All Topics

Hello colleagues! Have any of you integrated Cisco Talos as an intelligence source for Splunk Enterprise Security? Can you tell me the best way to do this?
Looking for props.conf / transforms.conf configuration guidance. The aim is to search logs from a HTTP Event Collector the same way we search for regular logs. Don't want to search JSON in the search heads.

We're in the process of migrating from Splunk Forwarders to logging-operator in k8s. Thing is, Splunk Forwarder uses log files and standard indexer discovery whereas logging-operator uses stdout/stderr and must output to an HEC endpoint, meaning the logs arrive as JSON at the heavy forwarder. We want to use Splunk the same way we did over the years and want to avoid adapting alerts/dashboards etc. to the new JSON source.

OLD CONFIG AIMED AT THE INDEXERS (using the following config we get environment/site/node/team/pod as search-time extraction fields):

[vm.container.meta]
# source: /data/nodes/env1/site1/host1/logs/team1/env1/pod_name/localhost_access_log.log
CLEAN_KEYS = 0
REGEX = \/.*\/.*\/(.*)\/(.*)\/(.*)\/.*\/(.*)\/.*\/(.*)\/
FORMAT = environment::$1 site::$2 node::$3 team::$4 pod::$5
SOURCE_KEY = MetaData:Source
WRITE_META = true

SAMPLE LOG USING logging-operator:

{
  "log": "ts=2024-10-15T15:22:44.548Z caller=scrape.go:1353 level=debug component=\"scrape manager\" scrape_pool=kubernetes-pods target=http://1.1.1.1:8050/_api/metrics msg=\"Scrape failed\" err=\"Get \\\"http://1.1.1.1:8050/_api/metrics\\\": dial tcp 1.1.1.1:8050: connect: connection refused\"\n",
  "stream": "stderr",
  "time": "2024-10-15T15:22:44.548801729Z",
  "environment": "env1",
  "node": "host1",
  "pod": "pod_name",
  "site": "site1",
  "team": "team1"
}
I just started a Free trial and it's already horrible. For 30 mins I'm running around in circles trying to figure out how to add data as per your docs: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/SearchTutorial/Systemrequirements . I didn't get any link to Splunk web and the profile page is useless. At some point I got to a different part (splunk.my.site.com) but not only was it as useless, but also how the F did I even get there? All I see is 'You have no active instances at this time.'
Query is to retrieve failed test cases matching an exception message. Out of 6 failed test cases, one test has an exception and the rest of them are skipped with the message 'Test was skipped'. Below is the data of one event.

{
  "suite_build_id": "20241015.12",
  "suite_build_name": "pipeline_name",
  "unit_test_name_failed": [
    {
      "message": "Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance.",
      "test_rail_name": "test_printer_order_placement_magento",
      "test_result": "fail"
    },
    {
      "message": "Test was skipped",
      "test_rail_name": "test_updation_of_access_token"
    },
    {
      "message": "Test was skipped",
      "test_name": "test_printer_and_user_details",
      "test_rail_name": "test_printer_and_user_details"
    }
  ]
}

Now, I want to display a result showing test_rail_name and exception_message for the entry that matches the exception. Below is the query that I tried.

index="eqt-e2e" suite_build_name="pipeline-name" suite_build_number="20241015.12"
| mvexpand unit_test_name_failed{}.message
| mvexpand unit_test_name_failed{}.test_rail_name
| search unit_test_name_failed{}.message="Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance."
| table suite_build_number, suite_build_start_time, unit_test_name_failed{}.test_rail_name, unit_test_name_failed{}.message
| rename suite_build_number AS "Pipeline Number", suite_build_start_time AS "Pipeline Date", unit_test_name_failed{}.test_rail_name AS "Test Name", unit_test_name_failed{}.message AS "Exception Message"

In the result, it should have been 1 event, but it retrieves 6 events. I understand mvexpand works only on one multivalue field, and here I have 2 multivalue fields. Let me know if there is any solution for retrieving the data.
Hello Splunkers,

I'm working on developing an app that requires making REST API calls to Splunk in order to gather information about saved searches, knowledge objects, and more. Could you please advise on the most secure method for authorization and authentication? Does the REST API support MFA, or are there other mechanisms available, with or without SAML? Is token generation the only secure way to make these API calls, or are there alternative methods?

