Hello everyone! Splunk SOAR (Security Orchestration, Automation, and Response) is a powerful tool that enables security teams to automate incident response workflows. Splunk offers a range of SOAR (formerly Phantom) education courses designed to help users and security professionals fully leverage its capabilities, from basic automation to advanced playbook creation and incident management. Check out some free courses here!  Register here for Developing SOAR Playbooks, and here for Advanced SOAR Implementation! Feel free to post a comment if you have any questions. Splunk Community Team
Hey everyone! Splunk IT Service Intelligence (ITSI) is a premium solution that helps monitor and manage IT operations and services by using advanced analytics and machine learning. For folks and teams looking to build expertise in Splunk ITSI, there are EDU courses that focus on the platform’s features, from basic service monitoring to advanced predictive analytics. Here is the EDU link for some free courses! Register here for Using Splunk IT Service Intelligence course, here for IT Essentials Learn Walkthrough, and here for Implementing Splunk IT Service Intelligence! Feel free to post a comment if you have any questions! Splunk Community Team
Hi everyone! Splunk offers a variety of Splunk Cloud Platform education (EDU) courses that are designed to help anyone master the platform, whether they're just starting or are experienced users. These courses cover everything from Cloud platform management to Advanced search techniques, and Data integration. Check out this EDU link for some free courses! Register here for Splunk Cloud Admin, here for Introduction to Dashboards, here for Dynamic Dashboard, and here for Scheduling Reports & Alerts. Post a comment if you have any questions! Splunk Community Team
Hello, imagine you have hundreds of Windows Universal Forwarders, each sending three sources to your "Heavy Forwarders", which then forward to the Indexers. Imagine you want to send just one of the sources, source A, of one of those Universal Forwarders, host A, via syslog to a 3rd party. Is there an "elegant way" of filtering just that specific source of that specific host to be sent via syslog on the "Heavy Forwarders"/Indexers? Thank you
Hi, recently we integrated AudioCodes RVI and CIC into Splunk Enterprise, and I'm looking for interesting dashboards. Unfortunately I haven't found an app/add-on for this technology. Thx
Hello, I recently updated a distributed environment with a bundle via the deployer to update the authentication.conf to have an updated LDAP strategy. Since then there have been a number of issues with users not being able to delete their knowledge objects, which prompted me to try as my Admin user. However, this is the error I am receiving when trying to delete via the web UI:
09-24-2024 16:52:13.948 +0000 ERROR SavedSearchAdminHandler [2802356 TcpChannelThread] - This saved search failed to handle removal request due to Object id=<alert/report name> cannot be deleted in config=savedsearches.
I am using Splunk Enterprise version 9.3.0.
I'm currently using the following query to find the CPU utilization for a few hosts, but I want to see the average utilization per host:
tag=name "CPU Utilization" | timechart span=15m max(SysStatsUtilizationCpu) by host limit=0
Any information would be helpful.
I have noticed that a saved search is chronically skipped, almost 100%, but I cannot trace it back to the origin. The search name is >>> _ACCELERATE_<redacted>_search_nobody_<redacted>_ACCELERATE_ From _internal it's in the search app, report acceleration, and user nobody. _audit provides no clues either. How do I trace this to the source? Thank you
Hello, I have the following dataset. It consists of configuration parameters from multiple systems. Each system has somewhere in the neighborhood of 3000-5000 parameters, some of which will not exist in all systems. I am trying to come up with a list of unique combinations of parameters with a Match flag which shows whether the value is identical between both systems. It should indicate a false flag if the parameter exists in either system but not the other, or if the parameter exists in both systems but with different values. The parameters are identified by a unique combination of SERVICE_NAME, FILE_NAME, SECTION and KEY (all four are required to be the same), and the system is identified by SID. The data look like this:

SID  SERVICE_NAME  FILE_NAME   SECTION            KEY                      VALUE
AAA  index         global.ini  global             timezone_dataset         123
AAA  dpserver      index.ini   password policy    minimal_password_length  16
AAA  index         index.ini   flexible_table     reclaim_interval         3600
AAA  dpserver      global.ini  abstract_sql_plan  max_count                1000000
BBB  dpserver      index.ini   password policy    minimal_password_length  16
BBB  index         index.ini   password policy    minimal_password_length  25
BBB  dpserver      global.ini  abstract_sql_plan  max_count                1000000
BBB  index         index.ini   mergedog           check_interval           60000

The data is in a dashboard, along with drop-downs to select two systems to be compared. Once a user selects system AAA and system BBB, I would like the result to show:

