I have a rather complicated query that goes like this:

index=* source=* earliest=-4mon@mon latest=@mon RESPONSE_CODE="0"
| bin _time span=1mon
| stats count AS MonthTotal1 SUM(AMOUNT) AS MonthTotal BY MERCHANT_CODE, SUBMERCHANT_CODE, _time
| eval lastMonthStart = relative_time(now(),"-mon@mon")
| stats sum(eval(if(_time>=lastMonthStart,MonthTotal,0))) AS 1M_Total sum(eval(if(_time>=lastMonthStart,0, MonthTotal))) AS 3M_Total values(eval(if(_time>=lastMonthStart,MonthTotal1,null()))) AS Transaction sum(eval(if(_time<lastMonthStart,MonthTotal1,null()))) AS THREE_MONTHS BY SUBMERCHANT_CODE, MERCHANT_CODE
| eval 3M_Total_avg = round(3M_Total/3,2)
| eval RATE_Total = round((1M_Total/3M_Total_avg)*100,2)
| search RATE_Total>=200 OR RATE_Total=0
| join MERCHANT_CODE [search index = * | dedup MERCHANT_CODE | table MERCHANT_CODE, BANK]
| table MERCHANT_CODE SUBMERCHANT_CODE, BANK, 1M_Total, RATE_Total

It seems complicated, but the gist is that I have to compare the latest month's total transaction value to the average of the 3 months before it for each sub-merchant; if the rate is >200%, show it in a table. A typical event goes like this (I'll omit some unnecessary parts):

2021-10-25 13:52:33 TRANSACTION_ID="144479283"AMOUNT="10000", MERCHANT_TRANSACTION_CODE="17797161285", RESPONSE_CODE="0",MERCHANT_CODE="MOMOCE", SUBMERCHANT_CODE="22312"

Something to note:
- Each MERCHANT can have several SUBMERCHANTs, or none at all, so the field SUBMERCHANT does not always exist in events.
- Each MERCHANT has a BANK associated with it, but in another table.

I have a query just for SUBMERCHANT as a baseline to compare results against, but somehow the query above, and also the version using eventstats instead of stats, both show different results from the baseline. Does anyone have any idea how to untangle this mess? I'd really appreciate it!
Dear Splunk community, in Splunk I am looking for logs that say "started with profile: [profile name]" and want to retrieve the profile name from the found events. Then I want to use the profile name to look for other events (from a different source), and if one or more errors are found, I would like to count that as one found error per platform. To make things more clear, I have the following search query (query one):

index="myIndex" "started with profile" BD_L*
| table _raw, platform, RUNID
| eval Platform=case(searchmatch("LINUX"),"LINUX",searchmatch("AIX"),"AIX",searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX")
| stats count by Platform
| rename count AS "Amount"

The events found by the above query contain the following (raw):

Discovery run, 2021101306351355 started with profile BD_L2_Windows

The above query will return a list of events containing the raw data above and will result in the following table. This is a table with the amount of Discovery runs per platform: Using the following piece of code I can extract RUNID from the events. RUNID is what I need to use in a second search when looking for errors:

| rex "Discovery run, (?<RUNID>.+) started with profile"

Using RUNID I can look for errors (query two):

index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT*
| dedup _raw
| stats count
| rename count AS "Amount"

Now, I am looking for a way to combine the above two queries into one and count the number of platforms that have at least one error.
So let's say we have the following simulation:
- Two runs (one Windows and one Linux)
- The Windows run has 0 errors (none found in query 2)
- Linux has 6 errors (found in query 2)
This should result in the following results:

Platform | Amount
Linux | 1

I need to find some way to return true or one from query 2 and use that in query 1 to group the results, but I am unable to due to lack of experience. I have not yet found anything similar to my question and hope anyone here can help me out. Thanks in advance.
index=pan* dvc_name="*" sourcetype="pan:traffic" OR sourcetype="pan:system"

How can I trigger an email alert if, for example, 1 or multiple devices are not sending traffic logs after 24 hrs? I tried using the alert with the "number of results" condition, but it's not sending logs, because Splunk counts the results by logs and not by device, so it added up all the results.
Hello, I have a dashboard with 2 panels. In the second one I have a drilldown with a link to search. I'm trying to configure a token, but it is not working. This is what I tried to do:

<init>
  <set token="TransactionId">$TransactionId$</set>
</init>

and this is what I'm getting when clicking on the link: TransactionId=$TransactionId$

