Hi, I want to upgrade Splunk DB Connect (current version 1.1.7) to its latest version. Please help me with these queries. 1. Can you suggest which version I should go for? 2. Are there any prerequisites before updating to a higher version? 3. Our current Splunk Enterprise version is 7.1.3; will the higher Splunk DB Connect version be compatible with this Splunk Enterprise version? Regards, Rahul
Hello, this is my request:

index=antivirus
| stats values(SAVVersion) as SAVVersion, values(EngineVersion) as EngineVersion, values(VirusDataVersion) as VirusDataVersion, max(LastMessageTime) as LastMessageTime, max(LastScanDateTime) as LastScanDateTime by Name
| sort LastScanDateTime
| eval diff=round((now() - LastScanDateTime)/60/60/24)
| eval "active the last seven days ?"=if(round((now() - LastMessageTime)/60/60/24)>7,"NO","YES")
| where (diff > 3) OR isnull(diff)
| fillnull value="-"
| sort - "active the last seven days ?" - diff

I would like to have only the PCs (Name) not scanned (LastScanDateTime) for more than three days, but my request does not work; it returns all the PCs. Can you please help me? Sorry for my English.
Hello team, I am trying to monitor Windows event logs and have installed the universal forwarder with the relevant data. I am getting the Application and System logs; however, the Security events are not being forwarded. I am adding the inputs.conf details below; please let me know what is causing this.

###### OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 16350-16400
index = default_tier1_idx
renderXml=false

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 0-10000
index = default_tier1_idx
renderXml=false

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 7000-7050
index = default_tier1_idx
renderXml=false

Thank you
Hi all, hope you are all doing well. I am trying to extract a field which has different types of data. I want to extract the reference number.
DATA:
0561170-0443 :- 0561170 is the reference number
0213_DFS_201021004 :- 201021004 is the reference number
0159_1606766A_191021016 :- 1606766A is the reference number
Can you please let me know how I can achieve this? I tried rex but it won't work. Is there any other way to do it? Thanks in advance
Hi team,
1. I have a first query which returns the chart below:

<baseQuery> | timechart span=4w count(ACT) as countOfOpenSession, distinct_count(UID) as countOfUserID, distinct_count(CMN) as countOfCustomer

2. Then I have a second query which returns the table and chart below, which gets the CMN value with the highest hit value per month:

<baseQuery> | stats count(ACT) as hit by date_month CMN | eventstats max(hit) as maxhit by date_month | where hit=maxhit | fields - maxhit

Expected chart I want to get from the Splunk search:
1. Combine the two queries into one (by the way, the baseQuery for the two queries in my scenario is the same).
2. Combine the timeline chart and the bar chart into one chart.
3. From the combined chart, on the bars, display both CMN (customer name) and hit count.
Here is an example chart I want (similar to below). How do I edit the query and format to achieve the expected chart?
Hello team, I am trying to extract the fields highlighted below. However, when I use the expression, it works correctly on one type of event but picks a different (underlined) field from the other event. Please let me know what I am doing wrong here.

(?:[^,]+,){19}\"(?<instance>[^,]+)\",.*

Below is the event which is getting extracted as expected.
50271232,00004102,00000000,1600,"20210901225500","20210901225500",4,-1,-1,"SYSTEM","","psd217",46769357,"MS932","KAVS0260-I \x83W\x83\x87\x83u\x83l\x83b\x83g(AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX:@5V689)\x82\xF0\x8AJ\x8En\x82\xB5\x82܂\xB7","Information","jp1admin","/APP/ABC/AJS2","JOBNET","Server2:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","JOBNET","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/\x92l\x8ED\x94\xAD\x8Ds/04_\x92l\x8ED\x8Ew\x8E\xA6\x83f\x81[\x83^\x98A\x8Cg_\x8CߑO1TAX","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x

