Hello Splunkers, I am trying to write a condition that says if command starts with "CHA" or "INS", add one. The query:

host=* | eval AUDIT=if(like(COMMAND,"CHA % AUDIT%", "INS % AUDIT%"),1,0) | stats sum(AUDIT)

Not combining the conditions gets me a working query, e.g.:

host=* | eval AUDIT=if(like(COMMAND,"CHA % AUDIT%"),1,0) | stats sum(AUDIT)

Is there a way I can get the query working?
The IP field in the IIS log looks like the one below.

100.30.24.56,+11.44.66.778,+120.33.44.15,12.567.89.666

I want to get only the IP before the first comma (100.30.24.56 in this case). Tried something like the below but no luck.

eval IP=split(IP,",")
Event Engine Console: We are planning to integrate Event Engine Console jobs and logs with Splunk. Could you please help with this integration so that we can monitor the jobs & logs of the ETL process that has been running in Event Engine Console? We would like to visualize them on a Splunk dashboard. Event Engine Console version details.
I have a log like this:

{"module": "x", "app_name": "sample"-app, "message": "Number of Transactions :52"}

I need to extract the value 52 as a count. I can use eval c1=substr(message,25,2), but how can I use it as a count variable? I want to use this count to compare with another count.
Hi all, we currently have a Splunk add-on that is cluster-naive and would like to convert it to be deployable on a Search Head Cluster. I have been able to locate information on packing apps for clusters so far. Is packing the only stage of development where we need to consider a clustered environment, or are there steps that need to be taken earlier in app development in order to ensure the app is deployable on a cluster? Thank you for the input.
Roughly once a week, I'm getting the following errors on my single-instance Splunk deployment.

KV Store changed status to failed. KVStore process terminated.. 12/3/2020, 11:53:25 AM
KV Store process terminated abnormally (exit code 14, status exited with code 14). See mongod.log and splunkd.log for details. 12/3/2020, 11:53:25 AM

Now, I can fix the issue by stopping Splunk, renaming the mongod folder and restarting Splunk, but I want to know why I'm getting the errors and how to prevent them in the first place. Any help or assistance would be greatly appreciated.
I have a method which takes in a single argument that is an XML string. Is there a way to split these transactions based on a tag in the XML?
Hi, within a custom function, is it possible to grab information from the current container? For example, I've added this line to a function:

from_address = str(phantom.collect2(container=container, datapath=["artifact:*.cef.fromEmail"], limit=1)[0][0])

Ideally the value of the variable would just be a string of an email address, but I get an error that the variable "container" hasn't been defined. However, when I test this line in the "custom code" section of a function block within a playbook, it works fine. Any thoughts on how I can achieve this? Thanks!
I want to create a dashboard on severity level and the hardware it's occurring on. What will the base search look like?
I have Splunk 8.0.5:
One cluster master
One search head
Two indexers to host clustered indexes

I would like to create a weekly report showing:
License consumption per index, host, source, sourcetype
License consumption per index and thereafter broken down per host, source, sourcetype

Is there already some canned report for this (licensing dashboard?) or would anyone have a custom query?
I have Splunk 8.0.5:
One cluster master
One search head
Two indexers to host clustered indexes

I am logged into the UI of the search head and have the admin role, but I cannot do any of the following:
View any of the clustered custom indexes
View the licensing usage in the monitoring console

On the cluster master we are not using LDAP for auth but just Splunk accounts, and the account I have has the power role. I still cannot see the licensing dashboards. What level of role/capability do I need (as a minimum) to see this info dashboard, or is there a read-only type role I could create or use to delegate this capability?
I have a KV lookup table named bingo_kv_table. There are multiple rows having the same hosts along with other hosts. I want to run a Splunk query to remove all the rows having a particular host name. Other fields along with it are start_date, start_time, end_date, end_time, title, user_name. I can extract the table using

|inputlookup bingo_kv_table|streamstats count as row |search host_list="*host*"

I want to delete multiple rows having the same host name. What command should I run without manually deleting each entry?
Splunk Version - 7.2.4.2
Splunk ES Version - 5.3.0

Hi, I am trying to add a custom lookup within ES to define Category/Priority for certain assets. I followed this article to the letter to create the lookup table & definitions with correct permissions: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Createlookups. The lookup was also formatted as required. I was able to add the lookup definition under Configure > Data Enrichment > Identity Management, but still the new Categories do not show up under any search for the asset, nor are they being used by ES for correlations. I do see another location, Configure > Content > Content Management > Create New Content > Managed Lookup, but when I try to add a new Managed Lookup, this new lookup definition is not listed in the drop-down. Could this be causing ES not to read/merge the data from this new custom lookup? What is the difference between adding a lookup under these two locations?

