigSCUFCredentials and installed the splunkclouduf.spl obtained from my cloud instance profile. However, I seem to be getting the following errors:

11-12-2021 13:56:53.874 +0800 WARN X509Verify [30879 HTTPDispatch] - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates>
11-12-2021 13:56:53.901 +0800 INFO UiHttpListener [30942 WebuiStartup] - Web UI disabled in web.conf [settings]; not starting
11-12-2021 13:56:54.039 +0800 INFO TcpOutputProc [30923 parsing] - _isHttpOutConfigured=NOT_CONFIGURED
11-12-2021 13:56:54.040 +0800 ERROR TcpOutputProc [30923 parsing] - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
11-12-2021 13:56:58.961 +0800 WARN TailReader [30932 tailreader0] - Could not send data to output queue (parsingQueue), retrying...

I thought that once we deploy via the splunkclouduf.spl, we need not configure any outputs.conf file? Any assistance is greatly appreciated.
I have two VIP names, and I would like to know the number of hits to them. I am new to Splunk, and not sure how to write a query. Could anyone help?
Hi All, I have been using wildcards in inputs.conf for a very long time, but recently, when I give the path below with wildcards, Splunk is not able to capture all the files:

[monitor://C:\logdir\*\*\Katre\log\*.log]

Around 178 files should get selected with the above monitor stanza, but the Splunk forwarder is only sending logs from 20-30 files. Am I hitting any limit, or is there any limitation?
Newly upgraded Splunk to 8.1.5 from 7.3.x and seeing the below error message on DMC Search Activity: Instance

Multiple renames to field 'Type' detected. Only the last one will appear, and previous 'from' fields will be dropped.

Any ideas or suggestions on how to fix this?
Hello There, I'm a bit rusty when it comes to the syntax and I am trying to get a better grasp. I have an if-else function, so if, let's say, ABC is greater than 3600, add 21600 seconds; else don't add any time. I have 3 of these types of conditions, but they are all under the same field name. The struggle for me is combining these if-else functions into one multi-conditional function. I have spent a while looking at how to do this, but I didn't run into any examples that included strftime or strptime. Any guidance on this type of syntax is appreciated.

| eval SLA_Breach=case(ABC>3600, strftime(strptime(releaseToCarsTime, "%Y-%m-%d %H:%M:%S.%6N") +21600, "%Y-%m-%d %H:%M:%S.%6N"),"none")
| eval SLA_Breach=if(DEF>2800,strftime(strptime(releaseToCarsTime, "%Y-%m-%d %H:%M:%S.%6N") +172800, "%Y-%m-%d %H:%M:%S.%6N"),"none")
| eval SLA_Breach=if(GHI>1400,strftime(strptime(releaseToCarsTime, "%Y-%m-%d %H:%M:%S.%6N") +86400, "%Y-%m-%d %H:%M:%S.%6N"),"none")
I need help extracting the below fields. Can someone help?

reference = 205, \"sample\":12345678, \"logic\":\"AB000012\", \"status\":0, \"result_message\":null, \"end_time\":null,

sample=12345678 logic=AB000012 status=0 result_message=null end_time=null
I want to visualize a data table with 4 columns: time, resource1, resource2, duration. I know how to do this with data coming from different events. However, in my case, all the data is stored in a single performance metric Splunk event. The event would look like the blob below, where the measureStart node contains the start time of these tasks, and the measures node contains the durations of these tasks.

Splunk Event:

{
    measureStart: {
        "super_Task1: mini task1": 2021-11-12T02:50:05.430Z,
        "super_Task1: mini task2": 2021-11-12T02:50:06.430Z,
        "super_Task2: mini task1": 2021-11-12T02:50:07.430Z,
    },
    measures: {
        "super_Task1: mini task1": 50,
        "super_Task1: mini task2": 100,
        "super_Task2: mini task1": 80,
    }
}

I would like to produce a table that looks like this:

time                        supertasks     tasks     duration
2021-11-12T02:50:05.430Z    super_Task1    point1    50
2021-11-12T02:50:06.430Z    super_Task1    point2    100
2021-11-12T02:50:07.430Z    super_Task2    point1    80

Thank you very much!
Hello, I have events with different lengths for the _raw field within the same source. I would need to limit/minimize the length of the _raw field in some cases. How would I limit the maximum length of the string displayed for the _raw field using queries from the search head? Any help will be greatly appreciated. Thank you so much.
I have the below two JSON events where, under "appliedConditionalAccessPolicies", in one event policy1 has result=failure and policy2 has result=notApplied. In the other event the values are reversed. Now I'm trying to get the event where policy1 has the status="failure", but it gives both the events:

index=test | spath path="appliedConditionalAccessPolicies{}" | search "appliedConditionalAccessPolicies{}.displayName"="policy1" "appliedConditionalAccessPolicies{}.result"="failure"

