Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi, I have a query which returns 5 events (basically 5 files get transferred). I need to send an alert once all 5 files are transferred, meaning as soon as the event count is 5, the alert should be triggered. Is the below query good enough for such a scenario? Should I write it like index=* X y | stats count by FileName | where count=5
I have the *nix add-on installed on all our Linux machines and we get all the default data from the add-on. Which source or sourcetype gives the user login details with root access? I am trying to get a list of all the users on hosts logged in as root. Thanks in advance!
I have events that happen in pairs: a request and a response from a server. What I would like to do is be able to easily table those side by side. Right now they return in the normal table, but I'd like to be able to see them side by side instead. Right now I'm rexing out the data to table it. Is there a way to accomplish this? I need them in pairs of 2, so if for some reason there are 4, which isn't normal, it would do two rows with 2 columns. This is what I'm doing right now: [query] | rex field=message "(Received|Sent) raw (?<processor>.*) (response|request) (?<raw_message>.*})" | table raw_message
Is there a way to set a default role for LDAP users? We want everyone in LDAP to have the basic "Applications & Dashboards Viewer" role without needing to go to every single user.
I have a search that pulls back a list of values and tables them for the details. What I would like to do is use that same search (so I don't have to run it twice, since the base data is the same) and instead distinct count it, so that I can have a count of what has come back for quick reference. I.e. if I'm expecting 15 values but only 10 have come back, then I can proceed from there. Or if I'm expecting 15 and 15 have come back, I can stop the search since everything I was looking for has come back, even though the time frame may be too wide. How could I accomplish this in a dashboard?
I am building out a report that lists all the lockouts during a given period of time. If I look at the Windows security event ID 4740 on a machine where one of the local accounts shows a lockout, then all I can see is that the account was locked out, but there is no information regarding what remote machine made the attempt. If I do a secondary search around the time of the lockout, I can see that there are a number of failed logins, and I am able to get a Workstation Name, Source Network Address, and the logon type. This info is usually enough to let me know why it was locked out. What I would like to do is run a main search for the lockout, then when one is found, run a secondary search that looks backwards on that machine's logs starting from the time the event is recorded and finds the last failed login event right before the lockout happened, maybe even verifying that the account on the lockout event matches the account on the failed attempt, then pull the Workstation Name, Source Network Address, and logon type fields from that event and append them onto the first event. This would give me an event that might look something like this once you clean up the field names: User Name, Target Computer, Source Computer, Source IP, Logon Type, Time. User Name, Target Computer, and Time come from the first search (AKA lockout search), and Source Computer, Source IP, and logon type come from the second search (AKA last failed attempt search). Doable?
Hi, I would like to view today's and yesterday's data in the same chart for the required time range. How can that be done? Help required! Thanks!
Dear All, I have created a Python modular input (of multiple instance type) using Splunk's Add-on Builder that polls a REST API and pulls JSON data for indexing into Splunk. The parameters of the API are the start and end timestamps for which the data is required. In order to avoid duplication, I am keeping the last_polled time as a checkpoint in my modular input so that on the next execution the script knows from where to start fetching the data. This works great when the user creates only one input from the modular input, but if the user creates another input to ingest the data into a separate index, the script will be fetching the last_polled time from the first input, as checkpoints are shared within a modular input, so it will miss some data if their intervals are not the same. Is there any technique to isolate checkpoints for each input so that they are not shared between them? Ideally, I would want them to be isolated according to the index and sourcetype defined by the user. I hope I was able to state my requirement clearly; let me know if you need more information on this. I will be very happy to receive some direction on this, as the documentation has little information. Regards, Umair
I have two indexes, indexA and indexB. IndexA contains userID and Salary; indexB contains userID and Name. I want to print a dashboard with Name and Salary (matching userIDs from both indexes).
Hi, I want to create an alert which gets triggered if the failure count is more than 5 in the last 5 minutes:
1- it should run every 5 minutes
2- it should send an email as well
Here is the base search and the settings as well:
index=myindex sourcetype=xyz host="tus3crs" "EventLogger*" AND "Purchase event" vertical=Stationary Type=Notebook (PurchaseStatus=510 OR PurchaseStatus=515 OR PurchaseStatus=530 OR PurchaseStatus=540) | dedup itemId sortBy -_time
NOTE- These statuses are different failure states of the item. Please help me with setting up this alert. Thank you.
I am trying to schedule reports with an action that would send an AWS SNS alert. I intend to send the results of the report to SNS. For this purpose, I have configured an AWS account in the Splunk Add-on for AWS. This configuration includes the account name, access key, and secret key. However, when I run the report, it says that the account is not found. Is there something missing here?
