Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hello, I have a small dilemma around AND/OR boolean operators. I don't want null time logs for event=timeOut, but at the same time I also want the null values for event=timeOut because I need that info too. I would like to know if using OR instead of AND in the where clause would do that for me?

index="mvp.sl.idx" | eval DeliverToService=case(event="timeOut", logTime) | eval NullDeliverToService=case(event,"timeOut", logTime) | stats values(DeliverToService) as DeliverToService values(NullDeliverToService) as NullDeliverToService | where isNotNull(DeliverToService) OR isNull(NullDeliverToService)
I'm wanting to add the short ID that one can generate for a notable in IR to the columns in Incident Review for our SOC to use. However, I can't find the proper attribute name for this, and it's not in the notable index, or in the notable_xref_lookup or es_notable_events lookup. Hoping someone can tell me what the correct "Short ID" attribute name is. Also hoping someone can tell me how to force ES to create a Short ID for EVERY notable. Thanks in advance!
I'm trying to differentiate between CD burn and CD read codes from Windows Event Viewer using WinZipBurn. From what I've seen, a CD burn will generate event codes 1001, 1003, 1004, and then 1001 again in WinEventLog:Application. Reading from a CD will just generate code '1001'.

I'm trying to create a report that will determine if the sequence 1001, 1003, 1004, 1001 occurs within a 10 minute span. I'm not great with transactions so I'm sure there is an error. The following is what I tried:

sourcetype=WinEventLog:Application WinZipBurn | transaction Account_Name maxspan=10m maxpause=3m startswith=eval(EventCode="1001") endswith=eval(EventCode="1001")

I don't think it can tell the difference between the first one and the last. In Event Viewer, there is more info that says the CD is blank vs finalized, but Splunk isn't pulling it over. 1003 and 1004 are error codes that I'm not sure what they are for, but they only occur in the middle of a burn.
Hello, looking for some advice on a popular topic: non-reporting hosts. Perhaps someone has already come across something like this, or has a better way of doing it. We have device pairs that report differently, and I am looking for a way to alert if a device stops reporting based on the expected reporting cadence for a particular device. For example, have a CSV with device name/IP and a column for the expected reporting threshold that can be used to generate an alert if it is exceeded. Example:

FW1-primary, 2m
FW1-secondary, 4h

So the search can look at the second column, and if it's been more than 4 hours since FW1-secondary sent an event, an alert can be generated. TIA!
Hi, I'm going to build a minimal SIEM in our office and because of price can't get the ES app. What I would like to know is: if I use the Security Essentials app with some third party like Wazuh and make some correlation somehow, could I detect threats and risks? Since I can't get an answer anywhere else, it would be great if you could help me.
Hi everyone, I need to create one hyperlink in my top menu bar. I tried with the following code, but it's not working.

<collection>
<li><a href="O2 Team">O2 Team</a></li>
</collection>

I just want it as a static link as of now. Can someone guide me on how to create it?
Hi all, seeking help on this! For POC purposes I was trying to configure the google.com home page in the Splunk Website Inputs app; when defining the CSS selector, under the page preview tab the google.com page is not getting loaded. When I checked the Health tab in the app I could see these error details:

Error Details:
2021-04-12 15:10:34,759 ERROR Exception generated while attempting to content for url=https://www.google.com/
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/website_input/bin/website_input_ops_rest_handler.py", line 285, in get_load_page
    content = web_client.get_url(url, 'GET')
  File "/opt/splunk/etc/apps/website_input/bin/website_input_app/web_client.py", line 492, in get_url
    raise ConnectionFailure(str(e), e)
ConnectionFailure: <urlopen error Tunnel connection failed: 504 Gateway Timeout>, caused by URLError(error('Tunnel connection failed: 504 Gateway Timeout',),)

I am using the Splunk Enterprise trial version (single instance) running in an AWS cloud instance. While configuring the app I provided the Splunk proxy server details with HTTP port 80. Initially I thought it might be due to a firewall block, but when I executed the curl command from PuTTY I could see the page loading without any error, and I also checked with the systems team and found that under the security group for my instance ports 80, 8080 and 443 are open for incoming traffic. Can anyone throw some light on this issue?
Hi guys, I have:

1 x Search Node
1 x Master Node - 2 x Peer Nodes
1 x Deployment Node

I've updated the master_uri & pass4SymmKey in the Search node and restarted Splunk via the GUI; this worked fine and the license page is showing the new values. However, I am a bit reluctant to just change/restart the other nodes for fear of any bucket/replication issues. Am I ok to update the Master Node the same way and perform a normal restart? Then update the Peer Nodes and perform a Rolling Restart? If not, what is the best way to apply the conf changes? I did try searching the documentation but I got a bit lost. Thank you in advance.
Hi everyone, I have one requirement. I have one dashboard which consists of multiple panels. When there is NO DATA it's showing "NO RESULT FOUND", but I want to display one message, "It is Error". I am able to display it at the top, but I want to display it at each and every panel. Below are my two queries for 2 panels. I want to display it in both.

<row>
  <panel>
    <chart>
      <title>Overall Salesforce User Licenses</title>
      <search>
        <query>index="abc" sourcetype="xyz" $type$ TotalLicenses!=0 | lookup Org_Alias.csv OrgFolderName OUTPUT OrgName as OrgName | search $OrgName$ | dedup OrgFolderName, LicenseName, SalesforceOrgId | chart sum(TotalLicenses) as "Total Licenses" sum(UnusedLicenses) as "Unused Licenses" sum(UsedLicenses) as "Used Licenses" by LicenseName</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.text">Count</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.maximumNumber">999999</option>
      <option name="charting.axisY.minimumNumber">0</option>
      <option name="charting.axisY.scale">log</option>
      <option name="charting.axisY2.enabled">0</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.chart">column</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">top</option>
      <option name="height">400</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>
<row>
  <panel>
    <table>
      <title>Overall Salesforce User Licenses</title>
      <search>
        <query>index="abc" sourcetype="xyz" $type$ | lookup Org_Alias.csv OrgFolderName OUTPUT OrgName as OrgName | search $OrgName$ | dedup OrgFolderName, LicenseName, SalesforceOrgId | stats sum(TotalLicenses) as "Total-Licenses" sum(UsedLicenses) as "Used Licenses" sum(UnusedLicenses) as "Unused Licenses" by LicenseName OrgName SalesforceOrgId | sort -Total-Licenses</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">30</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">false</option>
      <fields>["LicenseName","OrgName","SalesforceOrgId","Total-Licenses","Used Licenses","Unused Licenses"]</fields>
    </table>
  </panel>
</row>
So this app looks amazing and exactly what my team needs, but I can NOT get this thing working. Has anyone out there in the community managed to run this thing successfully? It's just been one problem after another and I don't think I'm getting anywhere. Right now I think I've narrowed the issue to a line in the "alert_manager_scheduler.log" in splunk/var/log, which states:

...message="No saved searches found in system, skipping..."(alert_manager_scheduler.py:86)

Additionally, there is no data in my alerts index, which is what I had set as the index in Global Settings. Note that I'm on Windows, and in an offline (no internet) environment. The app in question is here: Alert Manager | Splunkbase. Documentation here: Introduction - Alert Manager
Good day Community, I would like to know what is the best approach to filter events based on a previous query. More precisely, here is my scenario: I am attempting to correlate our firewall logs against Windows Event Log 5156 / 5154, which is the local firewall that allowed a connection. I am not sure if a multi-search is the best approach, or using append vs join vs subsearch. Has anyone ever crafted an SPL similar to the one described above, or can anyone provide some insight into the best method to achieve the results wanted? Thank you,
Has anyone had success in installing UF version 7.x or 8.x 32-bit on a Windows Server 2008 OS (some R2, some not)? We have a couple of servers for an old legacy application the company still needs in an isolated and protected environment (the legacy application is not supported by the vendor anymore), but they are still running the old UF 6.3.8 32-bit and we have had issues with the servers when trying to upgrade to newer UF 32-bit versions... Currently forwarding data to an on-prem heavy forwarder running Splunk 7.3.7 and forwarding to Splunk Cloud. Unfortunately the legacy application cannot be installed on Server 2012 and we are stuck with 2008 32-bit; we tried several options to upgrade the test server OS to 2012 and the app just won't run... Any known versions of 8.x running on 32-bit Server 2008 (not supported by Splunk 8.x)? Thanks in advance for all replies...
We're monitoring an application with a large variety of report web services. The remote service URLs come in a wide variety: some with only a couple of segments, some with 5 or 6 segments, some with parameters, some without. We'd like to drop the parameters, keep the first 3 segments if they exist and keep the "/"s. Is this possible? What would be the best way to do this? Here is an example. Parse the following URLs

