All Topics
Hi all, I am using a Slack webhook as an alert trigger action to send the alert details to our MS Teams channel. My problem is formatting the message sent. As of now I am getting everything in a single line. Should I pass JSON or plain text? Please help.
Hi, I have fields Jan, Feb, Mar ... Dec with values for each month, and I want to take the sum of the current month and the last month. I was trying to first check the current month and last month using eval like below, and this eval gives me the current month name (Jul) and the last month as Jun:

    eval curr_mon=strftime(now(), "%b")
    eval last_mon=strftime(relative_time(now(),"-mon"),"%b")

Now I have fields named:

    Name   id     Jan  Feb  Mar  Jul  Jun  Aug
    xyz    123A   10   20   20   25   30   15
    ABC    145B   20   15   30   25   30   20

I want to take the sum of the current month and last month fields with stats. I tried like below but got no results:

    stats sum('curr_mon') as current_total sum('last_mon') as last_total

I want this search to automatically show the current month's sum, not using a static value in the stats sum expression. Please suggest.
Since we updated Lookup Editor to version 3.4.5 and then 3.4.6, the horizontal scrollbar disappeared and we cannot scroll to the right. There are also some issues scrolling down, where it goes to line 100 and blocks; then only with the keyboard arrows can we go down. Thanks
Hi, Is there a way to sync the account configuration created by Splunk Add-on Builder in a Search Head Cluster? It uses a custom conf, <app_name>_account.conf, where it saves account and username; in passwords.conf it saves only account and password. Since <app_name>_account.conf is not synced among the cluster's members, every new account added using the interface is not replicated, and so it is unusable. What configuration am I missing? Is the only way to edit the replication whitelist and add the file? Thanks, Andrea
Hi, I have a log message like "total accounts for user is 11 retrieved in 67 milliseconds". How do I extract 11 as totalaccounts and 67 as seconds and visualize a chart?
Hello, I wrote a query for Windows AD to detect brute-force attacks:

    index="main" (EventCode=4624 OR EventCode=4625) Account_Name="*" NOT Account_Name="-"
    | stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Account_Name
    | where Attempts>=5 AND Failed>=5 AND Success>0
    | eval FirstAttempt=strftime(FirstAttempt,"%x %X")
    | eval LatestAttempt=strftime(LatestAttempt,"%x %X")

Along the same lines, can anyone share the exact query for two scenarios?
1. Linux machines
2. ForgeRock authentication
Example file: Stocks.csv

    Stock ticker   Stock price
    IBM            120
    NFLX           240
    APPL           999

And in the dashboard it will show: "Number of stocks selected by input: 3". The user has a text input where they can put a search term that will search both columns at once (the token for the search query is $Stocks$). If the user puts in, say, "L", this is what will return:

    Stock ticker   Stock price
    NFLX           240
    APPL           999

And in the dashboard it will show: "Number of stocks selected by input: 2". I've tried this query:

    |inputlookup Stocks.csv |stats count as Total

(which only gets the total number of stocks in the csv file, NOT the actual number of stocks selected by the user from their text input). However, is there any way possible to get the "Number of stocks selected by input" correctly?
I have Splunk set up in 2 different environments. Splunk in environment A is accessible to all users. Splunk in environment B is accessible to limited users. Data in environment B is indexed into multiple indexes. I want data from index A to be forwarded to the indexer of Splunk in environment A. I have modified outputs.conf of the indexer in Splunk B with the values below:

    [tcpout]
    indexAndForward = true
    forwardedindex.filter.disable = false
    forwardedindex.2.whitelist = os_abc
    forwardedindex.0.blacklist = history
    forwardedindex.1.blacklist = main
    forwardedindex.2.blacklist = os_cde
    forwardedindex.3.blacklist = summary

    [tcpout:ostravam]
    disabled = false
    server = hostip:port

Error from the logs of the indexer server, as mentioned below:

    07-21-2020 00:45:57.221 -0400 ERROR TcpOutputFd - Read error. Connection reset by peer
    07-21-2020 00:45:57.221 -0400 WARN TcpOutputProc - Applying quarantine to ip=10.145.243.21 port=9997 _numberOfFailures=2
    07-21-2020 00:45:57.224 -0400 INFO ProxyConfig - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.

Error from the logs of the server I was connecting to:

    07-21-2020 15:39:48.975 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35248. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    07-21-2020 15:39:48.979 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35250. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Is there anything that could assist me in getting around this?
Hi there, I have a bit of a tough one. I have a log with multiple entries of the same field, basically a list of values. I am trying to merge these values into a single new field, with a line for every value that was in the raw event. An example:

    2020-07-21T01:52:37+00:00 devicename=device1 | id=a522131 | date=2020-07-21T01:51:20 | name=peter | score=5 | action=read | randomfield1=nothingimportant | score=2 | action=read | score=2 | action=write | score=2 | action=write | randomfield2=nothingimportant

The intended resulting table, where "actions" is an mv field listing all actions (merging "score" and "action" as well), each on its own line but within the single field (actions):

    name=peter
    actions=
      5:read
      2:read
      2:write
      2:write
I'm trying to display failed user login information by using a timechart, but I'm not sure how to show the time and date of the logins for each of the users. This is my code:

    source="General-linux-sql.log" AND sourcetype="Linux" AND "Failure Audit" AND "Logon "
    | rex "User Name\: (?<User_Name>[^\s]+)"
    | timechart count by User_Name

