Hello there, I am hearing that there is a limit of 60 use cases that can be used with Cloud Splunk. Is this true? If so, does the same limit apply on Enterprise, or is it different, and if so what is its limit? And can you increase the limits on Cloud if need be, by licensing etc.? Many thanks, Mozza
I have the below Splunk event and need to extract multiple fields from it:

    [TIMESTAMP=2021-02-19 12:16:30.684 UTC] [RUN_ID=] [TRACE_ID=] [STEP=End Processing] [LINE_NO=701] [LOG_LEVEL=TRACE] [MESSAGE=[ppv] [insert] Query completed , total 11 ms: [10 values] INSERT INTO errors (job,run,timestamp,count,alert,error,code,message,completets,active) VALUES (?,?,?,?,?,?,?,?,?,?); [job:'endcustomer--prod', run:'4569876', timestamp:1613736990530, count:200, alert:'failed after launch', error:'', code:'E302: Batch failed', message:'', completets:'', active:false]]

Expected table output:

    job                 run        code
    endcustomer--prod   4569876    E302: Batch failed

I was able to pick out some fields with: run\:\'(?<run>\w+)' (https://regex101.com/r/q7NqQb/1). However, I am unable to extract all three fields above. Any help is appreciated.
I have some forwarders which are sending logs to indexers in other subnets, and I have connected a search head to these indexers. Each event has the host field but not an ip field. I'm looking to resolve the IP addresses of these hosts. I have already found dnslookup, and the metrics (index=_internal component=Metric group=tcpin_connections | stats values(hostname) as host by sourceIp). But there are some problems: dnslookup can't resolve the IP of hosts that are sending to an indexer in another subnet. In the metrics, not all hosts from the logs are present. And in some cases dnslookup resolves the IP and the metrics do not (which is very strange to me). I have spent several dozen hours on this problem (which seems to me should really be the first issue in Splunk administration) and I'm really confused about it. I'm looking for a universal solution, or another solution, for resolving the IP from the host name in events. Thank you for any help.
Is there any reason that some command parameters need uppercase to work while others can use both lower and uppercase? E.g. both of these work:

    | timechart count by index
    | timechart count BY index

Same with these; they work fine:

    | lookup dnslookup clientip as src_ip
    | lookup dnslookup clientip AS src_ip

But this fails:

    index in (test1 test2)

It needs to be uppercase:

    index IN (test1 test2)

This fails:

    cat or dog

It needs to be uppercase:

    cat OR dog

Where do I find a list and the rules on when to use upper/lowercase (IN, OR, AND, BY, AS etc.)?
Hi, we are running a rather large Splunk Enterprise solution with many users and user levels. I do not like that all users can see what apps are installed by going to "Apps > Manage Apps" or "Apps > Find More Apps". Is there any way to remove this menu or hide these entries?
I have two queries and I want to append those two queries, and I need a new column for separation. For example, I got the below result from query 1:

    total   avg   max
    10      15    16

and I got the below result from query 2:

    total   avg   max
    51      50    19

I want to append both queries and get a result like the below:

    Name     total   avg   max
    first    10      15    16
    second   51      50    19

So I want a new column "Name". Could anyone please help with this?
Hi, I have two instances of Asterisk running in my production environment. A third server has a Splunk indexer installed, with Universal Forwarders installed on the two Asterisk servers respectively. The calling system is via SIP trunks and all of the calls land on the Asterisk servers. Now, I would like to monitor the nature of the traffic that is handled by the Asterisk servers, i.e. UDP, TCP or RTP. Is there a way to do so? Any degree of help will be appreciated. Thanks and regards, Hisham
Hi, my requirement is to bring together all the rows which are similar but have different numerical values in them. E.g.:

    Search | stats sum(CountOf_xxx) as "count" sum(CountOf_yyy) as True sum(CountOf_zzz) as False by Platform Environment Tested Rule Severity | sort Tested "Rule"

Using this I am getting repeated rows aligned with the same values in the columns. I tried using values(Platform) as Platform values(Environment) as Environment, but still I am not getting the values in single rows with sum(xxx), sum(yyy), sum(zzz) all aligned in single rows. Can anyone help me with an answer please.
Hi everyone, I have installed the technical add-on for Tenable on my search head and it was working until a few days ago. For a few days I have been getting the following error message:

    Unable to initialize modular input "tenable_securitycenter_mobile" defined in the app "TA-tenable": Introspecting scheme=tenable_securitycenter_mobile: script running failed (exited with code 1)..

Does anyone know what it means? Thank you very much for helping me!
Hi everyone, I have two dropdowns and they are not working in the panels. Can someone guide me on that? Below is my current code.

