Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.


Splunk Enterprise specifically lists Windows OS requirements being Windows Server 2016 and Server 2019. Is Windows Server 2022 supported yet and if not, does anyone know why it will be added?
Hi, I am trying to convert the result of applying the CorrelationMatrix algorithm, which is given in a confusion matrix form like:

       AA     BB     CC
AA     1      0.1    0.2
BB     0.1    1      0.3
CC     0.2    0.3    1

And I would like to convert it to a tabular form like:

AA BB 0.1
AA CC 0.2
BB AA 0.1
BB CC 0.3
....

So far I tried with the untable command without success. Below you can see a sample of the code I have.

index="someIndex" | timechart span=1m count by someField | fillnull value=0 | fit CorrelationMatrix method=pearson * | untable a, b, c

Any help would be much appreciated, Thanks!
I am making a list of Splunk critical services to be notified about after hours & weekends, to revive Splunk in case it goes down & stays down until Monday!! We had an incident where a Splunk instance went down Friday night & we found out on Monday!! I am including Splunkd down, CPU on an instance going up/running at 95%. What other critical items would you add to this list please? I have a large environment, have Splunk Ent. ES & a clustered environment.
Hello, Hope you are doing well! I have updated an existing correlation alert in Splunk as a notable event, which previously used to send an email notification to 'x'. I have selected 'Default Owner' as 'leave as system default' (i.e. unassigned), but still when it triggers alerts in the Splunk Incident Review page, it shows the owner as 'x' (same as the email owner), not as the default owner, i.e. unassigned. Can someone help me with this? Thanks in advance!
Hi, I want to create an alert that will trigger when 1 user (no specific user name, just one person from the organization) deletes more than 5 files from DropBox. I tried setting the following query:

host="ip-of-the-host-as-arrives-in-splunk" "event_type..tag"=file_delete | where count > 5

but how do I add the 1 user part? Would love to get some help, I am new at this.
What is the best way (globally for all apps) to detect and report on either the creation of a new file in the /appname/local/ directory of an app, OR when a file has been updated within the local directory of an app? Thanks!
I am currently in the process of building out a custom application which will include an adaptive response action that uses a Python script to update a system's group based on events that come into our Incident Review page. I have all of the logic working (a correlation search identifies an event, creates a notable, from there I can select the AR action, input this system's GUID into the text box and it will go from there). My issue is that I cannot get the correct configuration to have this field prepopulated, based on the event in the notable, when the menu is brought up. The configuration files I believe need to be updated are alert_actions.conf, alert_actions.conf.spec, savedsearches.conf.spec, and <alert_action_name>.html. I have found some similar posts about this but nothing that gives details about the syntax needed for each file:

https://community.splunk.com/t5/Splunk-Enterprise-Security/Does-the-service-now-integration-work-as-an-ad-hoc-adaptive/m-p/437270
https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Is-it-possible-to-prepopulate/m-p/251952

In my various config files I have the following lines:

alert_actions.conf:
param.hostname = $result.hostname$
param.connector_guid = $result.connector_guid$

alert_actions.conf.spec:
param.hostname = <string>
param.cguid = <string>

savedsearches.conf.spec:
param.hostname = <string>
param.cguid = <string>

<alert_action_name>.html:
<form class="form-horizontal form-complex">
  <div class="control-group">
    <label class="control-label" for="custom_app_hostname">Hostname <span class="required">*</span></label>
    <div class="controls">
      <input type="text" name="action.custom_app.param.hostname" value="$hostname$" id="custom_app_hostname"/>
      <span class="help-block">Verify this is the correct hostname, if not then input from the alert.</span>
    </div>
  </div>
  <div class="control-group">
    <label class="control-label" for="custom_app_cguid">Connector GUID <span class="required">*</span></label>
    <div class="controls">
      <input type="text" name="action.custom_app.param.connector_guid" value="$connector_guid$" id="custom_app_cguid"/>
    </div>
  </div>
</form>

Below is the screenshot of the menu I am referring to needing to be prepopulated:
Good morning Community, where can I find all the free courses on dashboard monitoring? I am looking for free courses that teach how to use dashboards; is there a sequence for these courses? And if paid, is there an ideal sequence to follow for someone who wants to work with dashboard monitoring? Thanks for the help.
Hi, Do AppDynamics APIs support pagination?

