All Topics
Hi, can someone help me locate a Universal Forwarder install for Windows Server 2003? The oldest on the site at present does not appear to support Windows Server 2003.

Many thanks,
M
Hi fellow Splunkers, I've stumbled upon a cool piece of code, namely the ASX app that allows you to load configurations from Splunk's security content API and run/schedule analytic stories in the context of ES.

Question: It's probably just me, but is there an easy way to configure an HTTP proxy for the app, other than tweaking the code? I'm somewhat reluctant to touch the .py libs since I assume I have just overlooked the documentation that says: "asx.conf: proxy=http://<user>:<passwd>@<proxy>:<port>"

Has anybody hit the same snag and can help with a little code?

Cheers,
Oliver
Hi, I'm trying to filter certain Windows event IDs which need to be sent to the Indexer, with the rest dropped. My props.conf looks as below:

[WinEventLog:Security]
TRANSFORMS-security = adlog, dropadlog

And my transforms.conf looks as below:

[dropadlog]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[adlog]
REGEX = (?msi)^EventCode=(4624|4625|4688|4768|4769|4771|4773|4776|4740)
DEST_KEY = queue
FORMAT = indexQueue

On querying through the search head, I don't see any events coming through the HF. Rather, I see events from other hosts that are configured to send events directly to the Indexers. Could someone help me understand what's going wrong with the HF configuration? My inputs.conf is below:

[default]
host = Hostname of HF

[splunktcp://9997]
disabled = false

And outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://Indexer1:9997]
[tcpout-server://Indexer2:9997]

[tcpout:default-autolb-group]
disabled = false
server = Indexer1:9997,Indexer2:9997,Indexer3:9997

[tcpout-server://Indexer3:9997]
We have a couple of good use cases for Splunk Mobile and Splunk TV, so I am experimenting with them to understand the care and feeding. For a Splunk Mobile user to see only what they should be allowed to see, I register their device with their username and password. We use AD LDAP auth. We require 90-day password changes. When this change rolls around and the password is changed, the Splunk Mobile app is broken and must be re-registered. I've seen similar behavior with Splunk TV; however, use of a service account there is possible, so it can be mitigated if necessary. How are other people working around this? Currently this would be a nightmare if I tried to roll it out.

Thanks for your help.
Lee.
Hello, working to get Splunk integrated with AWS, and in setting up the account in the app in Splunk I get an SSL error. I'm using a proxy and have allowed the connection to the URL, but I'm not sure the app uses the correct address. I go to add the account and enter the required info:

Name
Key ID
Secret Key

I select GovCloud as the Region Category and add the connection, and I get an error like this:

SSL validation failed for https://sts.us-gov-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:742)

But where does https://sts.us-gov-west-1.amazonaws.com/ come from? This isn't the URL we use to hit the console; is this the correct one to use? Is there a need to add a custom URL to the app?

Thanks for the assistance
Hello all, I have what is probably a pretty basic question about configuration files. I know the precedence goes like this:

1. System local directory -- highest priority
2. App local directories
3. App default directories
4. System default directory -- lowest priority

But if I have only a few things addressed in my inputs.conf in my system\local directory, like:

[WinEventLogs://Security]
[WinEventLogs://Application]
[WinEventLogs://System]

Do the additional stanzas in my system\default directory inputs.conf file get applied as well, with only the ones I specifically addressed above overriding what's in the default conf? Or is this file ignored because I have an inputs.conf in my local directory?
I have an urgent requirement to build a dataset where I have to create multiple fields based on a flag field. E.g., if the flag field (Flag_columnA) has value 1 then 4 fields should be loaded with data:

Flag_columnA = 1, ColumnA1= ***, ColumnA2= ***, ColumnA3= ***, ColumnA4= *** (4 fields created)

But if the flag field has value 4 then these 4 columns should be repeated 4 times (replication of the 4 fields created):

if Flag_ColumnA1=4, ColumnA1= ***, ColumnA2= ***, ColumnA3= ***, ColumnA4= ***, ColumnA1= ***, ColumnA2= ***, ColumnA3= ***, ColumnA4= ***, ColumnA1= ***, ColumnA2= ***, ColumnA3= ***, ColumnA4= ***, ColumnA1= ***, ColumnA2= ***, ColumnA3= ***, ColumnA4= ***

Can you please let me know how to achieve this.
Hello, I downloaded the Cisco ASA add-on from Splunkbase, and in the default folder's transforms.conf some regexes cannot be used in the Splunk UI with the regex/rex command, as an error comes up about a missing closing parenthesis. I don't understand this, as the regex is supposed to be correct since no customizations were made. It's multiple regexes with the same error, so it seems that there is some difference between the regex interpreter in Splunk for transforms.conf and the one in the UI.

Can someone confirm this or explain why this happens? Example regex:

[cisco_asa_message_id_302014_302016]
REGEX = -30201[46]:\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))?

Error in 'rex' command: Encountered the following error while compiling the regex '\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\]+)\)?([\w\-_]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\]+)\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))?': Regex: missing closing parenthesis.

