All Topics

Hello, I currently have the below search which calculates on average how much time is being spent on the alerts that Splunk generates. On average, it has been calculated that 15 minutes would be spent on each alert for investigation etc. Therefore the below search was written.

index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" alert_actions=email savedsearch_name=* | stats count | eval count=count/4

Result example: 14 results x 15 minutes = 210 minutes / 3 hours 30 minutes. My results are showing as '3.5 Hours'. How could I change this so my final results will be in the format of '3 Hours 30 Minutes'? Thanks, N.
Hi, I need to have a panel focused on the page when I click on some values in one panel in the same dashboard in the XML. How do I get one panel auto-focused on click of values in another panel? Do we have this feature in Splunk XML without a JS script?
Hi Everyone, I have two search queries with two filter criteria.

1st query: index=abc ns=xyz app_name=sd "ARC EVENT RECEIVED FROM SOURCE" | rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)" | stats count by sourceagent, RID | rename sourceagent as "Source" | fields RID Source

2nd query: index=abc ns=xyz app_name=sd "ARC SUCCESSFULLY UPDATED RESPONSE BACK TO SOURCE OR SF" | rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)" | stats count by sourceagent, RID | rename sourceagent as "Source" | fields RID Source

Since the search is the same for both and only the filter criterion is different ("ARC EVENT RECEIVED FROM SOURCE" vs. "ARC SUCCESSFULLY UPDATED RESPONSE BACK TO SOURCE OR SF"), how can I make it a single query with two filter criteria? Can someone guide me on that?
Hi, I would like to do a search that gives me the number of systems with a vulnerability per month. I've tried this search but I'm stuck on the _time field; I'm not exactly sure how it works.

| tstats `summariesonly` max(_time) as _time values(Vulnerabilities.severity) as severity from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.dest | `drop_dm_object_name("Vulnerabilities")` | bin span=1mon _time | stats count(dest) as "Scanned systems" by _time

My intuition is that _time is some sort of array that contains each time the vulnerability's signature has been detected. But with my current query I only take max(_time), which means that all vulnerabilities that have been discovered over 2 months will only be counted for the last month. I really would like to know how I could make them count for each month they have been discovered. Thanks,
Hello, I have a CSV file with two fields (ID and description) and I want to know if any of the IDs are found in a search. It would be great if the output came in a table with the count and the description.

CSV is like:
ID, description
1, abc
2, lmn
3, yxz

Output:
ID description count
2 lmn 6
1 abc 3

Is that possible? Regards, Stephan
Hi Everyone, I have one requirement. Below is my search query for my failed RIDs:

index=ABC ns=xyz app_name=abc "ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF" | rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)" | eval count=1 | table RID, sourceagent, count | rename sourceagent as "Source"

I am getting like below:
RID Source count
f56bce02-750d-451c-a341-4769d7518f2c of1-team_b 1
c09b64eb-45c3-4fcb-9deb-81faa3d5c98b of1-team_b 1

I want that when I click on the first row it should show the raw logs for the failed RIDs, and that panel should be hidden; it should only show when we click on the particular rows which we want to see. Below are my raw logs for the 1st failed RID:

020-10-01T09:20:57.829079909Z app_name=api environment=e3 ns=c2 pod_container=api pod_name=bhhf5 message=2020-10-01 02:20:57.826 ERROR [service,,,] 1 --- [or-http-epoll-3] c.a.b.a.c.s.impl.SFCallbackService : RID:f56bce02-750d-451c-a341-4769d7518f2c-of1-team_b-ivurtupload EL:1601: ARC FAILED TO UPDATE RESPONSE BACK TO SOURCE OR SF Reason:404 Not Found: [[ {

Can someone guide me how I can achieve that?
Output should have a result something like below:
error count
abc 40
xyz 50
I would like to integrate AppDynamics and ServiceNow. I have done the below steps: downloaded and installed the AppDynamics Data Sync Utility. On Synchronize with the CMDB, I see 4 relationships:
1. Tier to Tier
2. Tier to Remote (Remote Services)
3. Tier to Application
4. Node-to-Server CI
For point 4 it says: "To use this feature, a Machine Agent with Server Visibility enabled must be installed and running on each host that supports an imported AppDynamics Node. See Machine Agent with Server Visibility." What if I do not have this license? Can I log the ServiceNow tickets without this? I want to know what exactly the flag "APPDYNAMICS_SIM_ENABLED" drives. My aim is just to raise a ticket if some health rule is violated in AppDynamics. Any help will be appreciated.
Hi everyone, I just want to get some opinions on Splunk Cloud vs. on-prem. Originally when we first started using Splunk we were on-prem. This was all going fine, and then the director decided to move to Cloud after being sold the whole deal about speed and not having to look after Splunk so much. As time has gone by I have found Cloud to be quite restrictive (especially when it comes to scripted inputs and app creation), and it's getting annoying having to raise a case constantly for Splunk to do something. It would be good to hear some opinions from yourselves about both sides.
Hello, I'm currently facing a curious issue with the lookup: LOOKUP-vendor_action = pan_vendor_action_lookup vendor_action OUTPUT action. The lookup seems to be working (it appears in my interesting fields and I can also see the value counts). But when I try to perform a search like index=firewall action=allowed, the search returns 0 events after only 1 second. If I do the search with the field vendor_action, it works correctly. I confirmed the issue is also present with TA 6.2.0. TA 6.2.0 was working perfectly with Splunk 7.0.3, so I suppose the Splunk upgrade changed something. Other TAs are not impacted by this issue. Thank you for your help.
Hi, I'm trying to split this event into a name/value key-value table:
name value
FieldA false
FieldB 5