What am I missing? Thanks.
Hi all, we've configured a Forcepoint Next Generation Firewall (NGFW) to send data through its Security Management Center (SMC) after following this article: https://forcepoint.github.io/docs/ngfw_and_splunk/, however no data is displayed in the Splunk Enterprise (standalone) Web UI > Apps > Forcepoint. From a 'tcpdump' on the Splunk Enterprise device (hosted on Linux CentOS 7), we can see incoming traffic on the configured incoming TCP port 19997. Could anyone advise, please? Kind regards, Lubo
Hello! So one of the questions I see showing up in various quizzes/flashcards for the Administrator certification is "Which Splunk component requires a Forwarder license?", and two of the choices are HF and UF. The community seems pretty split on whether the right answer is UF or HF. The argument for HF is that an HF is a Splunk Enterprise instance with the Forwarding license required, and for UF that it has the forwarding license applied automatically. I guess the question comes down to what they mean by "require a license", and I was hoping someone could give me some more clarity on which is the right answer and why. Sources: https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Distdeploylicenses and Splunk Enterprise 8.2 Data Administration.pdf
Dear community, I have been trying to integrate Splunk with my scripting for some time now, and it's time to reach out for some help. The design is based on <form>, and I have tried to implement it in 2 ways: to run the search with a custom Python command from the drilldown (not sure how NOT to run it automatically) and to take those inputs as args. I have 3 input fields. Here is one version of my XML (in the search, "| pullssp" is my Python script that requires the above inputs):

<form script="button.js">
  <!-- <init><set token="hostname"></set><set token="username"></set><set token="password"></set></init> -->
  <label>submit button</label>
  <fieldset submitButton="false"></fieldset>
  <row depends="$hide$">
    <panel>
      <html>
        <style>
          .btn-search{ color: #fff; padding: 6px 15px; font-weight: 500; background-color: #5cc05c; border: transparent; display: inline-block; height: auto; line-height: 20px; font-size: 14px; box-sizing: border-box; margin-bottom: 0; text-align: center; vertical-align: middle; cursor: pointer; border-radius: 3px; white-space: nowrap; }
          .btn-search:hover{ background-color: #40a540; border-color: transparent; color: #fff; box-shadow: inset 0 -2px 0 rgba(0,0,0,.1); text-decoration: none; text-shadow: none; filter: none; }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <input type="text" searchWhenChanged="false" id="host" token="hostname">
        <label>Server</label>
        <default>https://192.168.1.10</default>
      </input>
      <input type="text" searchWhenChanged="false" id="user" token="username">
        <label>Username</label>
        <default>admin@admin.com</default>
      </input>
      <input type="text" searchWhenChanged="false" id="pass" token="password">
        <label>Password</label>
        <default>Admin123</default>
      </input>
      <html>
        <input type="button" value="Search" id="submit_host" class="btn-search"/>
      </html>
      <table>
        <search>
          <query>| pullssp $hostname$ $username$ $password$</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Ideally I would like this not to run automatically, only when I submit my inputs with the search button. The JS for the button is this version, which I am constantly adjusting as I do not know JS:

require(["jquery", "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!"], function($, mvc) {
    // "submitted" is the token model that the panel searches read from
    var defaultTokenModel = mvc.Components.get("submitted");
    // the button id in the dashboard XML is "submit_host"
    $("#submit_host").click(function() {
        var hostname = $('#host input[type="text"]').val();
        var username = $('#user input[type="text"]').val();
        var password = $('#pass input[type="text"]').val();
        defaultTokenModel.set("hostname", hostname);
        defaultTokenModel.set("username", username);
        defaultTokenModel.set("password", password);
    });
});

Here is another way I'm thinking of trying: pass this to the JS script and run the command from there:

<form script="get.js" hideSplunkBar="1" hideFooter="1" hideEdit="0" isDashboard="0">
  <label>Update</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="text" token="field1">
      <label>Server</label>
    </input>
    <input type="text" token="field2">
      <label>Username</label>
    </input>
    <input type="text" token="field3">
      <label>Password</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <fieldset submitButton="true">
          <button class="btn btn-primary button1">
            <span>Update STUFF</span>
          </button>
        </fieldset>
      </html>
    </panel>
  </row>
</form>

General idea of how the JS script should react to a button1 click:

require(["jquery", "splunkjs/mvc/searchmanager", "splunkjs/mvc/simplexml/ready!"], function($, SearchManager) {
    var mysearch = new SearchManager({
        id: "mysearch",
        autostart: false,   // boolean, not the string "false" (a non-empty string is truthy)
        search: "|pullssp $field1$ $field2$ $field3$"
    }, { tokens: true });   // resolve $field1$ etc. from the token model instead of passing them literally
    $(".button1").on("click", function() {
        var ok = confirm("Are you sure?");
        if (ok) {
            mysearch.startSearch();
        }
    });
});

