Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi. 1. I would like to know what types of alerts can be created using Splunk. 2. How do I find out whether a fingerprint login generates an event, and how do I log that event into Splunk? 3. How do I make a password alert for a website or a particular app?
I'm trying to set up a search to return Office 365 role change events for specific roles, such as the Global Administrator (aka Company Administrator). The event data seems to be structured like this (simplified for clarity):

{
  Id: <someGuid>
  ModifiedProperties: [
    { Name: Role.ObjectID            NewValue:   OldValue: <someGuid> },
    { Name: Role.DisplayName         NewValue:   OldValue: Company Administrator },
    { Name: Role.TemplateId          NewValue:   OldValue: <someGuid> },
    { Name: Role.WellKnownObjectName NewValue:   OldValue: TenantAdmins }
  ]
  ObjectId: <UPN of object modified>
  Operation: <what was done>
  UserId: <UPN of user that made change>
}

I want to extract the OldValue of the ModifiedProperties object where Name = Role.DisplayName into a field. I've had a look, and had thought either spath or eval would help, but I couldn't see any extra fields being created when I used either, much less being able to then extract data from it. Am I on the right track? Or looking at it all wrong? My base search is this:

sourcetype="o365:management:activity" AND RecordType=8 AND (ModifiedProperties{}.NewValue="TenantAdmins" OR ModifiedProperties{}.OldValue="TenantAdmins")

I then tried to push it through eval like this:

| eval 'ModifiedProperties{}.Name'='ModifiedProperties{}.OldValue'

I thought I understood that should have added 4 extra fields (to match the four ModifiedProperties objects) to the returned event, but the events didn't change. Can anyone lend a hand?
I have configured a distributed Splunk setup with the AWS add-on on the Heavy Forwarder and the AWS app on the Search Head, but the configuration changes are not displayed in the AWS app dashboard.
We are receiving around 300 GB of syslog data every day, and we want to filter all the logs and index only what the network team wants us to. What are the configuration changes that can help me achieve this? How do I filter all the unnecessary logs from the syslog server? I just need to index the events where one of the fields says sgt=4. Thanks & Regards, Manyutej Sanjeev
Hi. We have to retrieve data through a REST API and then display the data in a dashboard. After reading the documents, an add-on is an easy method to get data into Splunk, but an add-on has no dashboard. Can I combine the add-on with an app? Add-on: get the data; app: display the data? Regards, Emily
What do you consider the Splunk Enterprise and Splunk ES heartbeats that one should check daily?
On which Splunk server do I install the Splunk Dashboard Examples app?
I need to check that replication is taking place between my indexers, and whether any of them has not called in to Splunk since yesterday. Any SPL for this is appreciated.
I have created a dashboard, only with a custom search app with JavaScript, in Splunk version 8 with Simple XML code. Here is the reference - post. I have two issues with my custom search app.

1. Issue with Smart mode:
- When the search query is entered and the search bar returns the results, it provides the result in "Smart mode".
- In this mode, the raw event log is not displayed; instead, the fields and the values in each raw event are displayed in table format, even for a very simple query like
  index=main source=abc sourcetype=xyz
- If I switch to Fast mode manually, then I get the raw events, but they are not readable. To view a complete log event, I need to scroll to the right until the end.
- It would be good if the raw event were wrapped to the screen size and easily readable (as in the normal Search app).

2. Issue with the option "Event Actions":
- In the Search app, when we get results for a query, we can see a small dropdown attached to each event result.
- The dropdown shows options like Extract fields, Show source, Event type, etc.
- The dropdown also shows the field values like host, source, sourcetype and index.
- These options are missing in my custom search app results.

These two issues need a fix as soon as possible, so that I can make my custom search app provide results similar to the built-in Search app. Could anyone please help me fix this issue as soon as possible?
Hello Splunkers,

I'm facing an authentication issue with my Splunk instance during app deployment.

Information about the infrastructure:
- Splunk Enterprise is configured with SSO
- My user account has the Admin role
- The Splunk service runs as the splunk user (normal setup as in the installation doc)
- No password has been configured for the splunk user account

Issue: Whenever I try to deploy an app using ./splunk reload deploy-server, it usually asks for my user id and password, which is my Active Directory user id and password. Since we have enabled SSO, I'm unable to get authenticated and get the error below:

Your session is invalid. Please login.
Splunk username: myid
Password:
An authentication error occurred: Client is not authenticated

Could someone help me with this issue, as I'm new to deployment on an SSO-enabled system? I have quite a lot of experience with the normal deployment without SSO being enabled.

