Hello, I have a distributed Splunk architecture and I am trying to optimise/trim the received logs using the Ingest Actions feature. However, I get the error below: I tried to create a new rule set on the heavy forwarder and on the indexer, but it returned the error message "this endpoint will reject all requests until pass4SymmKey has been properly set." So I want to check where I should implement this feature, on the indexer or on the HF, and whether there is any prerequisite to implement it.
Hi, I would like to extract a field from JSON logs which are already in a prettier format. I would like to extract a field named "clientTransactionId" from the sample data below.

{ [-]
    @timestamp: 2024-09-05T10:59:34.826855417+10:00
    appName: TestApp
    environment: UAT
    ivUser: Ashish
    level: INFO
    logger: com.app.login
    message: New user state created - state_id: XXXX-YYYYYY, key_id: twoFactorAuth, key_value: {"tamSessionIndex":"1d1ad722-XXXX-11ef-8a2b-005056b70cf5","devicePrint":"DDDDDDDDDDD","createdAt":"2099-09-05T00:59:34.734404799Z","updatedAt":"2099-09-05T00:59:34.734404799Z","clientSessionId":"ppppppppppppp","sessionId":"WWWWWWWWW","clientTransactionId":"8fd2353d-d609-XXXX-52i6-2e1dc12359m4","transactionId":"9285-:f18c10db191:XXXXXXXX_TRX","twoFaResult":"CHALLENGE","newDevice":true,"newLocation":false,"overseas":true} with TTL: 46825
    parentId:
    spanId: 14223cXXXX6d63d5
    tamSessionIndex: 1d1ad722-6b22-11ef-8a2b-XXXXXXX
    thread: https-jsse-nio-XXXX-exec-6
    traceId: 66d90275ecc565aa61XXXXXXXX02f5815
}
Hello members, I'm facing problems parsing the event details on Splunk. I have forwarded the events from the HF to the indexers and they are now searchable, but I'm facing issues with field extractions and event details because the messages are truncated. For example, if I have a sample event like this:

CEF:0|fireeye|HX|4.8.0|IOC Hit Found|IOC Hit Found|10|rt=Jul 23 2019 16:54:24 UTC dvchost=fireeye.mps.test categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host

the categoryDeviceType parameter is truncated in the field extraction, so it displays only "Forensic" and the rest of the string is cut off. Can anyone please help with this matter? My props.conf is:

[trellix]
category = Custom
pulldown_type = 1
TIME_FORMAT = ^<\d+>
EVAL-_time = strftime(_time, "%Y %b %d %H:%M:%S")
TIME_PREFIX = %b %d %H:%M:%S
Hi, I have a requirement to perform an end-to-end search for troubleshooting in a dashboard. I am using multiple tokens inside the dashboard. Some tokens have a condition to be set or unset depending on null values. However, if any of the tokens are not null, then I should concatenate the tokens and pass the combined token to the other sub-searches. Note: there is always a token which is not null. I tried, but the other panels always say "search is waiting for input". Below is a sample snippet from the XML dashboard.

<search><query>index=foo</query></search>
<drilldown>
  <eval "combined">$token1$. .$token2$. .$token3$. .$token4$. $token5$</eval>
  <set "combined_token">$combined$</set>
</drilldown>
<panel>
  <search><query>index=abc $combined_token$</query></search>
</panel>
I have installed free Splunk Enterprise on my local system and it can be accessed via localhost:8000. I have also configured the webhook receiver in this instance to run on port 8088 via the HTTP Event Collector settings. I tried ngrok to expose localhost:8000 and localhost:8088 and used that public URL as the webhook listening server, but Splunk is not receiving any events. I can see my ngrok server being hit with the events, but it seems it's not able to forward them over to Splunk. What am I doing wrong here? What's the right way to expose my localhost Splunk instance to start receiving these webhook events? Thank you in advance for the help!
Hello Members, I have data coming from the HF, indexed on the indexer, and I can search it. The problem is in the details of the event. For example, a sample event contains cs4=FIREEYE test, but when I look at the details of this event I see cs4=FIREEYE only; the first string is kept and the rest is truncated. Why?
If I have two queries:

1. index=poc container_name=app horizontalId=orange
   outputs events with the trace ids

2. index=poc container_name=app ExecutionTimeAspect Elastic Vertical Search Query Service | rex field=_raw "execution time is[ ]+(?<latency>\d+)[ ]+ms" | stats p90(latency) as Latency
   outputs a Latency = 845

