Hi All, hope you guys are doing fine. I have a few doubts related to field comparison. Please find the sample data below.
Field1 Field2 TRAP_BGP BGP BACKWARD TRANSITION TRAP_BFD CISCO BFD SESS DOWN Interface GigabitEthernet0/0 BGP BACKWARD TRANSITION TRAP_LINK LINK UP/DOWN TRAPS RECEIVED IN THE LAST 5 MINUTES EXCEEDS THRESHOLD
I need to check whether the value of field1 is contained in field2 (partial match). From the above example, TRAP_BGP and BGP BACKWARD TRANSITION: in both, the word BGP is common. If it is common then the result should be "YES". This is sample data; we have multiple data sets in this format (this data is dynamic, not static). Can someone please help with the SPL query? I have tried the match and LIKE commands but they don't seem to be working.
I am unable to send the alerts via email (Outlook). Can anyone help me with that? I performed all the procedure, like entering the SMTP host and all. I really don't know what the issue is; the alerts are triggering but the email action is not working. Here are my email settings:
smtp.office365.com:578 Enable TLS vinod@mail.com Password allowed domains left empty.
I configured an alert and it works fine; it is shown in triggered alerts. Can anyone help me with this? It would be appreciated. Thank you.
I have a csv file that I am using for a lookup which has multiple values in a particular field. I am trying to do a lookup which matches any one of the field values. Example: lookup table file -
room,color
livingroom,purple|green|yellow
(the pipe symbol delineates the different values in the color field)
Then my search -
<base search> | lookup paint_colors room OUTPUTNEW color | search color=purple | fields room,color | stats list by room
My desired result would be to see livingroom in the results. Is it possible to search for any one value in a field with multiple values? Thanks in advance!
Hi Splunkers, I have some HFs configured to send data over SSL to one indexer. As I am about to configure a second indexer, I was wondering if it is possible to load-balance data from the HF to: IDX1 over SSL, IDX2 without SSL, and have outputs.conf configured as:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = idx1:1234,idx2:5678
where 1234 is the SSL port, and 5678 the standard one, without SSL. And on the indexer side, we would have for inputs.conf:
IDX1
[splunktcp-ssl://1234]
connection_host = dns
IDX2
[splunktcp://5678]
connection_host = dns
Do you think this could work? Thanks!
How to get the quotation of Splunk Enterprise for the enterprise of D.R.C.?
We aren't supposed to see the same results from both sites. For a given event we should only see it coming from one site (whichever had the searchable copy). It almost appears that Splunk is giving a result from each site. What might be the issue here and how do we resolve it?
Hello, I need some help on where to look in order to diagnose the issue I am facing. I am using v8.0.9 in a multisite search head cluster and indexer cluster. After more than 30 days of normal operation, the search heads are not parsing Bluecoat logs. When I try the same search from the cluster master the parsing is done properly, but not from any of the search heads. There has not been any change in the cluster, but suddenly the parsing stopped working. Any ideas on where to focus my troubleshooting?
I am trying to make an app (using Python) in which a user will select key field details that have to be saved into a settings file (json or conf), but currently when it writes, it's only saving to the search head the user is currently on, not replicating across them all.
Hi Team, I need to add my company email address to my Splunk profile. I want to update it with my professional email ID so that the new certifications I do through my company ID can be reflected in my own profile alongside existing certifications.
Hi community, I created an Add-on based on Add-on Builder 3.01. In order to maintain this Add-on, Splunk asked me to export the project and import it into the new version, Add-on Builder 4.0. I tried to export the project from the old Add-on Builder but I cannot see my Add-on. I can see it under the « Other apps and add-ons » section. Any idea what the problem is and how I can open it from the Add-on Builder page, to avoid creating the Add-on from scratch using the new version of the Add-on Builder? Thanks
Hi Fellas! I just wanted to ask if it would be possible for a Splunk UF to monitor logs that are not accessible to its underlying user. For example, I am running my Splunk UF instance under the splunk user and I am trying to capture data from files under the directory /var/logs/appservicename/*.log which is owned by the root user. Given that I have the correct configuration in inputs.conf and outputs.conf, will the data be transmitted to my indexer instance?
After the installation of IT Essentials Work, I started to receive the following alert:
Received event for unconfigured/disabled/deleted index=firedalerts with source="source::fired_alerts" host="host::XXXXXXXXXX" sourcetype="sourcetype::stash". So far received events from 1 missing index(es).
