Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi Splunkers, in ES Content Update there's a detection rule that requires a prebuilt MLTK model that is built by the search "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK". And the search uses the macro ec2_excessive_terminateinstances_mltk_input_filter, which cannot be found in ESCU or in any other app. Is this more of a Support case, or can someone help with this macro?
Hi there. I'm trying hard to make sense of events forwarded by WEF/WEC and collected by a UF. I have a WEF subscription that forwards events from a host called "WinDev2102Eval" to a host "testdziura". On that host I have a UF installed along with the Splunk_TA_windows app. I have an input defined quite normally:

[WinEventLog://ForwardedEvents]
evt_resolve_ad_obj = 0
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents
renderXml = true
host=WinEventLogForwardHost

There is nothing out of the ordinary. The events that come from the WEC host itself are shown with the host field set to "testdziura" (as configured in system/local/inputs.conf); the events collected from the other host are shown with host "WinDev2102Eval". Which is OK from the logical point of view. I don't understand, though, how I can match those WEF-forwarded events in props.conf (I need to perform some additional transforms for a subset of those events). Adding a stanza [host::testdziura] applies only to events generated locally on the WEC host, not to those collected into Forwarded Events. The stanza [host::WinDev2102Eval] simply doesn't work. Surprisingly, [source::WinEventLog:ForwardedEvents] applies to those forwarded events, but this definition is way too broad for me. What I'm trying to understand is how the hell it all works, because I don't see that source (WinEventLog:ForwardedEvents) anywhere near the events in question. In my quest for understanding I even resorted to dumping the network traffic (for debug purposes I don't use TLS in my lab) and got completely puzzled, since the only metadata that seems to be sent with the event is the source, which is the location of splunk-winevtlog.exe (and thus completely different from the working stanza shown above), and the destination index, _MetaData:Index winevents.

I suppose that host::testdziura is getting set by default from the general connection properties (I can see it presented at the beginning of the UF-to-indexer connection). So I'm completely lost here. Where is this ForwardedEvents source coming from? Why isn't my [host::] stanza working? And what should I put there to make it work? For debug purposes I did a simple transform that rewrites MetaData:Host into an Original_Host field, so I thought I would see what Splunk sees. But it's even more confusing, since the events show Original_Host having the value "host::WinDev2102Eval". Another question which got me puzzled is that I don't seem to have any input for the "typical" event logs (System, Application, Setup) explicitly defined (all those defined in Splunk_TA_windows/default/inputs.conf have disabled=1), but I'm still getting the events (and btool inputs list shows the inputs with disabled=0). What did I miss?

Best regards, MK
Hi Splunkers, I got the data from SC4S. However, I could not get Splunk to recognize line breaks and timestamps correctly. Does anyone know why?
I have the need to run the Jenkins app for multiple users on Splunk Cloud, but I need to ensure they cannot see each other's indexes. How can I configure Jenkins (for instance) users from A to use the Jenkins app reading indexes 1, 2 and 3, users from B to use it reading indexes 4, 5 and 6, and so forth? I assume Cloud Support would not allow multiple installed instances of the same app? Any advice on this would be greatly appreciated.
After trying hard, it has been impossible to log in to my account, create a case, or even try to solve the problem on the Splunk community website. I had to create this account with my personal email, but the account I can't use is connected to an enterprise email. Please, I really need access to my account and I still can't reset my password; the only emails I get are the ones asking for the username, but the ones for setting a new password never arrive. I really need to solve this issue as soon as possible.
Hi Team,

Given a set of logs like below:

Mar 2 12:56:34 10.1.2.3 router-01: 2021 Mar 2 12:56:34.628 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout
Mar 2 12:52:30 10.1.2.3 router-01: 2021 Mar 2 12:52:30.562 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout
Mar 2 11:13:59 10.1.2.3 router-01: 2021 Mar 2 11:13:59.912 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout
Mar 2 11:13:55 10.1.2.3 router-01: 2021 Mar 2 11:13:55.912 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout
Mar 2 10:52:29 10.1.2.3 router-01: 2021 Mar 2 10:52:29.848 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout
Mar 2 10:52:25 10.1.2.3 router-01: 2021 Mar 2 10:52:25.850 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout
Mar 2 10:26:04 10.1.2.3 router-01: 2021 Mar 2 10:26:04.843 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout
Mar 2 10:26:00 10.1.2.3 router-01: 2021 Mar 2 10:26:00.838 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout
Mar 2 10:09:19 10.1.2.3 router-01: 2021 Mar 2 10:09:19.918 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout

with our setup for the above as:

index=syslog sourcetype=Cisco AND "IP SLA:"

I am trying to send an e-mail alert that will send only the LAST event for "Threshold Cleared" and, more importantly, a variable that computes the time delta from the last "Occurred" to the last "Cleared" event, in this case 244 seconds (12:56:34 - 12:52:30). I have some knowledge of subsearches, but only as part of another inline search, and can't get my head around how to assign the result as a "variable" and then subsequently include that variable in an e-mail alert. Basically the email alert I want to construct is: "Latest IP SLA threshold has cleared at 12:56:34 PM. Event duration was 244 seconds". Any suggestions on the syntax will be much appreciated. Thanks.
Hi team, I have the below sample events in Splunk.

