All Topics

Hello Splunkers,

We're going to collect Google G Suite Audit logs into our on-premises Splunk deployment. I can see in the Splunk Add-on for Google Cloud Platform documentation (https://docs.splunk.com/Documentation/AddOns/released/GoogleCloud/Configureinputsv6topics) that it's doable through Splunk HEC, and in this case it requires a Splunk instance that faces the Internet with a static public IP address, but we don't recommend this approach because of its complexity.

My question is, can we pull the G Suite Audit logs by other means? I mean, can the Audit logs be forwarded to a Google Pub/Sub subscription so that we pull them from the TA's Cloud Pub/Sub input?

Regards,
My log sample looks like this:

    testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,

I need to extract a few fields into my table, e.g. PlNumber, Src, SrcId. I'm trying the below:

    <mysearch> ... | rex "SrcId=(?<SrcId>.*)" | table PlNumber, Src, SrcId

In the results, the SrcId column is concatenated with the other tail columns, like:

    | PlNumber | Src     | SrcId                                                          |
    | testPl   | testSrc | 1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=, |

What I need:

    | PlNumber | Src     | SrcId               |
    | testPl   | testSrc | 1234_src1;1234_src2 |

I know that my regex is missing something. Kindly help me achieve this.
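As an added example (not part of the post above), the Python below reproduces the greedy-regex problem on the posted log line and shows the bounded pattern that fixes it, plus a parser for the whole pipe-delimited key=value tail. The sample record is copied from the post; the function names and the `,|` split point are my assumptions. The equivalent SPL fix is `| rex "SrcId=(?<SrcId>[^|]*)"`: match everything up to the next `|` delimiter instead of `.*`, which runs to the end of the event.

```python
import re

# Sample record copied from the post: a CSV head followed by a
# pipe-delimited key=value tail.
SAMPLE = ("testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,"
          "2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,"
          "162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error"
          "|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688"
          "|ParentId=|TransactionType=,")

# The pattern from the post: greedy ".*" consumes the rest of the line.
GREEDY = re.compile(r"SrcId=(?P<SrcId>.*)")
# Corrected: stop at the next "|" (the field delimiter) or end of string.
BOUNDED = re.compile(r"SrcId=(?P<SrcId>[^|]*)")


def extract_greedy(raw):
    """Extraction as in the post; returns SrcId plus every field after it."""
    m = GREEDY.search(raw)
    return m.group("SrcId") if m else None


def extract_bounded(raw):
    """Extraction with the delimiter-aware character class."""
    m = BOUNDED.search(raw)
    return m.group("SrcId") if m else None


def parse_kv_tail(raw):
    """Split the key=value tail into a dict so every field has a hard boundary.

    The head/tail split on ",|" is an assumption based on the sample; adjust if
    the real format differs. Empty values (ParentId=) come back as "".
    """
    _head, _sep, tail = raw.partition(",|")
    fields = {}
    for pair in tail.split("|"):
        key, eq, value = pair.partition("=")
        if eq:  # skip fragments that are not key=value
            fields[key] = value.rstrip(",")  # the last field carries a trailing comma
    return fields
```

One more thing to check before blaming the regex: the log writes `src=testSrc` in lower case, but the `table` command asks for `Src`. Splunk field names are case-sensitive, so that column will be empty unless the extraction names it `Src` (for example `rex "\|src=(?<Src>[^|]*)"`).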
Hello,

We are trying to monitor certain events that are user generated and can either be placed in the z/OS Syslog, which is forwarded to Splunk via the CDP Syslog Forwarder for z/OS, or in a sequential file. On a performance basis, should we use syslog queries (which would run on the whole syslog sourcetype), or define a new sourcetype for the file that will be forwarded to a listener on the CDP remote server? Will the queries run longer and be more demanding on the Splunk server?

Thanks in advance.
Is there any way to check how much log data is being generated in DEBUG log mode for a particular index? Let's say the index name is my_index and I need to check the size of the logs generated in DEBUG mode:

    index=my_index DEBUG

@woodcock please help
I have installed the Splunk Add-on for Tomcat on the search head and indexer, and by using a Universal Forwarder I am sending my Tomcat logs to the SH and indexer. I have configured my Tomcat URL under the setup page of the add-on and I am able to parse the logs and extract the fields. It is good till here; now I have multiple Tomcat servers to send logs from. How do I configure the multiple server URLs under this setup page? Is it meant for accepting a single URL?
    AccountName  FAILURE  SUCCESS  IMPACT  LOSS%  Total
    Account1     2000     149      0.1     11.33  10804
    Account2     2081     262      0.10    9.55   2043
    Account3     1630     1554     0.01    9.49   1017

The output was from an inner join. I want the output with the field names aligned and sorted into a different order.

Before:

    AccountName  FAILURE  SUCCESS  IMPACT  LOSS%  Total

After sorting it should be:

    AccountName  FAILURE  SUCCESS  Total  IMPACT  LOSS%
Hi,

How do I compare dates and exclude the event if it is older? I have here my table from the transaction command. I want to compare the ReportedTime to the Occurtime. If it is older, then the NeSn will be excluded.

    ReportedTime      NeSn       Occurtime
    2020-07-01 23:38  117629897  29/04/2020 12:03
                      117629923  11/06/2020 23:26
                      117629924  11/06/2020 23:26
                      117629925  11/06/2020 23:26
                      117629926  11/06/2020 23:26
                      117629927  11/06/2020 23:26
                      118106613  5/07/2020 21:30
                      114218693  14/04/2020 6:32

Regards,
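An added example, not part of the post above: the two columns use different date layouts (ISO-like `2020-07-01 23:38` versus day-first `29/04/2020 12:03`), so comparing the raw strings gives the wrong answer and both must be parsed to timestamps first. The Python below does that over rows constructed from the posted table; the day/month order for Occurtime is inferred from `29/04/2020` and is an assumption.

```python
from datetime import datetime

# Rows constructed from the table in the post: one ReportedTime for the
# whole transaction and a per-NeSn Occurtime in a different format.
REPORTED_TIME = "2020-07-01 23:38"
ROWS = [
    ("117629897", "29/04/2020 12:03"),
    ("117629923", "11/06/2020 23:26"),
    ("117629924", "11/06/2020 23:26"),
    ("117629925", "11/06/2020 23:26"),
    ("117629926", "11/06/2020 23:26"),
    ("117629927", "11/06/2020 23:26"),
    ("118106613", "5/07/2020 21:30"),
    ("114218693", "14/04/2020 6:32"),
]

REPORTED_FMT = "%Y-%m-%d %H:%M"
OCCUR_FMT = "%d/%m/%Y %H:%M"  # assumed day-first; 29/04/2020 cannot be month-first


def parse_reported(s):
    return datetime.strptime(s, REPORTED_FMT)


def parse_occur(s):
    # %d and %H accept single-digit values such as "5/07/2020 6:32".
    return datetime.strptime(s, OCCUR_FMT)


def split_by_age(reported, rows):
    """Return (kept, excluded). A NeSn is excluded when its Occurtime is
    older than ReportedTime; everything at or after ReportedTime is kept."""
    r = parse_reported(reported)
    kept, excluded = [], []
    for nesn, occ in rows:
        (kept if parse_occur(occ) >= r else excluded).append(nesn)
    return kept, excluded
```

The SPL analogue is `eval r=strptime(ReportedTime,"%Y-%m-%d %H:%M"), o=strptime(Occurtime,"%d/%m/%Y %H:%M") | where o>=r`. After `transaction`, Occurtime and NeSn are multivalue fields, so `mvexpand` them first so each NeSn is compared on its own; and confirm that single-digit day and hour values like `5/07/2020 6:32` parse in your Splunk version rather than silently producing null.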
When I generate a PDF from my dashboard, some pages are only half full, and some dashboard panels are put on the following page when there is sufficient space on the current page. It is not just a matter of margins, footer and header, because there is plenty of space left on many pages. I've been trying to add page breaks to the dashboard PDF, and I've also been trying to increase the size of the fonts for my table headers and data, but none of the standard HTML style commands work with the Splunk proprietary tags. Now, for the panels that have tables in them, the font size of the title and subtitle of the panels is way bigger than the table font size. How can I change that for my PDF?

I want to override the defaults for my PDF only, because we are hundreds of users using Splunk and generating PDF reports.
Hi,

Has anyone done HSM monitoring with Splunk? I installed the SNMP Modular Input app and the Luna HSM app. When I add my Luna device in the HSM app it throws a Django error:

    Error: HTTPError at /en-us/deviceinformation/setup/ HTTP 400 Bad Request -- The following required arguments are missing: activation_key.
Hi all,

I have created a Splunk Cloud trial account. I need to get access to the API. As per the documentation, when I click on Splunk Support portal from this link https://docs.splunk.com/Documentation/Splunk/8.0.4/RESTTUT/RESTandCloud it gives me a 404 Page not found error. Could you please help me find how to fix the above issue? Or do I need to buy a Splunk support license to get API access? Please let me know the process.

Thanks in advance.
I have a scenario where I've got around 250 servers on which the UF has to be installed. This data would be forwarded to the Indexer cluster or a heavy forwarder via an Intermediate Forwarder. I need to use an Intermediate Forwarder (a Universal Forwarder itself). Now I need to route data from the Intermediate Forwarder in this way:

    if hostname=x      -> Indexer Cluster AND Other Splunk Enterprise Instance
    else if hostname=y -> Heavy Forwarder AND Other Splunk Enterprise Instance

Note: the Splunk Enterprise Instance is another independent instance which has no relation to the indexer cluster or the heavy forwarder.

What should the inputs.conf & outputs.conf be in the UF and the Intermediate Forwarder? How can I achieve this?
Hi,

I have created a Splunk account today & selected 'Splunk Cloud Trial'. But when I click on Instances (top right) it gives a '404 Error: Page not found' error. Please let me know how to solve this problem.
Hi,

I managed to get the view I want using the below search command.

May I know how to group the events by Month_Year format and display it on the table beside the events?

Current View

Expected
Hello,

I have the following fields on EventCode=4625 (failed login events):

    _time, Source_Network_Address, Account_Name, Workstation Name, EventCode

And I want to create anomaly creation rules based on the source address field, to check if there is a relatively high amount of failed logins from the same source address. I am currently using a static threshold (... | where count > 50) but I want it to be dynamic to the week/weekend and morning/night changes. Can anyone give me some direction or a query example?

Thanks
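An added example, not part of the post above: one common way to make the threshold dynamic is to bucket failures per source per hour, assign each hour to a time-of-week slot (weekday/weekend, day/night), and flag a bucket only when it exceeds the mean plus a few standard deviations of its own slot. The Python below runs that over a constructed set of 4625-style events (one source sprays 60 failures in a weekday morning hour against a quiet background). The event layout, the 20:00-08:00 night window, the 3-sigma multiplier and the floor of 10 are my assumptions, not values from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample():
    """Constructed events as (_time, Source_Network_Address, Account_Name).
    Not real data: a week of low background noise plus one spray."""
    events = []
    base = datetime(2020, 7, 6)  # a Monday
    for hour in range(24 * 7):
        t = base + timedelta(hours=hour)
        for i in range(3):  # three sources, one failure each per hour
            events.append((t + timedelta(minutes=5 * i), "10.0.0.%d" % (10 + i), "user%d" % i))
    spray = base + timedelta(days=2, hours=9)  # Wednesday 09:00
    for i in range(60):  # 60 failures in 30 minutes from one external address
        events.append((spray + timedelta(seconds=30 * i), "203.0.113.7", "user%d" % (i % 7)))
    return events


def slot(t):
    """Time-of-week slot: weekday/weekend x day/night (night = 20:00-07:59, assumed)."""
    daytype = "weekend" if t.weekday() >= 5 else "weekday"
    period = "night" if (t.hour >= 20 or t.hour < 8) else "day"
    return daytype + "/" + period


def hourly_counts(events):
    """count by Source_Network_Address and 1h bin, like `bin _time span=1h | stats count by src,_time`."""
    counts = defaultdict(int)
    for t, src, _account in events:
        counts[(src, t.replace(minute=0, second=0, microsecond=0))] += 1
    return counts


def detect(events, sigmas=3.0, floor=10):
    """Return (src, hour, count, threshold) for every bucket whose count exceeds
    mean + sigmas*stdev of the same time-of-week slot. `floor` stops a very quiet
    slot from alerting on a handful of failures."""
    counts = hourly_counts(events)
    by_slot = defaultdict(list)
    for (_src, hour), n in counts.items():
        by_slot[slot(hour)].append(n)
    thresholds = {s: mean(v) + sigmas * pstdev(v) for s, v in by_slot.items()}
    hits = []
    for (src, hour), n in counts.items():
        thr = max(thresholds[slot(hour)], floor)
        if n > thr:
            hits.append((src, hour.isoformat(), n, round(thr, 2)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in detect(build_sample()):
        print(hit)
```

The same logic in SPL (index name assumed) is roughly `index=wineventlog EventCode=4625 | bin _time span=1h | stats count by Source_Network_Address, _time | eval dow=tonumber(strftime(_time,"%u")), hr=tonumber(strftime(_time,"%H")), slot=if(dow>=6,"weekend","weekday").if(hr>=20 OR hr<8,"/night","/day") | eventstats avg(count) as mu, stdev(count) as sigma by slot | where count > max(mu + 3*sigma, 10)`. Two caveats: here the spray is included in its own baseline, which inflates the threshold; in production compute mu and sigma over previous weeks (a summary index or a lookup refreshed by a scheduled search) and apply them to the current hour. And a baseline per slot hides a source that fails slowly but persistently, so keep a second rule on distinct Account_Name per source for password spraying.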
I am trying to create a real-time pie chart for vulnerable PCs in my environment. I start with a simple query like:

    index=qualys (STATUS=NEW OR STATUS="RE-OPENED" OR STATUS=ACTIVE) | ...

However, most of the PC names start with the same letters, like IN, PH, etc. How do I group them together in the pie chart?
Hi Everyone,

We are using the donut visualization in a Splunk dashboard, but we are getting the error "Error rendering donut visualization" before the viz loads. The Splunkbase documentation mentions that this issue occurs if you are running Safari v11.0+, but in our case we are using Google Chrome.

Link: https://splunkbase.splunk.com/app/3150/#/details

Please help us to resolve this issue.

Thanks & Regards,
Manikanth
Hello,

Recently I have been getting a Bucket error in the index processor every day. I am restarting the splunkd service every day to get rid of this error. How do I identify the root cause of this issue and fix it?

(error attached)

Thanks
Hi @gcusello,

The user is complaining that she is unable to view the alert. She is getting the following error. Is there any permission issue?

Regards,
Rahul
I want to have a report scheduled to be sent via email, but unfortunately the data in the PDF report is not formatted as it is on the dashboard. For example, $11,323,665 shows as 11323665 in the PDF. I converted the dashboard to HTML; the HTML code contains the number formatting, but it doesn't show on the HTML dashboard. Multiple dashboard panels have a table with one row; the row of data is displayed in very small characters, hard to read, and the numbers that are not formatted are even harder to read because they are displayed much smaller. How can I change the formatting on the PDF?
Hi @gcusello,

When I run the same query in verbose mode it gives me results, whereas the same query in fast mode does not give me results. Please guide me on how to change from fast mode to verbose mode in a dashboard panel. I tried the different solutions available but it did not work. Please help.

Regards,
Rahul