Dropdown:

<input type="dropdown" token="req" searchWhenChanged="true">
  <label>Request Type</label>
  <choice value="*">All Request_Type</choice>
  <search>
    <query>index=abc sourcetype=xyz source="user.log" process-groups | rex "\)\s+(?&lt;Request_Type&gt;[^ ]+)"|stats count by Request_Type </query>
    <earliest>-60d@d</earliest>
    <latest>now</latest>
  </search>
  <fieldForLabel>Request_Type</fieldForLabel>
  <fieldForValue>Request_Type</fieldForValue>
  <prefix>Request_Type="</prefix>
  <suffix>"</suffix>
  <initialValue>*</initialValue>
  <default>*</default>
</input>
<input type="dropdown" token="usr" searchWhenChanged="true">
  <label>NiFi_Users</label>
  <choice value="*">All Users</choice>
  <search>
    <query>index=abc sourcetype=xyz source="user.log" process-groups | rex "\&lt;(?&lt;Request_User&gt;\w+)\&gt;\&lt;"|stats count by Request_User</query>
    <earliest>-60d@d</earliest>
    <latest>now</latest>
  </search>
  <fieldForLabel>Request_User</fieldForLabel>
  <fieldForValue>Request_User</fieldForValue>
  <prefix>Request_User="</prefix>
  <suffix>"</suffix>
  <initialValue>*</initialValue>
  <default>*</default>
</input>

Panel code, 1st panel:

<panel>
  <chart>
    <title>NiFi_Operations</title>
    <search>
      <query>index=abc sourcetype=uio source="user.log" process-groups |rex "\)\s+(?&lt;Request_Type&gt;[^ ]+)"|chart count(Request_Type) as "Request- Types" by Request_Type |search $req$ $usr$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

2nd panel:

<panel>
  <chart>
    <title>NiFi_Users</title>
    <search>
      <query>index=abc sourcetype=xyz source="user.log" process-groups |rex "\&lt;(?&lt;Request_User&gt;\w+)\&gt;\&lt;"|chart count(Request_User) as "Users" by Request_User|search $usr$ $req$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

I have extracted the fields Request_User and Request_Type.
Can someone guide me why the t  
Hi everyone, I previously had one multiselect which was working fine in the panels. When I change the multiselect to a dropdown it is not working in the panels. Can someone guide me on that? Below is my current code:

<input type="dropdown" token="usr" searchWhenChanged="true">
  <label>NiFi_Users</label>
  <choice value="*">All Users</choice>
  <search>
    <query>index=abc sourcetype=xyz source="user.log" process-groups | rex "\&lt;(?&lt;Request_User&gt;\w+)\&gt;\&lt;"|stats count by Request_User</query>
    <earliest>-60d@d</earliest>
    <latest>now</latest>
  </search>
  <fieldForLabel>Request_User</fieldForLabel>
  <fieldForValue>Request_User</fieldForValue>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <initialValue>*</initialValue>
  <default>*</default>
</input>

Panel code:

<panel>
  <chart>
    <title>NiFi_Users</title>
    <search>
      <query>index=abc sourcetype=xyz source="user.log" process-groups | rex "\&lt;(?&lt;Request_User&gt;\w+)\&gt;\&lt;"|chart count(Request_User) as "Users" by Request_User|search $usr$</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
    </search>

Can someone guide me on what is wrong?
I made a mistake and deleted the default configuration files. The WebUI does not work properly after server restart. What should I do?

Deleted files:

    splunk/etc/apps/SplunkForwarder/*
    splunk/etc/apps/SplunkLightForwarder/*
    splunk/etc/apps/legacy/*
    splunk/etc/apps/sample_app/*
Hello dear community, I am coming to you today regarding the interconnectivity between Cyberwatch and Splunk. Has any of you already done this in a business setting? Regards, Quentin
My scenario is that I am trying to alert in the event where a user has been provisioned to an application but that same user wasn't added to an Active Directory group. So I have the following 2 indexes that provide me the information:

Application access is in "index=myapp"
Active Directory is in "index=ad"

My search for a new user being given access to the application is something such as:

    index=myapp Operation=Creation user_object="user*@mydomain.com"

My search for a user being added to an Active Directory group is:

    index=ad EventCode=4728 Group_Name="myapp_users"

I have tried the following searches that provide me with data, but I can't figure out the next step to show where my objective is met (i.e. where the user didn't get added to the group but was given access to the app).

