Need help with an SPL to create a search for Please. /opt/splunk/etc/apps/meta_woot/lookups/meta_woot_server_guid.csv Running this search I am told per the Meta Woot! app will enable the Meta Woot! app that is not running. When I open the app I get "No Data Found". Thank you very much in advance.
Hello, what is the best way to get data from dynamoDB to Splunk?
Hello all, I have a CSV file which looks like this:

"Time";"Comment"
"15:53:21";"Here stands something \"very\" interesting"

I have nested quotes in the column "Comment". That's why I have to escape them by using the "\". This is what I want to have as output:

"Time";"Comment"
"15:53:21";"Here stands something "very" interesting"

What I have tried so far is to use auto_escaped as KV_MODE, which can be found in Add Data --> Select Source --> Set Source Type --> Advanced. But without success. The escape character is still there. I would appreciate any helpful hints.
When trying to connect to the Splunk SDK, Python throws me this error: [Errno 11001] getaddrinfo failed

My code:

import splunklib.client as client

HOST = "localhost:"
PORT = 8000
USERNAME = "username"
PASSWORD = "password"

# Create a Service instance and log in
service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)

The error thrown back is as follows:

File "Z:\BD_PROJ\Studenten_Trainees\BI Team\Eichberger_Sowa\00_NLP_Eichberger\99_Misc\.spyder-py3\NLP_GIT_online\untitled0.py", line 33, in <module>
    service = client.connect(
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\client.py", line 331, in connect
    s.login()
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 883, in login
    response = self.http.post(
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1242, in post
    return self.request(url, message)
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1259, in request
    response = self.handler(url, message, **kwargs)
File "C:\Users\eichberj\Test\lib\site-packages\splunklib\binding.py", line 1399, in request
    connection.request(method, path, body, head)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1255, in request
    self._send_request(method, url, body, headers, encode_chunked)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1301, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1250, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1010, in _send_output
    self.send(msg)
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 950, in send
    self.connect()
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 1417, in connect
    super().connect()
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\http\client.py", line 921, in connect
    self.sock = self._create_connection(
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\socket.py", line 822, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
File "C:\Users\eichberj\AppData\Local\Programs\Python\Python39\lib\socket.py", line 953, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
Hi, We use Splunk Enterprise in our company and I am currently implementing remote (cloud) logging in our iOS and Android apps for error logging purposes. I understand that Splunk used to have Splunk MINT for iOS but it is legacy now. Do you think there is a replacement for Splunk MINT for iOS? Or could you advise whether it is advisable to do mobile app logging to Splunk, please? Thanks.
Hi everyone, I'm trying to get a simple text from a raw event, but I can't make it work. The event looks like this: and my regex looks like this:

| rex field=_raw "Allow\s(?<GroupName>\w.+)\s+Enroll"

My issue is that I am only going to get a few of those groups, but not all... for example I will get the Domain Users but not the Enterprise Users which is in the same raw file... Could someone please help me with this regex?
How do we get Linux patching details in Splunk
Hi, what is the SPL command to extract users? Here is the sample:

2021-09-12 21:40:03,938 ERROR [APPNAME] User H83952 invalid: javax.security.auth.login.LoginException:
2021-09-12 21:40:03,938 ERROR [APPNAME] User 83944 invalid: javax.security.auth.login.LoginException:
2021-09-12 21:40:03,938 ERROR [APPNAME] User A_Frok invalid: javax.security.auth.login.LoginException:

Expected output:

H83952
83944
A_Frok

Thanks,
Hi, I am looking to compare a field value against the results of an ldapsearch to check whether the value is present or not. The use case is basically that I want to detect if a cloud user account is created in our O365 environment and that same user name does not exist in our on-prem Active Directory. I have the below SPL which returns newly created users in my O365 environment. The below returns a field named "user".

index="o365_log" action=created command="Add user."

I now want to search my Active Directory domain to see if this user exists or not. If it doesn't exist in Active Directory, I want the search to detect it and output the user name. I am using ldapsearch and searching where the userPrincipalName is the same as the value of the user field. The SPL below is what I am using:

| ldapfilter domain=default search="(userPrincipalName=$user$)" attrs="cn,userPrincipalName"

The above SPL works; however, the problem I have is that I'm not sure how to combine these two lines of SPL together so that it performs the check and only outputs users which are not found by the ldapsearch. Can somebody help? Thanks.
Hi, A field "status" contains two values: one is failure and another is success. For failure it contains some description values and also a null value. For success it also contains the description as a null value. I am confused about how to check the null condition, as it occurs in both failure and success descriptions. Regards, Madhusri R
Hello Team, We are parsing logs from a Linux machine to the Splunk indexer via the Splunk Universal Forwarder on the Linux machine. From the monitor input path "var/logs" I am getting data in the indexers, but I am not getting data from this path: "monitor:///opt/apps/mule-runtimes/mule-ee-runtime-1/logs". Please help with what to do; for reference please check the snap below.
Hello all, I am struggling with customizing my Splunk ES's Incident Review panel. I have integrated Suricata IDS logs into ES (using Splunk CIM and TA-Suricata) and I would like to output Suricata alerts as notable events in Splunk ES.

