Based on the search results, show icons, like 1-5 stars ❤❤❤ - for result 3 ❤❤❤❤❤ - for result 5
I'm working to upload some data sets from the Splunk tutorial page in order to learn how to use Splunk, and am unable to get the datasets fully added. I am receiving an error message of: Upload failed with WARN : supplied index 'Web' missing. I have downloaded the zip files from https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchTutorial/Systemrequirements. The Add Data process seems to be working fine up until the review page, and when I try to Submit it I receive the above error message. I am fairly new to learning Splunk and any assistance anyone can offer would be greatly appreciated.
Hello, on the HF of this add-on there is an Inputs configuration. On the Content Type drop down, there is a choice of four different types for audit. Screen shot attached. Does anyone have the link to documentation for what the differences are for logging those audit selections?
Hello! I can't set up my SVG because it's not recognizing my query as valid. I validated my svg on validator.w3.org/check. I think the issue is with my query, but it results in one column with the ids, and one column with a number.

SPL:

<blah blah blah initial search>
| eval shield-one_to_ten=if(percent>0, 1, 0), shield-ten_to_twenty=if(percent>=0.1, 1, 0), shield-twenty_to_thirty=if(percent>=0.2, 1, 0), shield-thirty_to_forty=if(percent>=0.3, 1, 0), shield-forty_to_fifty=if(percent>=0.4, 1, 0), shield-fifty_to_sixty=if(percent>=0.5, 1, 0), shield-sixty_to_seventy=if(percent>=0.6, 1, 0), shield-seventy_to_eighty=if(percent>=0.7, 1, 0), shield-eighty_to_ninety=if(percent>=0.8, 1, 0), shield-ninety_to_hundo=if(percent>=0.9, 1, 0)
| fields shield-one_to_ten, shield-ten_to_twenty, shield-twenty_to_thirty, shield-thirty_to_forty, shield-forty_to_fifty, shield-fifty_to_sixty, shield-sixty_to_seventy, shield-seventy_to_eighty, shield-eighty_to_ninety, shield-ninety_to_hundo
| transpose column_name="id"
| rename "row 1" AS "count"

which results in which matches the id names in my svg:

<svg id="shield" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 897 1114" shape-rendering="geometricPrecision" text-rendering="geometricPrecision"><defs><filter id="shield-ninety_to_hundo-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-ninety_to_hundo-filter-opacity-0" result="result"><feFuncA id="shield-ninety_to_hundo-filter-opacity-0-A" type="table" tableValues="0 0.95"/></feComponentTransfer></filter><filter id="shield-eighty_to_ninety-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-eighty_to_ninety-filter-opacity-0" result="result"><feFuncA id="shield-eighty_to_ninety-filter-opacity-0-A" type="table" tableValues="0 0.9"/></feComponentTransfer></filter><filter id="shield-seventy_to_eighty-filter" x="-400%" width="600%" y="-400%"
height="600%"><feComponentTransfer id="shield-seventy_to_eighty-filter-opacity-0" result="result"><feFuncA id="shield-seventy_to_eighty-filter-opacity-0-A" type="table" tableValues="0 0.85"/></feComponentTransfer></filter><filter id="shield-sixty_to_seventy-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-sixty_to_seventy-filter-opacity-0" result="result"><feFuncA id="shield-sixty_to_seventy-filter-opacity-0-A" type="table" tableValues="0 0.8"/></feComponentTransfer></filter><filter id="shield-fifty_to_sixty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-fifty_to_sixty-filter-opacity-0" result="result"><feFuncA id="shield-fifty_to_sixty-filter-opacity-0-A" type="table" tableValues="0 0.75"/></feComponentTransfer></filter><filter id="shield-fourty_to_fifty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-fourty_to_fifty-filter-opacity-0" result="result"><feFuncA id="shield-fourty_to_fifty-filter-opacity-0-A" type="table" tableValues="0 0.7"/></feComponentTransfer></filter><filter id="shield-thirty_to_fourty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-thirty_to_fourty-filter-opacity-0" result="result"><feFuncA id="shield-thirty_to_fourty-filter-opacity-0-A" type="table" tableValues="0 0.65"/></feComponentTransfer></filter><filter id="shield-twenty_to_thirty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-twenty_to_thirty-filter-opacity-0" result="result"><feFuncA id="shield-twenty_to_thirty-filter-opacity-0-A" type="table" tableValues="0 0.6"/></feComponentTransfer></filter><filter id="shield-ten_to_twenty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-ten_to_twenty-filter-opacity-0" result="result"><feFuncA id="shield-ten_to_twenty-filter-opacity-0-A" type="table" tableValues="0 0.55"/></feComponentTransfer></filter><filter 
id="shield-one_to_ten-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-one_to_ten-filter-opacity-0" result="result"><feFuncA id="shield-one_to_ten-filter-opacity-0-A" type="table" tableValues="0 0.5"/></feComponentTransfer></filter></defs><path id="shield-ninety_to_hundo" d="M403.15385,39.86098C403.15385,39.86098,402.48718,40.46214,401.15385,41.66444C399.82052,42.26559,391.15385,46.17308,375.15385,53.38691C360.48718,60.60074,351.82052,64.50823,349.15385,65.10938C347.15385,66.31168,339.82052,69.61802,327.15385,75.02839C313.82052,80.43876,296.82052,87.35201,276.15385,95.76814C255.48718,103.58312,233.15385,111.3981,209.15385,119.21308C192.48063,124.22464,175.16391,128.94608,157.20368,133.37738L652.89442,133.37738C650.08098,132.60354,647.16746,131.7896,644.15385,130.93554C620.82052,124.32286,605.82052,120.1148,599.15385,118.31134C591.82052,116.50788,579.82052,112.29981,563.15385,105.68714C545.82052,99.07447,528.48718,92.16122,511.15385,84.94739C493.15385,77.73356,474.48718,69.91858,455.15385,61.50245C435.15385,53.08632,422.48718,47.37537,417.15385,44.36961L409.15385,39.86097L403.15385,39.86097L403.15385,39.86098Z" transform="matrix(1.163815 0 0 1 -22.90216 23.13903)" filter="url(#shield-ninety_to_hundo-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-eighty_to_ninety" 
d="M740,115.16155C728.66667,113.35809,711.33333,109.15002,688,102.53735L210.76683,102.53735C199.75935,105.3544,188.50374,108.05959,177,110.6529C150.33333,116.66442,127,121.47364,107,125.08055C87.66667,127.48516,65.66667,130.79149,41,134.99956L3,141.31166L2,141.31166L1,142.21339L1,186.39808L2.16394,206.86445L896.60263,206.86445C896.86754,202.10046,897,199.4864,897,199.02228C897,197.81997,897,187.60038,897,186.39808L898,186.39808L898,141.31166L897,141.31166L895,139.5082L894,139.5082C893.33333,139.5082,882,137.70474,860,134.09783C838,131.69322,815.33333,128.38689,792,124.17882C768.66667,119.97076,751.33333,116.965,740,115.16154L740,115.16155Z" transform="matrix(1 0 0 1 -1 55.97906)" filter="url(#shield-eighty_to_ninety-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-seventy_to_eighty" d="M897.09355,204.42209L0.09355,204.42209L0.09355,207.14939L2.09355,242.31679C2.93397,257.09451,4.17169,276.76838,5.80671,301.3384L7.78706,301.3384C7.71233,300.24738,7.63819,299.16361,7.56464,298.08709L889.62247,298.08709C889.55561,299.17789,889.48893,300.26166,889.42245,301.3384L891.36427,301.3384C894.51712,248.56297,896.09355,221.3747,896.09355,219.77356C896.09355,218.57125,896.09355,208.35166,896.09355,207.14936L897.09355,207.14936L897.09355,204.42209Z" transform="matrix(1 0 0 1 -0.09355 60.5097)" filter="url(#shield-seventy_to_eighty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-sixty_to_seventy" d="M9,317.40839C8.49895,310.17944,8.0205,303.22893,7.56464,296.55687L889.62247,296.55687C886.21876,352.08469,883.30811,389.38367,880.89052,408.45379L880.63628,408.45379C880.63628,408.45379,880.63628,408.45379,880.63628,408.45379L16.36373,408.45379C16.36373,408.45379,16.36373,408.45379,16.36373,408.45379L15.90733,408.45379C14.55985,394.75357,12.2574,364.40511,9,317.40839Z" transform="matrix(1 0 0 1 -0.093555 64.29416)" filter="url(#shield-sixty_to_seventy-filter)" fill="rgb(0,141,199)" 
fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-fifty_to_sixty" d="M891.40641,402.6281C891.59233,401.45453,891.78149,400.16115,891.9739,398.74795L27.70135,398.74795C30.24546,411.9551,32.48048,423.76865,34.4064,434.18859C36.4064,445.00933,41.4064,464.2462,49.4064,491.8992C49.77931,493.44602,50.15222,494.97779,50.52513,496.49451L869.58145,496.49451C873.07533,483.84591,876.35031,471.4934,879.40639,459.43696C884.73972,438.39664,888.73972,419.46034,891.40639,402.62808L891.40641,402.6281Z" transform="matrix(1 0 0 1 -11.337625 76)" filter="url(#shield-fifty_to_sixty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-fourty_to_fifty" d="M860.58347,529.85845C853.9168,552.70223,846.25014,574.34371,837.58347,594.78289C837.03482,596.03875,836.48751,597.28738,835.94153,598.52878L81.97014,598.52878C77.13218,587.2482,72.66996,576.08056,68.58347,565.02586C61.9168,546.99129,55.25014,524.14751,48.58347,496.49451L870.02181,496.49451C867.04009,507.39347,863.89398,518.51478,860.58347,529.85845Z" transform="matrix(1 0 0 1 -10.80264 78)" filter="url(#shield-fourty_to_fifty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-thirty_to_fourty" d="M812.71154,648.80715C804.71154,664.43711,796.71154,678.86476,788.71154,692.09011C786.55816,695.81182,784.54969,699.22865,782.68612,702.34058L135.38342,702.34058C127.43105,689.5131,120.54042,678.2813,114.71153,668.64517C108.04486,655.41982,100.3782,639.18871,91.71153,619.95184C88.36976,612.76613,85.17668,605.6251,82.13227,598.52876L836.03467,598.52876C827.96867,616.86601,820.1943,633.62547,812.71154,648.80715Z" transform="matrix(1 0 0 1 -10.58347 80.00002)" filter="url(#shield-thirty_to_fourty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-twenty_to_thirty" 
d="M821.22193,863.28898C824.62574,858.68501,829.47778,851.03392,835.77806,840.33568L183.20086,840.33568C186.95596,846.40586,190.96299,852.85465,195.22194,859.68206C207.22194,878.31778,213.55527,887.63564,214.22194,887.63564C214.88861,887.63564,215.88861,889.13852,217.22194,892.14428C218.55527,894.54889,221.55527,898.75696,226.22194,904.76848C230.22194,910.78,232.88861,914.38692,234.22194,915.58922C236.22194,916.79152,241.88861,924.00535,251.22194,937.2307C253.46683,939.88757,255.62314,942.43793,257.69086,944.88179L761.20792,944.88179C764.18562,941.02488,767.52363,936.67105,771.22194,931.82033C787.22194,911.9823,798.55527,896.9535,805.22194,886.73391C813.22194,875.91317,818.55527,868.09819,821.22194,863.28897L821.22193,863.28898Z" transform="matrix(1 0 0 1 -60.98946 -55.99508)" filter="url(#shield-twenty_to_thirty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-ten_to_twenty" d="M683,923.50572C679.66667,927.11263,677.66667,928.91609,677,928.91609C676.33333,928.91609,674.66667,930.41897,672,933.42473C669.33333,935.82934,667,937.93337,665,939.73683C662.33333,942.14144,661,943.64432,661,944.24547C660.33333,944.84662,656,949.05469,648,956.86967C640,964.68465,634.66667,969.79444,632,972.19905C630,974.60366,628,976.40712,626,977.60942C624,978.81172,622,980.61518,620,983.01979C617.33333,985.4244,615.33333,986.92728,614,987.52843C612,988.12958,611,988.73073,611,989.33189C610.48468,989.79657,608.5752,991.33881,605.27156,993.95861L289.99178,993.95861C272.2308,979.01828,257.56688,965.75358,246,954.16449C234,942.14145,224,932.52301,216,925.30918C210.40494,918.75039,203.40118,910.49791,194.9887,900.55172L701.33535,900.55172C691.72932,913.02202,685.61753,920.67336,683,923.50572Z" transform="matrix(1 0 0 1 0.337975 -9.66501)" filter="url(#shield-ten_to_twenty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-one_to_ten" 
d="M602,1002.44724C596.66667,1006.65531,584.33333,1016.57432,565,1032.20427C545.66667,1046.63192,526,1059.85727,506,1071.88032C485.33333,1083.90336,470,1091.71834,460,1095.32526C450.66667,1098.93217,442.66667,1098.93217,436,1095.32526C428.66667,1092.92065,416,1086.30798,398,1075.48724C379.33333,1065.8688,366.66667,1058.65498,360,1053.84576C352.66667,1049.03654,349,1046.33136,349,1045.7302C348.33333,1045.12905,345,1042.42386,339,1037.61464C332.33333,1032.80542,327.66667,1029.49908,325,1027.69563C322.33333,1025.89217,311.33333,1017.17547,292,1001.54551C291.32616,1000.98129,290.65667,1000.41942,289.99151,999.85991L605.27184,999.85991C604.30151,1000.62939,603.21089,1001.49183,602,1002.44724Z" transform="matrix(1 0 0 1 0.868325 -13.56631)" filter="url(#shield-one_to_ten-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><g id="shield-g1"/></svg>     Is it my query or the svg file that needs help? Thanks
Hi all. I'm trying to create a table from AWS WAF logs. There is a section of the log that is called ruleGroupList{} and it is a list containing multiple dictionaries. Sometimes there is a field called "excludedRules" that is null. When it is not null, it is a list containing a dictionary with a field called ruleId.

