What am I missing here? So we have the MSCS TA installed and the data from an Azure Storage Account is being ingested into Splunk as the `mscs:vm:metrics` sourcetype. The `CounterName` field has several metric names present, so that side looks good. I have looked high and low for preconfigured searches and dashboards for said sourcetype, but to no avail. There is no Content Pack (yet?) in the ITSI app for Azure, and SIM is cloud only. We are running on-prem only. So: can one not build any dashboards for Azure VM metrics without SIM and the paid-for ITSI app?
Hello, I have a requirement to find the rolling average and variance % as per the requirement below. If there is no event for any date, then we should have 0 events for that missing date so that we have continuous dates in our report.

The "7d Rolling average Daily Event Count" column is the average count of events ingested each day for the last 7 days NOT including today (yesterday through the previous 6 days). "Variance" is the difference in count of events between today's event count and the 7d rolling average (today's event count minus the 7d rolling average event count). "% Variance" is the percentage difference between today's event count and the 7d rolling average (Variance divided by the 7d rolling average). "average Daily Variance" is the absolute value of the 7d rolling average of the % Variance values, not including today (yesterday through the previous 6 days).

Example:

data source   Last event time   Event Count   7d rolling average event count   Variance   % Variance   average Daily Variance
test          9/3/2021          2957          2060                             897        44%          24%
test          9/2/2021          1438          2064                             -626       -30%         24%
test          9/1/2021          2906          2055                             851        41%          23%
test          8/31/2021         2753          2036                             718        35%          22%
test          8/30/2021         2131          2036                             95         5%           22%
test          8/29/2021         2235          2010                             225        11%          23%
test          8/28/2021         3126          1961                             1165       59%          21%
test          8/27/2021         2785          1931                             854        44%          20%
test          8/26/2021         1331          1939                             -608       -31%         20%
test          8/25/2021         1685          1950                             -265       -14%         20%
test          8/24/2021         1426          1984                             -558       -28%         20%
test          8/23/2021         1939          1965                             -26        -1%          21%
test          8/22/2021         2467          1966                             501        25%          20%
test          8/21/2021         1482          2010                             -528       -26%         20%
test          8/20/2021         2026          2016                             10         0%           20%

Thanks for your help in advance.
Hi there, I want to allow a dashboard of my app to read the hostname stored in inputs.conf, which is provided by the user when setting up the app. Specifically, I have a button on one of my app's dashboards which links to the hostname URL the user enters. However, I'm not sure how the dashboard can read the hostname so that the button can be dynamically populated with a different hostname.

Here is how I store the hostname in inputs.conf. Once setup is done, HOST can be filled in properly.

[modinput://input]
API_KEY =
HOST =
interval = 600

Thank you in advance!
Need help with an SPL to create a search for this, please: /opt/splunk/etc/apps/meta_woot/lookups/meta_woot_server_guid.csv. Running this search, I am told per the Meta Woot! app, will enable the Meta Woot! app that is not running. When I open the app I get "No Data Found". Thank you very much in advance.
Hello, what is the best way to get data from DynamoDB to Splunk?
Hello together, I have a CSV file which looks like this:

"Time";"Comment"
"15:53:21";"Here stands something \"very\" interesting"

I have nested quotes in the column "Comment". That's why I have to escape them by using the "\". This is what I want to have as output:

"Time";"Comment"
"15:53:21";"Here stands something "very" interesting"

What I have tried so far is to use auto_escaped as KV_MODE, which can be found in Add Data --> Select Source --> Set Source Type --> Advanced. But without success. The escape character is still there.

I would appreciate any helpful hints.
When trying to connect to the Splunk SDK, Python throws me this error: [Errno 11001] getaddrinfo failed

My code:

import splunklib.client as client

HOST = "localhost:"
PORT = 8000
USERNAME = "username"
PASSWORD = "password"

# Create a Service instance and log in
service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)

The error thrown back is as follows:

File "Z:\BD_PROJ\Studenten_Trainees\BI Team\Eichberger_Sowa\00_NLP_Eichberger\99_Misc\.spyder-py3\NLP_GIT_online\untitled0.py", line 33, in <module>
    service = client.connect(
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\client.py", line 331, in connect
    s.login()
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 883, in login
    response = self.http.post(
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1242, in post
    return self.request(url, message)
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1259, in request
    response = self.handler(url, message, **kwargs)
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1399, in request
    connection.request(method, path, body, head)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1255, in request
    self._send_request(method, url, body, headers, encode_chunked)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1301, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1250, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1010, in _send_output
    self.send(msg)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 950, in send
    self.connect()
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1417, in connect
    super().connect()
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 921, in connect
    self.sock = self._create_connection(
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\socket.py", line 822, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\socket.py", line 953, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
Hi, we use Splunk Enterprise in our company and I am currently implementing remote (cloud) logging in our iOS and Android apps for error logging purposes. I understand that Splunk used to have Splunk MINT for iOS, but it is legacy now. Do you think there is a replacement for Splunk MINT for iOS? Or could you advise whether it is advisable to do mobile app logging to Splunk, please? Thanks.
Hi everyone, I'm trying to get a simple text from a raw event, but I can't make it work. The event looks like this:

and my regex looks like this:

| rex field=_raw "Allow\s(?<GroupName>\w.+)\s+Enroll"

My issue is that I only get a few of those groups, but not all... for example I will get Domain Users but not Enterprise Users, which is in the same raw file... Could someone please help me with this regex?
How do we get Linux patching details in Splunk?
Hi, what is the SPL command to extract users? Here is the sample:

2021-09-12 21:40:03,938 ERROR [APPNAME] User H83952 invalid: javax.security.auth.login.LoginException:
2021-09-12 21:40:03,938 ERROR [APPNAME] User 83944 invalid: javax.security.auth.login.LoginException:
2021-09-12 21:40:03,938 ERROR [APPNAME] User A_Frok invalid: javax.security.auth.login.LoginException:

Expected output:

H83952
83944
A_Frok

Thanks,
Hi, I am looking to compare a field value against the results of an ldapsearch to check whether the value is present or not. The use case is basically that I want to detect if a cloud user account is created in our O365 environment and that same user name does not exist in our on-prem Active Directory. I have the SPL below which returns newly created users in my O365 environment. It returns a field named "user".

index="o365_log" action=created command="Add user."

I now want to search my Active Directory domain to see if this user exists or not. If it doesn't exist in Active Directory, I want the search to detect it and output the user name. I am using ldapsearch and searching where the userPrincipalName is the same as the value of the user field. The SPL below is what I am using:

| ldapfilter domain=default search="(userPrincipalName=$user$)" attrs="cn,userPrincipalName"

The above SPL works; however, the problem I have is that I'm not sure how to combine these two lines of SPL together so that it performs the check and only outputs users which are not found by the ldapsearch. Can somebody help? Thanks.
Hi, a field status contains two values: one is failure and the other is success. In failure it contains some description values and also a null value. In success it contains description as a null value. I am confused about how to check the null condition, as it is contained in both the failure and success descriptions.

Regards, Madhusri R
Hello Team, as we are sending logs from a Linux machine to the Splunk indexer via the Splunk Universal Forwarder on the Linux machine, from the monitor input path "var/logs" I am getting data in the indexers, but I am not getting data from this path "monitor:///opt/apps/mule-runtimes/mule-ee-runtime-1/logs". Please help with what to do; for reference, please check the snap below.
Hello all, I am struggling with customizing my Splunk ES's Incident Review panel. I have integrated Suricata IDS logs into ES (using Splunk CIM and TA-Suricata) and I would like to output Suricata alerts as notable events in Splunk ES.

Facts:
1. I have created a Splunk Correlation search in Content Management, "Suricata Medium Severity Alert", which has a custom search:

index=suricata sourcetype=suricata event_type=alert alert.severity=2

2. In Adaptive Response Actions I added a Notable with the following custom settings:
Title: $signature$ (in order to output the Suricata Alert Signature Title)
Description: A medium severity alert ($signature_id$) was triggered on $src$

Notes:
- The search runs every 5 minutes.
- I save and enable the Correlation search and I see that a Saved Search "Threat - Suricata Medium Severity Alert - Rule" is created.

What the problem is:
- In the Incident Review console, though, the new Notable's "Title" has the Saved Search's title ("Threat - Suricata Medium Severity Alert - Rule") and not the custom title ($signature$) (ET POLICY SMB2 NT Create AndX Request For an Executable File) set on the Notable action event.
- Description: is "unknown"

Notes:
- The Notable event is successfully created and it contains all variable fields (src, signature, signature_id).
- All fields are shown in Additional info on the notable, but the point is that the variables do not show.

Troubleshooting done so far:
- Deleted and recreated Correlation searches and Saved Searches
- Restarted Splunk
- Rebooted OS

Splunk Version: 6.2.2 (Distributed Environment)
Splunk ES: 6.6.0
Splunk CIM: 4.20.0

Any help would be appreciated. Regards, Chris
I have a search query to display external file shares that are active (SharePoint/OneDrive). This is working and shows us when file shares to third parties are still active.

index=o365 file_path=* user=urn* OR TargetUserOrGroupType=Guest
| fillnull value="-"
| dedup UniqueSharingId TargetUserOrGroupName
| where NOT Operation=="RemovedFromSecureLink"
| stats latest(_time) by user Operation file_path file_name vendor_product TargetUserOrGroupName UniqueSharingId

The issue we have is that if a user just deletes the file share folder (so it is no longer an active share), the dashboard still displays the share as active. I need to append the following search and match on the unique sharing location to display whether the file/folder has been deleted:

index=o365 Operation=FileDeleted

TIA
Hi all, I have two chart queries to get the success count and error count, which are working as expected. Now I want to add them both and get the total count from both columns.

Query 1:

index=dev
| rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)"
| rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)"
| search app="project1" OR app="project2" OR app="project3" OR app="project4"
| where tracePoint="EXCEPTION"
| chart count(app) over app by dc(correlationId)

Query 2:

index=dev
| rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)"
| rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)"
| search app="project1" OR app="project2" OR app="project3" OR app="project4"
| where tracePoint="END"
| chart count(app) over app by dc(correlationId)

I tried with 'appendcols', but it is not working. Can anyone help me with this? Thanks in advance.
Hi All, when trying to pull AdminAudit logs from Exchange into Splunk we are only receiving the following log (which is divided into 2 logs):

First log: WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance
Second log: of an object.

Can someone please explain how to resolve this issue and get proper admin audit logs from Exchange?
Hi All, we have a distributed environment (no cluster), Splunk Enterprise version 8.1.3. Is there a way to create a dashboard for all search peers (indexers), where I can see their CPU, Memory and Disk Usage?
There are some keywords that cannot be searched after changing the App. More specifically, keywords within a specific field are not searchable. There is no problem with permissions, but do you know anything about this?