All Topics

I was wondering if there were any Splunkbase tools or tools in general that allow for data to interact between Splunk and Veracode and/or Contrast Security?
Hi Everyone, Is it possible that we can send multiple rows in one incident? My search query is below:

index=abc ns=blazegateway ("NullPointerException" OR "IllegalStateException" OR "RuntimeException" OR "NumberFormatException" OR "NoSuchMethodException" OR "ClassCastException" OR "ParseException" OR "InvocationTargetException" OR "OutOfMemoryError")| rex "message=(?<ExceptionMessage>[^\n]+)"|eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")|cluster showcount=t t=0.9|table app_name, ExceptionMessage,cluster_count,_time, environment, pod_name,ns|dedup ExceptionMessage|rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name,cluster_count as Count

So I am getting 5 rows (it can be more, based on the result) with different exception messages. I want all 5 rows to be there in one incident, but I am getting only the first row's fields. Is it possible that all 5 rows will be in one incident?
That's all I need: the method for cloning alerts as we migrate.
I've got an app that I've developed running on a HF that has the following inputs.conf:

[monitor:///apps/snmp-traps/traps-received.log]
disabled = false
host = hostname
index = my_index
sourcetype = SNMP:raw

Then the props.conf:

[SNMP:raw]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TRANSFORMS-snmp_sourcetype = aruba_config_alert, aruba_down_ap, aruba_down_radio, aruba_radio_utilization, aruba_rogue_ap_detected_detail, aruba_rogue_ap_discovered, aruba_up_ap, snmp_aruba_amp, snmp_cisco_prime, snmp_cisco_asa, snmp_solarwinds, snmp_pan, snmp_generic_traps

Then the transforms.conf:

#
# Set sourcetype based on trap
#

#
# Aruba AMP Trap 12
#
[aruba_rogue_ap_discovered]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetected
FORMAT = sourcetype::aruba:rogue_ap_discovered

#
# Aruba AMP Trap 13
#
[aruba_down_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downAP
FORMAT = sourcetype::aruba:down_ap

#
# Aruba AMP Trap 15
#
[aruba_up_ap]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upAP
FORMAT = sourcetype::aruba:up_ap

#
# Aruba AMP Trap 16
#
[aruba_down_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::downRadio
FORMAT = sourcetype::aruba:down_radio

#
# Aruba AMP Trap 30
#
[aruba_radio_utilization]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::radioUtilization
FORMAT = sourcetype::aruba:radio_utilization

#
# Aruba AMP Trap 32
#
[aruba_rogue_ap_detected_detail]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::rogueAPDetectedDetail
FORMAT = sourcetype::aruba:rogue_ap_detected_detail

#
# Aruba AMP Trap 59
#
[aruba_up_radio]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::upRadio
FORMAT = sourcetype::aruba:up_radio

#
# Aruba AMP Trap 200
#
[aruba_config_alert]
DEST_KEY = MetaData:Sourcetype
REGEX = AWAMP-MIB::configAlert
FORMAT = sourcetype::aruba:config_alert

#### sourcetype routing
[snmp_aruba_amp]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: AWAMP-MIB
FORMAT = sourcetype::aruba:snmp

[snmp_cisco_prime]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: CISCO-WIRELESS-NOTIFICATION-MIB
FORMAT = sourcetype::cisco:prime

[snmp_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = .*SNMPv2-SMI\:\:enterprises\.3076.*
FORMAT = sourcetype::cisco:asa:snmp

[snmp_pan]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapOID.0 = OID\: PAN-TRAPS
FORMAT = sourcetype::pan:snmp

[snmp_solarwinds]
DEST_KEY = MetaData:Sourcetype
REGEX = SNMPv2-MIB\:\:snmpTrapEnterprise.0 = OID\: SOLARWINDS-PRODUCTS
FORMAT = sourcetype::solarwinds:snmp

[snmp_generic_traps]
DEST_KEY = MetaData:Sourcetype
REGEX = .*IF-MIB.*
FORMAT = sourcetype::snmp:generic_traps

