Hello Friends, I am trying to include rules using "RegEx match on the URL" while instrumenting certain pages in EUM. Is there any documentation I can refer to? e.g.

https://www.abcxyz.com/app/#/app/account/<GUID>/overview
https://www.abcdef.com/app/#/app/account/<GUID>/overview

I am looking to add two separate rules for the above mentioned pages in EUM. How do I write a regex for these? Any lead will be appreciated. Thanks in advance! Regards, Arup
Hello, I'm a Splunk newbie; we don't have the FMC module. How do I send logs to Splunk without using FMC? I only have access to Firepower Device Manager.
I have obtained the below results from my search. I want to write a dbxquery in Splunk DB Connect which can use this data as input. For each category there should be a different query. The resultant query should be:

1. When Category is "Fruits":
| dbxquery connection="connect" query="select * from abc.def where category="Fruits" and (items="Apple" or items="Orange" or items="Pear")"

2. When Category is "Colours":
| dbxquery connection="connect" query="select * from abc.def where category="Colours" and (items="Red" or items="Black" or items="Maroon")"

Is there a way I can write this query?
I have a lookup file containing this sort of data:

Field      Interval             Scores
FieldName  0,15,30,60,300,3600  5,4,3,2,1,0

What I am doing is to look at a field value 'MedDelta', work out which range of Interval values it sits between, and assign it the corresponding Score value from the Scores field, like this:

| lookup scores.csv Field
| eval Interval=split(Interval,","), Scores=split(Scores,",")
| eval ind=mvmap(Interval, if(MedDelta<=Interval,1,0))
| eval ScoreCount=mvcount(Scores) - 1
| eval t=mvfind(ind,"1"), Score=if(isnull(t), mvindex(Scores, ScoreCount, ScoreCount), mvindex(Scores,t-1,t-1))

So, if I have MedDelta=10, then Score is 5 (range 0-15); if MedDelta is 93, then Score is 2 (range 60-300). However, mvmap is Splunk 8 and I need to deploy this to Splunk 7.4. I cannot use mvexpand. Anyone know some cool Splunk trickery to do the same thing without mvmap?
Hello friends, we have Splunk ES and we store our data in different indexes (OS logs, network logs, ...). I have a question about correlation searches. Some correlation searches don't use Data Models and just use simple search commands; how can I change these correlation rules to use our indexes? First of all, is it necessary to change anything? My second question is: which permission or user will ES use to run correlation searches? I mean, to which roles/users do I have to grant access to our indexes? Thanks.
Any documentation on how to write into Splunk from an API built on a Spring Boot app?
Hi, although I have added 5 APICs to the Splunk integration list, I can see only 1 APIC populating in the APIC host list of Splunk. Can someone help me figure out how to get the other APICs populated in the host list? Splunk 8.0, CentOS version installed.
Hi, is there any way to export data to CSV from a Single Value panel which is configured in a dashboard? I created a dashboard with a Single Value panel to get the total number of 'Success' statuses from the index. Now I want to export all the 'Success' status data to CSV when I click on the export button of the panel.
Splunk cron expression for every day, 6 a.m. to 6 p.m., every hour, except Saturday 2 a.m. to 8 a.m.
Hi, if a user is added as a local admin and also to the local admin group, what's the difference, and is there any security risk? Regards, Shashank
I'm facing an issue setting up the modular input for Proofpoint TAP. splunkd.log:

INFO ModularInputs - Autologin succeeded, but there was an auth error on next request. Something is very wrong.
WARN ModularInputs - Argument validation for scheme=proofpoint_tap_siem failed: Autologin succeeded, but there was an auth error on next request. Something is very wrong.

The API principal and server work well when tested with curl. Tested on 7.3.0 and 8.0.6 Splunk heavy forwarders. Splunk is behind a Squid proxy with no SSL manipulation. Other TAs on this box don't have issues accessing data on the internet. @eckolp2003 any hints where to look?
How can I add a little space between two panels in the same row using HTML and CSS? Both panels contain a table. Thanks
How do I find the difference in events between hosts, if the number of events on different hosts differs by 15?
How do I calculate the load average of Linux servers in Splunk?
Hi all, I have this rule: "Unapproved Port Activity Detected". I know this rule creates many alerts; how can I find the daily count of this specific event, and what is the trigger?
I have multiple devices in a given location, maintained in a lookup table with location and device. Using the location from the index I am trying to get the device list, but the output is coming in a single row. I want the list of devices as separate rows. How do I achieve this? My query is like this:

index=myindex | lookup mylookup location OUTPUT devices | table devices
Current report for the following event log:

index=windows EventType=4 host=* | table _time host EventCode Message

Sample event:

EventType=4 Type=Information ComputerName=NOYO.asus.com Message=Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.323.1450.0)

I try to filter away events if the message contains "Security Intelligence Update for Microsoft Defender Antivirus":

index=windows EventType=4 host=* | where Message="%Security Intelligence Update for Microsoft Defender Antivirus%" | table _time host EventCode Message

But it seems the message cannot be filtered.
I have an issue with Splunk saved searches. When I'm using the Splunk web interface, I can see ALL of the saved searches in my web browser, and edit or run them. But when I'm using the Splunk SDK, I can't get some of the freshly created reports. I have about 70 saved search queries right now and 60 of them are working properly, but the remaining 10 are not visible at all from the SDK. I am running SDK version 1.6.14 and my saved searches run under the admin user. I have also tried to run a sample script that outputs all of the saved searches: https://github.com/splunk/splunk-sdk-python/blob/master/examples/saved_searches.py and it shows me a really big output of about 69k lines in which I don't see my 10 new saved searches. Any tips?
Hi everyone, I do a search in Splunk and these are the results:

Name   Price  Date
apple  23568  9/18/2020
apple  23346  9/18/2020
apple  22697  9/18/2020
apple  20     9/18/2020
apple  22674  9/19/2020
apple  25987  9/19/2020
apple  26796  9/19/2020
apple  25341  9/19/2020

I have a lookup table file named apple.csv which is comprised of these contents:

Name   Date       Max_Price  Min_Price
apple  9/18/2020  24250      22120
apple  9/19/2020  26920      24250

So I want to add the Max_Price and Min_Price to the main search, something like this:

Name   Price  Date       Max_Price  Min_Price
apple  23568  9/18/2020  24250      22120
apple  23346  9/18/2020  24250      22120
apple  22697  9/18/2020  24250      22120
apple  20     9/18/2020  24250      22120
apple  22674  9/19/2020  26920      24250
apple  25987  9/19/2020  26920      24250
apple  26796  9/19/2020  26920      24250
apple  25341  9/19/2020  26920      24250

and then I can determine the wrong results. I mean the following results are not acceptable to me, and they may be wrong or something else:

apple  20     9/18/2020
apple  22674  9/19/2020

Thanks in advance
Hi, I have a question regarding license usage. I am trying to calculate the license usage increase related to a few new network devices. I have a great query that shows me exactly the data volume increase related to each device. My question is: what about the firewall traffic increase? Each new device is generating new FW traffic. Is there a way to isolate the FW traffic increase related to each device? Thanks