All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.


I have an event that has field names as follows: file_1_customer : 123456789  file_2_customer : 34569876893 file_3_customer : 87974849747 file_4_customer : 473257792237. In this I'm looking for only this value (87974849747), and this value is constant; it doesn't change. But the field name changes. Example: today the (87974849747) value comes in field file_3_customer, but tomorrow it may come in file_1_customer and the day after tomorrow it may come in file_4_customer. Every day the field name changes but not the value. The value is the same. How can I get only the field name and field value for (87974849747), whichever field it appears in?
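One way to do this, as an added example that is not part of the post above: pull every `file_N_customer : value` pair out of the raw text into two aligned multivalue fields, then use mvfind to locate the index of the constant value and mvindex to read the field name at that same index. The event is constructed with makeresults from the values in the question; on real data replace the first two lines with the base search.

```spl
| makeresults
| eval _raw="file_1_customer : 123456789  file_2_customer : 34569876893 file_3_customer : 87974849747 file_4_customer : 473257792237"
| rex field=_raw max_match=0 "(?<field_name>file_\d+_customer)\s*:\s*(?<field_value>\d+)"
| eval idx=mvfind(field_value, "^87974849747$")
| eval matched_field=if(isnotnull(idx), mvindex(field_name, idx), null()),
       matched_value=if(isnotnull(idx), mvindex(field_value, idx), null())
| table _time matched_field matched_value
```

The anchored pattern `^87974849747$` matters: an unanchored mvfind would also hit a longer number that merely contains the digits. If the fields are already extracted at search time rather than sitting in _raw, the same result comes from `| foreach file_*_customer [ eval matched_field=if('<<FIELD>>'="87974849747", "<<FIELD>>", matched_field) ]`, where `'<<FIELD>>'` is the value and `"<<FIELD>>"` the name.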
Hi, I am new to the Splunk environment. I am trying to extract ModifiedAccountName, ModifiedAccountDomain, ModifiedLogonID and ModifiedLogonType using the following regex: ^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$ where the raw log is: SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=abc1.abc.aa.abc TaskCategory=Logoff OpCode=Info RecordNumber=12232 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ABC\A12345F123$ Account Name: A123B126$ Account Domain: ABC Logon ID: 0xA01234C Logon Type: 5. I am getting the error "Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?<name>...)." while executing the Splunk search query below: index=*windows* |rex field=_raw "^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$" Please advise. Thanks in advance.
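The following is an added example, not code from the post, showing a rex for the same four fields that can be tested in isolation. The raw event from the question is rebuilt with makeresults (the single backslash in the Security ID is written as `\\` because eval strings escape backslashes); the regex uses lazy `.*?` between the labels, `\S+` for the account name so that both user and computer accounts (the ones ending in `$`) are captured, and constrains the Logon ID to a hex literal. The `is_computer_account` column is an added convenience for triage, since 4634 logoffs for machine accounts are usually noise while human-account logoffs with Logon Type 10 or 2 are worth correlating.

```spl
| makeresults
| eval _raw="SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=abc1.abc.aa.abc TaskCategory=Logoff OpCode=Info RecordNumber=12232 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ABC\\A12345F123$ Account Name: A123B126$ Account Domain: ABC Logon ID: 0xA01234C Logon Type: 5"
| rex field=_raw "(?ms)EventCode=4634\s.*?Account\sName:\s+(?<ModifiedAccountName>\S+)\s+Account\sDomain:\s+(?<ModifiedAccountDomain>\S+)\s+Logon\sID:\s+(?<ModifiedLogonID>0x[0-9A-Fa-f]+)\s+Logon\sType:\s+(?<ModifiedLogonType>\d+)"
| eval is_computer_account=if(like(ModifiedAccountName, "%$"), "yes", "no")
| table ModifiedAccountName ModifiedAccountDomain ModifiedLogonID ModifiedLogonType is_computer_account
```

Expected row: A123B126$, ABC, 0xA01234C, 5, yes. Once the pattern extracts correctly here, swap the makeresults lines for `index=*windows* EventCode=4634`. Keep the `(?ms)` flag: real Windows events carry the Message block over several lines, and without it `.*?` stops at the first newline.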
Hi - I am trying to configure the authentication data model to include additional source data indexes. We want to include Duo logs in our dashboard in Splunk ES, but am unsure how to get the data model to recognize the new data.  The logs also appear to be in a different format, but I notice there's a method to "eval" the fields in the data model.  Can you please advise best practice for this?  Thanks.
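An added example, not from the post, of the kind of eval normalization the Authentication data model needs before it will accept a new source. The JSON event is constructed to resemble a Duo authentication log and the source field names (`user.name`, `result`, `reason`, `factor`, `access_device.ip`, `application.name`) and result values are assumptions to be checked against the actual Duo data in the index; the target names on the left of each eval (`user`, `src`, `app`, `action`, `signature`, `authentication_method`) are the CIM Authentication fields, and `action` must end up as `success` or `failure` for the model's Successful/Failed datasets to populate.

```spl
| makeresults
| eval _raw="{\"user\":{\"name\":\"jdoe\"},\"result\":\"denied\",\"reason\":\"user_marked_fraud\",\"factor\":\"duo_push\",\"access_device\":{\"ip\":\"203.0.113.10\"},\"application\":{\"name\":\"Corp VPN\"}}"
| spath
| eval user='user.name',
       src='access_device.ip',
       app='application.name',
       action=case(result="success", "success",
                   result="denied" OR result="failure" OR result="fraud", "failure",
                   true(), "unknown"),
       signature=reason,
       authentication_method=factor
| table _time user src app action signature authentication_method
```

Once the mappings are confirmed in search, move each `eval` into the Duo sourcetype's props.conf as `EVAL-action`, `EVAL-user`, and so on, create an eventtype for the sourcetype, and tag it `authentication`; the data model's root constraint is `tag=authentication`, so untagged events never enter it regardless of how well the fields are named. Rows that fall into the `unknown` branch are the ones to audit, since a silently mis-mapped result value would hide failed MFA pushes from the ES dashboards.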
Hi, I tried to find answers on the forum but I didn't find any working solutions. I have two fields with "hour / minute / second" like: TReceived > 17:13:10 TSent > 17:12:20. I'm trying to subtract TSent from TReceived and put it into a table. I did something like: | eval start=strptime(TSent, "%H:%M:%S.%N"), end=strptime(TReceived, "%H:%M:%S.%N") | eval difference=end-start |table end,start,difference   As a result, I correctly have something in the "end" and "start" columns but "difference" stays empty. Am I missing something? Thanks.
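An added example (not code from the post) that computes the difference with a format string matching the values exactly. The two timestamps are constructed from the question; strptime returns null when the format does not match the input, and null minus null is null, so `%H:%M:%S` is used for values without fractional seconds. The midnight wrap is handled too: a TReceived just after 00:00 for a TSent just before it gives a negative difference, which is corrected by adding one day.

```spl
| makeresults
| eval TSent="17:12:20", TReceived="17:13:10"
| eval start=strptime(TSent, "%H:%M:%S"),
       end=strptime(TReceived, "%H:%M:%S")
| eval difference=end-start
| eval difference=if(difference<0, difference+86400, difference)
| eval difference_hms=tostring(difference, "duration")
| table TSent TReceived start end difference difference_hms
```

Expected: difference=50 and difference_hms=00:00:50. If the source sometimes carries fractional seconds and sometimes does not, wrap the two attempts as `coalesce(strptime(TSent, "%H:%M:%S.%N"), strptime(TSent, "%H:%M:%S"))` so that neither shape yields a null.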
Hi Expert, I am trying to configure a transforms stanza that has multiple conditions for the match, with the following condition:     (word1 OR word2) AND word3 NOT ('phrase 4' OR 'phase 5')     and I tried the following config, but still no luck.     [source::.../input.log] REGEX =^(?=.*(word1|word2))(?=.*word3)(?!.*(phrase 4|phrase 5)).*$ FORMAT = sourcetype::mytype DEST_KEY = MetaData:Sourcetype     The regex may be wrong or there is another workaround to achieve this... Any comment and/or recommendation would be really appreciated.
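Before wiring a routing regex into transforms.conf it is worth running it through the `regex` command against a handful of constructed lines, so that the lookahead logic can be checked without restarting the indexer. This is an added example rather than the poster's own test; the five sample lines are made up to cover each branch of the condition.

```spl
| makeresults count=5
| streamstats count AS n
| eval _raw=case(n=1, "word1 then word3 later",
                 n=2, "word2 and word3 but phrase 4 present",
                 n=3, "word3 without either keyword",
                 n=4, "word2 word3 and phase 5",
                 n=5, "word1 word3 clean")
| regex _raw="^(?=.*(?:word1|word2))(?=.*word3)(?!.*(?:phrase 4|phrase 5)).*$"
| table n _raw
```

Lines 1, 4 and 5 survive. Line 4 is the instructive one: the condition in the question says 'phase 5' while the regex says 'phrase 5', so a line containing "phase 5" is still routed. Two further caveats for the transforms version: the REGEX there runs against the whole raw event, and `.` does not cross newlines unless the pattern starts with `(?s)`, so a keyword on a second line of a multi-line event would not be seen by the lookaheads; and `[source::.../input.log]` must match the full monitored path, not just the file name.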
Attempting to install VMRay 2.0 Phantom App but I'm getting "Phantom Version Dependency Check Failed" error message. Phantom is running on 4.8.24304, do I need to upgrade Phantom to 4.10.x or is there another way to install the app without upgrading the version of Phantom?
I want to run a base query where some fields have a value which is present in an inputlookup table. For example, I have a csv file with the content: type 1 2 3 . . and in my base search I have the fields type1, type2. I tried this query but it is not working: index="example" [|inputlookup myfile.csv |stats values(type) as types] |Where type1 in(types) OR type2 in(types) |table type1 type2    Thanks
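An added example, not taken from the post, of the subsearch form that works here. A subsearch that returns a single column named after the field you want to filter on is turned into `(type1="1" OR type1="2" OR ...)` automatically, so renaming the lookup's `type` column to each target field gives two such clauses; `in(types)` cannot be used that way because `types` becomes a literal string in the outer search. It assumes the lookup `myfile.csv` from the question exists with a `type` column.

```spl
index="example"
    (
      [ | inputlookup myfile.csv | rename type AS type1 | fields type1 ]
      OR
      [ | inputlookup myfile.csv | rename type AS type2 | fields type2 ]
    )
| table type1 type2
```

The parentheses around the two subsearches matter because OR binds tighter than the implicit AND with `index="example"`. For lookups larger than the subsearch result limit, filter after the fact instead: `| lookup myfile.csv type AS type1 OUTPUT type AS type1_match | lookup myfile.csv type AS type2 OUTPUT type AS type2_match | where isnotnull(type1_match) OR isnotnull(type2_match)`, at the cost of reading every event in the index first.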
Hi ALL, I have the below data in a log. Type = success or error. Region names (In, CN, EMEA, APAC).

Time     10 Aug                     9 Aug                      8 Aug
Region   Success  Failure  Total    Success  Failure  Total    Success  Failure  Total
CN       34       2        36       78       1        79       67       2        69
IN       65       1        66

I want to get the below format of table:

Region   10 Aug                     9 Aug                      8 Aug
         Success  Failure  Total    Success  Failure  Total    Success  Failure  Total
CN       34       2        36       78       1        79       67       2        69
IN       65       1        66

I am not able to get a format like this.
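The following is an added example, not from the post, producing a per-region row with one Success/Failure/Total triple per day. The approach is to aggregate by Region and day, unpivot the three counts into `day metric=value` strings, and let xyseries spread them back out as columns. The event set is constructed with makeresults (a few CN and IN rows); on real data replace the first five lines with the base search plus `| eval day=strftime(_time, "%d %b")`.

```spl
| makeresults
| eval rows="CN,success,08 Aug;CN,error,08 Aug;CN,success,09 Aug;CN,success,10 Aug;IN,success,10 Aug;IN,error,10 Aug"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<Region>[^,]+),(?<Type>[^,]+),(?<day>.+)$"
| stats count(eval(Type="success")) AS Success count(eval(Type="error")) AS Failure count AS Total BY Region day
| eval cell=mvappend(day." Success=".Success, day." Failure=".Failure, day." Total=".Total)
| fields Region cell
| mvexpand cell
| rex field=cell "^(?<col>.+)=(?<val>\d+)$"
| xyseries Region col val
```

The result has columns such as `08 Aug Failure`, `08 Aug Success`, `08 Aug Total`, `09 Aug Success`, and so on, with blanks where a region had no events on a day. xyseries orders columns alphabetically, which is why the day is zero-padded (`%d`); if the exact Success/Failure/Total ordering within each day is required, finish with a `| table Region "10 Aug Success" "10 Aug Failure" ...` listing the columns in the order wanted.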
Not a question. I struggled for a while with getting the regex syntax correct to blacklist some noisy event code items and wanted to post my successful strings, just in case someone else searches and finds this useful.  blacklist1 = EventCode="4688" Message="New Process Name:\s+(?:[C-F]:\\(?:Program Files\\SplunkUniversalForwarder|Splunk)\\bin\\(?:splunk|splunkd|splunk-optimize|splunk-powershell|splunk-admon|splunk-netmon|splunk-MonitorNoHandle|python3|btool)\.exe) blacklist2 = EventCode="(4663|4660|4907)" Message="Process Name:\s+(?:[C-F]:\\(?:Program Files\\Microsoft Configuration Manager\\bin\\X64|Program Files \W\w{3}\W\\Symantec\\Symantec Endpoint Protection\\\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\\Bin64|Program Files\\SMS_CCM|Windows\\System32|Windows\\System32\\(?:inetsrv|wbem)|.WINDOWS.~BT\\Sources|Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_\w{16,20}\.+\d\.+\d{1,6}\.+\w{22,30})\\(?:smsexec|sitecomp|TiWorker|SetupHost|WmiPrvSE|w3wp|poqexec|CcmExec|ccSvcHst)\.exe) I'm a novice with regex so there might be some ways to clean this up and make it shorter, but it works. If anyone has simplification recommendations, feel free to share.
I have a panel in which I want to apply 2 colors depending on the threshold, something like below. However, I don't want to show the HIGH and LOW values inside the cell. Below is the code piece that I've referred to: <panel id="mon2"> <title>QUALITY MATRIX</title> <html> <div> <div> <p id="m2"> <div class="legend" style="float: down;height:30px;width:30px;border-radius:50%;background-color:#FF0000;display: inline-grid;margin-right:40px;font-weight: bolder;text-align: center">1</div> </p> </div> </div> </html> <table id="master"> <search> <query>index=highjump sourcetype=dbconnectsql source=*MaterialMaster-TotalCount* earliest=@d latest=now() | rex field=source "^(?P<site>[^\_]+)" | search site="Allentown" | dedup _time | stats sum(TotalCount) as "Total Material extensions [Today]" | appendcols [ search index=highjump sourcetype=dbconnectsql source=*MaterialMaster-ErrorCount* earliest=@d latest=now() | rex field=source "^(?P<site>[^\_]+)" | search site="Allentown" | dedup _time | stats sum(TotalCount) as "Unsuccessful Material Extensions [Today]" ] | appendcols [ search index=highjump sourcetype=dbconnectsql source=*MaterialMaster-ErrorCount* earliest=-1y@y latest<@d | dedup _time | rex field=source "^(?P<site>[^\_]+)" | search site="Allentown" | stats sum(TotalCount) as "Unsuccessful Material Extensions [Backlog]" ] | table "Total Material extensions [Today]", "Unsuccessful Material Extensions [Today]","Unsuccessful Material Extensions [Backlog]" | appendpipe [ stats count | where count==0] | fillnull value=0 "Unsuccessful Material Extensions [Today]" | fillnull value=0 "Total Material extensions [Today]" | fillnull value=0 "Unsuccessful Material Extensions [Backlog]" | transpose | rename "row 1" as "count" | eval color =case(count>"0","HIGH",count="0","LOW") | foreach column [ eval <<FIELD>>=mvappend('<<FIELD>>',color)] | fields - color| fields - count </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <format type="color" field="column"> <colorPalette type="expression">case (match(value,"LOW"),"#294E70",match(value,"HIGH"),"#D22B2B")</colorPalette> </format> <!-- <format type="color" field="count"> <colorPalette type="expression">case (match(value,"LOW"),"#294E70",match(value,"HIGH"),"#D22B2B")</colorPalette> </format>--> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> <html> <style> #mon2{ width: 25% !important; align: center !important; text-align: left !important; padding: 0px !important; margin: 0px 0px 0px 0px !important; } #master .table th, .table td { text-align: left !important; <!--font-weight: bold !important;--> font-size:800% !important; color: #FFFFFF !important; <!--background-color: #48AAAD !important;--> font-family: Arial, Helvetica, sans-serif; font-variant: normal; font-stretch: expanded; } </style> </html> </panel>
Hi Team, we have one field as Customer=ABC DEF, with one space in between, where if I am giving any search such as Customer = *DEF* then it's not giving any value.
In DB Connect we have situations where we don’t have a rising column. What can we do in such cases?
Hi Team, we have been using the Splunk Add-on for Salesforce plugin to ingest Salesforce logs into Splunk. For 3 months we were able to add inputs and see the logs, but recently, when we try to open the Splunk Add-on for Salesforce, we see the screen below. If anyone has faced this issue, please let us know the root cause and its solution. Attached is the screenshot.
Hi Team, I have a field named uri, which has values like this: /dev/{AccountNumber}/accountDetail /uat/{ContentID}/content   I want to extract one column, 'uriwithregex', so that I can use it later. The value of uriwithregex will be like /dev/*/accountDetail /uat/*/content. So basically I want to replace the string with * (including the curly brackets). Could someone please help?
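An added example, not from the post, using eval's replace() with a regex that swallows a brace-delimited placeholder. The three sample uri values are constructed (the third has no placeholder, to show the replacement is a no-op there), and the trailing stats shows the usual reason for wanting the normalized form: counting hits per route template rather than per concrete path.

```spl
| makeresults count=3
| streamstats count AS n
| eval uri=case(n=1, "/dev/{AccountNumber}/accountDetail",
                n=2, "/uat/{ContentID}/content",
                n=3, "/prod/static/logo.png")
| eval uriwithregex=replace(uri, "\{[^}]+\}", "*")
| stats count BY uri uriwithregex
```

Expected uriwithregex values: /dev/*/accountDetail, /uat/*/content, /prod/static/logo.png. Because `[^}]+` stops at the first closing brace, a path with several placeholders (`/a/{x}/b/{y}`) is handled correctly too, each one becoming its own `*`. If the resulting value is later fed back into a search as a wildcard, remember that `*` in Splunk search matches across `/` as well, so `/dev/*/accountDetail` also matches deeper paths.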
I have two result sets of server lists, one for the last 30 days and one for the last 12 hours. I want to compare them and find out which servers are not reporting in the 12-hour list. What can the query for this be? I'm a little new to Splunk.
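An added example, not from the post, that does the comparison in one pass instead of joining two lists: take the last time each host was seen over the 30-day window and keep only those whose last event is older than 12 hours. It uses tstats so that only index metadata is read rather than every raw event; `index=*` is an assumption and should be narrowed to the indexes the servers actually report to.

```spl
| tstats max(_time) AS last_seen count AS events_30d WHERE index=* earliest=-30d@d latest=now BY host
| eval hours_silent=round((now()-last_seen)/3600, 1)
| where last_seen < relative_time(now(), "-12h")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - hours_silent
| table host last_seen hours_silent events_30d
```

A host that appears here with a healthy `events_30d` and a sudden silence deserves the same attention as an alert: a stopped forwarder, a full disk, or someone disabling logging before doing something they would rather not have recorded all look identical from this table. Scheduling it as an alert with `| where hours_silent > 12` is the usual follow-up; for hosts that legitimately report only occasionally, keep an expected-hosts lookup and compare against it instead of the 30-day window.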
I want to install the Office 365 add-on in a distributed architecture with an indexer cluster and a single search head. Where should this module be installed (is it on the cluster master, on the indexers, or on the search head)? Thank you.
I am using syslog-ng, and syslog is configured to create a new file every minute with the below:   destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};   It looks like the files being created are large files. Is there an option to create the files every 30 seconds, for example? I didn't find whether it is possible to set   destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $SEC 30).log");};   OR   destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 0.5).log");};
Dear community, when using a colorPalette expression on a statistics table the following code works: <format type="color" field="myField"> <colorPalette type="expression">if (value == "DEBUG", "#f54242","#65A637") </colorPalette> </format> #F54242 = RED #65A637 = GREEN Because the data in myField is not exactly "DEBUG", the table columns are all green. So in order to make the columns with "DEBUG" red and the rest green, I tried the following piece of code: <format type="color" field="myField"> <colorPalette type="expression">if (like(value,"%DEBUG%", "#f54242","#65A637") </colorPalette> </format>   This piece of code is not working at all. I am trying to use the wildcard to find any occurrence of "DEBUG" inside myField. Not only are the fields not red, they are not even green, making me think my code is incorrect. What am I doing wrong? Thanks.
Hi fellow Splunkers, I have some questions regarding using custom fields in the Splunk Add-on for ServiceNow. When I try to set an alert to resolved (state 6) I seem to be unable to set the resolution information or resolution notes; instead I now place it as a comment. Did someone here manage to arrange this? Upon creating a ticket in SNOW I can set the "short_description" field but I seem to be unable to set the "description" field. As in, we can set the description field in Splunk but the content won't be shown in SNOW, also when I set it as a custom field. Perhaps some mapping/configuration on the SNOW side is needed here, but there is no documentation about what needs to be done on the SNOW side. So I guess my questions are related to how to make custom fields work on both the Splunk and SNOW side, as I'm missing some documentation and need some guidance! It would be much appreciated if someone can help out!
Dear Community, I need help with the creation of a dashboard where: I have 1 row; I have 3 panels; I want 2 panels stacked on top of each other on the left; I want 1 panel in full height on the right. I have searched different topics on the community but most of those only provide results without context, and when I don't get them to work, I don't know what to do. This is what I managed to create so far, using the following source code: <dashboard> <label>Stack 2 left, 1 right</label> <row> <panel id="topleft"> <title></title> <html> <style> #topleft{ width:15% !important; float: left; } #bottomleft{ width:15% !important; clear: left; float: left; } #right{ width:85% !important; overflow: hidden; } </style> </html> <table> <search> <query>SomeQueryThatReturnsNothing</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> </table> </panel> <panel id="bottomleft"> <title></title> <chart> <search> <query>SomeQueryThatReturnsNothing</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="refresh.display">progressbar</option> </chart> </panel> <panel id="right"> <title></title> <table> <search> <query>SomeQueryThatReturnsNothing</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </dashboard>   What I would like to achieve is: the panel with id="right" to be full height, so that I have 2 small panels stacked on each other on the left and one big panel on the right that fully populates the screen. I have tried playing with height but it doesn't seem to affect the panel in any way. Could anyone help me out with this issue? Thanks in advance.