Hi,

Currently, our Angular application is configured as "User Experience". We are facing the below issues:

1. We want to trigger an alert when there is a specific HTTP code in the response, ex: 500. While configuring health rules, there is no option to select a specific error code.
2. Anomalies are not detected even though we enabled the option.

To overcome these issues, can we configure our application as "Application" so that it will give more options to configure the health rules?
Hello – I hope you can assist me with starting my AppD SaaS Pro trial. I enrolled in this program a week ago and so far I have only received the welcome message via email, with a recommended path for exploring the product. I was trying to follow the recommended steps from the "welcome" email, but after several attempts I always ended up landing on the page where I can download agents... and this is pretty much it. Kind regards, Andy
All, I've started seeing the following error message on Splunk 8.2.1 since installing the alert_manager app and I'd like to clean it up.

- Error from my deployment server, from btool checks
- Version Splunk 8.2.1
- CentOS7
- I have /etc/deployment-apps/alert_manager/README/alert_manager.conf.spec there. So I assume that's what it's looking for.

# Error
08-10-2021 13:23:41.948 -0700 WARN Application [28063 MainThread] - No spec file for: /opt/splunk/etc/deployment-apps/alert_manager/default/alert_manager.conf
08-10-2021 13:23:41.948 -0700 WARN Application [28063 MainThread] - Invalid key in stanza [alert_manager] in /opt/splunk/etc/deployment-apps/alert_manager/default/alert_actions.conf, line 12: param.urgency (value: low).

# alert_manager.conf, line 12 under [settings] stanza
auto_close_info = false

# alert_manager.conf.spec, line 40, under [settings] stanza
auto_close_info = [true | false]
* Configure if informational events are automatically resolved
* Defaults to false

Any ideas on how I'd troubleshoot this?
I am struggling to follow the documentation to install the dfs manager app. Are there any better resources to follow? Currently I'm stuck figuring out why, when setting the java_home field in the serv.conf, I am getting an error upon restart saying it is an invalid key.
Hi all, I am totally new to SPLUNK. I am going through the free online class Splunk Fundamentals. I have uploaded the example data into SPLUNK exactly as directed by the directions. However, when I log out then log back in from Admin to a Power user to search, the data is in SPLUNK but it says it is not indexed. Isn't the data automatically indexed upon uploading the files? The instructions do not say specifically, but after uploading the data, it expects you to see 239,625 Events Indexed. Yet for whatever reason, it is not indexing the data; what could cause that issue? I've redone the uploads 7 times now. I even wiped out everything (am working on a VM), re-downloaded SPLUNK and started from scratch, and still no indexing. What the heck am I missing? TIA
I run the following to get a list of saved / skipped searches through the Monitoring Console for my ES (Splunk ES). I need a field added to show the reason for failure / why the searches were skipped. Thanks a million in advance for your help.

`dmc_set_index_internal` search_group=dmc_group_search_head search_group=* sourcetype=scheduler (status="completed" OR status="skipped" OR status="deferred")
| stats count(eval(status=="completed" OR status=="skipped")) AS total_exec, count(eval(status=="skipped")) AS skipped_exec by _time, host, app, savedsearch_name, user, savedsearch_id
| where skipped_exec > 0
Hoping someone can help here.... We are currently running DNS services on our Windows Active Directory servers (we do not currently have tools/tech in place to stream or otherwise capture this data on the wire --- roadmap item).

We are also running on Splunk Cloud with a Splunk HF (installed on a dedicated stand-alone system) & Splunk UF (installed on the Active Directory server(s) with DNS services running). So the data flows as follows:

Splunk UF (AD Server) -> Splunk HF (dedicated box) -> Splunk Cloud

Using this approach, I am able to successfully get the data in to Splunk Cloud. My issue revolves around parsing the necessary fields. I am most concerned about getting the DNS entry itself (as part of the initial query) as well as the IP address returned in the DNS response. Below I have included the raw data, the inputs.conf, props.conf, and transforms.conf. Please let me know what I am missing as I am at a loss at this point.

======DNS Query Raw Data======
8/9/2021 7:19:32 AM 1750 PACKET 00000200616CA100 UDP Rcv ::1 1bf5 Q [0001 D NOERROR] A (27)vm3-proxy-pta-NCUS-CHI01P-2(9)connector(3)his(10)msappproxy(3)net(0)
UDP question info at 00000200616CA100
  Socket = 828
  Remote addr ::1, port 62839
  Time Query=229843, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x004a (74)
  Message:
    XID 0x1bf5
    Flags 0x0100
      QR 0 (QUESTION)
      OPCODE 0 (QUERY)
      AA 0
      TC 0
      RD 1
      RA 0
      Z 0
      CD 0
      AD 0
      RCODE 0 (NOERROR)
    QCOUNT 1
    ACOUNT 0
    NSCOUNT 0
    ARCOUNT 0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
      QTYPE A (1)
      QCLASS 1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

======DNS Response Raw Data======
8/9/2021 7:19:10 AM 1750 PACKET 000002006188FCC0 UDP Snd ::1 196c R Q [8081 DR NOERROR] A (27)vm3-proxy-pta-NCUS-CHI01P-2(9)connector(3)his(10)msappproxy(3)net(0)
UDP response info at 000002006188FCC0
  Socket = 828
  Remote addr ::1, port 58618
  Time Query=229821, Queued=229822, Expire=229825
  Buf length = 0x0200 (512)
  Msg length = 0x00bb (187)
  Message:
    XID 0x196c
    Flags 0x8180
      QR 1 (RESPONSE)
      OPCODE 0 (QUERY)
      AA 0
      TC 0
      RD 1
      RA 1
      Z 0
      CD 0
      AD 0
      RCODE 0 (NOERROR)
    QCOUNT 1
    ACOUNT 2
    NSCOUNT 0
    ARCOUNT 0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
      QTYPE A (1)
      QCLASS 1
    ANSWER SECTION:
    Offset = 0x004a, RR count = 0
      TYPE CNAME (5)
      CLASS 1
      TTL 241
      DLEN 85
      DATA
    Offset = 0x00ab, RR count = 1
      TYPE A (1)
      CLASS 1
      TTL 7
      DLEN 4
      DATA 20.80.38.248
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      Empty

======UF inputs.conf======
[monitor://c:\windows\system32\dns\dns.log]
disabled = 0
index = dns
sourcetype = windows:dns

======UF props.conf======
[windows:dns]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
EXTRACT-Domain = (?i) .*? \.(?P<Domain>[-a-zA-Z0-9@:%_\+.~#?;//=]{2,256}\.[a-z]{2,6})
EXTRACT-src=(?i) [Rcv|Snd] (?P<source_address>\d+\.\d+\.\d+\.\d+)
EXTRACT-Threat_ID,Context,Int_packet_ID,proto,mode,Xid,type,Opcode,Flags_Hex,char_code,ResponseCode,question_type = .+?[AM|PM]\s+(?<Threat_ID>\w+)\s+(?<Context>\w+)\s+(?<Int_packet_ID>\w+)\s+(?<proto>\w+)\s+(?<mode>\w+)\s+\d+\.\d+\.\d+\.\d+\s+(?<Xid>\w+)\s(?<type>(?:R)?)\s+(?<Opcode>\w+)\s+\[(?<Flags_Hex>\w+)\s(?<char_codes>.+?)(?<ResponseCode>[A-Z]+)\]\s+(?<question_type>\w+)\s
EXTRACT-Authoritative_Answer,TrunCation,Recursion_Desired,Recursion_Available = (?m) .+?Message:\W.+\W.+\W.+\W.+\W.+AA\s+(?<Authoritative_Answer>\d)\W.+TC\s+(?<TrunCation>\d)\W.+RD\s+(?<Recursion_Desired>\d)\W.+RA\s+(?<Recursion_Available>\d)
SEDCMD-win_dns = s/\(\d+\)/./g

======HF inputs.conf======
[splunktcp://:5143]
connection_host = x.x.x.x (masking IP)
index = dns
disabled = 0

======HF props.conf======
[windows:dns]
EXTRACT-Domain = (?i) .*? \.(?<Domain>[-a-zA-Z0-9@:%_\+.~#?;//=]{2,256}\.[a-z]{2,6})
EXTRACT-windows_dns_000001 = (?<thread_id>[0-9A-Fa-f]{4}) (?<Context>[^\s]+)\s+(?<internal_packet_id>[0-9A-Fa-f]+) (?<protocol>UDP|TCP) (?<direction_flag>Snd|Rcv) (?<client_ip>[0-9\.]+)\s+(?<xid>[0-9A-Fa-f]+) (?<type>[R\s]{1}) (?<opcode>[A-Z\?]{1}) \[(?<flags>[0-9A-Fa-f]+) (?<flagAuthoritativeAnswer>[A\s]{1})(?<flagTrucatedResponse>[T\s]{1})(?<flagRecursionDesire>[D\s]{1})(?<flagRecursionAvailable>[R\s]{1})\s+(?<response_code>[^\]]+)\]\s+(?<query_type>[^\s]+)\s+(?<query_name>[^/]+)
EXTRACT-windows_dns_000010 = ([a-zA-Z0-9\-\_]+)\([0-9]+\)(?<tld>[a-zA-Z0-9\-\_]+)\(0\)$
EXTRACT-windows_dns_000020 = \([0-9]+\)(?<domain>[a-zA-Z0-9\-\_]+\([0-9]+\)[a-zA-Z0-9\-\_]+)\(0\)$
EXTRACT-windows_dns_000030 = \s\([0-9]+\)(?<hostname>[a-zA-Z0-9\-\_]+)\(0\)$
EVAL-domain = replace(domain, "([\(0-9\)]+)", ".")
EVAL-query_domain = ltrim(replace(query_name, "(\([\d]+\))", "."),".")
EVAL-type_msg = case(type="R", "Response", isnull(type), "Query")
EVAL-opcode_msg = case(opcode="Q", "Standard Query", opcode="N", "Notify", opcode="U", "Update", opcode="?", "Unknown")
EVAL-direction = case(direction_flag="Snd", "Send", direction_flag="Rcv", "Received")
EVAL-decID = tonumber(xid, 16)
REPORT-win_dns = dns_string_lengths, dns_strings
REPORT-extractdoms = extractdoms
REPORT-extractips = extractips

======HF transforms.conf======
[dns_string_lengths]
REGEX = \((\d+)\)
FORMAT = strings_len::$1
MV_ADD = true
REPEAT_MATCH = true

[dns_strings]
REGEX = \([0-9]+\)([a-zA-Z0-9\-\_]+)\([0-9]+\)
FORMAT = strings::$1
MV_ADD = true
REPEAT_MATCH = true

[extractdoms]
SOURCE_KEY = query_domain
REGEX = Name\s+\"(?<NewDomain>[a-zA-Z0-9\[\]\(\)\-\.\_]+\"\n)
FORMAT = strings::$1
MV_ADD = true
REPEAT_MATCH = true

[extractips]
REGEX = DATA\s+(?<Answers>[0-9\.]+\n)
FORMAT = strings::$1
MV_ADD = true
REPEAT_MATCH = true
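An added example, not part of the post above and not Splunk's own code: a stand-alone Python parser for the Windows DNS Server debug-log record layout quoted in the post, written to check what the fields the poster wants (direction, remote address, the query name with its length-prefixed labels decoded, the response code, and the DATA values of the answer records) actually look like before encoding the same logic in props.conf. The field layout follows the two records in the post; the sample log at the bottom is constructed for the example, and the parser assumes a record starts at a header line (date, time, thread ID, PACKET, ...) and runs until the next header line.

```python
import re
from typing import Dict, List

# Header line of a Windows DNS Server debug-log packet record, per the post's
# samples. Whitespace is matched with \s+ because the real file pads the
# single-character type/flag columns with spaces.
HEADER_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<thread_id>[0-9A-Fa-f]+)\s+PACKET\s+(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>[0-9A-Fa-f.:]+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<type>R)?\s*(?P<opcode>[A-Z?])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?P<flag_chars>[ATDR]*)\s+(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")  # (length)label pairs of a wire-format name
ANSWER_RR_RE = re.compile(r"TYPE\s+(\w+)\s+\(\d+\).*?DATA\s+(\S+)", re.S)


def decode_name(raw: str) -> str:
    """'(3)www(7)example(3)com(0)' -> 'www.example.com'.

    Each length prefix is checked against the label that follows it; a
    mismatch means the line is truncated or malformed, not a real name.
    """
    labels = []
    for length, label in LABEL_RE.findall(raw):
        n = int(length)
        if n == 0:  # (0) is the root terminator
            break
        if len(label) != n:
            raise ValueError(f"label length mismatch in {raw!r}: ({n}){label}")
        labels.append(label)
    return ".".join(labels)


def parse_record(header: str, body: str) -> Dict:
    """Parse one record: the header line plus the indented lines under it."""
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError(f"not a packet header: {header!r}")
    f = m.groupdict()
    answers = []
    # Answer records sit between ANSWER SECTION: and AUTHORITY SECTION:
    section = re.search(r"ANSWER SECTION:(.*?)AUTHORITY SECTION:", body, re.S)
    if section:
        for rtype, data in ANSWER_RR_RE.findall(section.group(1)):
            # CNAME/NS/PTR targets are label-encoded like the question name
            answers.append((rtype, decode_name(data) if data.startswith("(") else data))
    return {
        "direction": "Send" if f["direction"] == "Snd" else "Received",
        "proto": f["proto"],
        "remote_ip": f["remote_ip"],
        "xid": int(f["xid"], 16),
        "is_response": f["type"] == "R",
        "opcode": f["opcode"],
        "flags_hex": f["flags_hex"],
        "flags": set(f["flag_chars"]),  # A=authoritative T=truncated D=RD R=RA
        "rcode": f["rcode"],
        "qtype": f["qtype"],
        "qname": decode_name(f["qname"]),
        "answers": answers,
    }


def parse_log(text: str) -> List[Dict]:
    """Split dns.log into records: header line up to the next header line."""
    records, header, body = [], None, []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if header is not None:
                records.append(parse_record(header, "\n".join(body)))
            header, body = line, []
        elif header is not None:
            body.append(line)
    if header is not None:
        records.append(parse_record(header, "\n".join(body)))
    return records


# Constructed sample (not real server output): one query, one response.
SAMPLE_LOG = """\
8/9/2021 7:19:32 AM 1750 PACKET 00000200616CA100 UDP Rcv ::1      1bf5   Q [0001   D   NOERROR] A      (27)vm3-proxy-pta-NCUS-CHI01P-2(9)connector(3)his(10)msappproxy(3)net(0)
UDP question info at 00000200616CA100
  Message:
    QUESTION SECTION:
      QTYPE  A (1)
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
8/9/2021 7:19:10 AM 1750 PACKET 000002006188FCC0 UDP Snd ::1      196c R Q [8081  DR  NOERROR] A      (27)vm3-proxy-pta-NCUS-CHI01P-2(9)connector(3)his(10)msappproxy(3)net(0)
UDP response info at 000002006188FCC0
  Message:
    ACOUNT    2
    ANSWER SECTION:
      TYPE   CNAME (5)
      TTL    241
      DATA   (4)host(7)example(3)com(0)
      TYPE   A (1)
      TTL    7
      DATA   20.80.38.248
    AUTHORITY SECTION:
      empty
"""

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["direction"], rec["remote_ip"], hex(rec["xid"]), rec["qname"], rec["rcode"], rec["answers"])
```

The length check in decode_name is the part worth carrying over to Splunk: a name whose prefix does not match its label is a truncated or spliced line, and a regex that just swaps `(\d+)` for `.` (as the SEDCMD in the post does) will silently turn that into a plausible-looking domain. Pairing a Rcv/Snd record by xid and remote address gives the query-to-answer join the post asks about.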
I created a search head and an indexer, and the search head is acting as the master license server. I added the tutorial data to the search head https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchTutorial/GetthetutorialdataintoSplunk . The indexer is associated with the master license server. On the search head I am getting the license error of 1 orphaned indexer reported by 1 indexer, and the message is "this slave indexed data/sourcetype(s) without a corresponding license pool"; the indexer is the master license server and the category is orphan_slave. I read in other answers related to this that the sourcetypes need to be in a license pool. I added the two hosts of the search head and indexer to the license pool via the specific indexers option; however, I am still getting the same error. Will this error go away or am I still in violation?
Hi All, Please help me to solve this.

desc="Trigger App : Search [Abc_[qwert] asd] number"

I want to fetch "[Abc_[qwert] asd]" from the above string. Thanks
Are the datasets that are included with Splunk Security Essentials updated dynamically or are they static? For example the ransomware_extensions_lookup.csv datasets.
I have an event that has field names as follows:

file_1_customer : 123456789
file_2_customer : 34569876893
file_3_customer : 87974849747
file_4_customer : 473257792237

In this I'm looking for only this value (87974849747), and this value is constant; it doesn't change. But the field name changes.

Example: Today the (87974849747) value comes in field file_3_customer, but tomorrow it may come in file_1_customer and the day after tomorrow it may come in file_4_customer. Every day the field name changes but not the value. The value is the same. How can I get only the field name and field value for (87974849747) with respect to these changes?
Hi, I am new to the Splunk environment. I am trying to extract ModifiedAccountName, ModifiedAccountDomain, ModifiedLogonID and ModifiedLogonType using the following regex:

Regex
^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$

where the raw log is:

SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=abc1.abc.aa.abc
TaskCategory=Logoff
OpCode=Info
RecordNumber=12232
Keywords=Audit Success
Message=An account was logged off.

Subject:
    Security ID: ABC\A12345F123$
    Account Name: A123B126$
    Account Domain: ABC
    Logon ID: 0xA01234C

Logon Type: 5

Getting error "Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?<name>...)." while executing the below Splunk search query:

index=*windows* |rex field=_raw "^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$"

Please advise. Thanks in advance.
Hi - I am trying to configure the authentication data model to include additional source data indexes. We want to include Duo logs in our dashboard in Splunk ES, but am unsure how to get the data model to recognize the new data.  The logs also appear to be in a different format, but I notice there's a method to "eval" the fields in the data model.  Can you please advise best practice for this?  Thanks.
Hi, I tried to find answers on the forum but I didn't find any working solutions.

I have two fields with "hour / minute / second" like:

TReceived > 17:13:10
TSent > 17:12:20

I'm trying to subtract TSent from TReceived and put it into a table. I did something like:

| eval start=strptime(TSent, "%H:%M:%S.%N"), end=strptime(TReceived, "%H:%M:%S.%N")
| eval difference=end-start
| table end,start,difference

As a result, I correctly have something in the "end" and "start" columns but "difference" stays empty. Am I missing something? Thanks.
Hi Expert, I am trying to configure transforms that have multiple conditions for match, with the following condition:

(word1 OR word2) AND word3 NOT ('phrase 4' OR 'phase 5')

and I tried the following config, but still no luck.

[source::.../input.log]
REGEX =^(?=.*(word1|word2))(?=.*word3)(?!.*(phrase 4|phrase 5)).*$
FORMAT = sourcetype::mytype
DEST_KEY = MetaData:Sourcetype

The regex may be wrong or there is another workaround to achieve this... Any comment and/or recommendation would be really appreciated.
Attempting to install VMRay 2.0 Phantom App but I'm getting "Phantom Version Dependency Check Failed" error message. Phantom is running on 4.8.24304, do I need to upgrade Phantom to 4.10.x or is there another way to install the app without upgrading the version of Phantom?
I want to run a base query where some fields have a value which is present in an inputlookup table.

For example, I have a csv file with the content:

type
1
2
3
.
.

and in my base search I have the fields: type1, type2

I tried this query but it is not working:

index="example" [|inputlookup myfile .csv |stats values(type) as types] |Where type1 in(types) OR type2 in(types) |table type1 type2

Thanks
Hi ALL,

I have the below data in a log. Type = success or error. Region names (IN, CN, EMEA, APAC)

Time       10 Aug                     9 Aug                      8 Aug
Region     Success  Failure  Total     Success  Failure  Total     Success  Failure  Total
CN         34       2        36        78       1        79        67       2        69
IN         65       1        66

I want to get the below format of table:

Region     10 Aug                     9 Aug                      8 Aug
           Success  Failure  Total     Success  Failure  Total     Success  Failure  Total
CN         34       2        36        78       1        79        67       2        69
IN         65       1        66

I am not able to get a format like this.
Not a question. I struggled with getting the regex syntax correct for a while to blacklist some noisy event code items and wanted to post my successful strings, just in case someone else searches and finds this useful.

blacklist1 = EventCode="4688" Message="New Process Name:\s+(?:[C-F]:\\(?:Program Files\\SplunkUniversalForwarder|Splunk)\\bin\\(?:splunk|splunkd|splunk-optimize|splunk-powershell|splunk-admon|splunk-netmon|splunk-MonitorNoHandle|python3|btool)\.exe)"

blacklist2 = EventCode="(4663|4660|4907)" Message="Process Name:\s+(?:[C-F]:\\(?:Program Files\\Microsoft Configuration Manager\\bin\\X64|Program Files \W\w{3}\W\\Symantec\\Symantec Endpoint Protection\\\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\\Bin64|Program Files\\SMS_CCM|Windows\\System32|Windows\\System32\\(?:inetsrv|wbem)|.WINDOWS.~BT\\Sources|Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_\w{16,20}\.+\d\.+\d{1,6}\.+\w{22,30})\\(?:smsexec|sitecomp|TiWorker|SetupHost|WmiPrvSE|w3wp|poqexec|CcmExec|ccSvcHst)\.exe)"

I'm a novice with regex so there might be some ways to clean this up and make it shorter, but it works. If anyone has simplification recommendations, feel free to share.
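An added example, not part of the post above: the two blacklist patterns run against constructed Security-log Message fragments in Python, with `re` standing in for Splunk's PCRE, so you can see which process-creation (4688) and object-access (4663/4660/4907) events they would drop before the rules go into inputs.conf. The point a reviewer of such a blacklist wants to confirm is that the exclusion is anchored to the expected install path and binary names, so a `splunkd.exe` or `WmiPrvSE.exe` launched from a user-writable directory is still forwarded. The example assumes each key's regex is applied as an unanchored search and that an event is dropped only when every key in the rule matches.

```python
import re
from typing import List, Tuple

# (EventCode regex, Message regex) pairs copied from blacklist1 / blacklist2.
RULES: List[Tuple] = [
    (re.compile(r"4688"),
     re.compile(r"New Process Name:\s+(?:[C-F]:\\(?:Program Files\\SplunkUniversalForwarder|Splunk)\\bin\\(?:splunk|splunkd|splunk-optimize|splunk-powershell|splunk-admon|splunk-netmon|splunk-MonitorNoHandle|python3|btool)\.exe)")),
    (re.compile(r"(4663|4660|4907)"),
     re.compile(r"Process Name:\s+(?:[C-F]:\\(?:Program Files\\Microsoft Configuration Manager\\bin\\X64|Program Files \W\w{3}\W\\Symantec\\Symantec Endpoint Protection\\\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\\Bin64|Program Files\\SMS_CCM|Windows\\System32|Windows\\System32\\(?:inetsrv|wbem)|.WINDOWS.~BT\\Sources|Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_\w{16,20}\.+\d\.+\d{1,6}\.+\w{22,30})\\(?:smsexec|sitecomp|TiWorker|SetupHost|WmiPrvSE|w3wp|poqexec|CcmExec|ccSvcHst)\.exe)")),
]


def is_blacklisted(event_code: str, message: str) -> bool:
    """True if some rule's EventCode and Message regexes both match.

    Assumption (not verified against Splunk source): both keys are applied
    as unanchored regex searches, and all keys of a rule must match.
    """
    return any(code.search(event_code) and msg.search(message)
               for code, msg in RULES)


# Constructed Message fragments (tab-separated as in the Security log),
# each with the outcome we expect from the rules above.
SAMPLES = [
    ("4688", "New Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", True),
    ("4688", "New Process Name:\tC:\\Users\\bob\\AppData\\Local\\Temp\\splunkd.exe", False),  # right name, wrong path
    ("4688", "New Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\cmd.exe", False),  # wrong binary
    ("4663", "Process Name:\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe", True),
    ("4663", "Process Name:\tC:\\Windows\\Temp\\WmiPrvSE.exe", False),  # WMI provider host outside System32
    ("4624", "Process Name:\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe", False),  # code not covered by either rule
]


def check_samples() -> List[bool]:
    """One entry per sample: does the rule set give the expected answer?"""
    return [is_blacklisted(code, msg) == expected for code, msg, expected in SAMPLES]


if __name__ == "__main__":
    for (code, msg, expected), ok in zip(SAMPLES, check_samples()):
        print("OK " if ok else "BAD", code, "dropped" if expected else "kept", msg)
```

Run it with any extra paths you care about (a renamed Splunk binary, a second install drive letter) before adding a pattern to the forwarder; a blacklist that drops more than intended is invisible in the index, so this is the only cheap place to catch it.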
I have a panel in which I want to apply 2 colors depending on the threshold, something like below. However, I don't want to show the HIGH and LOW values inside the cell. Below is the code piece that I've referred to:

<panel id="mon2">
  <title>QUALITY MATRIX</title>
  <html>
    <div>
      <div>
        <p id="m2">
          <div class="legend" style="float: down;height:30px;width:30px;border-radius:50%;background-color:#FF0000;display: inline-grid;margin-right:40px;font-weight: bolder;text-align: center">1</div>
        </p>
      </div>
    </div>
  </html>
  <table id="master">
    <search>
      <query>index=highjump sourcetype=dbconnectsql source=*MaterialMaster-TotalCount* earliest=@d latest=now()
| rex field=source "^(?P<site>[^\_]+)"
| search site="Allentown"
| dedup _time
| stats sum(TotalCount) as "Total Material extensions [Today]"
| appendcols [ search index=highjump sourcetype=dbconnectsql source=*MaterialMaster-ErrorCount* earliest=@d latest=now() | rex field=source "^(?P<site>[^\_]+)" | search site="Allentown" | dedup _time | stats sum(TotalCount) as "Unsuccessful Material Extensions [Today]" ]
| appendcols [ search index=highjump sourcetype=dbconnectsql source=*MaterialMaster-ErrorCount* earliest=-1y@y latest<@d | dedup _time | rex field=source "^(?P<site>[^\_]+)" | search site="Allentown" | stats sum(TotalCount) as "Unsuccessful Material Extensions [Backlog]" ]
| table "Total Material extensions [Today]", "Unsuccessful Material Extensions [Today]","Unsuccessful Material Extensions [Backlog]"
| appendpipe [ stats count | where count==0]
| fillnull value=0 "Unsuccessful Material Extensions [Today]"
| fillnull value=0 "Total Material extensions [Today]"
| fillnull value=0 "Unsuccessful Material Extensions [Backlog]"
| transpose
| rename "row 1" as "count"
| eval color =case(count>"0","HIGH",count="0","LOW")
| foreach column [ eval <<FIELD>>=mvappend('<<FIELD>>',color)]
| fields - color| fields - count</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <format type="color" field="column">
      <colorPalette type="expression">case (match(value,"LOW"),"#294E70",match(value,"HIGH"),"#D22B2B")</colorPalette>
    </format>
    <!-- <format type="color" field="count">
      <colorPalette type="expression">case (match(value,"LOW"),"#294E70",match(value,"HIGH"),"#D22B2B")</colorPalette>
    </format>-->
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
  <html>
    <style>
      #mon2{
        width: 25% !important;
        align: center !important;
        text-align: left !important;
        padding: 0px !important;
        margin: 0px 0px 0px 0px !important;
      }
      #master .table th, .table td {
        text-align: left !important;
        <!--font-weight: bold !important;-->
        font-size:800% !important;
        color: #FFFFFF !important;
        <!--background-color: #48AAAD !important;-->
        font-family: Arial, Helvetica, sans-serif;
        font-variant: normal;
        font-stretch: expanded;
      }
    </style>
  </html>
</panel>