I have an alert to discover logins from accounts on servers and workstations. Some of these logins are normal, and so I am attempting to create an exclusion for these events. This is a discovery process, and a list of normal logins is not known. At the moment, the exclusions are done with individual search commands for readability, but the search lines in this query are getting bigger by the day.

<base-search>
| search NOT (accountName=svcAPP01 AND computerName=srv-APP1-blah)
| search NOT (accountName=svcAPP02 AND computerName=srv-APP02-*)
| search NOT (accountName=svcAPP03 AND computerName=srv-APP03-blah computerName=ws-somename-blah)
| table _time, accountName, computerName

Is it possible to create an inputlookup table for such an exclusion, where the criteria are a combination of two fields, accountName and computerName?
Hi, I want to send all the events to two target groups, but I do not want to send specific log events to a specific target; it should get the rest of the data. This config needs to be defined on a Splunk HF. Please help me with that.
Hi, I'm new to creating self-signed SSL certificates. I've been following the Splunk documentation at https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/Self-signcertificatesforSplunkWeb and I've created both the Root Cert and the Server Cert, but as I approach the end of the documentation, I notice it is specified that the Server, Intermediate and Root Certs need to be appended to each other. Nowhere in the steps followed was there any creation of an intermediate certificate, so I am unsure where to get this from / how to create one to complete the steps outlined in this documentation. Any assistance would be greatly appreciated. Thanks!
Hi, I have onboarded Teradata data into Splunk via Splunk DB Connect. Since they have some columns that are empty, when we ingest into Splunk only the columns with data are being returned and the empty columns are not onboarded, but some of the empty columns have data in some rows. Any suggestions, please?
Hi, I'm running Splunk Phantom in VMware Workstation Pro. I encountered the errors below while trying to connect the IMAP and SMTP apps. I have enabled IMAP access and turned on less secure apps in my Gmail.

IMAP connectivity
SMTP connectivity
I need to safely store encrypted credentials on a UF. I have a scripted input that needs to call an authenticated API endpoint. The authentication is not simple, hence using a scripted input. I have found that passwords.conf does not work on a UF, as creating the file seems to do nothing and hitting the create endpoint of the UF API returns "Method not allowed" for POST and "Not Implemented" for GET. Given the UF binary supports the show-decrypted function I should be able to manually encrypt my password and store it that way, but there doesn't seem to be an opposite to show-encrypted to do that. hash-passwd returns a non-reversible hash. How can I safely store encrypted credentials on a UF within the Splunk ecosystem from an app deployed by a DS?
Hello Splunkers, I have a question, please. I upgraded 7.0.1 to 8.0.6, but my UF is 6.4.10 for Win7. I saw the document late (8.0 does not support UFs under 7.x). Document:

https://docs.splunk.com/Documentation/Splunk/8.0.6/Installation/AboutupgradingREADTHISFIRST

My forwarder OS is Win7, so I can't upgrade to 7.x. However, I am using Enterprise 8.0.6 & UF 6.4.10 fine, no problem. Why block the Splunk upgrade? Thanks all!
Hello everyone, I'm at an impasse with this. I have no idea why this would not work. Not the best at CSS, so I'm probably missing something. Would appreciate any insight!

<form>
  <label>DEV DASH</label>
  <description>IN DEVELOPMENT.</description>
  <row>
    <panel id="panel_1">
      <html>
        <p>
          <u>
            <a href="" target="_blank">
              <b>Test &amp; Testing</b>
            </a>
          </u>
          <li>List Item 1</li>
          <li>List Item 2</li>
          <li>List Item 3</li>
        </p>
      </html>
    </panel>
    <panel id="panel_2">
      <html>
        <p>
          <u>
            <h2>
              <a href="" target="_blank">
                <b>Test &amp; More Tests</b>
              </a>
            </h2>
          </u>
          <li>List Item 3</li>
        </p>
      </html>
    </panel>
.....
  <row depends="$STYLES$">
    <panel>
      <html>
        <style>
          #panel_1 .dashboard-panel, #panel_2 .dashboard-panel, #panel_3 .dashboard-panel { background:#C9E5A0; !important; }
          #panel_4 .dashboard-panel, #panel_5 .dashboard-panel, #panel_6 .dashboard-panel { background:#AEF0D9 !important; }
          #panel_7 .dashboard-panel, #panel_8 .dashboard-panel, #panel_9 .dashboard-panel { background:#F0D3DA !important; }
        </style>
      </html>
    </panel>
  </row>
</form>

