HI, I have Splunk with the Cisco eStreamer eNcore App for ONE FMC. It works fine for a single FMC, BUT I have four FMCs in the network. How do I add multiple FMCs to one Splunk? Please help me, thanks.
I want to deploy a multisite Splunk cluster in a Docker Swarm cluster. We have 2 datacenters in different cities with VMware vSphere, where we used to create virtual machines and install Swarm into these VMs. But now I want to create a more advanced setup using Docker Swarm. I'm planning to create a geo-distributed Docker Swarm cluster with 3 master VMs and 5-10 worker nodes in both vSpheres. Inside that cluster I want to deploy a multisite Docker Stack with the following architecture:

[site1]
1 splunk cluster master - main
2 splunk indexers
2 splunk searchheads
1 splunk searchhead captain
1 splunk deployer

[site2]
1 splunk cluster master - backup
2 splunk indexers
2 splunk searchheads
1 splunk searchhead captain

Is it a good architecture for ingesting big amounts of data? Which Docker network type should I use? For storage I want to use the Docker daemon's local storage driver on each of the Swarm VMs; is it a good choice or not?
I have a total of 7M users. My Splunk query shows the count of completed users. I want to draw a pie chart showing completed users vs total users. So far I have gotten this far:

<< my query>> | eval TotalMax=7000000 | stats count(Path) as completed | eval perc=(completed/TotalMax)/100 | table completed,perc

count(Path), which is the same as completed, comes out as 200000, but perc is not getting calculated. Am I missing anything? --Sunray
Hi, I am trying to evaluate Splunk in the context of all the features that it has to offer. I downloaded the demo, but the thing is there is no data for me to test out the features to see what the unified dashboard looks like. Is there a good reference link you can point me to where I can get some sample data to infuse into Splunk to test its ITSI capabilities?
I got the query that shows the count every hour using the timechart command:

<<my query>> | timechart span=1h count(path)

What I would like is to show both the count per hour and the cumulative value (basically adding up the count per hour). How can I show the count per hour as a column chart but the cumulative value as a line chart? --Sunray
All, I have a threat intelligence application installed on my Splunk Cloud. I recently brought online Splunk Enterprise Security. Why is it that the application is not installed on Splunk Enterprise Security automatically? Shouldn't it replicate over automatically?
I have the search:

| tstats count where index=fologs module IN (G*) by module | sort -count limit=8

But I have a problem: there are several modules with the name G10MIP* which always have a minimum count of 30, so I want to show only count > 30 for modules with the name G10MIP*.
I would like to get stats per week of a Customer that would result in something like Table 1. The data I'm playing with is 100+ Customers and random values.

Table 1.
Week  CustomerA  CustomerB  CustomerC  CustomerD  CustomerE
27    60         0          0          37         22
28    110        0          0          35         21
29    65         0          0          56         20
30    33         0          0          72         13
31    4          0          0          2          3

Sample raw log data:
Date    Customer   Penalty
11-Dec  CustomerA  Code32
2-Nov   CustomerB  Code32
3-Oct   CustomerA  Code31
5-Dec   CustomerA  Code01
5-Nov   CustomerA  Code22
5-Nov   CustomerC  Code11
9-Nov   CustomerB  Code31

I used the span command to compile it per Week and did the stats command below; however, this result is not showing the way I need it.

|stats count by Customer by Week

My goal is to count the penalties of each customer per week and do a stacked bar graph. Is there a way to count the specific value of the field (Customer) and use that KEY as the column name, just like Table 1 above?
I am trying to set up an indexer cluster with one master, 2 indexers and a search head, using Splunk Enterprise version 7.2.3. After configuring the master and the indexers, I see the indexers as sick:

Error [00000100] Instance name "xxxxx-1001264746-1-1088387397" REST interface to peer is not responding. Check var/log/splunk/splunkd_access.log on the peer.

