Hi all, under Incident Review, is there a way to merge/consolidate triggered alerts of the same type and same host into one? By default it shows every single alert even though it is from the same host/IP and of the same type. We would like to consolidate similar ones into one common alert and then have it display the total count of events next to that alert.
Hi, I have an SPL command that takes a long time to return results. The main goal is to find the high duration consumed by each server over time. This SPL command extracts server and duration; is there any way to optimize this command?

index="my-index" | search duration
| rex field=source "\/data\/(?<product>\w+)\\/(?<customer>\w+)/(?<date>\d+)\/log\.(?<servername>\w+)."
| rex "duration\[(?<duration>\d+.\d+)"

Scope: for 2 hours, more than 20 billion events exist in this log file. Any idea? Thanks,
Hi, I need to calculate the duration difference between 2 dates and have the result in seconds. The field "Debut chargement Profile" corresponds to the beginning and the field "Fin chargement Profile" corresponds to the end. The timestamp format is the following: 13/09/2021 11:00:06,000. How do I do this please?
Hi, I have two tables. I need to compare the result of each column of table A with table B, and if there is any mismatch then I need to show those results.

EXAMPLE:

Table A
ID NAME  TYPE
1  TESLA VARCHAR
2  SWIFT INT

Table B
ID NAME  TYPE
1  TESLA INT
2  SWIFT INT

Result:
IDA NAMEA TYPEA   IDB NAMEB TYPEB
1   TESLA VARCHAR 1   TESLA INT

Any suggestions please?
Hi, from two columns, in order to create a report, I need to remove the elements that are present twice: not only remove the duplicates (dedup is not useful because it only removes duplicates) but also the original elements. For example:

Table A | Table B
10.10   | 10.2
10.21   | 10.32
10.2    | 10.3
10.60   | 10.21

Table C (result)
10.10
10.32
10.3
10.60

Thanks for your help
Hi, I try to make a pie chart from the code below but it doesn't work. What is wrong please?

index_mesu sourcetype=sig sig_app="$site$"
| fields sig_id site sig_app
| rename sig_app as application
| stats dc(sig_id) as Total by site application
| sort - Total limit=10
Hi guys, I am new to Splunk. I have a table as below and set up the drilldown from the table to a search with a customised string. As expected, earliest picks the exact date of the row, but latest is not captured and becomes today's date. Can anyone help on this one please?

Result:
_time      P01 P02 P03 P04
2021-08-29 2   4   3   0
2021-09-03 4   0   1   3

Source of my drilldown:

<drilldown>
  <set token="form.host1">"$click.name2$"</set>
  <eval token="earliest">strftime($click.value$, "%Y/%m/%d %T")</eval>
  <eval token="latest">strptime($row._time$,"%Y-%m-%d %H:%M:%S") + $row._span$</eval>
  <link target="_blank">search?q=index=prod_s3%20%20host=p01%20OR%20host=p02%20OR%20host=p03%20OR%20host=p04%20 sourcetype=%22WinEventLog:System%22%20EventCode=%2219%22%20%0D%0A%7Csearch%20host%20=%20$form.host1$%0D%0A%7Crex%20field=_raw%20%22.*%5C((%3F%3CKB%3E%5Cw*) %5C)%22%0D%0A%7Ceval%20t=strftime(_time,%20%22%25Y/%25m/%25d%20%25T%22)%0D%0A%7Cbin%20_time%20span=1d%0D%0A%7Ctable%20_time%20host%20ComputerName%20KB&amp; earliest=$click.value$&amp;latest=$latest$</link>
</drilldown>

If I use <condition field="_time"> then earliest and latest capture the row time nicely, but the customised search string is not coming up.
Hi, as you can see I use a base search in order to display two single panels, one on the last 24 h and one on the last 7 days. So for the second panel I need to set the time range to the last 7 days. I have done this but it doesn't work:

<earliest>-7d@d</earliest>
<latest>now</latest>

<row>
  <panel>
    <title>Incidents ouverts</title>
    <single>
      <title>Intervalle de remps : 24 dernières heures</title>
      <search id="countsite">
        <query>`index_mes` sourcetype=sig sig_app="$site$" | stats dc(sig_id)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="height">200</option>
      <option name="rangeColors">["0x53a051","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="rangeValues">[0,5,10]</option>
      <option name="refresh.display">progressbar</option>
      <option name="useColors">1</option>
    </single>
  </panel>
  <panel>
    <title>Incidents ouverts</title>
    <single>
      <title>Intervalle de remps : 7 derniers jours</title>
      <search base="countsite">
        <query> | stats dc(sig_id)</query>

What is the problem please?
This is a dummy dataset which has been created to illustrate the issue I am facing. I want to count the number of occurrences of the task with respect to its state, three times per day. I have tried using timechart span=3h count by state in my query, but I am unable to count the state when there is no event present for it. The output expected is: Kindly help!!!
I cannot make this work if I have searchWhenChanged="false". I would like to set the token and run the search only after the Submit button is pressed.

<form script="simple_xml_examples:showtokens.js">
  <label>Set another token by checkbox value</label>
  <fieldset submitButton="true">
    <input type="checkbox" token="checked" searchWhenChanged="false">
      <choice value="yes">Check for yes</choice>
      <change>
        <condition value="yes">
          <eval token="checked_result_value">if(true(), $form.checked$, "never_here")</eval>
        </condition>
        <condition>
          <eval token="checked_result_value">"NotChecked"</eval>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval value="$checked_result_value$"</query>
        </search>
      </single>
    </panel>
  </row>
</form>
I am currently assessing the options for indexer storage architecture. I was reading the SVA and it had the statement below for Classic Indexer Architecture Using File System Storage:

This architecture is recommended when you have requirements for either
• Short-term data retention (<=3 months) or
• Long-term retention and performance-critical search use cases that frequently access older historic data

whereas, for SmartStore Indexer Architecture Using Object Storage:

This model can have significant positive impact on the TCO of your Splunk deployment, especially when you retain data for long periods of time.

There's a bit of ambiguity between both statements. Our retention period is up to 3 months and we ingest roughly 1.5 TB per day. We mainly have ES, key dashboards and reporting, for which we need data for the last 3 months. The environment will be in AWS (not Splunk Cloud). Based on this and the above two statements, I am confused which might be the better option to go for.
I have installed the Enterprise Security app. I review the Security Domain dashboards, in particular the Access and Network sections, and I see many events coming from my AD, Office 365 and firewalls. However, the Security Posture dashboards are all empty. I have checked permissions and given full access. Could you advise what I should check to fix it?
Hi, when using iplocation to get the country list, for most IPs I am getting null values for Country. How do I get the exact country for the IP? Regards, Madhusri R
I have an inputlookup search where I am looking to compare a current count vs. a four-week average count. My search is set up so it uses:

| inputlookup count.csv | bin _time span=5m

I need my search to display data from the prior four weeks like below.

_time           c   Last Week                    Two Weeks Ago                Three Weeks Ago  Four Weeks Ago
9/19/2021 15:10 265 (Count from 9/12/2021 15:10) (Count from 9/05/2021 15:10)
9/19/2021 15:15 362 (Count from 9/12/2021 15:15) (Count from 9/05/2021 15:15)
9/19/2021 15:20 589 (Count from 9/12/2021 15:20) (Count from 9/05/2021 15:20)
9/19/2021 15:25 700 (Count from 9/12/2021 15:25) (Count from 9/05/2021 15:25)

The problem is that I would normally use earliest and latest, but these do not work with inputlookup. If anyone has solutions that work for inputlookup it would be great!
Hello, I am experimenting with the REST API and pulling events with a script. It seems like authentication and search are pulling the correct events from the /results endpoint, but I see an error in the _raw events:

Error in events: '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data ' 'collection. Error: Password prompt encountered. ' 'Aborting.',

