Hi all. Is there a way to keep the in-chart zoom & pan option button visible even on zero zoom selection?
Hello, I have the below tstats command, which is checking the specific index population with events per day:

| tstats count WHERE (index=_internal AND sourcetype=splunkd) OR (index=B) by host,sourcetype,index,_time span=1d

I would like to modify it to run the search only on hosts which are in the lookup list servers.csv. Can you please help me with the modification?
After searching various posts around HTTP status codes, I ended up posting a new question. I would like to create an alert if failures are 5% of total traffic. My criterion for failure is anything that doesn't match HTTP status code 200, 400, 401, 403. Thanks in advance, Pathik
Hello all, I have a dashboard and the source is JSON files:

{ "ID": "123", "TIME": "Jul 11, 2021, 08:55:54 AM", "STATUS": "FAIL", "DURATION": "4 hours, 32 minutes" }

I have many tasks with an ID, and each task has JSON files. I want to plot a graph of MTTR (taken from each failed task to the next successful task) for these tasks. Previously I was collecting data separately for the MTTR and the graph was plotted directly from it. But now I have to calculate MTTR from the above JSON files (failed to passed task) and later I want to plot a graph of it. I tried writing a query for it but it's not working:

source="*cc_as_sw_cx_kpi_GEEA_iB2_PSW_Int_csw_build_beta2_*" index="testing" sourcetype="_json" | transaction STATUS startswith="Status=FAIL" endswith="Status=SUCCESS" | stats avg(Duration) as avg_duration by STATUS | eval MTTR=tostring(avg_duration,"Duration") | timechart dc(MTTR)

I know this is not the proper query for it. Can anyone please help me with this? I have been trying this for a few days and this was all I got. Thanks in advance.
Hi, can someone help me with how we can create the attached dashboard? I do know we have to use the geostats command, but how can we utilize it in the use cases created? How can we get the longitude and latitude values from the use cases? Can someone help with the query?
Hi, I have installed the MS Teams Add-on version 1.1.2. I tested that the channel works and allowed access through the firewall etc. This will just be used for alerting in Splunk. We have a proxy that needs to be added to the config for this to work. Linux search head. My question is, where do you actually enter the proxy details for the app? Thanks
Hi Splunkers, I'm quite new to Splunk. Can you please help me out with this search? I have a table of the antivirus database version of each server:

Server | database version
A      | 5
B      | 4
C      | 4
D      | 3
E      | 5

Assume that A is my main server and the rest download from A. So I want to compare the database version of the rest with A and display only the servers whose version is less than A's, so the expected result will be:

Server | database version
B      | 4
C      | 4
D      | 3
Hi everyone, I got lots of the below rows after the search:

........
2002-02-22 17:32:15.592 somedatainformation ==> ASH.cctv.mary.CREDITCHECK.103294384.0000
2002-02-22 13:32:15.592 somedatainformation ==> ASH.cctv.mary.CREDITCHECK.103294384.0000
2002-02-22 13:30:15.222 somedatainformation ==> ASH.cctv.mary.CREDITCHECK.103292222.0002
......

How can I just get the string after the "==>", like "ASH.cctv.mary.CREDITCHECK.103294384.0000", and remove the duplicated values? Thanks
After integrating with ISE 2.4 successfully, I tested the quarantine action for a device; Phantom shows it has been quarantined. However, I cannot find any changes on ISE. ERS R/W has been enabled. Should the client MAC be in the list of ANC quarantine? How can I do further troubleshooting?
When the original syslog was forwarded to Phantom, some key fields (like srcIP/dstIP) were missing from the artifact. These key fields were in raw_data if we search the artifact in Splunk. Can Phantom identify/parse these fields and add them to the artifact automatically?
Hi team, could you please throw some light here? We are receiving the error "Schema validation failed, unexpected property truncate" while editing the HEC token to change the existing sourcetype to a new one. Appreciate any help here. TIA
Hi, so I am trying to record the earliest connection for IP addresses and the latest connection for IP addresses; however, when trying to use both the earliest(_time) and latest(_time) functions, it seems that my latest(_time) is overwriting my earliest(_time) value. Any reason why this is happening, and a potential fix? My code is as follows:

| datamodel Network_Traffic All_Traffic search
| search All_Traffic.src_ip="172.18.*" OR All_Traffic.src_ip="172.19.*" OR All_Traffic.src_ip="172.20.*"
| dedup All_Traffic.src_ip
| eventstats earliest(_time) AS Earliest, latest(_time) as Latest by All_Traffic.src_ip
| eval Earliest = strftime(Earliest,"%m/%d/%Y:%H:%M:%S")
| eval Latest = strftime(Latest, "%m/%d/%Y:%H:%M:%S")
| table All_Traffic.src_ip Earliest Latest
In a single value element, the text size is always adjusted dynamically to the element's height. E.g., if you use the mouse to increase the single value element's height, the text becomes larger. However, once you add the attribute version="1.1" to the topmost dashboard or form element, the text size is fixed and does not adjust to changing heights any more.

