Greetings, I need to exclude events that happen every Saturday between 2 AM and 4 AM only if they have a specific username. An authenticated scan runs that triggers a lot of logon attempts with a specific user account during that time. My search so far isn't working:

index=[myindex] host=* sourcetype=linux_secure process=sshd ("tag::action"="success" OR "tag::action"="failure") | eval hour = tonumber(strftime(_time,"%H")) | eval dow = tonumber(strftime(_time,"%w")) | where (dow!=6 AND (hour!=2 OR hour!=3 OR hour!=4) AND user=[username])

However, as soon as I remove the username variable the search works fine. Can anyone help me figure out what's wrong? Thanks.
Hi There, In my logs, the specific field "Other Parameters" contains a lot of logs. I want to extract the logs and make a separate field for each. Here I don't have access to props & transforms.conf, so I want to do it by field extraction. Please help here. I want new fields like md5, pid, ppid, full_path, name. Sample logs in the "Other Parameters" field:

"Other Parameters":"payload={\"config_id\":5,\"config_rev_id\":13,\"finding\":{\"system_info\":{\"bits\":64,\"build_number\":\"19042\",\"os\":\"Microsoft Windows 10 Enterprise\",\"patch_level\":\"10.0.19042.0.0\",\"platform\":\"Windows\"}},\"intel_id\":209,\"match\":{\"contexts\":[{\"event\":{},\"process\":{\"uniqueEventId\":\"72057594037975619\",\"uniqueProcessId\":\"-7264562598978448809\"}},{\"event\":{},\"process\":{\"uniqueEventId\":\"72057594037975619\",\"uniqueProcessId\":\"-7264562598978448809\"}},{\"event\":{},\"process\":{\"uniqueEventId\":\"72057594037975619\",\"uniqueProcessId\":\"-7264562598978448809\"}}],\"hash\":2108229220,\"properties\":{\"args\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\regasm \\/codebase \\\"C:\\\\Windows\\\\SPEOFIPLAN\\\\Softland.CapitalHumano.Bridge.v701.dll\\\" \\/tlb:\\\"C:\\\\Windows\\\\SPEOFIPLAN\\\\Softland.CapitalHumano.Bridge.v701.tlb\\\"\",\"cwd\":null,\"file\":{\"fullpath\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegAsm.exe\",\"md5\":\"0d5df43af2916f47d00c1573797c1a13\",\"sha1\":null,\"sha256\":null,\"size\":null},\"name\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegAsm.exe\",\"parent\":{\"args\":\"\\\"C:\\\\WINDOWS\\\\System32\\\\cmd.exe\\\" \\/C \\\"C:\\\\Windows\\\\SPEOFIPLAN\\\\RegSCHv4.cmd\\\" 
\",\"cwd\":null,\"file\":{\"fullpath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"md5\":\"8a2122e8162dbef04694b9c3e0b6cdee\",\"sha1\":null,\"sha256\":null,\"size\":null},\"name\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"parent\":{\"args\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"cwd\":null,\"file\":{\"fullpath\":\"C:\\\\Windows\\\\explorer.exe\",\"md5\":\"5ea66ff5ae5612f921bc9da23bac95f7\",\"sha1\":null,\"sha256\":null,\"size\":null},\"name\":\"C:\\\\Windows\\\\explorer.exe\",\"parent\":{\"args\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"cwd\":null,\"file\":{\"fullpath\":\"C:\\\\Windows\\\\System32\\\\userinit.exe\",\"md5\":\"582a919ca5f944aa83895a5c633c122c\",\"sha1\":null,\"sha256\":null,\"size\":null},\"name\":\"C:\\\\Windows\\\\System32\\\\userinit.exe\",\"parent\":{\"args\":\"winlogon.exe\",\"cwd\":null,\"file\":{\"fullpath\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\",\"md5\":\"a987b43e6a8e8f894b98a3df022db518\",\"sha1\":null,\"sha256\":null,\"size\":null},\"name\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\",\"parent\":{\"args\":\"\\\\SystemRoot\\\\System32\\\\smss.exe 000000e4 00000084 \",\"cwd\":null,\"file\":{\"fullpath\":\"C:\\\\Windows\\\\System32\\\\smss.exe\",\"md5\":\"2c3f91bb4c0994a7b36ed0b6b14ec9c7\",\"sha1\":null,\"sha256\":null,\"size\":null},\"name\":\"C:\\\\Windows\\\\System32\\\\smss.exe\",\"parent\":{\"args\":\"\\\\SystemRoot\\\\System32\\\\smss.exe\",\"cwd\":null,\"file\":{\"fullpath\":\"C:\\\\Windows\\\\System32\\\\smss.exe\",\"md5\":\"2c3f91bb4c0994a7b36ed0b6b14ec9c7\",\"sha1\":null,\"sha256\":null,\"size\":null},\"name\":\"C:\\\\Windows\\\\System32\\\\smss.exe\",\"parent\":{\"args\":\"\",\"cwd\":null,\"file\":{\"fullpath\":\"System\",\"md5\":null,\"sha1\":null,\"sha256\":null,\"size\":null},\"name\":\"System\",\"parent\":{\"pid\":null},\"pid\":4,\"ppid\":null,\"recorder_table_id\":null,\"recorder_unique_id\":\"3510362775707909737\",\"start_time\":\"2021-09-04T15:50:24Z\",\"user\":\"NT 
AUTHORITY\\\\SYSTEM\"},\"pid\":456,\"ppid\":4,\"recorder_table_id\":null,\"recorder_unique_id\":\"-6091327008692918503\",\"start_time\":\"2021-09-04T15:50:26Z\",\"user\":\"NT AUTHORITY\\\\SYSTEM\"},\"pid\":9032,\"ppid\":456,\"recorder_table_id\":null,\"recorder_unique_id\":\"-2820547760412538774\",\"start_time\":\"2021-09-04T15:58:34Z\",\"user\":\"NT AUTHORITY\\\\SYSTEM\"},\"pid\":14432,\"ppid\":9032,\"recorder_table_id\":null,\"recorder_unique_id\":\"4059013987027248497\",\"start_time\":\"2021-09-04T15:58:34Z\",\"user\":\"NT AUTHORITY\\\\SYSTEM\"},\"pid\":12896,\"ppid\":14432,\"recorder_table_id\":null,\"recorder_unique_id\":\"7583898902682956175\",\"start_time\":\"2021-09-04T15:59:19Z\",\"user\":\"Weir\\\\221924\"},\"pid\":1772,\"ppid\":12896,\"recorder_table_id\":null,\"recorder_unique_id\":\"5896339469594690517\",\"start_time\":\"2021-09-04T15:59:20Z\",\"user\":\"Weir\\\\221924\"},\"pid\":2032,\"ppid\":1772,\"recorder_table_id\":null,\"recorder_unique_id\":\"-594781336782834181\",\"start_time\":\"2021-09-04T17:03:14Z\",\"user\":\"Weir\\\\123121q\"},\"pid\":15172,\"ppid\":2032,\"recorder_table_id\":null,\"recorder_unique_id\":\"-7264562598978448809\",\"start_time\":\"2021-09-04T17:03:14Z\",\"user\":\"Weir\\\\123121q\"},\"source\":\"signals\",\"type\":\"process\",\"version\":1},\"service_id\":\"b909f782-b0ed-4979-aa9e-ee6fbe4ba5b2\"}"}
After I successfully installed Splunk Enterprise and added some data, I tried to do some searching, but there was an issue with searching, and the intended result doesn't appear at all. I think this is due to the red health status for IOWait as shown below, so how could I solve this issue?
Hi Team, I am looking for a way to convert UTC to epoch and vice versa for my search query. Sample is here -> date: 2021-09-04 08:25:56 UTC
I can CRUD threat intel collection rows with the ESS REST API (such as /services/data/threat_intel/item/ip_intel), and I can see those rows at Security Intelligence -> Threat Intelligence -> Threat Artifacts. May I know how I can do the same job on the Splunk ESS portal? I can only update local lookup files via Configure > Content > Content Management and insert a row above/below, but it looks different from what I do with the REST API, and I cannot get the rows I added with the API there. Besides, I cannot find the row I inserted into the local lookup file at Security Intelligence -> Threat Intelligence -> Threat Artifacts. May I know if I missed something during configuration, or whether there is somewhere else on the ESS portal where I can update threat intel rows? Thanks
Hello, I have some issues extracting fields from these SQL-coded events. Is there any way we can perform field extraction on these events? Two sample events are given below. Thank you so much, any help will be highly appreciated.