^ Post edited by @Ryan.Paredez for a more searchable title.
Hi all, I have a question about macros: suppose I must use, inside a search, multiple macros. Those macros can be related to each other by simple logical conditions like AND and OR; what is the right syntax to tell the search to use more than one macro? Is it the append command or something else?

UPDATE

Let me modify the post, after @ITWhisperer's explanation. The current desired behavior is to perform security checks with rules that use multiple macros. We don't know if it is the best way and/or absolutely required by the customer, but at writing time it is our guideline. We have the following situation:

1. Two or more macros linked with the AND operator. Consider the following macro:

`remote to local` = | eval (All_traffic.src) as src from datamodel="Network traffic" | eval (All_traffic.dest) as dest from datamodel="Network traffic" | where ( src!=10.0.0.0/8 AND src!=172.16.0.0/12 AND src!=192.168.0.0/16) AND ( dest=10.0.0.0/8 OR dest=172.16.0.0/12 OR dest=192.168.0.0/16)

set to use the Data Model instead of raw events, and that evaluates whether the connection is from the internet to the local network. The other one is the following:

`successfull communication` = | eval(All_traffic.bytes_in/All_traffic.packets_in) as input_rate from datamodel="Network traffic" | eval(All_traffic.bytes_out/All_traffic.packets_out) as output_rate from datamodel="Network traffic" | where input_rate > 80 and output_rate > 80

which tries to understand if the communication between source and dest works fine by counting the bytes/packets rate. What if, in my rules, I have to use them linked with AND and used as a filter? I mean, the final rule structure is something like this:

<my search>....| where `remote to local` AND `successfull communication`

2. The macros should be put together with OR. This is because the rule tries multiple ways to understand if something is happening or not. Consider this macro:

`IRC Check with Firewalls` = |tstats count values(All_traffic.src) as source by source from datamodel=Network_Traffic | where All_traffic.protocol = tcp AND All_traffic.action = allowed | search All_traffic.dest = NOT [| inputlookup WhiteListIP.csv | table dest] All_traffic.dest_port IN [| inputlookup IRCPorts.csv | table dest_port]

that tries to check if an IRC server is running by checking some network data, like firewall pass, TCP protocol, destination port present in the IRCPorts.csv file, and excluding some authorized servers put in WhitelistIP.csv. Then, we must make a macro that tries to find if an IRC client is running; currently we don't know how to realize this, so let me put here simply its name:

`IRC Client Detected`

So, the final search wants to use these 2 macros as a filter and trigger if one of them is true; something like:

<some search>...| where `IRC Check with Firewalls` OR `IRC Client Detected`

3. Any combination of AND and OR. Using the above macros, something like:

<some search>...| where `remote to local` AND (`IRC Check with Firewalls` OR `IRC Client Detected`)
I am using a cell renderer, and when assigning the cell value to a var used by my script, the var shows as undefined, even though cellData.value shows a valid string. The basics of the JS code are:

canRender: function (cellData) {
    console.log("cellData.field ", cellData.field);
    if (cellData.field === 'audiofiles') {
        return true;
    } else {
        return false;
    }
},
render: function ($td, cellData) {
    console.log("cellData.value ", cellData.value);
    var mysoundfiles = cellData.value.tostring;
    console.log("mysoundfiles ", mysoundfiles);

and the results from the console log are:

cellData.field last_audio
cellData.field audiofiles
cellData.value (3) ['LOWRATES.wav RES1.wav', 'RES1.WAV CATSTROP.WAV', 'TLPRESNAP.wav']
mysoundfiles undefined

