Hi, I need to do observability on different web applications on Windows workstations. For example, I need to measure the response time or error code of the web app. Is it possible to collect these metrics in Splunk? How? With Splunk APM? Website monitoring? Another question: how do I collect events from the Windows Event Viewer? Thanks
Let's say I have the following SPL query. Ignore the regexes, they're not important for the example:

index=abc
| rex field=MESSAGE "aaa(?<FIELD1>bbb)"
| rex field=MESSAGE "ccc(?<FIELD2>ddd)"
| stats count by FIELD1, FIELD2

Right now, the query doesn't return a result unless both fields match, but I still want to return a result if only one field matches. I just want to return an empty string in the field that doesn't match. Is there a way to do this? Thanks!
I wrote a custom alert with a bash script that sends the values of an SPL query to TheHive. The script creates a case on TheHive, but with empty fields. alert_actions.conf:

[alert_to_thehive]
is_custom = 1
disabled = 0
label = Alert to TheHive
description = Custom alert action to send alerts to TheHive
icon_path = alert_icon.png
payload_format = json
ttl = 10
# Command to execute
alert.execute.cmd = alert_to_thehive.sh
# Arguments passed to the script
alert.execute.cmd.arg.1 = $result.Image$
alert.execute.cmd.arg.2 = $result.CommandLine$
(index=hcp_system OR index=hcp_logging) namespace=$env_dd$
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>[^,]+),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>[^,]+),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| eval IID=if("$interface_dd$"!="", "$interface_dd$", IID),
       STEP=if("$step_dd$"!="", "$step_dd$", STEP),
       PKEY=if(isnull("$record_id$") OR "$record_id$"="", PKEY, "*" . "$record_id$" . "*"),
       STATE=if("$state_dd$"!="", "$state_dd$", STATE),
       MSG0=if(isnull("$message_1$") OR "$message_1$"="", MSG0, "*" . "$message_1$" . "*"),
       PROPS=if(isnull("$properties$") OR "$properties$"="", PROPS, "*" . "$properties$" . "*")
| search (IID=* OR isnull(IID)) (STEP=* OR isnull(STEP)) (PKEY=* OR isnull(PKEY)) (STATE=* OR isnull(STATE)) (MSG0=* OR isnull(MSG0)) (PROPS=* OR isnull(PROPS))
| table IID STEP PKEY STATE MSG0 PROPS

How can I make it show in the table the values selected in the DD, and, if a text-field search input (PKEY, MSG0 and PROPS in my case) is empty, show what the rex PKEY:\s*(?P<PKEY>[^,]+) extracts? The current behavior is the following (DD = DropDown, TF = Text Field).

Input:
- DD IID: SF
- DD STEP: RECEIVE_FROM_KAFKA
- DD STATE: IN_PROGRESS
- TF PKEY, MSG0 and PROPS are empty

Msg1: "#HLS# IID:SF, STEP:RECEIVE_FROM_KAFKA, PKEY:456, STATE:IN_PROGRESS, MSG0:Success, PROPS:YES #HLE#"
Msg2: "#HLS# IID:SAP, STEP:SEND_TO_KAFKA, PKEY:52345345, STATE:IN_PROGRESS, MSG0:MOO, PROPS:FOO #HLE#"

Extracted table:

STEP               | PKEY     | STATE       | MSG0 | PROPS
RECEIVE_FROM_KAFKA | 52345345 | IN_PROGRESS | MOO  | YES

Summary: the result mixes column values from different messages when the text-field inputs are empty. How can I make it extract all messages with the above log pattern and then filter them based on the DD or text fields?
Hi all, I don't know if someone else has found this issue: using version 9.3.0 for the first time, I tried to customize an app menu bar. Then I found that if I try to use this app with my language (it-IT) it doesn't change; if instead I run it with the default English interface (en-US) it runs correctly. Ciao. Giuseppe
Hi, I've created some scheduled Splunk reports with inline tables in the email body. We're sending these reports to a Slack channel via email, but the URLs appear as plain text in Slack, while they are hyperlinked in Gmail. Is there a workaround to ensure the URLs are clickable in Slack? Also, how do I enable hyperlinks for URLs in a report (not a dashboard)? @ITWhisperer @gcusello @PickleRick
Hello all, I'm implementing some routing at the moment in order to forward a subset of data to a third-party syslog system. However, I'm running into issues with the Windows logs. They look like this at syslog-ng:

Dec 29 07:47:18 12/29/2014 02:47:17 AM
Dec 29 07:47:18 LogName=Security
Dec 29 07:47:18 SourceName=Microsoft Windows security auditing.
Dec 29 07:47:18 EventCode=4689
Dec 29 07:47:18 EventType=0

I believe this is because of the \r\n in the Windows events caused by non-XML. How can I get the Splunk Heavy Forwarder to treat each Windows event as one line and then send it through? Architecture = UF - HF - Third Party System/Splunk Cloud. Thanks
I am currently working on creating an alert for a possible MFA fatigue attack from our Entra ID sign-in logs. The logic would be to find sign-in events where a user received x number of MFA requests within a given timeframe, denied them all, and then on the 5th one, for example, approved the MFA request, for our SOC to investigate. I have some of the logic for this written out below, but I am struggling to figure out how to add the last piece: an approved MFA request after the x number of denied MFA attempts by the same user. Has anyone had any luck creating this and, if so, how did you go about it? Any help is greatly appreciated. Thank you!

index=cloud_entraid category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails="MFA denied; user declined the authentication"
| rename properties.* as *
| bucket span=10m _time
| stats count min(_time) as firstTime max(_time) as lastTime by user, status.additionalDetails, appDisplayName, user_agent
| where count > 4
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
My colleagues and I have not been able to access the Splunk Support Portal for days, receiving a 404 error. We have tried different links:

https://splunk.my.site.com/customer/s/
https://splunk.my.site.com/partner/s/

But none of them are working. This means we cannot access Entitlements or open and manage Cases. Is anyone having the same problem?
Hi Team, we are trying to install Auto Update MaxMind Database into our Splunk. https://splunkbase.splunk.com/app/5482 --> this is the Splunk app. We have the account ID and the license key. While testing this by running the command | maxminddbupdate we got the below error:

HTTPSConnectionPool(host='download.maxmind.com', port=443): Max retries exceeded with url: /geoip/databases/GeoLite2-City/download?suffix=tar.gz (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')))
Hi everyone, good afternoon. We recently renamed the add-on. After renaming, we are facing the below issues:

* After upgrading we are able to see two add-ons, one with the old name and one with the new name, but ideally after upgrading only the latest add-on should be there.
* Inputs of the old add-on are not migrating to the new add-on. We replicated the APPID of the old add-on in the new add-on, but it did not work.

If anyone has faced this issue, please suggest how to resolve the problem. Thanks,
Hi there, I’m currently developing a React app and have almost finished the development. Now, I need to package it as a Splunk app, but I’m stuck on the packaging process. Is there a tool similar to the Splunk App Inspect that can fully inspect the React app I’ve created? Any documentation or blog posts on this would be really helpful. Thanks!
I want to extract only the JSON data into key-value pairs; the JSON is not fixed and can extend over extra lines. Everything needs to be done at the indexer level and nothing on the search head. Sample:

2024-03-11T20:58:12.605Z [INFO] SessionManager sgrp:System_default swn:99999 sreq:1234567 | {"abrMode":"NA","abrProto":"HLS","event":"Create","sUrlMap":"","sc":{"Host":"x.x.x.x","OriginMedia":"HLS","URL":"/x.x.x.x/vod/Test-XXXX/XXXXX.smil/transmux/XXXXX"},"sm":{"ActiveReqs":0,"ActiveSecs":0,"AliveSecs":360,"MediaSecs":0,"SpanReqs":0,"SpanSecs":0},"swnId":"XXXXXXXX","wflow":"System_default"}
2024-03-11T20:58:12.611Z [INFO] SessionManager sgrp:System_default swn:99999 sreq:1234567 | {"abrMode":"NA","abrProto":"HLS","event":"Cache","sUrlMap":"","sc":{"Host":"x.x.x.x","OriginMedia":"HLS","URL":"/x.x.x.x/vod/Test-XXXXXX/XXXXXX.smil/transmux/XXX"},"sm":{"ActiveReqs":0,"ActiveSecs":0,"AliveSecs":0,"MediaSecs":0,"SpanReqs":0,"SpanSecs":0},"swnId":"XXXXXXXXXXXXX","wflow":"System_default"}
ACCU_DILAMZ9884 Failed, cueType=Splicer, SpliceEventID=0x00000BBC, SessionID=0x1A4D3100 SV event=454708529 spot=VAF00376_i pos=1 dur=0 Result=110 No Insertion Channel Found