I decided to create the index manually and after a day I saw a few events coming in. Digging a bit, I found out that they seem to come from the saved search called fired_alerts that is part of the app DA-ITSI-CP-unix-dashboards, which I don't have enabled (!). I only enabled the Exchange content, whose query is
| rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=firedalerts
Is this normal? Why was the index not created automatically by ITSI?
Hi folks, it's been a while since I posted here, but it looks like I'm stuck a bit (again!). I'm trying to exclude a prefix and suffix from my results, which are separated from the main string by a dash "-". The issue I have is that some of the words in my string also contain -'s, e.g. "Access - My string - July - Splunk", so the data I'd like to show as my results is only "My string - July". I came up with this:
| rex field=rule_name max_match=0 "(?<=-\s)(?<rule_name>[^-]+)(?=-)" | rex field=rule_name mode=sed "s/^s/s/g" | rex field=rule_name mode=sed "s/\s$//g"
But then my result shows in 2 separate lines like this:
My string
July
Any tips and hints on how to make them appear in one line? Thank you!
How to get these two stats results in one query?
(earliest=-24h@h index="s_data_sum" (type="c" OR type="s") (sourcetype="ys:ho_sum" OR (sourcetype="ys:vo_cv"))) | stats latest(first) as first latest(last) as last latest(index) as index by dev_id dq
(this dq field is not present in ho_sum)
| stats latest(first) as first_vu latest(last) as last_vu latest(index) as index_1 by dev_id sourcetype
Hi Splunkers, I installed the Splunk DB Connect app 3.5.1 on a Splunk server as a heavy forwarder. I configured forwarding data to index=AAA but it always forwards to index=main. I don't know why; someone help me please. Thanks!
Hi, how do I get APIs for measuring units, that is SVC (Splunk Virtual Compute Unit) and vCPU (Virtual CPU), in Splunk? I also need to find the API for pricing plans (workload pricing, entity pricing and ingest pricing). Please guide me on where I can get these APIs. Thanks
index="*" | stats count by clientip, productId | stats list(productId) AS productId list(count) AS count by clientip
I want to get information that has been released more than 10 times in an hour from the time the log was detected, not from the current time standard in the command.
Hi, I have my query below; I used a query from the "Solved" questions on the community, however it's showing a NULL result for me. Query --
index=victorops sourcetype="splunk:victorops:incidents:json" "PTS" | dedup incidentNumber | eval startTimeFormatted=strptime(startTime,"%Y-%m-%dT%H:%M:%SZ") -18000 | eval SplunkStartTime=strftime(startTimeFormatted,"%m/%d/%y %H:%M:%S") | eval endTimeFormatted=strptime(lastAlertTime,"%Y-%m-%dT%H:%M:%SZ") -18000 | eval SplunkEndTime=strftime(endTimeFormatted,"%m/%d/%y %H:%M:%S") | eval MTTR = round((SplunkEndTime-SplunkStartTime)/86400) | table incidentNumber, SplunkStartTime, routingKey, entityDisplayName, SplunkEndTime, currentPhase, MTTR
The above query is showing "NULL" output for the "MTTR" field. Please advise!
Hi, we would like to create a Splunk alert for long-running requests. If the request exceeds 5000ms then we should get an alert. Search query: sourcetype="access:log" host=hostname* USERID "search"
The output that we get is:
8/20/21 12:07:07.000 AM 30.X.X.X 7x4697381x3 USERID[20/Aug/2021:00:07:07 -0400] "POST /rest/api/2/search HTTP/1.1" 200 63 243 "-" "APP.Api/10.98.3.17993 APP/10.98.3.17993 (Microsoft Windows NT 6.2.9200.0)" "1duei1d";52.14.54.126, 30.x.x.x, 30.x.x.x https-jsse-nio-8443-exec-142 host = hostnamesource = /access_log.2021-08-20sourcetype = access
Is there a way we can accomplish this?
Getting the following error after installing & configuring the Microsoft 365 Defender Add-on on a HF with Splunk version 8.0.6. Need support to fix the error below. Error:-
08-20-2021 01:00:04.803 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" ERROR'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" KeyError: 'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" return response['access_token']
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" raise e
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" access_token = azauth.get_access_token(client_id, client_secret, authorization_server_url, resource, helper)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 53, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" input_module.collect_events(self, ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" self.collect_events(ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" Traceback (most recent call last): ... 2 lines omitted ... File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events ... 1 line omitted ... File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events ... 1 line omitted ... File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 53, in collect_events ... 1 line omitted ... File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token ... 1 line omitted ... File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.302 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" ERROR'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" KeyError: 'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" return response['access_token']
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" raise e
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token