Hi, is it possible to change the default color of the Sankey diagram, e.g. in XML? I have a very simple Sankey diagram with 1 start point and 10 end points. I want to change the color of the start point. Can you help me, please?
Hi, I would like to create a dashboard with about 10 panels containing different searches. I want to 1) display the actual search for the panels and then 2) allow the user to trigger the search for each panel. I do not want the dashboard to have only one submit button, but a submit or click button for each panel on the dashboard.
Hi! I would like to upgrade my Splunk environment to V8, and one prerequisite is to have all dashboards with advanced XML converted or rebuilt in simple XML. How can I find dashboards with advanced XML? There are a lot of them, and maybe there is a special structure I can search for in the file system, or maybe there is an option to find them with a Splunk search? Thanks, Rob
Hi there, thanks in advance. I am trying to plot a graph with the request time for each request on the y-axis and minutes on the x-axis. Here is an example log entry:

10.xx.xx.xx - - [19/May/2020:03:15:46 +0000] "POST /web/Authorization?schema=1.3&form=json&httpError=true&cid=cd65b044-426b-4131-8e92-5f239a31cfc5" 200 92131 1 "Apache-HttpClient/4.3.1 (java 1.5)" "" cd65b044-426b-4131-8e92-5f239a31cfc5 miss "{\"authorize\":{\"operations\":[{\"service\":\"offerDataService\",\"instance\":\"offerDataService-gracenote-prod\",\"endpoint\":\"ContentEntitlement\",\"method\":\"GET\"}]}}"

Can anyone help me write a Splunk query for it? Best, DP
I have created my lookup file and currently it's set to Private. I want to change its permissions so that all other users can also access it. Is there a way to change that? I am not able to see a permissions option inline with my lookup file in the Sharing column. Also, please let me know how to check my user role.
I was looking at apps such as "Splunk Security Essentials" and "ATP Threat Hunting" available on Splunkbase. The apps have a great mechanism that can be user driven by clicking on tiles to open additional information. I was wondering how these are created and whether there are any apps available that allow these to be created. My thought is around having a work instruction available in Splunk, where someone who has an event that they need to investigate can, instead of going elsewhere, reference the information through a panel as the 2 apps above do.
Hi everyone, I want to create a Splunk query which can detect a URL/domain category change in the proxy logs within the last 7 days. Example:

Initial domain/URL category
Domain/URL: abc.com
Category: New Domain
Date: 12 May 2020

Final domain/URL category
Domain/URL: abc.com
Category: Business
Date: 18 May 2020

Kindly help at the earliest. Thanks
I have four hosts: H1, H2, H3, H4. Each host has cpu_load. I want to find the min cpu_load and max cpu_load out of all hosts. In my scenario, out of the 4 hosts, find the min/max.

| stats min(host of cpu_load) as Min, max(host of cpu_load) | eval diff=max-min | alert based on diff

Any help is appreciated. Thank you
Hi Splunkers. I've manually uploaded a STIX file into ES. The file has uploaded successfully (the file can be seen in /opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/lookups), but I am unable to verify that the artifacts from the file have been integrated into ES Threat Intel. In ES, Security Intelligence -> Threat Artifacts, I don't see artifacts from the file (i.e. files, domains, etc.) showing up when a search is done. Additionally, these artifacts do not appear in the relevant consolidated lookup files, i.e. threatintel_by_(domain|process|cidr), etc. Items from existing configured threat intel downloads do show up in ES threat artifacts as well as in the lookup files.

Am I assuming correctly that artifacts from ad-hoc uploads show up alongside those from scheduled intel downloads and do not get processed differently? Unless I'm missing something, this indicates that the integration of the artifacts from the STIX file into the consolidated lookups has not taken place.

Are there any other places to look to debug why the STIX file integration into the threat intel lookup files is not happening? Thanks.
I blacklist lookups from bundle replication by size in distsearch.conf as below:

[replicationSettings]
excludeReplicatedLookupSize = 2

I now have a requirement to bypass the above condition for a specific lookup that is greater than 2 MB. Is there a way I can craft the whitelist to take precedence just for the lookup that I need? The reason I need this as part of the bundle is because I use this lookup as an auto lookup and it is growing in size.
Hi all, is there an option to handle API-returned JSON data using Add-on Builder? I want to sort a field in descending order and create a checkpoint against it. The API doesn't have a feature/method to sort by field. And one more question: if I do a checkpoint using the sorted timestamp field, does the checkpoint always get events greater than the timestamp? Because the API doesn't have a feature to include a >timestamp filter. My requirement is: call the endpoint and index only unique values. Every time I make a call, I get the whole set of events again and again. The API is very basic and doesn't have any kind of filters or sorts. There is a timestamp field in the results that I can use in search to get deduplicated values, but the license consumption is a lot since we are getting the same data again and again. Thanks
I am trying to get unique visitors from my Akamai logs in Splunk. Akamai determines a unique visitor by combining the client IP and X-Forwarded-For. Here is my simple search:

index="akamai-webcdn-afl-app-s" | stats count by event.message.cliIP, event.reqHdr.xFrwdFor

which results in:

event.message.cliIP event.reqHdr.xFrwdFor count
103.246.36.21 192.168.6.122 3
108.171.134.189 1.43.141.112 1
108.171.134.189 139.163.132.183 2
114.119.160.107 10.179.80.58 1
114.119.160.177 10.179.80.112 1

Each line represents a unique visitor. How can I get a count of unique visitors each minute, as the below does not work and just gives 0 results?

index="akamai-webcdn-afl-app-s" | stats count by event.message.cliIP, event.reqHdr.xFrwdFor | timechart span=1m count(event.message.cliIP)

Thank you for your help
I'm working with some ldapsearch searches and I'm having the following problem with one of our search heads. I can't even configure the input, and the interface shows me this error when configuring the connection and when doing any ldapsearch search:

External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1111 : HTTP 403 Forbidden -- insufficient permission to access this resource" ".

I'm using a local admin account with all the capabilities needed to perform the configuration: admin_all_objects, list_storage_passwords, and edit_tcp. P.S. The add-on works with another search head. My Splunk version is 7.3.1 and my add-on version is 2.1.4. Any help will be appreciated, thanks!
Hello Splunkers, I appended two different searches within Splunk. Then I created a table, and now I need to filter the values of the Terminated_List attribute that do not contain the string Terminated. I am using the following search, but the final where is not working properly:

index=employees [search index=employees source="*_Terminated_Employee_*" | stats latest(source) AS source]
| dedup Email_Address
| fields Email_Address Terminated_List
| eval e_Mail=tostring(upper(Email_Address))
| eval Terminated_List="Terminated Employees"
| append [search index=employees [search index=employees source="*Terminated IT Contractor*" | stats latest(source) AS source] | dedup Email | fields Email Terminated_List | eval e_Mail=tostring(upper(Email)) | eval Terminated_List="Terminated Contractors"]
| table e_Mail Terminated_List
| where Terminated_List!="*Terminated*"

Any ideas or suggestions? Thank you!
Hi, I need to write a search that shows both the success percentage and the failure count in a dual-axis combo chart. I am able to do it independently, but unable to do it in a combo chart, which is only showing the trend for the last 7 days (y-axis), while the failure events will give the overall count for the day (x-axis).

Base search: requestMethod=POST AND "/customerentitlementsservice/v1/ces/account*" responseStatus

Success trend:

| dedup requestId
| eval FailureCount=if((responseStatus != 200) OR like(Status,"%,%"),1,0)
| bin _time span=1d
| stats count as Total, sum(FailureCount) as Fail by _time
| eval successrate=Round(((Total-Fail)*100)/Total,2)
| eval Date=strftime(_time, "%m/%d/%y")
| chart values(successrate) AS Successrate% by Date
Hello, I have created the following search to show fieldsummary on 4 fields: devicename, ip, platform, and market, as below. I want to filter the fieldsummary results further by market, which shows devicename, ip, platform with individual market combinations, and show null counts and percentages computed in search. Can the search be modified to further group devicename, ip, platform by market for null values?

environment=test sourcetype=API1
| fields + devicename,Ip,platform,market
| fieldsummary maxvals=10
| where (values like "%null%" OR isnull(values) OR values like "%NULL%")
| fields - is_exact, max, mean, min, numeric_count, stdev, distinct_count
| rex field=values "null\",\"count\":(?<null_count>\d+)"
| eval Percentage_null=if(isnull((null_count/count)*100),0,round((null_count/count*100),2))
| fieldformat count=tostring(count,"commas")
| fieldformat null_count=tostring(null_count,"commas")
| sort Percentage_null,values desc

