All Topics

High CPU utilization observed for splunkd and python3.7 processes on a Splunk HF after upgrading Splunk Enterprise from 7.x to version 8.1.4. Any help would be appreciated. Tq.
I've almost created a framework to update Splunk configuration items for Search Heads (transforms, props, savedsearches, etc.) and create new apps via the Splunk REST API. This works well on a standalone SH and in an SH cluster. Does anyone know if there are restrictions/capability restrictions kept in place for the Splunk Cloud offering? i.e. in the Cloud offering: Can I create a new app via the REST API? Can I create/modify configuration items remotely?
Hi All, we are trying to install the ServiceNow Security Operations add-on for Splunk, and after we add in the required details including the password, we cannot locate where the password is being stored. We were expecting a passwords.conf to be created with the password encrypted, but are not seeing anything in /opt/splunk/etc/apps/TA-ServiceNow-SecOps/default or in /opt/splunk/etc/apps/TA-ServiceNow-SecOps/local (ServiceNow Security Operations Addon | Splunkbase). We do have a sn_sec_instance.conf created in /local, but it only lists the URL of our ServiceNow instance and the username. Thanks
Hi, I'm running the below syntax on Splunk Enterprise to get traffic logs from Fortigate firewalls:

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept | stats count by srcip, dstip, dstport, service, action, date, time, policyid | dedup srcip dstip dstport service consecutive=true | sort 0 field

This gives me all TCP & UDP traffic, which I can then download and filter in a .csv, but it doesn't pick up ICMP traffic (specifically ICMP type 8). I have to run a separate syntax to get just ICMP, as below:

index="fortinet" "devname=" "xxxxx-xxxxxx" "vd=" "xxx-xxxxx" policyid=5 action=accept | stats count by srcip, dstip, service, action, date, time, policyid | dedup srcip dstip service consecutive=true | sort 0 field

It seems that because ICMP has no dstport the syntax needs adjusting. What I need is a syntax that will return all traffic, i.e. TCP, UDP & ICMP. Please advise. Naz
Hello, I am trying to get the Perc99 and Perc95 from the total transactions in IIS with the below search:

source="C:\\inetpub\\logs\\LogFiles\\*" host="WIN-699VGN4SK4U" index="main" |bucket span=1w _time|stats count by _time|eventstats perc95(count) as p95 ,perc95(count) as p95

However, it is just the total for both; any help would be greatly appreciated. Thanks, Joe
Hi All, we are trying to install snow with Splunk using the latest version of the Splunk Add-on for ServiceNow and we are getting the below error. We are trying to integrate snow with Splunk using the latest version of the Splunk Add-on for ServiceNow.
Heavy forwarder version: 8.1
ServiceNow Add-on: 7.1

error: file=splunk_ta_snow_account_validation.py:validate:110 | Unable to reach ServiceNow instance at https://XXXX.service-now.com. The reason for failure is=Traceback (most recent call last):
  File "/splunk/etc/apps/Splunk_TA_snow/bin/splunk_ta_snow_account_validation.py", line 106, in validate
    resp, content = http.request(url)
  File "/splunk/etc/apps/Splunk_TA_snow/lib/httplib2/__init__.py", line 1709, in request
    conn, authority, uri, request_uri, method, body, headers, redirections, cachekey,
  File "/splunk/etc/apps/Splunk_TA_snow/lib/httplib2/__init__.py", line 1424, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/splunk/etc/apps/Splunk_TA_snow/lib/httplib2/__init__.py", line 1346, in _conn_request
    conn.connect()
  File "/splunk/etc/apps/Splunk_TA_snow/lib/httplib2/__init__.py", line 1138, in connect
    self.sock = self._context.wrap_socket(sock, server_hostname=self.host)
  File
Current query:

index=salcus sourcetype= ticket_mgmt_rest source= http:ticket_mgmt_rest |rename "properties.o2-TroubleTicket-ReqId" as REQID | transaction REQID keepevicted=true | search eventcount=2 |table REQID duration |sort -duration

Now I want only the top 1 record which has the maximum duration, so how can I modify the above query?
Hello, community. What's a skipped search? Do I understand correctly that it's a search which finished with an error? How can I generate a skipped search (weird task, but I have to)? Thank you.
Hi all, I'm having an issue with this add-on, "Microsoft Teams Add-on for Splunk". I currently use the add-on to get Teams Call Detail Records downloaded to Splunk. For small calls, this runs well without issue. However, for big meetings where there are 200+ participants, the call detail record is divided into several pages, and the URL to download the next page is given via "@odata.nextLink". But this add-on doesn't seem to download the next page; it stops after downloading the first page and therefore not all participants' details are downloaded to Splunk. Via PowerShell, I can confirm that the Graph API did return the "@odata.nextLink" (which was missing before; they only fixed it recently). Looking into the Python code, the add-on uses the function "get_item" to fetch the data, and this function doesn't care about nextLink at all, which explains why I encountered the issue. Below is the code of this get_item function:

    def get_item(helper, access_token, url):
        headers = {}
        headers["Authorization"] = "Bearer %s" % access_token
        headers["Content-type"] = "application/json"
        proxies = get_proxy(helper, "requests")
        try:
            r = requests.get(url, headers=headers, proxies=proxies)
            r.raise_for_status()
            response_json = None
            response_json = json.loads(r.content)
            item = response_json
        except Exception as e:
            raise e
        return item

