Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi Everyone, I am using timechart on two identical queries whose sorting is different, but the same values are coming back for both queries. Can someone guide me why? Below are my queries:

index=abc source="/splunkLogs/JOB_NIFI_STATS_FOR_PLATINUM.csv"| eval fields=split(_raw,",") |eval Environment=mvindex(fields,10)|eval NIFI_PG_ID=mvindex(fields,9) |eval JOB_EXEC_TIME=mvindex(fields,5)|eval RunDate2=mvindex(fields,8)|eval JOB_STATUS=mvindex(fields,2)|eval JOB_NM=mvindex(fields,0)|where Environment="E3"|eval Run_Date=strptime(RunDate2,"%Y%m%d") |fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart sum(JOB_EXEC_TIME) as TotalExecTime by JOB_NM |eval TotalExecTime=round(TotalExecTime,2)|sort -TotalExecTime

index=abc source="/splunkLogs/JOB_NIFI_STATS_FOR_PLATINUM.csv"| eval fields=split(_raw,",") |eval Environment=mvindex(fields,10)|eval NIFI_PG_ID=mvindex(fields,9) |eval JOB_EXEC_TIME=mvindex(fields,5)|eval RunDate2=mvindex(fields,8)|eval JOB_STATUS=mvindex(fields,2)|eval JOB_NM=mvindex(fields,0)|where Environment="E3"|eval Run_Date=strptime(RunDate2,"%Y%m%d") |fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart sum(JOB_EXEC_TIME) as TotalExecTime by JOB_NM |eval TotalExecTime=round(TotalExecTime,2)|sort TotalExecTime

Can someone guide me where I am wrong?
Hello, I am trying to figure out how to have Splunk detect multiple application control violations on the system. Looking to have the alert trigger if there are more than 5 Windows events from a single IP source. Does anyone know how I can go about this?
Hello, I am trying to monitor if a machine was booted to safe mode. Essentially, if there are more than 5 service dependency failures from a single IP address, the alert should trigger. Does anyone know how I can go about this?
Hello, I am trying to figure out how to monitor for a successful removal/installation of software in the environment (mainly MSI) using Splunk. Does anyone know how I can go about this?
I have Splunk App for Infrastructure installed on the Linux servers, and on one of the servers the status shows as inactive, yet data is being collected from that server. Is there something I am missing?
Hi! Please clarify: can I deploy my private apps to my Splunk Cloud Trial? I'm at a loss because I can't see a "select file" button (or anything similar to what we have in Splunk Enterprise) to choose the archive with my app. Thank you!
Hi everyone. I'm trying to get this query going with one search but I can't seem to do that. I can only get it to work when I separate it into two queries. Here are the two queries.

Query1: index=wineventlog NewObjectDN="*OU=blue*" OldObjectDN=*"Rad Users"* signature_id=4147

Query2: index=wineventlog NewObjectDN="*OU=blue*" OldObjectDN=*"Fad Users"* signature_id=4147

The field OldObjectDN has multiple values I'm trying to combine into one search. What would the proper syntax be?
I have a csv file that I am monitoring with the props.conf for the sourcetype associated with this file with the parameter CHECK_METHOD = modtime set. This works well, but I occasionally have a scenario where I need to get the fishbucket to "forget" the file being monitored.

I tried the usual procedure using btprobe and reset:
$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ --file < full path of somefile.csv> --reset
btprobe says it is unable to find the file.

I further went down this rabbit hole and tried to find the hash of the file in question, but once again no luck.
$SPLUNK_HOME/bin/splunk cmd btprobe --compute-crc < full path of somefile.csv>
Using logging configuration at /opt/splunkforwarder/etc/log-cmdline.cfg.
crc=0x5db5b08c29b4b08d decimal=6752497332353544333
I used the crc and tried to grep for it:
$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | egrep 0x5db5b08c29b4b08d

$SPLUNK_HOME/bin/splunk cmd btprobe --compute-crc < full path of somefile.csv> -salt < full path of somefile.csv>
Using logging configuration at /opt/splunkforwarder/etc/log-cmdline.cfg.
crc=0xa5cb29c8fe9d6ace decimal=11946688379772299982
I used the crc and tried to grep for it:
$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | egrep 0xa5cb29c8fe9d6ace

I tried this too. I *know* the splunkforwarder is monitoring the file, as btools & inputslist and monitor etc. are all showing the file. What am I missing? Any help is greatly appreciated. I am really stumped here.
I am wondering if someone can tell me of a way to use the API or CLI to create custom content definitions in Splunk Security Essentials. I have reviewed the documentation at https://docs.splunksecurityessentials.com/ and there doesn't seem to be any specific information on it.
I recently submitted an app to SplunkBase. I need to transfer ownership of the app to the company I work for. Who can I contact about transferring ownership? I've emailed splunkbase-admin@splunk.com but I haven't heard back from them. Any tips? Thank you, Marco
I am getting "requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url" error for Cortex XDR add-on.
Hi there, I have a challenge which I am not sure is possible in Splunk. I have directory data with documents. On a dashboard I show a directory structure:

... | chart c by Directory extention | addtotals fieldname="Total" labelfield=Directory col=t

Directory    doc   docx  dot  Total
DIRA\DIRB    1462  1450  167  3079
Total        1462  1450  167  3079

The user is able to click on a directory to drill down, and it shows the next subdirectory:

Directory        doc   docx  dot  Total
DIRA\DIRB\DIRC1  1000  450   167  1617
DIRA\DIRB\DIRC2  462   1000  0    1462
Total            1462  1450  167  3079