Hi, I am creating a rule in Enterprise Security and am trying to use multiple tags: | eval tag="prod_alert" and | eval tag="risk_information". What happens is that every time the search runs, the second tag overwrites the first tag. What do I need to do differently to use multiple tags in a rule?
When I run Splunk on my local machine, it is at localhost:8081. How do I stop that local server? I'm trying to work with a virtual machine at a different localhost address, but I can't get to it because there seems to be a redirect to Splunk's 8081. How can I turn off the redirect or stop the Splunk local server?
<form>
  <label>Backup Report Dashboard Clone</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sour" searchWhenChanged="true">
      <label>Datacentre</label>
      <search>
        <query>index="backup" sourcetype="csv" | rex field=source "^(?<sour>[^_\.]*)\.csv" |table sour | dedup sour | sort sour</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <fieldForLabel>sour</fieldForLabel>
      <fieldForValue>sour</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <suffix>.csv</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <style type="text/css">
          #current .single-result { font-size: 60px !important; color: #00FF00; }
        </style>
      </html>
    </panel>
  </row>
  <row depends="$alwaysHideCSSPanel$">
    <panel>
      <html>
        <style>
          .dashboard-panel h2{ background:#1E90FF !important; color:white !important; text-align: center !important; font-weight: bold !important; border-top-right-radius: 15px; border-top-left-radius: 15px; }
        </style>
      </html>
    </panel>
  </row>
  <row depends="$alwaysHideCSSPanel$">
    <panel>
      <html>
        <style>
          .dashboard-panel h2{ background:#1E90FF !important; color:white !important; text-align: center !important; font-weight: bold !important; border-top-right-radius: 15px; border-top-left-radius: 15px; }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel depends="$alwaysHideCSS$">
      <html>
        <style>
          #p1{ width:60% !important; }
          #p2{ width:40% !important; }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Criteria v/s Service</title>
      <table>
        <search>
          <query>
index="backup" sourcetype="csv" source ="$sour$"
|dedup extracted_Host
|eval BackupType=BackupType." "."Backup"
|eval Tier=if(Tier="null","NOT in CMDB",if(Tier="Not Supported","No SLA Defined",Tier))
|stats count as "Total Backup" by Tier
|chart values("Total Backup") over "Total Backup" by Tier
|fields - "Total Backup"
|eval BackupType = "Total Backup"
|stats values(*) as * by BackupType ]
|append [ search index="backup" sourcetype="csv" source ="$sour$"
  |dedup extracted_Host
  |eval BackupType=BackupType." "."Backup"
  |eval Tier=if(Tier="null","NOT in CMDB",if(Tier="Not Supported","No SLA Defined",Tier))
  |eval FinalJobStatus = if(FinalJobStatus="Completed (Exceptions)","Total Success",if(FinalJobStatus="Completed (Failed)","Total Failure",if(FinalJobStatus="Completed (Success)","Total Success",if(FinalJobStatus="Canceled","Total Canceled",if(FinalJobStatus="Running","Total Running","Total Recovered")))))
  |chart count(FinalJobStatus) over FinalJobStatus by Tier
  |sort FinalJobStatus
  |rename FinalJobStatus as BackupType ]
| eval Rank=case(BackupType="Total CI","1",BackupType="Total Backup","2",BackupType="Total Success","9",BackupType="Total Failure","10",BackupType="Total Running","11",BackupType="Total Recovered","12",BackupType="Daily-Incremental-Backup","4",BackupType="Daily-Full-Backup","5",BackupType="Not Backedup","3",BackupType="Monthly-Full-Backup","7",BackupType="Weekly-Full-Backup","6",BackupType="Yearly-Full-Backup","8",BackupType="Total Backup Size (GB)","13")
| sort WHS, Rank
| fields - Rank
|rename BackupType as "Criteria"
|table Criteria Gold,Silver,Bronze,"NOT in CMDB","No SLA Defined"
===================
          </query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown target="_blank">
          <condition field="Total">
            <set token="t1">$click.value$</set>
            <set token="t2">$click.value$</set>
            <set token="t3">$click.value$</set>
            <set token="t4">$click.value$</set>
          </condition>
          <condition field="*">
            <set token="t1">$click.value$</set>
            <set token="Tier">$click.name2$</set>
            <set token="Criteria">$click.value$</set>
          </condition>
          <condition field="*">
            <set token="t2">$click.value$</set>
            <set token="Tier">$click.name2$</set>
            <set token="TotalBackup">$click.value$</set>
          </condition>
        </drilldown>
      </table>
==============
    </panel>
  </row>
  <row>
    <panel depends="$t1$">
