Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Is there any documentation on safely upgrading Splunk machines (master, search head, indexers) on Splunk version 8.0.2 from RHEL 7 to RHEL 8?
So what I'm attempting to do is this: I have a list of user, IP, city, state, country, time. I want to alert if I see a user on two different IPs within a 5-15? minute (short period of time) interval. Any suggestions?
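As an added example (not from the original post, and not an answer given on this page), here is the detection the question describes, written in Python and run over a constructed set of login records: for each user, events are kept in a sliding time window, and an alert is raised when two events inside the window carry different IPs. The record fields, the 10-minute default, the sample data and the alert layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumption: one authentication event per dict,
# with the fields the question lists). Not data from the original post.
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "203.0.113.10", "city": "Austin",  "state": "TX", "country": "US", "time": "2021-03-22 09:00:00"},
    {"user": "alice", "ip": "203.0.113.10", "city": "Austin",  "state": "TX", "country": "US", "time": "2021-03-22 09:04:00"},
    {"user": "alice", "ip": "198.51.100.7", "city": "Berlin",  "state": "BE", "country": "DE", "time": "2021-03-22 09:07:00"},
    {"user": "bob",   "ip": "192.0.2.25",   "city": "Denver",  "state": "CO", "country": "US", "time": "2021-03-22 09:01:00"},
    {"user": "bob",   "ip": "192.0.2.99",   "city": "Denver",  "state": "CO", "country": "US", "time": "2021-03-22 09:40:00"},
    {"user": "carol", "ip": "192.0.2.5",    "city": "Seattle", "state": "WA", "country": "US", "time": "2021-03-22 09:02:00"},
    {"user": "carol", "ip": "192.0.2.5",    "city": "Seattle", "state": "WA", "country": "US", "time": "2021-03-22 09:09:00"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def location(event):
    return f'{event["city"]}, {event["state"]}, {event["country"]}'


def find_multi_ip_users(events, window_minutes=10):
    """Sliding-window check: for each user, compare every event with the
    earlier events that are still inside the window, and raise one alert per
    distinct (user, earlier_ip, later_ip) pair whose IPs differ."""
    window = timedelta(minutes=window_minutes)

    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    reported = set()
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_time(e["time"]))
        recent = []  # this user's events still inside the window, oldest first
        for event in user_events:
            now = parse_time(event["time"])
            # expire anything older than the window before comparing
            recent = [r for r in recent if now - parse_time(r["time"]) <= window]
            for earlier in recent:
                key = (user, earlier["ip"], event["ip"])
                if earlier["ip"] == event["ip"] or key in reported:
                    continue
                reported.add(key)
                gap = now - parse_time(earlier["time"])
                alerts.append({
                    "user": user,
                    "ips": (earlier["ip"], event["ip"]),
                    "locations": (location(earlier), location(event)),
                    "gap_minutes": int(gap.total_seconds() // 60),
                    "country_changed": earlier["country"] != event["country"],
                })
            recent.append(event)
    return alerts


if __name__ == "__main__":
    for alert in find_multi_ip_users(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only alice fires (two IPs seven minutes apart, and in two countries); bob's second IP is 39 minutes later and is only reported once the window is widened. In SPL the same idea is usually written with fixed buckets, for example `... | bin _time span=10m | stats dc(ip) AS ip_count values(ip) AS ips BY user, _time | where ip_count > 1`; the caveat is that bucketing misses a pair that straddles a bucket boundary, which the sliding window above does not. Carry the city and country into the alert so an analyst can tell a VPN or mobile-network address change from genuinely impossible travel.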
To Whom It May Concern,

I'm as certain as I can be that I never received a "Welcome to Splunk" email with my URL, username, and temporary password for my instance. I have attached a screenshot and an article from the Splunk Experts forum (laying out the details of my specific issue). Thank you for the assistance.

https://community.splunk.com/t5/Security/Cloud-Trial-login/m-p/505291#M11563

Respectfully, Cory Stephenson
Hello, I am trying to figure out which role capability controls being able to use a lookup in a query. If I select all the capabilities, then the role certainly can query a lookup. However, if I select only the capabilities that I want the role to have, they lose the ability to query the lookup. Looking at the documentation (https://docs.splunk.com/Documentation/Splunk/8.1.2/Security/Rolesandcapabilities), it does not specify which capability allows for the querying of a lookup. Thanks! David
What source type do I enter while opening up a port to my License Server from another Splunk server?
Hi all, I'm looking for a method to put some icons into a table (4 or 5 for each row) which are clickable and open different links (one syslog, one CMDB info, one performance and others). I've tried some solutions like https://community.splunk.com/t5/Splunk-Search/How-do-you-add-buttons-on-table-view/m-p/384712#M112364 but it's not what I'm looking for. I succeeded in putting only a label, so something like this: and the click on each link is working fine, so instead of the label I want to put an icon. Thanks in advance for any response. Fabrizio
Hello, I am trying to get data from two different searches into the same panel; let me explain. Below is a search that runs and gives me the expected output of the total of all IPs seen in the scans by System:

| inputlookup scan_data_2.csv
| join type=inner [ | inputlookup KV_system | where isnotnull(stuff) | eval stuff=split(stuff, "|delim|") | mvexpand stuff | spath input=stuff "IP Addr" output=ip | spath input=devices "OS" | fields ip "OS" ]
| join type=inner ip [ inputlookup ips_of_systems.csv ]
| dedup ip
| stats count by "Systems"
| rename count as "Total IP's in System Scans"
| sort - "Total IP's in System Scans"

That search gives me something like this as output (as expected):

Systems | Total IP's in System Scans
XYZ     | 10005
ABC     | 885

I would like to add a column that has the total number of servers by Systems, whether seen in the scans or not. For example, System "XYZ" has a total of 10005 seen in system scans, BUT overall they have 12000 IPs (only 10005 of which are seen by scans).

Note: "| inputlookup ips_of_systems.csv" has a roster of ALL the IPs, whether seen in a scan or not.
Note: "| inputlookup scan_data.csv" has a roster of all of the IPs seen in scans.

I want it to look something like this:

Systems | Total IP's in System Scans | Total IP's of Systems
XYZ     | 10005                      | 12000
ABC     | 885                        | 1000

Is that possible? I'm not sure how to accomplish this; it looks easy, but I've been messing around with it for too long. Heck, even adding another column with the % overall seen would be nice too (not sure how to do this):

Systems | Total IP's in System Scans | Total IP's of Systems | %Seen_in_Scan
XYZ     | 10005                      | 12000                 | 83%
ABC     | 885                        | 1000                  | 88%
Hi, I am a newbie to Splunk, so apologies if I didn't follow the right etiquette while creating this issue. I am trying to create a table where I can show some statistical fields (avg, 95perc, count) from the current week for a given host and then show the trend from the beginning of the year for only count and 95perc. Something like the table below:

Service | CurrentWeek:total | CurrentWeek:avg_some_field | CurrentWeek:some_field_95 | 2021-03-19:total | 2021-03-19:some_field_95 | 2021-03-12:total | 2021-03-12:some_field_95
HOST1   |                   |                            |                           |                  |                          |                  |
HOST2   |                   |                            |                           |                  |                          |                  |

The way I'm currently doing this is by using a join for the current week and aggregating data for the year broken down by week on the host field, as shown below:

index=some_index earliest=@w latest=now sourcetype="some_src_type"
| stats count as total, avg(some_field) as avg_some_field, perc95(some_field) as some_field_95 by host_name
| join type=outer host_name
    [ search index=some_index earliest=@y latest=@w sourcetype="some_src_type"
      | bin _time span=1w
      | eval week=strftime(_time,"%Y-%m-%d")
      | stats count as total_by_week, perc95(some_field) as some_field_95 by host_name, week
      | chart sum(total_by_week) as total, mean(some_field_95) as some_field_95 by host_name, week useother=f ]
| rename host_name as "Host", total as "CurrentWeek:total", avg_some_field as "CurrentWeek:avg_some_field", some_field_95 as "CurrentWeek:some_field_95"

ASK: If a host doesn't exist in the current week, it doesn't show up in the final table (because of the join). Is there a better way to solve this? Also, I would like the following weeks to be in descending order in the columns, to show the most recent ones first. Currently it shows them in ascending order. @woodcock @DalJeanis @niketn
How do I open a port in Splunk via the web GUI on a server, so it can access my License Server?
Is there a plan to support Splunk Cloud as SaaS hosted in Azure? If so, when? Qiang
I'm working on a dashboard that is not returning any results, but I can find events upon clicking the "Open in Search" link. Why is it not showing results in the dashboard view?
Hi, I am using a heatmap to display the buffer time; it uses only the count for the specific time frame. So I converted HH:MM:SS to minutes and used that as the count. But I want to show the buffer time in both minutes and HH:MM:SS, along with the process name, in the tooltip on mouseover. Currently only the x-axis and y-axis values (minutes and date) are shown. I want to add more values to the tooltip so that I can see HH:MM:SS, minutes, process name and the date. Could you please help me to know what changes are required in the heatmap JS, or any alternate solution? Sample screenshot of the heatmap showing only the x-axis and y-axis values. Need to show additional values like minutes in HH:MM:SS and process name in this tooltip. The JS which I used is the JS that came with the heatmap app in Splunk.
Hello, I want to create a line/bar chart with some data in a table. Example: I have data in tabular form as mentioned below:

column1 (string) | column2 (num) | column3 (time)
X1               | 12            | time
X2               | 9             | time
X1               | 10            | time
X1               | 5             | time
X2               | 15            | time

I want to create a line graph with time on the X-axis and column2 on the Y-axis. I want two lines in the graph, one for X1 and one for X2, and when I hover on a line it should indicate whether the line is for X1 or X2.

Can someone please help me write the search query for this requirement?

Thanks in advance
Hi, can someone help me with which Data Model the 'infection_found' tag belongs to? Can it be considered for the Malware data model (infection_found tag, Malware attack)? If not, what can be the possible cases? Thank you!!
I want to replace the values of alternateId and displayName with "****". I tried the sed commands below, but they are not changing the whole value.

index=sample | rex mode=sed "s/(\"alternateId\"\:\s+\")(\w+)/\1****\"/g" | rex mode=sed "s/(\"displayName\"\:\s+\")(\w+\W)/\1****\"/g"

_raw data:

{"logs_id": "4890d36f-5ee3-11eb-b3a5-852911ef9cd4", "securityContext": { "alternateId": "****"@Anonymous.com", "id": "ramxghl092", "displayName": "****"System"},

Expected is to get:

{"logs_id": "4890d36f-5ee3-11eb-b3a5-852911ef9cd4", "securityContext": { "alternateId": "****", "id": "ramxghl092", "displayName": "****"},
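As an added example (not from the original post or the Splunk documentation), the Python below reproduces why the posted sed pattern leaves `@Anonymous.com"` behind: `\w+` matches only word characters, so it stops at the `@`, and the replacement appends its own closing quote, so the rest of the value survives. It then masks a constructed event two ways: a regex that consumes everything up to the closing quote, and a JSON parse that redacts by key name. The sample event and its field values are assumptions.

```python
import json
import re

# Constructed sample event (assumption; not the poster's data). The values are
# realistic for the fields named in the question.
RAW_EVENT = (
    '{"logs_id": "4890d36f-5ee3-11eb-b3a5-852911ef9cd4", '
    '"securityContext": {"alternateId": "jdoe@example.com", '
    '"id": "ramxghl092", "displayName": "Jane Doe"}}'
)

SENSITIVE_KEYS = ("alternateId", "displayName")

# The posted sed pattern, translated to Python syntax. \w+ stops at '@' (or a
# space), and the replacement adds its own closing quote, so the tail of the
# original value is left in place after the mask.
POSTED_PATTERN = re.compile(r'("alternateId"\s*:\s*")(\w+)')


def show_posted_pattern(raw):
    return POSTED_PATTERN.sub(r'\1****"', raw)


# Corrected regex: keep the key and its opening quote (group 1), then consume
# the whole value up to the closing quote. Fine for values without escaped quotes.
MASK_PATTERN = re.compile(r'("(?:alternateId|displayName)"\s*:\s*")[^"]*"')


def mask_with_regex(raw):
    return MASK_PATTERN.sub(r'\1****"', raw)


def mask_with_json(raw, keys=SENSITIVE_KEYS):
    """Structured alternative: parse, redact the named keys at any depth,
    re-serialise. Unaffected by '@', spaces, escaped quotes or anything else
    that may appear inside the value."""
    def redact(node):
        if isinstance(node, dict):
            for key, value in node.items():
                node[key] = "****" if key in keys else redact(value)
        elif isinstance(node, list):
            node[:] = [redact(item) for item in node]
        return node

    return json.dumps(redact(json.loads(raw)))


if __name__ == "__main__":
    print("posted :", show_posted_pattern(RAW_EVENT))
    print("regex  :", mask_with_regex(RAW_EVENT))
    print("json   :", mask_with_json(RAW_EVENT))
```

The corrected pattern in rex sed form is `| rex mode=sed "s/(\"(alternateId|displayName)\"\s*:\s*\")[^\"]*\"/\1****\"/g"`. Two caveats: a `[^"]*` value match breaks on a value that itself contains an escaped `\"`, which the JSON route handles correctly; and `rex` at search time only masks what that one search returns, the original value is still in the index and readable by anyone who can run a different search, so for genuinely personal data the masking belongs at index time (SEDCMD in props.conf) or at the source.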
Hello, my field looks like this:

03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$

And I need to catch everything after

03/01/2019 07:10 0

It means I just need:

03/01/2019 07:10 0 MBAM CLIENT (2.5_64b) EN.$w$

Could you help me please??
I am new to using transforms.conf and props.conf to manipulate data. The issue we are experiencing is in our WinEventLog data: we have a field that comes over as Creator Process Name, e.g.

Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

However, most of the correlation searches are looking for process name, parent process name, etc. I have created a field alias so that Creator Process Name also populates parent process name. I am trying to use transforms and props in order to drop most of the file path for the process name field, for example:

Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Name: splunkd.exe

Here is my current entry in transforms.conf:

[Creator_Process_Name_as_process_name]
SOURCE_KEY = Creator_Process_Name
REGEX = \t\w:.*[\\](?<process_name>.*)\n
FORMAT = process_name::$1

and in props.conf:

TRANSFORMS-Creator_Process_Name_as_process_name = Creator_Process_Name_AS_process_name

It doesn't seem to be working like it should; I actually do get a process name populated, but it is the whole file path. Regex101 seems to show the regex to be correct in just pulling the .exe.
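As an added example (not from the original post, and not a Splunk configuration), the Python below performs the extraction the poster is after on a constructed 4688-style event: the path is taken from the line carrying the field label and then reduced to its basename. It also runs the posted regex against both the whole event and the bare field value, to show where its `\t` and `\n` anchors do and do not match. The event text and the output field names `process_name` / `parent_process_name` are assumptions.

```python
import re

# Constructed 4688-style event (assumption; not the poster's data). Windows
# puts a tab before and after each field label in the Message body.
EVENT = (
    "03/22/2021 09:00:01 AM\n"
    "LogName=Security\n"
    "EventCode=4688\n"
    "Message=A new process has been created.\n"
    "\n"
    "Process Information:\n"
    "\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe\n"
    "\tCreator Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\n"
)

# The bare value of the Creator_Process_Name field, as a transform keyed on that
# field (SOURCE_KEY) would see it: no leading tab, no trailing newline.
FIELD_VALUE = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"

# The posted REGEX, in Python group syntax. It depends on a tab before the drive
# letter and a newline after the file name, and is not tied to either label.
POSTED = re.compile(r"\t\w:.*[\\](?P<process_name>.*)\n")

# Label-anchored version: matches one event line, tolerates tab or space
# separators, and captures the full path so the basename is derived from it.
LABELLED = re.compile(
    r"^\s*(?P<label>New Process Name|Creator Process Name):\s*"
    r"(?P<path>[^\r\n]*?)\s*$",
    re.MULTILINE,
)

# Assumed output field names, in the style of the fields the poster is mapping to.
FIELD_FOR_LABEL = {
    "New Process Name": "process_name",
    "Creator Process Name": "parent_process_name",
}


def basename(path):
    """Last component of a Windows or POSIX path: 'C:\\x\\y\\z.exe' -> 'z.exe'."""
    return re.split(r"[\\/]", path.rstrip("\\/"))[-1]


def posted_regex(text):
    """Apply the posted pattern; returns the captured name or None."""
    match = POSTED.search(text)
    return match.group("process_name") if match else None


def extract_process_fields(event):
    """Return basenames under process_name / parent_process_name for the labels
    present in the event, plus the full paths under <field>_path."""
    fields = {}
    for match in LABELLED.finditer(event):
        name = FIELD_FOR_LABEL[match.group("label")]
        fields[name] = basename(match.group("path"))
        fields[name + "_path"] = match.group("path")
    return fields


if __name__ == "__main__":
    print("posted regex on event :", posted_regex(EVENT))
    print("posted regex on field :", posted_regex(FIELD_VALUE))
    print("label-anchored        :", extract_process_fields(EVENT))
```

Two things the run shows: the posted pattern is not tied to the label, so on a full event it returns the first path it reaches (`cmd.exe`, the new process, not the creator); and a field value on its own has no leading tab or trailing newline, so a pattern that relies on them never matches there. Anchoring on `^` and `$`, or on the label text, avoids both. Keep the full path in its own field as well: a basename of `svchost.exe` says nothing about whether it ran from `System32` or from a user's Temp directory, and masquerading detections depend on that distinction.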
Hello, last week I was trying to implement a JS script in a distributed environment, and while it worked fine on a single machine, the replication has not been made to all of the SHs. The question is: how can I deploy the changes made to all the SHs? I already tried the command `splunk reload deploy-server`, and while it didn't return any error message, the changes were not made. As a workaround I tried applying the changes on one SH and waiting for it to replicate to the others, which seemingly worked fine. Still, isn't there a way (like the command listed before) to force the changes across the SHs? Thanks in advance.
I have two Splunk environments with the same Splunk version, 7.3.3. On one environment I see the sourcetype edit link when I click on edit; on the other environment the sourcetype page is missing, even when I copy the link from the environment on which it works and paste it into the environment on which it doesn't.
I'm using transaction with startswith to match multiple strings. I want any event that contains either of the strings. Which of the below is correct?

index=web "web-thread-" | transaction txid startswith=(param=121fdfd OR param2=asfdads3232 OR a_inexe_1 OR asdf_1) endswith="web time:" maxspan=10m

index=web "web-thread-" | transaction txid startswith=("param=121fdfd" OR "param2=asfdads3232" OR "a_inexe_1" OR "asdf_1") endswith="web time:" maxspan=10m

Both of the above produce slightly different results. I would like to know which is correct.