Might be a silly question, given the IN search command, is it possible to negate the query using NOT? For example: ... error_code NOT IN (400, 402, 404, 406) | ...  
Our CrowdStrike Add-on stopped pulling logs via the API, giving this error:

2021-05-01 19:03:31,879 ERROR pid=31672 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/ta_crowdstrike_falcon_event_streams/aob_py2/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/crowdstrike_event_streams.py", line 71, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 358, in collect_events
    crowdstrike_client()
  File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 234, in crowdstrike_client
    num_feeds = len(response['resources'])
TypeError: object of type 'NoneType' has no len()

I can't understand what happened or how to prevent it from happening again. Anyone out there with the same issue?
Hi all,

Using the below SPL I have created one new use case for multiple emails sent from an external domain. For example, if I get 5 results in the search it is generating 5 individual notable events, but I need one notable event for all the 5 results. Please could you help me on this?

index=msexchange sourcetype=MSExchange*:MessageTracking tag=email action=delivered sender_domain!=@x.x.x recipients!=@x.x.x
| stats dc(recipient) as count by sender
| search count >=4
| rename count as recipient_count
| table sender recipient_count

Search Range: 1hr
Cron schedule: */5 * * * *
How do I look up the IP address plus the machine name of a Splunk server, for example my Deployment server? Is it possible to look up the complete list of IPs and machine names (computer accounts) of all the Splunk servers at once? Like the IP + computer account of SHs, DS, Cluster Master and so on?
Hi Splunkers, I need your help on the following data set.

Index=auditbeat
host --> log source
command --> command run by host
_time --> _time

host1:
  _time : 00.00:00 - 00.15:00 --> 15 min interval
  commands run by host1 in the time interval above (15 min): ls, tar, sudo, whoami, cd, mkdir
host2:
  _time : 00.00:00 - 00.15:00 --> 15 min interval
  commands run by host2 in the time interval above (15 min): ls, rm, history, whoami, cd, mkdir
host3:
  _time : 00.00:00 - 00.15:00 --> 15 min interval
  commands run by host3 in the time interval above (15 min): ls, chown, chroot, whoami, cd, mkdir

I need to write a search which will look at each 15 min time interval. Within EACH 15 min time interval, if any machine (host) ran all of these commands ('whoami', 'chroot' and 'history'), the search will list the result as follows:

time interval -- host -- commands

Thanks for your help.
What will happen if the source type is incorrectly assigned, and how should I change it?
Hello guys, currently I am using Splunk version 6.4 in my organization. I want to upgrade all Splunk instances to version 7.3.2. Can I directly upgrade Splunk from 6.4 to 7.3.2? If not, then which version should I go to first, and why?
Hi guys,

I am looking for a Splunk query for the following table:

JobName  Jobtime
Job1     2021-05-01 22:19:23
         2021-05-01 22:19:22
         2021-05-01 19:54:38
         2021-05-01 19:52:37

Expected output:

JobName  Job time             Timecalculation                                         Totaltime
Job1     2021-05-01 22:19:23  1 (sec) from first two entries time difference          =1+121=122 seconds
         2021-05-01 22:19:22
         2021-05-01 19:54:38  2 minutes:1 second from entries 3 and 4 = 121 seconds
         2021-05-01 19:52:37
Hi All, I have ingested some sample logs in ITSI from Windows, Oracle DB, AWS and NetApp devices, but the dashboards are not getting populated in ITSI. Can anyone who knows ITSI suggest or guide how the search analyzer and dashboards get populated? I have enabled correlation searches as well, but it did not work.
I am searching for exceptions/the type of exception in logs and using the below query:

index=abcd ("*Exception" OR "*exception")
| rex "(?P<Exception>.*\..*Exception:)"
| eval mvFields=split(Exception, " ")
| eval Exception1=mvindex(mvFields,mvfind(mvFields,"\..*Exception"))
| timechart span=5m count by Exception1

But when I expand the time range to 4-7 days, I get the below alert message (although I get the output):

