All Topics

Hello folks, has any of you managed to update the sighting of an attribute in a connected MISP instance? I have my MISP integrated with Splunk, and IoCs are being downloaded into the TI framework. Based on this, some scheduled correlation searches trigger TI-based notables. I am looking for a way to get the TP/FP feedback back to MISP. I am using the MISP42Splunk app, which has an adaptive response action "Alert for sighting MISP attribute(s)", but I cannot make it work. I was also trying to do it via some built-in MISP command, without any success. Have you implemented this feature, or do you know some way to do it? Thanks!
Hello!! I am new to using Splunk and would like to know if it is possible to edit a lookup file via the Splunk REST API or the Lookup Editor API? Thank y'all
Hello Splunkers, I have an HTML button on my Splunk dashboard, and I want a pop-up when I click that button. That pop-up will have a Splunk query output. Please find my code below.

Button:

    <html>
      <button class="btn btn-primary button2" style="margin-left: 950px; margin-top: -75px; position: absolute;" token="button">Report Of Killed Processes</button>
    </html>

Button.js:

    require([
        'splunkjs/mvc/searchmanager',
        'splunkjs/mvc/tableview',
        'underscore',
        'splunkjs/mvc',
        '/static/app/abcd/Modal.js',
        "splunkjs/mvc/simplexml/ready!"
    ], function(SearchManager, TableView, _, mvc, Modal) {
        $(".button2").on("click", function (e) {
            e.preventDefault();
            console.log(e);
            var myModal = new Modal("mod1", {
                title: "Movie Details",
                backdrop: true,
                keyboard: false,
                destroyOnHide: true,
                type: 'wide'
            });
            myModal.body.append($('<p>Please find the movie details below</p><div id="modal_dtl_tabl"></div>'));
            $(myModal.$el).on("show", function() {
                setTimeout(function() {
                    var epoch = (new Date).getTime();
                    var modal_movie_dtl_srch = new SearchManager({
                        id: "modal_tbl_srch" + epoch,
                        earliest_time: "@d",
                        latest_time: "now",
                        preview: true,
                        cache: false,
                        search: "|inputlookup kill_log.csv  |table *"
                    });
                    var myCustomtable = new TableView({
                        id: "modal_example-table" + epoch,
                        managerid: "modal_tbl_srch" + epoch,
                        pageSize: "10",
                        el: $("#modal_dtl_tabl")
                    }).render();
                }, 300);
            });
            myModal.show();
        });
    });

Also, I am using Modal.js from Splunk Dev For All, placed in my app ABCD. Now when I click the button, nothing happens.
Hello, I have logs that contain some string that I want to replace with ***. I want it to be permanent and not only at search time. Is it possible? P.S. I don't have the log files anymore, so I cannot delete and index again. Thanks
Hey there, I am looking to configure the CrowdStrike OAuth API app inside my SOAR instance. To connect to CrowdStrike it will require an account on the CrowdStrike Falcon instance. I cannot find anywhere in the documentation which states what permissions are needed for this account. CrowdStrike details the permissions on its website, but nothing specific for the API actions which are part of the SOAR app. Any ideas?
Hallo. Can anyone please help me? I want to search sourcetype for these IPs:

    10.2.123.123 OR 22.222.222.22 OR 33.333.333.33 | stats count by sourcetype

The result will be a joined result for the 3 IPs above. I want the result like this:

    10.2.123.123 | 22.222.222.22 | 33.333.333.33
    SourcetypeA  | SourcetypeA   | SourcetypeA
    SourcetypeB  | SourcetypeB   | SourcetypeB
    SourcetypeC  | SourcetypeC   | SourcetypeC
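As an added example (not part of the original post), one way to get a per-IP view is to tag each event with the address it matched and then pivot with `chart`, so each IP becomes a column and each sourcetype a row, with the count as the cell value. The three addresses come from the post; `index=*` is an assumption and should be narrowed to the indexes these addresses can actually appear in, since a wildcard index scan is expensive:

```spl
index=* ("10.2.123.123" OR "22.222.222.22" OR "33.333.333.33")
| eval ip=case(searchmatch("10.2.123.123"), "10.2.123.123",
               searchmatch("22.222.222.22"), "22.222.222.22",
               searchmatch("33.333.333.33"), "33.333.333.33")
| chart count OVER sourcetype BY ip
| fillnull value=0
```

Two caveats: `case()` assigns only the first matching address, so an event that mentions two of the IPs is counted under one column only; and `searchmatch()` tests the whole event, so a sourcetype whose events merely contain the digits as part of a longer token (for example a longer address with the same prefix) still shows up and should be checked against the raw events.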
Currently working on a project where, instead of dedicating a single Splunk instance only to ES, they actually have ES installed on every search head. From my experience tinkering with "https://splunk-sizing.appspot.com/", any time I pick ES for search heads, the automatically required number of indexer nodes gets tripled. I was just wondering whether this would help ease the critical pressure that is going on in the indexers at the moment. Thanks,
https://answers.splunk.com/answers/562629/how-to-configure-pie-chart-to-display-count-within.html

Same as the above post, I would like to have a pie chart with its count, so I followed the post and it works; it can show the count in the pie chart:

    ... | stats count by sc_status | eval status_slice=sc_status+" - count:"+count

Besides, we still have a token to pass the sc_status as 404/500/304... to a customised search string in the drilldown. Unfortunately, it is now passing sc_status as "304 - count:21088" instead of passing 304 to the drilldown search when we click on it, which causes the search not to work.

    <drilldown>
      <eval token="test">replace('click.value',"(\?&lt;=\d\d\d)(\?s)(.*\$)","")</eval>
    </drilldown>

In the drilldown it is not replacing the value as expected. I would like to seek any way that can fulfil both requirements (show count in pie chart + pass the correct value to the customised search).
Hello, I'm Sahir Khan. I need a Helm chart for the Splunk Operator deployment.
Hi, can anyone please help with extracting stats count by two fields? I have the below data in each transaction:

    type    status
    A       200
    B       400
    C       200
    B       200
    A       200
    B       400
    A       500
    C       300

I need stats in the below format:

    type    status    count
    A       200       2
    A       500       1
    B       200       1
    B       400       2
    C       200       1
    C       300       1
Hi everyone, long story short: I am planning to migrate our Splunk cluster from the public cloud to on-prem, with all the old data staying in the cloud but moved from local storage to SmartStore. The new data will be streaming to the on-prem cluster with all the configuration (index names, users, apps, reports, alerts, dashboards, etc.) unchanged, and we will keep a minimal "in-cloud cluster" up and running until the data ages out. That's why we want to move the data from local storage to SmartStore, for cost saving. Now, I have two requirements: 1. Rename the index when the data is migrated to SmartStore; this will be used in case we need to "hook it up" with our new on-prem cluster, so we need the index name to be different from its previous name. 2. We have a few indexes configured with "maxDataSize = auto_high_volume"; from the SmartStore documentation, it seems that we can only use "maxDataSize = auto". Even if we re-configure this to "auto", it won't re-size the existing buckets from 10 GB to 750 MB. My question is: is there any way for us to just move these buckets into SmartStore? The purpose for us is just to retain this data until it expires; there won't be active searches on this data. Thank you
Hi All, we are using the DB Connect app to pull the DB logs. When we set the interval to 5 mins (interval = */5 * * * *), I could see some logs were missing. When we set the interval to 1 minute, I could see more logs. Why is it so? For example: log count on 6th of October (with 1 minute interval): 521. Log count on 6th of October (with 5 minute interval): 119.
I have the following address, and I want to extract a substring. Address: 121, riverstreet, sydney, Australia. I want to extract 'sydney'. Help would be highly appreciated.
Hi all, does the Rubrik app support token authentication yet? Thanks, Linh
As the title suggests, I am keen to know when the ES license starts counting: from the date of renewal or the date of data ingestion?
I have a UF on an rsyslog server. The UF is forwarding logs to the indexer successfully, but one of my two input flows is going to the wrong index, and I can't figure it out.

inputs.conf:

    [monitor:///path/number/one/*]
    index = first_index
    sourcetype = first_index
    host_segment = 4
    disabled = false

    [monitor:///path/number/two/*]
    index = second_index
    sourcetype = second_index
    host_segment = 4
    disabled = false

Data of sourcetype second_index makes it to the corresponding index, but data of sourcetype first_index ends up in the main index. The only props and transforms I have configured are from the VMware add-on and its accessories, but I've scoured its conf files and have not found anything that would send this non-VMware data to main instead of where it belongs when it's specified in $SPLUNK_HOME/etc/system/local/inputs.conf. Any ideas? Thx!
Hello again Spelunkers! So I have data that looks like this:

    assessment=normal [1.0]
    assessment=normal [1.1]
    assessment=suspect [0.75]
    assessment=suspect [0.88]
    assessment=bad [0.467]

I want a table column named rating that takes the "normal", "suspect", "bad" without the [###] after it. So I wrote the below, thinking I can name the column rating and then capture any alpha characters and terminate at the white space between the word value and the [###] value. What would be the correct way of writing this? Thank you in advance!

    | rex field=raw_ "assessment=(?<rating>/\w/\s)"
Greetings All, I am very new to Splunk and am creating a dashboard to show top non-compliances. For the below data, I want to display the top non-compliant controls (example output also mentioned below). Could anyone please let me know how I can write a search query for the same? Thanks in advance.

    Event_ID: abc1
    Compliance_result: Non-Compliant
    Eval_results: {
      required_tags: { compliance: Compliant }
      encryption_enabled: { compliance: Non-Compliant }
      public_access: { compliance: Compliant }
      policy_enabled: { compliance: Compliant }
    }

    Event_ID: abc2
    Compliance_result: Non-Compliant
    Eval_results: {
      required_tags: { compliance: Compliant }
      encryption_enabled: { compliance: Non-Compliant }
      public_access: { compliance: Non-Compliant }
      policy_enabled: { compliance: Compliant }
    }

Generate a table in the below format:

    Top Non Compliance controls:
    public_access - 2
    encryption_enabled - 1
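As an added example (not part of the original post), the following search pulls every control whose own `compliance` value is `Non-Compliant` out of each event and counts how often each control fails across events. Because the sample data is not strictly JSON (keys and values are unquoted), it uses a regex against `_raw` rather than relying on automatic field extraction; `<your_index>` is a placeholder for the index holding these events:

```spl
index=<your_index> "Non-Compliant"
| rex field=_raw max_match=0 "(?<control>\w+):\s*\{\s*compliance:\s*Non-Compliant\s*\}"
| mvexpand control
| stats count AS non_compliant BY control
| sort - non_compliant
| rename control AS "Non-compliant control"
```

The regex only matches a control name that is immediately followed by its own `{ compliance: Non-Compliant }` block, so the event-level `Compliance_result: Non-Compliant` line does not get counted as a control. On the two sample events above it returns `encryption_enabled` with 2 and `public_access` with 1. If the real events are valid JSON, `spath` will extract `Eval_results.<control>.compliance` automatically and a `foreach Eval_results.*.compliance` loop is the cleaner way to collect the failing controls.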
Hello, can I please know how to pass the value to the 2nd query from the output of the 1st query? Any help would be appreciated.

1st query:

    index=<index_name> sourcetype=<sourcetype_name> | table k8s_label | where k8s_label="id=<id_number>"

1st query output:

    name=peter project_id=123 user_id=2700835661 zone=us-west-2a

2nd query:

    index=<index_name> "server failed" Project_id=<need to get project_id from the result of 1st query output>

Thanks
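As an added example (not part of the original post), the usual way to feed one search's result into another is a subsearch: the inner search runs first, extracts `project_id` from the `k8s_label` text, and `return` rewrites its result as `Project_id="123"` in the outer search. The placeholders `<index_name>`, `<sourcetype_name>` and `<id_number>` are kept from the post; the field name emitted by the subsearch must match the outer field (`Project_id`, case-sensitive) exactly:

```spl
index=<index_name> "server failed"
    [ search index=<index_name> sourcetype=<sourcetype_name> k8s_label="id=<id_number>"
      | rex field=k8s_label "project_id=(?<Project_id>\d+)"
      | dedup Project_id
      | return 10 Project_id ]
```

`return 10 Project_id` emits up to ten distinct values OR'd together; raise the number if one label lookup can map to more projects. Subsearches are bounded by default (10,000 results and a 60-second runtime), so if the inner search could grow large it is safer to run it as a scheduled search that writes a lookup and use `| lookup` in the outer search instead.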
Events are loaded with different currencies from different countries, and we are trying to have a view converting the currency into one currency. We have uploaded a CSV with the average exchange rate per month and would like to display a table using the event date and the rate from the CSV, as the rates should be calculated as per the current rates, and it should always change as we load new months' rates.
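As an added example (not part of the original post), the conversion can be done with a `lookup` keyed on the event's own month plus its currency, so every event is converted at the rate in force for the month it happened and newly uploaded months are picked up without changing the search. It assumes a lookup named `fx_rates` with columns `month` (formatted `YYYY-MM`), `currency` and `rate` (units of the base currency per one unit of `currency`), and events with `amount` and `currency` fields in `<sales_index>`; all of these names are assumptions:

```spl
index=<sales_index>
| eval rate_month=strftime(_time, "%Y-%m")
| lookup fx_rates month AS rate_month currency AS currency OUTPUT rate
| eval amount_base=if(isnull(rate), null(), round(amount * rate, 2))
| eval rate_status=if(isnull(rate), "no rate loaded for " . rate_month, "ok")
| table _time currency amount rate amount_base rate_status
```

Include a row with `rate = 1.0` for the base currency itself so those events are not flagged as missing. Keeping the month in the lookup key, rather than joining on the latest rate, means historical totals do not silently change when a new month's rates are uploaded, and the `rate_status` column makes a missing month visible instead of producing a blank total.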