2021-04-09 07:12:41,323 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.1CMID=shangThai CMN="shanghai"
2021-04-08 07:12:41,323 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.1CMID=shanghai CMN="shanghai"
2021-04-08 07:11:57,929 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=shanghaiT1 CMN="shanghai"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=chengdu CMN="chengdu"
2021-04-08 07:11:53,871 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=chengduT3 CMN="chengdu"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=city CMN="city"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=beijing CMN="beijing"
2021-04-09 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=Tbeijing CMN="beijing"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=shenyang CMN="shengyang"
2021-04-08 07:11:33,056 PLV=EVENT DT=MANUALEVENT CIP=0.0.0.2 CMID=shenyangD CMN="shengyang"

In the base query, I want to filter out the events whose CMID value matches the below patterns:

1) *T
2) *T# (# is a wildcard that stands for a number)
3) *D
4) *D# (# is a wildcard that stands for a number)

I am trying to filter them out with the IN function, but failed:

NOT CMID IN ("*T", "*T#", "*D", "*D#")

Question: how can I achieve this with the IN function?

Thanks, Cherie
Hi Everyone, is there any way to not send reports when there is no data in them? I know this option is available for alerts, but is there any such option for reports? Please let me know. Thanks in advance.
Hi, please help me resolve a problem. DB Connect is not indexing data into the index. In the log file "splunk_app_db_connect_server.log" I see that the job finished with status COMPLETED and no errors, but in the index I do not see any data. I checked the HTTP Event Collector; the token is correct. I have no idea how to fix this.
How do I check to see if SmartStore is set up / configured in a Splunk environment, and check its settings for the S3 / cloud setup?
How can I see a list of the questions I have asked across the various communities?
The Splunk app MITRE&ATT&CK is not able to receive updates. I copied and pasted the link it receives updates from and I could get to the update site. I could not find any errors explaining why it will not update itself.
In the context of an HTML Dashboard, why would a simple JS file get parsed into HTML within .../static/app/myapp/? For example, line 20 of myClass.js reads:

size(width,height) {

which, inside of my.splunk.domain/en-US/static/@12B...85/app/myapp/myClass.js, becomes

<tr>
<td id="L20" class="blob-num js-line-number" data-line-number="20"></td>
<td id="LC20" class="blob-code blob-code-inner js-file-line"> <span class=pl-en>size</span> <span class=pl-kos>(</span> <span class=pl-s1>width</span> <span class=pl-kos>,</span> <span class=pl-s1>height</span> <span class=pl-kos>)</span> <span class=pl-kos>{</span></td>
</tr>

and so on for the entire file. Please note that myClass.js has the simple form

// this is the entire file
class myClass {
    // vanilla js stuff...
}

Here's the relevant context: I have an HTML dashboard, properly converted from a simple XML via the UI. This dashboard uses two JS files: d3.js and myClass.js. The first file, d3, works just fine; the second is included identically:

require.config({
    baseUrl: "{{SPLUNKWEB_URL_PREFIX}}/static/js",
    waitSeconds: 0, // Disable require.js load timeout
    paths: {
        'd3': '{{SPLUNKWEB_URL_PREFIX}}/static/app/myapp/d3v5',
        'myClass': '{{SPLUNKWEB_URL_PREFIX}}/static/app/myapp/myClass'
    }
});
require([
    "splunkjs/mvc",
    // ...
    "myClass",
    "d3"
    // Add comma-separated libraries and modules manually here, for example:
    // ..."splunkjs/mvc/simplexml/urltokenmodel"
], function(
    mvc,
    // ...
    myClass,
    d3
    // Add comma-separated parameter names here, for example:
    // ...UrlTokenModel
) {
    // Everything else...
});

Both scripts are properly located in /splunk/etc/apps/myapp/appserver/static. myClass.js does depend on d3.js. The browser console logs two errors. The first is Uncaught SyntaxError: Unexpected token '<' in myClass.js:

// Translations for en_US
i18n_register({"plural": function(n) { return n == 1 ? 0 : 1; }, "catalog": {}});
<!DOCTYPE html> // ERROR THROWN HERE
// ...

