Hi all, I have two sourcetypes: WinEventLog and XmlWinEventLog. Both were displaying as very hard to read XML data in the events. I was able to correct the WinEventLog data by editing the index.conf file from RenederXML=true to false, but it did not fix the XmlWinEventlog sourcetype data.  I think it might be the props.conf > KV_MODE = xml, but it also did not correct the parsing problem.  Any assistance would be greatly appreciated! /Paul  

Hi all I'm trying to get Syslog to send from my Aruba HP-2530-8 switch to Splunk. I installed the Aruba add-ons and have my data input set up for TCP port 514 with source type aruba:syslog. I think I'm missing something here any help is appreciated and thanks for reading. 

Hello, I am using "Splunk_TA_juniper" and I noticed a new problem with timestamp: there is a one hour offset for the timestamp compared to the time in the event. For instance, when I have an event whose _raw value starts with "Oct 28 15:12:37 fw-01-gra RT_FLOW:  ...", the timestamps is "2021-10-28T16:12:37.000+02:00" (16h instead of 15h). In addition, the event will only appear after an hour after its received by the indexer, in fact when the timestamp value is less than the current time. This behaviour is new. When I examine  events for september (for instance), the timestamp matches the time in the event. I tried to restart Splunk and the forwarder, nothing was changed. I haven't modify the configuration files for a long time, and I don't know what to do. Do you have an idea of what is going on or a possible solution? Regards Denis

Hello Splunk Community ! I have an alert setup to report failed login attempts by a user > 4 times in 5 minutes. Alert query : index=win_os sourcetype="Security" EventCode=4625 | bin span=5m _time| stats count dc(user) by _time, user, Logon_Type,dest, src, Failure_Reason | where count > 3 | sort user | table _time, user, count, Logon_Type,dest, src, Failure_Reason Alert settings: Alert Type: Scheduled. Hourly, at 0 minutes past the hour. Trigger Condition: Number of Results is > 0 Issue : the last time this alert ran, i got results only from 3 PM attempts. the alert PDF did not report the results from 2:55 PM. Actual Query result:   Alert PDF that came in email: Any idea why the complete results were not shown from 2:55 PM when the alert triggered at the hour ? 

Hi there, We have an instance running already on windows server, I am planning to move our Frozen bucket location from a local drive to a share on another server, I just have a few questions regarding this. Is it as simple as editing the frozen locations on the indexes on the GUI for this and will a UNC path work ok if the permissions are set or must it be a mapped local drive? Thanks in advance!

Hello, We have a problème with Splunk Search head, the splunk service is restarted randomly when using the launch request or consultation of the dashbord. After the analysis we find kernel messages at the log level. Do you have any idea about this type of message. Sep 21 10:13:16 splksh01c kernel: [4960554.728167] splunkd[26359]: segfault at 8 ip 00007f2b51845c24 sp 00007f2b279fc868 error 6 in libjemalloc.so.2[7f2b51834000+49000] Sep 21 11:10:55 splksh01c kernel: [4964014.055174] splunkd[8210]: segfault at 68 ip 00007f816fdc749f sp 00007f81443f4da0 error 4 in libjemalloc.so.2[7f816fd9b000+49000] Sep 21 11:27:01 splksh01c kernel: [4964980.155146] splunkd[29689]: segfault at 68 ip 00007fa3888013d9 sp 00007fa3571fd200 error 4 in libjemalloc.so.2[7fa3887d5000+49000] Sep 21 12:03:54 splksh01c kernel: [4967193.444921] splunkd[9885]: segfault at 68 ip 00007fb56962b3d9 sp 00007fb5339fd240 error 4 in libjemalloc.so.2[7fb5695ff000+49000] Sep 21 12:54:45 splksh01c kernel: [4970243.694017] splunkd[12378]: segfault at 68 ip 00007f629482f49f sp 00007f626affc930 error 4 in libjemalloc.so.2[7f6294803000+49000] Sep 21 13:23:16 splksh01c kernel: [4971954.661062] splunkd[10366]: segfault at 8 ip 00007f3c111c4c24 sp 00007f3bd73fd568 error 6 in libjemalloc.so.2[7f3c111b3000+49000] Sep 21 14:23:26 splksh01c kernel: [4975565.162362] splunkd[8340]: segfault at 7f713ff89f40 ip 000055981749198f sp 00007f71419fa180 error 6 in splunkd[559814297000+40f3000]        