Q17CNB_L_0__20210630-235755_5828.html@^@^2021/06/30@^@^23:57:55@^@^ Q17CNB @^@^select "a"."basetin","w2nonus","w2maxdistoff","ssanonus","ssamaxdistoff","f1099rnonus","f1099rmaxdistoff","f1099miscnonus","f1099miscmaxdistoff","f1099gnonus","f1099gmaxdistoff","f1099intnonus","f1099intmaxdistoff","f1099oidnonus","f1099oidmaxdistoff","f1041k1nonus","f1041k1maxdistoff","f1065k1nonus","f1065k1maxdistoff","wages_w2","allocated_tips_w2","medicare_wages_w2","taxable_fica_tips_w2","WITHHLDG_w2","pens_annties_f1099_ssa_rrb","withhldg_f1099_ssa_rrb","gross_distrib_f1099r","taxable_amt_f1099r","WITHHLDG_f1099r","non_emp_compensation_f1099misc","othincome_f1099misc","rents_f1099misc","royalties_f1099misc","crop_insurance_f1099misc","WITHHLDG_f1099misc","taxbl_grant_f1099g","UNEMP_COMP_f1099g","prior_refnd_f1099g","agr_subsds_f1099g","atta_pymnt_f1099g","WITHHLDG_f1099g","interest_f1099int","savings_bonds_f1099int","WITHHLDG_f1099int","interest_f1099oid","withhldg_f1099oid","interest_f1041_k1","bus_inc_f1041_k1","net_rental_f1041_k1","oth_prtflo_f1041_k1","oth_rental_f1041_k1","interest_f1065_k1","guarpaymt_f1065_k1","ord_inc_f1065_k1","othrental_f1065_k1","realestate_f1065_k1","royalties_f1065_k1","section179_f1065_k1" into #TEMP9 from(select 
"basetin","w2nonus","w2maxdistoff","ssanonus","ssamaxdistoff","f1099rnonus","f1099rmaxdistoff","f1099miscnonus","f1099miscmaxdistoff","f1099gnonus","f1099gmaxdistoff","f1099intnonus","f1099intmaxdistoff","f1099oidnonus","f1099oidmaxdistoff","f1041k1nonus","f1041k1maxdistoff","wages_w2","allocated_tips_w2","medicare_wages_w2","taxable_fica_tips_w2","WITHHLDG_w2","pens_annties_f1099_ssa_rrb","withhldg_f1099_ssa_rrb","gross_distrib_f1099r","taxable_amt_f1099r","WITHHLDG_f1099r","non_emp_compensation_f1099misc","othincome_f1099misc","rents_f1099misc","royalties_f1099misc","crop_insurance_f1099misc","WITHHLDG_f1099misc","taxbl_grant_f1099g","UNEMP_COMP_f1099g","prior_refnd_f1099g","agr_subsds_f1099g","atta_pymnt_f1099g","WITHHLDG_f1099g","interest_f1099int","savings_bonds_f1099int","WITHHLDG_f1099int","interest_f1099oid","withhldg_f1099oid","interest_f1041_k1","bus_inc_f1041_k1","net_rental_f1041_k1","oth_prtflo_f1041_k1","oth_rental_f1041_k1" from #TEMP8) as "A" left outer join(select "tin","min"(case when "f1065k1nonus" = 1 then 1 else 0 end) as "f1065k1nonus","max"(case when "f1065k1maxdistoff" = 1 then 1 when "f1065k1maxdistoff" = 2 then 2 when "f1065k1maxdistoff" = 3 then 3 when "f1065k1maxdistoff" = 4 then 4 when "f1065k1maxdistoff" = 5 then 5 else 0 end) as "f1065k1maxdistoff","sum"("interest_f1065_k1") as "interest_f1065_k1","sum"("guarpaymt_f1065_k1") as "guarpaymt_f1065_k1","sum"("ord_inc_f1065_k1") as "ord_inc_f1065_k1","sum"("othrental_f1065_k1") as "othrental_f1065_k1","sum"("realestate_f1065_k1") as "realestate_f1065_k1","sum"("royalties_f1065_k1") as "royalties_f1065_k1","sum"("section179_f1065_k1") as "section179_f1065_k1" from #TEMP9a group by "tin") as "B" on "a"."basetin" = "b"."tin"@^@^D7CNB.#TEMP9|Temp D7CNB.#TEMP8 AS A|Temp  Q17CNB.#TEMP9A@^@^ N17CNB_L_0__20210630-235521_5826.html@^@^2021/06/30@^@^23:55:21@^@^ N17CNB @^@^select 
