Hello Everyone, I have searched for this everywhere but have not found any suitable answer. I have the Splunk App for Windows Infrastructure installed and I can see the group policy changes in it. However, it only shows the name of the GPO and the user who changed it. I also need to know which GPO attribute was changed by the user. I am not sure how to achieve that using Splunk. I also tried the app "MS Windows AD Objects", but that too doesn't show any relevant information. I have checked the following links for answers:
https://community.splunk.com/t5/Archive/Query-for-Checking-GPO-Changes/m-p/384810/highlight/false
https://community.splunk.com/t5/Security/How-to-identify-an-admin-who-made-a-change-in-GPO/m-p/469984#M10908
https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-correlate-the-admin-user-with-a-GPO-change/td-p/159210
and all the links within those answer threads. It would be great if someone could please assist me with this, as it's very important for the organization.
Thanks,
Rahul
Hi, We are trying to ingest logs from an S3 bucket into Splunk. We are not seeing any error on the Splunk end, but the logs are not getting ingested into Splunk. Let me know how to proceed further.
Thanks,
Vijay Sri S
Hi all, We are not able to add any other colleagues as collaborators for the investigations. Can someone please help me with what role has to be added? The ESS Analyst already has the below roles related to investigations added:
manage_all_investigations
Thanks!
SM
Is it possible to replace the default search command within an app with a custom one?
Basically, what I would like to do is create a custom application where, when you are in that application and you type in the search bar, the query goes to a custom script (a generating command) instead of the default search utility. The only way I know is to prefix everything with `|mycmd ...`. But this is less than ideal for 2 reasons:
1. It would be easier on users to be able to just type their query without having to remember the generating command they have to use.
2. When using the UI to select values and "add to search"/"exclude from search"/"new search", it appends `|search ...` to the query instead of passing the filter to the generating command. This results in the generating command gathering a ton of data that's just going to be filtered out. My command is capable of handling the filtering, and it would be much more performant if the filter terms were passed to it directly.
I have the below setting to generate incidents in ServiceNow. This alert is scheduled to trigger every 5 min. But it will create a number of incidents in ServiceNow, as correlation_id is unique for every alert. I need to stop the flooding of incidents in ServiceNow. I need to:
1) Create an incident in ServiceNow if the alert triggers, e.g. P1.
2) Update the same incident P1 until its state is closed or resolved in ServiceNow.
3) If incident_state is resolved/closed, only then create a new incident P2.
So that it can prevent flooding of incidents in ServiceNow. Also, I am not sure how we can set up correlation_id in that case. Please help.
Hi, Below is my result set:
latitude | longitude | values
-77.123 | 123.123 | 5
-77.223 | 123.223 | 51
-77.323 | 123.323 | 25
I want to display a geo heatmap and, based on the values field, change the color on the map, e.g. the maximum value should be highlighted as red and the minimum value as green. Is it possible to achieve this on a map?
Thanks,
Hi, I am using a drilldown URL like the one below, and in riskscore_token I have values like "1/4", "2/4", "3/4" or "4/4". When passing this to the drilldown page it is getting converted to riskscore_token="1597788000.000", which ideally should be riskscore_token="4/4".
https://url/app/drilldown_page?riskscore_token='$click.value$'
How do I get rid of this and pass the exact string value rather than a numeric one?
Thanks
Hi all, I'm a bit of a newbie to Splunk, but I was trying to create a dashboard using the stats count by function for a field called 'Labels'. Within the Labels field you can have multiple labels. An example would be:
Log1: Field name (Labels): RCA_Required, Sev1
Log2: Field name (Labels): RCA_Required, Sev2, Med_Ex
Log3: Field name (Labels): Sev2
If I use the function 'stats count by', I'll get:
RCA_Required: 2
Sev2: 2
Med_Ex: 1
Sev1: 1
My question is how I can remove 'RCA_Required' from the list without removing that log or missing the rest of the labels associated with that log. My expected results would be:
Sev2: 2
Med_Ex: 1
Sev1: 1
Thank you.
Posting a new question similar to my query from this post: https://community.splunk.com/t5/Getting-Data-In/Index-time-masking-maintaining-string-length/td-p/514705
I have the same requirement but for a different format of string. I am trying to customize the rex/sed (SEDCMD=s/(?=[^\|]+\w{4}]$)./#/g) for this format but have not been able to achieve it yet.
2020-08-19T07:42:38,942 [Engine 9] TRACE MEHSegment WHERE "00" "00000123456                 " 1 240
should give me:
2020-08-19T07:42:38,942 [Engine 9] TRACE MEHSegment WHERE "00" "0000012XXXX                 " 1 240
Hello all, We have Splunk Enterprise in our company and our developers need the training Advanced Searching and Reporting and Fundamentals 2. I can see 2 courses on different sites:
https://www.splunk.com/en_us/training/courses/advanced-searching-and-reporting.html
This one says you also need Splunk 3 to complete it? Is this a hard requirement? However:
https://education.splunk.com/course/advanced-searching-and-reporting-with-splunk-7x-iod
This one says nothing about prerequisites. We use Splunk 7 in our company. And what is the difference between these 2 URLs? Do they point to the same courses or are they different?