#!/usr/local/bin/python3
from xml.dom import minidom
import time  # needed for sleep
import json, pprint
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

base_url = 'https://127.0.0.1:8089'
username = 'admin'
password = 'changeme'
search_query = "search=search index=main earliest=-4y"

# Log in and pull the session key out of the XML response
r = requests.get(base_url+"/servicesNS/admin/search/auth/login", data={'username':username,'password':password}, verify=False)
session_key = minidom.parseString(r.text).getElementsByTagName('sessionKey')[0].firstChild.nodeValue
print ("Session Key:", session_key)

# Create the search job and read back its sid
r = requests.post(base_url + '/services/search/jobs/', data=search_query, headers = { 'Authorization': ('Splunk %s' %session_key)}, verify = False)
sid = minidom.parseString(r.text).getElementsByTagName('sid')[0].firstChild.nodeValue
print ("Search ID", sid)

# Poll the job until dispatchState reaches DONE
done = False
while not done:
    r = requests.get(base_url + '/services/search/jobs/' + sid, headers = { 'Authorization': ('Splunk %s' %session_key)}, verify = False)
    response = minidom.parseString(r.text)
    for node in response.getElementsByTagName("s:key"):
        if node.hasAttribute("name") and node.getAttribute("name") == "dispatchState":
            dispatchState = node.firstChild.nodeValue
    print ("Search Status: ", dispatchState)
    if dispatchState == "DONE":
        done = True
    else:
        time.sleep(1)

# Fetch the finished results as JSON
r = requests.get(base_url + '/services/search/jobs/' + sid + '/results/', headers = { 'Authorization': ('Splunk %s' %session_key)}, data={'output_mode': 'json'}, verify = False)
pprint.pprint(json.loads(r.text))

Events returned; here is one sample entry. All events I am searching for seem to get returned, but I am not sure what's causing the _raw event error.

{'_bkt': 'main~18~95A72A43-AF2F-49CF-B85A-B0788E1AA28A',
 '_cd': '18:455',
 '_indextime': '1632029978',
 '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '
         'collection. Error: Password prompt encountered. '
         'Aborting.',
 '_serial': '38',
 '_si': ['DC-C02SD43JG8WP', 'main'],
 '_sourcetype': 'ossec_agent_control',
 '_time': '2021-09-18T23:39:38.000-06:00',
 'host': 'DC-C02SD43JG8WP',
 'index': 'main',
 'linecount': '1',
 'source': 'ossec_agent_control',
 'sourcetype': 'ossec_agent_control',
 'splunk_server': 'DC-C02SD43JG8WP'},
With our cyber data, we have cases when streams of data stop, due to a down forwarder, a bad DB connection etc., and cases when the streams suddenly increase in volume, such as Bluecoat cases, DNS attacks and more. We would like to alert on these cases without hardcoding the various indexes or sourcetypes. We also wonder whether there is a good way to do it in ITSI.
Could not contact master. Check that the master is up, the master_uri=https://10.32.20.7:8089 and secret are specified correctly.
Hi, I am new to Splunk/SPL and I am wondering how I can check if the tags field contains a tag "foo" within an eval. Something like: eval toto = if("tags{}" == "foo", 1, 2) Thanks, David
Hello, I am playing around with enabling TLS in the chatter between the UF and the IDX and all is working well. I am curious as to how much compression I achieve when I enable TLS; I tried searching for it but I am not finding any clear answer.
I have logs with the same _time (msg field) like below:

type=CWD msg=audit(1631697722.980:2773): cwd="/"
type=PATH msg=audit(1631697722.980:2773): item=0 name="/bin/bash" inode=12593039
type=PATH msg=audit(1631697722.980:2773): item=1 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1631697722.980:2773): proctitle=2F62696E2F626E2F6C6F67726F74617E66

While indexing, I want events to be grouped by _time (taking the above example, instead of having 4 events I want one single event with all the types). I used SHOULD_LINEMERGE = true but it's not working. Please, someone help me with this.