Error in rex command: regex= "(?P<Exception>.*\..*Exception:)" has exceeded configured match_limit, consider raising the value in limits.conf

Looking for a more efficient way in which the above search can be refined without making any changes to limits.conf.
I have two lookup tables that get updated once a day from time/CPU-intensive searches. I want to create an alert to let me know when there are deltas between these two lookup tables. I can schedule it as a report, and this works, but then I get empty reports if no deltas are found. I think the reason my alert is not triggering is because the results from my search are not showing as events, but as statistics.

| inputlookup main.csv
| lookup secondary.csv eventSource as eventSource output Name
| where isNull(Name)

"Trigger Number of Results" = greater than 0

The search returns results, but no alert is triggered.
Several thousand remote hosts connecting to a collector at 2 geographically distanced datacenters. One of the collectors should be getting bytes_seen > zero. If neither collector sees bytes_seen > zero, then the controller is assumed to be down and an alert needs to be raised.

Trying to table:

RemoteDevice  DatacenterCollector  BytesSeenWestCoast  DatacenterCollector  BytesSeenEastCoast  RemoteDeviceStatus
Device-1      Collector-WestCoast  50                  Collector-EastCoast  0                   Up
Device-2      Collector-WestCoast  104                 Collector-EastCoast  0                   Up
Device-3      Collector-WestCoast  0                   Collector-EastCoast  0                   Down

In this scenario, Device-3 should be marked down, and an alert generated. Expecting to use a lookup table file for a list of all the remote devices Splunk needs to receive the events for from the datacenter collectors.
I am trying to count click-through, the percent of total clicks over total searches.

index=basesearch action=click OR action=search
| stats count by action

What I really want is a percentage: the number of action=click divided by action=search. What command do I use?
How do I look up the computer name of the Splunk instance like Deployment server or a SH? I would like to view .conf files & edit them. Please advise.
I would love a little guidance on how I could improve this search by getting away from join. I think I am hitting some result limits in doing so, but I could not get the same results using appendcols. I've also tried putting (sourcetype=mysourcetype OR source=my_other_source) and renaming the field in the other source to match the field in the first source, but that didn't work either.

...| stats latest(u_subscription_type) latest(sys_created_on) latest(dv_u_expiration_date) latest(dv_sys_updated_on) latest(u_status) latest(u_corresponding_ritm_number) latest(dv_u_corresponding_ritm_number) by dv_u_info,dv_u_sso,u_logonid
| `rename(latest)`
| eval record_updated=strptime(dv_sys_updated_on,"%Y-%m-%d %H:%M:%S"),record_created=strptime(sys_created_on,"%Y-%m-%d %H:%M:%S"),record_expires=strptime(dv_u_expiration_date, "%Y-%m-%d"),now=now()
| eval USBViolation=if(now > record_expires, "yes", "no")
| join type=left [ search (source=my_other_source) | rex field=horrible_field "#50\s+\-\s+(?P<business_justification>.+?)\s+\-\sBusiness\sCase" | eval u_corresponding_ritm_number=request_item | stats latest(business_justification) latest(dv_comments_and_work_notes) by u_corresponding_ritm_number | `rename(latest)`]
| fields - now,record_created,record_exires,record_updated,record_expires
Hi, I am creating a dashboard where it should show the time difference between the two latest events. Since all the events look alike, I do not want Splunk to pick up the old events' timestamps and compare them with the new one. I tried using dedup and it is showing results for only one particular day even though I selected a range of dates.