I want to link the output of query 2 and query 1 via the trace ids for the P90 Latency.
I am trying to show the results of the drilldown search of a notable without having to leave the event/case page. I am able to grab the drilldown search and send it back to Splunk using the 'run_query' command and receive the information, but regardless of what fields I put in the "display" field of the command nothing shows up in the widget, and attempting to create a new artifact with the data throws errors about it not being correctly formatted JSON. Does anyone have a best practice to show the results of an SPL query within Splunk SOAR, within the event it was run on?
Hi folks, I have a quick question based on this kind of data. Consider this table:

Age  sex     id  ^N-S-Ba  S-N mm
17   male    1   125      84
17   female  2   133      75

I have to create a dynamic range for the field "S-N mm": for females it is from 74,6 to 77, for males it is from 79,3 to 87,7. I need to create a table in which, when one of these values is within range, it turns green. Thanks for the support, Ale
Hello, I'm trying to obtain a table like this:

FQDN          uri      list of attack_types                                          attack_number
www.test.com  /index   Information Leakage, Path Traversal                           57
www.test.com  /test    Path Traversal                                                30
prod.com      /sample  Abuse of Functionality, Forceful Browsing, Command Execution  10

I can obtain the table without the list of attack_types, but I can't figure out how to add the values function.

| stats count as attack_number by FQDN,uri
| stats values(attack_type) as "Types of attack"

For each FQDN/uri I want to have the number of attacks and all the attack_types seen. It seems obvious, but I'm missing it. Can someone help me?
Hi, has anyone tried using the Node.js agent to see if it will work with detecting the Nest.js framework? NestJS is a framework for building efficient, scalable Node.js web applications. It uses modern JavaScript, so I don't know whether this would at least partially work.
Hello, I have an issue when creating some visualizations in a Splunk dashboard. I'm using Dashboard Studio, and my objective is to make a table panel with multiple tokens, one for each column. Is that possible in Splunk? For example, in this captured dashboard, when I click on a signature value, the rest of the visualizations below the table should change dynamically based on the clicked column value, and the same action should apply when I click on values from a different column of the first table. Is this possible in Dashboard Studio?
I have logs indexed like this. How do I break the entries based on each line? I need each line as a separate entry. I tried to do this via the line breaker but didn't succeed. Is there any method to do it via search after indexing?
Hello, I am trying to integrate the Splunk UI Toolkit into my own Splunk instance that is running on localhost. I am using React to get a session key with the following function:

// Posts username/password to the Splunk REST login endpoint and returns the session key
async function GetSessionKey(username, password, server) {
    var key = await fetch(server + "/services/auth/login", {
        method: "POST",
        body: new URLSearchParams({
            username: username,
            password: password,
            output_mode: "json",
        }),
        headers: {
            "Content-Type": "application/x-www-form-urlencoded",
        },
    })
        .then((response) => response.json())
        .then((data) => {
            return data["sessionKey"];
        });
    return key;
}

But I always get this on my network showing
Hi Splunkers, Splunk Enterprise: 9.2.2, Splunk Security Essentials: 3.8 (and 3.4). I installed Splunk Security Essentials 3.8, but I can't launch the app due to a Custom JavaScript Error. I tried using an older version of SSE, but it didn't resolve the issue. I also enabled the 'old version' setting in the internal library, but it still didn't help. If you know the solution, please help.
I'm working with Dashboard Studio for the first time and I've got another question. In the input on the dashboard, I set this $servers_entered$. I thought I had a solution for counting how many items are in $servers_entered$, but I found a case that failed. This is what $servers_entered$ looks like: host_1, host_2, host_3, host_4, ..., host_n. What I need is a way of counting how many entries are in $servers_entered$. So far the commands I've tried have failed. What would work? TIA, Joe
Hello, I'm working on monitoring whether someone has moved a file outside a specific folder inside a preset folder structure on a network, using data from a CSV source. Inside the CSV, I am evaluating two specific fields: Source_Directory and Destination_Directory. I am trying to compare the two going 3 folders deep in the file path, but I'm running into an issue when performing my rex command. The preset folder structure is "\\my.local\d\p\", pulled from the data set used. Within the folder "\p\" there are various folder names. I need to eval whether a folder path is different beyond the preset path of "\\my.local\d\p\...". I put in bold what a discrepancy would be if there is one. Example data in the CSV:

Source_Directory                          Destination_Directory
\\my.local\d\p\prg1\folder1\bfolder       \\my.local\d\p\prg1\folder1\ffolder
\\my.local\d\p\prg2\folder1               \\my.local\d\p\prg2\folder2
\\my.local\d\p\prg1\folder2               \\my.local\d\p\prg2\folder1\xfolder\mfolder\
\\my.local\d\p\prg3\folder2\afolder       \\my.local\d\p\prg3\folder2
\\my.local\d\p\prg2\folder1               \\my.local\d\p\prg1\folder3

Output query I am trying to create:

Status     Source_Directory                          Destination_Directory
Same       \\my.local\d\p\prg1\folder1\bfolder       \\my.local\d\p\prg1\folder1\ffolder
Same       \\my.local\d\p\prg2\folder1               \\my.local\d\p\prg2\folder2
Different  \\my.local\d\p\prg1\folder2               \\my.local\d\p\prg2\folder1\xfolder\mfolder\
Same       \\my.local\d\p\prg3\folder2\afolder       \\my.local\d\p\prg3\folder2
Different  \\my.local\d\p\prg2\folder1               \\my.local\d\p\prg1\folder3

If the folder name is different after the preset "\\my.local\d\p\" path, I need that to show in the "Status" output. I have searched extensively on how to use the rex command in this instance with no luck, so I thought I would post my issue. Here is the search I have been trying to use:

host="my.local" source="file_source.csv" sourcetype="csv"
| eval src_dir = Source_Directory
| eval des_dir = Destination_Directory
| rex src_path = src_dir "(?<path>.*)\\\\\w*\.\w+$"
| rex des_path= des_dir "(?<path>.*)\\\\\w*\.\w+$"
| eval status = if (src_path = des_path, "Same", "Diffrent")
| table status, Source_Directory, Destination_Directory

Any assistance would be much appreciated.
I need some help extracting Group Membership details from Windows Event Code 4627. As explained in this answer, https://community.splunk.com/t5/Splunk-Search/Regex-not-working-as-expected/m-p/470417, the following seems to work to extract Group_name, but the capture doesn't stop once the group list ends. Instead, it continues to match everything till the end of the line. I experimented with (?ms) and (?m) but didn't have any success.

"(?ms)(?:^Group Membership:\t\t\t|\G(?!^))\r?\n[\t ]*(?:[^\\\r\n]*\\\)*(?<Group_name>(.+))"

Sample event:

09/04/2024 11:59:59 PM
LogName=Security
EventCode=4627
EventType=0
ComputerName=DCServer.domain.x.y
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=64222222324
Keywords=Audit Success
TaskCategory=Group Membership
OpCode=Info
Message=Group membership information.

Subject:
    Security ID: NT AUTHORITY\SYSTEM
    Account Name: DCServer$
    Account Domain: Domain
    Logon ID: 0x1111

Logon Type: 3

New Logon:
    Security ID: Domain\Account
    Account Name: Account
    Account Domain: Domain
    Logon ID: 0x5023236

Event in sequence: 1 of 1

Group Membership:
    Domain\Group1
    Group2
    BUILTIN\Group3
    BUILTIN\Group4
    BUILTIN\Group5
    BUILTIN\Group6
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    Domain\Group7

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.

The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.
When I use this regex, it does capture starting from the group list but continues on till the end of the event. How can I tell the regex to stop matching once the group list ends? Also, this regex seems to put all groups into a single match. Is it possible to make it multi-valued, so that we can count the total number of groups present in a given event, e.g. 9 groups in the event example above? Thanks, ~Abhi
I'm working with Dashboard Studio for the first time and I've got a question. Originally I created a table search that returns data depending on what is in the $servers_entered$ field. That works. I have been asked to add two single value fields. The first shows the number of servers in the $servers_entered$ field, and that works. The second shows the number of servers in the table search. There should be a way of linking that information, but I can't figure out how. I could run the search again, but that is rather inefficient. How do you tie the search result count from a table search to a single value field? TIA, Joe
I'm missing something and it's probably blatantly obvious. I have a search returning a number, but I want a filler gauge to show the value as it approaches a maximum value. In this example, I'd like the gauge to cap at 10,000, but it always shows 100.