How can I use the default token model to grab those tokens and pass them on to my search for use with the Python script command, please? I could not find any examples of it. @vnravikumar, I've seen a couple of your posts and I think you might be able to help?
Many thanks in advance, all.
I have configured an automatic lookup; however, when I try to do a search it gives the message "Could not load lookup=LOOKUP-auto_prices [subsearch]: Could not load lookup=LOOKUP-auto_prices". Can someone help me, please?
I was given an EDI file in SQL, and when I execute this file in Splunk DB Connect it gets the error below: Non-Displayable Column Type BLOB
All, I have a simple requirement to list failed login attempts from the same src_ip in a span of 5 mins. I have seen 2 options in the community here, one using stats and the other using streamstats. Which one is more accurate? @ITWhisperer

Option 1:
index=XYZ sourcetype=ABC eventName=*Get* errorCode!=success
| bin _time span=5m
| table _time host eventName, app, command, dest, errorCode, region, userName, user_type, user, src_ip
| stats values(*) as *, count by src_ip
| where count>=5

Option 2:
index=XYZ sourcetype=ABC eventName=*Get* errorCode!=success
| streamstats time_window=5m count as failed_attempts by src_ip
| where failed_attempts > 5
| table _time user failed_attempts src_ip dest host eventName app command, dest errorCode region userName
Hi all, I have an XML file as below.

<?xml version="1.0" encoding="UTF-8"?>
<suite name="abc" timestamp="20.08.2021 15:47:20" hostname="kkt2si" tests="5" failures="1" errors="1" time="0">
  <case name="a" time="626" classname="x">
    <failure message="failed" />
  </case>
  <case name="b" time="427" classname="x" />
  <case name="C" time="616" classname="y" />
  <case name="d" time="626" classname="y">
    <error message="error" />
  </case>
  <case name="e" time="621" classname="x" />
</suite>

The cases that don't have a failure or error are the ones that passed. I am able to make a list of cases, but I am confused about how to add a column with the status. Does anyone know the solution for this?

| spath output=cases path=suite.case{@name}
| table cases

This is how I extracted the cases. I want to add a column which shows the status. Please suggest some answers.
Hi All, I am trying to create a dashboard panel in trellis view. I have used the below query:

(my search query)
| stats count
| eval Result=if(count=0,"Ok","Error")
| fields - Exception,count

With this I can get the dashboard panel as shown. Please look into the source below:

<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>

Here I have a requirement to change the color of the trellis box. I want it to be green when "Ok" and red when it is "Error". Please help guide me to achieve the desired output. Thank you!
I have got a complicated task of consolidating two standalone search heads and a single search head cluster (4 nodes) all into a single search head cluster of 3 nodes. Can someone please advise what would be the most efficient and correct method to accomplish this?
Hi there, I have a query that I use to extract all database modifications. However, I want to exclude SELECT from being captured by this query. I want to extract only INSERT, DELETE and UPDATE. My query:

index="database_db" source=database_audit sourcetype="database_audit"
| eval "Database Modifications:" = "Modification on " + host, "Date and Time" = EXTENDED_TIMESTAMP_NY, "Type" = SQL_TEXT, "User" = DB_USER , "Source" = sourcetype
| rex field=_raw "SQL_TEXT=\S(?P<Type>\W?......)\s"
| rex field=_raw "DB_USER=(?P<UserName>..........)"
| table "Date and Time", "Database Modifications:" ,"Type", "User", "Source"

Can anybody help? Thank you.
Hi, does anyone have a good example of sending from Logstash to Splunk HEC? I only get "services/collector/raw" working with Logstash, but would prefer to use /collector or /event so we can easily change the sourcetype. I see that in the case of /collector or /event the message must be constructed in a special way, so if anyone has a good Logstash example, please share. As we are also using multiple indexes, we would like to dynamically change and parse message logs, then parse them with a good sourcetype stanza and deliver them to a different index depending on the log type (e.g. different OS, network equipment, etc.).
index=anIndex sourcetype=aSourceType ("*Starting application:*" AND (host="aHostName*"))
| stats values(host) AS ServerList

The above query gives me a list of distinct server names. What I am attempting to do is use this query for an alert and provide the list of servers, but only when the number of servers in the distinct list returned by the above query is less than a specified number. I will be configuring the alert to trigger when the results are > 0, since the trigger condition will be in the query and not in the alert. How do I modify the query above to only provide ServerList if the number of distinct servers in that list is < 10?
Dears, can we integrate FireEye HX with Splunk using the GUI or not? If not, let me know the process for the CLI.
Hello! A dashboard runs a search and I want to create an alert for this, so I replicated the search code into the alert. However, now, if there is a change in the dashboard, my alert will not be updated. Is there a way to create an alert with a search like "search dashboard1" or something similar, so that whatever changes happen to the dashboard are fed into my alert? Thanks!
Hi Splunk Team, I am looking for the API with which we can black out monitoring on Azure VMs while these VMs are under the patching process. The patching will happen to a group of VMs together based on their tag in Azure. Can you please suggest an approach to group the VMs, black out their monitoring alerts, and then re-enable them when the patching process is completed? Thanks in advance, George