All Topics

How to create a custom heatmap to project the overall health of all the applications deployed, split by platform and region? Which metrics can we use to project overall application health in Splunk Observability Cloud? In RUM, we have only the country property; using that, we are able to split applications by country and environment. We need to split by platform and region.
How to create a chart for Alert/Detector status to showcase the overall health of an application?
1. How many alerts are configured for each application?
2. Status of alerts by severity
What metrics are available to showcase the above use case in an overall health dashboard in Splunk Observability Cloud?
Hello Splunkers, after completing a few Splunk courses and working on a sandbox, when and how did you all get your first break? (Assuming the person has an IT background, though not specifically in Splunk.) A Splunk certification is next on the agenda. Your insights are welcome.
Hi there, hope you are doing well, thanks for reading.
1) A fresh install of Splunk Enterprise 9.3.2 shows this security warning: "Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web." (12/2/2024, 5:40:52 AM)
2) I noticed this error around 2 or 3 months ago, but as it is a simple, low-priority, functionality-related one, I ignored it.
3) Last week, as we Splunkers were discussing this in our user group meeting, one of my friends asked: OK, this is a low-priority issue for you, but from an organization's infosec perspective this could be a medium/big issue.
4) He suggested that the default config files should be configured to keep things secured (similar to a "zero-trust" security policy); giving a warning message isn't enough, right? I had to agree with him.
5) Screenshot attached for your note:
Hi, I have 12 years of experience in IT with Microsoft technologies: MS SQL Server, MSBI, Power BI. Now I am planning to improve my technical skill set with Splunk. So please suggest:
1. Do I need to know any other technologies to learn Splunk?
2. Admin & Developer growth in Splunk
3. Suggest certifications as per my previous experience.
Regards, Venal.
Are calls on the C++ layer considered in overall calls? Suppose there is one transaction which flows from Web Server to Java to Node.js; will it be counted as 3 calls or one call?
Hi folks, can anyone suggest or help me out on how to prepare for the Splunk administration certification course, and which certification is good in that case? Regards, Kanchan
Hi community, the following mode=sed regex works as expected, but when I attempted it in system/local/props.conf on the indexers it fails to trim, as tested via:

| makeresults
| eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3bxxxxxx}'/><EventID>4627</EventID><Version>0</Version><Level>0</Level><Task>12554</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-11-27T11:27:45.6695363Z'/><EventRecordID>2177113</EventRecordID><Correlation ActivityID='{01491b93-40a4-0002-6926-4901a440db01}'/><Execution ProcessID='1196' ThreadID='1312'/><Channel>Security</Channel><Computer>Computer1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>CXXXXXX</Data><Data Name='SubjectDomainName'>CXXXXXXXX</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='EventIdx'>1</Data><Data Name='EventCountTotal'>1</Data><Data Name='GroupMembership'> %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384}</Data></EventData></Event>"
| rex mode=sed "s/(?s).*<Event[^>]*>.*?<EventID>4627<\/EventID>.*?<TimeCreated SystemTime='([^']*)'.*?<Computer>([^<]*)<\/Computer>.*?<Data Name='SubjectUserName'>([^<]*)<\/Data>.*?<Data Name='SubjectDomainName'>([^<]*)<\/Data>.*?<Data Name='TargetUserName'>([^<]*)<\/Data>.*?<Data Name='TargetDomainName'>([^<]*)<\/Data>.*?<Data Name='LogonType'>([^<]*)<\/Data>.*?<\/Event>.*/EventID:4627 TimeCreated:\\1 Computer:\\2 SubjectUserName:\\3 SubjectDomainName:\\4 TargetUserName:\\5 TargetDomainName:\\6 LogonType:\\7/g"

----------------------------------

[XmlWinEventLog: Security]
SEDCMD-reduce_4627 = s/(?s).*<Event[^>]*>.*?<EventID>4627<\/EventID>.*?<TimeCreated SystemTime='([^']*)'.*?<Computer>([^<]*)<\/Computer>.*?<Data Name='SubjectUserName'>([^<]*)<\/Data>.*?<Data Name='SubjectDomainName'>([^<]*)<\/Data>.*?<Data Name='TargetUserName'>([^<]*)<\/Data>.*?<Data Name='TargetDomainName'>([^<]*)<\/Data>.*?<Data Name='LogonType'>([^<]*)<\/Data>.*?<\/Event>.*/EventID:4627 TimeCreated:\1 Computer:\2 SubjectUserName:\3 SubjectDomainName:\4 TargetUserName:\5 TargetDomainName:\6 LogonType:\7/g

