All Topics

I'm trying to subtract the total number of alerts I have that send an email from the total number of alerts that are bookmarked in SSE. The only examples I found on the community used either the same index or sub-searches (neither worked in my scenario).

My query for the alerts is:

| rest /services/saved/searches | search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*" | stats count(action.email.to) AS "Count"

My query for bookmarks is:

| sseanalytics 'bookmark' | where bookmark_status="successfullyImplemented" | stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display
Hello, I have a transaction which is coming in as multiple events. I can use the "| transaction" command to club them into one event. 1) I want the transaction ID extracted based on the below-highlighted (green). 2) Now I want to get the transaction time based on the below-highlighted (yellow). Below is the raw event log. Thanks in advance!
Hello Splunkers!! As per the below screenshot, you can see the jobs are running fine, but events are not being collected into the summary index. Please help me by suggesting some potential reasons and fixes. Scheduled search with push data to summary index.
I want to manually add an event to an index; using collect seems to be the most straightforward method. I am asking for a method to use makeresults and eval to add field quotes like the native Aruba SNMP log format, to send in raw format to an index.

Background: We had a power outage at one of our sites. Report and alert searches look for active user Wi-Fi sessions. Because the access points were offline, when users left for the day the Wi-Fi session end log events were not sent from Aruba to Splunk, which is causing false positive alerts.

The Aruba SNMP logs look like this:

timestamp=1723828026 notification_from_address = "172.20.0.69" notification_from_port = "34327" SNMPv2-SMI::mib-2.1.3.0 = "10679000" SNMPv2-SMI::snmpModules.1.1.4.1.0 = "1.3.6.1.4.1.14823.2.3.1.11.1.2.1219" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = "0x07e808100a0706002d0700" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.51.0 = "192.168.50.54" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.52.0 = "0xd8be1f2f9c1a" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.3.0 = "0x2462ce8053b1" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.94.0 = "RAP1053a" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.28.0 = "0" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.59.0 = "0" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.103.0 = "2" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.136.0 = "11" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.137.0 = "1"

My search:

| makeresults
| eval timeStamp=now()
| eval logEvent="timestamp=1723830464 notification_from_address = \"172.20.0.17\" notification_from_port = \"43015\" SNMPv2-SMI::mib-2.1.3.0 = \"2063900\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = \"0x07e8080e0d310f002d0700\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.51.0 = \"192.168.50.67\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.52.0 = \"0xd8be1f7d1076\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.3.0 = \"0x482f6b06b171\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.94.0 = \"AP7\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.28.0 = \"0\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.59.0 = \"0\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.103.0 = \"2\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.136.0 = \"10\" SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.137.0 = \"1\""
| collect index=aruba_snmp sourcetype=snmp_traps output_format=raw testmode=true

The search result looks like what I want, but when sent in raw format the escape backslashes (\) are visible. How do I obscure or remove the \ in raw format? Thank you for any help in advance.
Hi Experts, Is it possible to change the "Return to Splunk" link on the home page so that it goes to a custom URL instead of the default URL? If anyone knows how to do this, I'd appreciate the help! Thanks
Hello, There is an index named "linux" in our environment that needs to have the source universal forwarder changed to reflect a new server that is forwarding data. In other words, a server "syslog_01.server.net" was migrated to a new server "syslog_02.server.net" (not the actual domains). The index "linux", I believe, is still listening to syslog_01, and needs to be changed to syslog_02. The universal forwarder was installed on the syslog_02 server. So I have two fairly high-level questions: 1.) How would I go about seeing the current configuration of the "linux" index (at least in terms of where it is listening)? 2.) How would I change where this index is listening? I've inherited the Splunk environment and am still a little fuzzy on how it was originally configured (the person who set it up no longer works here), but it looks like the data path goes like this: universal forwarder > heavy forwarder server > two index servers < master server to control index servers. I believe this is a standard configuration. The person who set up the environment left scant documentation regarding universal forwarder configuration. Apparently, universal forwarders are "Configured automatically by adding new universal forwarder server to linux_outputs or windows_outputs class" in the master server. However, in the master server (splunk_home/etc/system/local), serverclass.conf doesn't contain any data. Although, I'm not entirely sure this would be the correct config file to change. Again, I'm fairly new to this environment and not sure how to proceed. Any and all input would be appreciated. Thank you!
I really need help. I'm trying to get my panels to move from red to green based on live stats, but nothing works. I tried the UI and I'm pretty sure I got the right thing selected, but my panels won't show up red, yellow or green. Can anyone please help me out? So, I figured out that percentages don't work well with dynamic element backgrounds; how can I work around that?
Hi, I have a scenario where I want to calculate the duration between the 1st and last event. The thing is, these events can happen multiple times for the same session. The 1st event can happen multiple times and every time it is the exact same thing, but I only want the transaction to start from the very first event so that we know the exact duration. Sample events below. See the last 2 events, where one says MatchPending and another one says MatchCompleted. What I want is to calculate the duration between the 1st event and the last event where it says MatchCompleted.