@niketn if you would be so kind
Hi everyone, I'm new to Splunk. I've got this search query:

host="..." earliest=-30d latest=now
| stats distinct_count(v_id) AS v_id count(eval(req_type="[POST]")) AS req_type by host
| eval ratio=v_id/req_type

What I want to get is a table with v_id and req_type for the earlier week and for the current week (currently I only get them for the whole month). Moreover, if there is a better, easier way to do this, please also share. Thanks!
I've configured Okta with Splunk a dozen times. However, this time it keeps telling me that:

Failed to load trusted certificate: Error: failed to load pem certificate. Verify the full path including the filename is correct and points to the certificate from the IDP.

and in logs:

Saml - Unable to load cert(s) from path="/opt/splunk/etc/auth/idpCerts/idpCert.pem".

But the cert exists there, and splunk has ownership of the file and the entire path to the file. What gives??
Hi there, I created a dashboard with drilldown values containing backslashes. How can I escape those backslashes to get the values in my search?
Hi, I am a newbie to SPL and would like some help. I want to find the latest date field in my lookup file. My test.csv file looks like this:

name,size,datum
AA,11,12-09-2020
AA,18,14-09-2020
AB,33,15-04-2020
AB,34,16-04-2020
AB,35,15-06-2020
AC,23,14-05-2020
AC,14,08-07-2020

If I want to find the maximum value of column "size", I succeed:

|inputlookup test.csv | eval foo=[ |inputlookup test.csv |stats max(size) as dtx | return $dtx ] | table foo

Result:
35
35
..

But when I try this with the date value:

|inputlookup tabs.csv | eval foo=[ |inputlookup tabs.csv |stats max(datum) as dtx | return $dtx ] | table foo

I get:
-2008
-2008
..

How do I match the latest date value? Thank you in advance. Regards, Harry
In search mode, there is a progression object in the top left corner that shows "#number of 24,040 events matched" until the search is complete. Example:

I would like to use the same in a dashboard panel instead of "waiting for data..." OR at least as a token value that can be applied to the <title>.
I understand that Splunk CSS defaults any <input> class to reside at the top of any panel. I would like to override this setting and put an input (such as a radio or checklist) at the bottom of the panel, under a results table. None of the CSS positioning alterations using the panel ID work for the <input> class, even with !important. Any ideas?
How can I chart/graph out the 5 most recent events? When an event occurs, the date/time is stored in whenCreated. whenCreated has the format 00:00.00 AM, Weekday DD/MM/YYYY. Can I use this format? I want to print the eventName and whenCreated, but dedup eventName so that it only shows different values. Here is my normal query:

index=main admonEventType=* | sort - whenCreated | dedup eventName | table eventName whenCreated | head 5

It looks like I can possibly do this with a statistics table using:

| chart values(*) by eventName

Could I put this in a bar chart?
I'm wondering if the following table structure is possible (without custom JS). Raw events are from the Jenkins plugin. Below is one event example. I get one per job/test/build.

{
  build_number: 615
  build_url: job1
  event_tag: build_report
  job_name: jobname
  job_result: FAILURE
  metadata: { [+] }
  page_num: 1
  testsuite: {
    duration: 1968
    errors: 0
    failures: 6
    passes: 7
    skips: 0
    testcase: [
      {
        classname: Testsuites.MyCallCenter
        duration: 122
        failedsince: 0
        groupname: Testsuites
        skipped: false
        status: PASSED
        testname: Login
        uniquename: Testsuites.MyCallCenter.Login
      }
      {
        classname: Testsuites.MyCallCenter
        duration: 148
        failedsince: 0
        groupname: Testsuites
        skipped: false
        status: PASSED
        testname: Edit Calendar
        uniquename: Testsuites.MyCallCenter.Edit Calendar
      }
      { [+] }
    ]
    tests: 13
    time: 1968
    total: 13
  }
  user: (timer)
}

Can I create a table which has a dynamic build number in the header, somehow like this?