Thanks!
I have a string like the one below:
{ABC,DEF,GHI,JKL}
I am able to show it as below in my result:
1. ABC     DEF     GHI     JKL
But I want each one in a separate row:
1. ABC
2. DEF
3. GHI
4. JKL
Hi Experts... We have a requirement where we need to integrate multiple Azure ADs with Splunk Enterprise for authentication. I have gone through blogs and articles and noticed that the Splunk console only allows us to do a SAML configuration for a single one at a time. Due to this I am a bit confused and need input on whether it will allow us to integrate with multiple ADs. I request folks to share thoughts on the above requirement, and please share if someone has already tried the same.
Hi Team, I got a few questions from the Autobahn Security team, who tried to connect their custom app to Splunk. They found a problem in transferring data from their platform to Splunk. Here are their questions:
How do we go about building a plug-in/connector that integrates the two apps?
What access do we need from a DevOps standpoint to orchestrate this?
Is the Splunk web app also the same as Splunk Enterprise?
How do we set up a Universal Forwarder connecting our API endpoint to the Splunk Enterprise app?
One of my teammates modified my existing alert and I want to know the query modification he made. I am able to find who modified the alert and when, but I am not able to compare the old and new search query. Is there any way to find the original query and the modified query so that I can compare them?
Hello, I'm running this dashboard:
<form>
  <label>LSAP</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="lsap_token" searchWhenChanged="true">
      <label>lsap</label>
      <default>*</default>
      <change>
        <condition match="$lsap_token$ == &quot;BCG29&quot;">
          <set token="limit_token">""</set>
        </condition>
        <condition match="$lsap_token$ == &quot;COL41&quot;">
          <set token="limit_token">"127.0.0.1 tomcat: Starting dataload"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>LSAP Dashboard</title>
      <table>
        <search>
          <query>index="prod" $lsap_token$ $limit_token$
| append [ search index="prod" sourcetype=flights
    | dedup Tail_no, Actual_time_departure
    | sort 0 -Actual_time_departure
    | streamstats last(Origin) as last_origin by Tail_no current=false
    | eval _time=strptime(Actual_time_arrival, "%Y-%m-%d %H:%M"), Destination=if(Destination=last_origin, Destination, "UNKNOWN")
    | rename Tail_no as tail_id]
| sort 0 _time
| streamstats latest(Destination) as airport by tail_id time_window=1mon
| search sourcetype!=flights
| fillnull value="UNKNOWN" airport
| fillnull value="unassigned" eventtype
| eval Date=strftime(_time, "%Y-%m-%d")
| table Date,tail_id,_raw, airport, eventtype
| sort tail_id, Date</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
After refreshing the page with the F5 button I'm getting an "unknown sid" error. It is not happening when I remove $limit_token$ from the search. Any suggestions as to what is wrong?
Thanks
Hi, I am trying to add a logo beside the title section of a panel. I have not been able to get any idea of how to add it. If anyone has any idea about this, please share. I want to see it in the panel title like the image below.
Thanks in advance.
Hello, I have a table like this:
ID ACTION USER
1 success Admin
2 success user2
3 Fail user2
4 Fail user2
5 Fail user2
6 success user2
7 Fail Admin
8 Fail Admin
9 Fail user2
10 Fail user2
11 Fail Admin
12 Fail user2
13 Fail user2
If I want to show, by user, all the actions (success) where the 3 previous actions = fail, the result should show:
-- the row with id = 1 ==> because the Admin in her previous status has 3 fails (id=7, id=8, id=11)
-- the row with id = 2 ==> because user2 in her previous status has 3 fails (id=3, id=4, id=5)
-- the row with id = 6 ==> because user2 in her previous status has 3 fails (id=9, id=10, id=12)
And if I want to show, by user, all the actions (fail) where the 3 previous actions = fail, the result should show:
-- the row with id = 9 ==> because user2 in her previous status has 3 fails (id=10, id=12, id=13)
Hi, I got 1 question: Since I cannot find the Autobahn Security (world's most impactful web vulnerability scan engine) app in Splunkbase, I created a custom Splunk app add-on for API integration. We have a plan to integrate our API engine and have the data exported to Splunk for our clients that use Splunk. We want to see the vulnerability data points and create an add-on for Splunkbase, but it's hard to display in Splunk. How do we push the data from our software, integrated with Splunk?
Hey! I want to set a token value from my custom visualisation. How can I do it? When I try to use splunkjs/mvc I get: Cannot resolve module 'splunkjs/mvc'
Hi Splunkers, I am trying to get some fields from a data model. My search is:
| tstats `summariesonly` count from datamodel=Change where nodename=All_Changes.Account_Management.Accounts_Created by All_Changes.src_user
And the src_user field is inherited from the Account_Management root node. This search returns results, but they are not showing in the web page. But when I do the same thing with data model pivoting, the results are showing. How do I fix the problem?
Thank you.