Reproduction:
1. In Splunk's web UI, create a new "classic" dashboard.
2. Add a single value visualization with the following search: index=_internal | timechart count
3. Use the mouse to make the panel higher.
4. Notice how the single value element's font size adjusted to the higher panel (it increased dynamically).
5. Save the dashboard.
6. Edit the dashboard's source: change <dashboard> to <dashboard version="1.1">.
7. Save the dashboard.
8. Refresh the page (press F5).
9. The single value element's font size is now smaller and it does not adjust to changed heights.
10. Revert the changes in the source, save the dashboard, and refresh the page.
11. The font size is adjusted correctly again.

A screen recording is available here: https://www.youtube.com/watch?v=M_btqoyDg2I

My test environment: Splunk Enterprise 8.2.1, Chrome 92

Update 2021-09-23: Still unfixed in Splunk Enterprise 8.2.2.1.
Hi, is it possible to index the event only once? Thank you in advance.
I am extracting a list of free-text strings from _raw and creating a new field. The list of terms comes from user input, on the search input of a dashboard. I can't seem to find how to place the token/variable in the regex... probably something easy I'm missing.

$token$="test|google|domain|badguy" (formatted this way so the regex can see it as an OR-separated list)

rex field=_raw "(?<extractedfieldname>$token$)" (does not work)

Is there a way to do this? If not a token option, can I:

eval tokenname=$token$
rex field=_raw "(?<extractedfieldname>'tokenname')" (does not work)

After the token/variable is placed correctly, this is the search format I'm looking for:

rex field=_raw "(?<extractedfieldname>test|google|domain|badguy)" (this does work)

Thanks for any help!
We are running a study on routing logs from an e-mail security product we use to the SIEM environment. In this context, we carried out tests using free or community versions of different SIEM products. The logs transmitted to Splunk were sent encrypted with TLS, as they were transmitted to the other products. However, the logs we see on Splunk cannot be decrypted and come in as below. Example output:

\x00 \x00 \xFC m\xDF qs\x81\xF2^8g&&\xB3B\xDF\xF9\xD5

I checked the config files in Splunk and it already supported TLS. How can I fix this issue?
I am getting multiples of the same errors, plus the same saved searches that are skipped. So I cannot find exactly how many times an app may have been installed without using the "upgrade" option. Please advise. Thank you very much in advance.
I know saved searches depend on KV stores, and KV stores are updated once a day. In order to sync the timing of when saved searches run and when KV stores update, how do I look up the timing of KV store updates? Any SPL, or using the GUI?
Hello! Sample data:

Vehicle | Hour of Day | count | delta(count)
car1    | 11          | 5     | --
car1    | 12          | 0     | -5
car1    | 13          | 3     | 3
car2    | 11          | 9     | 6
car2    | 12          | 5     | -4
car3    | 11          | 5     | 0
car3    | 12          | 5     | 0
car3    | 13          | 0     | -5
car3    | 14          | 2     | 2

Please notice how delta(count) is calculated even going from a row that says car1 to car2, or car2 to car3. I want to alert when delta(count) is greater than 5, but only if this delta is calculated going from a car2 row to a similar next row that is also for car2. That is, if the row switches from car1 to car2 and the delta is greater than 5 (like in the table, where the delta is 6), I want to ignore this change and only show rows with deltas greater than 5 that were calculated for the same car, and not between different cars. Is there a way to do this? I tried using streamstats/eventstats with the last() function, but I'm not sure that I am using it correctly. For the end product, I need an alert that will fire when a car has an increase in its count of more than 5. Thank you so much for any help!!!
Hi, I want to monitor the subnet 172.30.0.0/24 through Splunk: which IP addresses are used and which are not. Whenever a new IP address comes live or is assigned to any host, a new alert should be raised. Thanks