All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Topics

I have requirement to split the single cell into two columns, in which i need to add different search result data. I need a table view like this, and 2 will be the value without duplicates, 5 ca... See more...
I have requirement to split the single cell into two columns, in which i need to add different search result data. I need a table view like this, and 2 will be the value without duplicates, 5 can be the value with duplicates. need to make a dashboard like this table 
Hello. I am trying to show our splunk instance inside another one of our application's webpages, so it can have our styling applied to splunk. (basically putting our company sidebar on the left, then... See more...
Hello. I am trying to show our splunk instance inside another one of our application's webpages, so it can have our styling applied to splunk. (basically putting our company sidebar on the left, then with the rest of the page rendering our splunk application).  Initially had the problem that it wouldn't load because of the same-origin header, so I was able to resolve that. However, now when I try to login through that iframe, I get a 400 error. The only information returned by that error is "{"status":2}". It also says server error under the login. Any ideas what this error might be, and why it may be happening?  
I need to collect Specific Splunk data for business analysis.  My target URL is https://splunk.usce.l.az.fisv.cloud/en-US/app/epayments/postpayee_success_and_failure?form.SponsorId=*&form.Subscriber... See more...
I need to collect Specific Splunk data for business analysis.  My target URL is https://splunk.usce.l.az.fisv.cloud/en-US/app/epayments/postpayee_success_and_failure?form.SponsorId=*&form.SubscriberId=*&form.CorrelationId=*&form.Status=*&form.Exception=-&form.timespan.earliest=-7d%40h&form.timespan.latest=now.  After login with my username/password, it will show "Post Payee Exception List".    I am trying to write a Python script to read Splunk data in last 7 days.  Below is my code: session = requests.Session() response = session.post(LOGIN_URL, auth = HTTPBasicAuth(user, password), verify=False) print(response.status_code) The user/password are the same ones for Web access and the LOGIN_URL is 'https://splunk.usce.l.az.fisv.cloud/en-US/account/login?return_to=%2Fen-US%2F'  However, the response status code is 401 which is a failure.  What's the correct Python way to login to Splunk website? In addition, I am trying to connect to Splunk server with Splunk-SDK package via port 8089.  Below is my Python code: import splunklib.client as client import splunklib.results as results HOST = "splunk.usce.l.az.fisv.cloud" PORT = 8089 credentials = get_splunk_pwd() username = credentials['username'] password = credentials['password'] service = client.connect(     host=HOST,     port=PORT,     username=username,     password=password) print(service)   rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-24h | head 5")) for result in rr:     if isinstance(result, results.Message):         # Diagnostic messages might be returned in the results         print('%s: %s' % (result.type, result.message) )     elif isinstance(result, dict):         # Normal events are returned as dicts         print(result)   Below is the output.  It looks like the Splunk connection is established successfully.  But the serarch is invalid.  What's the valid search string based on my target URL in 1st line?   <splunklib.client.Service object at 0x0000029461421790> DEBUG: Configuration initialization for /opt/splunk/etc took 91ms when dispatching a search (search ID: 1632765670.57370_31B6A7A0-BF6B-46EF-BD46-2CF0D6AB351A) DEBUG: Invalid eval expression for 'EVAL-SessionDateTime' in stanza [source::dbmon-tail://*/CCAuditLogSelect]: The expression is malformed. An unexpected character is reached at '“%Y-%m-%d %H:%M:%S.%3N”)'. DEBUG: Invalid eval expression for 'EVAL-TrxDateTime' in stanza [source::dbmon-tail://*/CCAuditLogSelect]: The expression is malformed. An unexpected character is reached at '“%Y-%m-%d %H:%M:%S.%3N”)'. DEBUG: base lispy: [ AND index::_internal ] DEBUG: search context: user="xzhang", app="search", bs-pathname="/opt/splunk/etc"  
I have Splunk Ent. + ES & want to upgrade to 8.2.2. Thank u very much.
Hi everyone. I try to explain you. For example: I can detect when a user has been connected form a X country, in this moment splunk send me a email, and I need to starting a investigation to det... See more...
Hi everyone. I try to explain you. For example: I can detect when a user has been connected form a X country, in this moment splunk send me a email, and I need to starting a investigation to determinate if that event is known. My question is: How can i configure a second search when that alert has been trigged? I would like Splunk run a search whit the information that it got from the alert. I wouldn’t like to modify my original search because if a add this second search in my firs search My performance could be affected,   thanks and regards.
Hi All, Any advice on how to go about finding coverage gaps in a typical ES installation ?We r ingesting logs from AWS, and On prem servers both.  Is there any document or tool that i can use to f... See more...
