Hei, we have onboarded data from HP Storage and I am not sure if there is any TA for this technology, or how to properly extract the fields from the logs and then map them to a Data Model. I have many logs there and I'm confused. Thank you in advance.
My team has created a production environment with 6 syslog servers (2 in each of 3 multi-site clusters). My question is: should the two syslog servers be active-active, or one active and one standby? Which would be good practice? And is a load balancer needed here for the syslog servers? Currently some app teams are using UDP and some TCP; basically these are network logs from network devices. What are the differences between a DNS load balancer and an LTM load balancer? Which is best? Please suggest what the good practice would be to achieve this without any data loss. On the syslog servers we have a UF installed which forwards to our indexers.
I am new to Splunk admin; please explain the following stanzas. We have a dedicated syslog server which receives the logs from network devices, and the UF installed on that server forwards the data to our cluster manager. These configs are on the cluster manager under manager apps.
Hello Splunkers, I'm getting proper results without any selection in the input dropdown, and I am able to download the results of that particular table, but when I make any selection in the dashboard, since it has a base search, it loads results with all the fields of the base search rather than the fields mentioned in that table. Here is the query:

<panel>
  <title>Raw Data</title>
  <!-- HTML Panel for Spinner -->
  <input type="text" token="value" searchWhenChanged="true">
    <label>Row Data per Page</label>
    <default>20</default>
    <initialValue>20</initialValue>
  </input>
  <input type="radio" token="field3" searchWhenChanged="true">
    <label>Condition_1</label>
    <choice value="=">Contains</choice>
    <choice value="!=">Does Not Contain</choice>
    <default>=</default>
    <initialValue>=</initialValue>
  </input>
  <input type="text" token="search" searchWhenChanged="true">
    <label>All Fields Search_1</label>
    <default>*</default>
    <initialValue>*</initialValue>
    <prefix>"*</prefix>
    <suffix>*"</suffix>
  </input>
  <input type="checkbox" token="field4">
    <label>Add New Condition</label>
    <choice value="0">Yes</choice>
  </input>
  <input type="dropdown" token="field5" searchWhenChanged="true" depends="$field4$">
    <label>Expression</label>
    <choice value="AND">AND</choice>
    <choice value="OR">OR</choice>
    <default>AND</default>
    <initialValue>AND</initialValue>
  </input>
  <input type="radio" token="field6" searchWhenChanged="true" depends="$field4$">
    <label>Condition_2</label>
    <choice value="=">Contains</choice>
    <choice value="!=">Does Not Contain</choice>
    <default>=</default>
    <initialValue>=</initialValue>
  </input>
  <input type="text" token="search2" searchWhenChanged="true" depends="$field4$">
    <label>All Fields Search_2</label>
    <default>*</default>
    <initialValue>*</initialValue>
    <prefix>"*</prefix>
    <suffix>*"</suffix>
  </input>
  <html>
    <a class="btn btn-primary" role="button" href="/api/search/jobs/$export_sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=Event_Logs&amp;outputMode=csv">Download CSV</a>
  </html>
  <html depends="$showSpinner3$">
    <!-- CSS Style to Create Spinner using animation -->
    <style>
      .loadSpinner {
        margin: 0 auto;
        border: 5px solid #FFF; /* White BG */
        border-top: 5px solid #3863A0; /* Blue */
        border-radius: 80%;
        width: 50px;
        height: 50px;
        animation: spin 1s linear infinite;
      }
      @keyframes spin {
        0% { transform: rotate(0deg); }
        100% { transform: rotate(360deg); }
      }
      <!-- CSS override to hide default Splunk Search Progress Bar -->
      #panel1 .progress-bar { visibility: hidden; }
    </style>
    <div class="loadSpinner"/>
  </html>
  <table>
    <search base="base_search_index">
      <progress>
        <!-- Set the token to Show Spinner when the search is running -->
        <set token="showSpinner3">true</set>
      </progress>
      <done>
        <!-- Unset the token to Hide Spinner when the search completes -->
        <unset token="showSpinner3"></unset>
      </done>
      <query>| sort _time | eval _raw=displayname.","._raw | table _raw | appendpipe [| stats count | where count == 0 | eval _raw="No Data Found for selected time and filters" | table _raw ]</query>
      <done>
        <set token="export_sid">$job.sid$</set>
      </done>
    </search>
    <option name="count">$value$</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <format type="color" field="_raw">
      <colorPalette type="map">{"No Data Found for selected time and filters":#D41F1F}</colorPalette>
    </format>
  </table>
</panel>
Hello, in Splunk Enterprise Security we would like to make it mandatory to define a notable owner before a notable can be closed. We would like to avoid having closed notables without an assignee/owner. Is there a way in Splunk Enterprise Security to make the owner required in order to close a notable? Thank you very much in advance. Happy Splunking. Raphael
Hello guys, I need help with a dropdown. Basically I have this "Stage" column on a Splunk Classic dashboard, in which I can choose the stage of the data. But when I reload the page or open the dashboard in a new tab (or log in on another device), it returns to the default value, which is Pending. This is the XML and the a.js I use:

------XML-------

<dashboard version="1.1" script="a.js">
  <label>Audit Progression Tracker</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="field2">
      <label>Domain Controller</label>
      <choice value="dc1">Domain Controller 1</choice>
      <choice value="dc2">Domain Controller 2</choice>
      <choice value="dc3">Domain Controller 3</choice>
      <fieldForLabel>Choose DC</fieldForLabel>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="table_id">
        <search>
          <query>
            index="ad_security_data" | where status ="failed" | table checklist_name, name, mitigation | eval Stage="Pending"
          </query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

------a.js----------

require([
  'underscore',
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/tableview',
  'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
  console.log("Script loaded");

  var StageDropdownRenderer = TableView.BaseCellRenderer.extend({
    canRender: function(cell) {
      console.log("Checking cell for Stage column:", cell.field);
      return cell.field === "Stage";
    },
    render: function($td, cell) {
      console.log("Rendering cell for Stage column");
      var dropdownHtml = `
        <select>
          <option value="Pending" ${cell.value === "Pending" ? "selected" : ""}>Pending</option>
          <option value="Proceeding" ${cell.value === "Proceeding" ? "selected" : ""}>Proceeding</option>
          <option value="Solved" ${cell.value === "Solved" ? "selected" : ""}>Solved</option>
        </select>
      `;
      $td.html(dropdownHtml);
      updateBackgroundColor($td, cell.value);
      $td.find("select").on("change", function(e) {
        console.log("Selected value:", e.target.value);
        updateBackgroundColor($td, e.target.value);
      });
    }
  });

  function updateBackgroundColor($td, value) {
    var $select = $td.find("select"); // Select the dropdown (the <select> element)
    if (value === "Proceeding") {
      $select.css("background-color", "#FFD700");
    } else if (value === "Solved") {
      $select.css("background-color", "#90EE90");
    } else {
      $select.css("background-color", "");
    }
  }

  // Get the table and apply the custom renderer
  var table = mvc.Components.get("table_id");
  if (table) {
    console.log("Table found, applying custom renderer");
    table.getVisualization(function(tableView) {
      // Add the custom cell renderer and re-render the table
      tableView.table.addCellRenderer(new StageDropdownRenderer());
      tableView.table.render();
    });
  } else {
    console.log("Table not found");
  }
});

All I want is to keep it intact whatever I do, and have it turn back to Pending every day at 8 A.M. Thanks for the help.
Hello Splunkers!! Hope all is good. I have created a new role in Splunk and added some users to that role. I need to restrict the users of that role so that they are not able to see the "All Configurations" option in Settings. Please help me: what settings should I change to get this result? This is what I have done so far, but nothing works for me:

[role_Splunk_engineer]
list_all_configurations = disabled
edit_configurations = disabled

Thanks in advance.
I am pretty new to Splunk and my project is also new. Can someone please explain the configurations given on our cluster manager? We have a syslog server which receives logs from F5 WAF devices, and the UF on the syslog server forwards the data to our cluster manager.
I am trying to integrate Group-IB with Splunk. I installed the app and entered my API key and username, after which it redirects to the homepage, but all my dashboards are empty and no indexes are created. How can I troubleshoot or fix it?
I am trying to add an EXTRACT-field command in Splunk Cloud. I added the regex; it works in search and captures the value, but the field is not populated when applied via the props.conf file. The value I want to extract is "Stage=number". The regex I created is:

EXTRACT-Stage = Stage=(?<Stage>\d+)