Below, the highlighted part is what I need to extract, but the underlined part is getting extracted.
50271228,00004105,00000000,3088,"20210901225446","20210901225446",4,-1,-1,"SYSTEM","","psd240",316413752,"MS932","KAVS0263-I \x83W\x83\x87\x83u(AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/MCS/\x8AĎ\x8B/09_\x92\x8D\x95\xB6\x91\x97\x90M\x96\xA2\x8DX\x90V\x8D\x80\x96ڃ`\x83F\x83b\x83N/HULFT\x91\x97\x90M\x8C㎞\x8Aԑҋ@1MIN:@50R6189)\x82\xF0\x8AJ\x8En\x82\xB5\x82܂\xB7(host: PSD511, JOBID: 0)","Information","jp1admin","/App/ABC/AJS2","JOB","Server1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/MCS/\x8AĎ\x8B/09_\x92\x8D\x95\xB6\x91\x97\x90M\x96\xA2\x8DX\x90V\x8D\x80\x96ڃ`\x83F\x83b\x83N/HULFT\x91\x97\x90M\x8C㎞\x8Aԑҋ@1MIN","JOBNET","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/MCS/\x8AĎ\x8B/09_\x92\x8D\x95\xB6\x91\x97\x90M\x96\xA2\x8DX\x90V\x8D\x80\x96ڃ`\x83F\x83b\x83N","AJSROOT1:/\x90V\x8A_\x96{\x94ԏ\x88\x97\x9D/MCS/\x8AĎ\x8B/09_\x92\x8D\x95\xB6\x91\x97\x90M\x96\xA2\x8DX\x90V\x8D\x80\x96ڃ`\x83F\x83b\x83N/HULFT\
Hello fellow Splunkers, it was brought to my attention by our F5 system manager that some logs from F5 are missing in Splunk. Once every few logs sent (and there are a lot of them), it appears that a log or two just disappear and are not indexed. To ingest the logs we installed the F5 add-on on our HF and configured both ends (F5 and Splunk) according to the documentation at docs.splunk.com. Does anyone have any idea what can cause this? We're using Splunk Enterprise 8.0.7 and the Splunk Add-on for F5 4.0.1. Thanks
Hello everyone, please help me regarding how to remove Splunk search heads from the Splunk master or cluster. We have some dedicated Splunk search heads in our environment, e.g. 15 search heads. Of those, 7 search heads are down, because the users have stopped using those search heads. So now we are planning to remove those 7 search heads from our Splunk master. What is the procedure? Could anyone explain it to me in a manual way? It would be great. Please also check the screenshot I have shared below; we need to remove these search heads. Regards
Hi team, I am pulling my hair out trying to figure out a query to extract data into a table with the following information:
stopping system logging (rsyslog)
stopping the Tripwire agent
stopping the Splunk agent
on hosts. I also want to know who stopped/disabled those services and at what time, so I can reconcile it with approved changes. I would really appreciate it if someone can help. Thank you.
Does anyone know how to change the default time range for ad-hoc searches from 30 minutes to 7 days in Splunk Cloud? I changed the setting in Server settings » Search preferences to 7 days. However, the default in Search & Reporting is still 30 minutes. Our data usually takes 48 hours to get through the data pipeline, so a 30 minute time window for searches will never return data.
Apparently, after I fill in type="laptop", color="blue", the laptop is still black. The same goes for all the other types; they just remain black. Does anyone know why?
I recently installed a brand new Splunk 8.2.2, then installed Splunk ES 6.6.0 on it. After Splunk ES was installed and configured, I restarted Splunk from the CLI and got the error message below:

"Checking conf files for problems... Invalid key in stanza [notable] in /opt/splunk/etc/apps/SA-ThreatIntelligence/default/alert_actions.conf, line 84: param.default_disposition (value: )."

