All Topics
Hi All, one question related to the community.splunk.com login page. On the login page we get a username textbox; only after entering it and pressing the Enter key or Tab key does the password textbox appear. I would like to understand why this design, please. Is it related to some security things? Is it "too much" safe and secure compared to providing a simple username and password textbox together, visible? May I know some info, please. Thanks.
Hi, I want to add a dashboard to my Splunk add-on, so I need an app, right? But in the app I am not able to find how to connect the add-on. Could you please help me out? How can I package them together so customers just download the app, or do they need to download both separately? Thank you in advance. Best regards, Krishna
To change the default data model location and cache manager location (SmartStore enabled) on an indexer, I see we have 2 options.

1) Updating splunk-launch.conf with SPLUNK_DB=<custom file system where hot buckets are stored> (/splunkdata/data/internal)

2) Updating the path of the stanza volume:_splunk_summaries:

SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf
[volume:_splunk_summaries]
path = /splunkdata/data/internal

SPLUNK_HOME/etc/system/default/indexes.conf
[volume:_splunk_summaries]
path = $SPLUNK_DB

Do we have to change both splunk-launch.conf and indexes.conf? If we update only one of the above options, what is the recommended way, and what are the pros and cons of updating one of them?
Hi, this might be a super basic question, but I have a log and I need to create a dashboard that represents a value found in each log for that day of a file uploaded and the count of the records.

EXAMPLE: 153 cases created out of 411 import case records for file: clientfile_20201023160218.cdreq.pgp

I need a graph that will pull the "153" out of this raw log each day.
Hi folks, host=* AlertType="Warning" |bucket _time span=day| stats count min(count) max(count)  avg(count) stdev(count) by _time This is what the results look like: _time count min(count) max(coun... See more...
Hi folks, host=* AlertType="Warning" |bucket _time span=day| stats count min(count) max(count)  avg(count) stdev(count) by _time This is what the results look like: _time count min(count) max(count) avg(count) stdev(count) _time count min max avg stdev 2020-08-05 71         2020-08-06 109         2020-08-07 282         2020-08-08 44         2020-08-09 45         2020-08-10 36             I get the other columns blank, I want the query to return the Min, Max, Avg, and STD from the data in the Count column Thank you, Marco
Hello, we have a simple XML dashboard in our Splunk implementation which works fine when browsing Splunk Web. We embedded this dashboard in another web page through an iframe like follows:

<iframe src="https://Splunk-Server:8000/account/insecurelogin?username=USER&password=PASWROD&return_to=/app/My-App/Dashboard-to-embed"></iframe>

This works fine on Firefox, but Chrome doesn't load it. We suspect that Chrome is blocking the iframe contents because it won't load Splunk's cookies in a third-party web page, as per this article: https://blog.heroku.com/chrome-changes-samesite-cookie In short, we don't know how to configure Splunk's cookie flags to allow them to be loaded cross-domain (SameSite=None; Secure). Or really, if this is the problem at all... We would appreciate any help you can provide. Thank you.
Hi, I'm getting the following error message from the Splunk Python code in admin.py (the trace is below) every time my input script gets called. Despite the recurrent error, the input script gets all the data imported successfully. I've checked inputs.conf many times and tried different parameters according to the spec to see if it made any difference, but no. There are no errors in the script itself. There is no impact on the app functionality, but this error pollutes the log, which is the issue I'm trying to solve. Any clues what could trigger this? Thanks

  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 137, in init
    mode = ((len(sys.argv) > 1) and sys.argv[1] in ARGS_LIST) and sys.argv[1] or usage()
  File "/opt/splunk/lib/python3.7/site-packages/splunk/admin.py", line 16, in usage
    raise UsageException("Usage: %s [%s].  (Got: %s)" % (sys.argv[0], str.join(str(" | "), ARGS_LIST), sys.argv))
splunk.admin.UsageException: Usage: /opt/splunk/etc/apps/myapp/bin/myscript.py [setup | execute | persistent].  (Got: ['/opt/splunk/etc/apps/myapp/bin/myscript.py'])
Is it possible for the "Run Playbook in Phantom" adaptive response action in ES to automatically run a specific playbook instead of showing a popup window to manually select the playbook, Sensitivity... See more...
Is it possible for the "Run Playbook in Phantom" adaptive response action in ES to automatically run a specific playbook instead of showing a popup window to manually select the playbook, Sensitivity, Severity and Label? Specifically, I'm referring to the "Next Steps" box in the Notable adaptive response action, where I can include both text and additional adaptive response actions for the analyst to go thru.    See screenshot below for what I have currently.  In the notable event that it generates, it turns into a link that give a popup of an empty Run Playbook box and I have to manually fill in the playbook, Severity, Sensitive and Label.  Can I tweak the text inside the [[ ]] so it will pre-populated the playbook information? Ultimately I'm trying to replicate what I saw during BOTS where one of the notable events that we had to investigate had this really detailed "Next Steps" box (screenshot below).  For step 6, the link will automatically call that "Compromised Account" playbook.
Dear Team, this is my setup for analyzing logs from S3:

1 - Splunk Enterprise 8.1 on a standalone VM.
2 - S3 IAM role for the bucket with logs.
3 - I installed the Splunk Add-on for AWS.
4 - For the first run, everything is okay.

However, I shut down the VM and increased the RAM for this VM, and here the problem starts.

Query from the health check:

Index="_internal" (host="*") (sourcetype=aws:s3:log OR sourcetype=aws:logs:log OR sourcetype=aws:sqsbaseds3:log OR sourcetype=aws:description:log OR sourcetype=aws:cloudwatch:log) (datainput="*") level=ERROR message="Failed to collect data through generic S3." | fillnull value="" ErrorCode, ErrorDetail | eval ErrorDetail = if((ErrorDetail == "" or ErrorDetail == "''") and !isnull(message), message, ErrorDetail)

Response:

2020-10-24 01:23:18,036 level=ERROR pid=25464 tid=Thread-7 logger=splunk_ta_aws.modinputs.generic_s3.aws_s3_data_loader pos=aws_s3_data_loader.py:index_data:91 | datainput="bucket-log" bucket_name="logs-storage" | message="Failed to collect data through generic S3." start_time=1603473783 job_uid="f852cf4b-f1fe-4197-bf93-3494f3d2adb7"
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_data_loader.py", line 86, in index_data
    self._do_index_data()
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_data_loader.py", line 107, in _do_index_data
    self.collect_data()
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_data_loader.py", line 153, in collect_data
    self._discover_keys(index_store)
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_data_loader.py", line 233, in _discover_keys
    for key in keys:
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_common.py", line 227, in get_keys
    for key in keys:
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_common.py", line 196, in bucket_lister
    encoding_type=encoding_type)
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/solnlib/utils.py", line 172, in wrapper
    raise last_ex
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/solnlib/utils.py", line 159, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_common.py", line 186, in get_all_keys
    encoding_type=encoding_type)
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/boto/s3/bucket.py", line 474, in get_all_keys
    '', headers, **params)
  File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/boto/s3/bucket.py", line 412, in _get_all
    response.status, response.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>ExpiredToken</Code><Message>The provided token has expired.</Message><Token-0>xxxx</Token-0><RequestId>aaaaaaa</RequestId><HostId>Ibbbbb</HostId></Error>

I would like to know what the root cause of this is, and how to fix it?
Has anyone been able to get this to work "Use a REST API to manually trigger DB inputs" to ,anually trigger DB Inputs with REST API and be able to track the state of its execution (in-process, comple... See more...
Has anyone been able to get this to work "Use a REST API to manually trigger DB inputs" to ,anually trigger DB Inputs with REST API and be able to track the state of its execution (in-process, completed successfully, failed, etc)? When i followed the instructions, it seem to lead to an output that matches to getting the settings for a specific db input.  Does anyone know how to run a curl command to remotely trigger or fire a db connect input to run an pull data from sql server to indexer? (this would be the equivalent of modifying the cron job to run 1x through the UI BUT using curl)    
I want to compare one field between two indexes, for example Field A.

index A: Field A, Field B, Field C
index B: Field A, Field D, Field E

Now I want to grab all the data in tabular format as follows:

Field A Field B Field C Field D Field E

I tried using the join function, but the limitation of the join function is that Field D and Field E are not captured in the search and displayed, due to the inner join. Is there something with full join functionality that displays the results as displayed when using the join function?

