All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
I am extracting data from longer events and the regex fails with the error below. Please help with an efficient expression. I had tried increasing the depth_limit, but it is still throwing the error.
I write blog posts for the blue team; can I use Splunk for demonstration purposes?
Good day! I want to know if it's possible to use Splunk as a recovery option. This means that Splunk will be sending messages to IBM MQ based on the queue set up. From what I know, MQ can be set up as the source of the message in Splunk: MQ Queue --> Splunk. I wanted to know if this is possible: Splunk --> MQ Queue? And how? Any idea?
I have 2 types of logs from one source where I need to map fields vs values. I don't want to create complex regex as they are from structured data, so how do I create fields and values from events:

May 27 07:51:49 TESTHOSTTEST TESTDEVTEST_11.2.0.125: User '' (root) : FAILED: Sign On, ID: 123220127, InstID: 7653, IPAddress: 111.222.213.238, FolderID: 0, Username: root, AgentBrand: TEST DEV SSH, AgentVersion: 11.2.0.0, DEVSize: 0, Error: 2976, Message: Failed to sign on: This IP address has been locked out.

May 27 07:51:34 TESTHOSTTEST TESTDEVTEST_11.2.0.125: User 'BLA BLA DI' (ei4o2f18pcsuo5tp) : Download File, ID: 123220102, InstID: 7653, IPAddress: 333.222.231.94, FileID: 770879833, FileName: 16680_Signup Detail_20210527 01-49-18-86.csv, FolderID: 472070079, FolderPath: /Home/test/TestWorks/Enhanced Affiliate Signup Reports, Username: TEST, AgentBrand: Chrome Browser, AgentVersion: 90.0.4430.212, DEVSize: 739698, Parm2: 0, Error: 0
Hi, our event size is set to the default 10,000 bytes. We are using the universal forwarder to get log events to our indexing machine. However, we have some log lines that output 1-200KB of data. It's okay for this data to be shortened to 10,000 bytes, but I'm curious how many bytes are being counted towards our daily license in this setup. Is it the 10,000 bytes? Or is it the full 1-200KB of data? I guess another thing I'm not clear on is -- does the shortening happen on the forwarder side or the indexer side? Thanks for any insight you can provide! Som
Hi, brand new to Splunk here. I've been using it about 1 month. I have a lookup file, all_identities_prod.csv, that has a single column of identities (these look like email addresses) and the column name is 'identity'. What I've been trying to do is to compare the identities in the file with the result of a 30 day search to find identities that are in the lookup file but not in the search results. I've tried this many different ways. Maybe using a lookup file for this isn't the best idea. I don't know. Here's an example of what I've been trying. A subsearch seemed like the best idea.

| inputlookup all_identities_prod.csv where NOT [search index=sec ab_id=cvo host=xxx-xxxx* identity="*" | dedup identity] | table identity

I have to obfuscate the host name, understandably. What I get back from this is the full list of the identities in the lookup file. I think the comparison function is where I'm lost. Any ideas? Maybe a better way of doing this altogether? Thanks in advance.
I have the search to get the max number of hours without events for feeds. It works just for one index. It wouldn't work with more than one index. How can I get it to work for multiple indexes?

index=feed1 OR index=feed2 | bucket _time span=1h | stats count as event_count by _time, index | search event_count!=0 | delta _time as mydelta | eval number_of_zeros=floor(mydelta/3600)-1 | stats max(number_of_zeros) by index
Hi, I'm trying to get non-matching IDs from the first search to the second search. E.g.: I have 10 IDs from the first search and only 5 IDs are matching the second; I need to display the other non-matching IDs from the first search.

1st search:

ID    name   joined_date
100   a      01/01/2000
150   b      02/01/2000
200   c      03/01/2000
250   d      04/01/2000
300   e      05/01/2000
350   f      05/01/2000
400   g      06/01/2000
450   h      06/01/2000
500   i      07/01/2000
550   j      08/01/2000

2nd search:

Cust_id   name   joined_date   last_date
100       a      01/01/2000    12/01/2001
150       b      02/01/2000    12/01/2002
200       c      03/01/2000    11/01/2001
250       d      04/01/2000    10/01/2001
300       e      05/01/2000    12/01/2005

Result set:

ID    name   joined_date
350   f      05/01/2000
400   g      06/01/2000
450   h      06/01/2000
500   i      07/01/2000
550   j      08/01/2000

I have tried using a NOT condition:

index=abced_dev business=finance |dedup id | table ID name joined_date NOT [search index=xxxyz business=audit |dedup Cust_id |rename Cust_id as ID |table ID name joined_date] |table ID name joined_date

