All Topics

Hi, I want to extract the following term from this message: (MaRSEPbac, [MaRSEPbac_Old2], [MaRSEPbac]), i.e. the string between the parentheses.

Message: 16:21:32.843 [gcp-pubsub-subscriber1] INFO  zbank.harissa.cockpit.InboundGateway - update: [export_service] context:RDB (MaRSEPbac, [MaRSEPbac_Old2], [MaRSEPbac]) progress:3/3 status:successful msg:exporting rrid: [8d9a85b8-0d34-4dea-8901-17520b4b9b9d] rrid:f50a0cce-af13-4e64-88aa-84de045380ca

How does it go? Thanks!
Folks, I need some assistance to understand why Splunk is reporting different IPs for the same hostname (Active Directory server) even though the AD server has only one static IP assigned to it. For example, let's assume my AD server is AD01.domain.com with IP 1.2.3.4. Now if I run the search to group events where the src host is AD01:

index=ad | stats list(action) by src, src_ip | where src="AD01.domain.com"

it shows the following results, where there is a different src_ip for every event for the same host AD01:

src              src_ip         list(action)
AD01.domain.com  2.3.4.5        success
AD01.domain.com  10.76.12.102   success
AD01.domain.com  10.x.12.101    success
AD01.domaincom   x.x.x.x        failure

Why so?
Hi Team,

Splunk App for Phantom Reporting

Testing 1: If the HEC token is created in the HF, indexes are created in the Indexer, and the roles/user/Splunk App for Phantom Reporting app are created in the SH, then on the Phantom side, if I give the host as the HF IP, it is not working. I get the error: Test connection failed. Test connection failed for phantomsearch on host "Splunk": No results found.

Testing 2: If indexes are created in the Indexer, and the HEC token/user/roles/Splunk App for Phantom Reporting app are created in the SH, then on the Phantom side, if I give the host as the SH IP, it is working (but it is not accepted as best practice).

Testing 3: Indexes/HEC token/user/role are created in the Indexer and the Splunk App for Phantom Reporting app is created in the SH. On the Phantom end, if I give the host as the Indexer IP, it is working (this is also not accepted as best practice).

What should I do to make my Testing 1 work?
I want to use Splunk to work out the effective working hours of employees based on AD data. How should I compute the statistics?
I have a field "skill" which takes multiple values. I want to extract the count of each of the values of skill and store each of them in variables, say v1, v2, v3, v5, etc., where their values are v1 = 181, v2 = 144, v3 = 80, and so on.
Hi, so I have a bar graph with many values. The end user who has to use that bar graph needs to see if the values are over or under certain values at some point. That's why I want to draw a line at both the max allowed value and the min needed value. I attached a picture of how I want it to look. Is it possible to achieve something like this?
Hi Splunk Community, I was wondering if anyone might be able to provide some advice around using the ServiceNow add-on for Splunk, specifically with regard to consuming data from the CMDB. There are OOB inputs that come with the add-on which are fine for some basic tables; however, I'm looking at the CI relationship table, which currently contains 19m+ records! We don't want to consume all of those, as we're only really interested in the ones that relate to the basic tables we're already importing using the OOB inputs, which is around 10 tables. The filters available with the add-on don't provide enough functionality to filter to our requirement. Maybe a custom REST API call not within the ServiceNow add-on, or maybe a post from ServiceNow to Splunk, is the way to go. Keen to hear how others might have tackled anything similar.
Let's say I have this query:

index=x | stats count as Total, sum(AMMOUNT) as TAmmount BY MERCHANT, SUBMERCHANT

I want to make a comparison by percentage between this month and the average of TOTAL three months ago. How do you go about using timewrap to achieve that goal?
Hi team, as titled, how do I rename 'row1' to 'number' after transpose? I tried rename and replace, but it doesn't work.
Has anyone encountered this issue, and how did you fix it, on Splunk Cloud and Enterprise Security: "Identity: An error occurred while the Asset and Identity Management modular input ran"? When I checked the error, it is saying "Lookup file error, unknown path or update time". I'm pretty sure the lookups exist, but I am not sure what it means by update time?
Hi all, I keep getting "DateParserVerbose [6827 merging] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (75) characters of event. Defaulting to timestamp of previous event" warnings. The timestamp in the logs looks like:

2021/10/28T16:06:08.183-07:00

props.conf looks like:

DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = true
MAX_TIMESTAMP_LOOKAHEAD = 75
MAX_DAYS_AGO = 36500
MAX_DAYS_HENCE = 36500
TIME_FORMAT = %d-%b-%y %I.%M.%S.%6Q %p
SHOULD_LINEMERGE = false
TRUNCATE = 500000

Anyone know what my TIME_FORMAT should be instead?
Hi All, I'm trying to work out best practice with regard to alert throttling and max time frames. I'm trying to determine whether, if we were to throttle something for 2 weeks, we would actually be better off filtering in a different way, either by using a lookup or a subsearch. I'd like to know where the values that are used for throttling are stored, and whether there are any performance considerations we need to account for when looking at throttling for longer periods.
Greetings, I'm looking to craft a correlation that allows me to compare the results between two separate searches. Here's the use case: I have 2 indexes, one containing Threat Intelligence data (including domain names, to be specific for this case), while the other index holds all DNS requests. I'm looking to craft a Splunk correlation that reads each domain within the DNS requests, then compares each of those domains to the Threat Intelligence data and sees if there are any matches. For instance, maybe something along the lines of the logic below:

index=Threat_Intelligence | table DomainName | where DomainName IN [search index=DNS | table RequestedDomain]

FYI: The latest Threat Intelligence feeds are pulled every single morning and are updated within Splunk. I thought about using lookup tables or KV Store lookups, but we're pulling in several files each morning, 2 of which are close to 1GB in size. It looks like Splunk Cloud caps the event limit of these lookups to 10,000 events by default, and I've read to be cautious about increasing this limit.
Hi. I am trying to run this in Splunk Cloud:

| rest /services/search/jobs | search isRealTimeSearch=1

But I'm getting this:

Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability

I have looked at users and roles and that capability is not in the list to choose. It is in the Splunk Cloud documentation but simply isn't there to select. Any ideas why? Thanks, Keith
index=myindex | eval createdepoch = strptime(created, "%Y-%m-%d") | eval _time = createdepoch | search earliest=-90d@d | table _time

This returns no results. Can anyone tell me why this wouldn't work?
Oct 28 20:08:57 XXX.XXX.com Microsoft-Windows-Security-Auditing[4]: EventID: 4663 An attempt was made to access an object. Subject: Security ID: XXX Account Name: John Account Domain: XXX

My question is how do I extract the "Account Name: user" from this? I tried creating a new field extraction with the space delimiter, but if I selected John above, it wouldn't pull the account name from the rest of the log entries. Thanks in advance!
I have data as below:

Request-all-Headers = Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https

and the working regex below from regex101:

IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})

Now when I tried the same with Splunk, Splunk is not able to extract the fields. My Splunk query is below:

index=test sourcetype="test" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})" | rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})"
I'm currently on Splunk version 8.2.2.1, and I currently have Splunk Add-on for Unix version 5.1.2. According to the documents, I need to upgrade to version 6 first, then version 7, before upgrading to the latest 8. I cannot find the older versions of this add-on. Does anybody know where to get these? Thanks in advance for your time.
Hi, I'm continuously receiving the error "Regex: syntax error in subpattern name (missing terminator)" when attempting to search with a 'rex' operation. I've gone through several different message boards and nothing seems to resolve the issue. Any help would be greatly appreciated! My intention is to grab the "Http-Method" value from the raw event.

Search:

[Search...] | rex field=_raw "Method: (?<Http-Method>.*)"

Sample Event:

2021-10-28 10:55:39,505 1109468116 [http-bio-8443-exec-9] INFO o.a.c.i.LoggingInInterceptor - Inbound Message ---------------------------- ID: 41087 Address: [...Sensitive Information Removed...] Encoding: ISO-8859-1 Http-Method: POST Content-Type: application-xml Headers: [...Sensitive Information Removed...]
Hi, I would like to determine a field from different areas of a log, e.g. see below for my expectations. Note: You can be sure these three

T INFO id=1 sourcetype=userservice FirstName=Vinod
T+1 INFO id=2 sourcetype=loginservice User 'Vinod' logged in
T+2 INFO id=3 sourcetype=userservice FirstName=Jason
T+3 INFO id=4 sourcetype=loginservice User 'Jason' logged in.
T+4 INFO id=5 sourcetype=userservice User deleted: Jason

Output:

Name   | Count
Vinod  | 2
Jason  | 3