Hi All, Any advice on how to go about finding coverage gaps in a typical ES installation ?We r ingesting logs from AWS, and On prem servers both.  Is there any document or tool that i can use to find out whats missing , whats covered and overall gap analysis ? Also, Can someone pls point me to typical/ important Dashboards that we can leverage for every day security tasks, other than default out of the box ones ?     
I have the following search.  index=main_index sourcetype="hec:google" operationName=createMobileAuthenticationOutcome direction=response source="customers-mobile-authentications-v1" | dedup correl... See more...
I have the following search.  index=main_index sourcetype="hec:google" operationName=createMobileAuthenticationOutcome direction=response source="customers-mobile-authentications-v1" | dedup correlationId | stats count by eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType eventData.log{}.downstreamRequestAdditionalLog.request.authenticationOutcome | sort -count | eventstats sum(count) as tot by eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType | eval perc = round(count/tot*100,1) | stats list(eventData.log{}.downstreamRequestAdditionalLog.request.authenticationOutcome) as "OutCome Request Details" list(count) as Count, list(perc) as "% per Auth Type" by eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType | appendpipe [ stats sum(Count) as Count, sum("% per Auth Type") as "% per Auth Type" by eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType | eval "OutCome Request Details" = "Total Request"] | sort eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType | rename eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType as "Auth Type" which shows this table. But....  What I want to do is add another row for the total number of directOpenApp.Completed and pushNotifications.Completed I've tried addtotals and can't get my head around appendcols. Thanks r
Hi All, My question is regarding ES.  Can someone pls point me to typical/ important Dashboards that we can leverage for every day security tasks, other than default out of the box ones ?   We r i... See more...
Hi All, My question is regarding ES.  Can someone pls point me to typical/ important Dashboards that we can leverage for every day security tasks, other than default out of the box ones ?   We r ingesting logs from AWS, and On prem servers both.
Hello Splunkers!!   I want compare 30 days, 60 days and 90 days of data in Splunk on the basis of APP_ID. As i have written the below SPL for 30 days. Please let me know the quick and correct appro... See more...
Hello Splunkers!!   I want compare 30 days, 60 days and 90 days of data in Splunk on the basis of APP_ID. As i have written the below SPL for 30 days. Please let me know the quick and correct approach to write the SPL for the comparion three periods of data. 1. Should i use the join command and use the same kind of serach for 60 & 90 days ?   index="ito_snow" sourcetype=csv source="/opt/splunk/etc/apps/splunk_snow_tickets/bin/open_inc.sh" assignment_group="*" cmdb_ci=* earliest=-30d | rename cmdb_ci as Hostname state as incident_state number as Incident_Number | join type=outer Hostname [| inputlookup LocationMapping.csv | search Type=MFG OR Type=Mfg ] | join type=outer Hostname [| inputlookup abc.csv | search status="decom" | eval Hostname=lower(trim(target,"*"))] | join type=outer Hostname [| inputlookup yzN.csv | search SERVERS=* | rename SERVERS as Hostname] | where isnull(status) AND incident_state!="Resolved" | search OneSourceCode="*" | eval APP_ID=if(isnull(APP_ID),"Not Mapped",APP_ID), APP_NAME=if(isnull(APP_NAME),"Not Mapped",APP_NAME) , BU=if(isnull(BU),"Not Mapped",BU) | eval APP_DETAILS = APP_NAME."(".APP_ID.")" | table Incident_Number, BU, APP_DETAILS short_description, assignment_group,incident_state, Hostname, Location, OneSourceCode, Environment, Source, Type, , opened_at | stats dc(Incident_Number) as "incident Count" by APP_DETAILS
Our ITSI is showing some "Detected Anomaly" for the kpi "Index Usage". Where and how can I find the notable events for those "Detected Anomaly"?
Hello,I am trying to connect App to get data in Splunk using REST API. The issue is that REST API request need to be implemented in 2 steps. Send POST request to get the token (valid for 24 hrs) Se... See more...
Hello,I am trying to connect App to get data in Splunk using REST API. The issue is that REST API request need to be implemented in 2 steps. Send POST request to get the token (valid for 24 hrs) Send GET request to fetch the results using token from first request. I am able to implement two separate requests. But looking to automate this process. My idea is to write a script which will periodically copy the token values to input configuration file. FYI:I have used Rest API Modular input app for these request. Problems: Splunk Server is on windows. Using Rest API Modular Input App, It sending token results directly to Splunk server not sure how to get that on windows machine. If its linux I would have write a bash script which use curl to fetch token value and paste it to input configuration. Not sure how to perform this on windows. Thanks
Hello All:  I have problems with my application where I am configuring the following stanza in the inputs.config file (C:\Program Files\SplunkUniversalForwarder\etc\apps\ope_web_api\default):  http... See more...
