Hello Everyone, We are currently working on Exchange logs (IIS), and trying to detect abnormal traffic from different countries for a unique user, which seemed fairly simple. The main problem is that, as we found out, most Outlook for mobile data is proxied through the Microsoft network (no comment on data security...), so it could come from several locations for a single user (Ireland, USA, etc.). To set up the dashboard, we want to exclude (for now) every IP that CIDR-matches the Microsoft network (we will do the same for other cloud providers). For this, we wanted a way to insert the networks in a lookup table and add a field to the search request if the IP is owned by a cloud provider. Here is an example of the MS network (might not be exhaustive though..): https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

Any idea on how to:
- Simply add all this garbage to a lookup file containing the networks + provider label (here Microsoft)
- Make the lookup and then add a field if the IP is in the lookup table (like a field "Cloud based IP" which contains the provider)

As a result, we will be able to filter out Microsoft/Google/Amazon from the anomalies... Would help a lot, and hope it will help others who are trying to get a better understanding of external Outlook connections..
Hi, I have updated inputs.conf on my deployment server. Can I restart my deployment server so that the changes get reflected? Will it impact any of my UFs, where they will be disconnected from the deployment server and lose data? Or can I use any command to update my inputs.conf on the server? Thanks
Hi, I wanted to know whether, by clicking on the bar graph, we can populate different field values. For example, I have a bar graph showing the index name, but when I drill down on the bars I need to populate the sourcetype name associated with the index shown in the bar graph. I have a bar chart showing indexes. When I click on the bars I want to display the sourcetype of the particular index. Now I am able to drill down but I am not getting the required details, i.e. sourcetype. It is showing "no results found", since when clicked on the bar graph it takes the shown value.

PFB code:

<drilldown>
  <set token="indexname">$click.name2$</set>
</drilldown>

Query used in the second panel:

index=* | search sourcetype="$indexname$" | table index sourcetype

Any suggestions?
Hello, I recently tuned my Authentication data model and I cannot see any result in the action field while running a search. However, I can see the result while using the Pivot feature. FYI - I used the Eval Expression feature while tuning this DM.

case(
    (sourcetype="linux" AND isnull(action)), "unknown",
    sourcetype="linux", action,
    sourcetype="AWS", action,
    (sourcetype="Okta" AND action="SUCCESS"), "success",
    (sourcetype="Okta" AND action="FAILURE"), "failure",
    (sourcetype="Duo" AND action="SUCCESS"), "success",
    (sourcetype="Duo" AND action="FAILURE"), "failure"
)
How to restrict application permissions in the Splunk UI? E.g., I just want to give a user access only to a particular application, so that he can see only that application. Is it possible?
Hello, I am a big fan of using Join for combining results of different sourcetypes and indexes (especially with a type=left parameter), but I do see a lot of hate in the community towards the usage of Join considering performance and resource usage at the backend. Can anyone provide me with a valuable resource that shows methods for different scenarios as to when and which alternative method should be used instead of the infamous Join command, and in which scenario Join should be used as a last resort? Regards,
Hi, can anyone please help me in replacing join in the query below?

index=168347-np [ | `last_np_sourcetype("index=168347-np","hardware")`] (physicalType=*)
| fields physicalElementId deviceId
| join deviceId [ search index=168347-np [| `last_np_sourcetype( "index=168347-np", "group_members")` ] groupId=300543 | fields deviceId ]
| stats dc(physicalElementId) as Devices
Hello! I want to ping some host on the Internet from every UF in my network to quickly find out about its availability/unavailability. The simplest way would be to write a script, but no matter how much I tried to write a bat, nothing came of it. Perhaps someone has already solved this issue and can share the script, or else help to write it correctly. No matter what format the output of the script is, the main thing is that this output can be used to determine the availability of the host. Here's what I tried:

First script:

ping -n 1 www.google.com

Second script:

@echo off
REM Save this file under a name other than ping.bat, otherwise "ping" resolves to the script itself
ping -n 1 www.google.com | find "TTL=" > nul
REM "if errorlevel 0" is always true; "if not errorlevel 1" is true only when find returned exit code 0
if not errorlevel 1 echo Ping successful

