Hi, I create a report and share it with users (joined to an LDAP server). They can see the report, but when they click on the numbers shown in the table there are no results, while an admin user does the same thing and the results load successfully.

FYI:
1. Gave read permission to all users.
2. Report runs as report owner.
3. Gave permission to users to access the index.
4. Gave permission to users to access the data model.
5. Inspect job: INFO UserManager - Unwound user context: myuser -> NULL
6. As you see I have 2 searches; when the user deletes whatever exists in the second search, users are able to see events.

Any idea?
Hi Experts, I'm trying to build a lookup table that will update based on the latest time a user logged into a particular application. Ideally, it has a few tracking columns at the end to track last updated and first added. Something like the table that follows. Date added would be the date the user first logged into any application. Not all users use all applications. Lastupdate should always equal the latest date in one of the application columns. The table below should hopefully self-explain the desired outcome.

UserID,app1,app2,app3,app4,DateAdded,LatestLogin
Jdoe,05/06/20,,,03/04/20,02/02/20,05/06/20
Ksmith,,04/20/20,,,01/15/20,04/20/20
Jfrank,,,03/03/20,,03/03/20,03/03/20

Each user would only appear once, and we would only update where they had an application login. We've been able to successfully append the lookup using a combination of inputlookup and outputlookup but are unable to modify a specific row. We created the following to build it (and added an "inlist" column that says "True" based on other examples) but are struggling to 'update' once built.

| multisearch
    [| search index=app1 status=success userid=* | rename _time as app1]
    [| search index=app2 status=success userid=* | rename _time as app2]
    [| search index=app3 status=success userid=* | rename _time as app3]
    [| search index=app4 status=success userid=* | rename _time as app4]
| stats values(userid) as userid values(app1) as app1 values(app2) as app2 values(app3) as app3 values(app4) as app4 by userid
| convert timeformat="%m/%d/%Y" ctime(app1) ctime(app2) ctime(app3) ctime(app4)
| fillnull value=true inlist
| table userid inlist app1 app2 app3 app4
| outputlookup appaccess.csv

Thank you in advance, as always. Finally, Happy Mother's Day!
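One way to get the "update a specific row" behaviour the post is asking for, as an added example that is not part of the original post or the poster's search: compute the latest login per user and application from the new events, append the existing lookup rows with inputlookup, and collapse everything back to one row per user with max/min. It assumes the lookup key column is called userid (the sample CSV header says UserID) and that dates in the lookup are stored as %m/%d/%y, which is what the sample rows show; the inlist column is left out.

```spl
| multisearch
    [ search index=app1 status=success userid=* | eval app="app1" ]
    [ search index=app2 status=success userid=* | eval app="app2" ]
    [ search index=app3 status=success userid=* | eval app="app3" ]
    [ search index=app4 status=success userid=* | eval app="app4" ]
| stats max(_time) as last by userid app
| eval {app}=last
| stats max(app1) as app1 max(app2) as app2 max(app3) as app3 max(app4) as app4 min(last) as DateAdded max(last) as LatestLogin by userid
| inputlookup append=true appaccess.csv
| foreach app1 app2 app3 app4 DateAdded LatestLogin
    [ eval <<FIELD>>=if(match(tostring(<<FIELD>>), "/"), strptime(<<FIELD>>, "%m/%d/%y"), <<FIELD>>) ]
| stats max(app1) as app1 max(app2) as app2 max(app3) as app3 max(app4) as app4 min(DateAdded) as DateAdded max(LatestLogin) as LatestLogin by userid
| convert timeformat="%m/%d/%y" ctime(app1) ctime(app2) ctime(app3) ctime(app4) ctime(DateAdded) ctime(LatestLogin)
| outputlookup appaccess.csv
```

The first stats turns each user/app pair into one row with the newest login; eval {app}=last spreads that into per-app columns; the appended lookup rows are converted from their text dates back to epoch so the second stats can take max per application (newest login wins), min for DateAdded and max for LatestLogin across old and new rows. Run it as a scheduled search over the interval since the previous run; outputlookup rewrites the whole file each time, and inputlookup needs the file to exist, so keep the posted search for the very first build. If the existing file was written with four-digit years by the posted convert, change both the strptime and convert formats to %m/%d/%Y.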
I struggle with joining the two following tables:

Table1

Table 2

The row company of table 1 contains two industry_id, which I want to join with the second table. The result should be like this:

ADIDAS AG | 194677F8-7774-4685-896D-9FB45E248245 | Sshwaz | 4418BACC-BF07-452C-B3A7-BACBAD469FFD | Retail DEUTSCHE LUFTHANSA AG

Is there any way to get that result?
Hello, I would like to ask you for your help. I have two sources (indexes) in Splunk and need to link them together via a query and receive results showing which IP address hit a malicious domain. The tabs are as follows:

Index1name: DNS_domain, IP address 1
Index2name: query, IP address 2

The point of intersection (link) for both tables is:

Index1name - DNS_domain
Index2name - query

If I run the following query, it works properly and I receive the desired results showing which IP address 2 hit example.com.

index=Index1name DNS_domain="example.com"
| rename DNS_domain AS query
| join query [search index=Index2name query="example.com"]

...but I need to have a query that will provide me with the same results for all such detections where the match of DNS_domain and query is in place. If I modify the query above with "*", it will not return any results )o:

I appreciate your help. Thank you.

Regards
Thomas
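A way to run the correlation for every malicious domain at once without join, as an added example that is not the poster's query: read both indexes in one search, normalise the domain, and let stats group the two sides together. It assumes the client address field in Index2name is called client_ip (the post only calls it "IP address 2"), and it lower-cases and strips a trailing dot so that EXAMPLE.COM. and example.com count as the same domain.

```spl
(index=Index1name DNS_domain=*) OR (index=Index2name query=*)
| eval domain=rtrim(lower(coalesce(DNS_domain, query)), ".")
| stats count(eval(index="Index1name")) as malicious_matches
        count(eval(index="Index2name")) as dns_queries
        values(eval(if(index="Index2name", client_ip, null()))) as client_ips
        max(eval(if(index="Index2name", _time, null()))) as last_query
        by domain
| where malicious_matches > 0 AND dns_queries > 0
| convert ctime(last_query)
| table domain client_ips dns_queries last_query
```

Each output row is one malicious domain that was actually queried, with the set of client IPs that asked for it, how many times, and when it was last seen. Unlike join, stats is not subject to the subsearch row and time limits, which is a common reason a wildcarded join comes back empty. If the malicious-domain list in Index1name changes rarely, exporting it to a lookup and using lookup instead of searching the index every time is cheaper.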
Hello, I have this query:

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| timechart span=1m count BY eventtype

which gives me results that look like this:

_time | csm-messages-dhcpd-eth1-nosubnet-declared | csm-messages-dhcpd-lpf-eth0-listening | csm-messages-dhcpd-lpf-eth0-sending | csm-messages-dhcpd-send-socket-fallback-net | csm-messages-dhcpd-write-zero-leases
2019-08-05 10:24:00 | 1 | 1 | 1 | 1 | 1

I have a few questions:
1. Is there a way to write the query in such a way that it will return more than 5000 results?
2. How can I check these terms:
   If count is not equal for all rules:
   Find timestamps of instances that don't match count
   For each unique timestamp from the previous step, alert "CSM DHCP Anomaly" as "Medium"

Thanks
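The check in question 2, written as a search that returns one row per minute in which the five eventtypes did not all have the same count. This is an added example, not the poster's search; it keeps the same index and eventtype names and uses bin plus stats instead of timechart so the per-minute counts can be compared directly.

```spl
index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| bin _time span=1m
| stats count by _time eventtype
| stats dc(eventtype) as eventtypes_seen
        dc(count) as distinct_counts
        min(count) as min_count
        max(count) as max_count
        values(eval(eventtype.": ".count)) as breakdown
        by _time
| where eventtypes_seen < 5 OR distinct_counts > 1
| eval alert_name="CSM DHCP Anomaly", severity="Medium"
| table _time alert_name severity min_count max_count breakdown
```

distinct_counts > 1 catches a minute where the five rules fired a different number of times; eventtypes_seen < 5 catches the case a count comparison alone would miss, where one rule did not fire at all in that minute and therefore has no row. Save it as an alert on a short schedule (for example every 5 minutes over the last 5 minutes), trigger on number of results greater than zero, and set the severity to Medium in the alert settings; each result row is one of the unique timestamps the requirement refers to, and breakdown shows which rule diverged.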
Hi, I have a list of values getting displayed in one of the columns - Error Messages (for all languages) - which I have collected in one row for each of the error codes. So is there a way that I can show only the English messages in the display while still being able to count all the error messages for all languages?

Error Code | Message | Count
302 | Eng, fra | 2
200 | spa,fra,italian, arabic, eng | 5

So I want the output as:

Error Code | Message | Count
302 | Eng | 2
200 | eng | 5

I tried to use mvindex but it's failing since some of the error messages come at the top while some come last. Please note that I don't want the count to be changed.
Hi team, I have used the Windows add-on to get events from a server to my Splunk instance using a universal forwarder. I want some of the monitoring examples that have already been implemented so that I can go through them, get some practice and apply them... Please share some example links...
Hi experts, I have a field called names as shown below. If I search with the first line of strings then the search returns the complete field event, but not for the second and third lines of field strings. I used

| eval names=mvfilter(names="32")

and also

| eval names=mvfilter(match("32", names))

but they did not work for me. Please help me on this, thanks in advance.

names
1121 - sample name
3247 - sample names
9876 - simple name

Required output: if I search with names=1121* or names=3247* or names=9876* then the complete event has to be returned, i.e. as I showed above.
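An added example (not from either post) of filtering a multivalue field with mvfilter, covering both the language-only display asked for in the error-message post above and the numeric-prefix match asked for here. Two details matter: match() takes the field first and the regex second, and the expression inside mvfilter may reference only one field. The data is constructed with makeresults so the search runs anywhere; replace that with the real search.

```spl
| makeresults
| eval error_code="200",
       Message=split("spa,fra,italian,arabic,eng", ","),
       names=split("1121 - sample name;3247 - sample names;9876 - simple name", ";")
| eval Count=mvcount(Message)
| eval Message=mvfilter(match(Message, "(?i)^eng$"))
| where mvcount(mvfilter(match(names, "^3247"))) > 0
| table error_code Message Count names
```

Count is computed before Message is filtered, so the row still reports 5 while Message shows only eng (the (?i) makes it match Eng as well). The where clause keeps an event only if at least one value of names starts with 3247; mvfilter returns null when nothing matches, mvcount(null) is null, and a null comparison is false, so events without such a value drop out while matching events keep all three names values intact.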
With the query below I am able to get the snap date. I need to capture the correct date and timing.

index=vmware-inv sourcetype="vmware:inv:vm" host="*****"
| dedup moid sortby time
| spath changeSet.summary.runtime.powerState output=powerState
| spath changeSet.name output=name
| makemv delim=" " time
| eval time=mvindex(time,0)
| stats latest(powerState) as PowerState by moid,name,time
| search PowerState=PoweredOff
| sort time
Has this app been tested on 8.0.3? After install on SH, the app front page loads, but the inputs and configuration pages do not.
Attempting to install on a Search Head. Install works. Front page of the app works. But clicking on Inputs or Configuration does nothing. Nothing in the app log (it's empty).

Attempting to get this working with Splunk 8.0.3. Installed the app onto the Search Heads. Nothing in logs (the app log is empty). Click the Configuration or Inputs tabs and it just hangs. Any ideas?
Hello, I have what I believe is a basic search that should work, however it doesn't seem to display anything when I search for it. Effectively what I want it to do is: when you type in an X number, that will pass into the search as X_token and then search for the number you have just input. Could I have some guidance on this please?

Covid_19

<input type="text" token="X_token" searchWhenChanged="false">
  <label>Enter X number for individual information</label>
</input>
<panel>
  <table>
    <search>
      <query>index=* $X_token$ | table "X number" "First Name" Surname "Mobile Number" Cell Role</query>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
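An added, hardened version of the fragment above; it is not the poster's dashboard. The posted query drops the token into the search unquoted (index=* $X_token$), so whatever a user types becomes part of the search language: a value such as "1 OR index=*" widens the search rather than matching a number. Tying the token to the field being searched and passing it through the |s filter, which wraps the value in double quotes and escapes quotes and backslashes, makes the input a literal search value. The index name covid19_staff is an assumption for the example, and the form, fieldset and row elements are the standard Simple XML structure around the posted input and panel.

```xml
<form>
  <label>Covid_19</label>
  <fieldset submitButton="true">
    <input type="text" token="X_token" searchWhenChanged="false">
      <label>Enter X number for individual information</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- covid19_staff is an assumed index name; replace it with the index that holds the records. -->
          <query>index=covid19_staff "X number"=$X_token|s$ | table "X number" "First Name" Surname "Mobile Number" Cell Role</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
```

Restricting to one index also keeps the personal data in this dashboard from being searched across every index the viewer has access to. If the X number is not an extracted field in the events, the |s filter still applies to a bare term (index=covid19_staff $X_token|s$), and the field name to constrain on can be checked in the Interesting Fields sidebar.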
Below are my events.

Event1: contains Message Id and Status
Event2: contains Message Id and Origin
Event3: contains Message Id, Event Type and number of events in a single message
Event4: contains Message Id, Before event
Event5: contains Message Id and Number of events from mq.

My requirement is to write a query on the Splunk events mentioned below to display the number of events from a single message (Event3), the Event Type (Event3), the number of Before events (Event4), the number of events from mq (Event5), the Origin of the Message (Event2) and the status of the Message (Event1). Can someone help me with the best way to write the query?

Event1:
314 <14>1 2020-05-08T06:32:27.152225+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-4] BankListener:299 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 , status: CONFIRMED

Event2:
373 <14>1 2020-05-08T06:32:27.144325+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-4] MonetaryListener:294 - dvCID: aee7de40-90f5-11ea-a289-65afed7166d5, Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 Origin: MQ.DEV.BANK

Event3:
495 <14>1 2020-05-08T06:32:26.93318+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO cf_ip=10.19.148.194 cf_inst=0 d_type=mon [Kafkapublish-2] Kafkapublish$KafkapublishCommand:164 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6, EventType: SAVINGS, dvCID: aee7de40-90f5-11ea-a289-65afed7166d5, Num Events: 1, JMS TS: Fri May 08 02:32:26 EDT 2020, DOM TS: Fri May 08 02:32:26 EDT 2020, Kafka TS: Fri May 08 02:32:26 EDT 2020

Event4:
326 <14>1 2020-05-08T06:32:26.92776+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-container-4] BankListener:439 - Before event, Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 / Bank: 123

Event5:
313 <14>1 2020-05-08T06:32:26.405266+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-container-4] BankListener:408 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6, events from mq: 2
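One way to pull the five pieces of information onto a single row per message, written against the sample events above as an added example (not the poster's search). The rex patterns are taken from the literal text of the posted events ("Message id:", "status:", "Origin:", "EventType:", "Num Events:", "events from mq:", "Before event"); the index name bank_app is an assumption, and the "Message id:" term in the base search just narrows it to the relevant lines.

```spl
index=bank_app "Message id:"
| rex field=_raw "Message id:\s*(?<message_id>ID:[0-9a-f]+)"
| rex field=_raw "status:\s*(?<status>\w+)"
| rex field=_raw "Origin:\s*(?<origin>\S+)"
| rex field=_raw "EventType:\s*(?<event_type>\w+)"
| rex field=_raw "Num Events:\s*(?<num_events>\d+)"
| rex field=_raw "events from mq:\s*(?<mq_events>\d+)"
| eval before_event=if(match(_raw, "Before event"), 1, 0)
| stats values(status) as status
        values(origin) as origin
        values(event_type) as event_type
        sum(num_events) as num_events
        sum(before_event) as before_events
        sum(mq_events) as mq_events
        min(_time) as first_seen
        max(_time) as last_seen
        by message_id
| convert ctime(first_seen) ctime(last_seen)
```

Every listener line carries the same Message id, so grouping by message_id joins the five event types without a join command; each rex only populates its field on the one event type that contains that text, and stats ignores the nulls on the others. For the sample above this yields status CONFIRMED, origin MQ.DEV.BANK, event_type SAVINGS, num_events 1, before_events 1 and mq_events 2 on one row. Events with no Message id have a null group-by key and are dropped by stats, which is the intended behaviour here.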
I faced a problem with data that does not update to the search head in real time. I created several local app folders on one Windows client, and part of the monitored logs update to the search head in real time. Part of the monitored log data disappears from the search head suddenly, and after several hours it updates the data again and all the earlier data can be found. I checked that the log is updated in real time, but it is not updated to Splunk in real time. I wrote inputs.conf like this:

[monitor://\XAWSCSPLUNK\MIPC_Ping*.csv]
index = mxa_mipc_ping
sourcetype = mipcpinglog
ignoreOlderThan = 7d
crcSalt =

[monitor://\xawmodapp01\ModTrace\ModAutoSpooler\Trace*.txt]
index = mxa_mes_mod
sourcetype = xawmodapp01log
ignoreOlderThan = 7d
crcSalt =

Does anyone know what I should do so that all logs upload in real time?
When we navigate to the Network Dashboard tab for one of our applications, "Ennova Digital - TEC", the network flow map pane shows the message "Creating Flow Map.." for a very long time. When we look at the JS errors we see the message below. It was all working fine until we started seeing this lately. Please suggest the best course of action for us to fix this.

adrum.js:29 TypeError: Cannot read property 'dbBackendStatus' of null
    at BackendNodeRenderer.getShapeIconURL (apm-module.c155ad1140545bbbc9ff.webpack.min.js:1)
    at SVGImageElement.xlink:href (apm-module.c155ad1140545bbbc9ff.webpack.min.js:1)
    at SVGImageElement.<anonymous> (MainAppModuleCode.webpack.min.js?7f44b2139151cdbd42ab312abbdc167c:1)
    at MainAppModuleCode.webpack.min.js?7f44b2139151cdbd42ab312abbdc167c:1
    at P (MainAppModuleCode.webpack.min.js?7f44b2139151cdbd42ab312abbdc167c:1)
    at Array.pa.each (MainAppModuleCode.webpack.min.js?7f44b2139151cdbd42ab312abbdc167c:1)
    at Array.pa.attr (MainAppModuleCode.webpack.min.js?7f44b2139151cdbd42ab312abbdc167c:1)
    at BackendNodeRenderer.decorateNode (apm-module.c155ad1140545bbbc9ff.webpack.min.js:1)
    at BackendNodeRenderer.DefaultNodeRenderer.render (apm-module.c155ad1140545bbbc9ff.webpack.min.js:1)
    at BackendNodeRenderer.render (apm-module.c155ad1140545bbbc9ff.webpack.min.js:1)
Hi Team, I have the following as a raw event:

INFO : [0:HLog][20200507 12:25:25.739 -0400] [CFarmdHealth.java:538] +1{"garbage_collec: {"total_collections_time":16539,"last_minute_collections":5,"last_minute_collections_time.:38,"totalcollections":2313},"current_state": {"event_processing_metric":0.6647058823529413,"message_queues":{"maintenanceWindowManager":"0/-","Hibernate":"0/-","Default Cookbook":"0/-","Alert Workflows":"0/-",.StatCollector":"0/-","bus_thread_pool":"0/-","Event Workflows":"0/-","SituationMgr":"0/-","SituationRootCause":"0/-","Remedy":.0/-","AlertBuilder":"0/-","TeamsMgr":"0/-","xMatters":"0/-","Housekeeper":"0/-","Situation Workflows":"0/-","Indexer":"0/-","MaintManager":"0/-","NCAlertBuilder":"0/-","SMCEnricher":"0/-","xmattersINS":"0/-",.AlertRulesEngine":"0/-"},"in_memory_entropies.:781,"cookbook_resolu _queue":0,"active_async_tasks_count":0},"interval_totals":{"created events":621,"created_external_situations.:0,"created_situations":0,"messages_processed": {"maintenanceWindowManager":621,"Default Cookbook":548,"Alert Workflows":621,"StatCollector":0,"Event Workflows":597,"situationRootCause":0,"SituationMgr":0,"AlertBuilder":597,"TeamsMgr":0,"xMatters":0,"Indexer":666,"Situation Workflows":0,"maintManager":666,"SMCEnricher":621,NCAlertBuilder":597,xMattersINS":0,"AlertRulesEngine":548},"alerts_added_to situations":0,"situation_db_update_failure":0},JVM_memor] {"heap_used":314179032,"heap_committed":488636416,"heap_init":195035136,"nonheap_committed":290652160,"heap_max":3107979264,"nonheap_init":7667712,"nonheap_used":263293720,"nonheap_max" 1},"totals":{"created_events":178016,"created_external_situations":0,"created_situations":0,"alerts_added_to situations":0,"situation_db_update_failure":0}}1+

Now I have to build the kind of tables in the attachment out of the highlighted text in the event above. Can you please help?
I have one instance set up successfully and it is pulling down data. But I have another instance that is not working. I get the following events in ta_ms_aad_azure_event_hub.log:

2020-05-09 04:44:18,079 INFO pid=7997 tid=MainThread file=connectionpool.py:new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:18,912 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:19,548 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:20,655 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:21,757 INFO pid=7997 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2020-05-09 04:44:21,758 INFO pid=7997 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2020-05-09 04:44:21,758 INFO pid=7997 tid=MainThread file=client_abstract.py:init_:161 | u'eventhub.pysdk-008cb880': Created the Event Hub client
2020-05-09 04:44:21,762 INFO pid=7997 tid=MainThread file=connection.py:_state_changed:177 | Connection '6d677b52-1575-4388-9bbf-dc0f791dcf08' state changed from to
2020-05-09 04:44:21,921 INFO pid=7997 tid=MainThread file=connection.py:_state_changed:177 | Connection '6d677b52-1575-4388-9bbf-dc0f791dcf08' state changed from to
2020-05-09 04:44:21,943 INFO pid=7997 tid=MainThread file=connection.py:work:259 | 'Closing tlsio from a state other than TLSIO_STATE_EXT_OPEN or TLSIO_STATE_EXT_ERROR'

I see from other posts this is often a wrong primary or secondary key, but I'm using the copy-to-clipboard icon under RootManageSharedAccessKey and pasting into the connection string field. I've tried both primary and secondary many times. For the event hub, I've gone to the namespace, clicked Event Hubs under Entities and copied my only configured event hub.

I believe I've used the same process as for the input that's working. Comparing tcpdump between the 2 connections, I see traffic both ways on port 5671. But at the point where the one stops, the successful connection has some kind of TLS exchange... This is part of that packet:

Washington1.0...U....Redmond1.0...U. ..Microsoft Corporation1.0...U....Microsoft IT1.0...U....Microsoft IT TLS CA 40... Ehttp://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%204.crt0"..+.....0...http://ocsp.msocsp.com

So I'm using Microsoft Azure Add-on for Splunk version 2.02 (I've tried 2.10 as well). I'm using Splunk Enterprise Version 7.1.7 (also tried Splunk 7.3.5). Any suggestions on what I can check or do to fix this? Thank you...
Hi, is anyone using the ThreatConnect app for Splunk? There are a bunch of commands built into this app. Do you know how to use them? We tried to run the tcaddindicator command, but it doesn't seem to work.
Hi, I've tried using the Splunk Dashboards App Beta and I have got to say, it's the best! I'd just like to know if there's a way for some of these features to be added:

Is there any way for the data in the table to all be on one page and just viewed using the vertical scroll bar?
Is there a way for the rows of a table to be highlighted depending on a column value? A RAG status, to be specific.

Thanks so much for the awesome work.