Mvmap has different results on different versions. The left screen is version 9.3.1, the right is 9.0.5. If the field has more than one value, the result will be equal.
Louisiana State University (LSU) is shaping the next generation of cybersecurity professionals through its student-powered SOC program, made possible by the Splunk Academic Alliance program. This initiative not only provides hands-on experience with Splunk tools but also protects 18 higher education institutions across Louisiana, with plans to expand to 38 by 2025. Students gain up to 1,000 hours of real-world security operations experience each year, working side-by-side with TekStream experts to manage incidents and enhance statewide security.     For the Splunk community, this story highlights how the Academic Alliance program is actively preparing students to become the skilled professionals you’ll soon collaborate with in the workforce. Through exposure to Splunk Enterprise Security and SOAR platforms, these students are learning the tools and techniques essential to their future roles—giving them a head start as they enter the job market.  Read the full case study to explore how this program is laying the foundation for a more secure future, driven by the talent you’ll be working with tomorrow.
Hi, I'm getting a 201 token error on the Splunk Cloud maintenance dashboard. Just wondered if anyone has seen this before.
Hi Team, I am trying to design a query whose result shows the total event count, the sub event count and the sub events as a percentage. Can you please help with the query? For example, the table below:

Work_Month_week | total_week_day | work day of week | Number of work hours | percent work hours
1               | 3              | Mon              | 2                    | %
                |                | Tus              | 4                    | %
                |                | Tus              | 4                    | %
2               | 2              | Mon              | 2                    | %
                |                | Tus              | 4                    | %
3               | 3              | Mon              | 3                    | %
                |                | Tus              | 5                    | %
                |                | thu              | 4                    | %
I have this message field that I need to extract the value from the brackets. The values are C,D,E,F,G: Message.Rogue.AllDskID{} How would I use REX to do this? Or would I need to use the eval command?
Hi community, I have observed an issue with the ingestion of the first line in a log file that, at first glance, seemed to have been truncated. Here's a screenshot for reference: My apologies for the poor job at blurring the data, but the first event should look like the second event, with a whole lot of data after the highlighted field. The field DistPoint itself should have a value of "DEPSY.IM2" and it got, apparently, truncated at such a weird point. All other subsequent lines in the log were successfully ingested. There were 3 log files landing on the ingestion point in quick succession, seconds apart, so I am not sure if this could have been the issue. I was about to update the truncate value for the sourcetype, but all lines in the logs are 3551 bytes, by default. Any ideas as to what the problem could have been? Thank you.
I'm using cmd | iplocation src, and the results include a value for the City. Next I want to compare each City and report when the result is different. For example, when the result for a City is Miami and an hour or so later the same field for the City is Boston.
I am creating a panel with an input of type "link". Multiple choice fields are created; how do I keep all the choice buttons in a line using Splunk Classic?

<panel id="panel_id_1">
  <input type="link" token="token_tab" searchWhenChanged="true" id="details">
    <label></label>
    <choice value="x">X</choice>
    <choice value="Y">Y</choice>
    <choice value="z">Z</choice>
  </input>
</panel>

I want to keep all choice values as X Y Z, but for me it is coming out as X Y Z.
What would be the proper way to push an authentication.conf from the deployer and have the bind password not left in clear text? Is it possible to push the authentication from the deployer without the bind password  and then add another authentication.conf manually to each search head in system local with only the bind password in the stanza? After restart of the search head cluster I’m thinking the bind password would then be encrypted? Would this be the proper way to do this? Would appreciate any other suggestions. 
I found this very useful search for a dashboard on gosplunk:

| rest /services/data/indexes | dedup title | fields title | rename title AS index
| map maxsearches=1500 search="| metadata type=sourcetypes index=\"$index$\"
    | eval Retention=tostring(abs(lastTime-firstTime), \"duration\")
    | convert ctime(firstTime) ctime(lastTime)
    | sort lastTime
    | rename totalCount AS \"TotalEvents\" firstTime AS \"FirstEvent\" lastTime AS \"LastEvent\"
    | eval index=\"$index$\""
| fields index sourcetype TotalEvents FirstEvent LastEvent Retention
| sort sourcetype
| stats list(sourcetype) AS SourceTypes list(TotalEvents) AS TotalEvents list(FirstEvent) AS "First Event" by index
| append [| rest /services/data/indexes | dedup title | fields title | rename title AS index]
| dedup index
| fillnull value=null SourceTypes TotalEvents "First Event" "Last Event" Retention
| sort index
| search index=* (SourceTypes=*)