Hello All:  I have problems with my application where I am configuring the following stanza in the inputs.config file (C:\Program Files\SplunkUniversalForwarder\etc\apps\ope_web_api\default):  https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Specifyinputpathswithwildcards [monitor://D:\package\...\version\Admin\APIS\log] disabled = 0 index = ope_web_api sourcetype = api_logs ignoreOlderThan = 1d I have Splunk Cloud 8.2.2 version.  If I change the ... by the name of the file it works fine:  [monitor://D:\package\ABC\version\Admin\APIS\log] disabled = 0 index = ope_web_api sourcetype = api_logs ignoreOlderThan = 1d But I need the ... because not always is the same file name.  Does somebody know what I am missing here?  Regards.   
Hi@LukeMurphey , I am hoping you can help with your File Meta-Data addon that I am hoping is just what I need. I have been trying to get it working for a while now but it just didn't seem to do anyt... See more...
Hi@LukeMurphey , I am hoping you can help with your File Meta-Data addon that I am hoping is just what I need. I have been trying to get it working for a while now but it just didn't seem to do anything after setting up my Data Input. I've done a bit more digging today in the 'file_meta_data_modular_input.log' log file and I am getting the following error reported: 2021-09-27 15:24:06,745 ERROR Execution failed Traceback (most recent call last): File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\modular_input.zip\modular_input\modular_input_base_class.py", line 1095, in execute self.do_run(in_stream, log_exception_and_continue=True) File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\modular_input.zip\modular_input\modular_input_base_class.py", line 976, in do_run self.run(stanza, cleaned_params, input_config) File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 641, in run file_filter=file_filter) File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 187, in get_files_data file_path = file_path.encode("utf-8") AttributeError: 'bytes' object has no attribute 'encode' As the error is caused in the bold line above in the .py file, I guess this may be something to do with my Splunk Enterprise (Free version) running on a Windows 10 machine, trying to index Windows volumes. FYI in my Data Input, it doesn't matter if I have the "File or directory path" as "L:\" or "L:" or anything else (i.e. I want to index my L:\ volume), it just reports this error. Sorry this is probably a noob question but any help would be appreciated. FYI I am using v1.4.5 of your add-on. Many thanks in advance.
Hi, Need help with regex for LINE_BREAKER attribute in props.conf. I have the below data and wanted it as a single event in Splunk. Currently, <RESULTS> data splits into multiple events. I would l... See more...
Hi, Need help with regex for LINE_BREAKER attribute in props.conf. I have the below data and wanted it as a single event in Splunk. Currently, <RESULTS> data splits into multiple events. I would like to send the entire <DETECTION> tag as a single event. Can someone help me provide the right LINE_BREAKER pattern to be used?   <DETECTION> <ID>231</ID> <TYPE>Information</TYPE> <SEVERITY>1</SEVERITY> <RESULTS>Line 1 : field 1 : value1 field 2: value2</RESULTS> <STATUS>NEW</STATUS> </DETECTION>  
Hi, my company is deprecating basic authentication. We use the Microsoft Office 365 Reporting Add-on for Splunk which relies on basic authentication. Are there any plans on a future version for this... See more...
Hi, my company is deprecating basic authentication. We use the Microsoft Office 365 Reporting Add-on for Splunk which relies on basic authentication. Are there any plans on a future version for this app? Or are there other apps that can be used ( using other apis to get the same data)? This is the app we use: https://splunkbase.splunk.com/app/3720/#/details I appreciate feedback, hints on other options, Chris
XML parsing is not working as expected, field values are truncating , tried changing truncate values in props but that doesnt help.. Tried with and without KV_MODE as well props.conf on HF [iiq_db... See more...
