All Topics

Hi, I see that the Splunk Answers page was updated a few weeks ago. In the previous version, I used to save or favorite many questions that I was interested in. Where can I find those questions now? And also the questions that I have asked previously, where can I find those? Thanks
Hi, I know how to assign a dynamic sourcetype to events based on the source values. But I want to know whether it is possible to assign props.conf settings for the resulting sourcetype values. Thanks,
I have an admin-in-training who requires access to see everything but NO access to change anything. I am on version 7.3.3. Is there a way to create an admin-read-only role? If not, any best practices (in Splunk Enterprise) for auditing a user with the admin role would be greatly appreciated. Thank you
I am trying to filter Windows events based on the Application Name and EventCode. The Application_Name values I am trying to blacklist are splunkd.exe and zabbix_agentd.exe; EventCode: 5156 and 5158.

Sample Event:

06/18/2020 10:00:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=GURUABC.ad.xyz.com
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=1759943456
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 8873
Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Direction: Outbound
Source Address: 112.31.122.191
Source Port: 49346
Destination Address: 11.213.158.112
Destination Port: 8089
Protocol: 6
Filter Information:
Filter Run-Time ID: 66887
Layer Name: Connect
Layer Run-Time ID: 87

inputs.conf on the UF:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

I have tried the following different blacklisting options under inputs.conf on the UF.

# Option 1:
blacklist1=EventCode="5156" Message=”Application Name:\s(?\device\harddiskvolume2\program files\zabbix agent\zabbix_agentd.exe)”
blacklist2=EventCode="5156" Message=”Application Name:\s(?\device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe)”
blacklist3=EventCode="5158" Message=”Application Name:\s(?\device\harddiskvolume2\program files\zabbix agent\zabbix_agentd.exe)”
blacklist4=EventCode="5158" Message=”Application Name:\s(?\device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe)”

# Option 2:
blacklist1=EventCode="5156" ”Application\sName:\s(?\device\harddiskvolume3\program files\splunkuniversalforwarder\bin\splunkd.exe)"
blacklist2=EventCode="5158" ”Application\sName:\s(?\device\harddiskvolume3\program files\splunkuniversalforwarder\bin\splunkd.exe)"

# Option 3:
blacklist1=EventCode=%^5158$% Message=%*zabbix_agentd.exe%
blacklist2=EventCode=%^5158$% Message=%*splunkd.exe%

# Option 4:
blacklist1=EventCode=%^5156$% Application Name=%(*\bin\splunkd.exe|*\zabbix_agentd.exe)%
blacklist2=EventCode=%^5158$% Application Name=%(*\bin\splunkd.exe|*\zabbix_agentd.exe)%

# Option 5:
blacklist1 = EventCode="5156" Application Name:"(*splunkd.exe|*zabbix_agentd.exe)"
blacklist2 = EventCode="5158" Application Name:"(*splunkd.exe|*zabbix_agentd.exe)"

# Option 6:
[WinEventLog://Security]
blacklist1=EventCode="5156" Message="Workstation Name:\s+*zabbix_agentd.exe*"
blacklist2=EventCode="5158" Message="Application Name:\s+*zabbix_agentd.exe*"

# Option 7: I have tried the following under props and transforms on the HF for routing the data to the null queue.

On the HF, in props.conf:
[WinEventLog]
TRANSFORMS-null= setnull

In transforms.conf:
[setnull]
REGEX = (?s)EventCode=(5156|5158).*Application Name:\s.device.*\\splunkd.exe
DEST_KEY = queue
FORMAT = nullQueue

Unfortunately none of the above is working. Please suggest. Thanks in advance.
Hello Support, I am trying to configure my Mule application with the configuration below in Log4j2. I am getting the error message below and logs are not being written to Splunk. Please help. Splunk is configured on a cloud server.

Log4j2 configuration:

<Http name="Splunk" url="http://<server>:8088/services/collector/raw">
  <Property name="Authorization" value="Splunk <token>" ></Property>
  <PatternLayout pattern="%-5p %d [%t] %X{correlationId}%c: %m%n" ></PatternLayout>
</Http>

<AsyncRoot level="INFO">
  <AppenderRef ref="file" />
  <AppenderRef ref="Splunk" ></AppenderRef>
</AsyncRoot>

Error Message:

2020-06-24 01:02:47,675 Log4j2-TF-7-AsyncLoggerConfig-4 ERROR Unable to send HTTP in appender [Splunk] java.net.ConnectException: Connection timed out: connect

Best Regards,
Sandeep
Hi, I am attempting to chart the calculated pass and failure percentages over time along with the total passed and failed jobs. I can successfully create a table that shows the FailureRate and SuccessRate along with my passed and failed totals by using this syntax:

...BASE SEARCH...
| stats count(eval(match(job_result, "FAILURE"))) AS Failed, count(eval(match(job_result, "SUCCESS"))) AS Passed, count(eval(match(job_result, "ABORTED"))) AS Aborted count as t
| eval s = t-f, percF = (Failed/t)*100, percS=100-percF
| rename t as Total, percF as FailureRate, percS as SuccessRate
| table Total Passed Failed Aborted FailureRate SuccessRate

When I attempt to make this a chart over time I am not able to overlay the FailureRate and SuccessRate on the same timechart. (Note: I had to change stats count(...) to streamstats count(...) to get any output of the total passed, failed, aborted.)

