Hello, I am trying to perform a subquery in an else statement. I believe that the way I'm trying to do it is not right. I searched a bit over the internet but I couldn't find a way of doing it. My problem is as follows. I have two inputlookups, and I want to:
1. Read from the first lookup and extract a value name associated with a maximum in another column (done).
2. Join over that column (model_name) with the second inputlookup and check whether the evaluation metric is superior to a given threshold; if so, keep the model_name (done).
3. Else, query the second inputlookup to find the model_name associated with the maximum value (my problem is here: how to write a subquery in an else statement).

Here's the code that does not work in the else statement:

|inputlookup model_evaluation.csv
| eventstats max(evaluation_metric) as maxf
| eval maxf=tonumber(maxf)
| eval evaluation_metric=tonumber(evaluation_metric)
| where evaluation_metric>=maxf
| dedup maxf
| rename evaluation_metric as training_score
| table model_name training_score
| join type=inner model_name [|inputlookup model_evaluation_month.csv | eval good_model_name = case (evaluation_metric > 0.95, model_name, 1=1, [search | eventstats max(evaluation_metric) as maxf | eval maxf=tonumber(maxf) | eval evaluation_metric=tonumber(evaluation_metric) | where evaluation_metric>=maxf |dedup maxf | return model_name]) | table *, good_model_name ]

Thank you in advance!
Hello everyone, I'm trying to build an app based on the "Map Plus" app from Splunkbase. Unlike a normal dashboard, I don't need the dashboard frame at all, and I would like to have the map in full screen mode from the moment I open the URL (just like Google Maps). I'm trying to keep using Splunk and not build a new web app and integrate them, for simplicity (I don't want to deal with the Splunk SDK). Does anyone know what I need to change in the visualization.js/.css file in order to make it work? Is it even possible? Thanks
_TCP_ROUTING = forward_logs
disabled = false
index = 1idx1
sourcetype = LOGS
crcSalt = <SOURCE>

Even though our inputs.conf has crcSalt = <SOURCE>, we see the following INFO messages in splunkd.log, and the entire log file is getting reindexed for each log entry. Can you please confirm if any other parameters are needed?

11-17-2020 05:07:22.103 -0700 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='Xyz.log'.
11-17-2020 05:07:22.103 -0700 INFO WatchedFile - Will begin reading at offset=0 for file='Xyz.log'.
11-17-2020 05:07:22.104 -0700 WARN CsvLineBreaker - CSV StreamId: 8593577840253621053 has empty line. - data_source="Xyz.log"
Hey, I want to search a field and get all the results which contain a value from another field. For example: I have 2 fields, message and str. I want to get all the logs whose message field contains the value of the str field. How can I do that?
I am new to this community, hope you can help. We have used Splunk for years. Symptom: we see ASCII numbers as search results, expecting readable text. How can I get readable text? Our Spring Boot applications run inside Docker containers. We log using e.g. log4j2. When I use the Spring log4j2.xml configuration file (see below) in my Spring Boot application, then log statements are readable (as plain text) in the Docker logs. When I try to read them in Splunk, the message is shown like: message=['123', '34' '116', ... ] When I remove the log4j2.xml file, then all logs are readable again, both in the Docker logs and in Splunk. Why is this happening? How can I make the messages readable in Splunk?

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info">
  <Appenders>
    <Console name="Console-Appender" target="SYSTEM_OUT">
      <PatternLayout>
        <pattern>
          [%-5level] %d{MM-dd HH:mm:ss.SSS} [%t] [%c{1}] - %msg%n
        </pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <Logger name="nl.mycompany.xyz" level="info" additivity="false">
      <AppenderRef ref="Console-Appender" />
    </Logger>
    <Root>
      <AppenderRef ref="Console-Appender" />
    </Root>
  </Loggers>
</Configuration>
Hello, I'm looking for any help/documentation regarding instrumenting applications with OpenTelemetry and sending data into Splunk. Unfortunately, I can't find any detailed "get started" or "how-to" guide to test this. I'll be very thankful if somebody can provide "step-by-step" instructions (or something similar) for better understanding.
How to use the alert_condition parameter to create alerts in the REST API
Can I please get the extraction of "14%" as memory used and "boot" as directory, thank you.

