All Topics

Hi guys, I am new to Splunk. I have a table as below and set up the drilldown from the table to a search with a customised string. As expected, the earliest date picks the exact date of the row, but latest is not captured and becomes today's date. Can anyone help on this one please?

Result:

_time       P01  P02  P03  P04
2021-08-29  2    4    3    0
2021-09-03  4    0    1    3

Source of my drilldown:

<drilldown>
  <set token="form.host1">"$click.name2$"</set>
  <eval token="earliest">strftime($click.value$, "%Y/%m/%d %T")</eval>
  <eval token="latest">strptime($row._time$,"%Y-%m-%d %H:%M:%S") + $row._span$</eval>
  <link target="_blank">search?q=index=prod_s3%20%20host=p01%20OR%20host=p02%20OR%20host=p03%20OR%20host=p04%20 sourcetype=%22WinEventLog:System%22%20EventCode=%2219%22%20%0D%0A%7Csearch%20host%20=%20$form.host1$%0D%0A%7Crex%20field=_raw%20%22.*%5C((%3F%3CKB%3E%5Cw*) %5C)%22%0D%0A%7Ceval%20t=strftime(_time,%20%22%25Y/%25m/%25d%20%25T%22)%0D%0A%7Cbin%20_time%20span=1d%0D%0A%7Ctable%20_time%20host%20ComputerName%20KB&amp; earliest=$click.value$&amp;latest=$latest$</link>
</drilldown>

If I use <condition field="_time">, then earliest and latest capture the row time nicely, but the customised search string does not come up.
Hi, Can someone please share the link to the sample questions and test blueprint for the splunk certification exams.
Hi, as you can see I use a base search in order to display two single panels, one on the last 24 h and one on the last 7 days, so for the second panel I need to put the time range on the last 7 days. I have done this but it doesn't work:

<earliest>-7d@d</earliest>
<latest>now</latest>

<row>
  <panel>
    <title>Incidents ouverts</title>
    <single>
      <title>Intervalle de remps : 24 dernières heures</title>
      <search id="countsite">
        <query>`index_mes` sourcetype=sig sig_app="$site$" | stats dc(sig_id)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="height">200</option>
      <option name="rangeColors">["0x53a051","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="rangeValues">[0,5,10]</option>
      <option name="refresh.display">progressbar</option>
      <option name="useColors">1</option>
    </single>
  </panel>
  <panel>
    <title>Incidents ouverts</title>
    <single>
      <title>Intervalle de remps : 7 derniers jours</title>
      <search base="countsite">
        <query> | stats dc(sig_id)</query>

What is the problem please?
This is the dummy dataset which has been created to address the issue I am facing. I want to count the number of occurrences of the task with respect to its state three times per day. I have tried using timechart span=3h count by state in my query, but I am unable to count the state when there is no event present for it. The expected output is:

Kindly help!!!
I cannot make this work if I have searchWhenChanged="false". I would like to set the token and do the search only after the Submit button is pressed.

<form script="simple_xml_examples:showtokens.js">
  <label>Set another token by checkbox value</label>
  <fieldset submitButton="true">
    <input type="checkbox" token="checked" searchWhenChanged="false">
      <choice value="yes">Check for yes</choice>
      <change>
        <condition value="yes">
          <eval token="checked_result_value">if(true(), $form.checked$, "never_here")</eval>
        </condition>
        <condition>
          <eval token="checked_result_value">"NotChecked"</eval>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval value="$checked_result_value$"</query>
        </search>
      </single>
    </panel>
  </row>
</form>
I am currently assessing the options for indexer storage architecture. I was reading the SVA and it had the below statement for Classic Indexer Architecture Using File System Storage:

This architecture is recommended when you have requirements for either
• Short-term data retention (<=3 months) or
• Long-term retention and performance-critical search use cases that frequently access older historic data

whereas, for SmartStore Indexer Architecture Using Object Storage:

This model can have significant positive impact on the TCO of your Splunk deployment, especially when you retain data for long periods of time.

There's a bit of ambiguity between both statements. Our retention period is up to 3 months and we ingest roughly 1.5 TB per day. We mainly have ES, key dashboards and reporting for which we need data worth the last 3 months. The environment will be in AWS (not Splunk Cloud). Based on this and the above two statements, I am confused which might be the better option to go for.
I have installed Enterprise Security App.  I review Security Domain, in particular, Access and Network sections and I see many events coming from my AD, Office 365, and Firewalls. However, Security Posture dashboards are all empty.  I have checked permissions and given full access.  Could you advise what I should check to fix it?  
Hi, when using iplocation to get the Country list, most of the time I am getting null values for Country. How do I get the exact country for the IP? Regards, Madhusri R
I have an inputlookup search where I am looking to do a current count vs. four-week average count. My search is set up so it uses:

| inputlookup count.csv | bin _time span=5m

I need my search to display data from the prior four weeks like below.

_time            c    Last Week                     Two Weeks Ago                 Three Weeks Ago  Four Weeks Ago
9/19/2021 15:10  265  (Count from 9/12/2021 15:10)  (Count from 9/05/2021 15:10)
9/19/2021 15:15  362  (Count from 9/12/2021 15:15)  (Count from 9/05/2021 15:15)
9/19/2021 15:20  589  (Count from 9/12/2021 15:20)  (Count from 9/05/2021 15:20)
9/19/2021 15:25  700  (Count from 9/12/2021 15:25)  (Count from 9/05/2021 15:25)

The problem is that I would normally use earliest and latest, but these commands do not work with inputlookups. If anyone has solutions that work for inputlookup it would be great!
Hello, I am experimenting with the REST API and pulling events with a script. It seems like authentication and search are pulling the correct events from the /results endpoint, but I see an error on _raw events:

Error in events: '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data ' 'collection. Error: Password prompt encountered. ' 'Aborting.',

#!/usr/local/bin/python3
import json
import pprint
import time  # needed for sleep while polling the job
from xml.dom import minidom

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Silence the self-signed certificate warning for the local management port
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

base_url = 'https://127.0.0.1:8089'
username = 'admin'
password = 'changeme'
# Sent as a form field so the "search" parameter is properly URL-encoded
search_query = {'search': 'search index=main earliest=-4y'}

# Log in (the auth/login endpoint is a POST) and pull the session key out of the XML reply
r = requests.post(base_url + '/servicesNS/admin/search/auth/login',
                  data={'username': username, 'password': password}, verify=False)
session_key = minidom.parseString(r.text).getElementsByTagName('sessionKey')[0].firstChild.nodeValue
print("Session Key:", session_key)
headers = {'Authorization': 'Splunk %s' % session_key}

# Create the search job and capture its search id (sid)
r = requests.post(base_url + '/services/search/jobs/', data=search_query, headers=headers, verify=False)
sid = minidom.parseString(r.text).getElementsByTagName('sid')[0].firstChild.nodeValue
print("Search ID", sid)

# Poll the job until its dispatchState reaches DONE
done = False
while not done:
    r = requests.get(base_url + '/services/search/jobs/' + sid, headers=headers, verify=False)
    response = minidom.parseString(r.text)
    for node in response.getElementsByTagName("s:key"):
        if node.hasAttribute("name") and node.getAttribute("name") == "dispatchState":
            dispatchState = node.firstChild.nodeValue
            print("Search Status: ", dispatchState)
            if dispatchState == "DONE":
                done = True
            else:
                time.sleep(1)

# Fetch the results as JSON; output_mode is a query parameter on this GET, not a request body
r = requests.get(base_url + '/services/search/jobs/' + sid + '/results/', headers=headers,
                 params={'output_mode': 'json'}, verify=False)
pprint.pprint(json.loads(r.text))

Events returned; here is one entry sample. All events I am searching seem to get returned, but I'm not sure what's causing the _raw event error.

{'_bkt': 'main~18~95A72A43-AF2F-49CF-B85A-B0788E1AA28A',
 '_cd': '18:455',
 '_indextime': '1632029978',
 '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '
         'collection. Error: Password prompt encountered. '
         'Aborting.',
 '_serial': '38',
 '_si': ['DC-C02SD43JG8WP', 'main'],
 '_sourcetype': 'ossec_agent_control',
 '_time': '2021-09-18T23:39:38.000-06:00',
 'host': 'DC-C02SD43JG8WP',
 'index': 'main',
 'linecount': '1',
 'source': 'ossec_agent_control',
 'sourcetype': 'ossec_agent_control',
 'splunk_server': 'DC-C02SD43JG8WP'},
Hi I am trying to verify veteran status but when I verify with troop.Id I continue to get the message 'WorkForce Registration Incomplete'.
With our cyber data, we have cases when streams of data stop, due to a down forwarder, bad DB connection etc., and cases when the streams suddenly increase in volume, such as bluecoat cases, DNS attacks and more. We would like to alert on these cases without hardcoding the various indexes or sourcetypes. We also wonder whether there is a good way to do it in ITSI.
Could not contact master. Check that the master is up, the master_uri=https://10.32.20.7:8089 and secret are specified correctly.
Hi, I am new to Splunk/SPL and I am wondering how I can check if the Tags field contains a tag "foo" within an eval. Something like: eval toto = if("tags{}" == "foo", 1, 2) Thanks, David
Hello, I am playing around with enabling TLS in the chatter between the UF and the IDX and all is working well.  I am curious as to how much compression do I achieve when I enable TLS, I tried searching for it but I am not finding any clear answer
I have logs with the same _time (msg field) like below:

type=CWD msg=audit(1631697722.980:2773): cwd="/"
type=PATH msg=audit(1631697722.980:2773): item=0 name="/bin/bash" inode=12593039
type=PATH msg=audit(1631697722.980:2773): item=1 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1631697722.980:2773): proctitle=2F62696E2F626E2F6C6F67726F74617E66

While indexing, I want events to be grouped by _time (taking the above example, instead of having 4 events I want one single event with all the types). I used SHOULD_LINEMERGE = true but it's not working. Please, someone help me with this.
Hi, I have several unstructured log files from which I need to extract error messages with the rex SPL command.
1. What is the optimal way to extract error messages from those logs?
2. Group by error type (count by error type), e.g.:

19  Socket recv failed: Connection TimeOut
3   readData failed. Read
3   Invalid Length for facility number
17  Duplicate - Stop Old Connection from IP

Here is the sample:

00:03:00.895 APP module: Error: readData failed. Read [0] bytes instead of 4 for Len
00:03:00.895 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.12] Socket[405]
00:02:59.791 APP module1: T[0]R[0]L: ERROR: Invalid Length for facility number [000000000] !
00:02:55.193 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.112] Socket[705]
00:02:50.536 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.13.1] Socket[114]
00:02:49.205 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.14] Socket[213]
00:02:46.317 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.51]
00:02:44.467 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.13] Socket[697]
00:02:43.468 APP module2: T[0]R[0]L: Error: Invalid TopUp No!
00:02:40.047 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.123]
00:02:34.424 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.13]
00:02:27.125 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.14]
00:02:25.840 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[506]
00:02:21.836 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:02:21.434 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.1.1] Socket[291]
00:02:18.846 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[220]
00:02:16.861 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[67]
00:02:16.855 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:02:13.954 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:02:13.085 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[284]
00:02:08.332 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:59.926 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[824]
00:01:59.371 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[216]
00:01:57.313 APP module3: X[0000]T[000000]R[000]L: ERR logoutInternalErr200Or100Or100: Txn Was Not Found To Logout
00:01:55.881 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[104]
00:01:49.036 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[191]
00:01:48.551 APP module2: T[0]R[0]L: Error: DoAction can not find action. TypeId(-1) Expect(0)
00:01:48.266 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:46.272 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:44.942 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[37]
00:01:44.016 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[449]
00:01:43.305 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[345]
00:01:38.840 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[195.165.249.51] Socket[655]
00:01:29.366 APP module2: T[0]R[0]L: ERROR: Invalid Length for facility number [000000000000] !
00:01:27.744 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:26.463 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:24.663 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[195]
00:01:21.249 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.1.1] Socket[689]
00:01:19.752 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:01:15.978 APP module2: T[0]R[0]L: ERROR: Invalid Length for facility number [0000000000] !
00:01:08.395 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[372]
00:01:08.367 APP module2: T[0]R[0]L: Error: Can not find exe []
00:00:55.808 APP1 module4: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[313]
00:00:54.566 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:00:53.914 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.1.1] Socket[248]
00:00:47.717 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.1] Socket[197]
00:00:43.755 APP2 module4: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:00:39.936 APP2 module4: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:00:37.646 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.1]
00:02:43.468 APP module4: T[0]R[0]L: Error: Invalid TopUp No!
00:03:00.895 APP module4: Error: readData failed. Read [0] bytes instead of 4 for Len
23:50:41.582 APP module4: X[00000]T[000000]R[0]L: oiu_fetch Error: I Cannot Found Any For This code:[0000000000]
00:00:03.164 APP module: T[0]R[0]L: Error: Module does not produce Pin Block. Call Supervisor. U[3357]

Any idea? Thanks,
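The grouping the post above asks for comes down to two steps: cut the message text off after the first error marker, then mask the variable parts (IPs, socket ids, bracketed values) so that one error type yields one key. The following is an added example, not the poster's code or a Splunk feature; it works on a constructed subset of the sample lines from the post and mirrors what a rex extraction followed by stats count by would do in SPL.

```python
import re
from collections import Counter

# Constructed sample: a subset of the log lines quoted in the post above
SAMPLE_LOG = """\
00:03:00.895 APP module: Error: readData failed. Read [0] bytes instead of 4 for Len
00:03:00.895 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.12] Socket[405]
00:02:59.791 APP module1: T[0]R[0]L: ERROR: Invalid Length for facility number [000000000] !
00:02:55.193 APP module: Error: Socket recv failed: Connection TimeOut IP[192.168.1.112] Socket[705]
00:02:50.536 APP module: Error: Socket recv failed: Connection Reset by Peer[FIN Received] IP[192.168.13.1] Socket[114]
00:02:46.317 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.51]
00:02:43.468 APP module2: T[0]R[0]L: Error: Invalid TopUp No!
00:01:57.313 APP module3: X[0000]T[000000]R[000]L: ERR logoutInternalErr200Or100Or100: Txn Was Not Found To Logout
00:02:40.047 APP module: Error: Duplicate - Stop Old Connection from IP[192.168.1.123]
00:01:08.367 APP module2: T[0]R[0]L: Error: Can not find exe []
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
# The message begins after the first "Error:" / "ERROR:" / "ERR" token; everything before it
# (app name, module, transaction prefix such as T[0]R[0]L:) is context, not the error text.
ERROR_MARKER = re.compile(r"\b(?:error|err)\b:?\s*", re.IGNORECASE)
# Variable parts that would otherwise split one error type into many distinct keys
BRACKETED = re.compile(r"\[[^\]]*\]")          # IP[...], Socket[...], Peer[...], [0], []
NUMBERS = re.compile(r"\b\d+(?:\.\d+)*\b")      # remaining bare numbers, e.g. "instead of 4"


def extract_message(line):
    """Return the error message part of a log line, or None if the line has no error marker."""
    line = TIMESTAMP.sub("", line.strip())
    marker = ERROR_MARKER.search(line)
    if marker is None:
        return None
    return line[marker.end():].strip()


def normalize(message):
    """Mask the variable parts of a message so that equal error types produce the same key."""
    message = BRACKETED.sub("[*]", message)
    message = NUMBERS.sub("N", message)
    return re.sub(r"\s+", " ", message).strip(" !.")


def count_error_types(log_text):
    """Count lines per normalized error type, most frequent first (the SPL `stats count by`)."""
    counts = Counter()
    for line in log_text.splitlines():
        message = extract_message(line)
        if message is not None:
            counts[normalize(message)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for error_type, count in count_error_types(SAMPLE_LOG):
        print("%3d  %s" % (count, error_type))
```

Keeping the mask "[*]" in the key, rather than deleting the bracketed tokens, preserves "Connection Reset by Peer[*]" as a type distinct from "Connection TimeOut".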
I have several Cisco FTD devices (managed by Cisco FMC) that are sending syslog messages to Splunk. Here is the format:

<164>Sep 19 2021 13:26:27 ftdv-b-int : %FTD-4-313005: No matching connection for ICMP error message: icmp src inside_Mgmt:10.0.20.238 dst inside_Legacy_Server:192.168.0.94 (type 3, code 3) on inside_Mgmt interface. Original IP payload: udp src 192.168.0.94/53 dst 10.0.20.238/12055.

The time is in UTC. Is there a way to convert this time to local time when I pull the records in, so I can do alerting, etc. on these records?
Can someone please help me understand a few important things to consider before we upgrade from 8.0.3 to 8.2.2? I see that there is a major Python change; does that mean we need to upgrade Python 2 to Python 3 on the OS before we upgrade? I don't see any prerequisites for the Splunk installation on Linux. As I understand, all supporting software is built into the Splunk package.
It seems that outer join is not working for me and I have no idea why. I have these two events:

Event 1 (index="faults"):
Id = a8015353-18bf-11ec-8b0a-7c2a311251af
AxesId = a7ba0fd6-18bf-11ec-b369-7c2a311251af
TR = 3

Event 2 (index="axes"):
id = a8015354-18bf-11ec-b3bb-7c2a311251af
parent_id = a8015353-18bf-11ec-8b0a-7c2a311251af
table = 10
couch = 30

My main search retrieves Event 1. I want to use an outer join to retrieve 'table' and 'couch' from Event 2. I have two choices to join the events. I have tried both; neither worked:
Event1 AxesId is Event2 id
Event1 Id is Event2 parent_id

This is my query:

index="faults" Id=a8015353-18bf-11ec-8b0a-7c2a311251af | join type=outer AxesId [search index="axes" | rename id AS AxesId] | table *

And this is the output table:

Id                                    AxesId                                TR  table  couch
a8015353-18bf-11ec-8b0a-7c2a311251af  a8015354-18bf-11ec-b3bb-7c2a311251af  3

Event 2 columns are there but have no information. Any help would be welcomed. Thanks