...BASE SEARCH...
| streamstats count(eval(match(job_result, "FAILURE"))) AS Failed, count(eval(match(job_result, "SUCCESS"))) AS Passed, count(eval(match(job_result, "ABORTED"))) AS Aborted count as t
| eval s = t-f, percF = (Failed/t)*100, percS=100-percF
| rename t as Total, percF as FailureRate, percS as SuccessRate
| timechart count by job_result

I am unsure why I am not able to overlay the FailureRate and SuccessRate calculations over time to see the changes as time goes by. Any help is appreciated, as I have scoured this site for hints on what I am doing wrong. Thanks!
I want to pass a value into a token from the point we select on the map. I am using the geostats command to generate results. E.g., if we click on a green bubble on the map, I want to pass the value "Blue Water" into my token. I tried all the options from custom drilldown, but none of them worked.
We have an object like the one below.

{
  "mirId": "Mule-111",
  "appVersion": "v1",
  "businessGroup": "MARKETING",
  "compress": false,
  "appName": "dev-sys-netsuite-int-v1",
  "relational_correlationId": "c96563d1-acb3-11ea-9d9b-0654f1d3f281",
  "tracePointDescription": "Capture payload",
  "threadName": "[MuleRuntime].cpuLight.13: [adaptive-logger-test].adaptive-loggerFlow.CPU_LITE @6dbce5f9",
  "content": {
    "exception": "",
    "payload": "https://s3.console.aws.amazon.com/s3/object/unilever-ai-operationalframework/LEVEREDGE/prod/dispatchAdvice/c96d4fa0-a5fb-11ea-95a5-0281bc7d1468ERROR-2020-06-04T00:39:25.154Z1591231167.txt?region=us-east-2&tab=overview",
    "businessFields": [
      { "key": "File_Name", "value": "ASN_200622170087026.xml" },
      { "key": "IDOC_NAME", "value": "0000001408187026" }
    ],
    "category": "org.unilever.apps.adaptiveloggertest"
  },
  "environment": "TJ-MARKETING-Dev",
  "LogMessage": "Test-TJ-SCHED",
  "correlationId": "c98f8110-acb3-11ea-9d9b-0654f1d3f281",
  "interfaceName": "netsuite-salesapi",
  "tracePoint": "START",
  "timestamp": "2020-12-06T13:59:21.133Z"
}

Now we need to create a regex for matching the key and value from the businessFields array, and the values of "key" and "value" should be stored as multi-value fields. We need to use this regex in transforms.conf for creating indexed fields.
Hi All, I am new to Splunk and just doing a POC. I have a Splunk Enterprise trial instance which I am using for indexing and searching. On the same machine I have a universal forwarder. I am trying to forward logs from the UF to the indexer. When I give the path to my syslog or Splunk logs I can see the logs in the indexer. Below is the inputs.conf:

[monitor:C:\Program Files\Splunk\var\log\splunk]
disabled = 0

But when I change it to some other folder for logs, like

[monitor:C:\test\testlogs]
disabled = 0

it does not forward any logs. I do have files in this location; those files are logs but not running logs.

Also, do I need to change only "etc\system\local", or "etc\apps\SplunkUniversalForwarder\local" as well?
Does anyone know what c:\program files\splunkuniversalforwarder\bin\srm.exe is? Our AV has flagged the file as suspicious and I want to confirm it's a valid Splunk provided executable. Frank  
Hi, I have created a data collector for a particular response to be captured. I want only a certain part of it to be captured and am using the split function. The response is below:

Success
{
  "data": {
    "customerId": "1128477",
    "contactInformation": {
      "email": "test_1@test.com",
      "mobileCountryCode": "0091",
      "mobileNumber": "1234567890"

I want to capture the customerId, and the data collector I am using is

getData().toString().split("customerId":).[1].split(,).[0]

and this gives me the output

[CANNOT EVALUATE: No target specified]

