All Topics
I have logs with the same _time (msg field), like below:

type=CWD msg=audit(1631697722.980:2773): cwd="/"
type=PATH msg=audit(1631697722.980:2773): item=0 name="/bin/bash" inode=12593039
type=PATH msg=audit(1631697722.980:2773): item=1 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1631697722.980:2773): proctitle=2F62696E2F626E2F6C6F67726F74617E66

While indexing, I want events to be grouped by _time (taking the above example, instead of having 4 events I want one single event with all the types). I used SHOULD_LINEMERGE = true but it's not working. Please, someone help me with this.
Hi, I have several unstructured log files from which I need to extract error messages with the rex SPL command.

1- What is the optimal way to extract error messages from those logs?

2- Group by error type (count by error type), e.g.:

19   Socket recv failed: Connection TimeOut
3    readData failed. Read
3    Invalid Length for facility number
17   Duplicate - Stop Old Connection from IP

Here is the sample:

00:03:00.895 APP module: Error: readData failed. Read [0] bytes instead of 4 for Len
00:03:00.895 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.12] Socket[405]
00:02:59.791 APP module1: T[0]R[0]L: ERROR: Invalid Length for facility number [000000000] !
00:02:55.193 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.112] Socket[705]
00:02:50.536 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.13.1] Socket[114]
00:02:49.205 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.14] Socket[213]
00:02:46.317 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.51]
00:02:44.467 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.13] Socket[697]
00:02:43.468 APP module2: T[0]R[0]L: Error: Invalid TopUp No!
00:02:40.047 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.123]
00:02:34.424 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.13]
00:02:27.125 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.14]
00:02:25.840 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[506]
00:02:21.836 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:02:21.434 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.1.1] Socket[291]
00:02:18.846 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[220]
00:02:16.861 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[67]
00:02:16.855 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:02:13.954 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:02:13.085 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[284]
00:02:08.332 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:59.926 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[824]
00:01:59.371 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[216]
00:01:57.313 APP module3: X[0000]T[000000]R[000]L: ERR logoutInternalErr200Or100Or100: Txn Was Not Found To Logout
00:01:55.881 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[104]
00:01:49.036 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[191]
00:01:48.551 APP module2: T[0]R[0]L: Error: DoAction can not find action. TypeId(-1) Expect(0)
00:01:48.266 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:46.272 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:44.942 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[37]
00:01:44.016 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[449]
00:01:43.305 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[345]
00:01:38.840 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[195.165.249.51] Socket[655]
00:01:29.366 APP module2: T[0]R[0]L: ERROR: Invalid Length for facility number [000000000000] !
00:01:27.744 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:26.463 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:24.663 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[195]
00:01:21.249 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.1.1] Socket[689]
00:01:19.752 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:15.978 APP module2: T[0]R[0]L: ERROR: Invalid Length for facility number [0000000000] !
00:01:08.395 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[372]
00:01:08.367 APP module2: T[0]R[0]L: Error: Can not find exe []
00:00:55.808 APP1 module4: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[313]
00:00:54.566 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:00:53.914 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.1.1] Socket[248]
00:00:47.717 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[197]
00:00:43.755 APP2 module4: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:00:39.936 APP2 module4: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:00:37.646 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:02:43.468 APP module4: T[0]R[0]L: Error: Invalid TopUp No!
00:03:00.895 APP module4: Error: readData failed. Read [0] bytes instead of 4 for Len
23:50:41.582 APP module4: X[00000]T[000000]R[0]L: oiu_fetch Error: I Cannot Found Any For This code:[0000000000]
00:00:03.164 APP module: T[0]R[0]L: Error: Module does not produce Pin Block. Call Supervisor. U[3357]

Any idea? Thanks,
I have several Cisco FTD devices (managed by Cisco FMC) that are sending syslog messages to Splunk. Here is the format:

<164>Sep 19 2021 13:26:27 ftdv-b-int : %FTD-4-313005: No matching connection for ICMP error message: icmp src inside_Mgmt:10.0.20.238 dst inside_Legacy_Server:192.168.0.94 (type 3, code 3) on inside_Mgmt interface. Original IP payload: udp src 192.168.0.94/53 dst 10.0.20.238/12055.

The time is in UTC. Is there a way to convert this time to local when I pull the records in, so I can do alerting, etc. on these records?
Can someone please help me understand a few important things to consider before we upgrade from 8.0.3 to 8.2.2? I see that there is a major Python change; does that mean we need to upgrade Python 2 to Python 3 on the OS before we upgrade? I don't see any prerequisites for the Splunk installation on Linux. As I understand it, all supporting software is built into the Splunk package.
It seems that outer join is not working for me and I have no idea why. I have these two events:

Event 1 (index="faults"):
Id = a8015353-18bf-11ec-8b0a-7c2a311251af
AxesId = a7ba0fd6-18bf-11ec-b369-7c2a311251af
TR = 3

Event 2 (index="axes"):
id = a8015354-18bf-11ec-b3bb-7c2a311251af
parent_id = a8015353-18bf-11ec-8b0a-7c2a311251af
table = 10
couch = 30

