Hi all, I am trying to ingest data from an Oracle DB into Splunk Observability Cloud. Q1: Should I create a database user for this monitor, or just use the default account? Q2: The sample shows datasource: "oracle://<username>:<password>@<host>:<port>/<database>". Should I create a database, or can I use the default database? Thanks in advance.
Hi, index=idx_myindex source="/var/log/mylog.log" host="myhost-*" "memoryError" - I know that if I use the conditions above, I can search for the log that caused the memoryError. As in the example above, when such a log occurs on myhost-*, I would like to send a command to the host where the log occurred and execute a specific command on the agent. Is there a way?
Good morning, I am having consistent trouble with the UI in the editor in both Firefox and Chrome, in that I cannot get the Dynamic Element selector to do anything. It displays the available options, but I cannot select any of them. When I click on one, e.g. Background, nothing happens and it still says Select. Has anyone seen this before and have a workaround, or know what's causing it and how to fix it? Thank you, Charles
Hi Team, I can see events related to all hosts in the _internal index, but data for only a few hosts is available in the newly created index. Please help me troubleshoot the issue. Thanks in advance.
I have a dataset which has a field INSERT_DATE. Now I want to perform a search based on the date that matches the Global Time Picker. The search I want is:
index = ******* host=transaction source=prd
| spath
| mvexpand message
| rename message as _raw
| fields - {}.* ``` optional ```
| spath path={}
| mvexpand {}
| fields - _* ``` optional ```
| spath input={}
| search TARGET_SYSTEM="EAS"
| eval _time=strptime(INSERT_DATE, "%m/%d/%Y")
| chart sum(TRANSACTION_COUNT) as TRANSACTION_COUNT by INSERT_DATE
| where INSERT_DATE=strftime($global_time.latest$, "%m/%d/%Y")
How does Splunk call the coldToFrozen.py script automatically once the script is set up in /opt/splunk/bin and indexes.conf is configured with the needed arguments? Once cold_db is full, how does this script get invoked by Splunk?
Dear experts, the basic idea of what I am trying to do: the results of a search should be filtered so that only data points are displayed which are not part of a "Blacklist" maintained as a lookup table. The challenging thing is that there are 3 columns to be taken into account for filtering at the same time. After a lot of trials, I ended up creating a key from the 3 columns (which is unique) and then filtering on the key. It is working, I just don't understand why :-(. Question: Has anybody an idea why the Version 1 filter works, and why the Version 2 filter fails? Question: What needs to be changed to get Version 2 to work as well?
index="pm-azlm_internal_prod_events" sourcetype="azlmj"
| strcat ocp "_" fr "_" el unique_id
| table _time ocp fr el unique_id d_1
| search d_1="DEF ges AZ*"
``` VERSION 1: the working one ```
``` As long as the subsearch returns a table with the column unique_id ```
``` which is exactly the name of the column I want to filter on, all works great. ```
| search NOT [| inputlookup pm-azlm-aufschneidmelder-j | strcat ocp "_" fr "_" sec unique_id | table unique_id]
``` VERSION 2: NOT working ```
``` As soon as I change the name of the column in the subsearch, the filter won't work anymore ```
| search NOT [| inputlookup pm-azlm-aufschneidmelder-j | strcat ocp "_" fr "_" sec ignore | table ignore]
| timechart span=1d limit=0 count by unique_id
And the final question: is there a way to do such filtering without going through the key creation? Thank you in advance.
Hello, I would like to confirm if it is possible to upgrade Splunk directly from version 9.1.1 to 9.3 on Linux, without going through version 9.2. Could you please clarify if this is supported and if there are any specific considerations for this process? Best regards,
How do I integrate Microsoft Intune with Splunk using the connector downloaded from Splunkbase?
How can we locate usage-related data in Splunk? I have an on-premise Splunk instance and am looking for usage and billing related data grouped by day. I am not able to locate the data in any index.
How does Splunk calculate the health score of any service based on KPIs? Does it use an AI model or a weighting formula for the health score?
Hi all, I have two fields, eventfield2 and eventfield3, with values of eventfield3 = LHCP, RHCP, LHCP and values of eventfield2 = RHCP, RHCP, LHCP. I want a result like the one shown. Thanks for your time in advance.
I'm sure this has been asked before, but I can't find the answer. I'm looking to use Splunk to provide better metrics from Tenable. The data that is sent into Splunk from Tenable has two source types that I'm interested in: asset data and vuln data. I need to combine the two of them (UUID is the common field) so that I can then filter the data set down to specific tags that have been applied to the assets. This way, I can start creating better historical dashboards and reports. I think what I need to do is match the UUIDs from both source types, which hopefully will then take all the vuln data and list it under the one unique UUID. From there, I need to be able to filter based on the tags created in Tenable. Is this possible? Thanks
I am trying to write an SPL query to detect an event where a single source IP address or a user fails multiple times to log in to multiple accounts. Can anyone help me write it?
Is there any way to toggle the data points on and off via a radio button added to a dashboard? When doing line charts over long stretches of data, the numbers get packed tightly together and overlap.
Our Nessus vulnerability scanner is flagging that the server_pkcs1.pem certificate is expired. I have verified that it is expired but am unable to renew it. Stopping the service, renaming the file and restarting the service does not recreate it. How do you renew this certificate?
