Hello, Please let me know how to integrate Forescout with Splunk ES. Thanks
Hi, if the input is "add" then show all data; if the input is "delete" show only the added data to delete in Splunk.

Add      number (show all)        submit    xxx number added successfully
Delete   number (show xxx only)   submit    xxx number deleted successfully

What logic shall I put here?
Hi, I'm wanting to create a Traffic Light Dashboard based on a count of incoming records. What would be the best way to achieve this.  Counts over a time period?   Regards, David
Hi, I tried rex extracting user agent details; however, due to my lack of knowledge in Splunk I am finding it difficult. From the below rex command output I managed to extract (OS, Version). I tried the below rex and it's working fine, however I don't know how to capture more details like those mentioned in the below tabular column.

1 - \((?P<os>[^;]+);(?P<vers>[^;)]+).*$
2 - | rex "\(.*(?<OS>Android\s\d+|OS \d+_\d+|Windows NT\s\d+\.\d+)\;?.*\)" | fillnull value="unrecognised" OS
3 - rex "\((?P<osinfo>[^\)]+)\)" | rex field=osinfo "(?P<os>[^;]+);(?P<vers>[^;]+)(;(?P<etc>[^;]+))?" | stats count by os, vers

I would like to extract them in the below format; would that be possible?

Mobile Device  | Software name | Software version | Layout Engine | OS System   | OS      | OS version
A10 - SM-A105G | Chrome        | 86.0.42.40.185   | Blink         | Android 10  | Android | 10
iPhone         | Safari        | 14               | Webkit        | iOS 14.1    | iOS     | 14.1
Desktop        | Chrome 86     | 86.0.4240.111    | Blink         | Windows 10  | Windows | 10

The UserAgent has a different format for iOS, Android and Desktop, as we can see below:

Android user - Mozilla/5.0 (Linux; Android 10; SAMSUNG SMT590) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser / 12.1 Chrome/79.0.3945.136 Safari/537.36
iPhone user - Mozilla/5.0 (iPhone; CPU iPhone OS 14_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1
Desktop user - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
HP device - Mozilla/5.0 (Linux; Android 5.1.1; HP Pro Slate 12 Build/LMY47V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Safari/537.36

Could anyone please assist me in writing a regular expression which satisfies the tabular column? Thanks
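The columns asked for above can be filled from a User-Agent string in two passes: the first parenthesised block carries the platform fields separated by ";" (OS, version, and on Android the device model), while the browser and layout engine come from the product tokens that follow it, taken in a fixed precedence order because Chromium-based browsers also advertise "Chrome/" and "Safari/". The Python below is an added example written for this page, not code from the post or from Splunk; the sample strings are constructed from the four shapes quoted in the question (the Samsung one written as "SamsungBrowser/12.1"). The header is client-controlled, so nothing here raises on unexpected input: unmatched columns get the same "unrecognised" value the post uses with fillnull, and the parenthesised block is length-bounded.

```python
import re
from collections import Counter
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample User-Agent strings, adapted from the four shapes in the post.
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; Android 10; SAMSUNG SMT590) AppleWebKit/537.36 "
    "(KHTML, like Gecko) SamsungBrowser/12.1 Chrome/79.0.3945.136 Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_1 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    "Mozilla/5.0 (Linux; Android 5.1.1; HP Pro Slate 12 Build/LMY47V; wv) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Safari/537.36",
]

UNKNOWN = "unrecognised"  # same fill value the post uses with fillnull


@dataclass
class ParsedUA:
    device: str            # Mobile / Desktop
    model: Optional[str]   # hardware model when the UA carries one
    software: str          # browser name
    software_version: str
    engine: str            # layout engine
    os: str
    os_version: str


# First parenthesised block = platform fields, ';'-separated. Length-bounded on purpose.
_SYSINFO = re.compile(r"\(([^)]{1,256})\)")
_ANDROID = re.compile(r"\bAndroid (\d+(?:\.\d+)*)")
_IOS = re.compile(r"\bOS (\d+(?:_\d+)*) like Mac OS X")
_MACOS = re.compile(r"\bMac OS X (\d+(?:[._]\d+)*)")
_WINDOWS = re.compile(r"\bWindows NT (\d+\.\d+)")
WINDOWS_NT_TO_MARKETING = {"10.0": "10", "6.3": "8.1", "6.2": "8", "6.1": "7"}

# Browser tokens, most specific first: Chromium browsers also send "Chrome/" and
# "Safari/", and Safari itself carries its version in "Version/".
_BROWSERS = [
    ("SamsungBrowser", re.compile(r"\bSamsungBrowser/(\d+(?:\.\d+)*)")),
    ("Edge", re.compile(r"\bEdg[eA]?/(\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")),
    ("Chrome", re.compile(r"\bChrome/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"\bVersion/(\d+(?:\.\d+)*) .*\bSafari/")),
]
_ENGINE_BY_BROWSER = {"SamsungBrowser": "Blink", "Edge": "Blink", "Chrome": "Blink",
                      "Firefox": "Gecko", "Safari": "WebKit"}


def parse_user_agent(ua: str) -> ParsedUA:
    """Split one User-Agent string into the columns the post asks for.

    Unmatched parts are filled with "unrecognised" rather than raised: the
    header is attacker-controlled and must never break the pipeline.
    """
    m = _SYSINFO.search(ua)
    sysinfo = m.group(1) if m else ""
    parts = [p.strip() for p in sysinfo.split(";")]

    device, model, os_name, os_version = UNKNOWN, None, UNKNOWN, UNKNOWN
    a, i, w, x = (_ANDROID.search(sysinfo), _IOS.search(sysinfo),
                  _WINDOWS.search(sysinfo), _MACOS.search(sysinfo))
    if a:
        device, os_name, os_version = "Mobile", "Android", a.group(1)
        # "Linux; Android 10; SAMSUNG SMT590": third field is the model,
        # optionally followed by " Build/<id>" as on the HP tablet.
        if len(parts) >= 3:
            model = parts[2].split(" Build/")[0]
    elif i:
        device, os_name, os_version = "Mobile", "iOS", i.group(1).replace("_", ".")
        model = parts[0] if parts and parts[0] else None  # "iPhone" / "iPad"
    elif w:
        device, os_name = "Desktop", "Windows"
        os_version = WINDOWS_NT_TO_MARKETING.get(w.group(1), w.group(1))
    elif x:
        device, os_name, os_version = "Desktop", "macOS", x.group(1).replace("_", ".")

    software, software_version = UNKNOWN, UNKNOWN
    for name, rx in _BROWSERS:
        b = rx.search(ua)
        if b:
            software, software_version = name, b.group(1)
            break
    engine = _ENGINE_BY_BROWSER.get(software, UNKNOWN)
    return ParsedUA(device, model, software, software_version, engine, os_name, os_version)


def count_by(uas, *fields):
    """Equivalent of `| stats count by <fields>` over parsed User-Agents."""
    rows = [asdict(parse_user_agent(u)) for u in uas]
    return Counter(tuple(r[f] for f in fields) for r in rows)


if __name__ == "__main__":
    for u in SAMPLE_UAS:
        print(parse_user_agent(u))
    print(count_by(SAMPLE_UAS, "os", "os_version"))
```

The same precedence order is what the post's rex chain needs in SPL: extract the parenthesised block first, then test for the most specific browser token before falling through to Chrome and finally to Version/...Safari.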
We're starting to outline our architecture and how data will flow, and we're looking to forward data to both an on-prem dev environment and a cloud environment at the same time. Splunk documentation only seems to show how to install to forward to one version or the other. I do see that you can modify .conf files to clone data to multiple locations, but during install you're still choosing Splunk Cloud or Enterprise. I guess I'm looking for some input on how people with both types of environments at the same time handle their data.
Hi @gcusello, I'm getting no results when I run any queries in Splunk. I'm getting the following error. Can you please help me with this?

Distributed: Unable to distribute to peer named X.X.X.X:8089 at uri=X.X.X.X:8089 using the uri-scheme=https because peer has status=2. Please verify uri-scheme, connectivity to the search peer, that the search peer is up, and an adequate level of system resources are available. See the Troubleshooting Manual for more information.

Regards, Rahul Gupta
I have a search that returns two fields, Username and Location, for a specific username. To extend this search, I would also like to see: a) any other usernames, in addition to the one searched for, in the same location(s). So if the initial search returns two different locations, I would like to see the additional users for both locations; b) whether the _time value for the additional usernames is within 15 minutes (+ or -) of the initial username. The current search that returns the data for a specific Username is:

(index="o365" OR index="main") (type="New-Request" OR Operation="*") Username="smith*" Campus="MainSite"
| dedup Username,Location
| fields _time,Username,type,Operation,Location,DateTime,SSID,Campus,src_ip,Client_Mac
| table Username,Location

I'm assuming I need to do a nested search; I'm just not sure how to prepare it and pass the relevant location to return the additional usernames.
Using both 8.0.1 and 8.0.6, I am unable to redeploy apps when attempting to deploy Splunk_ML_Toolkit with Splunk_SA_Scientific_Python_linux_x86_64. The same error occurs in both environments in which I have tried it:

Error while deploying apps to first member, aborting apps deployment to all members: Error while updating app=Splunk_SA_Scientific_Python_linux_x86_64 on target=https://10.8.8.13:8089:Network-layer error: Connection reset by peer

This occurs almost immediately after trying the command below:

$ splunk apply shcluster-bundle -target https://10.8.8.13:8089
On all SearchHead cluster members with ver 8.0.2, every day we are observing that CPU utilization grows. After roughly two days the CPU load graph looks like it is "climbing". After our analysis we found that several queries are "zombied" and it looks like Splunk does not control them. These processes run at the operating system level endlessly, consuming more and more CPU over time. In the UI there is a message that says "Search auto-canceled". Always at the end of search.log for such a process we see:

09-28-2020 14:52:57.907 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=CANCEL
09-28-2020 14:52:57.907 INFO DispatchExecutor - User applied action=CANCEL while status=3
09-28-2020 14:52:58.906 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=CANCEL
09-28-2020 14:52:58.906 INFO DispatchExecutor - User applied action=CANCEL while status=3
09-28-2020 14:52:59.906 INFO ReducePhaseExecutor - ReducePhaseExecutor=1 action=CANCEL

Please help.
I have an issue where I am comparing values from 2 fields which will always have the same value, but sometimes it differs. I want to compare between these two fields and have a status of Match or Mismatch. I am having issues where even if both fields have the same value it's showing as Mismatch in the status.

| eval CheckMatch = if(f1==f2,"Match", "Mismatch")

Below is the sample result:

f1         f2         CheckMatch
14552.06   14552.06   Mismatch
I'm having a hard time getting my stanza set up correctly. I basically want to monitor the maillog directories (maillog + maillog-date) and choose the most appropriate sourcetype. However, the archive maillog directories aren't coming in. Can someone spin me in the right direction on how to better write this stanza? Please resist the urge to send me a Splunk doc link, as I've been rummaging through those for a while; it's not clicking.

Can someone please help me in rewriting a better stanza?

[monitor:///var/log]
Whitelist =(maillog$)
disabled = false
sourcetype = maillog
Index = linux

Currently it's not working where it's pulling in the archive logs. So anything with a date after maillog isn't getting pulled. I think I tried [monitor:///var/log/maillog*] without the whitelist but it isn't working.
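What decides whether a rotated file is picked up is the whitelist regex: per the inputs.conf spec, whitelist and blacklist are unanchored regular expressions matched against the full path, and a path is monitored only if it matches the whitelist and does not match the blacklist (the setting names are spelled in lowercase in the spec). A pattern ending in "maillog$" can therefore only match a path that ends in "maillog", so "maillog-20201025" is excluded. The Python below is an added example written for this page (not Splunk's code) that models that matching rule over constructed file names, so a candidate regex can be checked before it goes into a stanza.

```python
import re
from typing import Iterable, List, Optional

# Constructed file names of the kind a rotated /var/log/maillog directory holds.
SAMPLE_PATHS = [
    "/var/log/maillog",
    "/var/log/maillog-20201025",
    "/var/log/maillog-20201018.gz",
    "/var/log/maillog.1",
    "/var/log/messages",
]


def monitor_matches(path: str, whitelist: Optional[str] = None,
                    blacklist: Optional[str] = None) -> bool:
    """Model of a monitor stanza's whitelist/blacklist as the inputs.conf spec
    describes them: unanchored regexes tested against the full path, and a
    blacklist hit overrides a whitelist hit."""
    if whitelist and not re.search(whitelist, path):
        return False
    if blacklist and re.search(blacklist, path):
        return False
    return True


def select_files(paths: Iterable[str], whitelist: Optional[str] = None,
                 blacklist: Optional[str] = None) -> List[str]:
    """Files the stanza would monitor, in directory order."""
    return [p for p in paths if monitor_matches(p, whitelist, blacklist)]


# The pattern from the post: only a path that ends in "maillog" can match.
AS_POSTED = r"maillog$"
# Plain file plus date-suffixed rotations (maillog-YYYYMMDD); numeric ".1"
# rotations and compressed archives are left out on purpose.
ROTATED = r"maillog(-\d{8})?$"
# Broader whitelist with a blacklist to keep compressed archives out.
ANY_MAILLOG, SKIP_COMPRESSED = r"/maillog", r"\.gz$"


if __name__ == "__main__":
    print("as posted :", select_files(SAMPLE_PATHS, AS_POSTED))
    print("rotated   :", select_files(SAMPLE_PATHS, ROTATED))
    print("blacklist :", select_files(SAMPLE_PATHS, ANY_MAILLOG, SKIP_COMPRESSED))
```

Run it against a listing of the real directory (os.listdir) to see exactly which files a given pair of patterns admits before restarting the forwarder.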
Hi all, I'm configuring Splunk (Docker image 8.1.0) to do SAML authentication against Azure ADFS. Despite everything looking right, I get this error in response to the Splunk SAML Request:

'AADSTS7500529: The value '1a480d8dd87f.4.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51' is not a valid SAML ID. The ID must not begin with a number.'

I guess it is a problem with the format of the ID of <samlp:AuthnRequest>; let me show you the content of my SAML requests:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="1a480d8dd87f.3.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51"

Whereas the Microsoft SAML 2.0 protocol documentation imposes a specific format for it:

ID - Required. Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID.

Do you confirm this is a malfunction? Thanks, Arnaud
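The constraint ADFS is enforcing is the XML Schema one: the ID attribute of an AuthnRequest is of type xs:ID, an NCName, which must start with a letter or underscore and may not start with a digit. The Python below is an added example for this page (not Splunk's SAML code and not Microsoft's) that checks an ID against the ASCII subset of that grammar, mints one using the "id" + GUID strategy the Microsoft text describes, and shows the SP-side half of the same attribute: the Response's InResponseTo must equal an ID the SP actually issued, otherwise an unsolicited or replayed assertion would be accepted. The AuthnRequest element is constructed from the one in the post.

```python
import re
import uuid
from typing import Optional
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# xs:ID is an NCName: first character a letter or underscore, then letters,
# digits, '.', '_' or '-'. This is the ASCII subset of the grammar, which is
# all an SP needs for IDs it mints itself (full NCName also allows Unicode letters).
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def is_valid_xml_id(value: str) -> bool:
    """True if value is acceptable as an xs:ID (so also as a SAML request ID)."""
    return bool(_NCNAME.match(value))


def make_saml_id() -> str:
    """Fixed prefix plus a random GUID, as Microsoft's documentation suggests:
    the value can never start with a digit, and 122 bits of randomness make it
    unguessable for InResponseTo correlation."""
    return "id" + uuid.uuid4().hex


def authn_request_id(xml_text: str) -> Optional[str]:
    """Pull the ID attribute off a <samlp:AuthnRequest>; None if it is not one."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return None
    return root.get("ID")


def response_correlates(issued_ids: set, in_response_to: Optional[str]) -> bool:
    """SP-side check on the returned Response: InResponseTo must name a request
    this SP issued and has not yet consumed. Accepting responses without this
    check lets an attacker inject an assertion obtained out of band."""
    if in_response_to is None or in_response_to not in issued_ids:
        return False
    issued_ids.discard(in_response_to)  # one-time use
    return True


# Constructed request carrying the ID shape the post reports ADFS rejecting.
REJECTED_REQUEST = (
    f'<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    f'xmlns:samlp="{SAMLP}" ID="1a480d8dd87f.3.DA3C17FD-8DE5-4E39-8F52-5EF91CD63A51"/>'
)

if __name__ == "__main__":
    bad = authn_request_id(REJECTED_REQUEST)
    print(bad, "valid xs:ID:", is_valid_xml_id(bad))
    good = make_saml_id()
    print(good, "valid xs:ID:", is_valid_xml_id(good))
```

Whatever generates the request ID, keep the issued IDs (with a short expiry) so the response check above can be applied; an ID that merely passes the grammar but is predictable defeats the correlation.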
Hello, I coded a generating custom command using the SDK. It's working fine, but: Q: How do I get the selected time range (earliest_time, latest_time) forwarded to the Python script?
Hi Everyone, I have one drop-down in the dashboard. Below is the code for the drop-down.

<input type="multiselect" token="Teams" searchWhenChanged="true">
  <label>Teams</label>
  <choice value="*">All</choice>
  <choice value="Force">Force</choice>
  <choice value="Blaz">BLAZ</choice>
  <choice value="OneForce">Oneforce</choice>
  <choice value="Auto">Auto</choice>
  <fieldForLabel>Teams</fieldForLabel>
  <prefix>(</prefix>
  <valuePrefix>Teams ="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR </delimiter>
  <suffix>)</suffix>
  <initialValue>*</initialValue>
  <default>*</default>
</input>

I have one panel in the same dashboard which is showing the fields below, URL and Parent chain, and many other fields.

URL                              PARENT CHAIN
1) https:/abcd/process-groups/   MAIN-->root-->BLAZ - E1-->Blaz Transformation - Data Ingestion
2) https:/abc/process-groups/    MAIN-->root-->BLAZ - E3
3) https:/abc/process-groups/    MAIN-->root-->Oneforce-->FXIP

My parent chain is coming from the inputlookup that I have highlighted.
Below is the code for the query:

<row>
  <table>
    <search>
      <query>index=abc sourcetype=xyz source="/user.log" process-groups|rename count as "Request Counts" |rex field=Request_URL "(?&lt;id&gt;[A-Za-z0-9]{8}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{12})"|stats count by Date ADS_Id Request_Type id ClickHere Request_URL|sort - ADS_Id |join type=outer id [inputlookup chains.csv]</query>
      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <fields>"Date", "ADS_Id","Request_Type", "Request_URL", "id", "parent_chain"</fields>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</row>

I want that when I select, say, "Blaz" from the Teams drop-down, then the parent chains whose 3rd word is "-->BLAZ" are shown, like:

MAIN-->root-->BLAZ - E1-->Blaz Transformation - Data Ingestion
MAIN-->root-->BLAZ - E3

When I select, say, "Oneforce" from the Teams drop-down, then the parent chains whose 3rd word is "-->Oneforce" are shown, like:

MAIN-->root-->Oneforce-->FXIP

Can someone guide me on this? Thanks in advance.
Hello, we are trying out the Splunk App for Infrastructure. With the easy install script for Windows, we get the data in. Fine. But we don't want to run the script on every universal forwarder manually. Because of this, we want to deploy the inputs.conf through our deployment server. But in every inputs.conf there is a _meta option where the dimensions are defined. Does anyone have a solution to deploy the configuration through the deployment server and also set the dimension options right?
Hello Everyone, We have configured CyberArk logs to be indexed into Splunk based on the instructions provided in the Splunk documentation. We configured it to receive logs via syslog-ng through port 514. We are receiving logs, but these logs are not getting processed properly by syslog-ng and we see the error below:

Error processing log message: <5>1

continued by the logs from the CyberArk. We are using version 3.5.6 of syslog-ng. Has anyone faced this kind of error? Is this error because of the structure of the data? Your inputs are of great help! Thanks in advance! Regards, BK
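The "<5>1" that syslog-ng quotes is the start of an RFC 5424 frame: "<5>" is the PRI (facility 0, severity 5) and the "1" is the protocol VERSION, which an RFC 3164 (BSD) message never carries. In syslog-ng the syslog() source driver expects RFC 5424 frames, while network()/udp()/tcp() sources parse BSD syslog unless given flags(syslog-protocol). The Python below is an added example written for this page, not syslog-ng or CyberArk code, and it does not say why version 3.5.6 rejects the post's messages: it parses the RFC 5424 header so a captured CyberArk line can be checked field by field against what a well-formed frame must contain. The sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# Each field is NILVALUE ("-") or printable ASCII without spaces, with the RFC's
# length limits. Structured-data is simplified: escaped ']' inside params is not handled.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>-|\S+) (?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) "
    r"(?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)


@dataclass
class Syslog5424:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: str
    msg: str


def parse_rfc5424(line: str) -> Optional[Syslog5424]:
    """Return the decoded header, or None when the line is not a complete
    RFC 5424 frame (BSD-style lines and truncated headers both return None)."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    return Syslog5424(
        facility=pri // 8,
        severity=pri % 8,
        version=int(m.group("version")),
        timestamp=m.group("timestamp"),
        hostname=m.group("hostname"),
        appname=m.group("appname"),
        procid=m.group("procid"),
        msgid=m.group("msgid"),
        structured_data=m.group("sd"),
        msg=m.group("msg") or "",
    )


# Constructed samples: a well-formed frame, the bare fragment quoted in the
# post's error, and a BSD (RFC 3164) style line for contrast.
GOOD = ('<5>1 2020-10-28T10:15:30.000Z vault01 PasswordVault 4242 ID123 '
        '[meta@1234 user="auditor"] Constructed test event')
HEADER_ONLY = "<5>1"
LEGACY = "<5>Oct 28 10:15:30 vault01 PasswordVault: Constructed RFC 3164 style event"

if __name__ == "__main__":
    for sample in (GOOD, HEADER_ONLY, LEGACY):
        print(repr(sample[:40]), "->", parse_rfc5424(sample))
```

Feed a few raw lines captured on port 514 (tcpdump or a plain socket listener, before syslog-ng touches them) through parse_rfc5424; a None for lines that begin with "<PRI>1" means the header fields after the version are not laid out as the RFC requires.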
Hello, I tried to sum two timecharts into another one, using tokens. It's easy to sum counted values using stats, but I have a problem with timecharts. Is there any way to do this?

<form>
  <label>Single Value Token</label>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Panel 1 (Error)</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="Error" | timechart count as Error</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="tokError">0</set>
            </condition>
            <condition>
              <set token="tokError">$result.Error$</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Panel 2 (Warn)</title>
        <search>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="tokWarn">0</set>
            </condition>
            <condition>
              <set token="tokWarn">$result.Warn$</set>
            </condition>
          </done>
          <query>index=_internal sourcetype=splunkd log_level="WARN" | timechart count as Warn</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <single>
        <title>Panel 3 (Sum)</title>
        <search>
          <query>| makeresults | eval ratio=$tokError$+$tokWarn$ |table ratio | timechart count as ratio</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.000</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</form>

The code gives me the value 1.000 in Panel 3 (Sum). Or is there another way to save trends?
Hi, are there other dashboard themes besides "dark"/"light"? Can I make a new one using Simple XML? Thanks :)
Hello, in the search below I need to do a join after the appendcols command, like in the first part of the search:

| inputlookup lookup_pana
| rename "name0" as HOSTNAME
| fields HOSTNAME HealthState0
| where HealthState0 < 85
| join HOSTNAME [| inputlookup fo_all where TYPE="In" | fields SITE COUNTRY RESPONSIBLE DEPARTMENT HOSTNAME]
| stats count as NbHostHealthInf85
| appendcols [| inputlookup fo_all where TYPE="Ind" | fields SITE COUNTRY RESPONSIBLE DEPARTMENT HOSTNAME | stats count as NbIndHost]

So I did this, but it doesn't work:

| appendcols | inputlookup lookup_pana | rename "name0" as HOSTNAME | join HOSTNAME [| inputlookup fo_all where TYPE="Ind" ( | fields SITE COUNTRY RESPONSIBLE DEPARTMENT HOSTNAME | stats count as NbIndHost]

How do I do this, please?
Hello, here is the beginning of my search. As you can see, I cross the USERNAME that is in my inputlookup with the `wire` macro. It works, but I would like to be able to delete the last line, | lookup lookup_fo HOSTNAME as USERNAME output SITE ROOM COUNTRY, because normally all these fields are in my inputlookup. But when I do this, I lose these fields. Am I obliged to use this last line, or how can I cross this field with the `wire` macro?

[| inputlookup lookup_fo where TYPE="WW" (DOMAIN=A OR DOMAIN=BOR) (CATEGORY = U OR CATEGORY =W) (STATUS = P) | table HOSTNAME | rename HOSTNAME as USERNAME] `wire`
| fields AP USERNAME SEEN
| eval USERNAME=upper(USERNAME)
| eval LASTSEEN=strptime(SEEN, "%Y-%m-%d %H:%M:%S.%1N")
| lookup lookup_fo HOSTNAME as USERNAME output SITE ROOM COUNTRY

Thanks in advance