Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

How can we see the rules we developed in the ES Content Updates area? How can we define them in the product so that they can be seen on this screen, categorized according to the Cyber Kill Chain and the MITRE ATT&CK Framework?
I want to find out how many times a string appeared in ONE SINGLE EVENT, then group all the events and produce a table like:

Attempts : Count
1        : 100
2        : 342
3        : 201
4        : 04
5        : 00

How do I write a query for this?
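One way to get the per-event occurrence count and then the distribution, as an added example that is not part of the post above. The index, sourcetype and the string "login failed" are assumptions; substitute your own. The trick is to split the raw event on the string and count the pieces: an event with N occurrences splits into N+1 pieces.

```spl
index=app sourcetype=app_log
| eval attempts=mvcount(split(lower(_raw), "login failed")) - 1
| stats count by attempts
| sort 0 attempts
| rename attempts as Attempts, count as Count
```

split() is a plain, case-sensitive substring split, so the raw text is lower-cased first and the search string must be lower case too. Events that do not contain the string come out as attempts=0; if you only want events that contain it at least once, add the string to the base search. For a pattern rather than a fixed string, use rex with max_match=0 to capture every occurrence into a multivalue field and take mvcount() of that field instead.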
Hello Team, I'm very new to Splunk. I have the below two logs:

"message": "api.main REQ user1 10.10.44.76 \"GET /api/v1/data?my_list=%25geo%25&our_list=%25school%25&query_string_list=%25college%25&page=1&per_page=100\"
"message": "api.main REQ user2 10.10.14.16 \"GET /api/v1/data?my_list=%25geo%25&our_list=%25office%25&query_string_list=%25school%25&page=1&per_page=100\"

I want to get the data between the "%25" markers, e.g. "%25school%25" -> school. So log1 contains: school, college; log2 contains: office, school. We can count and show: school=2, office=1, college=1. If possible we can plot it in a timechart. Thanks in advance.
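An added example (not from the post) of extracting every value wrapped in %25 markers and charting it over time. The index and sourcetype are assumptions. The regex is restricted to the our_list and query_string_list parameters so that the my_list=%25geo%25 value common to both lines is not counted; drop the parameter names from the regex if you want every %25...%25 value.

```spl
index=api sourcetype=api_access "api.main REQ"
| rex field=_raw max_match=0 "(?:our_list|query_string_list)=%25(?<term>[^%&]+)%25"
| mvexpand term
| timechart span=1h count by term
```

max_match=0 captures every match into the multivalue field term, and mvexpand turns one event with two terms into two rows so that timechart counts each term separately. Replace the timechart line with "| stats count by term" for plain totals (school=2, office=1, college=1 on the two lines above). %25 is the percent-encoded "%" of a SQL LIKE wildcard; if the events are already URL-decoded in your index, match "%" instead of "%25".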
When I run btool, I get this error:

Will setenv SPLUNK_CLI_DEBUG to "v"

Can someone please help me fix this? Thanks
Hi, under Lookups we have the lookups below:

lookups
abcd.csv
xyz.csv

I could see configs in props.conf mapping to these lookups:

props.conf
LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3

You can see in props.conf that along with the first lookup name they have added _lookup (abcd_lookup), and along with the second lookup name they have added _mapping (xyz_mapping). Is this correct?
I have two indexes containing command line arguments; one has the field name arg, the other has the field name command. What is the best practice to search for some strings in both fields across the different indexes and create an alert if they match?

index=A arg="*command_string_to_search*" OR index=B command="*command_string_to_search*"

How can we improve this search from a performance standpoint? Thanks,
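An added example (not from the post) of the usual shape for this search. A field filter with a leading wildcard such as arg="*x*" cannot use the index lexicon, so Splunk has to fetch and scan every event in both indexes; putting the bare term in the base search lets the indexers discard non-matching buckets first, and the field filter then keeps the precision. The literal command_string_to_search, index names and field names are the poster's placeholders.

```spl
(index=A OR index=B) "command_string_to_search"
| eval cmdline=coalesce(arg, command)
| search cmdline="*command_string_to_search*"
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen, values(cmdline) as cmdline by index, host
```

The bare-term pre-filter only helps when the string is indexed as a whole term, i.e. it is surrounded by major breakers (spaces, commas, and so on) in the raw event; if the string is a fragment inside a longer token, drop the bare term and keep only the wildcard filter, accepting the scan. coalesce() folds the two differently named fields into one so that the match logic, the stats grouping and the alert condition are written once.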
Hi everyone. We've just realized that Splunk-regmon.exe has been consuming 3.2GB out of 4GB RAM on one of our preprod servers. Is there anything we can do to prevent such memory consumption? Maybe we should disable it? Thank you, Flavio
I've been trying to join the results of a search with a dataset on one line. I can get it to work with two lines, but it's hard to read and doesn't work with more than one result. I just want to combine the file_1 data with the search results. Here's what I have:

index=windows [| inputlookup file_1 | fields field1] | dedup field1 | table field2, field3, field4 | append [| inputlookup file_1]

Output:
First line:  field2 field3 field4
Second line:                      field1 field5 etc.

I'd like it to be on one line. field1 is common to both the search and the dataset. Thanks in advance
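An added example (not from the post) that enriches each event with the matching lookup row instead of appending the lookup as separate rows. It assumes file_1 is a lookup definition (the name inputlookup already accepts) and that field5 is one of the lookup's columns; both are assumptions.

```spl
index=windows [| inputlookup file_1 | fields field1]
| dedup field1
| lookup file_1 field1 OUTPUTNEW field5
| table field1, field2, field3, field4, field5
```

The subsearch still restricts the events to field1 values present in the lookup, and lookup then pulls the lookup's other columns onto the same row keyed on field1, so each result is one line. OUTPUTNEW only fills fields the event does not already have; use OUTPUT if the lookup should overwrite. If file_1 exists only as a CSV file with no lookup definition, the lookup command can reference it as file_1.csv.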
Hi, can someone help me correlate 4688 (process created) and 4624 (logon) events? I tried using the transaction and stats commands but was unable to get proper results. When I use the transaction command with the Logon_ID field I was not able to correlate the 4624 and 4688 events. Can someone help me fix the query?

(EventCode=4624 LogonType=3) OR (EventCode=4688) | transaction Logon_ID host startswith="4624" endswith="4688"

Can someone help me find the correct field for correlating the 4688 and 4624 events in Splunk?
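An added example (not from the post) of the stats-based correlation. The join key is the logon session: a 4624 event carries two logon IDs (the Subject that performed the logon and the New Logon it created), and a 4688 event carries the Subject logon ID of the session that started the process, which equals the New Logon ID from 4624. In the classic WinEventLog format Splunk therefore extracts Logon_ID on 4624 as a multivalue field (Subject first, New Logon second), which is why a transaction on Logon_ID misbehaves. The search below takes the right value from each event; the coalesce() calls cover both the XML field names (TargetLogonId, SubjectLogonId, TargetUserName, IpAddress, NewProcessName) and the classic ones, and the index name is an assumption.

```spl
index=wineventlog ((EventCode=4624 (LogonType=3 OR Logon_Type=3)) OR EventCode=4688)
| eval session_id=case(EventCode=4624, coalesce(TargetLogonId, mvindex(Logon_ID, 1)),
                       EventCode=4688, coalesce(SubjectLogonId, mvindex(Logon_ID, 0)))
| eval user=case(EventCode=4624, coalesce(TargetUserName, mvindex(Account_Name, 1)),
                 EventCode=4688, coalesce(SubjectUserName, mvindex(Account_Name, 0)))
| eval src_ip=coalesce(IpAddress, Source_Network_Address)
| eval process=coalesce(NewProcessName, New_Process_Name)
| stats count(eval(EventCode=4624)) as logons, count(eval(EventCode=4688)) as procs,
        min(_time) as first_seen, values(user) as user, values(src_ip) as src_ip,
        values(process) as processes by host, session_id
| where logons>0 AND procs>0
| sort 0 host, first_seen
| convert ctime(first_seen)
```

Grouping by host as well as session_id matters because logon IDs are only unique per machine. Events where neither logon-ID field exists get no session_id and are dropped by the stats grouping, which is the intended behaviour; the final where keeps only sessions that have both a network logon and at least one process, i.e. exactly what "which processes did this remote logon run" asks. Because both eval and stats run on the indexers, this scales far better than transaction, which has to buffer events on the search head.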
Hi, we're trying to set up the Secure Gateway app to register mobile devices in a Splunk Dev/Test instance, but the "Websocket Test" panel in the end-to-end websocket troubleshooting dashboard is returning failure and the response content is "[]". Authentication and server_side_registration seem to be OK. We can make a successful connection to port 443 outbound to prod.spacebridge.spl.mobi, but we get an empty response when we use the following command suggested by the documentation:

curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: prod.spacebridge.spl.mobi" -H "Origin: https://prod.spacebridge.spl.mobi" -H "Authorization: c014fb4e" https://prod.spacebridge.spl.mobi/mobile

Any ideas or suggestions on how to troubleshoot or investigate this issue? Ref: https://docs.splunk.com/Documentation/SecureGateway/2.5.4/Admin/TroubleshootGatewayConnection

Update 1: We think this might be a network configuration issue (firewall or proxy related). We're going to check the network config. Javier.
Is there a way to assign workload pools to certain roles? Say we have 2 types of users, TypeA and TypeB. Can TypeA users be assigned only to limited_perf? And TypeB users assigned to
Hi, I would like to ask for help in determining how to convert the timezone of events I am indexing with the GCP cloud platform add-on before they are indexed. Events arrive today in UTC, and I need to convert that time to GMT-4. I have been trying from the sourcetype configuration, without success. I was also looking at this link, without much success: https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Applytimezoneoffsetstotimestamps
I created a saved search and a trigger upon completion to send myself an email that links to the finished job. It works mostly as intended by default, but it goes to my junk folder because the sender is "splunk" with no @domain.com. This would just be a minor inconvenience if the report were only going to me, but we are planning on rolling it out to several users and want to fix this.

I initially tried going to the report's Advanced Settings and changed "action.email.from" from just "splunk" to "splunk@ourcompany.com". At that point the emails stopped coming completely. I checked the log at splunk/var/log/splunk/python.log for errors, but the only ones I have encountered are due to size limits, which were resolved by removing the inline table. I have also gone to Server settings » Email settings and changed "Send emails as" to add my company domain as well.

It appears the only emails that are coming through are the ones with the specific report's Advanced Settings "action.email.from" field set to just "splunk" without the domain, but they are still going to my junk folder and cannot be marked as a safe sender because there is no domain on the address. Could someone assist with troubleshooting this issue and how to add a domain to the sender address correctly? Thanks.
Hi All, hope everyone is doing well. We are sending data from Demisto to Splunk. But when the data comes to Splunk it is indexed cumulatively: yesterday we got 10 incidents and they were indexed yesterday; today we got 5 incidents, and when indexing the data today it indexes yesterday's 10 incidents along with today's 5 incident details, so we are getting cumulative results. Kindly help me with the same. Thanks in advance, Balaji
Any ideas for troubleshooting clamav not showing up in the Linux dashboard?
Hi, I am getting the below error:

editTracker failed, reason='Unable to connect to license master=https://192.168.0.21:8189 Error connecting: SSL not configured on client'

after running:

sudo ./splunk edit licenser-localslave -master_uri https://192.168.0.21:8189

I have tried removing the SSLpassword from system/local/server.conf, however this has not worked. Thanks, Joe
So we have a search creating a notable event. The search is configured to suppress for 2 days. The search is managed in a Splunk app. If we install a new version of the app, or make any changes to the search, the throttle appears to be reset. My question is whether it is possible to preserve the throttling between app installs or changes to the search? Ultimately what we want to avoid is changes to the app causing duplicate notable events to be created.
Hello, when a user clicks on a panel for drill-down, it shows the relevant records in a new window. I am looking to hide the search query from the end user. I could see some params in the drill-down URL:

display.page.search.mode=verbose
dispatch.sample_ratio=1
display.general.type=statistics

But nothing related to hiding the search query. Is this feasible by passing any additional parameter to the drill-down? Here's a sample dashboard to explain in more detail.

<dashboard>
  <label>test</label>
  <description>Test dashboard</description>
  <row>
    <panel>
      <chart>
        <title>Stats in pie chart</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=ERROR | stats count by host</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</dashboard>

When you click on a slice of the pie chart, it opens a new tab where the search query is visible to the user, which I would like to hide from the end user.
In the above attachment, I created a graph which shows the hourly maximum response time with respect to the request/response pair. Now in the drilldown, when I click on any slot's maximum response time (marked in yellow), I want to show only the logs of that request/response pair (2 events will be in the result) which has this maximum value.

Query used for the graph:

index=salcus sourcetype=ticket_mgmt_rest source=http:ticket_mgmt_rest
| rename "properties.o2-TroubleTicket-ReqId" as REQID
| transaction REQID keepevicted=true
| search eventcount=2
| timechart span=1h eval(round(max(duration),3)) as MaxRespTime count by sourcetype
| fillnull
Hi All, I am looking for a little help with a search today. I am looking to create an alert based on this search that only triggers when the same hostname comes up twice in a row. So far the search I have is below; I am unsure how to include/return two machines of the same name:

index="login_pi" source="WinEventLog:LoginPI Events" SourceName="Application Threshold Exceeded"
| rex field=_raw "Actual value\\\":\s+\\\"(?<actual_value>\d+)"
| search actual_value>=10
| table Target,actual_value,ApplicationName,Title

Here is an example event:

07/14/2021 10:39:49 AM
LogName=LoginPI Events
EventCode=800
EventType=4
ComputerName=RNBSVSIMGT02.rightnetworks.com
SourceName=Application Threshold Exceeded
Type=Information
RecordNumber=1786721
Keywords=Classic
TaskCategory=None
OpCode=Info
Message={
  "Description": "Measurement duration (7.561s) exceeded threshold of 5s (51.22%)",
  "Actual value": "7.561",
  "Threshold value": "5",
  "Measurement": "quickbooksopen_2021",
  "Locale": "English (United States)",
  "RemotingProtocol": "Rdp",
  "Resolution": "1920 × 1080",
  "ScaleFactor": "100%",
  "Target": "BPOQCP01S01",
  "TargetOS": "Microsoft Windows Server 2016 Standard 10.0.14393 (1607)",
  "AppExecutionId": "4ed43186-648c-4e8e-96ee-9e4b52e468cb",
  "AccountId": "a4a6655b-f7ac-4783-aec5-698a146eb2cf",
  "AccountName": "rightnetworks\\eloginpi082",
  "LauncherName": "RNBSVSI23",
  "EnvironmentName": "BPOQCP01S01",
  "EnvironmentId": "bc31c8f6-e8c0-4278-93c3-08d8040960f8",
  "ApplicationName": "QB_2021_Open",
  "ApplicationId": "ece9c6b9-6662-45be-970d-2708603ca13b",
  "Title": "Application threshold exceeded"
}
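An added example (not from the post) that parses the JSON in the Message field and flags a breach whose immediately preceding breach was for the same Target. It reads "twice in a row" as two consecutive qualifying events, ordered by time, naming the same machine; that reading, and the use of spath rather than hand-written regexes, are my assumptions.

```spl
index="login_pi" source="WinEventLog:LoginPI Events" SourceName="Application Threshold Exceeded"
| rex field=_raw "(?s)Message=(?<msg>\{.*\})"
| spath input=msg
| eval actual_value=tonumber('Actual value')
| where actual_value>=10
| sort 0 _time
| streamstats current=f last(Target) as prev_target
| where Target=prev_target
| table _time, Target, actual_value, ApplicationName, Title
```

spath pulls every key out of the JSON, including the ones with spaces, so "Actual value" is referenced with single quotes and converted with tonumber() to keep 7.561 as a decimal rather than truncating it to 7. streamstats with current=f attaches the previous row's Target to each row, and the final where keeps only rows whose predecessor was the same host. Save it as an alert that triggers on Number of Results greater than 0, and make the time window long enough to contain both consecutive events; throttling on the Target field keeps the alert from re-firing for the same machine every run. If "twice in a row" instead means two breaches for the same Target anywhere in the window, replace the sort, streamstats and where lines with "| stats count by Target | where count>=2".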