Is the Splunk App for CJIS (https://splunkbase.splunk.com/app/4442/#/details) certified for Splunk Cloud? Thanks
I have a search that gets events related to procedures from the past week and organizes them into days. I also have a lookup table which holds the values of the procedure names I want to look for. This lookup table data has no date values, unlike my Splunk data, since I want to compare it against every day represented.

Search:

(index=app host=host1 sourcetype=st1) OR (index=chub source=s2) earliest=-1w@w latest=now [| inputlookup chubDashboardProcedures.csv | fields 1.0_Procedures | rename 1.0_Procedures as search | format "" "(" "" ")" "OR" ""]
| fields Procedure_Name, Process_Name, Activity_Code, UpdatedDate
| eval Procedure_Name=coalesce(Process_Name, Procedure_Name)
| eval update=strptime(UpdatedDate, "%Y-%m-%d %H:%M:%S")
| eval Day=relative_time(update, "@d") - if((tonumber(strftime(update, "%H%M")) < 1400), (24*60*60), 0)
| dedup Procedure_Name Day
| append [| inputlookup chubDashboardProcedures.csv | fields 1.0_Procedures, UpdatedDate | rename 1.0_Procedures as Procedure_Name_New | eval from="lookup"]
| stats values(Procedure_Name_New) as lookup_procedures values(from) as from count(Procedure_Name) as fromcount values(Procedure_Name) as Procedure_Name_List values(eval(if(Activity_Code!="2000", Procedure_Name, null()))) as Failures by Day
| mvexpand lookup_procedures
| eval missing=if(match(Procedure_Name_List, lookup_procedures), "SAME", lookup_procedures)
| sort - Day
| eval Success_Percent=round(((Success_Count/Procedure_Count)*100), 2)
| eval Day=strftime(Day, "%F")
| table Procedure_Name_List, lookup_procedures Failures missing

The lookup table values are there and I can compare them to a list of procedures that haven't been grouped into dates, but as soon as I group into dates I can't compare them anymore. I want to display events that are found in the lookup table but not in the events for each day.
All, hopefully I have this in the correct location, I'm still new to all of this. Anyway, we have a subscription to MaxMind databases (Connection-Type, Domain, and ISP databases) and I would like to implement them, but don't know how. I don't know where to store the DBs, how to link them together (if they need to be linked), and how to add them so that I can utilize them in searches. I'm fairly new to Splunk, so feel free to treat me like someone who doesn't know anything. Greatly appreciate your help with this! Kevin
Hi, I have used the ServiceNow add-on to pull in the incident table. We have a custom SNow field called "dv_u_configuration_item__generic_" which hasn't been extracted and also isn't searchable. Is there something about this field name that could cause issues?
Hello, I need help with extracting specific data from logs. I know this has been discussed a few times before, but if anyone has worked on PowerShell logs, you will see that they come with a lot of data. Even doing a simple get-process at the shell gives you information like below (example 1), and scripts and other more complicated commands give a lot more data (example 2). What I want to do is only display the commands that were run. Meaning, extract just the commands in the text below and display them as a table or list in Splunk. How do I do this? I already have a regex that will catch PowerShell's verb-noun combo like this - [a-zA-Z]{3,}-[a-zA-Z]{3,} - this will match any PowerShell command. But how do I extract just the command from a lot of junk and display only PS commands and their switches and values?

Example 1)
Creating Scriptblock text (1 of 1):
get-process -Name explorer.exe
ID: abc1234-8539-44xy-a16d-0492bfbd0d61
Path:

Example 2)
Creating Scriptblock text (1 of 1):
For ($x in $y) {
get-process -Name Explorer.exe
write-host $x
}
ID: abc1234-8539-44xy-a16nn-0492mnod0d61
Path:
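The extraction asked about above, as an added example that is not part of the original post or of any Splunk app: it first carves the script body out of the "Creating Scriptblock text (n of m): ... ID: ... Path:" wrapper, then splits the body into statements (newlines, semicolons, pipes and braces end a command's argument list) and keeps only the Verb-Noun token plus its switches and values, using the poster's own verb-noun pattern. The two sample events are constructed to match the shapes in the post; the function and constant names are the example's own.

```python
import re
from typing import List, Optional

# Constructed sample events shaped like the two examples in the post
# (PowerShell ScriptBlock logging message text). Not captured data.
SAMPLE_EVENTS = [
    "Creating Scriptblock text (1 of 1):\n"
    "get-process -Name explorer.exe\n"
    "ID: abc1234-8539-44xy-a16d-0492bfbd0d61\n"
    "Path: ",
    "Creating Scriptblock text (1 of 1):\n"
    "For ($x in $y) { get-process -Name Explorer.exe\n"
    "write-host $x }\n"
    "ID: abc1234-8539-44xy-a16nn-0492mnod0d61\n"
    "Path: ",
]

# Step 1: carve the script body out of the wrapper text. The body is everything
# between the "Creating Scriptblock text (n of m):" header and the trailing
# "ID: <guid>" / "Path:" footer.
SCRIPTBLOCK_RE = re.compile(
    r"Creating Scriptblock text \(\d+ of \d+\):\s*"
    r"(?P<script>.*?)"
    r"\s*ID:\s*[0-9A-Za-z-]+\s*Path:",
    re.DOTALL,
)

# Step 2: split the body into statements. Newlines, semicolons, pipes and
# braces all terminate a command's argument list.
STATEMENT_SPLIT_RE = re.compile(r"[\r\n;|{}]+")

# Step 3: a command is a Verb-Noun token (the poster's pattern) plus whatever
# follows it to the end of the statement: its switches and values.
COMMAND_RE = re.compile(
    r"(?P<cmdlet>\b[A-Za-z]{3,}-[A-Za-z]{3,}\b)(?P<args>[^\r\n;|{}]*)"
)


def extract_script(event_text: str) -> Optional[str]:
    """Return the raw script text inside a script block event, else None."""
    m = SCRIPTBLOCK_RE.search(event_text)
    return m.group("script") if m else None


def extract_commands(event_text: str) -> List[str]:
    """Return each cmdlet invocation (name plus switches/values), in order.

    Statements without a Verb-Noun token (the For header, assignments, bare
    expressions) are dropped, so only command lines survive.
    """
    script = extract_script(event_text)
    if script is None:
        return []
    commands = []
    for statement in STATEMENT_SPLIT_RE.split(script):
        for m in COMMAND_RE.finditer(statement):
            cmdlet = m.group("cmdlet").lower()          # cmdlet names are case-insensitive
            args = " ".join(m.group("args").split())     # collapse internal whitespace
            commands.append(f"{cmdlet} {args}".strip())
    return commands


def commands_table(events: List[str]) -> List[dict]:
    """One row per extracted command: the shape a Splunk table would show."""
    rows = []
    for i, event in enumerate(events):
        for cmd in extract_commands(event):
            rows.append({"event": i, "command": cmd})
    return rows


if __name__ == "__main__":
    for row in commands_table(SAMPLE_EVENTS):
        print(row)
```

Two caveats worth keeping in mind when turning this into a Splunk extraction: the verb-noun pattern will also hit hyphenated words inside string literals (so a filter against the list of cmdlets actually installed is a useful second pass), and a cmdlet nested inside another command's arguments, such as `Invoke-Expression (Get-Content x)`, stays inside the outer command's argument text rather than appearing as its own row.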
Hello everyone. Currently I have a cluster architecture of Splunk Enterprise 8.0.7: SH cluster + indexer cluster + master node + deployer, all of them on Windows. Now I have to deploy Splunk Security over that architecture. Is that possible? Thanks in advance.
Hi. Some host assignments to groups using the en-US/app/splunk_app_for_nix/settings interface are "unstable", in that the host may be dissociated from that group spontaneously. This behavior *may* correspond to hosts that are not currently online. Has anyone else observed "lost" group associations for some hosts, and perhaps discovered a solution to the problem? Thanks.
Hello, is there any better solution than copying indexes.conf from /etc/master-apps to the deployment server apps in order to use the "Settings/Add data/Forward (data from a Splunk forwarder)" GUI? The copy is just there to get the list of indexes and use the web interface to configure new data to add and deploy to forwarders. Thanks.
Hi, I have extracted data from a database into a summary index which is updated every hour. The database has information that is in the past and the future.

DESCR="TV HD", START_Time="2021-01-10 09:00:00", NAME="Crime Patrol"
DESCR="TV HD", START_Time="2021-01-11 10:00:00", NAME="Fire Patrol"
DESCR="TV HD", START_Time="2021-01-12 09:00:00", NAME="Ambulance Patrol"
DESCR="TV HD", START_Time="2021-01-13 09:00:00", NAME="Crime Patrol"
DESCR="TV HD", START_Time="2021-01-14 09:00:00", NAME="Fire Patrol"
DESCR="TV HD", START_Time="2021-01-15 09:00:00", NAME="Ambulance Patrol"
DESCR="TV HD", START_Time="2021-01-16 09:00:00", NAME="Crime Patrol"

I would like to extract data for the last two days based on START_Time. E.g. today's date is 2021-01-15, returned data:

DESCR="TV HD", START_Time="2021-01-14 09:00:00", NAME="Fire Patrol"
DESCR="TV HD", START_Time="2021-01-15 09:00:00", NAME="Ambulance Patrol"

I have tried to use relative_time/strptime but I am unable to get the time frame correct. My problem is that most solutions require me to eval START_Time to _time using strftime. However, as my data is in a summary index, the above data has multiple time entries in front of it, and to get the latest time I use earliest=-60m@m latest=@m. This causes me issues when modifying _time in a search. I have tried to use this solution as a guide: https://www.splunk.com/en_us/blog/tips-and-tricks/get-time-on-your-side-how-to-sort-by-more-than-one-time-field.html

The time picker is ignored as I am using earliest/latest. I only get details for the last hour; if I change it to earliest=-120m@m latest=@m I get a double line:

2021-01-15 14:25:13.206 DESCR="TV HD", START_Time="2021-01-14 09:00:00", NAME="Fire Patrol"
2021-01-15 13:25:13.206 DESCR="TV HD", START_Time="2021-01-14 09:00:00", NAME="Fire Patrol"

Does anyone have any ideas? Thanks.
Hello, I have some alerts that send an email with the events to me if triggered. I need to create a custom script for the alerts that checks if that Splunk indexer is the indexer that should be receiving events from our application logs. Our application can run in two cities but only one city is active. We actually fail over if necessary to the other city, so only the Splunk indexer in that city will receive events from the application logs. I cannot keep alerts from both indexers active, so the standby city needs to have all its alerts disabled. We fail over manually, which means we have to manually disable alerts on the indexer in the city we are switching from and enable the alerts in the city we are switching to. I need all the alerts enabled at both cities all the time. I need the alerts to do an nslookup of the IP that is active for the application, and if that IP is on that indexer's side then the alert is valid and should email the events to me. If the IP is not on that indexer's side, the alert is a false positive and nothing needs to get emailed. Any help is appreciated.
Index=A sourcetype=B, and I can see under Fields the category field "C" with a count of 10k+ values. But if I search with Index=A sourcetype=B category=C, it shows "No results found". Tried in all the search modes; didn't work. Source is tcp:9997. Can someone please suggest what the issue could be?
Hi everyone, I'm checking the alerts via REST API (/servicesNS/e524067/-/alerts/fired_alerts/-) and what I get is consistent with what is shown in Triggered Alerts view. However, if I do a search index=_audit action=alert_fired, I see the same alerts I get via REST but also some other alerts. I checked the expiration and trigger times, those extra alerts are fairly new and have not expired yet. What is the reason for this inconsistency? Thanks, Krunoslav Ivesic
Hello, I have a little trouble with using the REST API in Splunk via curl and Postman. I have my own Splunk application with a Python script which is available via the link http://splunk:8000/en-US/splunkd/__raw/services/appname/pyscript, and I want to get access to this file via Postman or curl. In the first step, I created a sessionKey - successful. But when I want to use this key in the header "Authorization: Splunk <key>" via POST/GET, then via curl I see "303 see other", and via Postman "Splunk relies on JavaScript to function properly. Please enable JavaScript and then refresh the page to login." Where am I wrong?
Hello! I need to collect some data from PCs that are part of industrial machines. These computers run Windows XP (x86) and 7 (both x86 and x64), which are no longer supported by either Microsoft or Splunk. Also, the organization has deployed Splunk Enterprise version 8.1, that is, I eventually need to get data from these computers into the Splunk server. To summarize, I need installation files of the latest releases of Splunk for:

1. Splunk UF for Windows XP x86
2. Splunk UF for Windows 7 x86
3. Splunk UF for Windows 7 x64
4. Splunk Enterprise (x64) which is compatible with the Windows XP UF (for HF deployment)
5. Splunk Enterprise (x64) which is compatible with the Windows 7 UF (for HF deployment)

Also, I found that Splunk didn't remove installation files from the download site, only the links from the download page. For example, I found the direct download link for the 6.2.0 version, but I don't know for which Windows version it is: https://download.splunk.com/products/splunk/releases/6.2.0/windows/splunk-6.2.0-237341-x64-release.msi

I would be very grateful if someone shares such links or the installation files themselves, because Splunk Support replied that "nothing can help"...
Hi, I would like to ask: 1. Where do I find the log files that are being forwarded from a universal forwarder on the machine installed with Splunk Enterprise?
Hi All, I am new here and got an issue when I tried to connect Cisco AMP.

Infos:
Splunk Enterprise Version: 8.0.3
Cisco AMP for Endpoints Events Input Version: 1.1.8

I have configured Cisco AMP (API host: api.eu.amp.cisco.com, key and ID: correct), Splunk has internet access, and firewall rules are correct. Still, when I try to make a new input I get an error message: "Warning! It appears your configuration is incomplete, so you will not be able to create any inputs. Please update your configuration."

Do you have any idea? (tried the refresh) Thanks, Vestator
Hi All, using the default drilldown, the drilldown would open in a new tab as expected. When I edited the drilldown to make the results more specific, like this:

<drilldown>
  <condition field="community">
    <set token="community_tok">$click.value$</set>
    <eval token="drilldown.earliest">strptime($row._time$,"%Y-%m-%d %H:%M:%S")</eval>
    <eval token="drilldown.latest">strptime($row._time$,"%Y-%m-%d %H:%M:%S") + $row._span$</eval>
    <link target="_blank">search?q="index%3Dtelephony%20community%3d$community_tok$%20%7Ctimechart%20count%20by%20community&amp;earliest=$drilldown.earliest$&amp;latest=$drilldown.latest$"</link>
  </condition>
</drilldown>

the drilldown works as expected but it no longer opens in a new tab. Any ideas, anyone? I am using Splunk Enterprise 8.1.1.
Hi There, I have a search that shows the top 2 IDs that have the most payments processed in each country. I'm trying to make this search give me these results per hour. The search itself works as expected in the below format; I just want the results in an hourly interval instead.

`index` "Payment Status" | rex "status:(?P<status>APPROVED|DECLINED)" | search status=APPROVED OR status=DECLINED | top limit=2 id by country, status

I've tried putting it into a timechart and also using span, but it keeps asking for a function and I don't know how to rewrite the above into hourly spans.
I have the following log:

Number=Test1,Code=DPCA , ErrorMessage= sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'm trying to pull ErrorMessage from the log through regex but in vain. The field is not getting extracted. Below is the regex I'm using. Am I missing something? Please help.

rex "^(?:(?<ErrorMessage>[^,]*),){3}"
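Why the posted regex matches nothing, and a key-anchored alternative, as an added example that is not part of the original post: the pattern `^(?:(?<ErrorMessage>[^,]*),){3}` requires three comma-terminated fields, but the third field (ErrorMessage) runs to the end of the line with no trailing comma, so the whole match fails; and even with a trailing comma a repeated group only keeps its last iteration, which would be the whole `ErrorMessage= ...` field including the key. The second pattern anchors on the key name instead. The log line is constructed from the one in the post; the `classify_tls_failure` mapping of Java exception phrases to causes (PKIX path building failed means the JVM could not chain the server certificate to anything in its truststore) is this example's own addition, and the function names are assumptions.

```python
import re
from typing import Optional

# Constructed log line, shaped like the one in the post (not captured data).
LOG_LINE = (
    "Number=Test1,Code=DPCA , ErrorMessage= sun.security.validator.ValidatorException: "
    "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target"
)

# The posted pattern in Python syntax. Python only accepts (?P<name>...);
# Splunk's rex accepts both (?<name>...) and (?P<name>...).
# Three comma-terminated fields are demanded, but ErrorMessage is last and
# has no trailing comma, so the match fails on the line above.
POSTED_RE = re.compile(r"^(?:(?P<ErrorMessage>[^,]*),){3}")

# Anchor on the key instead of counting commas: tolerate whitespace around
# '=' and take everything up to the next comma or end of line, trailing
# whitespace excluded.
FIXED_RE = re.compile(r"ErrorMessage\s*=\s*(?P<ErrorMessage>[^,]+?)\s*(?:,|$)")

# Common Java TLS validation failures and what they mean operationally.
# This mapping is the example's own; extend it with the phrases seen in your logs.
JAVA_TLS_SIGNATURES = [
    ("PKIX path building failed", "untrusted_chain"),     # CA not in the JVM truststore
    ("PKIX path validation failed", "invalid_chain"),     # chain found but expired/revoked/bad
    ("No subject alternative", "hostname_mismatch"),      # cert not issued for this host
]


def extract_error_message(line: str, pattern: re.Pattern = FIXED_RE) -> Optional[str]:
    """Return the ErrorMessage value from one log line, or None if absent."""
    m = pattern.search(line)
    return m.group("ErrorMessage") if m else None


def classify_tls_failure(message: Optional[str]) -> str:
    """Map an extracted Java exception text to a coarse failure class."""
    if not message:
        return "none"
    for phrase, label in JAVA_TLS_SIGNATURES:
        if phrase in message:
            return label
    return "unclassified"


if __name__ == "__main__":
    print("posted regex:", extract_error_message(LOG_LINE, POSTED_RE))
    msg = extract_error_message(LOG_LINE)
    print("fixed regex: ", msg)
    print("class:       ", classify_tls_failure(msg))
```

The same key-anchored pattern carries straight over to SPL as `| rex "ErrorMessage\s*=\s*(?<ErrorMessage>[^,]+)"`. The failure class matters for the response: an untrusted chain is fixed by importing the issuing CA into the JVM truststore, not by switching certificate validation off in the client.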
Hi there, I am trying to figure out a way to output the results of an alert as a table into an external application, e.g. a ticketing tool which has a "notes" textbox which allows just plain text. At the moment, I just send the raw logs via $result._raw$, but what I want to do is something like:

Query example:

index=main sourcetype=WinEventLog:Security EventID IN (4624,4625) | stats count by _time, user, EventID, host

DESIRED OUTPUT for the external application:

+--------+-------+---------+----------+
| _time  | user  | EventID | host     |
+--------+-------+---------+----------+
| time_1 | alice | 4625    | 10.0.0.5 |
| time_2 | bob   | 4624    | 10.0.0.6 |
| time_3 | tom   | 4624    | 10.0.0.7 |
+--------+-------+---------+----------+

Is this possible? First I thought of mvcombine, but I don't know if such a pattern is possible? Kind regards, ssd
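A way to produce that plain-text grid from a custom alert action, as an added example that is not part of the original post or of any Splunk app. Splunk hands a custom alert action script a JSON payload on stdin whose `results_file` key points at a gzipped CSV of all result rows; `$result.fieldname$` tokens, by contrast, only ever carry the first row. The rendering below reads those rows (or a constructed sample when run without `--execute`), flattens each cell to one printable line so that a newline or control character inside an event field cannot break the table or inject extra lines into the ticket, and pads columns to a fixed width. The sample rows are constructed, and every function name is the example's own.

```python
import csv
import gzip
import io
import json
import re
import sys
from typing import Dict, List, Optional

# Constructed results in the shape the post's stats search would return,
# without the count column, as in the desired output. Not real events.
SAMPLE_CSV = (
    "_time,user,EventID,host\n"
    "2021-01-15 10:00:00,alice,4625,10.0.0.5\n"
    "2021-01-15 10:01:00,bob,4624,10.0.0.6\n"
    "2021-01-15 10:02:00,tom,4624,10.0.0.7\n"
)

CONTROL_CHARS_RE = re.compile(r"[\x00-\x1f\x7f]+")


def clean_cell(value) -> str:
    """Flatten a field value to a single printable line.

    user/host values come from the events themselves; a newline or control
    character in one of them would otherwise break a row or add lines to the
    ticket note.
    """
    return CONTROL_CHARS_RE.sub(" ", str(value)).strip()


def rows_from_csv(text: str) -> List[Dict[str, str]]:
    """Parse CSV text (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def load_alert_results(results_file: str) -> List[Dict[str, str]]:
    """Read the gzipped results CSV that Splunk names in the alert payload."""
    with gzip.open(results_file, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def render_table(rows: List[Dict[str, str]], columns: Optional[List[str]] = None) -> str:
    """Render rows as a fixed-width ASCII grid.

    Column order defaults to the first row's key order (what the CSV gives);
    pass an explicit list to select and order columns, e.g. to drop 'count'.
    """
    if not rows:
        return ""
    columns = list(columns) if columns else list(rows[0].keys())
    cells = [[clean_cell(row.get(c, "")) for c in columns] for row in rows]
    widths = [max(len(c), *(len(r[i]) for r in cells)) for i, c in enumerate(columns)]
    border = "+" + "+".join("-" * (w + 2) for w in widths) + "+"

    def line(values: List[str]) -> str:
        return "| " + " | ".join(v.ljust(w) for v, w in zip(values, widths)) + " |"

    out = [border, line(columns), border]
    out.extend(line(r) for r in cells)
    out.append(border)
    return "\n".join(out)


if __name__ == "__main__":
    if "--execute" in sys.argv:
        # Invoked by Splunk as a custom alert action: payload arrives on stdin.
        payload = json.load(sys.stdin)
        rows = load_alert_results(payload["results_file"])
    else:
        rows = rows_from_csv(SAMPLE_CSV)
    print(render_table(rows, ["_time", "user", "EventID", "host"]))
```

The rendered string is what you would put into the ticketing tool's notes field from the alert action; alignment assumes the notes box displays in a monospace font, which is worth checking before relying on the columns lining up.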