BTW: the regex is working fine in regex101.com
My question is, how can I prove that the Splunk server.conf enableSplunkdSSL is indeed working and that sslVersions is as per my settings, preferably with Splunk internal logs SPL showing that?
I have the Splunk Cloud trial version. I am trying to make REST calls through Postman for login and search jobs. But it gives Error: Request timed out. Below are the APIs I am trying:

https://prd-p-xxxx.splunkcloud.com:8089/services/auth/login
https://prd-p-xxxx.splunkcloud.com:8089/services/search/jobs/

Can someone answer how to resolve the timeout error?
Hello, I'm a complete newbie to Splunk, so correct me if I'm wrong somewhere. I'm trying to monitor LDAP requests; I have more than 21 sites in our domain. I'm using the Splunk App for Windows Infrastructure and IT Operations. Is there any way I can get 30 days of LDAP requests from these applications or Splunk? I'm taking out the logons weightage, but it is taking almost forever to even get 5 days of records.

Note - I don't have any admin privilege and no configuration changes are allowed in Splunk. Only READ-ONLY mode is available.

HELP ME SUGGEST SOMETHING SO THAT I CAN GET THE LDAP REQUESTS FROM THE DC. TOTAL DC COUNT - 69

Thanks
I have a dashboard in which there are multiple panels, and it has 3 base searches defined in it. I'm getting the below errors while scheduling PDF delivery for the dashboard, but while manually exporting the PDF I'm not getting any errors. I'm getting the below errors for only 2 panels of the dashboard:

Server reported HTTP status=400 while getting mode=results<?xml version="1.0" encoding="UTF-8"?><response> <messages> <msg type="FATAL">Error in 'SearchOperator:loadjob': Cannot find artifacts for savedsearch_ident '$subsearch_sid3$'.</msg> </messages></response>

Both of the panel searches are using loadjob commands. The loadjob command is using the SID of previous searches to get the results. Kindly help me out on this one?
Query required: if a count of a certain condition in the last rolling 12 hours exceeds by more than 10% the average daily count of that condition for the last 7 days.
I'd like to calculate the K/D ratio for the game Insurgency. I have two searches that can calculate #kills and the number of deaths #killer. I'd like to calculate the ratio of K v. D's.

index=insurgency sourcetype="insurgency" killed | rex "killed \"(?<killed>.*?)<" | rex ":\s+\"(?<killer>.*?)<" | stats count by killer

I'd like to calculate the ratio of Kills/Deaths. Any suggestions?
Hi Team, I am searching to confirm the SPL to poll a KV Store, check the status of the es_notable_events when a status changes and then send an email; I would also like to check timestamps to work out what the newest event is.

The SPL I have working to send (most of the time) is below:

| inputlookup es_notable_events where status="1" | sendemail to=email@address.com format=raw subject=Splunk Notable Event sendresults=true

Appreciate any help
Can an HTML dashboard be sent by email? I have created an HTML dashboard with modified CSS and HTML code and I want that to be sent as an email.
I have a savedsearch which is a result of JSON data. Similarly I have a master CSV. I have an Assettag field common in both the savedsearch and the CSV. Now, I want to combine both JSON and CSV and get matching and unmatching results from both, and also: if Assettag is available in the savedsearch but not in the CSV then it should be given Validation as Newly Scanned; if Assettag is available in the CSV but not in the savedsearch then the Validation is Unscanned; and if Assettag is available in both then it is Scanned, where Validation is a new field which should be created. How can I do this?
I'm trying to do some Windows event blacklisting due to a high volume on a particular server. However, I'm having trouble producing a search to match the events without the search spanning across multiple lines. So we are dealing with Windows events: index=wineventlog source=wineventlog:security EventCode=4624. I have an extracted field (from the Windows Infrastructure app) called member_id. This contains two values which seem to be separated by a new line, as they are vertically stacked and look like this when listed in stats or tables:

NULL SID
NT AUTHORITY\SYSTEM

This search below will match the events I'm after correctly:

index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID NT AUTHORITY\\SYSTEM"

However this does not work:

index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\nNT AUTHORITY\\SYSTEM"

and neither does this:

index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\r\nNT AUTHORITY\\SYSTEM"

or

index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\n\rNT AUTHORITY\\SYSTEM"

In my inputs.conf file I have tried the following and it is not working. I suspect because the blacklist is not expecting to span multiple lines and doesn't know where to start and end.

inputs.conf (for the universal forwarder on the Windows endpoint):

[WinEventLog://Security]
disabled = 0
blacklist = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID NT AUTHORITY\\SYSTEM"
blacklist1 = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID <Redacted>\\<Redacted>$"

My Google fu has failed me and I don't seem to be able to find out how to do this. I hope some Splunk guru will be able to help me solve this.

Thanks in advance,
Sean
Hello, I have several questions about using export PDF. If I make a dashboard in Splunk Enterprise, I can get a PDF, so I clicked export PDF. But I want a fixed PDF. How can I do that?
I have the following query working in SQL and am struggling to get a working Splunk query that will return the same result set. SQL as follows:

SELECT logA.ref, to_char(logA.edate, 'DD-MON-YYYY HH24:MI:SS') as edate
FROM logger logA
WHERE logA.event = 'string1'
  AND sysdate > logA.adate
  AND NOT EXISTS (SELECT logB.ref FROM logger logB
                  WHERE logB.event like 'string2'
                    AND logB.foo = 'bar'
                    AND logB.ref = logA.ref)
order by ref desc

Essentially I want a table of all events that match search1, but only if there are no events in search2 that have the same value for 'ref' as search1. The data is a single sourcetype in a single index. I've tried both subsearch and join but have not had any luck. Any tips would be appreciated.