My main search retrieves Event 1. I want to use an outer join to retrieve 'table' and 'couch' from Event 2. I have two choices to join the events. I have tried both; neither worked:

Event1 AxesId is Event2 id
Event1 Id is Event2 parent_id

This is my query:

index="faults" Id=a8015353-18bf-11ec-8b0a-7c2a311251af | join type=outer AxesId [search index="axes" | rename id AS AxesId] | table *

And this is the output table:

Id                                    AxesId                                TR  table  couch
a8015353-18bf-11ec-8b0a-7c2a311251af  a8015354-18bf-11ec-b3bb-7c2a311251af  3

Event 2 columns are there but have no information. Any help would be welcomed. Thanks
Hi, I have seen the dashboard which is running in Splunk but available publicly: https://covid-19.splunkforgood.com/coronavirus__covid_19_ I got the app and its source code from GitHub: https://github.com/splunk/corona_virus I would like to know how the dashboard is available publicly and how the searches are running when we run this dashboard, because it does need authentication to view the dashboard, and what happens when a lot of people run this dashboard at the same time. Or is it manually updated via iframe-embedded reports? Thanks, Joe
Hi, I would like to create a dashboard that has more than one chart, and also be able to decide where each chart goes. How can I do that? I can create a dashboard for a chart fine, but I'm struggling to understand how to have more than one chart per dashboard.
Hi, new to Splunk and learning how to create a simple dashboard. What I'd like to see is status=403 or status=200 over time. So I've created this search here:

index=main sourcetype="access_combined_wcookie" status=403 OR status=200 | timechart span=1h count

Then I hit visualise. Question is, how do I differentiate between 403 and 200? They seem to be amalgamated. Is there a way to colour code them differently?
Hi Splunkers! I have a problem with line breaking in the Splunk Add-on for F5 BIG-IP. I've tried some regexes to break the line correctly but I'm not successful. First of all, for simplicity, I changed my outputs.conf on the Heavy Forwarder.

outputs.conf

[indexAndForward]
index = true

In fact, indexing is false on this node and this HF forwards data to my indexer cluster, and I also have a search head cluster. But as I mentioned, just for simplicity I turned my indexing to true on this HF. Then I used these regexes to break the lines.

props.conf

[f5:bigip:syslog]
# LINE_BREAKER = ^()\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}
# LINE_BREAKER = ^\w{3}\s\d*\s\d{2}\W\d{2}\W\d{2}
LINE_BREAKER = ([\r\n]+)\w{3}\s\d+\s\d{2}\W\d{2}\W\d{2}
# LINE_BREAKER = ([\r\n]+)
# LINE_BREAKER = \n
MAX_TIMESTAMP_LOOKAHEAD = 16
# ADD_EXTRA_TIME_FIELDS = subseconds
NO_BINARY_CHECK = true
# EVENT_BREAKER_ENABLE = false
# TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX =
SHOULD_LINEMERGE = false
TRUNCATE = 1000000

This is some of my data that I can't break the line correctly.
Thanks in advance
I'm new to Splunk. I've got a search that works fine in the Search screen and correctly generates a bar chart.

index="production" source="s3://hydrow-android-logs-input-queue-prod/console/*" logWorkoutEndDebugStats releaseStage="production" | rename workoutEndInfo.videoRestartStats.videoStopped as videoStops | stats count by buildNumber, videoStops | eventstats sum(count) as itemTotal by buildNumber | eval percentage=round((count / itemTotal) * 100 , 1 ) | search videoStops = true | chart values(percentage) over buildNumber by videoStops

Error when rendering as chart on a dashboard:

When I save it to a dashboard, or create a new chart on the dashboard and enter the search as the data source, I get the error below. If I change the visualization from a chart to a table, then the table renders fine. There's no indication of why the visualization works fine on the Search page but not on the dashboard. Any suggestions on how to debug this would be very welcome!
Hi, could someone help me understand how to display fields stating "file is missing" in Splunk DB query output when no output is expected? Currently the query below returns "No results found":

| dbxquery query=" select * from ............................ ;" connection="to_connect"

> No results found

Expected output:

file missing   file missing   file missing

(if possible, different texts in different columns; not sure if the eval/fillnull command can be used here)
I was looking at installing https://splunkbase.splunk.com/app/3075/ in Splunk Cloud. The documentation here -> https://training.threatconnect.com/learn/article/threatconnect-application-for-splunk-user-guide-kb-... does not specify if it needs to be installed on the IDM or can be installed on the SH. I went ahead and installed it on my ES SH and configured the app, but now the logs are coming into lastchanceindex. Has anyone installed this in Splunk Cloud and got it working?
Hello, I want to find the 7-day rolling sum as per the attached sample data. For example, in the attached sample data, 7d_rolling_count for 18 Sep should be the sum of the previous 7 today_count counts (i.e. from 17 Sep to 11 Sep), and 7d_rolling_count for 17 Sep should be the sum of the previous 7 days' today_count (i.e. from 16 Sep to 10 Sep), and so on. I am only concerned with calculating the rolling average up to the first 8 days (i.e. till 11 Sep). Thanks for your time in advance.
Hi there, I am building a Synology Splunk TA to share with the community. In the logs, file sizes can be presented in many different units:

1.72 KB
2.35 KB
0 Bytes
75.08 KB
243.00 KB
18.62 MB
261.62 KB
48.60 GB

I've been stuck trying to convert all of these values to bytes. This post was really helpful in using regex and eval statements, but does not consider the added complexity of having decimal places. Any assistance is appreciated and will be credited in the app.
Hi, in my app there are 2 payment processors, netconnect (backup) and sourcejet (primary), where netconnect is the backup processor. I have created a report query which pulls the refund data from the logs given below.

log:
<myapp.com.sys.BillingLogger.logResponse(?:?):stage=final; type=payment; service=PaymentCollect; processor=netconnect; method=refund; itemType=F; status=failed; latency=602; payMode=Card; CardType=visa; bookingId=91113274385; error='Decline - Generic Error. No other information provided'>

The query used is as below:

stage=final type=payment processor=netconnect method=refund status=failed bookingId=* paymentMode=* | stats count by bookingId

Output:

bookingId     Count
91113274385   1
91111234567   1
91114567890   1

Now the issue here is that in a certain scenario the system makes a retry using the backup netconnect processor. This happens when the first call for refund to sourcejet failed due to a system error.

Netconnect log:
<myapp.com.sys.BillingLogger.logResponse(?:?):stage=final; type=payment; service=PaymentCollect; processor=sourcejet; method=refund; itemType=F; status=failed; latency=602; payMode=Card; CardType=visa; bookingId=91113274385; error='Decline - Generic Error. No other information provided'>

Sourcejet log:
<myapp.com.sys.BillingLogger.logResponse(?:?):stage=final; type=payment; service=PaymentCollect; processor=sourcejet; method=refund; itemType=F; status=failed; latency=602; payMode=Card; CardType=visa; bookingId=91113274385; error='Decline - Generic Error. No other information provided'>

Is there a way to eliminate the sourcejet failures using netconnect for backup?
Hi, due to some compliance issue, there is a need to search for logs from 10pm to the following day 10am. This has to be a daily affair. Can someone please show me how this is done? Thank you
Anyone have a good method for doing substring matches where field1 is my searched field and field2 is my substring I want to search for? Attempted to use the following logic without any luck and running low on ideas.

| eval comparison = if(like(field1, %field2%), "1", "0")

field1 is a URL and field2 is a base domain, but field2 is input from a lookup, so it's variable but would look something like:

field1="http://www.yahoo.com/mail/inbox" field2="yahoo"
OR
field1="linkedin.com/company/google/profile" field2="google"

I'm low on ideas after spending my time in docs and forums all day.
We are planning to install controller 21.x. Is it possible to use Oracle as the controller database instead of MySQL? Regards, Qumrul
Hi, I want to change this first (sanitized) query to use a data model instead, but I'm unsure how to incorporate "[field] IN ([comma separated list])".

search index=my_index _raw IN ("*test*" ,"*sale*", "*customer*", "*item*" , "*code*") |transaction src maxspan=1h |table _time src url

This is my latest failed attempt:

|tstats values(Web.url) as urls FROM datamodel=Web by Web.src |search urls IN("*test*" ,"*sale*", "*customer*", "*item*" , "*code*") |table *

In the 2nd query, how can I use the IN operator after tstats to see if any one of the strings in a list (the wildcards are required) exists in a field?
I have a simple Maven configuration where I know the following is on the classpath (I can verify it at runtime before Spring Boot starts up in my application class): com.splunk.logging:splunk-library-javalogging:1.6.2

The Maven dependency looks like:

<dependency>
  <groupId>com.splunk.logging</groupId>
  <artifactId>splunk-library-javalogging</artifactId>
  <version>1.6.2</version>
</dependency>

I made sure that Spring Boot is loaded this way:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
  <version>${version.spring.boot}</version>
  <exclusions>
    <exclusion>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-logging</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-log4j2</artifactId>
  <version>2.5.4</version>
</dependency>

I created an appender this way:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info" name="LoggingTesting" packages="">
  <Appenders>
    <SplunkHttp name="SPLUNK_APPENDER_1"
                url="http://SPLUNK_IP:8088/services/collector/event"
                token="MY_TOKEN"
                source="SampleJavaAppender1"
                messageFormat="text"
                batch_size_bytes="0"
                batch_size_count="5"
                batch_interval="0"
                connect_timeout="5000"
                disableCertificateValidation="true">
      <PatternLayout pattern="%m"/>
    </SplunkHttp>
  </Appenders>
  <!-- Root logger wired to the appender above, as implied by the "root" logger config named in the error below -->
  <Loggers>
    <Root level="info">
      <AppenderRef ref="SPLUNK_APPENDER_1"/>
    </Root>
  </Loggers>
</Configuration>

When I launch my application, I get this error:

main ERROR Error processing element SplunkHttp ([Appenders: null]): CLASS_NOT_FOUND
main ERROR Unable to locate appender "SPLUNK_APPENDER_1" for logger config "root"

This was all based on the sample Log4J2 configuration. What am I missing in my configuration?