Thank you
I created a large data model with data sets and tried Pivot. It worked a couple of times, but then it started to fail with the following error.
I'm trying to produce an alert based on a user logged in with 2 IPs within 10 minutes. I have a way to determine if they have it; however, I would like to see the IP addresses they had in the alert. How can I achieve this? The following will trigger, but I need to see the IPs as well.

index="w3logs" earliest=-10m
| eval tempx = split(X_Forwarded_For,",")
| eval ip=mvindex(tempx,0)
| stats dc(ip) as dup by cs_username
| where dup > 1
Hi, we are using Splunk 7.3.4 and wanted to confirm that the indexed data is not encrypted by default.
I have a lookup and I want to assign it to a single field. Example: this is my lookup table with values:

Messge 0 0 1 0 0
Messge 1 1 3 1 1
Messge 2 11 0 0 0
Messge 3 1 0 0 0
Messge 4 9 5 0 0
Messge 5 1 1 0 0
Messge 6 1 1 0 0
Messge 7 0 1 0 0

I want to get the entire value of the lookup into a single field:

eval myfield="Messge 0 0 1 0 0 Messge 1 1 3 1 1 Messge 2 11 0 0 0 Messge 3 1 0 0 0 Messge 4 9 5 0 0 Messge 5 1 1 0 0 Messge 6 1 1 0 0 Messge 7 0 1 0 0"
I am not receiving /var/log/messages from a Linux server. I have written the stanza to monitor /var/log/messages in inputs.conf. Although I am receiving /var/log/audit.log and /var/log/secure.log, and have given the splunk user read permission on the /var/log directory, and message logs are being generated continuously on the remote side, I am still not receiving the message logs.

[monitor:///var/log/messages]
disabled = 0
index = linux
blacklist = .*csv$
ignoreOlderThan = 1d
I'm currently having trouble with a query to get the result of user activity duration after office hours within a month. I expect the result to look like the below:

Query A:
user A = 13d 22h 12m 2s
user B = 10d 15h 27m 3s

OR

Query B:
user A = 320h 23m 2s
user B = 267h 42m 1s

Either answer is acceptable to me, as I have tried multiple sets of queries for the result above. Both queries take the time range from 5.30pm until 8.00am only, for a month. Below are the sample queries:

Query A:
| eval date_hourmin = strftime(_time, "%H%M")
| where date_hourmin>=1730 OR date_hourmin<=800
| transaction user,date_hourmin
| stats sum(duration) as duration by user
| sort - duration
| eval string_dur = tostring(round(duration), "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval result=replace(formatted_dur, "^d (0h (0m )?)?","")
| table user duration string_dur formatted_dur result

Query B:
| eval date_hourmin = strftime(_time, "%H%M")
| where date_hourmin>=1730 OR date_hourmin<=800
| convert timeformat="%b %Y" ctime(_time) as date_month
| streamstats earliest(date_hourmin) as time_in latest(date_hourmin) as time_out by date_month
| eval duration=time_out-time_in
| stats values(src_ip) as SourceIP values(srcPort) as SourcePort values(dstService) as DestService earliest(time_in) as TimeIn latest(time_out) as TimeOut values(dest_ip) as DestIP values(dstPort) as DestPort sum(duration) as TotalDuration count by date_month,user
| eval secs=TotalDuration%60,mins=floor((TotalDuration/60)%60),hrs=floor((TotalDuration/3600)%60)
| eval HOURS=if(len(hrs)=1,"0".tostring(hrs), tostring(hrs)),MINUTES=if(len(mins)=1,"0".tostring(mins), tostring(mins)),SECONDS=if(len(secs)=1,"0".tostring(secs), tostring(secs))
| eval Time=HOURS.":".MINUTES.":".SECONDS
| table user SourceIP SourcePort DestIP DestPort DestService Time count
| sort - duration limit=10

Both queries display a result; HOWEVER, it looks like neither query gives an accurate result.
I've been struggling with this kind of query for a month now; perhaps I'm missing something here. I would really appreciate it if anyone can help and assist with this. Thank you.
Hi, I have a few fields and I am trying to get results on, e.g., Field1 (Person), Field2 (Sales), Field3 (Location). What I am trying to do is somehow sum(Sales) as Sales by Person (the easy part); however, I need to separate the location where the sales came from, e.g. Vic and Other State, and table the total result for each location per person.

Person    Vic     Other
Bob       $XX     $XX
Mary      $XX     $XX
Phil      $XX     $XX

Thoughts? And thank you in advance.
Hi, is there any solution to create a notable event for missing forwarders? Currently, missing forwarders generate an alert on the Monitoring Console, which runs on a separate Splunk instance from ES.
I am writing a short report on the standard features of ES that I can use with little effort. We have Splunk Enterprise 8.0 and have installed ES on it.
I would like to have an SME work a couple of hours per week to assist with Splunk tutoring. Please email me if you are interested. The sessions would be via Google Hangouts.