However, when I first ran it, some of the "LastEvent" values appeared correctly. Ever since then, "LastEvent" and "Retention" have always been "Null". I can't figure out why I don't get any return values on these fields. I got an error saying the limit of 100 on the "list" command was surpassed, so I tried replacing "list()" with "values()" in the search, but the result is the same, just without the error.
I have a lookup file saved with a single column containing values of specific fields. I want to use it in a search query that matches those values against field names. Example: lookup name: test.csv, column name: column1, field name: field1
Hi, I am building a dashboard for UPS monitoring and I would like to convert a specific metric, which is battery age. It gives us some information about the last battery change; however, I would like to see the result in months and days, like below.

Expected outcome: 1 month 20 days.
Current outcome: below image.

SPL query:

index="ups" indexed_is_service_aggregate=1 kpi=BatteryAge
| lookup service_kpi_lookup _key as itsi_service_id OUTPUT title AS service_name
| search service_name="MainUPS"
| stats latest(alert_value) AS BatteryAge

Can anyone help me on this?
Thanks for the solution, which worked when I select the data entity and the time and hit the submit button with the query below. But without selecting the env (test or prod), the search runs based on the default dropdown: if it is test, the index "np-ap" is applied to the query and stageToken is set to test. I want the submit button to work for the env selection too, along with the data entity and date.

index="np-ap" AND source="--a-test"
<query>index=$indexToken$ AND source="-a-$stageToken$"

<form version="1.1" theme="dark">
  <label> stats</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="indexToken1">
      <label>Environment</label>
      <choice value="pd-ap,prod">PROD</choice>
      <choice value="np-ap,test">TEST</choice>
      <change>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </change>
      <default>np-ap,test</default>
    </input>
    <input type="dropdown" token="entityToken">
      <label>Data Entity</label>
      <choice value="aa">aa</choice>
      <choice value="bb">bb</choice>
      <choice value="cc">cc</choice>
      <choice value="dd">dd</choice>
      <choice value="ee">ee</choice>
      <choice value="ff">ff</choice>
      <default>aa</default>
    </input>
    <input type="time" token="timeToken" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html id="APIStats">
        <style>
          #user{ text-align:center; color:#BFFF00; }
        </style>
        <h2 id="user">API</h2>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Unique</title>
        <search>
          <query>index=$indexToken$ AND source="-a-$stageToken$" | stats count </query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Oct 22 14:20:45 10.5.0.200 DNAC {"version":"1.0.0","instanceId":"20fd8163-4ca8-424b-a5a9-1e4018372abb","eventId":"AUDIT_LOG_EVENT","namespace":"AUDIT_LOG","name":"AUDIT_LOG","description":"Executing command terminal width 0\nconfig t\nFailed to fetch the preview commands.\n","type":"AUDIT_LOG","category":"INFO","domain":"Audit","subDomain":"","severity":1,"source":"NA","timestamp":1729606845043,"details":{"requestPayloadDescriptor":"terminal width 0\nconfig t\nFailed to fetch the preview commands.\n","requestPayload":"\n"},"ciscoDnaEventLink":null,"note":null,"tntId":"630db6e989269c11640abd49","context":null,"userId":"system","i18n":null,"eventHierarchy":{"hierarchy":"20fd8163-4ca8-424b-a5a9-1e4018372abb","hierarchyDelimiter":"."},"message":null,"messageParams":null,"additionalDetails":{"eventMetadata":{"auditLogMetadata":{"type":"CLI","version":"1.0.0"}}},"parentInstanceId":"9dde297d-845e-40d0-aeb0-a11e141f95b5","network":{"siteId":"","deviceId":"10.7.140.2"},"isSimulated":false,"startTime":1729606845055,"dnacIP":"10.5.0.200","tenantId":"SYS0"} host = 10.5.0.200 sourcetype = syslog