bubbling to Uncaught TypeError: Cannot read property 'myProperty' of undefined. Again, d3.js is also included in the same way and works fine; the script includes a similar preamble but is otherwise unchanged. Any ideas and/or solutions would be very much appreciated. Also, apologies for the formatting; extra spaces are being inserted.
I have two queries. I have enabled the installed software script in Splunk so I can determine where software is not installed on a Windows server. How do I run a query to return all hosts that do not have specific software installed? The NOT function seems to only return items in a table. For example, I have Operations Manager installed on serverx but not serverb; how do I query all the servers to return serverb? The second query I have is: I have pulled in two CSV data sources. The first list is our CMDB server list (call it A) and the second list is an extract of servers that have agents installed (call it B). I would like to compare the two lists and return the hosts that are in list A but not in list B. The two lists are in the same index and have the same field name (Name) for the server name.
Hi, I recently completed the Splunk Cloud Admin course and it mentioned that a Hybrid Search Head could be set up on-prem to read data across on-prem and cloud. I have also read about this here and all seems fine: Splunk Cloud Platform Service Details. But now I have just listened to this video, "Apps for Splunk Cloud - Premium Apps", here: https://splunkpartnerlearningcenter.mindtickle.com/#/course/1346827044233204509?series=1305980034355667330 Go into the course, play the THIRD video and listen from 3:10 to 3:25; it says that the use of Hybrid Search is only for up to 90 days. Perhaps that video is out of date, or perhaps I am misunderstanding. Does anyone know about this 90-day limit? We have several customers moving to the cloud and several want Hybrid Search as an option. Thanks
Has anyone gone through the process of making a Splunk add-on work on Splunk Enterprise 8.1? The add-on used to work on 8.0. Does that add-on need to be changed to be Python 3 compatible for Splunk Enterprise 8.1? Does the add-on need to be rebuilt, or anything else done? Or use some other library? Or just tar it and it will work? Thanks.
I am trying to search for log entries that contain the following:

KeyError: 'ABC_DEF'

The following work, but will find all instances of ABC_DEF even if it is not accompanied by KeyError:

ABC DEF
ABC_DEF
'ABC_DEF'

The following return nothing of use to me:

KeyError: ABC_DEF
KeyError: 'ABC_DEF'
KeyError ABC_DEF
KeyError ABC DEF
KeyError
"KeyError:"

What should my search look like to find the above? Of note, the last entry above would resolve to the following Splunk query string:

index=* "KeyError:"

Thank you in advance
I'd like to have an alert that throttles per result but triggers only once per scheduled run (instead of once per host), or to solve this problem some other way. For example, if a service restarts we'll pick up an event from the log and send an email, but if 10 restart at the same time we don't want 10 emails, just one. We want some sort of throttle on the alert because: We're monitoring production systems and we need the alert to fire within a minute or two of the event occurring, so we're using a schedule like * * * * *, or maybe */5 * * * * depending on the criticality of the event. We can't guarantee that the event is delivered to Splunk on time. On occasion someone will be messing with the SAN and indexing will get delayed by a couple of minutes, or perhaps the host rebooted and the event won't be sent for another few minutes. We're stuck with this environment for the time being. This (to my understanding) prevents us from using a simple schedule like * * * * * and earliest=-1m@m, because we could miss events that don't arrive within the minute. Therefore the best way to ensure we don't miss events has been to increase the range of the search, for example to -5m@m. However, this means we'll catch the same event multiple times if our schedule is still * * * * *. Hence wanting to exclude the events we've already alerted on once. Is there a good way to approach this problem? I have similar concerns about using summarization searches where I want the summary results quickly but don't trust the events to be searchable quickly enough. Thank you.
I know it's not possible to change a username, but how about the email address associated with a user account? The domain is no longer available, therefore no emails can be received at that address. I assume the answer is "no", since I saw the field was not editable. Next, I assume that I will have to create a new account and abandon the current one, including all the history, if any (so much for data integrity). Presuming that I am correct, you may want to re-think the benefit of this rule, because companies churn all the time - they come and they go. Does it make sense that those accounts do also? Thanks, Jeff
Hello Team,

I would like to set up a Splunk email alert for when Log Statement 2 and Log Statement 3 don't execute due to some issue. Log Statement 1 always executes; Log Statement 2 and Log Statement 3 only execute when my scheduler job is working fine. Log Statement 2 and Log Statement 3 will not execute and print in the log when my scheduler job doesn't trigger successfully. I would like to get a notification when Log Statement 2 and Log Statement 3 are not printed in the logs after Log Statement 1. I can run the query every 30 min to check if Log Statement 2 and Log Statement 3 printed after Log Statement 1. I have Splunk Admin access and need help preparing the query. Can someone please advise?

-------------------------
Log Statement 1: “This is Log Line 1 which execute every time when transaction submitted”.
Log Statement 2: “This is Log Line 2 will execute after Log Line 1 when transaction in-progress”.
Log Statement 3: “This is Log Line 3 will execute after Log Line 2 when transaction completed”.
-------------------------