I have a file which I uploaded once (say 1 year ago), I uploaded it again (say 6 months ago) with some changes, and then I uploaded the same file again recently with some changes. But I want to display only the latest file and the latest-1 version of the file, i.e. if I upload a file for the nth time, I only want to compare the nth and (n-1)th files, and grab the event(s) which differ between them. Can anyone help?
Hi there, I am trying to construct a search query which checks the ASN a user logs in from within a time period. I would like to exclude all results where the ASN value is the same for all logins for a user. Is there a way to do a compare of results based on both user and ASN within one search?
I have Splunk Enterprise + ES. We initially targeted a long list of servers on premises and in the cloud to report into Splunk and ES. I need to take an inventory of all servers and regions, making sure I am watching the "entire" herd. How do I accomplish this please? Thank you in advance.
Hi, While adding an HEC input on the Splunk heavy forwarder, Splunk does not provide the option to select the app. I am using Splunk version 8.1.3 and build 63079c59e632. Is this a bug in the web interface in version 8.1.3, or has the option been removed for some reason?

HEC input addition screenshot:

Thanks, Termcap
Hi, We would like to use AppD as a centralized log management solution and would like to know how to get all the logs stored in AWS CloudWatch and Lambda service logs into AppD. After that, we want to use log analytics to do some analysis on the logs pushed to AppD and visualize the metrics to get meaningful insights. I would need clear steps to implement the log management solution for the above requirement. Regards, Manojkumar Tenali.
Hi! I am trying to create something similar to the transaction scorecard with some business rules and saving each calculated % for dashboards and reports. For example: Login 99.30% availability in the time range, where we calculate this by doing "Number of Transactions - Transactions with Technical Errors / Number of Transactions" from a set of business transactions. We want to see this online and also to have a daily and monthly ratio. I tried this query, which gives me the number that I want:

SELECT 100.0 * filter(count(*), userExperience != "ERROR") / count(*) FROM transactions WHERE application = "application example" AND transactionname = "login business transactions example" SINCE 1 minutes

But I cannot save that as a metric, and also it is not exact when trying to see a 1 month period. Is there a way to calculate this? Is it possible to use Experience Level Management? Regards
Hello, I have completed the BOTSv1 investigation. But when it comes to BOTSv3, it is about cloud. May I know how to do reconnaissance if no information is provided? I only found cloud sourcetypes such as aws*. After that I do not have any idea how to continue the reconnaissance. https://www.youtube.com/watch?v=q4LmktgWsRE&t=230s Please kindly help and advise. Thank you
Dear All, I am trying to store some aggregated values so that my query will perform better when the search time range is 6-8 months.

Use case:

_time                Environment  BG  ApplicationName  Interface  ErrorType
22-05-2021 01:12:33  E            B   K                Z          TimeOut
22-05-2021 01:13:33  E            B   K                Z          HttpConnectivityErr
22-05-2021 01:14:33  E            B   K                Z          TimeOut
22-05-2021 01:15:33  E            B   K                Z          HttpConnectivityErr
22-05-2021 01:16:33  E            B   K                Z          TimeOut
22-05-2021 01:17:33  E            B   K                Z          HttpConnectivityErr
22-05-2021 01:18:33  E            B   K                Z          HttpConnectivityErr
22-05-2021 01:19:33  E            B   K                Z          HttpConnectivityErr

Expected Output (bin span 4m _time):

_time                Environment  BG  ApplicationName  Interface  ErrorType(multiValue)
22-05-2021 01:12:33  E            B   K                Z          TimeOut_2
                                                                  HttpConnectivityErr_2
22-05-2021 01:16:33  E            B   K                Z          TimeOut_1
                                                                  HttpConnectivityErr_3

What I want is, for a span of 4 min, the unique "ErrorType" values along with their counts, grouped by Environment, BG, ApplicationName, Interface. Please help me out with it. Regards, Santosh
Hello Everyone, I am starting my investigation after completion of BOTSv1 and 2. When it comes to BOTSv3, it is talking about a cloud incident. I have been thinking of how to perform reconnaissance. I have learnt the reconnaissance in BOTSv1 and 2, but when it comes to BOTSv3, it is quite different. I am aware that BOTSv3 provides the CTF questions to visualize the timeline of the attacks. May I kindly know whether there is another way to visualize the attack series using the MITRE ATT&CK Framework and the Lockheed Martin Cyber Kill Chain, and the timeline of the critical events for this BOTSv3?

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Actions on objectives

Could you kindly help? Thank you
Hi Guys, I am somewhat of a novice, and confusion has struck. Where does the | where clause go in the query? Is it before stats typically, or after, at the end of the query? Also, AND: I understand to use this when I want, for example, both burger and fries, so like I want my results to show me both burger and fries, so I would query (burger AND fries). Or is this OR instead of AND? When would I use OR instead? I would like just some brief examples. Thanks in advance
Hello, I am doing the Splunk Fundamentals module 4 lab. After ingesting the data it's nowhere to be found. Please help.
Hello. I've installed Splunk Enterprise for Windows x64 on my Windows 10 machine for training purposes. I am working on the Splunk Fundamentals_Module 4 Lab. In Task 2: Ingest Web Application Data into Splunk Enterprise, Step 8: There is no Add Data icon displayed; go to the Home app by clicking the Splunk Enterprise logo in the upper left corner of the interface. Please help getting the Add Data icon to display. Thank You, RB
Hello, I am trying to get only the events from my logs that have started a task (in this case, going to a room) and have not ended their task. So for instance I may have two different sets of events for a user (each example is below). In this first example, I would want to retrieve the fourth event because it is the latest "Go To Room" (or start task) that starts but does not have another event letting us know that it had left room 28 (there isn't an end task with the same field value of 28).