classname               | testname      | build-613 | build-614 | build-615
Testsuites.MyCallCenter | Login         | PASSED    | PASSED    | PASSED
Testsuites.MyCallCenter | Edit Calendar | PASSED    | FAILED    | PASSED
Hi Splunk Team, I have a quick question. I'm writing a join query wherein I want query A ("Birth Test") to execute as per the timepicker in the Dashboard, but query B ("Modem Details") should by default execute over the last 30 days.

index="o2a" application="publisher-v2" "Birth Test" "Request received"
| rex field=message "(?msi)(?<json_message>\{.+\})"
| spath input=json_message output=externalReferenceId path=correlationId
| table externalReferenceId,_time
| eval BTActivityStartTime = strftime(_time, "%Y-%m-%d %H:%M:%S")
| fields - _time
| join type=outer externalReferenceId
    [ search index="o2a" application="publisher-v2" "Modem Details" "Request received"
    | rex field=message "(?msi)(?<json_message>\{.+\})"
    | spath input=json_message output=externalReferenceId path=correlationId
    | table externalReferenceId,_time
    | eval ModemActivityStartTime = strftime(_time, "%Y-%m-%d %H:%M:%S")
    | fields - _time ]
| table ModemActivityStartTime,BTActivityStartTime,externalReferenceId,OrderID

Could you please assist? Thanks so much.
Hello guys, I am using the [network toolkit] application to monitor remote devices. I set it up in Data inputs > ping with 5 pings in 60 seconds, and search the field with a Visualization. Below is my search code:

index="pingstatus" "dest=192.168.0.210" | chart avg(packet_loss)

I added about 20 devices, but the dashboard shows no search results ("No results found") after a few minutes. Below is my time limit & refresh code:

<search>
  <query>index="pingstatus" "dest=192.168.0.12" | chart avg(packet_loss)</query>
  <earliest>-60s</earliest>
  <latest>now</latest>
  <sampleRatio>1</sampleRatio>
  <refresh>30s</refresh>
  <refreshType>delay</refreshType>
</search>

A warning message appears on the page:

The instance is approaching the maximum number of historical searches that can be run concurrently.

And I checked $SPLUNK_HOME/var/log/splunk/splunkd.log, and there are warning messages:

10-22-2020 14:18:56.436 +0800 WARN DispatchManager - The instance is approaching the maximum number of historical searches that can be run concurrently.
10-22-2020 14:19:31.376 +0800 WARN DispatchSearchMetadata - could not read metadata file: /opt/splunk/var/run/splunk/dispatch/admin__admin__search__search4_1603347571.892/metadata.csv

Splunk version: splunk-enterprise 8.0.6
network toolkit version: 1.4.3
virtualbox:
Operating system: Ubuntu 18.0.4 (64bit)
CPU Cores (Physical/Virtual): 1/1
Disk Usage (GB): 80
Physical Memory Capacity (MB): 1489

Can anyone help me? Or does anyone have other ideas for monitoring remote devices? Thanks a lot!
I created a Role with the following restriction:

1- origen::chile OR ( index::_audit AND user="secchi")

But it can still see the data models with any origen. I can filter a data model in Search and Reporting like this:

2- | datamodel "Authentication" search | search Authentication.origen="chile"

But I don't know how to combine 1 and 2 into one single restriction to include it in the Role's restrict search. Any ideas? Thank you
I have a user field where the name may or may not be prefixed with DOMAIN\ as shown below:

DOMAIN\CWIX-USER-SC-4
a.roset.nor
b.cwix.usa
DOMAIN\b-cwix-usa
b.mccartney.pld
c.merri.bel

I used regex.com PCRE (PHP) to craft the following expression:

(\S+\\)?(?P<username>[(\S+|\S+)]+)

However, when I use that expression in my search query, I'm getting the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '((\S+\)?(?P<username>[(\S+|\S+)]+))': Regex: missing closing parenthesis.

Here is the line in the search query:

| rex field=user "((\S+\\)?(?P<username>[(\S+|\S+)]+))"

I have used the rex field statement many times in previous searches, so I'm kind of lost at what is going on here. It's been a long week crafting dashboards and an extra set of eyes would be appreciated.