First search:

    index=myapp Operation=Creation user_object="user*@mydomain.com"
    | dedup RID
    | eval dest_user=split(user_object,"@")
    | eval extracteduser=mvindex(dest_user,0)
    | join type=inner extracteduser
        [search index=ad EventCode=4728
        | rex field=user "^(?<extracteduser>[^\,]+)"
        | eval extracteduser=split(extracteduser,"=")
        | eval extracteduser=mvindex(extracteduser,1)
        | fields Group_Name, extracteduser]

In my example I will get 3 returned results: USERA, which was added to the application AND was added as a member to the AD group; USERB, which was added to the application AND was added as a member to the AD group; and USERC, which was added to the application but NOT added as a member to the AD group (myapp_users). The problem is that in the results that are returned, for the events returned for USERA and USERC, I see:

    Operation=Create user_object=USERA extracteduser=USERA
    Operation=Create user_object=USERB extracteduser=USERA

however for the USERC event, I see:

    Operation=Create user_object=USERC extracteduser=USERA

so I am getting the wrong extracteduser for the USERC event (no doubt because of the join).

I have then abandoned the join and moved to a multisearch.

Second search:

    | multisearch
        [search index=myapp Operation=Creation user_object="user*@mydomain.com" | rename user_object as app_newuser]
        [search index=ad EventCode=4728 Group_Name="myapp_users" | rename user AS adperm_user]
    | rex field=adperm_user "^(?<extracteduser>[^\,]+)"
    | rex field=extracteduser "(?<CNAttrib>CN=(?<ad_user>.+))"
    | eval app_newuser=split(app_newuser,"@")
    | eval app_newuser=mvindex(app_newuser,0)
    | eval app_newuser=lower(app_newuser)
    | eval ad_user=lower(ad_user)

This gives me 2 fields that I now need to compare:

ad_user shows USERA and USERB <-- these users were added to the AD group AND the app
app_newuser shows USERA, USERB, and USERC <-- these 3 users were added to the app

The result that I want in the end is to only show USERC, as that was not a member of the AD group. I have tried using something like the following but come up blank:

    | where NOT app_newuser = ad_user
    | search NOT app_newuser = ad_user

I have probably made this more complicated than it needs to be, but am stuck now.
I have a simple alert set up and it is supposed to trigger when there are no events. But the alert is getting triggered even when I can see results when I run the search manually in the Search app. But when I inspect the job and run the search from under Activity > Triggered Alerts, I do not see any events. How do I rectify this issue? I am searching with earliest=-11m in the alert query and my cron schedule is 4,14,24,34,44,54 * * * *. The alert was created by another user, who has the same privileges as mine, i.e. Admin.
Hi, I have a web UI connection into the Heavy Forwarder over port 8000. Is there a way I can view a list of universal forwarders that are sending to this Heavy Forwarder?
The problem: when running two different queries within one data model that utilize a GeoIP lookup and query the exact same IP address, they each produce a different result. The questions: why is this happening and how do I correct it?

The basic setup consists of a Heavy Forwarder, an Indexer, and a Search Head. The geolocation database has been updated on the Search Head and Indexer. Each server only has one geolocation database. A test data model was created and geolocation fields were created within the data model. The fields were created within the GUI (Data Models > Add Field > Geo IP). I have conducted queries and these fields populate results (queries can be conducted on IPv4 and IPv6 addresses), so I know that the data model and the GeoIP fields work.

The queries and results:

- Address: 2606:2e00:8003:1b::1f42
- Query #1 (Australia is the result):
      | tstats count AS Unique_IPs FROM datamodel="test" BY test.test_City test.test_Country
- Query #2 (United States is the result):
      | datamodel test search | where src_ip="2606:2e00:8003:1b::1f42" | table src_ip test_City test_Country
The current Duo-Splunk connector suggests that it can be used for Splunk running v7 and v8. However, when running the app from Splunk v7, the script does not seem to run as expected because the six.py version is 1.9.0 and the module expects 1.12 to run. Any input on how this can be addressed?
Hello all, I have created a dashboard with two panels. The first panel runs a search (query below) for time-window-1 and the second panel runs the same search for time-window-2. Both time windows are customizable on the dashboard and passed as parameters to the query as shown below.

    index=dev sourcetype!=warn component AND errormessage earliest=$field1.earliest$ latest=$field1.latest$ | dedup errormessage,component

Currently each panel displays the unique results in the respective time window. I want the dashboard to compare the results of time-window-1 and time-window-2 and display:
1. The unique results that are present in time-window-1 and NOT in time-window-2
2. The unique results that are present in time-window-2 and NOT in time-window-1

Please help.
Hello, I have a savedsearches.conf deployed via a TA on Splunk. The conf has ~90-100 searches in it. I would like to count the number of events generated per search query over a given period of time. Could someone kindly help me with a Splunk query to do this? I've been trying for a while now. Thank you!