There is no such error on Splunk ES 6.4.1, and there is also no such key; it's new from ES 6.6.0. Does anyone know how to fix it? Many thanks!
Hi all, I am trying to set up some sort of dashboard to view a list of sudo commands by server. I started with the IT Essentials Learn app, which recommends this command:

index=* sourcetype=linux_secure process=sudo COMMAND=* host=* | rex "COMMAND=(?<raw_command>.*)" | eval COMMAND=coalesce(raw_command, COMMAND) | table _time host USER PWD COMMAND

This command did not work for me, so I started playing with it a bit. I realized that the sourcetype=linux_secure does not exist. My understanding is that the Splunk Add-on for Unix and Linux is supposed to apply this sourcetype. I verified my configuration and didn't see anything to modify, so I went ahead and looked at the $SPLUNK/etc/apps/Splunk_TA_nix/default/inputs.conf file. I cannot find a single instance of sourcetype=linux_secure in that config file, so I don't think that sourcetype is being applied to any sources. Has linux_secure been deprecated, or do I simply need to modify my local/inputs.conf file with something? Does anyone have a recommended way to perform this search? I have tried a number of methods but am struggling to get what I need.
I'm working on enhancing our data pipeline by leveraging a messaging bus such as Kafka or Pulsar. Both are enticing options; however, they each come with their own advantages and drawbacks. This installation will be dedicated to Splunk, so no shared messaging buses interfering with our logging needs. I would love to know what the experiences of the user community have been when using either of these platforms. Why did you choose one over the other? Have you regretted the choice, and why? Thanks. The Frunkster
I am looking for a way to filter the events that a user can see based on the values of the event. For example, if there are events with the field 'building' and the field has values 'a' through 'z', I would want user 1 to only be able to retrieve events where the building is of a value 'a' through 'g', and user 2 could be given access to events where the building values are 'f' through 'p'. I have looked into using roles to apply filters, but those are limited to indexed fields, and I will have dozens of fields in my events that will need this type of filtering, so it is not a good option. Additionally, the filtering should be secure so that there is no way for users to bypass that filtering. Any ideas?
I’m experiencing issues uploading custom dashboards from extensions. What do I do? If you encounter issues while uploading dashboards via extensions, your best course of action is to create the dashboard directly from the Controller UI instead. However, be sure to confirm that the metrics you would like to include in the dashboard are consistently reporting data to the Controller. Please review the Custom Dashboard documentation for instructions on how to create a dashboard from the Controller.
I created an Access Policy in Azure. How do I configure the Storage Account to use the Access Policy (https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configurestorageaccount)? In Azure there is an Access Policy Identifier assigned to the Access Policy; where does this get entered into the Storage Account form?
I've created a custom Python input via Add-on Builder, called events from the API for the last 24 hours, and the data is there. I can see it in the data builder in the response. However, the add-on I am trying to create needs to run on a 60 second schedule. At Edit Data Input I've selected a Collection Interval of 60 seconds, and in my add-on I look at the past 60 seconds. At the Define & Test step I click on Finish, get confirmation about the set up interval, and that's all. There are no events, and based on _internal logs it didn't even run once after saving. Any idea what could be wrong? Why isn't the script running on schedule?
We are using coldToFrozenScript to store frozen index data in GCS. To prove our DR annually we need to restore. This is the first time I have done so at this company, and I ran into an error that pukes out when I run the rebuild command; however, I will say that the data appears to show up in Splunk and is searchable. So I'm wondering: is this error something that can be dismissed, or is it something that I should pay attention to?

WARN IndexConfig - Home path size limit cannot accommodate maximum number of hot buckets with specified bucket size because homePath.maxDataSizeMB is too small. Please check your index configuration: idx=linux maxDataSize=750 MB, homePath.maxDataSizeMB=800 MB

The indexes.conf for this index is as follows:

[linux]
repFactor = auto
homePath = volume:indexvol001/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb
tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary/
frozenTimePeriodInSecs = 31536000
homePath.maxDataSizeMB = 800
maxTotalDataSizeMB = 491789400
maxWarmDBCount = 285
Is it possible to record user sessions? I mean a video record, and correlate it with:
Windows user behavior
Linux user behavior
DB (both SQL and Oracle) behavior – query execution, procedures, index, table, user, creation/dropping m