Both scripts send the system into recursion and do not output any ping results. I am a noob in bat scripts, please, help me...
Hi, I have a lookup table with IP ranges and locations. The problem is that in the IP range column there can be several IP ranges separated by commas. How can I match the client IP address with the right location?
Hello fellow Splunkers, right now I'm working through the 7 labs for SE II which are necessary to be able to start the finishing accreditation quiz. I've been able to finish 5 of them by now but am totally lost with lab 6. Here the instructions are:
- events should begin with <Interceptor> and end with </Interceptor> (so line breaking is needed)
- extract (at search time) all fields and values in between the Interceptor lines and throw away any of the header lines before the first <Interceptor> and the line after the very last </Interceptor>
- use the ActionDate and ActionTime fields as the timestamp
- have Splunk auto-extract the fields and values

How they say I'd know I've done it:
- I'll have x amount of events and the fields broken out using SPATH notation
- the correct timestamp
- no text before the first and after the last Interceptor

What I have so far:
- I'm able to extract ActionDate and ActionTime to create a new timestamp
- I'm able to line break with LINE_BREAK = \<Interceptor\>()

My issue:
- When I line break, I save the new sourcetype and try to proceed to alter it given the other things to do, like extracting the timestamp or deleting the header text. But when I change ANYTHING it just disregards the linebreaker argument and goes back to being one huge event again, and I can't do anything about it.
- Even if I could line break and extract everything as stated, I don't really understand what they mean with "broken out using SPATH". Do they mean via SPL? Because they clearly stated that Splunk should "auto extract the fields and values".

How the data looks:

<?xml version="1.0" encoding="UTF-8" ?><dataroot><Interceptor><AttackCoords>-80.33100097073213,25.10742916222947</AttackCoords><Outcome>Interdiction</Outcome><Infiltrators>23</Infiltrators><Enforcer>Ironwood</Enforcer><ActionDate>2013-04-24</ActionDate><ActionTime>00:07:00</ActionTime><RecordNotes></RecordNotes><NumEscaped>0</NumEscaped><LaunchCoords>-80.23429525620114,24.08680387475695</LaunchCoords><AttackVessel>Rustic</AttackVessel></Interceptor><Interceptor><AttackCoords>-80.14622349209523,24.53605142362535</AttackCoords><Outcome>Interdiction</Outcome><Infiltrators>6</Infiltrators><Enforcer>Cunningham</Enforcer><ActionDate>2013-04-26</ActionDate><ActionTime>00:23:00</ActionTime><RecordNotes></RecordNotes><NumEscaped>0</NumEscaped><LaunchCoords></LaunchCoords><AttackVessel>Raft</AttackVessel></Interceptor><Interceptor><AttackCoords>-80.75496221688965,24.72483828554483</AttackCoords><Outcome>Interdiction</Outcome><Infiltrators>11</Infiltrators><Enforcer>Forthright</Enforcer><ActionDate>2013-05-15</ActionDate><ActionTime>23:35:00</ActionTime><RecordNotes></RecordNotes><NumEscaped>0</NumEscaped><LaunchCoords>-79.65932674368925,23.70743135623052</LaunchCoords><AttackVessel>Rustic</AttackVessel></Interceptor><Interceptor><AttackCoords>-80.32020594311533,25.02156920297054</AttackCoords><Outcome>Interdiction</Outcome><Infiltrators>6</Infiltrators><Enforcer>Pompano</Enforcer><ActionDate>2013-02-25</ActionDate><ActionTime>15:35:00</ActionTime><RecordNotes></RecordNotes><NumEscaped>0</NumEscaped><LaunchCoords></LaunchCoords><AttackVessel>Raft</AttackVessel></Interceptor><Interceptor><AttackCoords>-80.15149489716094,24.57412215015249</AttackCoords><Outcome>Interdiction</Outcome><Infiltrators>6</Infiltrators><Enforcer>Tripoteur</Enforcer><ActionDate>2013-04-13</ActionDate><ActionTime>15:40:00</ActionTime><RecordNotes></RecordNotes><NumEscaped>0</NumEscaped><LaunchCoords>-79.65999190070923,23.73619147168514</LaunchCoords><AttackVessel>Raft</AttackVessel></Interceptor></dataroot>

I hope someone can help me understand how to proceed here.