"a"."basetin","w2nonus","w2maxdistoff","ssanonus","ssamaxdistoff","f1099rnonus","f1099rmaxdistoff","f1099miscnonus","f1099miscmaxdistoff","f1099gnonus","f1099gmaxdistoff","f1099intnonus","f1099intmaxdistoff","f1099oidnonus","f1099oidmaxdistoff","f1041k1nonus","f1041k1maxdistoff","wages_w2","allocated_tips_w2","medicare_wages_w2","taxable_fica_tips_w2","WITHHLDG_w2","pens_annties_f1099_ssa_rrb","withhldg_f1099_ssa_rrb","gross_distrib_f1099r","taxable_amt_f1099r","WITHHLDG_f1099r","non_emp_compensation_f1099misc","othincome_f1099misc","rents_f1099misc","royalties_f1099misc","crop_insurance_f1099misc","WITHHLDG_f1099misc","taxbl_grant_f1099g","UNEMP_COMP_f1099g","prior_refnd_f1099g","agr_subsds_f1099g","atta_pymnt_f1099g","WITHHLDG_f1099g","interest_f1099int","savings_bonds_f1099int","WITHHLDG_f1099int","interest_f1099oid","withhldg_f1099oid","interest_f1041_k1","bus_inc_f1041_k1","net_rental_f1041_k1","oth_prtflo_f1041_k1","oth_rental_f1041_k1" into #TEMP8 from(select "basetin","w2nonus","w2maxdistoff","ssanonus","ssamaxdistoff","f1099rnonus","f1099rmaxdistoff","f1099miscnonus","f1099miscmaxdistoff","f1099gnonus","f1099gmaxdistoff","f1099intnonus","f1099intmaxdistoff","f1099oidnonus","f1099oidmaxdistoff","wages_w2","allocated_tips_w2","medicare_wages_w2","taxable_fica_tips_w2","WITHHLDG_w2","pens_annties_f1099_ssa_rrb","withhldg_f1099_ssa_rrb","gross_distrib_f1099r","taxable_amt_f1099r","WITHHLDG_f1099r","non_emp_compensation_f1099misc","othincome_f1099misc","rents_f1099misc","royalties_f1099misc","crop_insurance_f1099misc","WITHHLDG_f1099misc","taxbl_grant_f1099g","UNEMP_COMP_f1099g","prior_refnd_f1099g","agr_subsds_f1099g","atta_pymnt_f1099g","WITHHLDG_f1099g","interest_f1099int","savings_bonds_f1099int","WITHHLDG_f1099int","interest_f1099oid","withhldg_f1099oid" from #TEMP7) as "A" left outer join(select "tin","min"(case when "f1041k1nonus" = 1 then 1 else 0 end) as "f1041k1nonus","max"(case when "f1041k1maxdistoff" = 1 then 1 when "f1041k1maxdistoff" = 2 then 2 
when "f1041k1maxdistoff" = 3 then 3 when "f1041k1maxdistoff" = 4 then 4 when "f1041k1maxdistoff" = 5 then 5 else 0 end) as "f1041k1maxdistoff","sum"("interest_f1041_k1") as "interest_f1041_k1","sum"("bus_inc_f1041_k1") as "bus_inc_f1041_k1","sum"("net_rental_f1041_k1") as "net_rental_f1041_k1","sum"("oth_prtflo_f1041_k1") as "oth_prtflo_f1041_k1","sum"("oth_rental_f1041_k1") as "oth_rental_f1041_k1" from #TEMP8A group by "tin") as "B" on "a"."basetin" = "b"."tin"@^@^D7CNB.#TEMP8|Temp D7CNB.#TEMP7 AS A|Temp  N17CNB.#TEMP8A@^@^      
There is a requirement to update jQuery on all custom apps, and I just have a simple js file in /app/appserver/static/ that allows me to have tabs on my dashboards, but now they're all broken because Splunk only supports jQuery 3.5 or above now. So I opened a ticket and they told me to update jQuery for my app. Well, I think the solution is to update jQuery on the server so that when I use:

require(['jquery','underscore','splunkjs/mvc', 'bootstrap.tab', 'splunkjs/mvc/simplexml/ready!'], function($, _, mvc){blah blah blah

it will pull the updated jQuery from the server. However, I can't do that because I'm on Splunk Cloud and can't update the jQuery library on the server. So my question is: how do I bundle a jquery.js file in my app, place it in the bin folder (or some other folder) and reference it in my require statement so that I can use an updated library?
How can I add new fields and/or rename existing fields in Global Account Settings, which by default just has username/password inputs? Something like client id, client secret, etc. I cannot add password/client secret as a data input parameter, as they get stored in plain text when added via the system user interface (Settings -> Data Inputs). I cannot make them global parameters either, as we need to support multiple environments, each having a different set of data. Any help would be appreciated.
Getting the following error when installing Splunk Enterprise v8.2.2 and Splunk Add-on Builder 4.0.0. Any idea what must be going on?

Unable to initialize modular input "validation_mi" defined in the app "splunk_app_addon-builder": Introspecting scheme=validation_mi: script running failed (exited with code 1)..

File Integrity checks found 1 files that did not match the system-provided manifest. Review the list of problems reported by the InstalledFileHashChecker in splunkd.log File Integrity Check View ; potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem. Learn more.
Hello, I'd like to understand if it's possible with any Splunk version, preferably version 6 or later, to implement this type of behavior:
- Send an email only the first time the alarm condition is met. If the alarm (scheduled with the "cron" method) triggers again the next time, don't send any email.
- Send an "end of alarm" email, after an alarm fired, when the alarm condition is not met anymore.
Thanks.
Hi, I need to do some analysis on access permissions of an application. I want to graphically show the relationships between users and the access they have. I have a simple data set in the format below (I have a much bigger dataset). I would like to answer the question: of the users who have access to a specific folder, say "Apple", what other folders do they have access to and what are the associated volumes for that connection? I was thinking of a Sankey diagram, but I am having trouble getting the data in the right format. Any help would be really appreciated.

UserID Folder
1 Apple
1 Banana
2 Apple
3 Apple
3 Orange
Is there a list of tasks to perform daily / weekly to optimize Enterprise Security? In addition to any useful SPLs please? Thank you for your help & advice in advance.
I have Monitoring console on Ent + ES. Plus I have Splunk Admins + Meta Woot! on the Splunk Ent. Any cool Admin Apps for ES? Or Splunk Enterprise? Your valued message is much appreciated in advance.
Hello, to pull in specific events in Splunk I am trying to write a regex to identify lines that match both of these conditions:
1. app_protocol=http or https
2. src_ip starts with 15. or 16.
This is what I have, but it doesn't seem to be working. Am I doing something wrong?

.*app_protocol=HTTP|S\s.*(src_ip\=15\.\d+\.\d+\.\d+|16.\.\d+\.\d+\.\d+)*
I have to find logs between "string1" and "string2" in Splunk for index=abc. Then I need to verify whether the word "Error" or "Severe" appears in those logs. Can someone please help with the Splunk query?
Hi, I am configuring SSL encryption b/w agent and indexer/deployment server. But passwords placed under deployment-apps remain in clear text. I am looking for a workaround to ensure the password gets encrypted. If not, what other options do we have to ensure secured communication b/w agent and indexer/deployment server? All suggestions are welcome.
Hello there, I found what might be a bug in Dashboard Studio. I wanted to fill the "refresh" parameter on a dataSource using a token from a Number input field. When I edit the dashboard script to fill the "refresh" parameter with my token ($my_refresh_token$) and validate, I get a blank page, have to refresh the dashboard to make it work again, and the change is not saved (when I fill the parameter with something like "60s" it works). Can someone confirm this? Best regards,
Hi team, I need Golang REST API code for sending JSON logs to Splunk Enterprise. I have had a hard time searching on the web, but I am unable to find the right sort of code that works. It would be helpful for me if I could get some links for it as soon as possible. Thanks in advance, Arun
Hi all, I have an alert that looks for a specific message that includes the record ID. I would like to be able to create a numeric value for that ID that could be used to create a unique ID when raising a ServiceNow ticket. Therefore, all alerts for the same record ID would write to the same SNow ticket. The record ID is a string of 7 alphanumerics, e.g. abc4efg. I would like to be able to change "abc4efg" to "1234567". Thus the number does not change, but the letters are all replaced by their equivalent 1-26 number. The only constant is the length of the record ID, which is 7 characters. I've looked at many answers; sadly none provide exactly what I am looking for. Is this something that could be achieved using SED? Thanks in advance.