Event:
org.Data@28c839cfname=FieldA, value=false, org.Data@49b45b79name=FealedB, value=5,

Query:
1. base_query | extract pairdelim="  ", kvdelim=" " | table _raw
2. base_query | extract pairdelim="org.data*=", kvdelim=" " | table _raw

Is it possible? Thanks
I created a correlation search and added the Notable action under "Adaptive Response Actions". When running the search there are some events, and Activity > Jobs shows the events exist. However, "Incident Review" doesn't display any events. I configured "Throttling" to be disabled by setting "Window duration" to "0".
Hello, what is the best third-party app to monitor Windows File Server event logs (file read, file creation, permission modification, etc.)? I want my file server logs to be simplified and organized.
Hi Everyone, I have one requirement. I am showing my RIDs with their source and their counts; as of now it is coming like this. My search query:

index=ABC ns=XYZ app_name=DF "ARC EVENT RECEIVED FROM SOURCE" | rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)" | stats count(RID) as count, values(RID) as RID by sourceagent | rename sourceagent as "Source" | fields Source count

What I get now is: for Source of1-team_b the count is 5 and all the RIDs are coming in one block.
RID Source count
8730e34b-d619-40c9-9f1b-6b39f534daea of1-team_a 1
07cefd49-ec3f-44b4-b313-24eb486dda02 5b23febe-1817-405d-8e7f-c4388feb9fbc 9cc7154e-11a2-43e1-a970-590d359fbadd c09b64eb-45c3-4fcb-9deb-81faa3d5c98b f56bce02-750d-451c-a341-4769d7518f2c of1-team_b 5

Now I want each RID to come separately with its count, like this:
RID Source count
8730e34b-d619-40c9-9f1b-6b39f534daea of1-team_a 1
07cefd49-ec3f-44b4-b313-24eb486dda02 of1-team_b 1
5b23febe-1817-405d-8e7f-c4388feb9fbc of1-team_b 1

That means each RID should be separate. Can someone guide me on this?
Hi, I have concatenated my DATE & TIME fields as below:
| eval DATE&TIME=DATE." ".TIME
Example (%m/%d/%Y %H:%S):
12/09/2017 23:28
01/27/2019 00:49
04/14/2018 23:42
How can I sort my DATE&TIME field now? I want to show the latest date and time at the beginning. Any suggestions? Thank you
Hi, I am trying to produce a macro with an event summary that would contain both the field name and field value in a single field. My query is as follows:

| makeresults | eval time="2020-10-05 05:44:27" | eval file="Generic.exe" | eval signature="Generic" | eval Event_Summary="" | foreach time file signature [ eval Event_Summary=Event_Summary."|"."<<FIELD>>".": ".'<<FIELD>>'] | eval Event_Summary=split(Event_Summary,"|")

How do I make the macro such that the arguments I throw in will become the fields in the foreach statement? The macro I have tried to create is:

| eval Event_Summary="" | foreach $fields$ [ eval Event_Summary=Event_Summary."|"."<<FIELD>>".": ".'<<FIELD>>'] | eval Event_Summary=split(Event_Summary,"|")

Hoping to achieve the below:

| makeresults | eval time="2020-10-05 05:44:27" | eval file="Generic.exe" | eval signature="Generic" | eval fields="time file signature" `Summarize(fields)` | table Event_Summary

But I can't figure out how to change the argument string to fields. Edit: one more condition is that I would want the macro to be flexible in being able to take in any number of fields and not just a fixed number of 3 fields/arguments.
Hello, I'm new to the Splunk community and I'd like to start using Splunk as a syslog server for all traffic generated from our firewall. We'd like to send all the logs from the firewall to the Splunk machine, using the FortiGate add-on. Our firewall is sending the traffic log in source/destination IP address format, and we'd like to present it in the Splunk dashboard as hostnames, i.e. every IP subnet presented as a name. For example:
-- all source IPs from subnet 192.168.1.0/24 presented in the Splunk dashboard as: company1_123_PO1_region1
-- all source IPs from subnet 192.168.2.0/24 presented in the Splunk dashboard as: company2_321_PO2_region2
We already have a CSV file which has all this information. How can we accomplish this task? Thanks
After installing the Nagios add-on, Splunk Web is showing "page not found". Is there anyone who can help with this?
Hi, in our existing Splunk environment we are managing all the UF, indexer and search head apps in one deployment server, which caused issues with the knowledge objects that were created on the search head: whenever there is a refresh, it rolls back to older changes. Now we want to manage the search head apps from the Deployer instead of the deployment server. In this process, how do we safely remove the server class that was created for the SH apps in the deployment server? On doing so, will it delete the apps on the search head? Thanks
Why am I getting the error "Error in 'script': Getinfo probe failed for external search command 'predict'." while executing the predict command? Is that due to a Splunk version update?