In the access logs:

10.236.9.173 - splunk-system-user [25/Dec/2020:00:46:54.047 +0000] "GET /services/admin/bundles/xxxxx-1001264746-3-1088390176?count=-1 HTTP/1.1" 404 174 - - - 0ms

I see the following messages in the splunkd log on the master:

12-25-2020 00:37:54.055 +0000 WARN GetBundleListTransaction - Server xxxxx-1001264746-1-1088387397[https://10.236.9.46:8089/services/admin/bundles/xxxxx-1001264746-3-1088390176] does not support bundle version listing. Probably an older version. Giving up due to error code 404.
12-25-2020 00:37:54.055 +0000 WARN DistributedPeer - Peer:https://10.236.9.46:8089 Unable to get bundle list
12-25-2020 00:37:54.056 +0000 WARN DistributedPeerManager - Cannot determine a latest common bundle, search may be blocked
12-25-2020 00:37:54.056 +0000 WARN GetBundleListTransaction - Server xxxxx-1001264746-2-1088388970[https://10.236.9.48:8089/services/admin/bundles/xxxxx-1001264746-3-1088390176] does not support bundle version listing. Probably an older version. Giving up due to error code 404.
12-25-2020 00:37:54.056 +0000 WARN DistributedPeer - Peer:https://10.236.9.48:8089 Unable to get bundle list
12-25-2020 00:37:54.057 +0000 WARN DistributedPeerManager - Cannot determine a latest common bundle, search may be blocked

Has someone seen or faced this issue before? Any help is much appreciated. Thanks.
I am subscribed to a 3rd party threat intelligence called ThreatConnect. I have the ThreatConnect app for Splunk installed on my search head. My question is in regards to tuning, as I have done very little to none. Should I expect that the threat intelligence that is streaming in is being run against the events in my environment automatically? Assuming the threat intelligence is CIM compliant, should I expect that my Enterprise Security will make a notable event if there is a match?
I had annotations I wanted to control with a Yes or No dropdown. It mostly works, but unsetting the token doesn't seem to clear the token correctly, as the annotations remain.

<search depends="$showToken$" id="base">
  <query>search.....</query>
</search>
...
<input type="dropdown" token="showToken" searchWhenChanged="true">
  <label>...</label>
  <choice value="yes">Yes</choice>
  <choice value="no">No</choice>
  <change>
    <condition match="$value$ == &quot;yes&quot;">
      <set token="showToken">true</set>
    </condition>
    <condition match="$value$ == &quot;no&quot;">
      <unset token="showToken"></unset>
    </condition>
  </change>
</input>

Is there a better way to accomplish this easily? I saw an older post that said using JavaScript could work, but I need to do this through only XML at this time.
I have been searching for a couple of hours for an explanation of what purpose this k/v isBad TRUE serves. Can you please elaborate on this question?
Hi everyone, I am trying to index data from a single log file to different indexes but I can't do it. I have this data which needs to be routed to different indexes:

svr80001.xxxxxx.com [UDP: [172.22.175.102]:27869->[172.22.172.244]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (121711881) 14 days, 2:05:18.81
<UNKNOWN> [UDP: [115.100.9.100]:56090->[172.22.172.244]:162]:

I need to filter using the IP address, and I followed this link https://community.splunk.com/t5/Getting-Data-In/How-to-filter-data-from-a-single-file-and-write-to-two-different/m-p/513371 but it isn't working for me. Regards, Diego
My goal - my ISP has warned me I've got a security issue. I'm trying to monitor my outgoing data to see which device is possibly speaking to the enemy. HomeMonitor looks pretty well suited to this task. I've got it all installed, but am struggling to get the sourcetype configured for the EdgeRouter syslog format. My router is a Ubiquiti EdgeRouter X. My Splunk server is a Win 10 PC, hardwired into the EdgeRouter. I configured the EdgeRouter to turn on syslogging, and enabled logging for the NAT masquerade. This gives me logs of all outgoing traffic only. I am able to pull the UDS traffic using Kiwi Syslog; it spits it out in this format:

2020-12-23 18:21:54 Kernel.Warning 192.168.2.1 Dec 23 18:21:55 ubnt kernel: [NAT-5010-MASQ] IN= OUT=eth0 src=XX.XX.XXX.XXX DST=XX.XX.XXX.X LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=14664 DF PROTO=UDP SPT=21167 DPT=53 LEN=53

Per Ubiquiti's website: NOTE: EdgeOS uses the BSD Syslog format, the rsyslogd service and UDP port 514 (not customizable) for Syslog by default. I tried installing this TA, but it appears to me misconfigured for my purposes: https://splunkbase.splunk.com/app/3483/ I read elsewhere that using the asus sourcetype gets it close. I cloned the asus sourcetype and made a few changes to it: dst and dpt weren't capitalized (I'm assuming it's case sensitive), and I updated the time format. This gets me SOME data, in Network Overview Outbound Traffic, but it only shows Source IPs. I really want to look at destination IPs and see if they're on a blacklist etc. I think the blocked traffic and map of connections panels are more suited to this task, but I'm not getting any data populating in there. Does anyone have any guidance? I assume I'm missing some critical data aliases or something. All help is appreciated; here's a pic of the sourcetype config.
I need to build a query to get the count of transactions having multiple 'jId' and a time difference greater than 5 mins. I want to find the 'Applname' which has an 'ASNumber' with multiple 'jId's.

|rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];"
|rex field=_raw "jobId: (?<jId>\w+);"
|rex field=_raw "\<ASNumber\>(?<ASNumber>[^\<]+)\<[^\<]"
|stats values(jId) as jId by ASNumber
|stats earliest(_time) as start latest(_time) as end by jId,sourcetype
|eval diff=end-start

The stats will be like below:
Applname1 - 3
Applname2 - 2
Applname3 - 1

Can anyone help me on this?
I was working on using | rest ....alerts/fired_alerts to create annotations for a dashboard. I thought I read somewhere that, because of the way the fired_alerts are stored, this data will be lost on a restart of Splunk. Is this true on Cloud?
Hello, I'm attempting to set up DB Connect 3.4.1 to communicate with an Oracle 11g XE database hosted on the same machine (Ubuntu 18.04) as the Splunk 8.1.0 instance. I'm using the ojdbc6.jar driver from the Oracle web site (https://www.oracle.com/database/technologies/jdbcdriver-ucp-downloads.html) with openjdk8, as suggested on the web. I managed to connect to the database and select a schema and a table from the DB Connect interface, but I cannot perform a query against OracleDB from either SQL Explorer or the dbxquery command in search (it gets stuck at 20% in the progress bar every time). If I reach the OracleDB from another Splunk 8.0.3 server running DB Connect 3.2.0, the communication is fully working, queries included. If I install DB Connect 3.2.0 on the actual server, we managed to get it working after applying a fix for Python version compatibility (https://community.splunk.com/t5/All-Apps-and-Add-ons/A-bytes-like-object-is-required-not-string-Splunk-DB-Connect/m-p/480429). Any ideas on how to get it working on DB Connect 3.4.1?
Getting the below error after executing the below command:

./splunk start --accept-license --answer-yes

It seems that the Splunk default certificates are being used. If certificate validation is turned on using the default certificates (not-recommended), this may result in loss of communication in mixed-version Splunk environments after upgrade.
"/base_app/splunk/splunkforwarder/etc/auth/ca.pem": already a renewed Splunk certificate: skipping renewal
"/base_app/splunk/splunkforwarder/etc/auth/cacert.pem": already a renewed Splunk certificate: skipping renewal
ERROR: Valid migration mode not specified.
ERROR while running migrate-distsearch-conf migration.
Hi All, I am trying to add a dropdown on workname, but the output always comes as "no records found", although that workname is present in the dashboard output. Below is my code:

$Env$ sourcetype = s $field2$$input$ | table XMIT_NM,USER_NM,WORK_ID,FILE_NM,FILE_ID | join [ search $Env$ sourcetype=b | table WORK_ID WORK_NM ] | table XMIT_NM,USER_NM,WORK_NM,FILE_NM,FILE_ID

Below is my XML:

<input type="dropdown" token="field2" searchWhenChanged="true">
  <label>Search</label>
  <choice value="&quot;*&quot;">Any</choice>
  <choice value="USER_NM">username</choice>
  <choice value="WORK_NM">Work name</choice>
  <default>"*"</default>
  <initialValue>"*"</initialValue>
</input>

I have tried <choice value="WORK_NM=">Work name</choice> and <choice value="&quot;WORK_NM&quot;">Work name</choice> as well, but it's not working, while search using USER_NM is working fine. Please suggest: is it because WORK_NM is output from the join command and hence cannot be used, or is there any other way to make this work?
Hello, I have the below use case to detect cleartext passwords at rest:

| from datamodel:"Compute_Inventory"."Cleartext_Passwords" | stats max(_time) as "lastTime",latest(_raw) as "orig_raw",values(tag) as "tag",count by "dest","user","password"

This datamodel runs the below search query:

(`cim_Compute_Inventory_indexes`) tag=inventory (tag=cpu OR tag=memory OR tag=network OR tag=storage OR (tag=system tag=version) OR tag=user OR tag=virtual) tag=user password=*

But I am not getting any results. There are events like below which say password=x (I know it's fetching from /etc/passwd and not a cleartext password), but still, I do not see any results when I do a pivot. Can someone please tell me why? When I remove password=* and do a preview, I see password=x. Password is properly being extracted as a separate field when I run the query for its sourcetype and index.