This is the output that I get. Also, how do I change it so that all the users are separated?
Hello,
Splunk Enterprise Server 8.0.5
ES: splunk-enterprise-security_620.spl

I proceeded to install exactly as indicated on the page https://docs.splunk.com/Documentation/ES/6.2.0/Install/InstallEnterpriseSecurity. I restart the server and access via web, and I see the app. I start the SETUP process and I get the error message:

    Error in 'essinstall' command: install_apps failed - Splunkd daemon is not responding: ('Error connecting to /services/apps/local: The read operation timed out',)

I see that other people have presented the same error, and a link is shared where they refer to compatibility issues: https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/CompatMatrix. Compatibility exists but the error persists.
Hi, "All-time" in the search interface means "now and in the future". "Since" in the search interface means "since, up until now". I have always just accepted that "since" behaves weirdly in this way. Today I discovered that "all-time" to the report scheduler means "up until now". That is, it does not populate `dispatch.latest_time` in `savedsearches.conf`. To me it seems extremely dangerous to have two different meanings of "all time" in the search interface vs. the scheduler, especially because you might have an all-time search in the search interface that then doesn't work as a savedsearch. What is the logic behind this?
Hello all, I've tried to search here and through search engines with no luck. I can't seem to get the knack for referencing which event's information I want to pick from. I'm trying to join together information from two different events, in the same sourcetype, picking the relevant information from each of the two raw events into a single, more meaningful event. An example:

Event 1:

    45 1 191 2020-07-20 20:55:26.540 1 873 23 NULL NULL cn13mhy SSS_ABC123_DB NULL NULL ; ; ; ; , 8.8.8.8, network password sybase encryption; ; cn13mhy/ase;

Event 2:

    1 0 191 2020-07-20 20:55:26.543 1 873 NULL NULL NULL cn13mhy sybsystemprocs NULL NULL CLIENTAPPINFO;app_name=PPP host_pid=17544 NULL

The first numeric is the event number. 45 is the Sybase ASE login event. 1 is an application/vendor generated event lower in the application. Each event, 45 and 1, has useful information. Event=45, which will always generate with the older timestamp, has IP information within the extrainfo field. Event=1 has the application name and the host PID in the extrainfo field. I'm looking to merge those two events, with slightly dissimilar timestamps, into a single event where I can display 45's timestamp, 45's database name (SSS_ABC123_DB), the userid (cn13mhy in both), 1's app_name, and 1's host_pid.
I'm trying to close a Notable in ES from Phantom. I'm using the update event action from the Splunk app (v1.3.41), but it's failing when trying to validate my ES event_id. That action validates the notable event ID by checking the incident review lookup. This lookup doesn't automatically have an entry for new notables, only when their status/comments/other is changed. The validation code in question, from splunk_connector.pyc, is as follows:

    search_query = ('|`incident_review` | search rule_id={0}').format(ids)
    ret_val = self._run_query(search_query, action_result)
    if phantom.is_fail(ret_val):
        return action_result.set_status(phantom.APP_ERROR, ('Error occurred while validating the provided event ID. Error: {0}').format(action_result.get_message()))
    if int(action_result.get_data_size()) <= 0:
        return action_result.set_status(phantom.APP_ERROR, 'Please provide a valid event ID')
Hi, As I see in many documents and comments here, the Universal Forwarder does not break lines with "LINE_BREAKER" in props.conf; that is the role of the indexer. This is what I am understanding. But I tested it myself, and I saw that the Universal Forwarder is able to do line breaking.

props.conf:

    [test_srctype]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = ([\r\n]+)

    [monitor:///home/ec2-user/test.log]
    disabled = false
    index = test_idx
    sourcetype = test_srctype

Is my understanding wrong?
I am trying to set up G Suite SAML for Splunk. I followed the steps mentioned in this link: https://clevertap.com/blog/saml-sso-authentication-for-splunk-with-g-suite/ However, I am getting a `No arguments found.` error in the Splunk UI. Can someone advise? Thanks.
Hello, I'm trying to replace a custom app that had all references of a word changed to another (like a company rename) such as in saved search titles, panel titles, etc. I delete the old app folder and paste over the new app folder (same app, but I used a script to replace all of word 'x' with word 'y'), ensure file permissions are inherited and double-checked, and restart Splunk. But when I try to navigate to that app I get Splunk's version of a 404 page not found (picture of Buttercup in a black Splunk shirt). Am I missing a key step? Maybe some reference to the original app path in the system? Maybe it should work and the issue is that the script that replaced the keyword could have broken something?
We have 5 hosts, 3 on west and 2 on east, and each of them takes x% of requests. The stats we have right now look like:

    host         | percentage
    ip-1-west    | 15
    ip-2-west    | 15
    ip-3-west    | 20
    ip-4-east    | 20
    ip-50-east   | 30

Now I'm trying to group the percentage by east and west so I can have statistics like:

    host   | percentage
    west   | 50
    east   | 50

Can someone help me with this?
Hello everyone, I have a Splunk query that returns the connection ranges with the start and end of the connection. Below is an example.

    user   DateMin               DateMax
    1234   2020-07-14 04:54:21   2020-07-14 06:02:54

I would just like to display connections that last at least 6 minutes. Thanks.
Searching for events in _audit is special because when I run a search, my own ad-hoc search gets added to the returned events. I end up literally chasing my own tail. Is there a search term I can add inline to tell Splunk I want the "original" event, and not results from my own search activity on said event? I know I can use NOT user=me, but that's super explicit and that can't be the solution. There has to be a feature to handle this, right? Thanks