Thanks
Manish Kumar
Hi, I have the query below. I want to group and count by two different words, one group per word, in a field "text1.value"; the words Load Balancer and Endpoints are located somewhere in a string. Also I want to count how many of them occurred per day. Is this possible?

index=monitor name="Manager - Error" text2.value="*Rerun" text1.value="*Load Balancer*" OR "*Endpoints*"
Hi Splunkers, I received a notice about upgrading jQuery to version 3.5 or higher, and I ran a jQuery scan through the Upgrade Readiness dashboard. The incompatibility issue is coming from my custom app.

The file in question: C:\Program Files\Splunk\etc\apps\custom_app\appserver\static\help\en-GB\jquery.js needs to be updated.

Remediation (suggested by the dashboard): The jQuery 1.11.1 bundled with the app introduces vulnerabilities. Splunk apps must use jQuery 3.5 or higher, as lower versions are no longer supported in Splunk Cloud Platform.

What I've done so far: I downloaded the new jQuery.js file from jquery.com, renamed it, replaced the file in the specified path and restarted Splunk, but this hasn't resolved the upgrade issue. I'm unsure of the next steps and would appreciate any guidance or suggestions. Thanks!

Upgrade Readiness App
Currently I have a Splunk Indexer with multiple Indexes and a Search Head. I would like to have one or two indexes available on two Splunk indexers, and the data should be accessible from the Search Head via both indexers. Thanks
I'm trying to update the Splunklib version in our app because it currently uses an older version that doesn't comply with Splunk's new App Inspect rules. After updating and validating the app, I encountered an "unknown error" when attempting to upload the new version to Splunkbase, despite the validation process not showing any errors or failures. Please refer to the image below. What could be causing this issue?
I have JSON data which is multivalued. I want to create an overview table of the counts.

{
  "suite": [
    {
      "hostname": "localhost",
      "failures": 0,
      "package": "ABC",
      "tests": 0,
      "name": "ABC_test",
      "id": 0,
      "time": 0,
      "errors": 0,
      "testcase": [
        { "classname": "xyz", "name": "foo1", "time": 0, "status": "Passed" },
        { "classname": "pqr", "name": "foo2", "time": 0, "status": "Passed" },
        . . .
      ]
    }
  ]
}

This is the data. For a given project there'll be many JSON files like the above. So I want to get the unique data while taking the counts. I tried with mvdedup; it did not work.

| spath output=jenkins_url path=JenkinsMetaData.JENKINS_URL
| spath output=suite path=suite{}.name
| spath output=case path=suite{}.case{}.name
| spath output=Build_Num path=JenkinsMetaData.buildnumber
| spath output=Status path=suite{}.case{}.status
| fields - _raw
| eventstats max(Build_Num) as Latest_Build by Job_Name
| where Latest_Build=Build_Num
| stats values(Build_Num) as Build_Num count(eval(Status="Execution Failed" OR Status="Testcase_Failed")) AS Failed_cases, count(eval(Status="Passed")) AS Passed_cases, count(eval(Status="Failed" OR Status="Testcase_Error")) AS Execution_Failed_cases, dc(case) as Total_cases dc(suite) as "Total suite" by Job_Name Build_Variant Jenkins_Server

When I do this, Total_cases and Total suite are correct, but the other values are not correct. But when I use

| Status="Passed" | stats dc(case) as Passed_cases

for one project, I'm getting the correct value. My requirement is to create a table for all the projects. Does anyone know how to handle this?
Hi Team,

Is it possible to use the output value of the base query as the dropdown values in the input panel?

Example:

<search id="base">
  <!-- Master query which will be used in all the Panels -->
  <query>index=ABC | eval fieldA = If (fieldB = "ABC" , fieldB , fieldA )</query>

I want to use the value of fieldA in the dropdown of the input POH_Group. The query below is not working and I am not getting the values of fieldA in the dropdown of POH_Group:

<input type="dropdown" token="POH_tokenD" searchWhenChanged="true">
  <label>POH_Group</label>
  <prefix>POH_Group1="</prefix>
  <suffix>"</suffix>
  <fieldForLabel>POH_Group1</fieldForLabel>
  <fieldForValue>POH_Group1</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <query> | dedup fieldA | table fieldA </query>

Can you please help to fix this issue.
Getting the error below:

Invalid key in stanza [proofpoint_digital_risk_audit_input://Digital_Risk_Data_Input] in /opt/splunk/etc/apps/TA-proofpoint-digital-risk-app-for-splunk/local/inputs.conf, line 2: token (value: xyznkbejrfhrekfjrltjgltrkgltrkgtkhgythytlhmylth).
Hi Team, I am trying to integrate Jenkins/CloudBees with Splunk using the Splunk plugin. But I do not want to store the HEC_TOKEN as plain text or a hard-coded value in the Splunk configuration under Manage Jenkins --> System --> Splunk for Jenkins Configuration. I am trying to store it as a credential or environment variable and then use it in the Jenkinsfile, but it does not work. Is there any workaround for this? Please let me know. Thanks.
I'm trying to calculate the minute difference between two times and get an empty field.