November 2024 Edition

Hayyy Splunk Education Enthusiasts and the Eternally Curious!

We’re back with this month’s edition of indexEducation, the newsletter that takes an untraditional twist on what’s new with Splunk Education. We hope the updates about our courses, certification program, and self-paced training will feed your obsession to learn, grow, and advance your careers. Let’s get started with an index for maximum performance readability: Training You Gotta Take | Things You Needa Know | Places You’ll Wanna Go

Training You Gotta Take

SOC Essentials | It’ll knock your socks off
Crew, ankle, no-show, athletic, and compression. These are all sock essentials for your feet. But, now Splunk offers SOC Essentials: Investigating and Threat Hunting – a course for your brain. Part of the Blue Team Academy, this instructor-led training is designed to tackle the industry skills gap head-on. You’ll learn how to conduct investigations using Splunk Enterprise Security, master Risk-Based Alerting, and practice key tasks with Splunk SOAR. Plus, you’ll work with the PEAK Threat Hunting framework and put your knowledge to the test with a hypothesis-driven threat-hunting exercise.
Gotta get to class | SOC(k)-wearing optional

Training on the ‘tube | Enterprise Security 8.0
Ready to transform your SOC workflow skills? Pop over to the Splunk Education How-To YouTube channel and press play for training on Splunk Enterprise Security 8.0. This latest release revolutionizes threat detection, investigation, and response (TDIR) with features like seamless case management and integrated automation through Splunk SOAR. You’ll learn all about Splunk Mission Control, new detection types, detection versioning, and enhanced case management updates. Alex is waiting to walk you through the latest, so don’t leave her hanging.
Gotta learn on YouTube | The new release of Enterprise Security

Things You Needa Know

There’s an app for that | Start with Lantern
Account takeovers, wire fraud, credit card fraud, oh my! It’s scary out there for Financial Services companies, which is why you’ve got Splunk. But because there are so many places for the bad guys to lurk, we’ve got guidance for using Splunk for dozens of use cases – starting with our updated Use Case Explorer specifically for Financial Services. The Use Case Explorer is a great tool to help you implement new use cases using either Splunk Enterprise or Splunk Cloud Platform, plus there’s also a new deployment guide for using the Splunk App for Fraud Analytics. Lantern is forcing the bad guys out of the dark – one guide at a time!
Needa know the use cases | Read on Lantern

The case for academics | Splunk training in universities
Ever wonder where the next generation of cybersecurity professionals is coming from? Well, wonder no more. Thanks to the Splunk Academic Alliance Program, we’re training tomorrow’s talent at universities like the University of Nevada, Las Vegas, and Louisiana State University. With classroom curriculum at the foundation, these students are getting hands-on experience in real-world security operations – and on Security Operations Center (SOC) teams. It’s a win-win: students get the skills they need, and organizations can then use this trained-up talent in their own SOCs.
Needa know about the future | We’ve got two case studies

Places You’ll Wanna Go

Splunk Education Goes to Washington | Splunk GovSummit 2024
Join us for monumental moments in the nation’s capital on December 11, 2024. Splunk GovSummit in Washington, D.C. is a one-day event packed with learning, insights, and innovation. We bring together public sector leaders and tech experts to explore the latest in observability, cybersecurity, AI adoption, and digital resilience, plus two instructor-led courses: SOC Essentials: Investigating and Threat Hunting and Exploring and Analyzing Data. From the U.S. Capitol to the Washington Monument, Splunk Education is in the House. (Well, not literally.)
Go to Washington | Register for our two in-person courses

To the classroom | Training tales and testimonials
School is always in session with Splunk Education. If you’re curious about what the experience looks like, then check out Splunk Classroom Chronicles. This new series introduces you to our top-notch instructors and course developers, and highlights stories and feedback from our learners. With today’s fast-paced work environment, continuous professional development is key, and Splunk Education offers engaging, interactive training to keep you one step ahead of the bad guys. From hands-on labs to expert-led sessions, grab a virtual seat and put those thinking caps on.
Go to the head of the class | Read the tales

Find Your Way | Learning Bits and Breadcrumbs
Go Chat | Join our Community User Group Slack Channel
Go Stream It | The Latest Course Releases (Some with Non-English Captions!)
Go Last Minute | Seats Still Available for ILT
Go to Lantern | For Financial Services Use Cases
Go to STEP | Get Upskilled
Go Discuss Stuff | Join the Community
Go Social | LinkedIn for News
Go Index It | Subscribe to our Newsletter

Thanks for sharing a few minutes of your day with us – whether you’re looking to grow your mind, career, or spirit, you can bet your sweet SaaS, we got you. If you think of anything else we may have missed, please reach out to us at indexEducation@splunk.com.

Answer to Index This: 200
fieldA:1:10 fieldB:1:3 fieldC:1:2
fieldA:1:10 fieldC:1:2
fieldA:1:10 fieldC:1:2
fieldC:1:1
I want to end up with fields called fieldA, fieldB, and fieldC, where the field name is the actual text found in the string, as I can't predict which event will contain which combination.
Hi How can I check the cherrypy version for Splunk 7.3.8? There are no cherrypy related files in splunk/share/3rdparty. Thank you.
Hi, I have a log source (/logs/abc/def). I want to know which apps are using this log source in their inputs.conf. Can someone provide me the search query?