SERVICE_NAME  FILE_NAME   SECTION            KEY                      Match
index         global.ini  global             timezone_dataset         No
dpserver      index.ini   password policy    minimal_password_length  Yes
index         index.ini   flexible_table     reclaim_interval         No
dpserver      global.ini  abstract_sql_plan  max_count                Yes
index         index.ini   password policy    minimal_password_length  No
index         index.ini   mergedog           check_interval           No

I have tried many different SPL searches, but none have provided the intended result. I would greatly appreciate any assistance or guidance. Cheers, David
Could the Splunk Add-on for Salesforce team clarify whether FIPS mode is supported? Per https://docs.splunk.com/Documentation/AddOns/released/Overview/Add-onsandFIPsmode it seems certain Add-ons do, but there doesn't seem to be a definitive list of what supports it and what doesn't.
Hi, I want to extract the highlighted part:
Sep 24 10:43:25 10.82.10.245 [S=217] [BID=d57afa:30] RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy Set 1 (PS_ITSP): Proxy lost. looking for another proxy; Severity:major; Source:Board#1/ProxyConnection#1; Unique ID:242; Additional Info1:; [Time:24-09@17:43:25.248] [63380759]
Hi Splunk Experts, I've a lookup with fields 'User', 'Rates' and 'Priority' (values 1 to 5). I use this lookup in my search, and I wish to accomplish the use cases below. Kindly advise if it's possible.
Cases:
Lookup Priority value is '5': I've to get the max(Rates) from Priority values 1 to 5.
Lookup Priority value is '4': I've to get the max(Rates) from Priority values 1 to 4.
Lookup Priority value is '3': I've to get the max(Rates) from Priority values 1 to 3.
Lookup Priority value is '1': I've to get the max(Rates) from Priority value 1.
I have to create a custom command using a Python script to update a particular property (enableSched) from 1 to 0 or 0 to 1. Please let me know if anyone knows how to do this.
Hi, I have a use case in which there are 4 images for Red, Amber, Green and Grey (No Data/Inactive) that are to be displayed in the dashboard I created. For the widget I'm using Choropleth SVG for the image; right now I uploaded an image manually to visualize the widget. I'm assessing a way to connect the required S3 bucket with the widget so as to get those images onto the Splunk dashboard. Can anyone please assist on how to achieve this? Thanks!
Hello, I struggle to do the following:
Count the volume for the last 5 min from current time -7d, -14d, -21d, -28d (basically keeping the same day of the week)
Do an avg and stdev of those counts
Define a range based on this
Get the count of the last 5 min from the current time and tell when it is out of the range
All this in a table so I can use it from Alerts
I read a lot of things, but couldn't come up with something close enough so far; I'm still new with Splunk. Thank you!
Dear Splunkers, I'm investigating an issue with the duplicated Maps+ for Splunk application icon in the Home menu of Splunk Enterprise running on Cloud (see attached picture). This is a weird performance. Splunk version 9.1.2. Can you please suggest how to resolve this problem so that only 1 app icon appears, as before? Thank you
Hi, this is my 1st post; I'm a newbie Splunker. I have a case from my clients: the Splunk is running with an LB in front of the SH cluster. I'm already using LDAP to inject the data for login access accounts in Splunk. When I checked the audittrail log in the query table, it's showing only 1 specific clientip or src. That was different from the 1st time I injected the AD for login access to Splunk, or inside the dev server, because we only use an AIO/standalone Splunk in dev; there it's showing the real IP of the user. But now, when I log in to Splunk Web, the audit trail log shows the specific 1 IP, which I think is the LB or AD IP. Even when I used a native user like "admin", it shows only 1 IP, and it's not my device IP. How can I make the real IP from the user show up while using an LB in the SH cluster, instead of only 1 IP from the LB or AD in the audittrail log?
I am using the following HTML for my alert action data entry screen. The tenant multi-select does not show up in the configuration dictionary of the payload object passed to the Python script. What am I doing wrong?

Payload passed to Python script:
Payload: {'app': 'search', 'owner': 'jon_fournet@bmc.com', 'result_id': '1', 'results_file': '/opt/splunk/var/run/splunk/dispatch/rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19/per_result_alert/tmp_1.csv.gz', 'results_link': 'http://clm-aus-wm6fwd:8000/app/search/search?q=%7Cloadjob%20rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now', 'search_uri': '/servicesNS/jon_fournet%40bmc.com/search/saved/searches/sentToBHOM12', 'server_host': 'clm-aus-wm6fwd', 'server_uri': 'https://127.0.0.1:8089', 'session_key': 'juYpGOJO29CVEJXEhNFtlVZu0NdAUtGRObXSddXgB^nwDFZHofpZ58tDr^dfFRHcAeBKb3sKvtUNY48u7z2go^bDjUIR1K59YJhT3mkpPKXm3Vom_mXwSCA5rF2AQsgeoEuM332jKYMhEiZRakt1Qs69if_wD_QAPo', 'sid': 'rt_scheduler_am9uX2ZvdXJuZXRAYm1jLmNvbQ__search__sentToBHOM12_at_1727135173_17.19', 'search_name': 'sentToBHOM12', 'configuration': {'additional_info': 'This is an additional slot', 'category': 'AVAILABILITY_MANAGEMENT', 'ciid': 'test ciid', 'citype': 'testcitype', 'hostname': 'splunktesthost', 'logLevel': 'WARN', 'message': ' kkkk', 'object': 'testobject', 'originuri': 'testuri', 'severity': 'WARNING', 'subcategory': 'APPLICATION'}}