Current results:

field Percentage_null count null_count values
devicename 1.60 4,388 130 [{"value":"null","count":701},cf28ng==","count":24}]
IP 1.33 4,388 212 [{"value":"null","count":512},{"value":"44.55.5.55":206}]
platform 0.45 4,388 852 [{"value":"null","count":273},{"value":"Android":4000}]
market 0.14 4,388 100 [{"value":"null","count":2000},{"value":"CA","count":2000},{"value":"JP","count":6}
I am in desperate need of some help on regex/blacklisting process names in Windows event logs. Our regex to exclude / filter out specific Process Name executables is not working, and I would guess it likely is due to improper regex. I could definitely use any advice or help on the below regex, as I am by no means an expert, but I have done my best to try and get it working and just can't seem to get it. Right now the 4663 processes are completely overwhelming our licensing due to the amount of events being generated. Here is our regex code that is not functioning (blacklist8). Below that is our full blacklist. This is being done via the Windows_TA inputs.conf file within the local directory being deployed to all universal forwarders. I am trying to exclude any message received by Windows that shows Process Name as one of the executables. Thank you so much for your help!

Line that is not working:

blacklist8 = EventCode="(4660|4663|4688|4689)" Message="Process Name:\s+*Tei.Content.ContentPublisher.exe|*BBL.exe|*BESRootServer.exe|*BESClient.exe|*elasticsearch-service-x64.exe|*bactalk.exe|*mcshield.exe|*splunk-optimize.exe|*splunk-winevtlog.exe|*bactalk.exe|*w3wp.exe|*Microsoft.Exchange.Diagnostics.Service.exe|*MSExchangeHMWorker.exe|*SearchProtocolHost.exe|*SearchIndexer.exe|*PSMONITORSRV.exe|*nslookup.exe|*traceroute.exe|*postgres.exe|*wmiapsrv.exe|*wmiprvse.exe"

Full blacklist:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)"
blacklist4 = EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%"
blacklist5 = EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy."
blacklist6 = EventCode="(4660|4663|4688|4689)" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|mongod|splunkd|python|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|optimize|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe)"
blacklist7 = EventCode="4663" Message="(?:Object Name:)(?s).*(\\REGISTRY\\)"
blacklist8 = EventCode="(4660|4663|4688|4689)" Message="Process Name:\s+*Tei.Content.ContentPublisher.exe|*BBL.exe|*BESRootServer.exe|*BESClient.exe|*elasticsearch-service-x64.exe|*bactalk.exe|*mcshield.exe|*splunk-optimize.exe|*splunk-winevtlog.exe|*bactalk.exe|*w3wp.exe|*Microsoft.Exchange.Diagnostics.Service.exe|*MSExchangeHMWorker.exe|*SearchProtocolHost.exe|*SearchIndexer.exe|*PSMONITORSRV.exe|*nslookup.exe|*traceroute.exe|*postgres.exe|*wmiapsrv.exe|*wmiprvse.exe"
index = security_wineventlog
renderXml = false

Here is what I see when I search (obviously not working).
I have a need to reconcile Splunk ES rule changes. I am using the REST API to pull the "updated" rule changes. The issue with this is that the logs in Splunk don't identify the user who updates the rule. I have another index that is our change management system. This system may or may not have the exact Splunk rule somewhere in the description field. The change management system has a beginning and ending time range. The "updated" time should fall within that range. The only way to correlate these two indexes would be to take the "updated" timestamp and check the change management logs for "begin_chg_time > updated AND updated < end_chg_time". Basically, I believe I'm stuck on taking the field "updated" and checking for the change record in the change management index. Any help would be greatly appreciated.
Hello, newbie here again. I am trying to use 2 inputs for a form but separate the searches (these 2 inputs will be 2 different alerts) and incorporate the search results into one graphical view. Is this possible? Thank you again.
Hello, I'm working with some ldapsearch queries in my environment, but I have the following problem. Even if I execute the command from an admin account, it says this:

External search command 'ldaptestconnection' returned error code 1. Script output = "error_message= # host: xxx.xx.xx.1: Could not access the directory service at ldaps://xxx.xx.xx.x:636: password is mandatory in simple bind "

Then I tried installing the ldapsearch add-on in my QA environment, and the connection test passed the first time, but the second one didn't. And when I execute any ldapsearch command queries, the error is the same:

External search command 'ldaptestconnection' returned error code 1. Script output = "error_message= # host: xxx.xx.xx.1: Could not access the directory service at ldaps://xxx.xx.xx.x:636: password is mandatory in simple bind "

Even using an admin system role can delete role account with all the required capabilities. Thanks in advance!