Am I missing something or doing something wrong? The initial part getData().toString() gives me all the response details, but when I try to split it to capture customerId it gives me the above error. Please help. Regards, Gopikrishnan
I have the following query for PAN firewall logs:

index=pan app=ssl | stats count by src

This gives me a list of all src IPs of devices that use SSL. How would I create a query to give me the opposite result? I want the list of src IPs that never have SSL traffic.
Hello, my apologies as this feels like the dumbest question. I signed up for a free cloud instance last Thursday. I did not receive any login email from Splunk (checked junk etc.) and trudged on, as I am trying to do the labs. My login works and I can see my training. When I try to get to my instances from the drop-down in my profile where it says "instances" I get https://www.splunk.com/404?ErrorCode=18&ErrorDescription=Invalid+account I'm on Chrome. I have no direct link because there was no email from Splunk. I did open a ticket but no word back on that. Anything else I can try? Thanks for any thoughts. My free instance clock is ticking down on my 15-day trial.
Hello All, I am building a dashboard in which I have a checkbox to trigger a different search when it gets enabled. This is how my XML looks:

<input type="multiselect" token="multiselect_value" searchWhenChanged="true">
  <search>
    <query>|inputlookup myFile.csv | fields values</query>
  </search>
  <delimiter> OR </delimiter>
  <valuePrefix>ServiceName</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <choice value="*">ALL</choice>
  <initialValue>*</initialValue>
</input>
<input type="checkbox" token="test_checkbox">
  <choice value="true">Enable</choice>
  <change>
    <condition match="$test_checkbox$=&quot;true&quot;">
      <set token="base_query">"normal search without any token"</set>
    </condition>
    <condition>
      <set token="base_query">"search with a token inside" $multiselect_value$</set>
    </condition>
  </change>
</input>

Now, the problem is that $multiselect_value$ is never taken. I already tried to use <![CDATA[$multiselect_value$]]> but it is not working. Is there any other way to do this? If not, how would you suggest tokenizing these queries in the condition? Thanks in advance!
Team, I would like assistance with creating a regex, specifically to blacklist 1 host name (it happens to be the Splunk server, very noisy). Alternatively, I would like direction to a site or resource that could help with creating and debugging regexes. I have had no luck; too many hours to quantify. This was the best so far, but even as submitted (results all green) the regex did not work. http://regjex.com/
Team, I wish to utilize PowerShell scripts deployed to remote clients via the GUI interface or the CLI, whichever can be made to work.

1. The CLI (inputs.conf) works if created and maintained on each client.
2. The remote script GUI only seems to work for .bat files.
3. The V3 modular input only seems to work for localhost.

History: I have successfully utilized PowerShell scripts within inputs.conf (placed on each forwarder), for example:

script = . "C:\Program Files\Splunk\etc\apps\My-App\bin\script.ps1

(I chose to use the full path as the env variable does not seem to stick; set or setx does not seem to matter.) The downfall of this is that the script/inputs.conf has to be updated manually on each client.

I have successfully utilized batch from the GUI (Settings > Data inputs > Remote scripts):

$SPLUNK_HOME/etc/apps/_server_app_W64_NETWORK_INFO/bin/netstat.bat

Attempts with .ps1 scripts do not work.

I tried utilizing the PowerShell v3 Modular Input; that method only targets the local host (server).
So I'm fairly new to this. I have installed the gateway and am trying to get the mobile app working on my device. I have registered it, and my device can see all of the dashboards, but when I click on them the information doesn't populate. I get an error that says "server error occured which prevented the dash board from loading". Any ideas on where to look?
Hello, I'm currently using the MS O-365 reporting add-on in Splunk to ingest message trace logs. However, it doesn't support the ingestion of header information for each email. Does anyone know of a way to ingest header information into Splunk too? A different add-on perhaps? Thank you in advance.
Within Splunk Enterprise 7.3.3 we are using the AWS App and the Add-on (4.6.1), mostly successfully. Several inputs work just fine with no issues. Recently we noticed that the "aws:config" snapshot data is only being partially indexed.

Dumbed down with example numbers: we have 20 Lambdas visible in both the AWS Console and the aws:description type in Splunk. 15 show up in sourcetype aws:config, even after forcing a new snapshot. Through trial and error we modified the tags on one and it suddenly showed up. We also confirmed through debug that the API response is returning the missing Lambdas; they are just not indexed/searchable.

Is there a set of qualifications/conditions the aws:config input type is filtering the response through before fully indexing? I.e. age of item, last modified, etc.? Any other input or suggestions on forcing all items to be searchable for the aws:config sourcetype would be helpful. The aws:description input does not include some fields that we are trying to report on.
Hi, I am new to Splunk. I need to find the number of days' difference between the indexed time date and the date in my field. I first converted my field to epoch and am finding the difference between printedA_epoch and _indextime (as it returns epoch by default), but the returned data is blank. I also need to assign a variable to 1 if it is greater than 0. The printedtimestrampA data is "2020-06-20T01:23:23.693-0700".

| eval printedA_epoch=strptime(printedtimestrampA,"%Y-%m-%dT%H:%M:%S.%Q")
| eval indextime=_indextime
| eval fdata=round(((_indextime-printedA_epoch)/86400),0)
| eval daysA= if(fdata>0,1,0)
| table _indextime,printedA_epoch,fdata