[2020-11-17 11:33:43+0200] Filesystem Size Used Avail Use% Mounted on /dev/sda1 2.0G 274M 1.8G 14% /boot
Hello, maybe I'm just not using the right search term to find the location in the documentation. Out of curiosity, are there any other options for <option name="refresh.display">progressbar</option> besides "none"? I'm looking for a spinning wheel or anything alike to indicate activity, as the progress bar might be overlooked after pressing submit and running the following (long-running) query. Thanks!
[WinEventLog://Security]
disabled = 0
host = ABC
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

When we put this configuration in inputs.conf wherever we install the HF, we see that it is forwarding the old events as well. How can we define it to send only the latest events, or 7d of events, for the monitored file? Can someone please help?
Hi! I would like to fetch HTTP request properties (not headers, not parameters), according to the attached picture; like RawUrl, UrlReferrer, or any other HTTP request property. Looking into transaction snapshots -> any given segment -> More -> Properties, they're all there, but how do I go about creating a data collector for fetching any of these properties? I have been looking into https://docs.appdynamics.com/display/PRO45/Using+Getter+Chains which seemed promising, and thinking about method invocation data collectors, but haven't really succeeded yet. Has anyone been able to create a data collector fetching HTTP request properties? Thanks! /Mattias
Hi guys, I'm kinda new to Splunk. I tried to create a dashboard named "alerts", which is the same name as the default Alerts tab in the Search app, and after I clicked save, the default alerts page that I use to check on my alerts got replaced by my new dashboard that has the same name. Now every time I click on the alerts link I go to my alerts dashboard, not the default alerts page that normally comes with the Search app, so I wonder if there is a way to get the default alert tab back. I tried to find it in the app and settings but haven't found it yet. Thanks
I put web request logs into Splunk. I made a lookup CSV file that includes suspicious user-agent strings like below:

bad_user_agent
nmap
python
java
...

I need an alert if the user_agent field in the web request log contains any word in the CSV file. How can I write a query for that? Example:

user_agent="Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36" --> no alert
user_agent="Java/14.0.2" --> ALERT
user_agent="Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)" --> ALERT

Thank you.
Hi all, I have been making a search to know which account is in which groups using ldapsearch. I successfully made the search; I will put the query below. Now my question is: is it possible to keep a history of the results for 30 days? My search will be turned into a report which will run every day, and I want to keep every result for 30 days. I was thinking of putting everything in a PDF or CSV report, but I don't know how to delete it after 30 days. Otherwise I would need to send the report by mail, but I really want to avoid that option if possible. Does someone know what the best option would be and how I could set it up? The query is:

| ldapsearch domain="default" search="(&(objectClass=group)(cn=*))"
| ldapgroup
| rex field=member_dn "CN=(?<member_name_full>[^,]*),"
| table cn,member_dn,member_type,member_name_full
| sort cn
| rename cn AS "Group Name", member_dn AS "Member DN", member_type AS "Member Type", member_name_full AS "Member Name"

Thank you. Sasquatchatmars
Hi Friends, I am using Splunk Enterprise 7.1.1.0. For some reason I want to replace the current service account with a new one. I don't have the password for the current service account. Could you please advise in which places Splunk uses the user account or service account to run the show, e.g. Windows services, SQL database, or anything else? I want to know in which places I need to replace/update the new service account.
Hi, I have the following log from which I need to extract 2 fields:

[INFO ] 2020-11-16 20:52:30,729 (http-nio-8085-exec-127) [MyServiceImpl(emailServ:6431)] [my email@yahoo.com] [4223TD-E3DE-2345-8E59-1-YDHGC] Validation failed.Invalid. Response JSON {"emailAddress":"mynewemail","statusReason":"failed_syntax_check","domain":"","processedAt":"2020-11-16 20:52:30 GMT-0700 (MST)","cache":false,"account":"","status":"invalid"}

I need to show the below values as 2 different fields in a table:
my email@yahoo.com as Email1
mynewemail as Email2

I was not able to fetch the Email1 field. I tried to fetch the Email2 field as below, but that didn't work either.

^(?:[^<\n]*<){2}\s+"\{"\w+":"(?P<emailAddress>[^"]+)

Please extend your help.
I am new to Splunk and writing my first application. All the documentation regarding .conf files says NOT to modify files in the default folders, and to only work with files in local. This is great and makes sense. However, when it comes to app.conf, (1) the UI itself edits the file in default and (2) the documentation points to $SPLUNK_HOME/etc/apps/<your_app_name>/default/app.conf. What is the best practice? Thank you

p.s. Documentation links:
https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/configureappproperties/
https://dev.splunk.com/enterprise/docs/developapps/createapps/addnavsplunkapp/
Hello everyone! I am looking forward to getting a 7.1.2 Enterprise Trial Version (60 days) for R&D. I understand that we get 60 days of access to the latest Splunk version. Is there a way I can get the mentioned version? Thanks, Saurabh
Hello all, can someone suggest to me the best method to compare the source_ip in events to a lookup table which has the list of all the permitted IP ranges, and then show the events for which the source_ip is not matched in the lookup table? Scenario:

index=abc source_ip=x.x.x.x
lookup ip_ranges (has only one column with the IP ranges, x.x.x.x/x)
Hi, I am trying the following search syntax in Splunk to build out a report of our top 25 riskiest systems. But when I run it, I get the "Unknown search command 'isnull'" message. Thanks in advance!

