I have a healthcare client that is using Epic.  I want to understand if Splunk has any recommendations or best practice documents for how logs/alerts from Epic should be monitored.  I'd like to understand if there are any rules that exist and what is the best way to get logs from Epic to Splunk.  Thanks.
Per this, the app is end of life in 2 months: https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/TroubleshoottheSplunkAppforWindowsInfrastructure Is there a migration path to the "content pack in Data Integrations"?
I'm trying to extract fields out of the winevent IIS logs. My regex works in regex101 perfectly. Also I can do something very similar with the rex command, so I feel like the regex should be ok. Here is the regex:

Message=.*s-sitename\s(?<s_sitename>\w+)\ss-computername\s(?<s_computername>\w+)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-)\scs-method\s(?<cs_method>\w+)\scs-uri-stem\s(?<cs_uri_stem>.*)\scs-uri-query\s(?<cs_uri_query>.*)\ss-port\s(?<s_port>.*)\scs-username\s(?<cs_username>.*)\sc-ip\s(?<c_ip>.*)\scs-version\s(?<cs_version>.*)\scs\(User-Agent\)\s(?<cs_User_Agent>.*)\scs\(Cookie\)\s(?<cs_Cookie>.*)\scs\(Referer\)\s(?<cs_Referer>.*)\scs-host\s(?<cs_host>.*)\ssc-status\s(?<sc_status>.*)\ssc-substatus\s(?<sc_substatus>.*)\ssc-win32-status\s(?<sc_win32_status>.*)\ssc-bytes\s(?<sc_bytes>.*)\scs-bytes\s(?<cs_bytes>.*)\stime\-taken\s(?<time_taken>\d+)\s(?<additional_info_1>.*)\s(?:x-forwarded-for|X-Forwarded-For) (?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-)\s(?<additional_info_2>.*)

An example that I'm trying to match to, with data changed obviously:

Message=date 2021-07-26 time 11:40:00 s-sitename XXX1 s-computername Name1 s-ip 0.0.0.0 cs-method GET cs-uri-stem /xxx/xx.dll cs-uri-query - s-port 000 cs-username - c-ip 000.0.0. cs-version HTTP/1.1 cs(User-Agent) AGENT cs(Cookie) - cs(Referer) - cs-host host sc-status 300 sc-substatus 0 sc-win32-status 0 sc-bytes 000 cs-bytes 000 time-taken 000 Connection Keep-Alive Warning - HTTP_CONNECTION Keep-Alive WORD - X-Forwarded-For 00.00.000.0 X-SSL-Client-Cert - HTTP_USER_AGENT AGENT User-Agent AGENT Authorization - Content-Type -

Unfortunately, when I put the regex in the "New Field Extraction" not a single field shows up. Appreciate any help in either the regex, or maybe I'm just doing it wrong somehow.
Hello there, I have Splunk Enterprise installed and one of my clients has asked me to implement threat intelligence. When searching I have found several apps, but I would like you to inform me which ones you recommend and what threat intelligence does. https://apps.splunk.com/apps/#/order/popular/search/threat%20intelligence
I need some help understanding how to send data from an API to Splunk Enterprise so that I can create a dashboard about the information. The API is open source and located at https://ghibliapi.herokuapp.com/#. I understand that I can get the information using the curl command, but how do I input this information directly into my Splunk instance? I don't have the option to use REST API as a data source for 'Add Data'. So far I've tried to print the output to a txt file and monitor that file using the universal forwarder, but I can't split the data into events properly, as the data is ingested line by line and backwards, regardless of the settings in props.conf. These are the current settings in my props file:

[apiver2]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = "(/{)"
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ^/{
MUST_BREAK_AFTER = ^/},
MUST_NOT_BREAK_AFTER = ^"id.+
MUST_NOT_BREAK_BEFORE = ^"url.+

And it always displays like this: So I'm thinking that maybe this is because of the data format of the request. What are my options for ingesting this data? A lot of this is new to me, so would HTTP Event Collector work, or is there something else I should do? Thanks in advance!
The PAVO Splunk app Source Profile & Destination Profile dashboards appear to be missing a macro. This is the error:

A search for the macro was unsuccessful. Error in 'SearchParser': The search specifies a macro 'apl_aut_tstats' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Can anyone who has this Splunk app installed check and see if it does exist in their installation? Thanks, Robert
Hi, I have to calculate the time difference between the first event and last event for a particular flow in a log. I have used earliest(_time) and latest(_time), which gave me correct data:

Index= * | stats earliest(_time) as Earliest and latest(_time) as Latest

This gave output in epoch times, but I need the difference of Earliest and Latest. I tried using diff and eval diff to strftime, but no luck. Can someone help me with the query please?
How do I go about turning off the "Latest Resources" panel in the Dashboards page in v8.2?  
Hi Team, Is there any way to decode the logs which are already onboarded into Splunk? Do we have any app to decode? Please suggest @ITWhisperer
How do I view / save the entire list of Reports + Alerts in Splunk Enterprise? Any SPL is much appreciated. It would also help if you could show me how to generate the same for ES. Thank you
I have the data in the following format:

score_count score_value
23 50
46 52
1 53
890 54

with more than a million score_values, each value having its distinct count. Given the data is in this format, how can I efficiently compute p95 or p99 of the `score`? I tried unrolling the table to create a single column with the value repeated multiple times, but the query does not complete at all. Note that I'm planning to use this in a timechart command as well, so it has to be efficient to compute this value.
I have multiple alerts with searches similar to the one below where fields are renamed to a numeric ordering. The search results are passed from phantom to a webex chat which reorders the fields unless this is done. I am seeing back-to-back alerts when the throttle should have been enacted. This also doesn't occur for all field values. An example would be an alert at 01:10 and 01:11 both containing the same throttled field value. At a loss at what the cause is. It doesn't appear to be the _'s because I would expect this behavior for all ~20 alerts of this format. Example search and alert configuration:

Throttle for each result, value: 3_Publication

index=database sourcetype=mssql:replication:status
| fields _time, host, publisher, publication, agent_name, agent_type, agent_status
| eval host = upper(host)
| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S")
| table Time, host, publisher, publication, agent_name, agent_type, agent_status
| rename Time as 0_Time, host as 1_Host, publisher as 2_Publisher, publication as 3_Publication, agent_name as 4_Agent_Name, agent_type as 5_Agent_Type, agent_status as 6_Agent_Status
So, 2 of our indexers sometimes have very high I/O due to a known issue, but this is causing index queueing on all our 31 other indexers in the same cluster. When we turn off the 2 indexers that are going to have high I/O, we don't see any issue. We are assuming that replication to these problem indexers is blocking other indexers and causing a ripple effect across the cluster. Is it expected that the cluster behaves this way? Are there any configurations to optimize or create dedicated threads only for replication without blocking indexing and searching?
Hello, Where should we put the following configuration files? Is this the correct place/info for them? Any help will be highly appreciated. Thank you so much, appreciated!

Deployment Client Configuration (Source Server where we have UF/HF)
INDEXES Configuration File (Destination Server where we receive events)
INPUT Configuration File (Destination Server where we receive events)
PROPS Configuration File (Destination Server where we receive events)
TRANSFORMS Configuration File (Destination Server where we receive events)
Hello, I have a problem regarding a datamodel search. My datamodel consists of different boolean values with a span of 5s. The summary range of the data model is defined for two weeks. I want to walk through the data and count events which contain the value "true" (GROUPBY _time span=5s ....). When I'm running the search with earliest=-2d@d I get an error "Job terminated unexpectedly". In the search.log I found "ERROR ProcessRunner - helper process seems to have died (child killed by signal 9: Killed)!" When I'm running the same search for earliest=-1d@d I don't get an error. In the OS logs of my server I've noticed that the CPU nearly reaches 100% of its capacity. THP is disabled. Thank you
SerialNumber Duration
111A 200
111A 500
2222 300
3333 100
3333 250

How can I display only the lowest duration for each SerialNumber? | dedup SerialNumber would sometimes get me the larger duration.

Expected Output:

SerialNumber Duration
111A 200
2222 300
3333 100
I am having trouble upgrading to Splunk 8.2.2 from 8.0.4.1. I keep getting that annoying 1603 error, but I can't seem to fix it. I've already tried re-propagating permissions for the folders and various re-registrations of the Windows Installer service, but same errors. Below is a snippet of what I get before the rollback. Any nudges in the right direction would be appreciated.