      <title>List of Hosts - $Tier$ - $Criteria$</title>
      <table>
        <search>
          <query>index="backup" sourcetype="csv" source ="$sour$" |dedup extracted_Host |eval BackupType=BackupType." "."Backup" |eval Tier=if(Tier="null","NOT in CMDB",if(Tier="Not Supported","No SLA Defined",Tier)) |eval FinalJobStatus = if(FinalJobStatus="Completed (Exceptions)","Total Success",if(FinalJobStatus="Completed (Failed)","Total Failure",if(FinalJobStatus="Completed (Success)","Total Success",if(FinalJobStatus="Canceled","Total Canceled",if(FinalJobStatus="Running","Total Running","Total Recovered"))))) |search Tier="$Tier$" |search FinalJobStatus="$Criteria$" |rename "extracted_Host" as Hosts |table Hosts</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">6</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="link.exportResults.visible">1</option>
        <option name="link.inspectSearch.visible">1</option>
        <option name="link.openPivot.visible">0</option>
        <option name="link.openSearch.visible">1</option>
        <option name="link.visible">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <drilldown target="_blank">
          <unset token="TypeBackup"></unset>
          <unset token="TotalBackup"></unset>
          <unset token="NotBackedup"></unset>
          <unset token="t2"></unset>
          <unset token="t3"></unset>
          <unset token="t4"></unset>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$t2$">
      <title>List of Hosts - $Tier$ - $Criteria$</title>
      <table>
        <search>
          <query>index="backup" sourcetype="csv" source ="$sour$" |dedup extracted_Host |eval BackupType=BackupType." "."Backup" |eval BackupType = "Total Backup" |eval Tier=if(Tier="null","NOT in CMDB",if(Tier="Not Supported","No SLA Defined",Tier)) |search Tier="$Tier$" |search BackupType="$Criteria$" |rename "extracted_Host" as Hosts |table Hosts</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">6</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="link.exportResults.visible">1</option>
        <option name="link.inspectSearch.visible">1</option>
        <option name="link.openPivot.visible">0</option>
        <option name="link.openSearch.visible">1</option>
        <option name="link.visible">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
        <drilldown target="_blank">
          <unset token="Criteria"></unset>
          <unset token="TypeBackup"></unset>
          <unset token="NotBackedup"></unset>
          <unset token="t1"></unset>
          <unset token="t3"></unset>
          <unset token="t4"></unset>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
================================
When clicking on the values from the main search query, the panels change, but only a single query is run; it does not choose according to click.value, and the query below is always the only one being run:
<query>index="backup" sourcetype="csv" source ="$sour$" |dedup extracted_Host |eval BackupType=BackupType." "."Backup" |eval Tier=if(Tier="null","NOT in CMDB",if(Tier="Not Supported","No SLA Defined",Tier)) |eval FinalJobStatus = if(FinalJobStatus="Completed (Exceptions)","Total Success",if(FinalJobStatus="Completed (Failed)","Total Failure",if(FinalJobStatus="Completed (Success)","Total Success",if(FinalJobStatus="Canceled","Total Canceled",if(FinalJobStatus="Running","Total Running","Total Recovered"))))) |search Tier="$Tier$" |search FinalJobStatus="$Criteria$" |rename "extracted_Host" as Hosts |table Hosts</query>
Hi, to explain my scenario I created a sample dashboard in XML (see below). Here the selection of the Group input will populate from a lookup table as per the selected sourcetype, and currently I am showing bytes values in the pre-selected multiselect filter from the lookup as per the selection of sourcetype and Group. Now my requirement is: I want to combine the two multiselect filters, i.e. pre-selected bytes should have values as per the Group and sourcetype selection and also allow the user to select more bytes (if required) using the Select bytes multiselect input query (index="_internal" sourcetype="$sourcetype$"|stats count by bytes sourcetype). For example, I selected sourcetype splunkd_access and Group simple_test; then the pre-selected multiselect gets auto-populated with the values 5633, 5643, 167, and on clicking the Select bytes multiselect filter it shows a few bytes values. I want to show all those values for selection in pre-selected bytes, so that there will be only one multiselect input. I also want to add an All Group option in the select Group dropdown, and on selection of All Group, all values should get populated in pre-selected bytes. Please let me know how I can achieve this. I tried to combine the two multiselect queries but did not get any success. Thanks.