What could be the reason?
How can I troubleshoot slow search performance in Splunk when searching across large datasets?
Hello, can you help me out? How can I find a listing of all the universal forwarders that I have in my Splunk environment?
I tried to search data with a dynamic script:

| ecs "opensearch_dashboards_sample_data_flights" "{ \"from\": 0, \"size\": 1000, \"query\": { \"match_all\": {} }, \"script_fields\": { \"fields\": { \"script\": { \"source\": \\\"def fields = params['_source'].keySet(); def result = new HashMap(); for (field in fields) { def value = params['_source'][field]; if (value instanceof String && value.contains('DE')) { result.put(field, value.replace('DE', 'Germany')); } else { result.put(field, value); }} return result;\\\" } } }, \"track_total_hits\": true }" "only"
| table *

But it is not working. I think the problem is in my source command, but I don't know how to fix this:

\"source\": \\\"def fields = params['_source'].keySet(); def result = new HashMap(); for (field in fields) { def value = params['_source'][field]; if (value instanceof String && value.contains('DE')) { result.put(field, value.replace('DE', 'Germany')); } else { result.put(field, value); }} return result;\\\"

I hope someone can help me fix this. Thank you very much for spending time on my issue.
"Could not contact master. Check that the master is up, the master_uri=https://10.0.209.11:8089 and secret are specified correctly on IDX."

I went in and fixed the previous error with the password, but I still have this error. I would like to learn how to troubleshoot my issue. Would someone be willing to come on Zoom and assist me?
Hello Esteemed Splunkers, I have a long question, and I wish to have a long and detailed discussion ^-^

First of all: we have a distributed environment:
- Deployer with 3x search heads.
- Indexer master with 3x indexers.
- Deployment server with 2x heavy forwarders.

We want to deploy "Splunk_TA_fortinet_fortigate"; the below is the content. The questions are:
- Should we deploy this app from the deployer to all search heads?
- Should we deploy this app from the indexer master to all indexers?
- Should we deploy this app from the deployment server to all heavy forwarders?
- Should we rename the default folder to local?

In a nutshell, what should we do and which considerations should we look at? Thanks in advance!
All, I am currently working with the Splunk Add-on for Microsoft Office 365. The default regex in transforms.conf for extract_src_user_domain and extract_recipient_domain only extracts the last two parts of an email domain, so a domain like bank.co.in is returned as co.in.

Current:

[extract_src_user_domain]
SOURCE_KEY = ExchangeMetaData.From
REGEX = (?<SrcUserDomain>[a-zA-Z]*\.[a-zA-Z]*$)

[extract_recipient_domain]
SOURCE_KEY = ExchangeMetaData.To{}
REGEX = (?<RecipientDomain>[a-zA-Z]*\.[a-zA-Z]*$)
MV_ADD = true

I suggest updating it to be in line with the messagetrace regex:

[extract_messagetrace_src_user_domain]
SOURCE_KEY = SenderAddress
REGEX = @(?<src_user_domain>\S*)

[extract_messagetrace_recipient_domain]
SOURCE_KEY = RecipientAddress
REGEX = @(?<recipient_domain>\S*)

Thanks,
I tried to upload a zip file. It showed "Upload failed ERROR: Read Timeout." I am using Windows. The file size is 1910KB. Also, I successfully uploaded some files (not zip), but they are not displayed in the data summary. Please help. Thank you.
Hi, I am trying to instrument a service in Kubernetes that runs on Apache. I have looked for a Docker image I can use, but I could not find one. Please point me in the right direction.
Hi, I am using DB Connect 3.18.1 to collect SQL audit logs from the sys.fn_get_audit_file function. When I use event_time as the indexing column, no events are collected and there are no error messages. But when I changed the indexing mode to Current, the audit events were logged to the indexer. No logs were collected when I used event_time as the indexing column, and I did not see any useful or error messages in the debug logs. I appreciate any help or tips. Thanks,
I want to extract the error code from the text below, but I am getting "unexpected closing tag". The name of the column in the database is SERVICE_RESPONSE.

Text:
Service execution forgetGCPPauseAndResumeCall Failed. Error -> Status Code - > 404, Status Text -> Not Found, Response Body ->{"message":"HTTP 404 Not Found","code":"not found","status":404,"contextId":"c496bcae-115b-456c-a557-3d5e2daae0b8","details":[],"errors":[]}. Check Business audit for more details

Solution 1:
| rex field=SERVICE_RESPONSE "\"status\"\s*:\s*(?P<ERROR_CODE>\d+)"
// the above expression gives "unexpected close tag"

Solution 2:
| rex field=SERVICE_RESPONSE "&lt;dqt&gt;status&lt;dqt&gt;\:(?P<ERROR_CODE>.\w+)"