My attempt:

index = A sourcetype = A Field H = something | table Field A Field B Field C | join Field A [ search index = B sourcetype= B | table Field D Field E ]

Desired result:

Field A Field B Field C Field D Field E
having a problem creating proper TIME_FORMAT for the following data.  Seeing "Could not use strptime to parse timestamp " " and not sure what I am missing defining both the milliseconds and timezone ... See more...
having a problem creating proper TIME_FORMAT for the following data.  Seeing "Could not use strptime to parse timestamp " " and not sure what I am missing defining both the milliseconds and timezone offset designation as far as I can tell.   [ <SOURCETYPE NAME> ] SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8 MAX_TIMESTAMP_LOOKAHEAD=30 disabled=false TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N %z TIME_PREFIX=^ TZ=America/Chicago   2020-10-23 10:57:55,983 -0500 DEBUG - [ <?xml version='1.0' encoding='utf-8'?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Body><query xmlns="http://ws.csd.rsa.com"><request><actionTypeList><genericActionTypes>GET_USER_STATUS</genericActionTypes></actionTypeList><identificationData><orgName>OLB_#####</orgName><userName>###############################</userName><userType>NONPERSISTENT</userType></identificationData><messageHeader><apiType>DIRECT_SOAP_API</apiType><requestType>QUERY</requestType><version>7.0</version></messageHeader><securityHeader><callerCredential>*****</callerCredential><callerId>########</callerId><method>PASSWORD</method></securityHeader><channelIndicator>WEB</channelIndicator></request></query></soap:Body></soap:Envelope>] 2020-10-23 10:57:55,978 -0500 DEBUG - [ <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns1:challengeResponse xmlns:ns1="http://ws.csd.rsa.com"><ns1:challengeReturn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="ns1:ChallengeResponse"><ns1:identificationData><ns1:delegated>false</ns1:delegated><ns1:orgName>OLB_#####</ns1:orgName><ns1:sessionId>ab95:c958c855571:44aa3923-||1603487243547</ns1:sessionId><ns1:transactionId>bb95:c958c855571:44aa3923-_TRX</ns1:transactionId><ns1:userName>#####################</ns1:userName><ns1:userStatus>VERIFIED</ns1:userStatus><ns1:userType>PERSISTENT</ns1:userType></ns1:identificationData><ns1:messageHeader><ns1:apiType>DIRECT_SOAP_API</ns1:apiType><ns1:requestType>CHALLENGE</ns1:requestType><ns1:timeStamp>2020-10-23T15:57:55.585Z</ns1:timeStamp><ns1:version>7.0</ns1:version></ns1:messageHeader><ns1:statusHeader><ns1:reasonCode>0</ns1:reasonCode><ns1:reasonDescription>Operations were completed successfully </ns1:reasonDescription><ns1:statusCode>200</ns1:statusCode></ns1:statusHeader><ns1:credentialChallengeList xsi:type="ns1:CredentialChallengeList"><ns1:challengeQuestionChallenge><ns1:payload><ns1:callStatus><ns1:statusCode>SUCCESS</ns1:statusCode><ns1:statusDescription></ns1:statusDescription></ns1:callStatus><ns1:challengeQuestions><ns1:challengeQuestion><ns1:questionId>Q3.2</ns1:questionId><ns1:questionText>What was your favorite restaurant in college?</ns1:questionText></ns1:challengeQuestion></ns1:challengeQuestions></ns1:payload></ns1:challengeQuestionChallenge></ns1:credentialChallengeList></ns1:challengeReturn></ns1:challengeResponse></soapenv:Body></soapenv:Envelope>] 2020-10-23 10:57:55,914 -0500 DEBUG - [ <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns1:updateUserResponse xmlns:ns1="http://ws.csd.rsa.com"><ns1:updateUserReturn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="ns1:UpdateUserResponse"><ns1:deviceResult><ns1:authenticationResult><ns1:authStatusCode>SUCCESS</ns1:authStatusCode><ns1:risk>0</ns1:risk></ns1:authenticationResult><ns1:callStatus><ns1:statusCode>SUCCESS</ns1:statusCode><ns1:statusDescription></ns1:statusDescription></ns1:callStatus><ns1:deviceData><ns1:bindingType>HARD_BIND</ns1:bindingType><ns1:deviceTokenCookie>PMV66QJ84yt0WNgy4pp1DQY6xTh7lKeTmaMYj1Qf17P4I9%2BOw%2FxkJliLPguyuloMdgQzUrpwtbrhXORfQUgUEKBg17qA%3D%3D</ns1:deviceTokenCookie><ns1:deviceTokenFSO>##################################</ns1:deviceTokenFSO><ns1:lookupLabel>No Label</ns1:lookupLabel></ns1:deviceData></ns1:deviceResult><ns1:identif </ns1:reasonDescription><ns1:statusCode>200</ns1:statusCode></ns1:statusHeader><ns1:deviceManagementResponse><ns1:acspAccountId>##############</ns1:acspAccountId><ns1:callStatus><ns1:statusCode>SUCCESS</ns1:statusCode><ns1:statusDescription></ns1:statusDescription></ns1:callStatus><ns1:deviceData><ns1:bindingType>HARD_BIND</ns1:bindingType><ns1:lookupLabel>No Label</ns1:lookupLabel></ns1:deviceData></ns1:deviceManagementResponse></ns1:updateUserReturn></ns1:updateUserResponse></soapenv:Body></soapenv:Envelope>]  
How can one change the ITSI status of multiple episodes at once?  I need to close numerous old episodes and don't have time to do it individually.
I'm passing description text for tickets to be created in Service Now, and need to know what to insert in that text to cause a carriage return when it is displayed in Service Now.  I've verified that \n does not work.
Hi All, I am trying to find:

Users using event code 4769
The count of computers a user connects to within 1 hr which is greater than 4
The count of event code 4769 > 50 by that user within 1 hr

I have got myself very confused; any help would be appreciated!

sourcetype = windowseventcodes Event_Code=4769 | bucket _time span=1h | stats count by ComputerName AccountName | stats count(ComputerName) as CNC by AccountName | eventstats sum(CNC) as total_count
Splunk Cloud Version: 7.2.10.2
Splunk CyberArk Vault Action Codes question

Thank you for helping me! Example sample queries: I am looking to query our Splunk Cloud for the vault action codes, for example logon or retrieve password or use password. What would the sample Splunk query be? I can see traffic from our HA pair, usually via the active node's IP. We have the Splunk translator file enabled in DBPARM. Do I need the CyberArk add-on for Splunk? OR the other way, for the Splunk system, do I need the CyberArk add-on for Splunk? I'm not new to SIEM; I have worked with parsers and QRadar etc. Thanks for your help!

Please let me recap:
I'm looking for a sample Splunk query to extract vault action codes.
I'm looking for a sample Splunk query to extract services like DR stopped.
Does anyone have a Splunk dashboard they can recommend?

Thank you genuinely, Eddie
The AWS GuardDuty app from Splunk is not pulling in S3 details, when they normally are included in GuardDuty alerts. Normally, there would be a section for S3 details when it is a part of an AWS GuardDuty finding. AWS documentation can be seen here: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-summary.html. Wanted to see if anyone else is experiencing this same issue. This occurs with on-poll/ingestion or if using the action to go get the findings.
We have some external, third-party-managed systems whose logs should be indexed using the Universal Forwarder. As we do not have exclusive control over its configuration, we need to ensure that those forwarders don't add data to a wrong index. So we want to restrict them to some allowed indexes. Unfortunately I couldn't find any solution for this up to now. So how could this be achieved?
Hello, I need to create a DB output; however, when I try to do this the option to choose schema and table is grayed out. The corresponding connection works fine: I am able to select, insert, and create a table using it. Also, when I do "select * from schemas" using this connection I am getting a result back, so it does not look like an authorization issue of the corresponding user/identity. First I thought it may be an issue with the corresponding SAP HANA JDBC driver, so I swapped it for the newest one, with no success. Could anyone advise how I would track this further? I was trying to scan the logs for any sign of error, but somehow without much luck. Where would I search, and what could be the reason for the above? Kind regards, Kamil
I'm using Splunk 8.1.0 on CentOS 7 and TA-dmarc 3.2.1. When the app loads, I get the following error:    Unable to initialize modular input "dmarc_pop3" defined in the app "TA-dmarc": Introspecting... See more...
I'm using Splunk 8.1.0 on CentOS 7 and TA-dmarc 3.2.1. When the app loads, I get the following error:    Unable to initialize modular input "dmarc_pop3" defined in the app "TA-dmarc": Introspecting scheme=dmarc_pop3: script running failed (exited with code 1)   Not sure what to make of it or how to even start troubleshooting. Thanks, Aaron