It looks like it's searching within all the elements in the array. How can I ensure it checks both conditions on each element of the array and returns the event which has the element satisfying both conditions?
Events:

appDisplayName: App1
appId: aaaa-1111-111aeff-aad222221111
appliedConditionalAccessPolicies: [
  {
    displayName: policy1
    enforcedGrantControls: [ Block ]
    enforcedSessionControls: [ SignInFrequency ContinuousAccessEvaluation ]
    id: f111113-111-400c-a251-2123bbe4233e1
    result: failure
  }
  {
    displayName: policy2
    enforcedGrantControls: [ Block ]
    enforcedSessionControls: [ ]
    id: sdsds-8c92-45ef-sdsds-c0b2e006d39b
    result: notApplied
  }
]

appDisplayName: App1
appId: aaaa-1111-111aeff-aad222221111
appliedConditionalAccessPolicies: [
  {
    displayName: policy1
    enforcedGrantControls: [ Block ]
    enforcedSessionControls: [ SignInFrequency ContinuousAccessEvaluation ]
    id: f111113-111-400c-a251-2123bbe4233e1
    result: notApplied
  }
  {
    displayName: policy2
    enforcedGrantControls: [ Block ]
    enforcedSessionControls: [ ]
    id: sdsds-8c92-45ef-sdsds-c0b2e006d39b
    result: failure
  }
]
Hi, I have a search returning the event:

Nov 10 23:45:3 8888888 Tra[9100]: { EventName: "Error Occurred", BatchId: 095cehcx-87ee-43f6-9663-c2fb833677a978, CorrelationId: 5fghja26b9-fe73-78cb-342b-5123f2ec167896, Payload: BusinessLogicException { Message: "Lead 0000000001VII6N00AX has an agency code that is not 7 digits.", Data: [], InnerException: null, TargetSite: Void Validate(uya.QueryModels.Lead), StackTrace: " at uyu.Models.Lead.Validate(Lead queriedLead)

How do I extract only the content of the Message field: Message: "Lead 0000000001VII6N00AX has an agency code that is not 7 digits.:"
Is there any method to automatically delete anomalies in Splunk UBA to maintain a total amount under the 1.5 million anomaly threshold?
Hello all! I installed Splunk ITSI following the steps in the documentation on a SH cluster. But I see that the app that was installed from ITSI says IT Essentials Work and not IT Service Intelligence. Did I do something wrong?
Hi, I have a log file in Splunk which reports the errors whenever something fails. Now I need to run a Splunk query to find if the same error shows up in Splunk more than 3 times in the last 1 hour. If it happens, I need to send an alert. Can someone suggest the query with the time in it? Thanks.
Took some trial and error to figure out why some multivalue fields were being displayed as a single line. If the string "data:" appears in any value of a multivalue field, for example using stats values(x) AS x, the multivalue field will display as a single line. Is there any way to escape this behavior?

| makeresults
| eval category="fruits"
| eval name="apple,orange,strawberry,apricot,blueberry,mango"
| eval name=SPLIT(name, ",")
| mvexpand name
| eval desc=name." is delicious!"
| eval desc_data="data: ".name."is delicious!"
| table category name desc desc_data
| stats values(name) AS name values(desc) AS desc values(desc_data) AS desc_data by category

UPDATE: Thanks everyone for testing and helping identify that this issue does not affect v8.1.2. It appears to affect v8.2+.
| makeresults | eval TYPE="CHANGES,INCIDENT,PROBLEM,TYPE" | makemv TYPE delim="," | mvexpand TYPE | appendcols [subsearch]

The above is a static column which I want to be appended at the beginning of the resulting table from the subsearch. Is there anything wrong with the order of the query? Please help, I'm new to Splunk.
I am checking my nessus index in Splunk and I see that data stopped being ingested a month ago. Reviewing the account config, I am using Tenable.sc Credentials, but it has (Deprecated) next to it. Are credentials no longer an option to connect to Tenable to pull data? I am on the latest version of the add-on, 5.2.1. Thx
I am looking at a weird issue where I am trying to fix one of the panels in a dashboard. The panel has a query like below:

index=<index> sourcetype=log4j host=$host$ <Extracted field> != NULL | timechart span=1m count by <Extracted field>

The issue is we are getting inaccurate counts, as this part "<Extracted field> != NULL" in the above query is filtering out the majority of the events, and when we try to see which events are filtered out by using "<Extracted field> = NULL" we are not seeing any events. How does Splunk treat extracted fields which are NULL, or in what situations do these fields end up as NULL? Any suggestions for the above issue? Thanks in advance!
Hey, has anyone created a search that merges an IP address from threat intel and an IP address from Azure so it'll trigger an alert if there's a match? Don't know if it's possible. Thanks, will appreciate any help or advice. I am new to ES.