All Topics
Hello, I'm new on Splunk and I want to know the best way to accomplish the following task.

INFORMATION / INPUT: I have data in XML format in the event. The value of ID can be between 1 and 500. In the event there are at least 15 ProductX fields (they can be ProductA, ProductB, ProductC, ..., ProductZ). A ProductX can be used for 300 different IDs.

    <EventData>
    <Data Name="ID">5</Data>
    <Data Name="ProductA">Screw 16</Data>
    <Data Name="ProductB">Screw 11 </Data>
    <Data Name="ProductC">Screw G</Data>
    <Data Name="ProductD">Screw 9</Data>
    ...
    ...
    </EventData>

GOAL: I want to dynamically parse a field called "Result" which depends on the ID that is in the event.

EXAMPLE:
if ID = 5, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
if ID = 6, I want my field "Result" to be equal to the value of ProductD (Result = Screw9)
if ID = 240, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
if ID = 499, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
and so on...

I tried to do the parsing with props.conf and transforms.conf with INGEST_EVAL and IF and OR, but no joy. Any solutions / advice on saving performance / the best way to do this, please? Thx!!
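Added example, not from the original post or from Splunk: the same ID-driven selection written in Python, with the ID-to-field table kept as a lookup instead of a chain of IF/OR conditions. The mapping ID_TO_FIELD and the sample event are constructed for the example; the real table would have up to 500 rows. In Splunk itself the equivalent shape is a CSV lookup (columns ID, product_field) applied with `lookup`, followed by `foreach Product* [eval Result=if("<<FIELD>>"==product_field, '<<FIELD>>', Result)]` to copy the selected field, which avoids a 500-branch INGEST_EVAL. The code also shows the two cases that a Splunk eval would silently turn into a null Result: an ID with no mapping, and a mapped field that is missing from the event.

```python
"""Resolve a Result field whose source field is chosen by the event's ID.

Added example for the question above (not Splunk code). The ID -> field
mapping is hypothetical; in Splunk it would be a CSV lookup.
"""
import xml.etree.ElementTree as ET

# Constructed sample event, shaped like the one in the question.
SAMPLE_EVENT = """<EventData>
<Data Name="ID">5</Data>
<Data Name="ProductA">Screw 16</Data>
<Data Name="ProductB">Screw 11 </Data>
<Data Name="ProductC">Screw G</Data>
<Data Name="ProductD">Screw 9</Data>
</EventData>"""

# Assumed mapping (hypothetical): which Product* field holds the result
# for each ID. In Splunk this is the lookup table, one row per ID.
ID_TO_FIELD = {5: "ProductB", 6: "ProductD", 240: "ProductB", 499: "ProductB"}


def parse_event_data(xml_text):
    """Turn <Data Name="X">value</Data> elements into a dict {X: value}."""
    root = ET.fromstring(xml_text)
    fields = {}
    for data in root.findall("Data"):
        name = data.get("Name")
        if name is None:
            continue
        # Strip trailing whitespace such as "Screw 11 " in the sample.
        fields[name] = (data.text or "").strip()
    return fields


def resolve_result(fields, id_to_field=ID_TO_FIELD):
    """Return the value of the Product* field selected by the event's ID.

    Returns None when the ID is not numeric, has no mapping, or the mapped
    field is absent from this event (the cases Splunk would leave null).
    """
    try:
        event_id = int(fields.get("ID", ""))
    except ValueError:
        return None
    source_field = id_to_field.get(event_id)
    if source_field is None:
        return None
    return fields.get(source_field)


def result_for_event(xml_text, id_to_field=ID_TO_FIELD):
    """Parse one raw EventData block and resolve its Result field."""
    return resolve_result(parse_event_data(xml_text), id_to_field)


if __name__ == "__main__":
    print(result_for_event(SAMPLE_EVENT))  # Screw 11
```

The lookup dict is the part worth carrying over to Splunk: maintaining the ID-to-field table as data rather than as nested if()/OR logic keeps the transform readable and lets you change a mapping without touching props.conf or transforms.conf.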
Hi all, I hope you are well. I have a query and I don't know if this is the correct thread for it; I hope so. I have a presentation of differentiators with IBM QRadar and, among some details that I found very interesting within the Battlecard found on the portal, I was struck by the fact that IBM QRadar is a database-based SIEM solution (legacy SIEM solution), and therefore it has difficulty correlating historical data, unlike Splunk, which can do it because of its structure. Based on this, I have reviewed and found that Splunk also bases its structure on a database layout where it stores the indexes, which is the SPLUNK_DB file. Considering this, don't both solutions handle index storage in a database? Why then the differentiation that one, by its architecture, is limited in historical correlation searches? Could you give me some support on the details of this? Thank you very much in advance!!!
I have a dashboard displaying counts on some event types I have created. I tried to optimize by adding a base search to my dashboard, but it seems that event types are not available in the results of the base search. Is this expected? Any workaround?
Hello everyone. I want your help to build an interactive dashboard with multiple options. The aim is to perform different actions depending on the column of the dashboard.

1. If I click any field in column A, it should open a linked dashboard in a new tab.
2. If I click any field in column B, it should open a search in a new tab for that field name.
3. Do nothing for columns C and D.

I tried with <condition> in the drilldown, but the link and search options are not working in the condition tree. I am only able to do "$click.value2$" directly from the UI for all the fields, or link to a particular row with $row.value$. If someone can help with multiple options in a single dashboard, it will be really helpful. Thank you.
Hi all, I need help converting the time format. I want to add another 10.5 hours to the submit date. Below are the queries I tried, which failed.

    1. | eval Time=strftime(Submit_Date+10.5*3600,"%Y-%m-%d %l:%M:%S %p")
    2. | fieldformat Time=strftime(Submit_Date+10.5*3600,,"%Y-%m-%d %H:%M:%S")

The complete code is below.

    | dbxquery connection="ITDW" shortnames=true query="SELECT GETDATE() as 'CurrentTime', [Incident_Number], INC.[Company], [Customer], [Summary], [Notes], [Service], [CI], [Impact], [Urgency], [Priority], [Incident_Type], [Assigned_Support_Group], [Assigned_Support_Organization], [Status], [Status_Reason], [Resolution], [Reported_Date], [Responded_Date], [Closed_Date], [Last_Resolved_Date], [Submit_Date], [Last_Modified_Date], [Owner_Group]
        FROM [shared].[ITSM_INC_MAIN] INC
        LEFT OUTER JOIN [shared].[ITSM_CMDB_People_Main] PPL ON INC.Customer_ID = PPL.Person_ID
        WHERE ([Assigned_Support_Group] = 'Ops-WAN and LAN Incidents')
        AND [Submit_Date] BETWEEN DATEADD(D,-3,GETDATE()) AND GETDATE()"
    | table Customer, Incident_Number, Submit_Date

How can I edit the time in dbxquery? Please help with that. Whenever I try strftime, the output comes back blank with no value.
I need an email alert query that fires if the count is zero for about 30 minutes, and I need only one email alert saying the count is zero. For example: I have one service whose count is 0 between 11 and 11:30 AM; then I must receive an email alert saying the count is zero. Help me, please.
Hello Team, I have installed Splunk on my Ubuntu machine at localhost 127.0.0.1:8000. Earlier I could open Splunk at localhost with my login details. Now I can't log in, and it's showing me an error saying Firefox can't establish a connection to the server at 127.0.0.1:8000. Can anyone help with this matter? Thanks, Ram
Hi Team, can you please let me know what configuration should be done on the heavy forwarder Splunk instance so that the saved search results that are indexed into the summary index can be forwarded to the receiving instance? Currently, I have configured HF1 to forward data to Search Peer 1. This allows me to route all the Splunk DB Connect query results to the search peer instance without fail. However, if I have a saved search created on the HF instance (in my case there is a need to have a saved search configured on the HF), how can the saved search results be routed to the search peer? Can I configure the HF instance HF1 to be another search peer for the Search Peer 1 instance to obtain the data? I will appreciate any help in this regard.
Greetings, I'm designing a deployment server component for my team, and inputs.conf is a question I haven't fully worked out. Since inputs are arbitrary, one-off decisions made by a client, would a valid approach be to just make a serverclass configuration for each specific input as our clients request them? Is there such a thing as grouping inputs? Right now I'm thinking about having a serverclass for each index, then including the case number in the client name, and assigning the apps/indexes accordingly. I'm curious to learn about success or failure stories. Thanks again!
I ended up finding the answer to this question. It took me several hours to figure out, so I thought I'd post it here for future Splunkers. I added some custom visualizations in a Splunk dashboard. I print these dashboards to a PDF and want to preserve the color. I was trying to figure out why my charts did not print out in color, but other Splunk charts did. It turns out that it has to do with the Splunk CSS. It has a print configuration like the following:

    @media print {
      .visualization-controls {
        display: none !important;
      }
    }

If the element doesn't contain the "!important" property, the formatting is removed when printing. So when setting the color of my objects, I had to add "!important", like the following:

    color: darkred !important;

Otherwise, just doing "color: darkred" will not pass through the color when printing.
Hello there! I am trying to highlight a table row whenever it is clicked. This is the JavaScript I use to highlight a row based on a cell string value:

    require([
        'underscore',
        'jquery',
        'splunkjs/mvc',
        'splunkjs/mvc/tableview',
        'splunkjs/mvc/simplexml/ready!'
    ], function(_, $, mvc, TableView) {
        var CustomRangeRenderer = TableView.BaseCellRenderer.extend({
            canRender: function(cell) {
                // Enable this custom cell renderer for the host field only
                return _(["host"]).contains(cell.field);
            },
            render: function($td, cell) {
                // Add a class to the cell based on the returned value
                var value = cell.value;
                // Since only one field is passed by canRender, this if is not strictly required.
                if (cell.field === "host") {
                    // Add the range class based on the cell value.
                    if (value == "test") {
                        $td.addClass("range-cell").addClass("range-green");
                    }
                }
                // Update the cell content with the string value
                $td.text(value).addClass('string');
            }
        });

        mvc.Components.get('highlight').getVisualization(function(tableView) {
            tableView.on('rendered', function() {
                // Delay so the custom classes are applied after the built-in renderer has finished.
                setTimeout(function() {
                    // Copy the cell's classes to the parent row in order to color the whole row
                    tableView.$el.find('td.range-cell').each(function() {
                        $(this).parents('tr').addClass(this.className);
                    });
                }, 100);
            });
            // Add the custom cell renderer; the table will re-render automatically.
            tableView.addCellRenderer(new CustomRangeRenderer());
        });
    });

It works with this dashboard:

    <dashboard script="script.js">
      <label>test</label>
      <row>
        <panel>
          <table id="highlight">
            <search>
              <query>| makeresults | eval host="test" | append [| makeresults | eval host="hello"] | table host</query>
              <earliest>0</earliest>
              <latest></latest>
            </search>
            <option name="drilldown">cell</option>
            <drilldown>
              <set token="clicked_row_tok">$click.value$</set>
            </drilldown>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <title>$def$</title>
          <html>
            <style>
              #highlight tr.range-green td {
                background-color: #F2B827 !important;
              }
            </style>
          </html>
        </panel>
      </row>
    </dashboard>

But instead of highlighting a row based on a value, I would like to highlight the clicked row (token $clicked_row_tok$). So I guess I have to implement something like this:

    // Access the "default" token model
    var defaultTokenModel = mvc.Components.get("default");
    defaultTokenModel.on("change:clicked_row_tok", function(newTokenName, clicked_row_tok, options) {
        ...
    });

To be able to do this:

    if (cell.field == clicked_row_tok) {

But I am struggling to mix them both, so I am here for help.
Sendemail apparently stopped working, and python.log has the log messages below repeating whenever I test "sendemail" or an email alert is triggered. But then the email appears to be discarded silently. The mail server doesn't have any logs from the SH, which means, according to the email admin, that no connection is attempted from the SH. Symptoms: no accounts, including admin, are able to send email alerts. Log message in python.log:

    2020-08-05 09:10:42,196 -0700 ERROR sendemail:1421 - Only absolute URIs are allowed. uri = No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_adm.m.11905a0d206502752431c8c204542692^M
    No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_adm.m.11905a0d206502752431c8c204542692^M
    <SNIP>
    No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_vik.b.69565216b720a1546ffc9ae8d5aa120b^M
    No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_wil.p.1294be4f866029819ac22bdc54e1695b^M
    No mapping for safe name: D:\Program Files\Splunk\etc\users\users.ini: pac_xao.c.6f1004219c3b1ceb9a5cee5f5dea227d^M
    https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/_new?output_mode=json
I have two apps installed on Windows clients. One looks like the full-blown Windows_TA app and one looks like a truncated one. I worked with a PS to get all these apps initially installed. Everything in the full Win_TA looks to be disabled. The truncated one looks very simple and has some stanzas from the Win_TA app. I made a change to the truncated one (a blacklist addition) and I believe this has taken effect. Am I assuming correctly that the app with the truncated version of the Windows TA is the actual app telling the Windows hosts which logs to send? Also, if my assumptions are correct, is this common practice?
Hello Splunk Community, I would like to know if I can create a new column field from a multivalue field. MV field = 1, 2, 3, 4; then I have another MV field a, b, c, d. After that, I want my search result to look like in the picture. Thanks in advance.
Hey all, I am looking to revamp our Splunk test environment and build a new one from scratch that better suits our needs. Our production environment consists of both a search head cluster and an indexer cluster, along with all of the other various Splunk components. I would love to replicate our clusters on a smaller scale to ensure our test environment pretty closely mirrors production. It appears, though, that the Dev/Test license doesn't support clustering. Does anyone have any recommendations on how best to go about it? I can set up standalone instances with no problem; I'm just curious how others have addressed this, as newer versions of Splunk sometimes make changes to clustering services and I want to ensure they are close to 100% tested before production upgrades. Also, what's the best way to get test data into the test environment? Is the best route to just forward some data from production? Is there a way to mask the data, or a way to create dummy data? Thanks in advance! Andrew
Hi, I need to collect Azure container logs into Splunk. I will utilize the Azure Monitor app for Splunk. As far as I know, it pulls logs from Event Hub. Then the Azure container has to send its container logs to Event Hub. Is that possible? What is the best integration method to collect data from Azure containers into Splunk?
I have set up a Splunk Enterprise trial instance on a Red Hat Linux server. I enabled and set up the HEC; however, when I try the curl command to check:

Case 1: I get a successful response if I use localhost or <server name> from within the server.

    curl -k http://<servername>:8088/services/collector -H "Authorization: Splunk <token>" -d '{"event": "hello world again"}'
    {"text":"Success","code":0}

Case 2: I get a 404 error when I use the <servername> in the command from outside the server.

    curl -k http://<servername>:8088/services/collector -H "Authorization: Splunk <token>" -d '{"event": "hello world again"}'
    {"text":"The requested URL was not found on this server.","code":404}

I verified that the outside world can telnet to port 8088 on the server. Also, the console opens on port 8000. Are there any changes I need to make on the server? Or any configs on the Splunk end?
I am trying to get a subsearch to return a single value which represents an IP address, and I am getting an error "Error in 'eval' command: the number (ip address) is invalid".

    eval a= [ search index=pan sourcetype=pan:traffic dest_port=22 | stats count as c by src_ip | sort - c | head 1 | return $src_ip ]

Any ideas?
What's everyone doing for collecting both Windows Event Logs and Sysmon? Are you collecting all Event IDs or only a small subset? What Sysmon config are you using? Have you tuned it to your environment, or are you just using something like SwiftOnSecurity's Sysmon config? I ask because our Windows license usage has grown from ~120G to ~250G and I need to reduce our license usage, but I don't want to miss anything.
How do I include the events even when the field is not present, when selecting All in the dashboard? Explanation: I have a dashboard with two dropdown inputs (e.g. Input A and Input B). Input B is populated from a lookup with fields like a, b, c, etc. Now there are some entries in the lookup where field a is not present (null), and all those entries are never visible in the dashboard. Reason: the query for Input B is like:

    | inputlookup mylookup | search a="$tkn_A$" | table b, c

So, even when I select the value "All" (*) for Input A, these values still don't show. How can I show these values in the filter when "All" (*) is selected in Input A?