Can anyone help me identify where the problem is, please? Thank you.
Can Splunk SmartStore be enabled with single-site indexer clustering which spans two AWS regions? For example, one indexer cluster is located in AWS Region A and another indexer cluster is sitting in Region B; can one S3 remote object store be used with all indexers from both clusters? Thanks.
Hello Splunk community, we have a device on a Windows system. I tried to find a log file on it that is responsible for the Internet connection and connection quality. But unfortunately, this screen saves a limited amount of information in its log files regarding the Internet connection. I wanted to know, does Splunk have a solution for such situations? Perhaps there is an application that we can install on this device that will allow us to erase the necessary logs? Thank you in advance for your answer.
We are building a small Splunk installation in Azure and I'm not sure what the architecture should look like. The client came up with the idea based on the following link: Deploying Splunk on Microsoft Azure. They created an indexer, a search head, and a license server/cluster master. We do need to ingest syslog data from Meraki devices, so I wonder whether we need a heavy forwarder. Any thoughts?
I want to use HTML on multiple panels in order to create a custom layout for my Splunk dashboard. I want to use this layout, where each rectangle is a panel. Please advise: is this possible to implement in a Splunk dashboard?
index=test pod=poddy1 "severity"="INFO" "message"="IamExample*"
| rex field=message "IamExample(?<total>.*)"
| rex field=message ".*ACCOUNT(?<accountreg>.*):"
| rex field=message ".*Login(?<login>.*)"
| rex field=message ".*Profile(?<profile>.*)"
| rex field=message ".*Card(?<card>.*)"
| rex field=message ".*Online(?<online>.*)"
| stats count(total) as "Total" count(accountreg) as "Account" count(login) as "Login" count(profile) as "Profile" count(card) as "Card" count(online) as "Online"

Choosing a bar chart to display, it has "Total" shown on the left-hand side; is there a way to remove it? Also, hovering over the chart shows the count; is there a way to make it display like the example below?
field, count, percentage
We want to divide Account, Login, Profile, Online by the Total that we have above.
How to break multiple events into single events based on timestamp? My logs don't have a date; they only have a timestamp. For example, it starts in the format below: 17:22:29.875. Splunk version: 9.2.1. I have tried many options in props.conf but no luck; I still see multiple events in my search and I can't see the events broken per timestamp. Will LINE_BREAKER work, or BREAK_ONLY_BEFORE? Tried both, but no luck. Is it possible to break events with a timestamp in Splunk, or is it only possible to break events with a date and time? Thanks in advance.
Some time ago, on Splunk Cloud, I deleted a couple of apps that were used only for testing. These apps had some alerts configured. Now, I see that those test alerts are still running. I found them by searching:
index=_internal sourcetype=scheduler app=<deleted app name>
However, I can't see these apps in the app list anymore. How can I fix this? Thanks!
How to create a custom data link in Splunk Observability Cloud for passing filtered values from a chart, to identify the root cause of an issue by navigating to the APM, RUM, or Synthetics page?
Hi, we have instrumented SQL Server metrics using OTel: https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/sqlserverreceiver/documentation.md
We have a tempdb.
1. We need to identify space usage.
2. Which query contributes to more tempdb usage, using sqlserver receiver OTel metrics?
Hi, in the App menu, I have a situation where I need to keep installing apps with different version names. However, when this gets to high numbers it might not look so great (it might be difficult to find the app you need). I have 2 questions:
1st: Can I increase the size of the row? When the text wraps around it does not look good (in my image I needed to shorten the name to stop it wrapping around).
2nd: Can I make a multi-drop-down to the right, like the image below?
Good day! We would like to know if it is possible to reduce the number of fields displayed in the Alert Fields section, or hide the section entirely, for incidents created in Splunk OnCall (VictorOps); please see the attached screenshot. Currently, ITSI is passing an excessive number of fields. Can the Splunk OnCall incident details UI be customized to address this? Thank you.
Hi all, I am trying to ingest data from Oracle DB to Splunk Observability Cloud.
Q1: Should I create a database user for this monitor, or just use the default account?
Q2: As in the sample datasource: "oracle://<username>:<password>@<host>:<port>/<database>", should I create a database, or can I use the default database?
Thanks in advance.