Hi team, I would like to convert the "DNS App for Splunk" Hosting from Externally hosted to Splunkbase hosted. I contacted the Splunk support team via  splunkbase-admin@splunk.com email address a few days back, but haven't received a response yet. Are you able to advise how I could achieve this?  Thanks and Kind Regards,

Hello, I have made a search/query to detect the attacks of XSS the problem I have is that it also shows valid requests because there are words (cookie, script) that also appear as invalid requests ¿How could I filter so that it only shows the attacks?       search "<script>" OR "</script>" OR "&#" OR "script" OR "`" OR "cookie" OR "alert" OR "%00"| append [ datamodel Web search | where like(uri,"http:/%") OR like(uri,"*javascript*") OR like(uri,"*vbscript*") OR like(uri,"*applet*") OR like(uri," *script*") OR like(uri,"*frame*")        

Hi All, I need to build pie chart for three separate fields which should display the field name and its percentage in the same pie chart.  Eg: ial1, ial2 and ial3 are three different fields in Splunk. It should display in the attached format. Could someone help me on this.  

We have a Cluster master which we are using as the monitoring console as well. We have created a dashboard to collect Cluster master status. This is working fine for 'admin' role and we are getting below error for the custom role which has inherited capabilities from 'user' role. Error message - Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/cluster/master/generation/master?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API.   Query used for the dashboard-  | rest splunk_server=<Cluster master hostname> /services/cluster/master/generation/master | fields title pending_last_reason splunk_server search_factor_met replication_factor_met | eval all_data_searchable=if(isnull(pending_last_reason) OR pending_last_reason=="","All Data is Searchable","Some Data is Not Searchable") | eval search_factor_met=if(search_factor_met==1 OR search_factor_met=="1","Search Factor is Met","Search Factor is Not Met") | eval replication_factor_met=if(replication_factor_met==1 OR replication_factor_met=="1","Replication Factor is Met","Replication Factor is Not Met") | table title splunk_server search_factor_met replication_factor_met all_data_searchable | rename title as Title splunk_server as "Splunk Server" search_factor_met as "Search Factor Status" replication_factor_met as "Replication Factor Status" all_data_searchable as "All Data Searchable Status"     What capability I need to enable so that users can access this dashboard? Any help would be appreciated.

I have data in the following structure received for every event. Some events have just one or two sub calls and some have more sub calls. I need to calculate the sum of the total duration.       subCalls: [ [-] { [-] completionTimeMs: 69 method: GET statusCode: 200 } { [-] completionTimeMs: 77 method: GET statusCode: 200 } { [-] completionTimeMs: 956 method: POST statusCode: 200 } { [-] completionTimeMs: 201 method: PATCH statusCode: 204 } ]       The below search calculates the sum of all the values in all the events instead of every event. Please suggest on how to proceed further.       mysearch | eventstats sum(processRelevantFields.eventDetails.subCalls{}.completionTimeMs) as totalDuration | table traceId, totalDuration          

Hi Everyone, If I have 2 metrics one is cpu.1 2nd one is cpu.2 And i am using the below Query to get the metric percentages | mstats max(_value) avg(_value) min(_value) prestats=true WHERE metric_name="cpu.1" AND "index"="myindex" AND [| inputlookup metrics.csv] BY host span=30min | stats Max(_value) AS Max Avg(_value) AS Avg Min(_value) AS Min BY host | eval Status=if(Avg<75,"good",if(Avg>=75 AND Avg>=90,"critical","Warning")) Now my question is I need both toatlcpu=(cpu.1+cpu.2) in one query, and it should shows max(totalcpu), avg(totalcpu), min(totalcpu) Can guide me please.ThankQ

SPL Query: index=_internal sourcetype=splunkd component=sendmodalert action=notable Output: 10-27-2021 16:31:01.962 +0200 WARN  sendmodalert - action=notable - Alert action script returned error code=3 10-27-2021 16:31:01.962 +0200 INFO  sendmodalert - action=notable - Alert action script completed in duration=103 ms with exit code=3 10-27-2021 16:31:01.962 +0200 ERROR  sendmodalert - action=notable STDERR - ERROR: [Errno 13] Permission denied 10-27-2021 16:31:01.858 +0200 INFO  sendmodalert - Invoking modular alert action=notable for search="Threat - ....... - Rule" sid="......" in app="SplunkEnterpriseSecuritySuite" owner="......" type="saved"  Dear all, does someone know why permissions are denied for creating notable events in Enterprise Security (6.4.1) after a correlation search is triggered? The owner of the search has an ess_admin role.