I want to extract the words that come after Result=XXX and not include the Result=XXX in the output.

| rex field=Message "(?<Test>\bResult.*\D+)"

This produces this output: Result=110 No Insertion Channel Found. So I want to exclude the Result=XXX.
Hi community, I am trying to connect to the DB Connect app and I am constantly redirected to http://$HOST/en-US/app/splunk_app_db_connect/ftr. What is the FTR, and how can I get rid of this error or force a redirection to a DB app that will work? I tried deleting the app folder in the $SPLUNK_HOME/etc/apps directory and reinstalling, but I am still getting the same error. Any assistance here will be greatly appreciated.
Suppose I have `/var/log/nginx/access.log` and then a dozen files in the same directory named like `access.log-<date>.gz`. When Splunk processes the gzipped files, is it supposed to index them under the `/var/log/nginx/access.log` source? I ask because I've noticed that these gzip files show up when I query:

```
source="/var/log/nginx/access.log*" | stats count by source
```

I'd appreciate a link to docs regarding this; I couldn't find any. Thanks!
We use the Qualys Technical Add-on to pull vulnerability data into Splunk. We run it on our Inputs Data Manager. We'd like to include additional fields in our data pulls, but in order to do that we need to go to the setup page. When going to the setup page on the IDM it never loads, and we see this data in web_service.log:

2024-09-03 21:26:32,726 INFO  __init__:654 - Authorization Failed: b'{"messages":[{"type":"ERROR","text":"You (user=myusername) do not have permission to perform this operation (requires capability: edit_telemetry_settings)."}]}'

From what I've been told, edit_telemetry_settings can only be assigned to admins, not sc_admins, so no one has access to get to the setup page. Qualys is telling me that they have other users with IDMs that are using the Qualys TA fine, but our issue has persisted across restarts, multiple environments and multiple TA versions. Can anyone confirm they can load the setup page for the Qualys TA from an IDM?
I recently issued a "splunk set default-hostname <hostname>" on a new node I added to our search cluster. It ended up replicating etc/system/local/inputs.conf to all other members, so obviously all search members began logging their events with the same 'host' field. So, if I want to avoid this in the future, how do I leverage conf_replication_summary.excludelist to blacklist the file from replication? I'm thinking it'd be something like this, but I really don't know, as I've never used this setting before.

[shclustering]
conf_replication_summary.excludelist.inputs = etc[/\\]system[/\\]local[/\\]inputs\.conf

Thank you.
I need to run Splunk Stream on some universal forwarders to capture data from a set of servers. The only way I've been able to do this is by running splunkd as root, which is not viable in production. I am deploying Splunk_TA_stream 8.1.3 to the forwarders using a deployment server; the forwarders are configured for boot-start. I've followed the documentation on installing the add-on and running set_permissions.sh to change the binary to run as root. However, restarting Splunk reverts the permissions on the streamfwd binary, and streaming fails to start, throwing the errors below. If I modify the service to run as root, Stream works as expected.

(CaptureServer.cpp:2338) stream.CaptureServer - SnifferReactor was unable to start packet capturesniffer
(SnifferReactor/PcapNetworkCapture.cpp:238) stream.NetworkCapture - SnifferReactor unrecognized link layer for device <ens192>: 253

The servers I need to stream from are all running Red Hat 9.4 on VMware 8 using VMXNET 3 NICs. I'm aware of workarounds others have come up with, but we need a permanent solution to this problem.

streamfwd app error in /var/log/splunk/streamfwd.l... - Splunk Community
A little background. Our organization set up hundreds of service templates when we rolled out ITSI. We're trying to clean up unwanted KPIs in these services. I have one KPI that I want off all of the service templates. The manual process of navigating:

1) Configuration
2) Service Monitoring
3) Service Templates
4) Search for a service
5) Edit
6) Click the X on the unwanted KPI
7) Save the template
Propagate the change

is taking forever to do in bulk. Is there a faster way?