2021-05-21 16:34:22 UserId:123 Exit Room: 26
2021-05-21 16:34:12 UserId:123 Exit Room: 24
2021-05-21 16:34:08 UserId:123 Exit Room: 25
2021-05-21 16:33:59 UserId:123 Go To Room: 28
2021-05-21 16:33:52 UserId:123 Exit Room: 23

In this second example, I would NOT want to retrieve anything because the latest "Go To Room" task is finished with an "Exit Room" task with a matching field value of 28.

2021-05-21 16:34:22 UserId:123 Exit Room: 26
2021-05-21 16:34:12 UserId:123 Exit Room: 28
2021-05-21 16:34:08 UserId:123 Exit Room: 25
2021-05-21 16:33:59 UserId:123 Go To Room: 28
2021-05-21 16:33:52 UserId:123 Exit Room: 23

How should I go about this to retrieve the events I want?
Hi, given the below input (4 mins of sample access log data):

_time,URI,Bytes
2021-05-18 02:01:00,a,1
2021-05-18 02:01:00,a,1
2021-05-18 02:02:00,a,1
2021-05-18 02:03:00,b,1
2021-05-18 02:03:00,b,1
2021-05-18 02:04:00,a,1

Assuming a window of 2 mins from (2:01:00.000) to (2:03:00.000), I want to perform some computations (average and standard deviation of bytes grouped by URI) as below:

source="ds1.csv" host="vgspl11hr" index="sfp" sourcetype="csv"
| table _time,URI,Bytes
| timechart span=1m avg(Bytes) AS avg_bytes, stdev(Bytes) AS std_bytes by URI limit=0
| fillnull value=""
| untable _time Measure Value
| eval Metric=mvindex(split(Measure,": "),0),uri=mvindex(split(Measure,": "),1)
| fields - Measure
| eval time_uri=_time."__".uri
| fields - uri - _time
| xyseries time_uri Metric Value
| eval _time=mvindex(split(time_uri,"__"),0),uri=mvindex(split(time_uri,"__"),1)
| fields - time_uri

For the exact time window between 5/18/21 2:01:00.000 AM and 5/18/21 2:03:00.000 AM, below is the output:

_time                uri  avg_bytes  std_bytes
2021-05-18 02:01:00  a    1          0
2021-05-18 02:02:00  a    1          0

So the timechart performed the computations on the existing URIs in the first 2 mins time window, in that case URI=a. However, I want the timechart to consider the existence of URI=b. Is there a way to have the timechart consider all the values of the URI in the computation, even if not all of the URIs exist in that time window? I need the output to be as below in the first 2 mins time window:

_time                uri  avg_bytes  std_bytes
2021-05-18 02:01:00  a    1          0
2021-05-18 02:01:00  b
2021-05-18 02:02:00  a    1          0
2021-05-18 02:02:00  b

Is that possible? I would really appreciate it if you could help me.
We had a system integrator install and configure SC4S, and I'm trying to understand the configuration afterwards. I've been going through this document, and I'm confused by something pretty early on. The document says I should see the following in env_file:

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://splunk.smg.aws:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=a778f63a-5dff-4e3c-a72c-a03183659e94
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

Instead, this is what I see:

SPLUNK_HEC_URL=<***my urls***>
SPLUNK_HEC_TOKEN=<***my token***>
#Uncomment the following line if using untrusted SSL certificates
SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no

This clearly works, but I'd like to understand why. Is "SPLUNK_HEC_URL" functionally equivalent to "SC4S_DEST_SPLUNK_HEC_DEFAULT_URL", and likewise "SPLUNK_HEC_TOKEN"? Is the documentation old, or is my sc4s old?
I have a summary index for the hourly event count of a feed. The feed has some hours with the event count empty. How can I get the maximum number of consecutive hours with no event? In the following example, the maximum number of hours without an event is 3.

Time        Hourly Event Count
hour 01:00  235
hour 02:00
hour 03:00
hour 04:00  67
hour 05:00
hour 06:00  43
hour 07:00
hour 08:00
hour 09:00
hour 10:00  87
Hi all, I have the following events:

source_host=lioness1 source_host_description="This is the main server"
source_host=lion source_host_description="This is SQL server"

I need to extract the description, which is all the text between double quotes, and assign it to the field description. Would you please help?
Hello everyone, is there a way to import a CSV file and then use it as a search parameter to search for events within an index in Splunk? I am trying to find the total bill cost of some patients in a hospital, but I am only interested in some IDs I have in a CSV file. I use this code to find the total bill amount:

index="rea_host" search ID=* AND bill_due=* | stats values(bill_due) by ID

I am trying to use a CSV file named "STATUS" where the ID field has the name "patient_documentation". I type:

index="rea_host" search bill_due=* AND [ lookup STATUS OUTPUT patient_documentation as ID] | stats values(bill_due) by ID

with no luck. Can someone please help me out? Thank you so much
How do I obtain my license file? I purchased a copy of Splunk Enterprise... I need to figure out what my license key is.
We currently have a deployment server which manages our infrastructure quite well. A change in our environment is coming where the requirement is to (due to minimal change) make the universal forwarders (these are Windows) unmanaged and for any future changes to be done via a PowerShell script. My obvious response is no, but I wanted to see what other people's experiences are with not using a deployment server to manage anywhere between 30-40 machines using scripts such as PowerShell. What cons have you found doing it this way when compared to a tried and trusted approach with DS? I can't see any pros with it, but I will ask that too.