Facts:
1. I have created a Splunk Correlation search in Content Management, "Suricata Medium Severity Alert", which has a custom search:
   index=suricata sourcetype=suricata event_type=alert alert.severity=2
2. In Adaptive Response Actions I added a Notable with the following custom settings:
   Title: $signature$ (in order to output the Suricata Alert Signature Title)
   Description: A medium severity alert ($signature_id$) was triggered on $src$

Notes:
- Search runs every 5 minutes.
- I save and enable the Correlation search and I see that a Saved Search "Threat - Suricata Medium Severity Alert - Rule" is created.

What is the problem:
- In the Incident Review console, the new Notable's "Title" has the Saved Search's title ("Threat - Suricata Medium Severity Alert - Rule") and not the custom title ($signature$) (ET POLICY SMB2 NT Create AndX Request For an Executable File) set on the Notable action event.
- Description is "unknown".

Notes:
- The Notable event is successfully created and it contains all variable fields (src, signature, signature_id).
- All fields are shown in Additional info on the notable, but the point is that the variables do not show.

Troubleshooting done so far:
- Deleted and recreated Correlation searches and Saved Searches
- Restarted Splunk
- Rebooted OS

Splunk Version: 6.2.2 (Distributed Environment)
Splunk ES: 6.6.0
Splunk CIM: 4.20.0

Any help would be appreciated. Regards, Chris
I have a search query to display external file shares that are active (SharePoint/OneDrive). This is working and shows us when file shares to third parties are still active.

index=o365 file_path=* user=urn* OR TargetUserOrGroupType=Guest
| fillnull value="-"
| dedup UniqueSharingId TargetUserOrGroupName
| where NOT Operation=="RemovedFromSecureLink"
| stats latest(_time) by user Operation file_path file_name vendor_product TargetUserOrGroupName UniqueSharingId

The issue we have is that if a user just deletes the file share folder (so it is no longer an active share), the dashboard still displays the share as active. I need to append the following search and match it to the unique sharing location to display whether the file/folder has been deleted:

index=o365 Operation=FileDeleted

TIA
Hi all, I have two chart queries to get the success count and error count which are working as expected. Now I want to add both and get the total count from both columns.

Query 1:

index=dev
| rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)"
| rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)"
| search app="project1" OR app="project2" OR app="project3" OR app="project4"
| where tracePoint="EXCEPTION"
| chart count(app) over app by dc(correlationId)

Query 2:

index=dev
| rex "\"tracePoint\\\\\"\s:\s\\\\\"(?<tracePoint>[^\\\]+)"
| rex "\"correlationId\\\\\"\s:\s\\\\\"(?<correlationId>[^\\\]+)"
| search app="project1" OR app="project2" OR app="project3" OR app="project4"
| where tracePoint="END"
| chart count(app) over app by dc(correlationId)

I tried with 'appendcols', but it is not working. Can anyone help me with this? Thanks in advance.
Hi All, When trying to pull AdminAudit logs from Exchange to Splunk we are only receiving the following log (which is divided into 2 logs):

First log: WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance
Second log: of an object.

Can someone please explain how to resolve this issue and get proper admin audit logs from Exchange?
Hi All, We have a distributed environment (no cluster), Splunk Enterprise Version 8.1.3. Is there a way to create a dashboard for all search peers (indexers), where I can see their CPU, Memory and Disk Usage?
There are some keywords that cannot be searched after changing the App. Even more specific keywords within a specific field are not searchable. There is no problem with permissions, but do you know anything about it?
I want to onboard Azure sign-in logs to my Splunk. I installed the MS Azure add-on for Splunk on one HF and completed the authentication steps and app registration. Please suggest what's going wrong. I am getting the error below.

INFO pid=4495 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling
INFO pid=4495 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
ERROR pid=4495 tid=MainThread file=base_modinput.py:log_error:309 | _Splunk_ Unable to obtain access token
Hi, I want to add a text box in a dashboard panel, and the manual input value of that text box should be added to a new column in an already existing table. I understand that this can be done by a lookup to save the values, but I am not sure how to go ahead with it. This is the data format of the table I have, with sample data (the original data I have is confidential):

EMAIL             | NAME        | IP         | ID (new column)
nish123@gmail.com | Nishanth    | 10.10.10.0 |
abc098@gmail.com  | ABC         | 224.0.0.0  |
amit187@gmail.com | Amit Sharma | 63.125.0.0 |

I want to add a text box to this panel whose values should be input into the ID column based on the unique value of EMAIL, and I want to save this table with the new values of ID. How can this be done? Any help would be appreciated. Thanks
Hi Splunk team, I would like to receive your dedicated help. I have a string field; the field's structure is name_timestamp. The name contains underscores between words; after the name, there is another underscore. Finally, there is a full date. For example: this_is_an_example_09_13_2021. My goal is to extract the name from this field. For this example, I would like to receive this_is_an_example. Is it possible? Thanks in advance!