Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I'd like to pull a logon report that shows me any logon activity that is != the United States. Any help is greatly appreciated.
I am working on an app which stores an API key in passwords.conf in encrypted form using setup.xml. But now I want to make the app cloud compatible and I need to remove setup.xml. So, I have implemented a setup view page for app configuration where the user will provide the API key. Now I have no idea how to store that key encrypted without setup.xml. I have used this link for the setup view implementation, which is JavaScript based: https://github.com/splunk/splunk-app-examples/tree/master/setup_pages/developer_guidance_setup_page Any help/guidance would be appreciated.
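The mechanism setup.xml used under the hood is the storage/passwords REST endpoint, and a setup view can call it directly: the entry is written to passwords.conf encrypted with splunk.secret, which is what Splunk Cloud's app vetting expects. The helper below is an added example, not code from the post or from Splunk's sample app. It assumes the standard /servicesNS/nobody/<app>/storage/passwords endpoint and a session key supplied by the caller (in a browser-side setup page that is the user's own session via splunkjs; in a modular input it is the key Splunk passes on stdin when passAuth is set). APP_NAME, REALM and the sample values are hypothetical. Two caveats a practitioner should check first: writing to storage/passwords needs the admin_all_objects capability and reading it back needs list_storage_passwords, and a repeat POST to the collection returns 409, so rotation goes to the entry URL instead.

```python
"""Store a setup-page secret in Splunk's encrypted credential store (storage/passwords).

Added example; not from the original post or from Splunk's setup-page sample.
Assumes the standard REST endpoint /servicesNS/nobody/<app>/storage/passwords
and a session key obtained by the caller. APP_NAME, REALM and the sample
values are hypothetical.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

APP_NAME = "my_cloud_app"      # hypothetical app name
REALM = "my_cloud_app_realm"   # hypothetical realm: namespaces the key per app


def credential_entry_name(realm, username):
    """Splunk names each stored credential '<realm>:<username>:' (trailing colon included)."""
    return f"{realm}:{username}:"


def credential_url(base_url, app, realm=None, username=None):
    """Collection URL for creating an entry, or the entry URL when realm/username are given."""
    url = f"{base_url.rstrip('/')}/servicesNS/nobody/{app}/storage/passwords"
    if realm is not None and username is not None:
        # Colons in the entry name are percent-encoded in the path.
        url += "/" + urllib.parse.quote(credential_entry_name(realm, username), safe="")
    return url


def create_body(realm, username, secret):
    """Form body for POST to the collection: creates the entry."""
    return urllib.parse.urlencode(
        {"name": username, "realm": realm, "password": secret}).encode()


def update_body(secret):
    """Form body for POST to an existing entry: rotates the secret in place."""
    return urllib.parse.urlencode({"password": secret}).encode()


def _post(url, session_key, body, verify_tls=True):
    req = urllib.request.Request(url + "?output_mode=json", data=body, method="POST")
    req.add_header("Authorization", f"Splunk {session_key}")
    # Only disable verification against a self-signed dev instance, never in production.
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


def store_api_key(base_url, session_key, secret, app=APP_NAME, realm=REALM,
                  username="api_key", verify_tls=True):
    """Create the credential, or overwrite it if it already exists (Splunk answers 409)."""
    try:
        return _post(credential_url(base_url, app), session_key,
                     create_body(realm, username, secret), verify_tls)
    except urllib.error.HTTPError as err:
        if err.code != 409:
            raise
        return _post(credential_url(base_url, app, realm, username), session_key,
                     update_body(secret), verify_tls)


def clear_password_from_response(raw_json):
    """Read the decrypted secret back from a GET on the entry (output_mode=json)."""
    entry = json.loads(raw_json)["entry"][0]
    return entry["content"]["clear_password"]
```

The secret never lands in a .conf file in the clear: the entry is only readable through the endpoint by a role that holds list_storage_passwords, and the realm keeps this app's key apart from credentials other apps store under the same username.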
Need some help with an advanced join of 3 queries. I have three queries that produce tables, and I need to combine the results into one table. The first query will produce a table with 10 fields with a count for each; the other two only produce one field with a count, but I want all the results to display in one table.

Table 1:
{My Search Criteria} PassedResult=0 | stats count by riskcheckName | sort count desc

Table 2:
{My Search Criteria} PassedResult=0 Golden_Key_Failed=Failed | stats count by Golden_Key_Failed | replace Failed WITH "Risk Score Fail" IN Golden_Key_Failed

Table 3:
{My Search Criteria} PassedIAM=0 SN_Does_Not_Exist=Failed | stats count by SN_Does_Not_Exist | replace Failed WITH "SN Does Not Exist" IN SN_Does_Not_Exist

Thanks for any help.
I have a problem using the Splunk Logging Driver for Docker. The Java application within the container produces messages to stdout and stderr with a different level of detail for different audiences. In Splunk, however, all received messages are labeled with source=stdout. Ideally I would like to get the source tag correct as used by the Java app and then use it to differentiate between both types of logs in Splunk queries. Is there something I can do to get the correct source?

Splunk log driver configuration in docker-compose:

logging:
  driver: splunk
  options:
    splunk-url: https://splunkhf:8088
    splunk-token: [TOKEN]
    splunk-index: splunk_index
    splunk-insecureskipverify: "true"
    splunk-sourcetype: log4j
    splunk-format: "json"
    tag: "{{.Name}}/{{.ID}}"

Example log message sent to Splunk:

{
  line: 2021-01-12 11:37:49,191;10718;INFO ;[Thread-1];Logger; ;Executed all shutdown events.
  source: stdout
  tag: service_95f2bac29286/582385192fde
}
Hi, I am new to Splunk Cloud. We're collecting some pfSense logs on a dedicated syslog server and Splunk Cloud is receiving those logs, but they are not parsed properly. I have read a couple of articles but nothing specific to Splunk Cloud. Any ideas on how they can be parsed on Splunk Cloud? Here are the sample logs.
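The post shows no sample lines, so as an added example (not from the post) here is the field layout of pfSense's filterlog format, which is what a props/transforms REPORT in a private app (or the pfSense TA) has to express before the Network_Traffic data model can use the events. The sample lines are constructed and follow the filterlog field order pfSense documents for release 2.2 and later; the field names are my own, chosen to match the CIM Network_Traffic fields (action, src, dest, dest_port, transport). The point to notice is that the header is fixed but the tail depends on two earlier fields, IP version and transport, which is why a single flat CSV extraction leaves TCP, UDP and ICMP events mislabelled.

```python
"""Parse pfSense filterlog syslog lines (the firewall's comma-separated log format).

Added example; not from the original post (which shows no sample lines). The
sample lines are constructed and follow the filterlog field order pfSense
documents for release 2.2 and later; the field names are my own and line up
with the Splunk CIM Network_Traffic fields (action, src, dest, dest_port, transport).
"""
import re

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LINES = [
    "<134>Jan 12 11:37:49 fw01 filterlog: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,49153,22,0,S,123456789,,65535,,mss;sackOK;TS;nop;wscale",
    "<134>Jan 12 11:37:50 fw01 filterlog: 100,,,1000000105,igb1,match,pass,out,4,"
    "0x0,,63,0,0,none,17,udp,76,198.51.100.5,203.0.113.53,51234,53,56",
    "<134>Jan 12 11:37:51 fw01 filterlog: 7,,,1000000107,igb0,match,block,in,4,"
    "0x0,,58,0,0,none,1,icmp,84,192.0.2.77,198.51.100.5,request,4711,1",
]

_COMMON = ["rule_number", "sub_rule", "anchor", "tracker", "interface",
           "reason", "action", "direction", "ip_version"]
_IPV4 = ["tos", "ecn", "ttl", "packet_id", "offset", "flags", "proto_id", "transport"]
_IPV6 = ["traffic_class", "flow_label", "hop_limit", "transport", "proto_id"]
_TCP = ["src_port", "dest_port", "data_length", "tcp_flags", "seq", "ack",
        "window", "urg", "options"]
_UDP = ["src_port", "dest_port", "data_length"]

_HEADER = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"filterlog(?:\[\d+\])?: (?P<csv>.*)$")


def parse_filterlog(line):
    """Return a dict of named fields, or None if the line is not a filterlog event."""
    m = _HEADER.match(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    event = {"host": m.group("host"), "timestamp": m.group("ts")}
    event.update(zip(_COMMON, fields))
    rest = fields[len(_COMMON):]
    # The IP-version field decides which header block follows.
    if event.get("ip_version") == "4":
        event.update(zip(_IPV4, rest))
        rest = rest[len(_IPV4):]
    elif event.get("ip_version") == "6":
        event.update(zip(_IPV6, rest))
        rest = rest[len(_IPV6):]
    else:
        return event
    if len(rest) < 3:
        return event
    event["length"], event["src"], event["dest"] = rest[:3]
    rest = rest[3:]
    # The transport field decides the layout of the tail.
    transport = event.get("transport", "").lower()
    if transport == "tcp":
        event.update(zip(_TCP, rest))
    elif transport == "udp":
        event.update(zip(_UDP, rest))
    elif transport.startswith("icmp"):
        event["icmp_type"] = rest[0] if rest else ""
    return event


def blocked_inbound(lines):
    """The usual first report: blocked inbound traffic counted by (src, dest, dest_port)."""
    hits = {}
    for line in lines:
        ev = parse_filterlog(line)
        if ev and ev.get("action") == "block" and ev.get("direction") == "in":
            key = (ev.get("src"), ev.get("dest"), ev.get("dest_port", ev.get("icmp_type", "")))
            hits[key] = hits.get(key, 0) + 1
    return hits
```

On Splunk Cloud the same split is done by the sourcetype's extractions, so the practical check is to run a few raw events through the rule in a private app, confirm action, src, dest and dest_port populate for all three transports, and only then tag the sourcetype for the CIM data model.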
Hello, I'm trying to count the number of events of each alert. The alerts are saved in a lookup file which looks like this:

creation_time eventtype kv_key max_time min_time status tail_id uuids
1580820272 csm-cbb 5f401 1580820272 1578293527 Open N8 7fd5b533

When I'm running this query I'm getting "no results found":

| inputlookup kv_alerts_prod | eval kv_key=_key | convert ctime(creation_time) AS _time | timechart span=1d count by _key

What am I missing? Thanks
I have a query like below:

bla bla ... | lookup mylookupfile.csv Hostname as Name output Status Creation_Date | eval Status=mvdedup(Status) | eval Creation_Date=mvindex(Creation_Date,-1) | then rest of my query

Here the issue happens when, while matching on the Hostname, I get two Status values. So the above query gives me output where:
1) I am getting the Creation_Date field as the latest date only
2) But for Status I am receiving both Active and Destroyed
I want to get in the Status field only the corresponding value of Status for the latest Creation_Date. How can I do that?
Hi, after several updates of some Splunkbase apps and after a restart of my search head, I get this error:

Invalid key in stanza [lookup_watcher] in /opt/splunk/etc/apps/SplunkAdmins/default/inputs.conf, line 2: python.version (value: python3).
Invalid key in stanza [sendresults_alert] in /opt/splunk/etc/apps/sendresults/default/alert_actions.conf, line 7: python.version (value: python3).
Invalid key in stanza [slack] in /opt/splunk/etc/apps/slack_alerts/default/alert_actions.conf, line 6: python.version (value: python3).
Invalid key in stanza [script://$SPLUNK_HOME/etc/apps/splunk-dashboard-app/bin/save_image_and_icon_on_install.py] in /opt/splunk/etc/apps/splunk-dashboard-app/default/inputs.conf, line 4: python.version (value: python3).

I am on 7.3.4 and before updating, I checked the compatibility version with both 7.3 and 8.x because I am about to upgrade my platform to an 8.x version. Will this message (python3) block the functionality of the apps updated on the 7.3.4 Splunk version? Thank you.
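python.version is a setting introduced with the Python 2/3 dual runtime in Splunk Enterprise 8.0, which is why a 7.3 instance reports it as an invalid key. Before the upgrade it is worth knowing every app and stanza that carries it, so each can be checked against the compatibility the vendor states. The scanner below is an added example, not from the post; the conf texts are constructed from the stanzas in the error output and the third app is made up to show a clean result.

```python
"""Find every python.version setting under an apps directory before an upgrade.

Added example; not from the original post. python.version is a Splunk 8.0
setting, which is why 7.3 reports it as an invalid key; this scanner lists
where it appears so each app can be checked against its stated 7.3/8.x
compatibility. The conf texts below are constructed from the poster's error output.
"""
import pathlib
import re

SAMPLE_CONFS = {
    "SplunkAdmins/default/inputs.conf":
        "[lookup_watcher]\npython.version = python3\ninterval = 3600\n",
    "sendresults/default/alert_actions.conf":
        "[sendresults_alert]\nis_custom = 1\npython.version = python3\n",
    # made-up app without the key: nothing to report
    "my_old_app/default/inputs.conf":
        "[script://./bin/collect.py]\ninterval = 60\n",
}

_STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_SETTING = re.compile(r"^(?P<key>[^#=\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}; comments and blank lines ignored."""
    stanzas, current = {}, None
    for line in text.splitlines():
        s = _STANZA.match(line)
        if s:
            current = s.group("name")
            stanzas.setdefault(current, {})
            continue
        k = _SETTING.match(line)
        if k and current is not None:
            stanzas[current][k.group("key")] = k.group("value")
    return stanzas


def python_version_settings(confs):
    """Return (path, stanza, value) for every python.version key, sorted by path."""
    found = []
    for path, text in confs.items():
        for stanza, settings in parse_conf(text).items():
            if "python.version" in settings:
                found.append((path, stanza, settings["python.version"]))
    return sorted(found)


def scan_apps(apps_dir):
    """Read every *.conf under $SPLUNK_HOME/etc/apps (default and local) and report."""
    root = pathlib.Path(apps_dir)
    confs = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*.conf")}
    return python_version_settings(confs)
```

Run scan_apps("/opt/splunk/etc/apps") on the search head; it covers local/ as well as default/, which the restart warnings do not list if nothing in local/ carries the key.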
Hello, our architecture in production was created years ago; we have the Deployment Server and Cluster Master on the same machine (Linux VM) running Splunk Enterprise 7.3.4 fine. Is there any specific risk in keeping this architecture if we migrate to Splunk 8? Thanks for your help.
Hi All, please help in extracting the below logs as per the conditions stated.

key1=value1,key2=value2\,key 3=value3\,value4\,value5\,value6\,key4={key5=value5\,key6= value6\,},key7=val10(key8=val11\,key9=val12),key20=val20

I have a log of the above format. I want to extract key value pairs without the backslash. Also, key 3=value3\,value4\,value5\,value6\, is a multivalue field and should be extracted as:
key 3=value3,value4,value5,value6
and key4={key5=value5\,key6= value6\,}, is a JSON object which should be extracted as:
key5=value5, key6=value6 (i.e. key4={ should not be extracted)
and key7=val10(key8=val11\,key9=val12) should be extracted individually as:
key7=val10, key8=val11, key9=val12
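The format is ambiguous on its face: `\,` separates key2 from key 3 but also separates the values of key 3, so no single regex will do it. The tokenizer below is an added example, not from the post, and it encodes exactly the rules the required output implies: `,` and `\,` both split tokens; a token containing `=` starts a new field; a token without `=` continues the previous field as another multivalue; `{`, `}`, `(` and `)` only wrap nested pairs, so the wrapper key (key4={) is dropped while the pairs inside become fields of their own. In Splunk the same rules translate into a rex with max_match=0 on the separator followed by mvexpand, but the Python makes the rule set visible and testable on the one sample line.

```python
"""Extract key=value pairs from the escaped, nested log format in the question.

Added example; not from the original post. The rules encode the output the
poster asked for: ',' and '\\,' both separate tokens, a token containing '='
starts a new field, a token without '=' continues the previous field as a
multivalue, and '{', '}', '(' and ')' only wrap nested pairs, so the wrapper
key (key4={) is dropped while the inner pairs become fields of their own.
"""
import re

# The line from the question, as a raw string so the backslashes survive.
SAMPLE = (r"key1=value1,key2=value2\,key 3=value3\,value4\,value5\,value6\,"
          r"key4={key5=value5\,key6= value6\,},key7=val10(key8=val11\,key9=val12),key20=val20")

_SEP = re.compile(r"\\?,")         # ',' or '\,'
_BRACKETS = re.compile(r"[{}()]")  # nesting characters act as further separators


def parse_escaped_kv(text):
    """Return {field: [values]}; single-valued fields are one-element lists."""
    pairs = {}
    current = None
    for chunk in _SEP.split(text):
        for token in _BRACKETS.split(chunk):
            token = token.strip()
            if not token:
                continue
            if "=" in token:
                key, _, value = token.partition("=")
                key, value = key.strip(), value.strip()
                if not value:
                    # 'key4=' is only a container for the pairs that follow
                    current = None
                    continue
                current = key
                pairs.setdefault(key, []).append(value)
            elif current is not None:
                pairs[current].append(token)   # continuation of a multivalue field
    return pairs


def format_pairs(pairs):
    """Render each field the way the poster wants it: 'key 3=value3,value4,...'."""
    return {key: ",".join(values) for key, values in pairs.items()}
```

One consequence of the rules worth knowing before relying on them: a genuine value that happens to contain `=` would be read as a new field, so if the producer can emit such values the escaping convention needs to distinguish them.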
Some context here: when I go to the ESCU app and filter down the analytic stories based on CIS control 4, it shows me 6 stories, all of which specifically address a certain use case. But I am having trouble understanding how a use case is relevant to the CIS 4 control. Take, for example, Spectre And Meltdown Vulnerabilities, which maps to control 4. The only relevant sub-controls under 4 that can be detected using ES I found were: Log and Alert on Changes to Administrative Group Membership and Log and Alert on Unsuccessful Administrative Account Login. Can anyone please help me understand how the analytic story is relevant to
If I provisioned a Splunk Cloud instance which is managed by the Splunk team, do I still have backend access to the server? If not, what is the proce
I'm trying to understand the functionality of keepevicted. I've read several pieces of documentation about it but it's still not clear. I've made a search with transaction. Without keepevicted I get 54 events, with keepevicted 62. I've searched for the difference and found one with, let's say, the text "abc". When I add "abc" to the search (in the first line with index=...) without keepevicted, the event is returned. I don't understand why that is. Can someone explain?

The search is something like this:

index=main sourcetype="src_type1" *abc* earliest=1610441880 latest=1610445533.859
| eval tmpId=if(len(bi_Id)>0,bi_Id,if(len(bo_id)>0,bo_id,be_Id))
| transaction maxspan=5s tmpId
| rex field=que1 "\{(?<cliber>.*)\}"
| rex field=que2 "\{(?<serber>.*)\}"
| stats count as Aantal by cliber
Hi all, need your help in splitting the panels into 2 halves. Attaching 2 pictures.
1. The first one is the current panel structure I am using. [Image: Current Panel design]
2. The second one is what we are looking for. [Image: Expected Panel design]
Quite often I see this warning from dashboard panels. I have no clue what happened with the following message. The search peers didn't look busy at all. Can someone give any advice? Thanks!!

DistributedPeerManager - Unable to distribute to peer named x.x.x.x:8089 at uri=x.x.x.x:8089 using the uri-scheme=https because peer has status=Down. Verify uri-scheme, connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. See the Troubleshooting Manual for more information.

I read this manual but still can't find any obvious delay/disconnect: https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/authtimeout
Hi All, recently I installed MISP42Splunk in my environment in order to integrate MISP with Splunk. Below is the workflow on how I tried to do this.
1. Pull IOCs from MISP and outputlookup to a CSV.
2. Use SPL to format the CSV.
3. outputlookup to xxx_intel like ip_intel, email_intel.
But it seems like the "threat - gen" search didn't use the updated IOCs. May I know if I am doing anything wrong, and how to do it correctly? Thanks.
Here is the sample log, and I need to check which modelId is having most of the errors using rex and stats count:

####<Jan 11, 2021 11:17:52.338 PM PST> <ERROR> <myapp.main.catalog.store.trxn.OrderResponseValidator> <bus-ser15> <bus-ser1515_5> <requestId=9c4q00cv-e10x-00b4-z55f-11b44dc4c37m> <clientIp=11.22.33.222> <myapp.main.catalog.store.trxn.OrderResponseValidator.logOrderResponseValidationError(?:?):Productadd service error for modelId 765431 and reference number null[Model is not available in the store], [An error has occurred. Please verify your order status.]>

Can someone please help?
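The line is in the WebLogic server-log layout: a fixed sequence of angle-bracketed fields (timestamp, severity, logger, machine, server, then name=value pairs, then the message) with modelId buried in the message text. The equivalent of `rex "modelId (?<modelId>\d+)" | stats count by modelId | sort - count` is worked below as an added example, not from the post. The first line is the poster's sample; the other three are constructed so the ranking has something to rank, including an INFO line that mentions a modelId and must not be counted.

```python
"""Count ERROR events per modelId in WebLogic-style server logs.

Added example; not from the original post. The first line is the poster's
sample; the three that follow are constructed so the count has something to
rank (an INFO line carrying a modelId is there to be excluded).
"""
import re
from collections import Counter

SAMPLE_LOG = [
    "####<Jan 11, 2021 11:17:52.338 PM PST> <ERROR> <myapp.main.catalog.store.trxn.OrderResponseValidator> "
    "<bus-ser15> <bus-ser1515_5> <requestId=9c4q00cv-e10x-00b4-z55f-11b44dc4c37m> <clientIp=11.22.33.222> "
    "<myapp.main.catalog.store.trxn.OrderResponseValidator.logOrderResponseValidationError(?:?):"
    "Productadd service error for modelId 765431 and reference number null[Model is not available in the store], "
    "[An error has occurred. Please verify your order status.]>",
    # constructed lines follow
    "####<Jan 11, 2021 11:18:03.001 PM PST> <ERROR> <myapp.main.catalog.store.trxn.OrderResponseValidator> "
    "<bus-ser15> <bus-ser1515_5> <requestId=c0ffee01> <clientIp=11.22.33.223> "
    "<myapp.main.catalog.store.trxn.OrderResponseValidator.logOrderResponseValidationError(?:?):"
    "Productadd service error for modelId 123456 and reference number 77[Model is not available in the store]>",
    "####<Jan 11, 2021 11:18:09.410 PM PST> <ERROR> <myapp.main.catalog.store.trxn.OrderResponseValidator> "
    "<bus-ser15> <bus-ser1515_5> <requestId=c0ffee02> <clientIp=11.22.33.224> "
    "<myapp.main.catalog.store.trxn.OrderResponseValidator.logOrderResponseValidationError(?:?):"
    "Productadd service error for modelId 765431 and reference number null[Model is not available in the store]>",
    "####<Jan 11, 2021 11:18:15.000 PM PST> <INFO> <myapp.main.catalog.store.trxn.OrderResponseValidator> "
    "<bus-ser15> <bus-ser1515_5> <requestId=c0ffee03> <clientIp=11.22.33.225> "
    "<myapp.main.catalog.store.trxn.OrderResponseValidator.logOrder(?:?):Order accepted for modelId 999999>",
]

_FIELD = re.compile(r"<([^<>]*)>")
_MODEL = re.compile(r"\bmodelId (?P<modelId>\d+)")


def parse_weblogic(line):
    """Split the positional '<...>' fields: timestamp, level, logger, name=value pairs, message."""
    parts = _FIELD.findall(line)
    if len(parts) < 4:
        return None
    event = {"timestamp": parts[0], "level": parts[1], "logger": parts[2], "message": parts[-1]}
    for part in parts[3:-1]:
        if "=" in part:
            key, _, value = part.partition("=")
            event[key] = value
    return event


def errors_by_model(lines):
    """[(modelId, count), ...] for ERROR events only, highest count first."""
    counts = Counter()
    for line in lines:
        ev = parse_weblogic(line)
        if not ev or ev["level"] != "ERROR":
            continue
        m = _MODEL.search(ev["message"])
        if m:
            counts[m.group("modelId")] += 1
    return counts.most_common()
```

Filtering on the severity field rather than on the word "error" in the message is the difference between counting failures and counting any line that talks about one; the same applies to the Splunk search, where the search-time filter belongs on the extracted level field.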
Hi All, I have a requirement to group keys (key-value pairs) having a wildcard char like usermetadata_* by another unique field, PipelineName.

INPUT:

level: INFO
logGroup: test
loggerName: Logger
message: {
  Trace-Type: client
  UserMetaData_eventID: [1234]
  UserMetaData_orderLineType: xyz
  UserMetaData_purchaseOrderType: [2]
  UserMetaData_purchaseOrderID: [3421]
  UserMetaData_purchaseOrderVersion: [789]
  UserMetaData_salesOrderID: [-789]
  PipelineName: abc
}

OUTPUT example, I want the output like this:

PipelineName    usermetadata_keys
abc             UserMetaData_eventID
                UserMetaData_orderLineType
                UserMetaData_purchaseOrderType
                UserMetaData_purchaseOrderID
                UserMetaData_purchaseOrderVersion
                UserMetaData_salesOrderID
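What the output asks for is a set of field names, not values, grouped by pipeline, which in SPL is a foreach over usermetadata_* collecting "<<FIELD>>" into a multivalue and then stats values() by PipelineName. The same logic in Python, as an added example (not from the post): the first event is the poster's INPUT block, the second event and its pipeline name "def" are made up so the grouping shows more than one row. The prefix match is case-insensitive, as Splunk's wildcard field matching is.

```python
"""Group the UserMetaData_* keys present in each event by PipelineName.

Added example; not from the original post. The first event is the poster's
INPUT block (one 'key: value' per line inside message { ... }); the second
event and its pipeline name 'def' are made up to show grouping.
"""
import re
from collections import defaultdict

EVENTS = [
    """level: INFO
logGroup: test
loggerName: Logger
message: {
  Trace-Type: client
  UserMetaData_eventID: [1234]
  UserMetaData_orderLineType: xyz
  UserMetaData_purchaseOrderType: [2]
  UserMetaData_purchaseOrderID: [3421]
  UserMetaData_purchaseOrderVersion: [789]
  UserMetaData_salesOrderID: [-789]
  PipelineName: abc
}""",
    """level: INFO
logGroup: test
loggerName: Logger
message: {
  Trace-Type: client
  UserMetaData_eventID: [99]
  UserMetaData_region: eu-west
  PipelineName: def
}""",
]

_KV = re.compile(r"^\s*(?P<key>[\w-]+):\s*(?P<value>.*?)\s*$", re.M)


def parse_event(text):
    """Flatten 'key: value' lines (including those inside message { }) into a dict."""
    return {m.group("key"): m.group("value") for m in _KV.finditer(text)}


def metadata_keys_by_pipeline(events, prefix="usermetadata_"):
    """{PipelineName: sorted key names matching the prefix}, prefix matched case-insensitively."""
    grouped = defaultdict(set)
    for text in events:
        fields = parse_event(text)
        pipeline = fields.get("PipelineName")
        if not pipeline:
            continue
        for key in fields:
            if key.lower().startswith(prefix.lower()):
                grouped[pipeline].add(key)
    return {pipeline: sorted(keys) for pipeline, keys in grouped.items()}
```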
To be specific, I have a dashboard panel that shows the percentage of timed out transactions, and I want it to change color to alert red when it reaches 20% or more. When I use Edit dashboard / Format visualization / Color, it can only change if the shown result is a number; because my result is a number with a "%" attached to it, it has no effect. Here is my code:

| eval Timed_Out=round((Timed/Total)*100,2)."%"
| table Timed_Out

So is there a way for the shown result to automatically have "%" so the Format Visualization could work? Thank you
I checked that CIM data models have an inherited _time field, but I couldn't retrieve it. Can anyone tell me what's wrong?

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic._time