EDIT: in Lab 4 there was almost the same data to input - the only difference is that in lab 6 it has no line breaks whatsoever. Here is my props.conf from lab 4:

[dreamcrusher]
DATETIME_CONFIG =
FIELD_HEADER_REGEX = <Interceptor>
LINE_BREAKER = \<Interceptor\>
MAX_DAYS_AGO = 4000
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
REPORT-actiondate = actiondate
EVAL-_time = strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")

and my transforms.conf:

#[actiondate]
#REGEX = \<ActionDate\>(?P<ActionDate>\d+-\d+-\d+)\<\/ActionDate\>\s*\<ActionTime\>(?P<ActionTime>\d+:\d+:\d+)
#FORMAT = $1::$2
Hi team, I have the query below to search out all raw data and output it in a table format:

index=testIndex AND sourcetype=testType AND ACT!="-" AND "DT=MANUALEVENT" AND C_PG="DEVELOPMENT_GOAL_V2" OR C_PG="PERFORMANCE_GOAL_V2"
| table _time, SFDC, CMN, CMID, CIP, SID, PUID, UID, MID, PID, C_PG, C_SPG, ACT

There are 6 different metrics/panels in the dashboard with stats based on this query result.

Question: How to create the summary index based on the above query? I found that all the summary index commands are the 5 si commands below, per this official document https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Usesummaryindexing, and I can't figure out which one to use to match my scenario: sichart, sitimechart, sistats, sitop, sirare.
Hi Splunkers, I have a table that displays a value and, corresponding to that, the number of times that value has occurred. By default the table header is colored blue. I want to change the table header to grey if the values returned are zero, or the search returns no results. I do not have access to .js; I can only make changes using Simple XML. I have been trying to find a solution to this for quite some time now but I have had no success at all. Any leads would be wonderful. This is how my table looks right now when there is no data. @niketn if possible could you help me out with this? I hear you are a legend around here.
Hello, I am facing a problem while fetching a large number of rows from the database using the dbxquery command. I have a table of ~500,000 rows. I would like to receive data from this table and save it to a CSV file. The data in the table rarely changes, so I want to import it into a CSV file. But when trying to fetch data, the request hangs. I tried limiting the selection to a smaller number of rows, from 10,000 to 50,000 rows (through rownum...). Sometimes the query returns a result, sometimes it also hangs. Moreover, it can work and freeze with the same limitation, and I do not observe any dependence. For example, I run a query:

| dbxquery connection="connection_name" query="query condition... and rownum<50000"

and the result is returned; I run the same query again without any changes and it hangs. Has anyone come across something similar? How can this be solved?
Pivot for the Assets and Identities data model "Identity_Management" is showing zero count. When running the search

| tstats count from datamodel=Identity_Management by index

the following error appears:

Error in 'DataModelCache': Could not create search for invalid datamodel: Identity_Management
The search job has failed due to an error. You may be able view the job in the Job Inspector.

12-14-2020 05:50:01.195 ERROR DataModelCache [33401 searchOrchestrator] - Could not create search for invalid datamodel: Identity_Management
12-14-2020 05:50:01.195 ERROR SearchPhaseGenerator [33401 searchOrchestrator] - Fallback to two phase search failed:Error in 'DataModelCache': Could not create search for invalid datamodel: Identity_Management
12-14-2020 05:50:01.195 ERROR SearchOrchestrator [33401 searchOrchestrator] - Error in 'DataModelCache': Could not create search for invalid datamodel: Identity_Management
12-14-2020 05:50:01.195 ERROR SearchStatusEnforcer [33401 searchOrchestrator] - sid:1607925000.24084 Error in 'DataModelCache': Could not create search for invalid datamodel: Identity_Management

Please advise! Thanks!
I have a customized navigation menu but it is showing "None". But the dashboard under it is fine... How could I display the collection name? Please help me to rectify it.
Hi Team: Here, on the extraction for Event 2, the MESSAGE field is extracted as empty as it's not multiline. How should I extract MESSAGE for both multiline and single-line events?