Note: As a test, I added the same data in the built-in assets.csv lookup and now at least ES Asset Center can see the updated Categories for those assets, but it still doesn't get added when running searches/data model correlations etc.

Thanks,
~ Abhi
Hello, I want to simply set a dashboard timepicker token with millisecond granularity from a drilldown search. The result should look like:

<query>| makeresults `comment("Base time as string")` | eval _time="2020-12-03T23:59:51.500" </query>
...
Drilldown
<condition field="_time">
<eval token="form.test.earliest">strptime($row._time$,"%Y-%m-%dT%H:%M:%S.%3N") - 0.100</eval>
<eval token="form.test.latest">strptime($row._time$,"%Y-%m-%dT%H:%M:%S.%3N") + 0.100</eval>
</condition>

This gets me 1607036390.900 - 1607036391.1 (23:59:50.900 - 23:59:51.100). With this approach, the resulting times being set are always 000 - 100 = X.900 and 000 + 100 = X.100. The milliseconds are ignored, or rather being considered 000, despite being .500 in the makeresults. I am fully aware that I can work around this by making the calculations in the query. What fully works is:

<query>| makeresults | eval _time="2020-12-03T23:59:51.500" | eval mytime2=strptime(_time,"%Y-%m-%dT%H:%M:%S.%3N") | table reset, _time, mytime2 </query>
...
Drilldown
<eval token="form.test.earliest">$row.mytime2$ - 0.100</eval>
<eval token="form.test.latest">$row.mytime2$ + 0.100</eval>

This gets me 1607036391.400 - 1607036391.600 (23:59:51.400 - 23:59:51.600), which is correct. The code itself is identical. The only difference is that strptime is now being used in the query instead of the eval token. I've tried a lot of different things here, such as using testtime="2020-12-03T23:59:51.500" instead of _time for formatting reasons, using %3N instead of %Q, and many other things. Nothing works. It seems that strptime behaves buggy in a dashboard eval token context. For me, this looks like a weird bug. Can anyone confirm this or help me? Best regards,
Can I get daily index usage for a particular index?
Hi all, I have data as below that indicates logon and logoff time.

_time                  user  startTime   endTime
20/12/04 18:07:03.000  A     1607072823  1607073562
20/12/04 17:53:22.000  B     1607072002  1607074229
20/12/04 16:21:19.000  A     1607066479  1607066494
20/12/04 16:07:32.000  C     1607065652  1607065719

"_time" is equal to startTime, but startTime is epoch time. I would like to plot this time series data to a line chart using the timechart command, where the x axis indicates time with a 1-minute span, the y axis indicates each user name, and the plotted value is 1 between the session's startTime and endTime.
I am trying to monitor for a higher than threshold number of events per user. The alert is run once an hour and I need to inspect every X-minute window in the previous hour for a number of occurrences higher than the allowed threshold (5 here).

index="someindex" | search event="Event-Indicating-String" | stats count(eval(event)) as occurrences by offender | where occurrences > 5 | table offender occurrences

I have a timestamp (in seconds) available for every event before I aggregate them. How do I go about this?
Hi, can anyone help me to do the configuration of the Microsoft 365 Defender add-on for Splunk? We are on Splunk Cloud and have raised the ticket for installation, and it has been done. Can someone help me to configure the add-on? When I open the app it has 5 tabs; when I click on Inputs it's not displaying anything and shows as loading. The same is happening for Configuration -> Account. Is there anything I have to do in the settings? As per my understanding, if an IDM is there for the cloud stack, the Splunk team needs to do all the configurations, right? Please correct me if I am wrong. Can anyone give the step-by-step process if we have to do it from our side? I have attached screenshots below. Many thanks
For Splunk SSE version 3.2.0, please provide a list of the 4 new native detections and 40+ detections from the Security Research Team. Detailed release notes are key to proper implementation. 
Hello, I want to search AD for all users in my organization. But as the list is huge, a memory error occurs and I'm getting 0 results. Is there any way I can split my search? Below is the query I was trying.

| ldapsearch search="(&(objectclass=user)(CN=*))" | table objectSid description sAMAccountName

What I want is, if there are 90000 users, to split my search into the first 45000 users and the last 45000 users. Thanks in advance @woodcock