index=utexas-chomp (app=TENABLE event=INTEL OR event=VULN family_type!="compliance"severity_name=* NOT hasBeenMitigated=1) OR (app=SCAVENGER event=INTEL OR event=VULN scan_net=ots_network OR scan_net=cluster_network) OR (app=BITSIGHT_FINDINGS event=INTEL OR event=VULN affects_rating="True" grade!=GOOD grade!=NEUTRAL) earliest=-7d | eval severity_name=if(app=="BITSIGHT_FINDINGS","seen from bitsight | (!!!)",severity_name) eval pluginName=if(app=="BITSIGHT_FINDINGS" and | isnull(pluginName), remediations_message, pluginName) eval | pluginName=if(app=="BITSIGHT_FINDINGS" and isnull(pluginName), | details_message, pluginName) eval | pluginName=if(app=="BITSIGHT_FINDINGS" and isnull(pluginName), | infection_family, pluginName) eval | pluginName=if(app=="BITSIGHT_FINDINGS", "BITSIGHT_" + pluginName, | pluginName) eval pluginID=if(app=="BITSIGHT_FINDINGS", pluginName, | pluginID) eval pluginText=if(app=="BITSIGHT_FINDINGS",_raw, | pluginText) eval | severity_id=if(app=="BITSIGHT_FINDINGS",1,severity_id) | eval host_seen_from_bitsight=if(app=="BITSIGHT_FINDINGS",1,0) | eval severity_name=if(app=="SCAVENGER" AND | scan_net="ots_network","seen from internet (!!!)",severity_name) eval | pluginID=if(app=="SCAVENGER" AND | scan_net="ots_network","seen_from_internet-"+protocol+port,pluginID) | eval pluginName=if(app=="SCAVENGER" AND | scan_net="ots_network","seen_from_internet-"+protocol+port,pluginName) | eval pluginText=if(app=="SCAVENGER" AND | scan_net="ots_network","seen_from_internet-"+protocol+port,pluginText) | eval severity_id=if(app=="SCAVENGER" AND scan_net="ots_network" | ,1,severity_id) eval host_seen_from_internet=if(app=="SCAVENGER" AND | scan_net=="ots_network",1,0) | eval severity_name=if(app=="SCAVENGER" AND | scan_net=="cluster_network","seen from campus (!)",severity_name) eval | pluginID=if(app=="SCAVENGER" AND | scan_net=="cluster_network","seen_from_campus-"+protocol+port,pluginID | ) eval pluginName=if(app=="SCAVENGER" AND | scan_net=="cluster_network","seen_from_campus-"+protocol+port,pluginNa | me) eval pluginText=if(app=="SCAVENGER" AND | scan_net=="cluster_network","seen_from_campus-"+protocol+port,pluginTe | xt) eval severity_id=if(app=="SCAVENGER" AND | scan_net=="cluster_network" ,1,severity_id) eval | host_seen_from_campus=if(app=="SCAVENGER" AND | scan_net=="cluster_network",1,0) | extract pairdelim=" ,", kvdelim="=", auto=f, limit=500000, | maxchars=1204800 mv_add=f rex field=pluginText "Credentialed checks : (?<credentialed_checks>[^|]+)" | where severity_id > 0 | dedup pluginID, srcip | eventstats sum(host_seen_from_internet) as internet_ports_open | sum(host_seen_from_campus) as campus_ports_open | sum(host_seen_from_bitsight) as bitsight_ports_open by port, srcip | `tenable_severity` | eval last_seen = strftime(_time, "%m/%d/%Y %I:%M:%S %p") rex field=cpe | "cpe:/[a-z]:(?<cpe_vendor>[^:]+):(?<cpe_software>[a-z0-9]+)" | rex field=pluginText "Credentialed checks : (?<credentialed_checks>[^|]+)" | eval cpe_vendor = if(pluginName like "seen_from_internet%", | "seen_from_internet", cpe_vendor) eventstats count as cpe_count, by | cpe_vendor, srcip eval VULNID = if(cpe_count > 4, cpe_count + " " + | cpe_vendor + " vulnerabilities", pluginName) eval VULNID = | if(isnull(cpe_vendor), pluginName, VULNID) | eval wholecpe = cpe_vendor + ":" + cpe_software | stats first(dnsName) as fqdn max(severity) as max_severity | values(VULNID) as vulns first(last_seen) as last_seen, | values(wholecpe) as vulnerable_software count as vulnerablities | first(deptcode) as deptcode by srcip eval fqdn = if(fqdn == "" or | isnull(fqdn), "Could Not Resolve", fqdn) | sort 25 - max_severity