Next:

Directory              doc   docx  dot  Total
DIRA\DIRB\DIRC1\DIRX   900   0     166  1066
DIRA\DIRB\DIRC1\DIRY   100   1450  1    1551
Total                  1000  1450  167  2617

And so on. My goal is this: I would like my output to look like this, with separate directory columns in the chart layout. The reason is I want to be able to go back to a higher directory level, and this value should be clickable:

dir1  dir2  dir3   doc   docx  dot  Total
DIRA  DIRB  DIRC1  1000  450   167  1617
DIRA  DIRB  DIRC2  462   1000  0    1462

Is this somehow possible? Regards, Harry
Can you have any script to install Splunk forwarder on the ec2 Linux machine via user data?
Hi, I'm struggling to get a complete extraction on any fields that contain double quotes. The payload:

2021-05-25 07:59:04.000, auditId="17864172953", groups_groupId="4639", groupName="some group name", people_personId="625841", users_userId="152321", userLogin="field-removed", userStaffFlag="false", auditIP="111.222.333.444", auditMod="Module", auditMessage="Module: "mod1" is not present in a check, Module: "mod2" is not present in a check, Module: "mod3" is not present in a check, Module: "mod4" is not present in a check, Module: "mod5" is not present in a check, Module: "mod6" is not present in a check, Module: "mod7" is not present in a check, Module: "mod8" is not present in a check, Module: "mod9" is not present in a check, Module: "mod10" is not present in a check", auditDate="2021-05-25 07:59:04.0", auditType="info", auditRID="88827e1f-d157-46d5-b1b4-20b91d4440a4", auditMicroSeconds="0.0000"

In this example, it's the "auditMessage" key that will not extract completely and stops at the first "Module: "<-- The regex

(\w+)="(.*?)"

gets me most of the way there (regex101), but doesn't work in Splunk. My Fu has failed me.
I have an issue: the field which is not in the second sourcetype, used as a filter, is not getting filtered. The Environment field is not available in Sourcetype2, but I need to filter the entire search using all the filter values below. When I filter with environment (like DEV) now, the values are not getting changed; instead it has values for acct_environment="*" by default. Below is the code:

index=index1  sourcetype=Sourcetype1|fillnull value=Unspecified Rule_Severity|fillnull value=""|search Account_Environment="DEV" Account_Name="*" Baseline_Tested="AWS Certificate Manager Security Baseline" Rule_Severity="*" Rule_Name="*" Attestation_Classification="*" Cloud_Platform="*"| join type=left Baseline_Tested [search index=index2 sourcetype=Sourcetype2|fillnull value=""|eval PercentOf_Compliance_Assets=round((PercentOf_Compliance_Assets)*100,2)|eval PercentOf_Tests_Automated=round((PercentOf_Tests_Automated)*100,2)]|stats values(CountOf_Assets) as "# Tests Ran",values(CountOf_Compliant) as "# Compliant Tests", values(CountOf_Noncompliant) as "# Noncompliant Tests",values(PercentOf_Compliance_Assets) as "% Test Compliance", values(CountOf_Rules) as "# of Rules Checked",values(CountOf_Tests_MachineCheckable) as "# Automated Checks",values(CountOf_Tests_ManuallyAttested) as "# Manual Attested", values(PercentOf_Tests_Automated) as "% Automated Checks" values(Account_Environment) as Environment by Baseline_Tested|rename Baseline_Tested as "Baseline Tested"
Hi everybody. I'm back using Splunk after some years, so I'm a bit "rusty". This is my scenario: suppose I have a network with some hosts, both workstations and servers. I know only that an antivirus is installed on them, but not which one for all of the hosts. What I know is:
1. Some hosts have Windows Defender, others do not.
2. The Windows Defender logs are configured to be sent to Splunk.
The other data missing is: how are the hosts with Defender configured to get data? With a Splunk app? This is data I do not have. So, my question is: is there a Splunk query that I can use to discover whether Defender is running or not, formatting the result to show the hostname of every machine?
Hi. I would like to understand why Splunk does not close a transaction with only 1 event if I force a STARTSWITH parameter... I tried all possible parameters, but with STARTSWITH there's no way, the transaction is dropped...

timestamp ..... user=XXXXXXXXXXXXXX action=login_do from=127.0.0.1 status=failed

.... | transaction maxevents=-1 user from startswith="login_do" ... no events returned...

.... | transaction maxevents=-1 user from ... event caught!!!

Thanks.
I want to upgrade Python 2.7 to Python 3.7 to work with Splunk Enterprise 8.1 version. Can someone please guide me through the migration path of python?
Hi, I am currently working on getting our Sophos Central Cloud logs into Splunk. I have the 1st step out of the way in that I have the logs being ingested fine. I am however having some difficulty in getting them into the correct index. Following the documentation here: Configuration - Splunk Connect for Syslog (splunk-connect-for-syslog.readthedocs.io), I am planning to add the following to the splunk_metadata.csv:

sophos_sophos central_Event::Endpoint::UpdateSuccess,sourcetype,sophos:endpoint:update:cef,index,sophos
sophos_sophos central_Event::Endpoint::WebControlViolation,sourcetype,sophos:endpoint:update:cef,index,sophos

Based off the following 2 examples, do these appear correct? Many thanks, Shaun
My local drive doesn't appear in monitoring data in files and directories. Does anyone know how to make my local drive visible?