Query:

index=i01_prd ("ProcessBatch" AND "Total Processed") OR (ProcessBatch BEGIN - ProcessBatch.doWork)
| bucket _time span=1d as day
| stats earliest(_time) as First latest(_time) as Last by day
| eval DurationInMinutesDeci=round((Last - First))
| eval day=strftime(day,"%m/%d/%y")
| eval Last=strftime(Last,"%S")
| eval First=strftime(First,"%S")
| rename Last as "Last_ss"
| rename First as "First_ss"
| rename DurationInMinutesDeci as Seconds
| rename _time as exacttime
| rename day as _time
| table _time, Seconds
Licensing best practices: I need to trim it. I have Splunk Enterprise and a SOC team that uses ES. If you have taken measures that worked for you, please share some highlights. Thank you.
Hello. Maybe someone can point me in a good direction because I don't have a reasonable idea at the moment. The situation is: the customer has many event sources (definitely over a thousand; probably closer to two). A subset of the sources is "categorized". To make a long story short, there is a big Excel table in which every source is described with various labels. For example:

Host   Source           Site    Category1  Category2  ...
host1  192.168.1.1      site_a  LAN        Office     ...
host2  192.168.2.3      site_a  DMZ        Plant      ...
host3  WindowsEventLog  site_b  LAN        Plant      ...
...    ...              ...     ...        ...        ...

"Site" is an indexed field added at ingest time. Every single event source is unambiguously characterised as either a site/source or a site/host combination.

And now I need two things. One is relatively simple because the customer wants to have the categories pertaining to a given event source displayed along with events. That's quite easy: a simple lookup does the trick; if I want to make the customer's users' lives easier, I can do a macro, no problem.

But the second one is where I'm stuck. The customer wants to be able to select events by using the categories of the sources. Of course with small event volumes it would be perfectly acceptable to do a simple query, run it through a lookup and then filter the result. With a small set of sources I'd just tell the customer to filter by particular host and get on with his life. But in this case the amount of data we would have to prepare first, just to be filtered later, would be huge, so it would be reasonable to filter it as early as we can (especially as both pairs of fields that can be used to distinguish event sources are indexed fields and don't have to be parsed from the events). And the subsets of the hosts we would need to be using are quite big. I thought about using a lookup in a subquery but don't know how to approach it so it makes sense.
Hello Community, I need your help to understand why, if I use the "lookup" command twice on the same lookup table (out-of-the-box "geo_attr_countries"), I don't get the results I expect, since it looks like the second one is ignored, but it does work if I replace both "lookup" commands with equivalent "join" commands. I am using Splunk Cloud 8.1 and I would prefer the double "lookup" due to better search performance on my dataset, where events may have the country code or the country name in the same field and I need both of them. Below are 2 examples you can run in your Splunk (the only lines that differ are the two lookup/join lines):

Double "lookup" not working:

| makeresults
| eval countryCodeOrName="Spain"
| append [| makeresults | eval countryCodeOrName="IT"]
| append [| makeresults | eval countryCodeOrName="France"]
| append [| makeresults | eval countryCodeOrName="DE"]
| table countryCodeOrName
| eval country=if(len(countryCodeOrName)>2,countryCodeOrName,"-")
| eval iso2=if((len(countryCodeOrName) == 2),countryCodeOrName,"-")
| lookup geo_attr_countries country OUTPUT iso2 as countryCode
| lookup geo_attr_countries iso2 OUTPUT country as countryName
| table countryCodeOrName countryCode countryName

Double "join" working:

| makeresults
| eval countryCodeOrName="Spain"
| append [| makeresults | eval countryCodeOrName="IT"]
| append [| makeresults | eval countryCodeOrName="France"]
| append [| makeresults | eval countryCodeOrName="DE"]
| table countryCodeOrName
| eval country=if(len(countryCodeOrName)>2,countryCodeOrName,"-")
| eval iso2=if((len(countryCodeOrName) == 2),countryCodeOrName,"-")
| join type=left country [| inputlookup geo_attr_countries | table country iso2 | rename iso2 as countryCode ]
| join type=left iso2 [| inputlookup geo_attr_countries | table country iso2 | rename country as countryName ]
| table countryCodeOrName countryCode countryName

I would appreciate your suggestions! Thanks, G.P.
Within _raw we have this segment:

SQL_TEXT="grant create database link to aaa01, bbb02, yyy03, xxx04",

We would like to replace only the commas in this part of _raw with dollar signs. Is it possible?