2024-08-16 13:43:34,232|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Sending GET request to https://myapi.com/test
2024-08-16 13:43:38,630|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Response Received in 114 milliseconds "200 OK" response for GET request to https://myapi.com/test: "status":"MatchPending"
2024-08-16 13:43:50,516|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Sending GET request to https://myapi.com/test
2024-08-16 13:43:57,630|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Response Received in 114 milliseconds "200 OK" response for GET request to https://myapi.com/test: "status":"MatchPending"
2024-08-16 13:44:15,516|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Sending GET request to https://myapi.com/test
2024-08-16 13:43:50,510|catalina-exec-192|INFO|LoggingClientHttpRequestInterceptor|Response Received in 114 milliseconds "200 OK" response for GET request to https://myapi.com/test: "status":"MatchCompleted"

Any help is appreciated. Best Regards, Shashanlk
In 9.21, how do I change the width of multiselect inputs in Dashboard Studio?
Hi, I am looking to have the sum of users per VLAN. For example, vlan=xxx is used by username=A, B, C, so I would have a table with VLAN = xxx and sum of users = 3. Thx
Hi, I need some help with the following JSON data.

ModifiedProperties: [
  {
    Name: Group.ObjectID
    NewValue: 111111-2222222-333333-444444
    OldValue:
  }
  {
    Name: Group.DisplayName
    NewValue: Group A
    OldValue:
  }
  {
    Name: Group.WellKnownObjectName
    NewValue:
    OldValue:
  }
]

I want to extract the 2nd set of values for each event such that Group.DisplayName can become a field in itself, e.g. Group.DisplayName.NewValue=A, Group.DisplayName.OldValue=B. But right now, the default extraction is doing something like this. How can I create KV pairs for Group.DisplayName within this JSON array? I tried a few combinations using spath but was not successful. Thank you
Hi Team, In a dashboard we have 30 panels, and I want to do pagination; let's say under each page I should view 5 panels. Please help with how to proceed/query for that. Below is the example: under the 1st dot page I should view 5 panels, the 2nd page should have 5 panels, and so on.
Dear Splunkers, I would like to ask your advice in order to complete the following search result. My table checks for consecutive level breach events in a window of 3 counts.

ACC  CR  count
0    0   1
0    0   2
0    0   3
1    1   1
1    0   2
1    0   3
2    1   1
3    1   2
4    1   3

If there is a level breach, the CR column will change to 1 and the ACC column will change to the upcoming number. Now I would like to create an alert if 3 consecutive levels are breached, as shown in the example in bold. Can you suggest how to complete the query and display only the 3 consecutive results so that I can create an alert? Thank you
Hi, I can't connect to my Splunk Enterprise account; I am having this error: connection failure. And there is no way to recover the account. I need help, please.
Hello to everyone! I am in the process of trying to fetch vulnerability information from the National Vulnerability Database. I found an app that can do this task via API: this is NVD-CVE-Fetcher-App. The app link is here: https://splunkbase.splunk.com/app/7121?ref=hub.metronlabs.com The problem is that using NAT isn't allowed in our organization, so I was forced to use a proxy. I tried to use a system proxy, but the application ignored the system setting and tried to access the API URL directly. So, two questions: 1. Did anyone try to use the NVD-CVE-Fetcher-App in the proxy-access scenario? 2. Did anyone resolve a similar task using other approaches? For example, another app or a handmade script.
Hello, I ran the following code:

    from __future__ import print_function
    import urllib.request, urllib.parse, urllib.error
    import httplib2
    from xml.dom import minidom

    baseurl = '<url>'
    userName = '<username>'
    password = '<password>'
    searchQuery = '<query>'

