All Topics

I have an items visit log index with fields category and item; each event is a visit. In addition, I have an index with all items in the system in the form category, items_count. I want to create a timechart of categories: <category> -> <visited items>/<all items> over time.

What I did:

index="visited"
| eval cat_item = category."/".item
| timechart dc(cat_item) by category
| foreach * [ search index="cat" category="<<FIELD? >>" | eval <<FIELD>>= '<<FIELD>>'/items_count ]

But this does not work. timechart here creates a table with categories as columns, and each row contains the count of visited items. Now the problem is how I get the column name and the value in the subquery. In the examples, <<FIELD>> is used for the column name and column value alike. Please help.
Hi Team, I want to extract the AWS region from the host name. host="my-service-name-.ip-101-99-126-252-us-west-2c". I want to extract us-west-2 from the host. How can I achieve this?
I have a dropdown that has dynamic data, which changes by the day, that I want filled in the dropdown for selection and use in the dashboard. I've followed several entries from the community, but the dropdown is blank, only showing the ALL from the 'choice' entry. Here is the SPL:

<fieldset submitButton="true">
  <input type="dropdown" token="tok_site" searchWhenChanged="false">
    <label>Site</label>
    <search>
      <query>earliest=-2h index=asset sourcetype=Armis:Asset
      | stats count by site.name
      </query>
    </search>
    <choice value="*">ALL</choice>
    <default>*</default>
    <fieldForLabel>Site</fieldForLabel>
    <fieldForValue>Site</fieldForValue>
  </input>
</fieldset>

I will be adding a couple more dropdowns later, but they are dynamic as well. If I can't get one to work, well... Any suggestion on where I've made a mistake?
Hi Guys, I have a scenario where I need to extract the file name from the event logs. The first line of the event log looks like below.

Event Log: [INFO] 2021-09-30T00:04:17.052Z 8d5eb00a-d033-49a9-9d0f-c61011e4ae51 {"Records": [{"eventVersion": }]

Now I need to write a rex query to extract the file name "8d5eb00a-d033-49a9-9d0f-c61011e4ae51" from the above event log. This file name changes for every search query, along with the timestamp. Can someone suggest how to resolve this? Thanks.
Hi, actually I need Splunk to be deployed using a Helm chart. Can anyone help me? Thanks
Hi, I want to use the sendemail SPL command, but it gives me the error below:

command="sendemail", (535, '5.7.3 Authentication unsuccessful') while sending mail to: myemail@mydomain.com

My SPL command:

index=_internal
| head 5
| sendemail to="myemail@mydomain.com" server=mail.server.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true

FYI: the email settings in the web server configuration are already set correctly, and I tested them with an alert, which sends email correctly, but when I use the sendemail SPL command it does not work! I also checked the config file and it is set correctly: /opt/splunk/etc/system/local/alert_actions.conf

Any idea? Thanks,
Does anyone know the amount of time a universal forwarder takes to go and recheck the DNS entries of servers listed in the outputs.conf file? If the servers are listed by server name and not IP in the outputs file, then Splunk would go out and check for the IP of those servers. I know it does this at forwarder startup, but does it also recheck periodically? I am looking at a situation where the DNS entries for the backend servers get changed to new IPs (in a disaster recovery scenario) and want to know how long it would take the forwarders to start picking up on the new IPs (without having to go out and cycle all of the forwarders that would talk to the indexers whose IPs got changed). Thanks.
Hello everyone, I have added an IP to local_intel_ip.csv and it now appears on the Threat Artifact panel. The correlation search "Threat Activity Detected" is enabled with the Adaptive Response Actions Notable and Risk Analysis. A notable event was triggered with this IP as destination IP, but the aforementioned notable (Threat Activity Detected) was never triggered. Any idea on what I might have done wrong? Thank you in advance. Chris
Is it possible to use data models from the Common Information Model for use cases in Splunk? If so, how can we do that?
Hi, I have difficulty breaking a JSON into multiple events. Here is my log (it appears in one event instead of 2):

{
  "InstanceInformationList": [
    {
      "Version": false,
      "PlatformName": "Amazon Linux",
      "ComputerName": "ip-10-170-216-17.eu-east-1.compute.internal"
    },
    {
      "PlatformType": "Linux",
      "IPAddress": "10.170.216.18",
      "AssociationOverview": {
        "DetailedStatus": "Failed",
        "InstanceAssociationStatusAggregatedCount": {
          "Failed": 1,
          "Success": 1
        }
      },
      "AssociationStatus": "Failed",
      "PlatformVersion": "2",
      "ComputerName": "ip-10-170-216-18.eu-east-1.compute.internal",
      "InstanceId": "i-00000000001",
      "PlatformName": "Amazon Linux"
    }
  ]
}

And you can find my props.conf below:

[my_test]
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = json
DATETIME_CONFIG = CURRENT
TRUNCATE = 999999
JSON_TRIM_BRACES_IN_ARRAY_NAMES = true
BREAK_ONLY_BEFORE = (\[\s+\{)
MUST_BREAK_AFTER = (\},|\}\s+\])
SEDCMD-remove_header = s/(\{\s+.+?\[)//g
SEDCMD-remove_footer = s/\]\s+\}//g

Can you help me find the right parsing please? Thank you.
I created a new Splunk Enterprise instance which I want to connect to my already pre-existing main Enterprise instance with the bulk of our data. The intention of having 2 is so I can track the heartbeat messages between each server and the other, to alert when one or the other goes down. I already have the new instance connected to the old one through outputs.conf, and this gives me the ability to search for its heartbeat logs in index=_internal. However, connecting the main original instance to the new one is a different story. I have it forwarding to the new instance the same way, using outputs.conf. However, I believe that this is too much for the new instance to handle, as it is a ton of data (which I don't even want to go there). Is there a way that I can have it establish the connection so I can monitor for heartbeats, but not send any data? Perhaps what settings can I tweak that disable the sending of anything but keep that connection between the two, without turning off indexing on the new instance, so I am able to monitor and alert when the old instance stops sending heartbeats when it goes offline?
I'm trying to exclude specific src_ip addresses from the results of a firewall query (example below). The query completes; however, the src_ip addresses are not excluded and the following error is returned:

[subsearch]: The lookup table 'dns_serves.csv' requires a .csv or KV store lookup definition.

Example:

index=firewall
| search NOT [| inputlookup dns_serves.csv | fields src_ip]
| table src_ip dest_ip signature

When running | inputlookup dns_servers.csv by itself, the contents of the lookup are returned, so I know the lookup is good. I've checked the lookup permissions and CSV encoding, and searched forum threads for a solution.
Hi there experts, in our current environment we have a Splunk integration with the CA UIM monitoring tool to send Splunk alerts to CA UIM for monitoring. While upgrading the Splunk version we got to know that the client has a customized app for this integration which was on Python 2, and as we are upgrading from 7.3 to 8.1, there is an issue with Python compatibility, as new Splunk versions support only Python 3. Does anyone have any idea of a workaround app or add-on we can use from Splunkbase for integrating Splunk with CA UIM? Please help.
I know how to set values: multiselect.val(value_array); BUT: is there a way to set the labels to a different value (not the actual value)? For example: I want to be able to select the country by its name, but in the search I use the country code. Something like: multiselect.label(label_array); or: multiselect.val(value_array, label_array); I tried an array with label-value pairs, but it did not work.
Hi, after the migration of our McAfee ePO server, I want to change the SQL query to reflect the changes made in the ePO database. But when I want to click on "next" in the DataLab, step 4 is faulty. The query is OK (in the DataLab, it returns values), the "rising" parameters seem to be good, so I don't see what's going wrong. Thanks in advance for your help. Below is the query:

SELECT
  [EPOEvents].[ReceivedUTC] as [timestamp],
  [EPOEvents].[AutoID],
  [EPOEvents].[ThreatName] as [signature],
  [EPOEvents].[ThreatType] as [threat_type],
  [EPOEvents].[ThreatEventID] as [signature_id],
  [EPOEvents].[ThreatCategory] as [category],
  [EPOEvents].[ThreatSeverity] as [severity_id],
  [EPOEventFilterDesc].[Name] as [event_description],
  [EPOEvents].[DetectedUTC] as [detected_timestamp],
  [EPOEvents].[TargetFileName] as [file_name],
  [EPOEvents].[AnalyzerDetectionMethod] as [detection_method],
  [EPOEvents].[ThreatActionTaken] as [vendor_action],
  CAST([EPOEvents].[ThreatHandled] as int) as [threat_handled],
  [EPOEvents].[TargetUserName] as [logon_user],
  [EPOComputerPropertiesMT].[UserName] as [user],
  [EPOComputerPropertiesMT].[DomainName] as [dest_nt_domain],
  [EPOEvents].[TargetHostName] as [dest_dns],
  [EPOEvents].[TargetHostName] as [dest_nt_host],
  [EPOComputerPropertiesMT].[IPHostName] as [fqdn],
  [dest_ip] = (
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),1,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),2,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),3,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),4,1)))
  ),
  [EPOComputerPropertiesMT].[SubnetMask] as [dest_netmask],
  [EPOComputerPropertiesMT].[NetAddress] as [dest_mac],
  [EPOComputerPropertiesMT].[OSType] as [os],
  [EPOComputerPropertiesMT].[OSBuildNum] as [sp],
  [EPOComputerPropertiesMT].[OSVersion] as [os_version],
  [EPOComputerPropertiesMT].[OSBuildNum] as [os_build],
  [EPOComputerPropertiesMT].[TimeZone] as [timezone],
  [EPOEvents].[SourceHostName] as [src_dns],
  [src_ip] = (
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1)))
  ),
  [EPOEvents].[SourceMAC] as [src_mac],
  [EPOEvents].[SourceProcessName] as [process],
  [EPOEvents].[SourceURL] as [url],
  [EPOEvents].[SourceUserName] as [source_logon_user],
  [EPOComputerPropertiesMT].[IsPortable] as [is_laptop],
  [EPOEvents].[AnalyzerName] as [product],
  [EPOEvents].[AnalyzerVersion] as [product_version],
  [EPOEvents].[AnalyzerEngineVersion] as [engine_version],
  [EPOEvents].[AnalyzerDATVersion] as [dat_version],
  [EPOProdPropsView_VIRUSCAN].[datver] as [vse_dat_version],
  [EPOProdPropsView_VIRUSCAN].[enginever64] as [vse_engine64_version],
  [EPOProdPropsView_VIRUSCAN].[enginever] as [vse_engine_version],
  [EPOProdPropsView_VIRUSCAN].[hotfix] as [vse_hotfix],
  [EPOProdPropsView_VIRUSCAN].[productversion] as [vse_product_version],
  [EPOProdPropsView_VIRUSCAN].[servicepack] as [vse_sp]
FROM [EPOEvents]
LEFT JOIN [EPOLeafNodeMT] ON [EPOEvents].[AgentGUID] = [EPOLeafNodeMT].[AgentGUID]
LEFT JOIN [EPOProdPropsView_VIRUSCAN] ON [EPOLeafNodeMT].[AutoID] = [EPOProdPropsView_VIRUSCAN].[LeafNodeID]
LEFT JOIN [EPOComputerPropertiesMT] ON [EPOLeafNodeMT].[AutoID] = [EPOComputerPropertiesMT].[ParentID]
LEFT JOIN [EPOEventFilterDesc] ON [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId]
WHERE [EPOEvents].[AutoID] > ? AND ([EPOEventFilterDesc].[Language]='0409')
ORDER BY [EPOEvents].[AutoID] ASC
Good afternoon! I have a XPRT_002_SYSAT-41777_202110020712.csv file. After some time, exactly the same XPRT_002_SYSAT-41777_202110020712.csv file appears in my directory, with exactly the same content, but with a different modification time. In this case, the system indexes all events from this file twice and I have duplicates. I know that they can be filtered by means of dedup _raw, but that is not my way because it very strongly worsens search performance. Are there any other ways to configure indexing based on file changes rather than name and size, and if they match, not index again?

Tried:

crcSalt = <SOURCE>
CHECK_METHOD = modtime
Hi, I would like to ask for help with the following problem: we have an SH cluster (3 nodes) and an IDX cluster (3 nodes). We upgraded it from 8.0.9 to 8.1.6 because of the EOS of the 8.0 version. Everything looks fine, except one thing. Sometimes this happens: I run a search. The search starts, but after a while it gets stuck (on the line below the place for entering the SPL query, the number of events stops), and after about 5 minutes the search ends with an error message:

"Streamed search execute failed because: Error in 'lookup' command: Failed to re-open lookup file: '/srv/app/int/secmon/splunk/var/run/searchpeers/08270BDA-BE03-4A78-8C6C-95A9CE10BB8D-1633508003/kvstore_s_SA-IdeRjww0FotymhlCIaS1cqkc05a_assetsXy0Y9f6F5lMW4rOy8KLC@P22'"

It happens completely randomly; it does not matter what data I search for. Sometimes this message is generated by only 1 IDX node, sometimes by 2, sometimes by all 3 nodes in the IDX cluster. The error message is always exactly the same (except the part "1633508003", which is the time of the search). Sometimes I get partial results (some events returned), sometimes not (0 events returned). Before the upgrade there was no message like this. Could someone help with this? Is it related to the upgrade? And how do I fix it? I tried to search through the Splunk Community and google around, but did not find anything useful... Thanks in advance. Lukas Mecir
Hi, how can I calculate the percentage of each ErrorCode field by servername? Here is the SPL:

index="my_index"
| rex field=source "\/log\.(?<servername>\w+)."
| rex "Err\-ErrorCode\[(?<ErrorCode>\d+)"

Expected output:

Servername  ErrorCode  Percentage
server1     404        50%
            500        40%
            200        10%
server2     500        50%
            404        45%
            200        5%
…

Any idea? Thanks
Hi Splunkers, 1. We are upgrading the Splunk version from 7.3.4 to 8.1.X. But can someone help us get the exact stable version among 8.1.X? Please assist us. Thanks, Abhijeet B.
Citry contains 12 names. In the result I am able to see only the city name with a product; if product is zero, it is not showing the Citry name.

base search
| stats count(product) AS Total BY City
| fillnull value=0 City

Citry    Total
citry1   1
citry5   50
citry10  15

Expectation:

Citry    Total
citry1   1
citry2   0
citry3   0
citry4   0
citry5   50
citry6   0
citry7   0
citry8   0
citry9   0
citry10  15
citry11  0
citry12  0