.........base search here.........
| end_time = 2024-09-24 08:17:13.014337+00:00
| eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S")
| eval _time = now()
| eval time_epoch = strptime(time_epoch, "%Y:%m:%d %H:%M:%S")
| eval diff = (time_epoch-end_time)/60
Greetings, Please help!! I need to extract the ID value from the two events below, and I'm kinda banging my head here. I just need to list Q123456789 and each ID in my dashboard. But I can't get past all of the special characters. I've tried using different combinations like this:

| eval msg="the event" | rex "msg =(?< policyId >\w+)" | table policyId

But what I would really like to have is something like this in my dashboard:

Starting Controller Q123456789
CallStatus=Success Q123456789
Starting Controller Q123456788
CallStatus=Success Q123456788
Starting Controller Q123456787
CallStatus=Success Q123456787

And so on. Is this possible? Your help is always appreciated. Thanks

Starting Controller=Fall Action=GetFallReportAssessment data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}

API=/api/Fall/reportAssessment/ CallStatus=Success Controller=Fall Action=GetFallReportAssessment Duration=27 data={"policyId":"Q123456789","inceptionDate":"20250501","postDate":"1900-01-01T12:00:00"}
Hi Team, I hope this email finds you well. I am currently working on a task to monitor long-running Apex classes in Salesforce and would like to write a query to help track these. Could you please suggest the best approach or share a sample query that would assist in identifying and monitoring these classes effectively? Your guidance on this matter would be greatly appreciated. Thank you for your support. Regards
Hello, I'm just trying to learn SPL and am currently trying to find all sessions with login and logout requests, identified by the SESSION_ID field. So basically I'm trying to find all SESSION_ID values where within the session the user performs a login and logout operation. Coming from the relational database world, my first step was to write some sort of join operation but I quickly found out that joins are not the best thing to do in Splunk.

This is what I tried:

index=allsessions "*login*" | join type=inner left=L right=R where L.SESSION_ID=R.SESSION_ID [search index=allsessions "*logout*"]

Can someone help me write a better query for the above problem? Thanks!
Hi All,

I am trying to find out Server Up time & Downtime or offline. However, I am using the command below and I am not getting what I want:

| mstats max(System.System_Up_Time) AS "Uptime" WHERE index="permon_metrics" host=system1* BY host span=1m
| dedup host
| rex field=host "\w{6}(?<function_abbr>\w{4})"
| search function_abbr=ADDS
| sort Uptime asc
| eval Uptime = round((now() - _time) / (60 * 60), 1)
| search Uptime="4.0"

I would like to see the output in a single tile like HH:MM:SS
Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance program is shaping the next generation of cybersecurity professionals by providing students with hands-on training and industry-recognized certifications at no cost. Through a combination of Splunk product donations, eLearning resources, and real-world lab environments, universities are equipping students with in-demand skills that will prepare them for exciting IT and data careers. From foundational learning to advanced live instruction and SOC challenges, the program helps students gain the experience and expertise they need to thrive in the workforce.

Read Carol's full blog on Splunk Blogs to learn more.

For our Splunk community, this means that your future colleagues and employees entering the field will be well-versed in the Splunk platform and ready to take on the cybersecurity challenges of tomorrow. By offering equitable access to these resources, the Academic Alliance is not only addressing the growing need for cybersecurity professionals but also ensuring that these future hires bring a deep understanding of data analytics, security operations, and threat prevention—skills critical to the success of any modern organization. Thanks for supporting the amazing work Splunk is doing to support our learners.

-Callie Skokos on behalf of the Splunk Education Crew
Looking for the best/easiest way to retrieve or reconstruct a Splunk URL to an event retrieved using Python, to then paste into a browser and view the event through the web UI. Thanks!