https://ingress-tst.abc.com/componentservice/abc/12dd?sadf=qbert
https://ingress-tst.abc.com/componentservice/abc/
https://ingress-tst.abc.com/componentservice/abc/post/test/12dd?sadf=qbert

so they all show up in AppDynamics like

https://ingress-tst.abc.com/componentservice
Say I'm on UF version 6.2 and I want to upgrade to 8.1. Splunk documentation clearly states you must go from 6.6 ---> 7.2 ---> 8.1. I have no issue understanding the process; I want to understand why. Where's the documentation published by Splunk that dives into the need/reason for the intermediate jump to 7.2? Why is it impossible to go from 6.6 ---> 8.1? (Once again, I'm not fighting the process!) I just want to know the explanation behind why. Thanks
Hello, I want to have one main dashboard for all Splunk users. But I see that every time a user opens the dashboard, it creates as many searches as there are panels, which is normal. Is there a way to have a dashboard that automatically refreshes, e.g. every 5 minutes, for all users in order to save resources? Shall I save the searches as reports and put the reports in panels of the dashboard? Thank you in advance. Regards, Chris
Hi, has anyone tried to mount the community OVA on Hyper-V? I have tried various methods of converting the OVA (VMDK) to VHD/VHDX and tried creating Gen 1/2 virtual machines. But it never works; the most I've managed to do is get into rescue mode. Has anyone gotten this to work on Hyper-V?
Hi all, we are going to upgrade from Splunk 7.3.3 to 8, but first I need to check compatibility of all apps with the Splunk Platform Upgrade Readiness App. We have an indexer cluster, search head cluster, master node, deployer, deployment server, Splunk monitoring web etc.; there are plenty of apps. The question is very general: where does the Splunk Platform Upgrade Readiness App need to be installed to cover all apps and make the check sufficient? Where is it not needed? Can you mention some approach for how to decide? Are there some tips from experience? I would like to create a list like: I will install it here, here and here, and now I know I checked all apps. Thank you very much
My task:
1) Create a dashboard
2) Show the Instance id, Instance type and CPUCreditBalance

But I am unable to show Instance type. I have attached the query below:

index=main metric_name=CPUCreditBalance | timechart eval(round(avg(Average),2)) by metric_dimensions where max in top10

Are any changes needed in this query?
Hey all. I need help to selectively forward (on a HF) from a log file that is being monitored by a UF. I only need to forward lines that contain the exact words "Read line". I've tried the below confs but the HF is still forwarding all lines that are written to the log.

props.conf

[dcs_event]
TRANSFORMS-routing = dcs_allow,dcs_drop

transforms.conf

[dcs_allow]
DEST_KEY = queue
REGEX = (Read line)
FORMAT = indexQueue

[dcs_drop]
DEST_KEY = queue
REGEX = .
FORMAT = nullQueue
According to the Splunk docs, eval can be used within aggregate functions with the stats command like:

index=main sourcetype="access_combined_wcookie" | stats count(eval(action = "purchase")) AS "Total purchases"

Now, I was of the opinion that eval is used to create a search result field and, looking at the query, it seems

eval(action = "purchase")

will create a field with true/false as its value. But this is not the case. It actually creates a search field with value 1/0, which the count() function then counts. I did not find this documented anywhere in the eval Splunk docs. Can someone help me point to a resource where all such deviations of the eval command from its normal behaviour are documented? Are there more than this?