InstallFiles: File: SelectedFields.js, Directory: C:\Program Files\Splunk\share\splunk\search_mrsparkle\exposed\js\views\shared\eventsviewer\list\body\row\, Size: 3708
InstallFiles: File: cp866.py, Directory: C:\Program Files\Splunk\Python-3.7\Lib\encodings\, Size: 34396
InstallFiles: File: Brunei, Directory: C:\Program Files\Splunk\Python-2.7\Lib\site-packages\pytz\zoneinfo\Asia\, Size: 203
InstallFiles: File: progress-bars.pcss, Directory: C:\Program Files\Splunk\share\splunk\search_mrsparkle\exposed\pcss\base\, Size: 4000
InstallFiles: File: struct.py, Directory: C:\Program Files\Splunk\Python-3.7\Lib\, Size: 257
InstallFiles: File: St_Helena, Directory: C:\Program Files\Splunk\Python-3.7\Lib\site-packages\pytz\zoneinfo\Atlantic\, Size: 148
InstallFiles: File: SplunkWeb.URL, Directory: C:\ProgramData\Splunk Enterprise\, Size: 47
Action 19:04:48: RollbackRegmonDrv.
Action 19:04:48: InstallRegmonDrv.
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
InstallRegmonDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\splunkdrv.inf.
InstallRegmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\splunkdrv.inf
InstallRegmonDrv: Info: SystemPath is: C:\WINDOWS\system32\
InstallRegmonDrv: Info: Execute string: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\splunkdrv.inf >> "C:\Users\username\AppData\Local\Temp\splunk.log" 2>&1"
InstallRegmonDrv: Info: WaitForSingleObject returned : 0x0
InstallRegmonDrv: Info: Exit code for process : 0x0
InstallRegmonDrv: Info: Leave.
Action 19:04:49: RollbackNetmonDrv.
Action 19:04:49: InstallNetmonDrv.
InstallNetmonDrv: Warning: Invalid property ignored: FailCA=.
InstallNetmonDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\splknetdrv.inf.
InstallNetmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\splknetdrv.inf
InstallNetmonDrv: Info: SystemPath is: C:\WINDOWS\system32\
InstallNetmonDrv: Info: Execute string: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\splknetdrv.inf >> "C:\Users\username\AppData\Local\Temp\splunk.log" 2>&1"
InstallNetmonDrv: Info: WaitForSingleObject returned : 0x0
InstallNetmonDrv: Info: Exit code for process : 0x0
InstallNetmonDrv: Info: Leave.
Action 19:04:51: RollbackNohandleDrv.
Action 19:04:51: InstallNohandleDrv.
InstallNohandleDrv: Warning: Invalid property ignored: FailCA=.
InstallNohandleDrv: Info: Driver inf file: C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf.
InstallNohandleDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf
InstallNohandleDrv: Info: SystemPath is: C:\WINDOWS\system32\
InstallNohandleDrv: Info: Execute string: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\Splunk\bin\SplunkMonitorNoHandleDrv.inf >> "C:\Users\username\AppData\Local\Temp\splunk.log" 2>&1"
InstallNohandleDrv: Info: WaitForSingleObject returned : 0x0
InstallNohandleDrv: Info: Exit code for process : 0x0
InstallNohandleDrv: Info: Leave.
Action 19:04:52: CreateFtr.
CreateFtr: Warning: Invalid property ignored: FailCA=.
Action 19:04:53: FirstTimeRun.
FirstTimeRun: Warning: Invalid property ignored: FailCA=.
FirstTimeRun: Info: Properties: splunkHome: C:\Program Files\Splunk.
FirstTimeRun: Info: Execute first time run.
FirstTimeRun: Info: Enter. Args: "C:\Program Files\Splunk\bin\splunk.exe", _internal first-time-run --answer-yes --no-prompt
FirstTimeRun: Info: SystemPath is: C:\WINDOWS\system32\
FirstTimeRun: Info: Execute string: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\Splunk\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\username\AppData\Local\Temp\splunk.log" 2>&1"
FirstTimeRun: Info: WaitForSingleObject returned : 0x0
FirstTimeRun: Info: Exit code for process : 0x1
FirstTimeRun: Info: Leave.
FirstTimeRun: Error: ExecCmd failed: 0x1.
FirstTimeRun: Error 0x80004005: Cannot execute first time run.
CustomAction FirstTimeRun returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 19:05:37: InstallFinalize. Return value 3.
Action 19:05:37: Rollback.
Rolling back action:
We have a lot of contents/knowledge objects and are trying to weed out the ones that are unused. We are using Enterprise Security and other apps. I have identified a few `Macros` that I want to remove/delete, but before that I want to make sure that they are not used in any Splunk saved search/correlation search/lookup generating search, or within any SPL for that matter. Is there a way to find this?
Hello, I have these 3 queries:

sourcetype="Silverpop-*" Message="Message was successfully sent to *" | top limit=500 "AdditionalData.additionalData.AdditionalParameters.MailingID"

sourcetype="kube:container:notificationsservice-workerservice" Message="Filtered channel context" "ContextData.ChannelName"=SalesforceEmail | top limit=500 "AdditionalData.Meta.NotificationType"

sourcetype="kube:container:notificationsservice-workerservice" Message="Filtered channel context" "ContextData.ChannelName"=SalesforcePriorityEmail | top limit=500 "AdditionalData.Meta.NotificationType"

I want to union the second and third queries, compare to the first one, and show it all in a csv file. How can I do it? Thanks
We are getting some vulnerabilities reported for our Splunk instance, and to fix them we need to add the Strict-Transport-Security header to the HTTP responses. We have tried adding the setting "sendStrictTransportSecurityHeader = true" to server.conf and web.conf, but the issue still persists. Can anyone please help me with this issue?