ruleGroupList: [
  {
    excludedRules: null
    nonTerminatingMatchingRules: [ [+] ]
    ruleGroupId: AWS#AWSManagedRulesBotControlRuleSet
    terminatingRule: null
  }
  {
    excludedRules: [
      {
        exclusionType: EXCLUDED_AS_COUNT
        ruleId: SizeRestrictions_BODY
      }
    ]
    nonTerminatingMatchingRules: [ [+] ]
    ruleGroupId: AWS#AWSManagedRulesCommonRuleSet
    terminatingRule: null
  }

In this case, I want to list the ruleGroupList{}.ruleGroupId and the ruleGroupList{}.excludedRules{}.ruleId in a table, when ruleGroupList{}.excludedRules is not NULL. If it is NULL, then I don't want to display the values for that dictionary. There are 7 dictionaries in this ruleGroupList{} (as long as I don't change my WAF settings in AWS).

This is my search:

<search>
| spath input=ruleGroupList{} path=excludedRules
| rename ruleGroupList{}.ruleGroupId as ruleGroup, ruleGroupList{}.excludedRules{}.ruleId as ruleGroupId, ruleGroupList{}.excludedRules as testNullExcludedRules
| eval x=case(!isnull(testNullExcludedRules),mvzip(ruleGroup,ruleGroupId),isnull(testNullExcludedRules),x)
| mvexpand x
| eval x = split(x,",")
| eval ruleGroupId=case(!isnull(testNullExcludedRules),mvindex(x,1))
| eval ruleGroup=case(!isnull(testNullExcludedRules),mvindex(x,0))
| table _time,ruleGroup,ruleGroupId

This gives me the ruleGroupId correctly, but it always lists the first instance of the ruleGroup: I can't figure out how to ignore the ruleGroup when its corresponding excludedRules is NULL. Thanks for any help! Kevin
Hi All, I'm trying to integrate Akamai logs with Splunk through siem-integrator, but I'm having problems. I've already installed Java (JRE), JDK too, but it still has errors as shown in splunkd.log. I'm using the addon: https://splunkbase.splunk.com/app/4310/ Has anyone in the community already been through this, or do they have an idea of what it could be?

