Hi, I need to monitor a log file on a Windows-based Splunk all-in-one instance. This file contains a sequence of rows with a time in the format HH:MM:SS, and the file name contains the date (DD-MM-YYYY). How can I associate the right timestamp with the events, taking the date from the filename and the time from the rows contained in the file? Thanks to everyone for the support.
Hi team, I am receiving multiple events from different servers in Dynatrace. How can I forward all those events from Dynatrace to Splunk?
Hi, I would like to use the Email Template for the policies triggered. I want to display the Health Rule name in the email body using template variables. I have read this doc https://docs.appdynamics.com/display/PRO45/Predefined+Templating+Variables but there is no class or base class for Health Rule. Also, I would like to use the background-color property of HTML in the Email template, but it seems like AppDynamics is not recognizing the attribute. Any help will be appreciated. Thanks in advance.
Hi, I am new to Splunk. The export option is implemented using the code below:

<a class="btn btn-primary" role="button" href="/api/search/jobs/$export_sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=Input&amp;outputMode=csv">Export</a>

Issue: search results are not exporting as a CSV file; the default value (i.e. ) is downloading for the search results too. This issue occurs when I use the base search option in the code. What will be the solution if I use the export option with a base search? Kindly help to resolve this issue. Note: here the base search is mandatory for us, because the export option is working properly without a base search.

<form>
  <label>Product</label>
  <init>
    <set token="ProductNo">*</set>
    <set token="TproductNo">*</set>
  </init>
  <search>
    <query>| makeresults | eval x=if($ProductNo$==1,"1","2")</query>
    <done>
      <condition match="$result.x$==&quot;1&quot;">
        <set token="ProductNo">*</set>
        <set token="TproductNo">*</set>
      </condition>
      <condition>
        <unset token="TproductNo"></unset>
        <eval token="TproductNo">substr($ProductNo$,1,len($ProductNo$)-2)</eval>
      </condition>
    </done>
  </search>
  <search id="baseSearch">
    <query>
      source="log.2020-04-22" host="LTPCHE10CTA0405"
      | xmlkv maxinputs=10000
      | rex field=_raw "((?<Type>(\w*))\s(?<Code>(\d+))\s((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))\s(?<TimeStamp>(\d{8}\s\d{6}))\s(?<TextMsg>([\w\s]+).*))"
      | rex field=TextMsg "([\w\s]*\W\s*(?<TrkNo>\d+)\s*(,)*(?<Msg2>[\w\s]*.*))"
      | rex field=TextMsg "((?<Msg1>([\w\s]*))\W\s*)"
      | rex field=TextMsg "(Before NO = Trk No = (?<TPTrkNo>\d+))"
      | rename "ts:productname" as productname "ts:productNo" as productNo
      | eval TLogTimeStamp=strftime(strptime(LogTimeStamp,"%Y%m%d%H%M%S"),"%m/%d/%Y %H:%M:%S %p")
    </query>
  </search>
  <fieldset submitButton="true">
    <input type="text" token="ProductNo">
      <label>Tracking No</label>
      <default></default>
      <change>
        <condition value="">
          <set token="ProductNo">1</set>
          <unset token="TproductNo"></unset>
        </condition>
      </change>
    </input>
    <input type="checkbox" searchWhenChanged="true" token="xmlCheckBox">
      <label>Raw Data</label>
      <choice value="1">On</choice>
      <change>
        <condition match="$xmlCheckBox$==&quot;1&quot;">
          <set token="xmlToken">1</set>
          <unset token="tkninputPanel">0</unset>
        </condition>
        <condition>
          <set token="tkninputPanel">1</set>
          <unset token="xmlToken">0</unset>
        </condition>
      </change>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row>
    <panel depends="$tkninputPanel$">
      <html depends="$export_button$">
        <a class="btn btn-primary" role="button" href="/api/search/jobs/$export_sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=Input&amp;outputMode=csv">Export</a>
      </html>
      <table id="table1">
        <search base="baseSearch">
          <query>
            search TrkNo=$ProductNo$ OR TPTrkNo=$TproductNo$
            | table Type TLogTimeStamp MsgCode TrkNo Msg1 Msg2 productname productNo BWTextMsg
            | sort -TLogTimeStamp
          </query>
          <done>
            <set token="export_sid">$job.sid$</set>
            <set token="export_button">1</set>
          </done>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel depends="$xmlToken$">
      <title>XML Results</title>
      <html depends="$exportXML_button$">
        <a class="btn btn-primary" role="button" href="/api/search/jobs/$exportXML_sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=InputXML.txt&amp;outputMode=csv">Export</a>
      </html>
      <table id="table2">
        <search base="baseSearch">
          <query>
            search TrkNo=$ProductNo$ OR TPTrkNo=$TproductNo$
            | table TrkNo TLogTimeStamp Msg1 _raw
            | sort -TLogTimeStamp
          </query>
          <done>
            <set token="exportXML_sid">$job.sid$</set>
            <set token="exportXML_button">1</set>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
How can we restrict computer owners from injecting more data into Splunk? We have around 1000 computers which report to our Splunk Cloud through universal forwarders. Initially all the forwarders were configured to send only Application event logs, but now some of the computer owners edit the inputs.conf files themselves on the forwarders and try to send unwanted data to Splunk, which is costing us too much. How can we restrict this kind of activity, so that without our permission no one can edit inputs.conf files and send data to Splunk through a universal forwarder? Please provide us some suggestions.
Hi to all, I'm new to using Splunk and I have an issue with a software that writes logs in a non-standard way (to my fresh knowledge of Splunk):