XML parsing is not working as expected, field values are truncating , tried changing truncate values in props but that doesnt help.. Tried with and without KV_MODE as well props.conf on HF [iiq_db] TRUNCATE = 100000 NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = custom pulldown_type = true KV_MODE = xml sample log   2021-09-24 14:28:29.011, id="XXXXXXX", created_dt="2021-09-24 08:18:01.87", created="1632489481870", source="RequestHandler", action="provision", target="XXXX", application="Enterprise Directory", account_name="XXXX,ou=XXXXX,ou=XXXX,ou=HO,o=XXX.com", attributes="<Attributes> <Map> <entry key="IIQDisabled"> <value> <Boolean></Boolean> </value> </entry> <entry key="accountFlag" value="ACTIVE"/> <entry key="cn" value="XXXXX"/> <entry key="dn" value="uid=XXXX,ou=XXXX,ou=XXXX,ou=HO,o=XXX.com"/> <entry key="email" value="XX@XX.com"/> <entry key="employeeNumber" value="XXXXX"/> <entry key="employeeType" value="E"/> <entry key="givenname" value="XXXXX"/> <entry key="globaluid" value="XXX"/> <entry key="mail" value="(XX0:XX1:XX3:XX0:XX0:XX0:XX0:XX0:XX0:XX0)XX@XX.com"/> <entry key="mailAccessDomain" value="HO XXX"/> <entry key="mailRoutingAddress" value="(XX0)EX"/> <entry key="mailalternateaddress"> <value> <List> <String>(XX0:XX11)S=XXXX/G=XXX/OU=XXXX.com</String> </List> </value> </entry> <entry key="XXUniqueId" value="XYZ"/> <entry key="XXaccountstatus" value="0"/> <entry key="XXlcsp1" value="XYZ"/> <entry key="XXlinteractivep1" value="XYZ"/> <entry key="XXllcp1" value="XXXXYZ"/> <entry key="XXlmaildisplayname" value="XY , AB"/> <entry key="XXlmemberof"> <value> <List> <String>cn=Passphrase-Policy-Users,ou=groups,o=XXl.com</String> </List> </value> </entry> <entry key="XXlprofilechecksum" value="XXXX"/> <entry key="XXorgmemberof"> <value> <List> <String>ou=XXX,ou=XXXX,ou=HO,o=XXl.com</String> </List> </value> </entry> <entry key="XXworkgroupmanager" value="XXXXXXX"/> <entry key="nsAccountLock" value="FALSE"/> <entry key="objectClass"> <value> <List> <String>top</String> <String>person</String> <String>organizationalperson</String> <String>inetorgperson</String> <String>mailrecipient</String> <String>universaluniqueid</String> <String>XXlorgperson</String> </List> </value> </entry> <entry key="op"> <value> <ObjectOperation>Modify</ObjectOperation> </value> </entry> <entry key="sn" value="XXXX"/> <entry key="uid" value="XXXX"/> <entry key="uidns" value="XXXX"/> <entry key="uuid" value="XXXXX"/> </Map> </Attributes> ", string1="Enterprise Directory", string2="committed"    
Hello! I have been trying to make a base search on a dashboard with a time and environment input as a drop-down. It only search it once and don't actually change my search ones i change my input. I... See more...
Hello! I have been trying to make a base search on a dashboard with a time and environment input as a drop-down. It only search it once and don't actually change my search ones i change my input. Is there something I'm missing? This is my form inputs:   <form> <fieldset submitButton="false" autoRun="false"> <input type="dropdown" token="env"> <label>Environment</label> <choice value="TEST">TEST</choice> <choice value="DEV">DEV</choice> <choice value="PRD">PRD</choice> </input> <input type="time" token="time"> <label>Time</label> <default> <earliest>@d</earliest> <latest>now</latest> </default> </input> </fieldset>     This is my basesearch and 2 diffrent pie charts:   <search id="base_search"> <query>index=Lorem logtype=ipsum enviroment=$env$ | stats count BY status</query> <earliest>$time.earliest$</earliest> <latest>$time.latest$</latest> </search> <row> <panel> <chart> <search base="base_search"> <query> search statuscode<400 <query> </search> <option name="charting.chart">pie</option> </chart> </panel> </row> <row> <panel> <chart> <search base="base_search"> <query> search statuscode>400 <query> </search> <option name="charting.chart">pie</option> </chart> </panel> </row>    
i all I'm tasked with performing an audit of our Splunk (Cloud) Search Heads (2) as many Apps \ Add-Ons have been sporadically installed onto them over the years and problems are occurring. The aim... See more...
i all I'm tasked with performing an audit of our Splunk (Cloud) Search Heads (2) as many Apps \ Add-Ons have been sporadically installed onto them over the years and problems are occurring. The aim is to export the search to .CSV to compare, detect gaps, mismatches etc., identify candidates for upgrade or removal etc. Any offers to help greatly appreciated.        
We are recieving following error in the logs after UF upgrade to 8.2.1, can someone please confirm if any action needs to be taken or if this error can be ignored? ERROR DistributedTracer [389066 M... See more...
We are recieving following error in the logs after UF upgrade to 8.2.1, can someone please confirm if any action needs to be taken or if this error can be ignored? ERROR DistributedTracer [389066 MainThread] - Couldn't find "distributed_tracer" in server.conf. ./splunk --version Splunk Universal Forwarder 8.2.1 (build ddff1c41e5cf) UF has been started and running correctly.
Hello dears, I want to list my search if  "B" total count higher than >3 than list by "A" A and B fields could have variable values, doesn't matter.  search | stats count(B) by A,B |sort -A |where... See more...
Hello dears, I want to list my search if  "B" total count higher than >3 than list by "A" A and B fields could have variable values, doesn't matter.  search | stats count(B) by A,B |sort -A |where B>3