Splunk Enterprise Version: 8.2.2
Akamai-siem-splunk-connector: 1.4.9
java version "1.8.0_311"
Java(TM) SE Runtime Environment (build 1.8.0_311-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.311-b11, mixed mode)

splunkd.log

10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Message : Connection refused (Connection refused), Exception : java.lang.RuntimeException: Connection refused (Connection refused)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpService.send(HttpService.java:462)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.Service.send(Service.java:1295)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.streamEvents(Main.java:449)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:74)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:48)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.main(Main.java:116)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Caused by: java.net.ConnectException: Connection refused (Connection refused)

Thank you very much. James \°/
Hello, I'm a bit new to Splunk, so I'm still learning. I have created two fields, an opscounter and a deopcounter. The opscounter keeps count of how many times the field's value, or in this case the value that equates to a username, is promoted to admin. If a user is promoted to admin, their count goes up on the opscounter; however, if they are demoted, the deopscounter goes up as well. As you can see in the opscounter image below, user1 was made an admin, and in the opscounter has a count of 1, but in the deopscounter you can see that user1 has a count of one, meaning they were demoted. If they are promoted again, their opscounter value will go to two. If a new user is added, they will automatically be added to the field; the same if they are demoted, but they will have the same value in both fields. I would like to create a dashboard that displays a list of current admins. Knowing that, is there a way to put every value that is in these fields in an if statement? My thought process is: if user1 from opscounter is greater than user1 from deopcounter, display that user. I would like to figure out a way to make this work. If not, I'm open to suggestions on how to get the same results in a dashboard but through a different method. Any help is appreciated!
Hello everyone, I've seen a number of older posts about automating dashboard exporting with Splunk's API. However, those methods don't seem to apply to the new Dashboard Studio. Does anyone know how exporting can be automated for Dashboard Studio dashboards? Thanks in advance.
My index shows the latest event section "in an hour", I have never seen that before. What exactly does that mean?
I am getting the error "SSL certificate verification failed. Please add a valid SSL Certificate or Change VERIFY_SSL flag to False" when attempting to add a new account in the configuration for the Cybervision add on. I am interested in setting the verify_ssl to false, but am having a difficult time finding the location to change this. Does anyone know the path/file that I can make this change on?
I used a custom function that parses out email addresses from an alert, I used the phantom.add_artifact function to add the artifact to the container. I am then using a filter to check for the artifact ("artifact:*.label", "==", "notiresponse"). It evaluates as false each time even though if I check the container it is there. What can I do to ensure that the filter is seeing this artifact? When I check the debug log, I can see the loop checking against all of the artifacts in the container except for the one I am creating via custom function. We have multiple playbooks that do this, but this one, in particular, is giving me trouble. 
I have two fields below that show up in our log files. I used the Splunk tool to create the regex to extract the fields, and at first I thought it worked, until we had fields with different values that didn't extract. Is there a simple regex I can use to extract the ObjectType and Domain Controller fields in the example below? Values should never have a space, so we can end the value after the first space.

ObjectType User Domain Controller TSTETCDRS001
I am trying to assign a numeric value back to the $ps$ token, which I changed to ProcessingStepName1, ProcessingStepName2, ProcessingStepName3, ProcessingStepName4 by eval. After I click the bar in a bar chart, the token $ps$ gets its value as one of the processingStepNames (ProcessingStepName1, ProcessingStepName2, ProcessingStepName3, ProcessingStepName4), but I need to change the names back to the numbers which I changed by eval. How should I do that? I tried eval to do so but it is not working. Any suggestion please?

<dashboard>
  <label>Processing_Step_Clone_2</label>
  <row>
    <panel>
      <chart>
        <title>$form.Source$ between $form.earliest_date$ $form.second_dash.earliest$ - $form.second_dash.latest$</title>
        <search>
          <query>index=Idx1 sourcetype=sourcetype#  Datatype=$form.Datatype$
| spath Source
| search Source=$form.Source$
| eval type = if(ProcessStatus=0,"Success","Failure")
| eval ProcessingStep=if(ProcessingStep="6","ProcessingStepName1",ProcessingStep)
| eval ProcessingStep=if(ProcessingStep="21","ProcessingStepName2",ProcessingStep)
| eval ProcessingStep=if(ProcessingStep="1","ProcessingStepName3",ProcessingStep)
| eval ProcessingStep=if(ProcessingStep="2","ProcessingStepName4",ProcessingStep)
| chart count over ProcessingStep</query>
          <earliest>$form.second_dash.earliest$</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        . . .
        <option name="trellis.size">medium</option>
        <drilldown>
          <!-- token value is the clicked bar's label; a stray '>' after $click.value$ in the posted XML is removed here -->
          <set token="ps">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Success/Failure visualization for $ps$ </title>
        <search>
          <query>index=Idx1 sourcetype=sourcetype# Datatype=$form.Datatype$
| spath Source
| search Source=$form.Source$
| eval type = if(ProcessStatus=0,"Success","Failure")
| search ProcessingStep=$ps$
| timechart count by type</query>
          <earliest>$form.second_dash.earliest$</earliest>
          <latest>now</latest>
        </search>
My current search returns a series of events like:

{'field1' : {'field2' : [obj1, obj2, obj3]}}
{'field1' : {'field2' : [obj4, obj5]}}
{'field1' : {'field2' : [obj6]}}

I want to return the total sum of the lengths of the field1.field2 lists; in this case, it would be 3 + 2 + 1 = 6. Can anyone help me with an easy way to do this?
I just installed Splunk on a Windows 10 Pro and iPad Apple, and when I start it I get: I tried modifying my firewall but that didn't solve the issue. I was thinking it might be a port forwarding issue, but if so, what addresses and ports do I need to forward?
Hi, we have a large amount of data in the /opt/app/axtract_fe1/var/log/apache2/main_collector_access-*.log file, and we do not want HTTP 200, 204 or 401 logs. How do I filter this out from being indexed?

//SAMPLE LOG
70.166.76.65 - - [27/Oct/2021:12:42:56 -0400] "POST / HTTP/1.1" 200 2949 "-" "-" R:1 Conn:- PID:12954 RD:45125 CSt:+ FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/45125
70.166.76.65 - - [27/Oct/2021:12:42:56 -0400] "POST / HTTP/1.1" 204 248 "-" "-" R:1 Conn:close PID:12954 RD:40522 CSt:- FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/40522
70.166.76.65 - - [27/Oct/2021:12:43:03 -0400] "POST / HTTP/1.1" 200 800 "-" "-" R:0 Conn:- PID:12945 RD:34579 CSt:+ FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/34579
70.166.76.65 - - [27/Oct/2021:12:43:03 -0400] "POST / HTTP/1.1" 200 2949 "-" "-" R:1 Conn:- PID:12945 RD:43790 CSt:+ FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/43790
70.166.76.65 - - [27/Oct/2021:12:43:03 -0400] "POST / HTTP/1.1" 204 248 "-" "-" R:1 Conn:close PID:12945 RD:40819 CSt:- FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/40819

//Props.conf file
[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull
Hello, I need to calculate a percentage value from 2 different stats. First I tried to do something like this:

index=toto sourcetype=:request web_domain="*" web_status=*
| stats dc(web_domain) as nbdomain, count(web_status) as nbdomainko
| eval KO=round(nbdomain/nbdomainko*100,1)
| table KO

It returns a result but it's wrong, because I need to count the web_status by web_domain in order to be able to calculate my percentage value:

| stats dc(web_domain) as nbdomain, count(web_status) as nbdomainko by web_domain

So I tried to separate the 2 searches with an append command, but it returns nothing:

index=toto sourcetype=request web_domain="*" web_status=*
| stats dc(web_domain) as nbdomain
| append [ search index=toto sourcetype=:request web_domain="*" web_status=* | stats count(web_status) as nbstatus by web_domain]
| eval prcerreur = round(nbdomain/nbstatus*100,1). " %"
| table prcerreur

So what is the best way to solve my use case please?
Created an app from front end but the app directory is not showing under $SPLUNK_HOME/etc/apps directory
Hi Team, I have created an app from the front end but the app directory is not showing under the $SPLUNK_HOME/etc/apps directory. Any suggestions as to what I am missing? Thank you
We are using the export to excel app on Splunk version 7.2.4.2, which is working fine. After we upgraded Splunk to version 8.1.2, the app is not working and gives the attached error when the export button is clicked. The app is using Python 2.7, but Splunk 8.1.2 comes with Python 3. We tried placing python.version=2 in config files but it didn't help us. https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-8-python-2-7-for-an-app/m-p/487637