HTML:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Information</title>
<style>
body { background-color: lightblue; font-family: Arial, sans-serif; }
.container { width: 80%; margin: 20px auto; }
.section { background-color: white; padding: 15px; margin-bottom: 20px; border: 2px solid black; border-radius: 5px; }
.section h2 { margin-top: 0; }
</style>
</head>
<body>
<form class="form-horizontal form-complex">
<h1>BHOM Tenant Configuration</h1>
<div class="control-group">
<label class="control-label" for="bmc_tenants">Tenants</label>
<div class="controls">
<select id="bmc_tenants" name="action.sendToBHOM.param.tenants" multiple size="3">
<option value="prod">Production</option>
<option value="qa">QA</option>
<option value="dev">Development</option>
</select>
<span class="help-block">The BHOM Tenants to forward alerts</span>
</div>
</div>
<h1>BHOM Event Configuration</h1>
<div class="control-group"><label class="control-label" for="bmc_severity">Severity</label> <div class="controls"><select id="bmc_severity" name="action.sendToBHOM.param.severity"> <option value="OK">Ok</option> <option value="WARNING">Warning</option> <option value="MINOR">Minor</option> <option value="MAJOR">Major</option> <option value="CRITICAL">Critical</option> </select><span class="help-block">The severity of the alert</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_hostname">Source Hostname</label> <div class="controls"><input id="bmc_hostname" name="action.sendToBHOM.param.hostname" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Hostname of the source of the alert</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_object">Object</label> <div class="controls"><input id="bmc_object" name="action.sendToBHOM.param.object" type="text" placeholder="e.g. Splunk_log_1 " /> <span class="help-block">The Object related to the alert</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_category">Category</label> <div class="controls"><input id="bmc_category" name="action.sendToBHOM.param.category" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Category related to the alert</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_subcategory">Sub-Category</label> <div class="controls"><input id="bmc_subcategory" name="action.sendToBHOM.param.subcategory" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Sub-Category related to the alert</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_originuri">Origin URI</label> <div class="controls"><input id="bmc_originuri" name="action.sendToBHOM.param.originuri" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Origin URI related to the alert</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_ciid">CI ID</label> <div class="controls"><input id="bmc_ciid" name="action.sendToBHOM.param.ciid" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The CI ID related to the alert</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_citype">CI Type</label> <div class="controls"><input id="bmc_citype" name="action.sendToBHOM.param.citype" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The CI Type related to the alert</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_event_message">Message</label> <div class="controls"><textarea id="bmc_event_message" style="height: 120px;" name="action.sendToBHOM.param.message"> </textarea><span class="help-block">The message for the event sent to BHOM</span></div> </div>
<div class="control-group"><label class="control-label" for="bmc_additional_info">Additional Info</label> <div class="controls"><input id="bmc_additional_info" name="action.sendToBHOM.param.additional_info" type="text" placeholder="e.g. splunk.bmc.com " /> <span class="help-block">The Additional Information related to the alert</span></div> </div>
<h1>Log Level (logs written to index _internal)</h1>
<label for="logLevel">Choose a log level:</label>
<select id="logLevel" name="action.sendToBHOM.param.logLevel"> <option value="INFO">INFO</option> <option value="WARN">WARNING</option> <option value="ERROR" selected>ERROR</option> <option value="DEBUG">DEBUG</option> </select>
</form>
</body>
</html>
I want to show which users have not logged into Splunk for the last 30 or 90 days. For example: we have 300 users who have access to the Splunk UI, and I want to know who has not logged into Splunk for more than 7 days. The query below will show who has logged into Splunk, but I want to show who has not logged in, along with the last login time.
index=_audit sourcetype=audittrail action=success AND info=succeeded | eval secondsSinceLastSeen=now()-_time | eval timeSinceLastSeen=tostring(secondsSinceLastSeen, "duration") | stats count BY user timeSinceLastSeen | append [| rest /services/authentication/users | rename title as user | eval count=0 | fields user ] | stats sum(count) AS total BY user timeSinceLastSeen