How do I extract the colon-separated fields?
With SOAR's Splunk app (Splunk | Splunkbase), you can pull the SID of your search and append that to your Splunk instance's base URL. This is the same format as if you had clicked the share button in Splunk. Unfortunately, using the link returns "Permission Denied" because the SID hasn't actually been shared.   Does anyone know how to make the results of a search run by the Splunk app shareable?
Register here. This thread is for the Community Office Hours session on Kubernetes Observability on Tue, December 10, 2024 at 1pm PT / 4pm ET.

What can I ask in this AMA?
- How do I use and customize Kubernetes navigators?
- What are best practices for optimizing Kubernetes alerts and troubleshooting workflows?
- Is there a way to view Kubernetes logs correlated with metrics?
- How do I review Pod status?
- How do I monitor Kubernetes resource limits?
- Anything else you'd like to learn!

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here). Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants. Look forward to connecting!
Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the Splunk suite of products. This session is designed for security experts and IT leaders from financial services organizations or any other industry that are looking to enhance their fraud detection and prevention strategies.

Watch this Tech Talk to learn:
- Our approach to solving for fraud
- How to use the Splunk suite of products to detect and prevent fraud
- Best practices and lessons learned when using Splunk to detect and prevent fraud

Watch full Tech Talk here:
Register here. This thread is for the Community Office Hours session on Observability: Digital Experience Monitoring (EMEA) on Thursday, November 7, 2024 at 2pm GMT. This is your opportunity to ask questions related to your specific Digital Experience Management (DEM) needs with Splunk Real User Monitoring (RUM) and Splunk Synthetics, including:
- Gaining a full view of the end user experience
- Running front-end/back-end investigations to pinpoint errors
- Running synthetics tests to proactively predict app and website performance
- Measuring KPIs focused on customer experience
- Anything else you'd like to learn!

We look forward to seeing you there! Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here). Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants. Look forward to connecting!
Exciting news! In our ongoing mission to deliver the best customer experience, we are thrilled to announce that the Palo Alto App and Add-on are now officially SPLUNK SUPPORTED. Through a diligent and productive partnership between Splunk and Palo Alto Networks, we've released two new Splunkbase listings to enhance the whole solution:
- Splunk App for Palo Alto Networks
- Splunk Add-on for Palo Alto Networks

Moving forward, all updates, enhancements, and support will be managed directly by Splunk. The new releases include major and minor changes, such as:
- Updated CIM mapping
- Improved dashboards
- Support for the latest PanOS releases
- Universal Configuration Console (UCC) Add-on framework

Please refer to the respective documentation for detailed information on changes. We highly encourage all users to transition to the newly released integration, as the old one will be deprecated and will no longer receive updates or support. To smooth out the process, please follow the migration guides available here:
- Palo Alto Splunk App migration guide
- Palo Alto Splunk Add-on migration guide

Happy Splunking!
Register here! This thread is for the Community Office Hours session on Security: Enterprise Security (ES) on Wed, Nov 13, 2024 at 1pm PT / 4pm ET. This is your opportunity to ask questions related to your specific Splunk Enterprise Security needs, including:
- What are some tips and tricks for getting started and becoming an expert in ES?
- What to expect in Enterprise Security 8.0, including the Mission Control interface and SOAR integration?
- What is the new Enterprise Security 8.0 workflow?
- What are the best practices for implementing threat detection, and what is the latest security content from the threat research team?
- How to implement use cases like RBA, incident management, and threat hunting?
- Which Splunkbase apps and add-ons are recommended for ES use cases?
- Anything else you'd like to learn!

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here). Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants. Look forward to connecting!