<form script="group.js">
  <label>bytesgroup</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>sourcetype</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal|stats count by sourcetype</query>
        <earliest>$time_slice.earliest$</earliest>
        <latest>$time_slice.latest$</latest>
      </search>
    </input>
    <input type="dropdown" token="Group" searchWhenChanged="true" id="grp">
      <label>select group</label>
      <fieldForLabel>Group</fieldForLabel>
      <fieldForValue>Group</fieldForValue>
      <search>
        <query>|inputlookup group.csv|search sourcetype="$sourcetype$"|stats count by Group</query>
        <earliest>$time_slice.earliest$</earliest>
        <latest>$time_slice.latest$</latest>
      </search>
    </input>
    <input type="multiselect" token="field1" id="idSelectIndex">
      <label>pre-selected bytes</label>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>bytes="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>bytes</fieldForLabel>
      <fieldForValue>bytes</fieldForValue>
      <search id="idSearchSelectIndex">
        <query>|inputlookup group.csv|search sourcetype="$sourcetype$" AND Group="$Group$"|fields bytes</query>
        <earliest>$time_slice.earliest$</earliest>
        <latest>$time_slice.latest$</latest>
      </search>
      <choice value="*">All</choice>
    </input>
    <input type="multiselect" token="selected_bytes">
      <label>Select bytes</label>
      <delimiter> </delimiter>
      <fieldForLabel>bytes</fieldForLabel>
      <fieldForValue>bytes</fieldForValue>
      <search>
        <query>index="_internal" sourcetype="$sourcetype$"|stats count by bytes sourcetype</query>
        <earliest>$time_slice.earliest$</earliest>
        <latest>$time_slice.latest$</latest>
      </search>
    </input>
    <input type="time" token="time_slice">
      <label>time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd_access $field1$|stats count by bytes</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

group.js code-

var deps = [ "splunkjs/ready!" ];
require(deps, function(mvc) {
    console.log("js is read");
    // The multiselect input and its populating search, looked up by the ids set in the XML
    var idSelectIndex = mvc.Components.get('idSelectIndex');
    var tokens = mvc.Components.get("default");
    var defaultTokenModel = mvc.Components.get("default");
    var idSearchSelectIndex = mvc.Components.get("idSearchSelectIndex");
    var idSearchSelectIndex_results = idSearchSelectIndex.data("preview");
    // Whenever the lookup search returns rows, make every returned bytes value a default selection
    idSearchSelectIndex_results.on("data", function() {
        var allValues = [];
        $.each(idSearchSelectIndex_results.data().rows, function( Vehicle, value ) {
            // console.log(" Inside Loop to predined vehicle loop field1");
            allValues.push(value[0]);
        });
        idSelectIndex.settings.set("default", allValues);
        var grpp = defaultTokenModel.get("Group");
        console.log("Group: ", grpp);
    });
});

and group.csv lookup-

sourcetype,Group,bytes
splunkd_access,testing,167
splunkd_access,testing,114
splunkd_access,testing,1700
splunkd_access,simple_test,5633
splunkd_access,simple_test,5643
splunkd_access,simple_test,167
When closing a notable event in Splunk Enterprise Security, there are typically the following fields available:
Status
Change urgency
Owner
Description
Summary/Notes
Is there a way to add a new field with a custom drop-down to the closure of the notable event? For example (using the example above), I would create a new field called Category with a drop-down list to select the type of category:
Status
Change urgency
Owner
Category
Description
Summary/Notes
Hello, I'm having problems when trying to connect to a database through DB Input. When I click on validate, the following error message appears: "com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: failed to initialize the pool: the driver was unable to establish a secure connection to SQL Server using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a answer. The connection has ended. ClientConnectionId: 5d293ec3-b435-4981-9f69-31103f087942". I tried with the SSL option enabled and disabled, but both without success. Can someone help me? Thank you! Regards, Jefferson
We are seeing two types of dmesg errors on the Linux VMs which are acting as our indexers:
1) “task blocked for more than 120 seconds, hung_task_timeout_secs, call trace” - https://del.dog/120blk.txt
2) “sd 0:0:0:0: [sda] task abort on host 0” - https://del.dog/tskabrt.txt
These issues also seem to be causing high I/O for all VMs on the same vCenter cluster that the indexers are on. As soon as we get the indexers powered down, performance is restored across the cluster.
Things I've tried:
- Full yum update
- Disabling Huge Pages
- Tried booting with an older kernel two versions back, and the latest ones.
- Initially we were on RDM backed by an EMC VNX SAN for hot space. This was converted to VMDK (still backed by VNX).
- Initially the hot drives were thin. They were converted to Eager Thick.
- Initially the hot drives were formatted with XFS. I have migrated them to EXT4.
- I tried tuning system caching / flushes per this explanation: https://www.blackmoreops.com/2014/09/22/linux-kernel-panic-issue--fix-hung_task_timeout_secs-blocked-120-seconds-problem/
Hi All, I would like to know if something like this will work, or whether there are any other possible solutions: Chart count over field1 by field2, field3. And I would want to visualise the chart in trellis mode on the basis of field3. Kindly suggest. Thanks in advance.
Right now, we have Splunk set up to monitor print jobs. However, the print title in Event Viewer simply shows up as "Document X". We are trying to figure out how to get Event Viewer, and subsequently Splunk, to show the actual title of the document which is printed.