    # Authenticate with server.
    # Disable SSL cert validation. Splunk certs are self-signed.
    serverContent = httplib2.Http(disable_ssl_certificate_validation=True).request(
        baseurl + '/services/auth/login',
        'POST',
        headers={},
        body=urllib.parse.urlencode({'username': userName, 'password': password}))[1]

    # Pull the session key out of the XML login response.
    sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue

    # Remove leading and trailing whitespace from the search
    searchQuery = searchQuery.strip()

    # If the query doesn't already start with the 'search' operator or another
    # generating command (e.g. "| inputcsv"), then prepend "search " to it.
    if not (searchQuery.startswith('search') or searchQuery.startswith("|")):
        searchQuery = 'search ' + searchQuery

    print(searchQuery)

    # Run the search.
    # Again, disable SSL cert validation.
    print(httplib2.Http(disable_ssl_certificate_validation=True).request(
        baseurl + '/services/search/jobs',
        'POST',
        headers={'Authorization': 'Splunk %s' % sessionKey},
        body=urllib.parse.urlencode({'search': searchQuery}))[1])

I get this error: "TimeoutError: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond". Is my URL format wrong? Thanks
Hello, How can I get my eval case like to match all values except a specific value? I have the below values for a field called rule_name:

MMT01_windows_brute_force
MMT02_linux_root_login
MMT03_Aws_guardduty_alert

How do I get eval to match everything except anything with AWS in the name? I need to use the wildcard % for the matching part because there are many matches, but just exclude the AWS ones. I found a similar post here where the answer was to use AND ! to exclude, but that syntax is no longer supported, it seems.

| eval rule_type=case(like(rule_name,"MHE0%"),"onprem",true(),"cloud")

Expected result: rule_type should end up having 2 values for MMT01 and 02 using a wildcard, and MMT03 should be considered as cloud.
Hello, I send a GET request in Postman as follows:

curl -u <username> -k https://<url>.net:8089/services/jobs/export -d search="<query>"

Why does it fail? "Cloud Agent Error: Couldn't resolve host. Make sure the domain is publicly accessible or select a different agent." And a variation passes, but when I add "-d output_mode csv" at the end, I do not get any CSV. Where can I see the same result as I see inside Splunk (Enterprise), i.e. tabular output? Thanks
Hi, I have a table with dynamic fields, and some of these fields contain no value or NULL. How do I remove these fields when I don't know the field name beforehand? The field names are never the same, so I cannot simply do | fields - name1, name2 etc. Is there a way to remove every field containing no value in a table?
I am trying to ingest data from Cortex via API. The API works 100%, but I am getting the following script errors in splunkd.log. Also attached is the log from my partner's environment where we need to complete the integration.

8-14-2024 10:30:27.459 +0200 ERROR ScriptRunner [12760 TcpChannelThread] - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\bin\runScript.py execute':    return func(*args, **kwargs)
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: WARNING:root:Run function: get_password failed: Traceback (most recent call last):
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:   File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\aob_py3\solnlib\utils.py", line 153, in wrapper
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:     return func(*args, **kwargs)
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:   File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\aob_py3\solnlib\credentials.py", line 137, in get_password
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:     f"Failed to get password of realm={self._realm}, user={user}."
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#Splunk_TA_paloalto#configs/conf-splunk_ta_paloalto_settings, user=proxy.
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: .
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: WARNING:root:Run function: get_password failed: Traceback (most recent call last):
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:   File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\aob_py3\solnlib\utils.py", line 153, in wrapper
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:     return func(*args, **kwargs)
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:   File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\aob_py3\solnlib\credentials.py", line 137, in get_password
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:     f"Failed to get password of realm={self._realm}, user={user}."
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#Splunk_TA_paloalto#configs/conf-splunk_ta_paloalto_settings, user=additional_parameters.

Please advise.

Palo Alto Cortex XDR, Palo Alto Networks Add-on for Splunk