When trying to use cellData.value, it always returns 'undefined'. Oddly, this code was working at one time, then just stopped working for some reason. Any help is greatly appreciated!
Hello my friends. I have a report that uses the "ldapsearch" command. It runs every day. The problem is that the report can be executed, and the next day the report is in the "running" status. And it works through: somewhere right away, somewhere it keeps
I have this query:

my search | rex field=line ".*customerId\":(?<customer_id>[0-9]+)" | dedup customer_id | table customer_id

That returns multiple rows and generates a table:

customer_id
-----------
1
2
3
4
5

I also have another query that returns a single row with an array of ids:

Synced accounts: [ 1, 3, 5 ]

My questions are:
1) How can I convert the row from query 2 into a table with the ids?
2) How can I do a left join between the results (so that I will see on the table only the ids from query 2)?

customer_id
----------
1
3
5

Thanks in advance, Elad
Caused by: java.sql.SQLException: Io exception: Socket closed

I want to extract "java.sql.SQLException". Can you please do the needful.
Hi all, I'm currently thinking about what to monitor on the application level from Splunk servers using Nagios. Can you give me some ideas and possibilities? I could not find any good ideas in the "Splunk Add-on for Nagios" documentation. And I would like to have an overview of what is best to monitor using Nagios and what with Splunk self-monitoring. I would appreciate it if you can point me in the right direction. Best, Oj.
Hello, We have a problem with the monitoring of a simple file with five fields. The problem is on the date field that Splunk can't match as shown in the attached image. Thanks in advance for your help. Best regards.  
We got this error on one HF, but it works fine on other HFs:

ERROR '>=' not supported between instances of 'HTTPError' and 'int'

I tried reinstalling this add-on, still didn't work. Do you have any ideas?
I have a field message which has values in JSON format; I need to extract all the values in the JSON.

{ [-]
  guessedService: ejj
  logGroup: /aws/ejj/cluster
  logStream: kube-apt-15444d2f8c4b216a9cb69ac
  message: {"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}

Here, from the message field, I need to extract kind, stage, requestURI... and these fields inside the JSON are dynamic (there can be more in other events). Need help in extracting these fields at index time using props and transforms. Thanks
I was trying to install the UF on one of the Windows servers but it's failing:

11-17-2021 10:18:53.591 +0300 FATAL HTTPServer - Could not bind to port 8089

deploymentclient.conf:

[target-broker:deploymentServer]
targetUri = x.x.x.x:8089

[deployment-client]
clientName = xxxxx
Hi, I wrote the Splunk query below to monitor a server log:

index="abc" sourcetype="abc" login "response.status"=200 source="abc.log"
| timechart span=2m count
| timewrap d series=short
| addtotals s*
| eval daysAvg=round(Total/14.0,0)
| eval yesterday_time=strftime(_time,"%H:%M")
| table _time, yesterday_time, s0, daysAvg, s6
| outputlookup openapi_login_last_days_lam.csv

However, my query relies on the time range to count the daysAvg value; for example, in this case the time range is 14 days, so eval daysAvg=round(Total/14.0,0). I want to calculate daysAvg dynamically. That means I don't need to change the time range value when I apply another range. To achieve that, I wrote code to calculate the time range like this:

index="abc" sourcetype="abc" login "response.status"=200 source="abc.log"
| stats earliest(_time) as earliest_time
| eval latest_time=now()
| eval difference=floor((latest_time-earliest_time)/(3600*24))
| table earliest_time, latest_time, difference

Finally, I combine the two searches like this:

index="abc" sourcetype="abc" login "response.status"=200 source="abc.log"
| timechart span=2m count
| timewrap d series=short
| addtotals s*
| append
    [ search index="abc" sourcetype="abc" login "response.status"=200 source="abc.log"
        | stats earliest(_time) as earliest_time
        | eval earliest=earliest_time
    ]
| eval latest_time=now()
| eval daysAvg=round(Total/14.0,0)
| eval yesterday_time=strftime(_time,"%H:%M")
| table _time, yesterday_time, s0, daysAvg, s6, latest_time, earliest

But earliest from the subsearch did not pass to the outer search. Please help me. Thank you.