{
  "name":"clientLogger",
  "level":30,
  "levelName":"info",
  "msg":"[audio] iceServers",
  "time":"2018-08-27T19:32:57.389Z",
  "src":"xxxxxx",
  "v":1,
  "extraInfo":{
    "sessionToken":"e7boenucj1pwkbfc",
    "meetingId":"183f0bf3a0982a127bdb8161e0c44eb696b3e75c-1535398242909",
    "requesterUserId":"w_klfavdlkumj8",
    "fullname":"Ios",
    "confname":"Demo Meeting",
    "externUserID":"w_klfavdlkumj8"
  },
  "url":"xxxx",
  "userAgent":"Mozilla/5.0",
  "count":1
}

and in Splunk the logs are:

The only info I need is:
- time
- fullname
- confname

But regex doesn't work and I don't understand how to set only the proper fields! Some help or a how-to guide would be helpful! Thanks in advance!
I have to search for three statements in logs: 1) CLI, 2) ADM, 3) GPO. How do I search for these and display which one of them is not present? And store the result; for example, if CLI is not found, display CLI.
Hello, is there another way to connect these two other than join? I have read that stats is faster than join. Is it possible that stats can connect all these together?

SPL 1

(index=* source=/var/log/secure* AND TERM(sudo) AND " root" AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd)) AND COMMAND!="*egrep*")
OR (index="*" source=/var/log/secure* AND TERM(sshd) AND "Accepted password" AND TERM(from) AND TERM(port)
    [ search index=* source=/var/log/secure* AND TERM(sudo) AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd)) AND COMMAND!="*egrep*"
      | regex _raw != ".*bin\/grep|.*bin\/man|.*bin\/which"
      | regex _raw!= ".*user NOT in sudoers.*"
      | stats latest(_time) as latest earliest(_time) as mod_time
      | eval earliest= relative_time(mod_time, "-8h@s")
      | fields earliest latest ])
| regex _raw != ".*bin\/grep|.*bin\/man|.*bin\/which|.*bin\/less|.*bin\/more"
| rex field=_raw "(?<=sudo:)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=\:).*(?<=COMMAND\=)(?P<command>.*)"
| rex field=_raw "(?<=for)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=from).*(?<=from)\s*(?P<ip>[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)"
| eval "Command/Events" = replace(command,"^(\/bin\/|\/sbin\/)","")
| eval Time = if(match(_raw,"(?<=sudo:)\s*[[:alnum:]]\S*[[:alnum:]]\s*(?=\:).*(?<=COMMAND\=)*") ,strftime(_time, "%Y-%d-%m %H:%M:%S"),null())
| eval Date = strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-007"
| eval "Agency HF" = if(isnull(agencyhf),"",agencyhf)
| stats list(Time) as Time list("Command/Events") as "Command/Events" latest(ip) as "IP Address" by Users Date host index "Report ID" "Agency HF"
| eval counter=mvrange(0,mvcount(Time))
| streamstats count as sessions
| stats list(*) as * by sessions counter
| foreach Time "Command/Events" [ eval <<FIELD>> = mvindex('<<FIELD>>', counter)]
| fields - counter sessions
| rename index as Agency, host as Hostname
| where Users="root" AND isnull('IP Address')
| fields "Report ID" Time Agency Command/Events Hostname Users Date