Thanks
I can't start the forwarder; I get this error: Starting splunk server daemon (splunkd)... SplunkForwarder: Unable to start the service: Access is denied.
Hello, I want to install the universal installer on a Windows 2016 server. I proceed according to these instructions: in point 3, reference is made to the installation instructions for Linux. I downloaded the splunkclouduf.spl. Is this the point about Linux or not? Install the following app by entering the following command: /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl. How do I install the credentials on a Windows machine? Many thanks!
Hello, I am having an issue with my data being changed from what exists. Is there potentially a field limit on dashboards? I am using a chart command by work_center and two of my work_centers are getting cut off and the information is being put under "OTHER". The line of code in question is: | chart values(measure) over statistic by work_center Here are two pictures to prove things exist beyond 1CAP7.
How do I add a horizontal and vertical line to a bubble chart at the 0 mark on the x and y axes? Similar to the ones that I drew in this picture. I saw some articles that show how to do it in a timeline, but they don't seem to work in a bubble chart.
Hello, we have some raw data with one field wrong from April. But we cannot reload data from the source. Is there any way that we can modify only one field? For example:

_time     id   name   value
20210406  1    "SMT"  60     to be   20210406  1    "Node"  60
20210416  100  "SMT"  80     to be   20210416  100  "Node"  80
@samsnguy_cisco Hi Samson, the current version 2.0.1 of Cisco AMP for Endpoints Events seems to cut off the "Vulnerable Application Detected" JSON. It appears that if there is a large amount of CVE info, it tends to leave the event incomplete and does not format the JSON correctly. I don't know if it is the behavior of the response or not. When running the Python manually, it appears to do the same thing from api.amp.cisco.com. A limitation of the size of the JSON response. Would this be correct? Thanks, John
Hello, I have events that look like this:

2021-05-27 14:33:44 UserId:123 Begin Fix for Issue:4354657687    <-- extra/delayed event logged after fix
2021-05-27 14:33:43 UserId:123 Fix Success!
2021-05-27 14:33:01 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:32:32 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:32:08 UserId:123 Begin Fix for Issue:4354657687
2021-05-27 14:31:47 UserId:123 Fix Success!
2021-05-27 14:31:25 UserId:123 Begin Fix for Issue:4353228391

I am making a search to return instances where a new issue has started but has not yet been fixed. If I grab the latest event and it begins with "Begin Fix", I am currently taking that and using it to calculate the duration where an issue is considered "ongoing". However, in some cases, my events occur so that there is an extra event with the same issue ID that occurs AFTER the fix has occurred. How should I go about this to only grab the latest event if its issue ID has not been fixed yet?
What would be 7-10 critical alerts admins can set up on all Splunk / ES servers to be alerted about during daily checks?
Hi, I have logs coming from 5 servers; consider that each sends status data every time there is a change in status. So I want to create a dashboard where it shows the server name and status as a single value panel. The challenge here is, whenever a new log comes from a server, that status should be updated in the dashboard panel, like real time, so the old value will be replaced with the new status value. Example: ABC Server Status:Down. When a new log comes with the server up status: ABC Server Status:Up. Like this I need to update some fields based on recent log values. Thanks in advance!
I have a dashboard panel configured to set a token called Tok_User to click.value2, and another token called temp_search that sets the value to user=$Tok_User$. In another panel, I have an HTML button that opens ES incident review using the following URL format:

<html>
<style>.btn-primary { margin: 5px 10px 5px 0; }</style>
<a href="https://mysplunkurl:8000/en_us/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=-7d@d&amp;latest=now&amp;form.status_form=*&amp;form.owner_form=*&amp;form.security_domain_form=*&amp;form.srch=$temp_search$&amp;form.selected_urgency=critical&amp;form.selected_urgency=high&amp;form.selected_urgency=medium&amp;form.selected_urgency=low&amp;form.selected_urgency=informational&amp;form.source=A_Src_I_Want&amp;form.source=Another_Src_I_Want&amp; target="_blank" class="btn btn-primary">Review New Activity</a>
</html>

The sources fill in just fine, but in the search only "user" comes over, not user=<theclickvalue2username>. What am I missing to get this to transition properly?
I have a preliminary search of a web-server-like log that looks like:

index=whatever Method=GET | where Response in (200,404) | replace 200 with "Hit", 404 with "Miss" in Response

There is also a User field. I want to:
1. Calculate the percentage of misses from the total, e.g., p = misses / (hits + misses), by User.
2. Show the Hits & Misses for only those users where the percentage of misses exceeds some percentage, say 50%.

How can I add to the search to get what I want? Thanks.
field1=abcdCheck:123456wxyz, sdfCheck:234567qwe

I want to get the result as Check:123456