The data is getting in and the props is calling the transforms correctly, but instead of seeing aruba:rogue_ap_discovered when a Rogue AP Discovered trap is in the log, I see aruba:snmp. I thought I understood this: when this was for PAN only, it appeared that the transforms get processed in order. Is there something I'm missing? Splunk 7.3.6. TIA, Joe
Hello, my distributed environment consists of:
1) Splunk Enterprise Security (Deployment Server/Search Head) - RHEL7.9
2) Splunk Indexer (Deployment Client) - RHEL7.9
3) WEF server (Windows Server 2016) which collects Windows Event Logs and sysmon events from systems that belong to the domain. There is a Splunk UF installed which forwards the events to the Splunk Indexer (2).
Question: I want to keep the data on the indexer (2), but I want to be able to populate the respective data models in Splunk ES and get notable events for suspicious traffic in the domain. Where do I have to install the necessary add-ons that will normalize the data? On Splunk ES (1) or the Splunk Indexer (2)? Thank you in advance, Chris
Dear community, I'm trying to create a Double Measure Sankey diagram using the color_code (optional field). https://docs.splunk.com/Documentation/SankeyDiagram/1.5.0/SankeyDiagramViz/SankeySearchDataFormat I'm seeing a problem on the Splunk Sankey diagram where color_code is not being properly populated. Looking at the legend here, the color of the link should be blue. It's populating it purple. Another example here: the thinner purple line should be blue according to the legend. See below. Please advise. Thank you,
Hi, We have a huge lookup file with accounts' data. Some of the lookup's columns have a value for each account, like 'username' or 'startdate'. However, another one may have no value at all, like 'subcontractor'. When we perform a search like subcontractor=company_A it works great, but when we perform a search like subcontractor=* it returns no result. The only solution we were able to find is to use an eval function to create an empty value for every column:

| eval subcontractor =if(isnotnull(subcontractor), subcontractor,"")

It works but it doesn't look like the right way to do it, especially if you have dozens of columns like this one. Do you know a better way to deal with lookup columns? Thanks for the help.
Hi Everyone, I am creating one alert. The search query is below:

index=abc  ns=blazegateway ERROR|rex field=_raw "ERROR(?<Error_Message>.*)" |eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")| eval Error_Message=if(Error_Message="\",",null,Error_Message)|cluster showcount=t t=0.2|table app_name, Error_Message ,cluster_count,_time, pod_name,ns |dedup Error_Message| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count

I need to show all the errors, so I am fetching on the keyword ERROR. My Splunk log is below:

Xms3096m -Xmx3096m -Dsidh_psf_spring_profile=e1 -Dspring.profiles.active=e1 -Dsidh_symmetric_cipher_key=MasVU4msfPLjItTYo1VLRgfi5VjJ46axIZ/9qTUAUmY= -Dio.javaagent.slf4j.simpleLogger.defaultLogLevel=ERROR', '-jar', '/opt/app-root/app.jar']

Dio.javaagent.slf4j.simpleLogger.defaultLogLevel=ERROR

But the ERROR in the above logs is not an error. I don't want them to come in alerts. What changes should I make in my search query to not get them but get the rest of the errors? Thanks in advance
I currently have two searches that work separately, but when I combine them into one search I can't seem to get it to run. The first part is to find the earliest/minimum value in a field called First_Seen for each Datacenter. First seen I have to convert into a readable format, but I have this search working on its own:

| stats min(firstSeen) AS min by Datacenter | eval min = strftime(min, "%F %T.%3N")

The second part is getting stats on a field called state, adding up a state of "Open" and "Reopened" per each Datacenter and then counting the number of state="Fixed" by each Datacenter:

| stats count(eval(state="open" OR state="reopened")) as Open count(eval(state="fixed")) as fixed by Datacenter

When I have all of these together within one query I get nothing to load, but separately they both work.
We need to monitor 300 devices for up and down state and the customer would like to have a tight SLA such as 3 - 4 minutes reporting on a down device. I have the following scripted input working - ping.sh:

date; echo ip=<ip1> ; ping -c 4 <ip1> ;
date; echo ip=<ip2> ; ping -c 4 <ip2> ;
date; echo ip=<ip3> ; ping -c 4 <ip3> ;
date; echo ip=<ip4> ; ping -c 4 <ip4> ;
... for 300 lines

Is this the right approach? This script as is, is probably taking over 10 minutes to run. Should I spawn all 300 lines in the background? Is it reasonable to spawn 300 commands in parallel?
I took over an Enterprise environment a while back that is installed on Windows Server 2012r2. We are currently running version 7.3. Indexers are set up as a multisite index cluster, with four indexers in the primary site, and a fourth one at our site 2. We have a requirement to move default Splunk indexes and custom event indexes to new drives installed on the index servers. We are attempting to utilize two new volume path parameters in our index.conf, one for hot/warm and a 2nd one for cold. The new volumes index.conf is set up in one new app defined in the master node (master/new volume app name/). Indexes are set up in another new app defined in the master node (master/new index.config app name). The bundle push was successful when looking at the peers' slave-apps directory, but indexes are not populated on the new disk drives. Splunk software was installed as Local System, but later it was switched over to run as a different user. The new user has read/write to the new disk drives. The documentation is a little confusing, and it references an install on Linux more than Windows. How do I get the default location of indexes to migrate to the new Windows disk?
Hello, I have a table from an xyseries. Each row consists of different strings of colors. I would like to pick one row from the xyseries, save it in some sort of token and then use it later in an svg file. The svg file is made up of three rectangles, whose colors should depend on the chosen row of the xyseries. For example, the search I made looks like this:

index=something |stats latest(vitamins) by fruit |eval color = if(fruit=="$fruit_token$", "red", 0) |fillnull value="green" |xyseries fruit vitamins color