SPL 1 Result

SPL 2

(index=* source=/var/log/secure* (TERM(su:) OR TERM(sudo:)) AND "opened for user root")
OR (index="*" source=/var/log/secure* AND TERM(sshd) AND "Accepted password" AND TERM(from) AND TERM(port))
| rex field=_raw ".*(?<=from)\s*(?P<ip>[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)"
| eval Date = strftime(_time, "%Y-%d-%m")
| rename host as Hostname
| stats values(ip) as "IP Address" by Date Hostname
| where isnotnull('IP Address')

SPL 2 Result

SPL 3 = SPL 1 and SPL 2 consolidated together by the join command

(index=* source=/var/log/secure* AND TERM(sudo) AND " root" AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd)) AND COMMAND!="*egrep*")
OR (index="*" source=/var/log/secure* AND TERM(sshd) AND "Accepted password" AND TERM(from) AND TERM(port)
    [ search index=* source=/var/log/secure* AND TERM(sudo) AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd)) AND COMMAND!="*egrep*"
      | regex _raw != ".*bin\/grep|.*bin\/man|.*bin\/which"
      | regex _raw!= ".*user NOT in sudoers.*"
      | stats latest(_time) as latest earliest(_time) as mod_time
      | eval earliest= relative_time(mod_time, "-8h@s")
      | fields earliest latest ])
| regex _raw != ".*bin\/grep|.*bin\/man|.*bin\/which|.*bin\/less|.*bin\/more"
| rex field=_raw "(?<=sudo:)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=\:).*(?<=COMMAND\=)(?P<command>.*)"
| rex field=_raw "(?<=for)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=from).*(?<=from)\s*(?P<ip>[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)"
| eval "Command/Events" = replace(command,"^(\/bin\/|\/sbin\/)","")
| eval Time = if(match(_raw,"(?<=sudo:)\s*[[:alnum:]]\S*[[:alnum:]]\s*(?=\:).*(?<=COMMAND\=)*") ,strftime(_time, "%Y-%d-%m %H:%M:%S"),null())
| eval Date = strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-007"
| eval "Agency HF" = if(isnull(agencyhf),"",agencyhf)
| stats list(Time) as Time list("Command/Events") as "Command/Events" latest(ip) as "IP Address" by Users Date host index "Report ID" "Agency HF"
| eval counter=mvrange(0,mvcount(Time))
| streamstats count as sessions
| stats list(*) as * by sessions counter
| foreach Time "Command/Events" [ eval <<FIELD>> = mvindex('<<FIELD>>', counter)]
| fields - counter sessions
| rename index as Agency, host as Hostname
| where Users="root" AND isnull('IP Address')
| fields "Report ID" Time Agency Command/Events Hostname Users Date
| join left Date Hostname 'IP Address'
    [search (index=* source=/var/log/secure* (TERM(su:) OR TERM(sudo:)) AND "opened for user root")
     OR (index="*" source=/var/log/secure* AND TERM(sshd) AND "Accepted password" AND TERM(from) AND TERM(port))
     | rex field=_raw ".*(?<=from)\s*(?P<ip>[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)"
     | eval Date = strftime(_time, "%Y-%d-%m")
     | rename host as Hostname
     | stats values(ip) as "IP Address" by Date Hostname
     | where isnotnull('IP Address') ]
I am trying to get an inner join result which looks something like this: if there are 100 unique fields from the subsearch, I want to confirm whether each field is present in the main search and get the count if present. Get the count of the subsearch and the main search.
What query can I use to look up IP information, like country, for only the source_IP and destination_IP in my search? For example:

index =xxxx action=allowed severity=* src-ip=* dest-ip=* |table host, signature,src-ip, dest-ip, action, severity