I found another function within the same library that does look into the nextLink data, which is get_items:

    def get_items(helper, access_token, url, items=[]):
        headers = {}
        headers["Authorization"] = "Bearer %s" % access_token
        headers["Content-type"] = "application/json"
        proxies = get_proxy(helper, "requests")
        try:
            r = requests.get(url, headers=headers, proxies=proxies)
            if r.status_code != 200:
                return items
            r.raise_for_status()
            response_json = None
            response_json = json.loads(r.content)
            items += response_json['value']
            if '@odata.nextLink' in response_json:
                nextLink = response_json['@odata.nextLink']
                # This should never happen, but just in case...
                if not is_https(nextLink):
                    raise ValueError("nextLink scheme is not HTTPS. nextLink URL: %s" % nextLink)
                helper.log_debug("_Splunk_ nextLink URL (@odata.nextLink): %s" % nextLink)
                get_items(helper, access_token, nextLink, items)
        except Exception as e:
            raise e
        return items

So, what I did was change the code from

    call_record = azutils.get_item(helper, access_token, url)

to

    call_record = azutils.get_items(helper, access_token, url)

but it doesn't work. Does anyone know how to get around this? Thanks a lot
I've got a JSON object in the msg field as:

    "objectA": {
        "aggrStatus": "SUCCESS",
        "attempts": [
            {
                "aggrStatus": "FAILURE",
                "responses": [
                    { "requestTime": 1626329472707, "responseTime": 1626329474713, "status": "FAILURE" }
                ]
            },
            {
                "aggrStatus": "SUCCESS",
                "responses": [
                    { "requestTime": 1626330378365, "responseTime": 1626330378622, "status": "SUCCESS" }
                ]
            }
        ]
    }

I want to find out the average total time taken by successful responses, i.e. in the above example the second attempt's response time should be considered, as it's a success, and not the first attempt's response time. Total time taken = responseTime - requestTime; so how do I find out:
1. Average response time of all successful events found
2. A table with counts for response time less than 1 sec, between 1 sec and 2 sec, between 2 sec and 3 sec, and greater than 3 sec
Can you please help with the query? Thank you so much for your help and efforts.
How can we see the rules we developed in the ES Content Updates area? How can we define them in the product so that they can be seen on this screen, categorized according to the Cyber Kill Chain and the MITRE ATT&CK Framework?
I want to find out how many times a string appeared in ONE SINGLE EVENT, then group all the events and get a table like:

Attempts : Count
1        : 100
2        : 342
3        : 201
4        : 04
5        : 00

How do I write a query for this?
Hello Team, I'm very new to Splunk. I have the below two logs:

"message": "api.main REQ user1 10.10.44.76 \"GET /api/v1/data?my_list=%25geo%25&our_list=%25school%25&query_string_list=%25college%25&page=1&per_page=100\"
"message": "api.main REQ user2 10.10.14.16 \"GET /api/v1/data?my_list=%25geo%25&our_list=%25office%25&query_string_list=%25school%25&page=1&per_page=100\"

I want to get the data between the "%25" markers, e.g. "%25school%25" -> school. So log1 contains: school, college; log2 contains: office, school. We can then count and show: school=2, office=1, college=1, and if possible plot it in a timechart. Thanks in advance.
When I run btool, I get this error:

Will setenv SPLUNK_CLI_DEBUG to "v"

Can someone please help me fix this? Thanks
Hi, under lookups we have the lookups below:

lookups
abcd.csv
xyz.csv

I could see configs in props.conf to map to these lookups:

props.conf
LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3

You can see in props.conf that, along with the first lookup name, they have added _lookup (abcd_lookup), and along with the second lookup name they have added _mapping (xyz_mapping). Is this correct?
I have two indexes containing command line arguments; one has the field name arg, the other has the field name command. What is the best practice for searching some strings in both fields across the different indexes to create an alert if they match?

index=A arg="*command_string_to_search*" OR index=B command="*command_string_to_search*"

How can we improve this search from a performance standpoint? Thanks,
Hi everyone. We've just realized that Splunk-regmon.exe has been consuming 3.2GB out of 4GB RAM on one of our preprod servers. Is there anything we can do to prevent such an amount of memory consumption? Maybe we should disable it? Thank you, Flavio
I've been trying to join the results of a search with a dataset on one line. I can get it to work with two lines, but it's hard to read and doesn't work with more than one result. I just want to combine the file_1 data with the search results. Here's what I have:

index=windows [| inputlookup file_1 | fields field1] | dedup field1 | table field2, field3, field4 | append [| inputlookup file_1]

Output:
First Line:  field2    field3    field4
Second Line:                                field1    field5 etc.

I'd like it to be on one line. field1 is common to both the search and the dataset. Thanks in advance
Hi, can someone help me in correlating 4688 (Process Created) and 4624 (Logon) events? I tried using the transaction and stats commands but was unable to get the proper results. When I use the transaction command with the Logon_ID field, I am not able to correlate the 4624 and 4688 events. Can someone help me fix the query?

(EventCode=4624 LogonType=3) OR (EventCode=4688) | transaction Logon_ID host startswith="4624" endswith="4688"

Can someone help me find the correct field for correlating the 4688 and 4624 events in Splunk?
Hi, we're trying to set up the Secure Gateway app to register mobile devices in a Splunk Dev/Test instance, but the "Websocket Test" panel in the end-to-end websocket troubleshooting dashboard is returning failure and the response content is "[]". Authentication and server_side_registration seem to be OK. We can make a successful connection outbound to port 443 on prod.spacebridge.spl.mobi, but we get an empty response when we use the following command suggested by the documentation:

curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: prod.spacebridge.spl.mobi" -H "Origin: https://prod.spacebridge.spl.mobi" -H "Authorization: c014fb4e" https://prod.spacebridge.spl.mobi/mobile

Any ideas or suggestions on how to troubleshoot or investigate this issue? Ref: https://docs.splunk.com/Documentation/SecureGateway/2.5.4/Admin/TroubleshootGatewayConnection
Update 1: We think this might be a network configuration issue (firewall or proxy related). We're going to check the network config. Javier.