Query:

index=abcd sourcetype=fallback
| rex field=_raw "^(?P<DATETIME>[^,]+),\d+\s+\[(?P<DAEMON>[^\]]+)\]\s+(?P<SEV>[^ ]+)\s+(?P<CLASS>[^ ]+)\s+\-\s+(?P<MESSAGE>(.*[\r\n]+)*)"
| table DATETIME, DAEMON, SEV, CLASS, MESSAGE

Event 1:

2020-12-07 17:43:02,075 [ABCD_Daemon1] WARN ABCD_CLASS1 - Failed to process java.lang.InterruptedException
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:2014)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2048)
at java.util.concurrent.ArrayBlockingQueue.take(ArrayBlockingQueue.java:403)
at db.$EmailNotifierDaemon.run(asdasd.java:1133)

Extracted as:

DATETIME: 2020-12-07 17:43:02
DAEMON: ABCD_Daemon1
SEV: WARN
CLASS: ABCD_CLASS1
MESSAGE: Failed to process java.lang.InterruptedException at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:2014) at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2048) at java.util.concurrent.ArrayBlockingQueue.take(ArrayBlockingQueue.java:403) at db.$EmailNotifierDaemon.run(asdasd.java:1133)

Event 2:

2020-12-07 16:12:14,273 [ABCD_Daemon2] INFO ABCD_CLASS2 - Got notification for external configuration change, cleaning caches.

Extracted as:

DATETIME: 2020-12-07 16:12:14
DAEMON: ABCD_Daemon2
SEV: INFO
CLASS: ABCD_CLASS2
MESSAGE:

Thank you
I'm looking for the best bootcamp. Any suggestions? In person would be great.
Hi, we have two sets of computers, one set is in the 40s and another set is in the 30s. When displaying the chart I want to display both sets of computers in different specified colors, one in blue and another in green. Here is the chart that I am using:

<chart>
  <search>
    <query>index=iis_prod | stats count by s_computername | sort - count | head 10</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
    <refresh>10m</refresh>
    <refreshType>delay</refreshType>
  </search>
  <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
  <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
  <option name="charting.axisTitleX.visibility">visible</option>
  <option name="charting.axisTitleY.visibility">visible</option>
  <option name="charting.axisTitleY2.visibility">visible</option>
  <option name="charting.axisX.scale">linear</option>
  <option name="charting.axisY.scale">linear</option>
  <option name="charting.axisY2.enabled">0</option>
  <option name="charting.axisY2.scale">inherit</option>
  <option name="charting.chart">bar</option>
  <option name="charting.chart.bubbleMaximumSize">50</option>
  <option name="charting.chart.bubbleMinimumSize">10</option>
  <option name="charting.chart.bubbleSizeBy">area</option>
  <option name="charting.chart.nullValueMode">gaps</option>
  <option name="charting.chart.showDataLabels">none</option>
  <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
  <option name="charting.chart.stackMode">default</option>
  <option name="charting.chart.style">shiny</option>
  <option name="charting.drilldown">all</option>
  <option name="charting.layout.splitSeries">0</option>
  <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
  <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
  <option name="charting.legend.placement">none</option>
  <option name="height">225</option>
  <option name="refresh.display">progressbar</option>
</chart>

I tried adding an option called fieldColors for a specific computer, but it doesn't work:

<option name="charting.fieldColors">{"webcetweb40":0x65a637}</option>

I tried adding an option called seriesColors, but that changes all of the bars:

<option name="charting.seriesColors">[0x65a637]</option>

Here is my bar chart screenshot. Any help regarding this would be appreciated. Thanks!
Hi, I always appreciate you taking the time to answer my questions. We will connect independent systems using an L3 switch and send the syslog to the cyber security operation center as in the attached picture. (The network switch will send via its syslog function, and the Splunk forwarder will be installed on the workstation.) Even if the IP address is duplicated in each system, the IP address cannot be changed. If IP addresses are duplicated between independent systems, is there a problem in transmitting logs? Then, what is the solution to this problem? Best regards,
Hi, I have a standalone server which is acting as search head and indexer, and the server is under-utilized, so I want to increase batch_search_max_pipeline=2, which will also improve search performance. I want to confirm before making changes whether this change is applicable on my standalone server, or whether this change is applicable only for an indexer cluster. So can I make this change on my standalone server? Thanks,