Q: In the above query, what query can I use to fetch the src-ip country name and the dest-ip country name? Thank you in advance!
How do I check the active nodes sending logs to a Splunk forwarder, and also how do I check that the Splunk forwarder is sending all these nodes' logs to the indexer?
Our transaction period can cover five to six days, covering sessions by users connected to the company's network. Are there any configuration settings in limits.conf that we need to be aware of when we use the transaction command?
I would like to know if the Jira App within Phantom can integrate with an on-prem Jira Enterprise instance, or if using Atlassian Cloud is a requirement. The documentation in the Jira Phantom App leans very heavily towards Atlassian Cloud and doesn't seem to cover on-prem Jira integration, so I am a bit confused about whether this will work. If it is possible to use on-prem Jira, I would appreciate any links to KB articles or personal blog posts about your adventures in getting this set up. Thank you.
We're sending CSV files from Splunk to an external server. The files are compressed (.gz format). What is the maximum size of the *.csv.gz file that can be generated in Splunk and sent to the external server? Thanks.
Hello, I'm able to receive almost all event codes for wineventlog:security but am missing the logs for event code 4776. I have the Windows TA app installed on the universal forwarder and search head. I have tried the following: I unchecked the box labeled "Overwrite field values", which should stop Splunk from overwriting the existing Error_Code field (it did not work). Then I created props.conf on the search head with this:

[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code

Then I restarted the search head. None of those steps are working. I checked the blocklist in the input file, but code 4776 is one of them. Could you please help? Thanks.
I have a couple of apps (TAs) that I am trying to update on my indexer, and I am constantly seeing a 400 Bad Request error when trying to update them. I ran ./splunk remove app on the indexer and it successfully removes the app. Splunk is then restarted on the server. Within a couple of minutes, the folders reappear at the same old version. What is going on with this, and how do I prevent the apps from recreating themselves? I am running Splunk Enterprise v8.03 on Ubuntu 18.04.
Hi, I want to automatically set ownership to admin whenever new alerts are added in savedsearches.conf. As of now, whenever my team has a new alert, I have to add it to savedsearches.conf AND also to local.meta to make it owned by admin, with the exact same title written in savedsearches.conf (if it does not match, it doesn't take effect), like the stanza below:

[savedsearches/new alert]
owner = admin

However, I don't want to keep editing 2 different files when 1 alert is created (too much work if we have a lot of new incoming alerts). There should be a way to set the default ownership of alerts (and also dashboards) to admin when they're first created. I suspect default.meta has something to do with it. Looking for any suggestion. Thank you.
Hi, I'm looking for the proper way to set the 'search' property of a PostProcessManager in splunkjs within an app that runs outside of Splunk Enterprise. Documentation on this is not clear, and my trials have been unsuccessful, as follows:
- myManager.set("search", <mysearchstring>) is apparently syntactically correct, but returns no results
- myManager.settings.set("search", <mysearchstring>) is apparently syntactically correct, but returns no results
- myManager.search.set(<mysearchstring>) is apparently syntactically correct, but causes no update in the display
- myManager.query.set(<mysearchstring>) is also syntactically correct, but causes no update in the display

NOTES:
- After setting the search query, I'm also calling 'startSearch()' on the search manager, and then render() on the chart.
- Before responding, please note that this is for apps outside of Splunk and not otherwise. See examples for this type of app in https://dev.splunk.com/enterprise/docs/developapps/webframework/codeexamplefw/splunkjsstack/searchcontrolseventsjs (this is where 'manager.search.set' and 'manager.query.set' are used in examples with plain SearchManager instances).

Thanks in advance for any help.
I have a single-instance deployment. I have a server that is sending Perfmon logs to my main index, but I never told it to send those logs. Where do I check those settings? I want to keep it sending logs, but to the correct index. So I made a perfmon index, but I cannot find where on the server this configuration file is. I checked etc/system/local and couldn't find anything.
In looking at the app "Webtools Add-On" (https://splunkbase.splunk.com/app/4146/#/overview - @jkat54), I'm curious about the syntax translation from the CLI to the UI. For example, I am prototyping an API call to my sprinkler system (IoT demonstration use case) made by Rachio. Rachio publishes their API curl commands here: https://rachio.readme.io/docs/getting-started. A typical curl command looks like this:

curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer 8e600a4c-0027-4a9a-9bda-abc8d5c90350d" https://api.rach.io/1/public/person/info

How would this translate to the inputs within the Webtools (Configuration) UI? I've tried a few different permutations and receive errors as outputs in the search results (it looks like the auth key isn't passed as expected by the endpoint). What would the UI look like in relation to the above CLI curl command? Thank you! Kelly