Which gives something like this, when I choose apple as a fruit:

          vitaminA    vitaminB    vitaminC
apple     green       red         green
banana    green       green       green

The idea is that I can search for a fruit I want (with an input token), set the value in latest(vitamin) of that row to "red" and the rest to "green". Is there a way for me to access the "apple row" as a whole? I can access a single column of a row by addressing the column name, i.e.:

|search fruit=$fruit_token$ |eval var="something"+vitaminB+"else" |table var

would give something like: "somethingredelse", which I can then store in a variable. But I somehow want all the rest (all the "greens") also. My end goal would be to use an svg file that looks something like this:

<row> <panel> <viz type="svg.svg"> <search> |makeresults |eval svg_viz = ".... &lt;rect id=01 fill=\"$vitaminA$\"$ &gt; &lt;rect id=02 fill=\"$vitaminB$\"$ &gt; &lt;rect id=03 fill=\"$vitaminC$\"$ &gt; ..." [...] </search> </viz> </panel> </row>

So in our example, if apple is my chosen fruit I would like my first rectangle to have the color "green", the 2nd the color "red" and the third one the color "green". In the end I would use hex codes instead of "red" and "green".
I hope this isn't too narrow a subject. I basically need some sort of access to the xyseries table. Maybe instead of using tokens I could also use my first search inside of the svg file query, but I couldn't get that to work either. I could use some help. Cheers gerbert
Hey Splunkers! Please help me with the below query. I have the below table, and I want to create a new column based on the existing column values:

Column1   Column2   Column3   Result
Apple     Grape     Cherry    Fruits
Spinach   Potato    Raddish   Vegetables

The Result column is the one I'm looking to derive with the below query:

| eval Result = if(column1="Apple" OR column2="Grape" OR column3="Cherry" , "Fruits", column1="Spinach" OR column2="Potato" OR column3="Raddish" , "Vegetables",1==1, "Unknown")

However I'm getting an error; can someone please help? Much appreciated. Thanks!
Hi Everyone, I have one requirement. I am creating incidents through Splunk alerts using SAHARA. The issue I am facing is this. Below is my query:

index=abc  ns=xyz|stats count by app_name|eval f1="khus"

The result of the query is this:

app_name   f1
abc        khus
xyx        khus

But when I create the incident I am only getting the first row in my incident, not the second row. I have passed it like this in the unique ID: $result.app_name$ $result.f1$ Can someone guide me on this?
Hi Team, Can you suggest what the search query of an alert should be that would trigger an alert only if a particular event, say 'a', occurs twice, but for the rest of the events triggers an alert even if there is one single event?
Hi, I have the below lookup file sbl.csv. It has 3 rows:
1. A=1, B = " Added" , C= 31/3/2021 04:16pm
2. A=1, B = " Added" , C= 31/3/2021 04:45pm
3. A=1, B = " Removed" , C= 31/3/2021 04:57pm
Now if I give a search |inputlookup sbl.csv | stats latest(B) as status by A I should get 1, Removed but I am getting 1, Added. Why is that? Can anyone help?
So when I use Report Start=$job.earliestTime$ Report End=$job.latestTime$ I am getting the below in my mail as the response:

Report Start=2021-03-24T06:00:00.000-05:00 Report End=2021-03-31T06:03:00.000-05:00

Apart from the dates, what are the other fields I am getting? Is there any way I can change them to proper IST? @mayurr98
Hi, I want to add a refresh button which, when clicked, refreshes my panels in the dashboard. Either through JS or XML, both work. Please help me with the code. P.S. I want to refresh my panel and not the dashboard.
In the search head I am not able to see the logs, but logs are coming from the forwarder and no error is found in splunkd. Please provide me the troubleshooting steps.
Good morning, suppose I have the following entries in my file:

BEGIN
 abc def
END;
BEGIN
 xyz
END;
***

I want to search for the sentence BEGIN and the sentence with END;. As a result I want to have the search entries BEGIN and END, including the rows between. Regards, Dik Pater