Hi, I've tried using Splunk Dashboards App Beta and I've got to say, it's the best! I'd just like to know if there's a way for some of these features to be added. Is there any way for the data in the table to all be on one page and just viewed using the vertical scroll bar? Is there a way for the rows of the table to be highlighted depending on column value? A RAG status, to be specific. Thanks so much for the awesome work.
I changed my props.conf a while ago so that SHOULD_LINEMERGE=false, and since then I've gotten my desired result: one log line for one event. However, whenever I output my search to a CSV file, it still contains the events that were indexed prior to me changing props.conf. These events still have multiple log lines under a single timestamp. Is there any way to tell Splunk to retroactively break up those indexed events into their own separate events? Or at least output to a CSV that has one event = one line?
I need to refresh the dashboard again before the CSS starts working correctly. I've used JS and CSS to highlight my table rows based on the values, but whenever I load the dashboard, I need to reload it again before the CSS is applied.
I haven't seen much on creating a bell curve in Splunk. I've created a query that returns 30,000 events for 40+ associates over a month. Each event contains the number of minutes they've worked a specific activity. I then use stats to sum the time each associate works:

stats sum(hoursWorked) by Associate

but I want to use bins to create a bell curve to show the "normal" distribution of each associate's work. I have tried several ways with no success. I'm basically trying to show the number of associates that fall into each bin of number of hours worked. I want it to be something like:

bin span=5 hoursWorked | stats count(sum(hoursWorked) by Associate) by hoursWorked

but I realize I'm trying to count a table there. Help?
Hi, I want to use field values for a search query and then export the results for each field value to a CSV. For example, I have a list of field values. Then for each of these values, I will use them in a search query:

list = [1,2,3]
for LIST_VALUE in list:
    "index="foo" source="bar" where name=<LIST_VALUE> outputcsv <LIST_VALUE>.csv

Is this possible? Thanks!
We are trying to alert on O365 service messages data. Under the "Messages" multivalue field, we are trying to pull the most recent multivalue field based on PublishedTime. We want to separate each multivalue field and report the most recent.

Search string:

index="o365data" sourcetype="o365:service:message" Id=EX212047 | stats count by Messages{}.PublishedTime, WorkloadDisplayName, Messages{}.MessageText, Id | rename WorkloadDisplayName AS Workload Id AS Ticket Messages{}.MessageText AS Messages | fields - count | tail 1

Example output:

Raw Event example:

{"ActionType": null, "AdditionalDetails": [{"Name": "NotifyInApp", "Value": "True"}], "AffectedTenantCount": 0, "AffectedUserCount": null, "AffectedWorkloadDisplayNames": [], "AffectedWorkloadNames": [], "Classification": "Incident", "EndTime": null, "Feature": "Access", "FeatureDisplayName": "E-Mail and calendar access", "Id": "EX212047", "ImpactDescription": "Users may receive repeated credential prompts within the Outlook client.", "LastUpdatedTime": "2020-05-08T16:59:41.103Z", "MessageType": "Incident", "Messages": [{"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nCurrent status: We're investigating a potential issue with multiple credential prompts. 
We'll provide an update within 30 minutes.", "PublishedTime": "2020-05-05T14:29:21.21Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nCurrent status: We're analyzing system logs to determine the source of the issue.\n\nScope of impact: This issue may affect any user that has service-based search or Focused Inbox.\n\nNext update by: Tuesday, May 5, 2020, at 5:00 PM\u00a0UTC", "PublishedTime": "2020-05-05T15:04:35.827Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Some users may receive repeated credential prompts within the Outlook client.\n\nMore info: Some users have reported that after multiple credential prompts they are able to access the service.\n\nCurrent status: Our investigation into the system logs did not provide enough data to determine the source of the issue. We're contacting affected users to gather Fiddler network trace logs, Support and Recovery Assistant logs, and examples of users that can reproduce the issue so that we can understand the root cause and create a strategy to remediate impact.\n\nScope of impact: This issue may affect any user that has service-based search or Focused Inbox.\n\nNext update by: Wednesday, May 6, 2020, at 6:30 PM\u00a0UTC", "PublishedTime": "2020-05-05T16:39:57.187Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: As a workaround, customer who are able to use Modern Authentication may enable it to mitigate impact for affected users. 
Details on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online\n\nCurrent status: We're analyzing trace logs provided by affected users to isolate the origin of the issue and determine our next steps. We've received some reports that enabling Modern Authentication mitigates the problem, though we're investigating how this relates to the cause of the problem.\n\nScope of impact: This issue may affect any user that has service-based search or Focused Inbox.\n\nNext update by: Wednesday, May 6, 2020, at 8:30 PM\u00a0UTC", "PublishedTime": "2020-05-06T17:45:17.867Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: As a workaround, customer who are able to use Modern Authentication may enable it to mitigate impact for affected users. Details on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online\n\nCurrent status: We're continuing to investigate the Fiddler network traces and data supplied by impacted users to isolate the cause.\n\nScope of impact: This issue may affect any user that has service-based search or Focused Inbox.\n\nNext update by: Wednesday, May 6, 2020, at 10:30 PM\u00a0UTC", "PublishedTime": "2020-05-06T20:34:02.627Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: While we're focused on remediation, users that have access to other protocols such as Outlook on the web or mobile devices can access their email without issue. 
Additionally, customers who are able to use Modern Authentication may enable it to mitigate impact for affected users. Details on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online\n\nCurrent status: We've created test accounts using various configurations to help us understand the exact circumstances that causes this issue to better define the scope of the problem and how we may go about resolving the impact.\n\nScope of impact: This issue may affect any user that has service-based search or Focused Inbox.\n\nNext update by: Thursday, May 7, 2020, at 1:30 AM\u00a0UTC", "PublishedTime": "2020-05-06T22:29:05.717Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: While we're focused on remediation, users that have access to other protocols such as Outlook on the web or mobile devices can access their email without issue. Additionally, customers who are able to use Modern Authentication may enable it to mitigate impact for affected users. Details on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online\n\nCurrent status: We've determined that a recent Exchange Online update contains a code issue which is resulting in repeated credential prompts. We've halted deployment of the build to prevent further spread of impact and we're discussing mitigation steps for this event. We've confirmed that this issue appears to only affect basic authentication configuration users.\n\nScope of impact: This issue may affect any user that has service-based search or Focused Inbox. 
Additionally, this issue only affects users that are attempting to connect via basic authentication.\n\nRoot cause: A recent update to the Exchange Online service contains a code issue that is causing repeated credential prompts for basic authentication users.\n\nNext update by: Thursday, May 7, 2020, at 3:30 AM UTC", "PublishedTime": "2020-05-07T00:33:22.087Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: While we're focused on remediation, users that have access to other protocols such as Outlook on the web or mobile devices can access their email without issue. Additionally, customers who are able to use Modern Authentication may enable it to mitigate impact for affected users. Details on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online\n\nCurrent status: We've developed a fix and we're performing extensive validation to confirm that it'll resolve the issue. We expect to begin deployment of the fix within the next 14 hours.\n\nScope of impact: This issue may affect any user that has service-based search or Focused Inbox. Additionally, this issue only affects users that are attempting to connect to their Outlook Desktop clients via basic authentication. 
\n\nStart time: Tuesday, May 5, 2020, at 4:00 AM\u00a0UTC\n\nRoot cause: A recent update to the Exchange Online service contains a code issue that is causing repeated credential prompts for basic authentication users.\n\nNext update by: Thursday, May 7, 2020, at 5:00 PM\u00a0UTC", "PublishedTime": "2020-05-07T02:33:29.743Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: While we're focused on remediation, users that have access to other protocols such as Outlook on the web or mobile devices can access their email without issue.\n\nThis issue only impacts customers using Basic Authentication. Further, customers who are able to use Modern Authentication may enable it to mitigate impact for affected users; however, this process can require several hours to take effect for some customers.\n\nDetails on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online\n\nCurrent status: We're continuing to perform validation of our fix and expect this process to complete within the next three to four hours. 
Once complete, we\u2019ll initiate deployment of our solution to the affected infrastructure.\n\nScope of impact: This issue affects a subset of customers and users who are connecting to the service using basic authentication and utilize service-based search or a Focused inbox.\n\nStart time: Tuesday, May 5, 2020, at 4:00 AM UTC\n\nRoot cause: A recent update to the Exchange Online service contains a code issue that is causing repeated credential prompts for basic authentication users.\n\nNext update by: Thursday, May 7, 2020, at 11:00 PM UTC", "PublishedTime": "2020-05-07T16:54:26.367Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: While we're focused on remediation, users that have access to other protocols such as Outlook on the web or mobile devices can access their email without issue.\n\nThis issue only impacts customers using basic authentication. Customers who are able to use Modern Authentication may enable it to mitigate impact for affected users; however, this process can require several hours to take effect for some customers.\n\nWhile we understand this may not be a viable workaround for all customers we're committed to identifying and provided all potential solutions. Details on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online.\n\nCurrent status: We've initiated deployment of our solution and users should experience service restoration as the fix reaches their environment. 
We will provide an estimated resolution timeline as soon as one is available.\n\nScope of impact: This issue affects a subset of customers and users who are connecting to the service using Basic Authentication and utilize service-based search or a Focused inbox.\n\nStart time: Tuesday, May 5, 2020, at 4:00 AM UTC\n\nPreliminary root cause: A recent update to the Exchange Online service contains a code issue that is causing repeated credential prompts for basic authentication users.\n\nNext update by: Friday, May 8, 2020, at 3:00 AM UTC", "PublishedTime": "2020-05-07T20:41:29.763Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: While we're focused on remediation, users that have access to other protocols such as Outlook on the web or mobile devices can access their email without issue.\n\nThis issue only impacts customers using basic authentication. Customers who are able to use Modern Authentication may enable it to mitigate impact for affected users; however, this process can require several hours to take effect for some customers.\n\nWhile we understand this may not be a viable workaround for all customers we're committed to identifying and providing all potential solutions. 
Details on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online.\n\nCurrent status: We're continuing deployment of the fix and expect it reach all of the affected environments within the next 72 hours.\n\nScope of impact: This issue affects a subset of customers and users who are connecting to the service using Basic Authentication and utilize service-based search or a Focused inbox.\n\nStart time: Tuesday, May 5, 2020, at 4:00 AM UTC\n\nPreliminary root cause: A recent update to the Exchange Online service contains a code issue that is causing repeated credential prompts for basic authentication users.\n\nNext update by: Friday, May 8, 2020, at 5:00 PM UTC", "PublishedTime": "2020-05-08T00:13:31.147Z"}, {"MessageText": "Title: Multiple credential prompts in the Outlook client\n\nUser Impact: Users may receive repeated credential prompts within the Outlook client.\n\nMore info: While we're focused on remediation, users that have access to other protocols such as Outlook on the web or mobile devices can access their email without issue.\n\nThis issue only impacts customers using basic authentication. Customers who are able to use Modern Authentication may enable it to mitigate impact for affected users; however, this process can require several hours to take effect for some customers.\n\nWhile we understand this may not be a viable workaround for all customers we're committed to identifying and providing all potential solutions. Details on how to enable Modern Authentication can be found here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online\n\nFor some customers who have disabled Modern Authentication, there is a secondary issue that is causing the client to attempt to use Modern Authentication regardless of the setting. 
Once the fix has been deployed, the client and service should use the expected configuration.\n\nCurrent status: We're closely monitoring progress of the fix deployment which has reached approximately 33 percent of the affected infrastructure. We expect that the deployment will complete within the next 48 hours.\n\nScope of impact: This issue affects a subset of customers and users who are connecting to the service using Basic Authentication and utilize service-based search or a Focused inbox.\n\nStart time: Tuesday, May 5, 2020, at 4:00 AM UTC\n\nEstimated time to resolve: Based on current progress, we expect deployment of the solution to complete by 11:00 PM UTC on Sunday, May 10, 2020. Customers should experience incremental service restoration as the deployment progresses.\n\nPreliminary root cause: A recent update to the Exchange Online service contains a code issue that is causing repeated credential prompts for basic authentication users.\n\nNext update by: Saturday, May 9, 2020, at 11:00 PM UTC", "PublishedTime": "2020-05-08T16:59:41.103Z"}], "PostIncidentDocumentUrl": null, "Severity": "Sev2", "StartTime": "2020-05-05T04:00:00Z", "Status": "Restoring service", "Title": "Multiple credential prompts in the Outlook client", "UserFunctionalImpact": "", "Workload": "Exchange", "WorkloadDisplayName": "Exchange Online"}
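The search in the post groups Messages{}.PublishedTime and Messages{}.MessageText as two independent multivalue fields, so stats pairs every time with every text. As an added example (not the poster's search), the query below expands the Messages array into one row per message and keeps the newest one per ticket; index, sourcetype and Id are the ones in the post. It relies on PublishedTime being an ISO-8601 UTC string with zero-padded fields, which sorts correctly as text (only two messages in the same second with different fraction widths could be misordered).

```spl
index="o365data" sourcetype="o365:service:message" Id=EX212047
| spath path=Messages{} output=message
| mvexpand message
| spath input=message path=PublishedTime output=PublishedTime
| spath input=message path=MessageText output=MessageText
| dedup Id sortby -PublishedTime
| rename WorkloadDisplayName AS Workload, Id AS Ticket
| table Ticket Workload PublishedTime MessageText
```

Dropping the Id=EX212047 filter makes dedup return the latest message for every open ticket, which is the shape an alert usually wants.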
So I am trying to parse the description of the ET rules, which is downloaded as json.gz. So it should be a JSON file, but it's not taking the default JSON sourcetype; it's showing it as one file. The beginning of the file starts with a {. Each rule starts like this:

"2012742":{

and each rule ends like this:

:"2012742"},

I have tried to do line breaks, indexed extractions=json, I thought BREAK_AFTER= }, but I am not good with regex and so it's not working. Thanks for any assistance.
I need to do one search with value A in the logs to get value B, then search on value B in another, independent search to get other information. How do I do this in Splunk (ideally without a join)?
Dear All, I want to extract fields from the below events. The problem I'm facing is that the fields are not in harmony. For example, in event 1, "action" is the second last key; however, in event 2 it is the last one. Similarly, some of the fields that are available in event 2 do not exist in event 1. Can you guide me in extracting the fields from these events?

Event 1

Fri May 08 11:44:37 PDT 2020|{"timestamp":1588963477939,"caller":"xyz@abc","applicationId":null,"applicationName":null,"action":"LOGIN","message":"User [xyz@abc] logged in successfully"}

Event 2

Fri May 08 18:44:38 UTC 2020|{"timestamp":1588963478783,"caller":"xyz@abc","applicationId":20575244,"applicationName":"TIB_TST","entityType":"APPLICATION","entityId":20575244,"entityName":"TIB_TST","changes":[{"property":"name","value":"TIB_TST"}],"action":"OBJECT_CREATED"}
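Key order does not matter to a JSON path extractor, so the mismatch between the two events is not the obstacle; the date prefix before the pipe is, because it stops the event from being parsed as JSON. As an added example (not the poster's search), the query below cuts the JSON object out of _raw and lets spath extract whatever keys each event happens to have; the index and sourcetype are placeholders, and the changes[] array becomes a pair of multivalue fields.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw "^(?<event_date>[^|]+)\|(?<json>\{.*\})$"
| spath input=json
| rename changes{}.property AS changed_property, changes{}.value AS changed_value
| fields - _raw json
| table event_date timestamp caller action applicationId applicationName entityType entityId entityName changed_property changed_value message
```

Fields absent from an event (applicationId in event 1, message in event 2) simply come back empty for that row.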
We're working on the setup of a new Splunk installation. As an intermediate step during the migration work we would like to point the old Indexer Cluster to the new License Master. The problem we're facing is that in the old installation we're not using SSL for port 8089 communications and in the new installation we are. To sum up, SSL is not configured in the client (the old Indexer Cluster) but is enabled in the new License Master. After setting the master_uri in the [license] stanza to https://newlm.com:8089 (in /opt/splunk/etc/system/local/server.conf) the following messages started to pop up:

Failed to contact license master: reason='Unable to connect to license master=https://newlm.com:8089 Error connecting: SSL not configured on client

As a side note, openssl output looks clean:

>openssl s_client -connect newlm.com:8089 -CAfile /opt/splunk/etc/auth/cacert.pem
Verify return code: 0 (ok)

Any way to set up this mixed environment? Could we possibly use SSL just for the communication with the License Master? Could these calls be "proxied" by a License Slave? What is the minimum setup to support this kind of communication? It would be a bummer if we have to set up the entire old installation for SSL just to contact the License Master! Thanks in advance.
Hi all, Well, I have data and I want to get alerted when we have a spike in 5xx errors corresponding to endpoints. All endpoints have a different trend of 5xx errors in general. And traffic also is variable depending on day and night. So if traffic is higher, we will probably see more 5xx compared to when traffic is low. I tried to use the interquartile range method to check for outliers, but I doubt the usage of that, as when traffic is going to increase it will alert without any reason. Is there any other apt way to do that?

index=rxc sourcetype=rxcapp status=5* endpoint=* | stats count as error by status endpoint

This would be my base query. I tried using the below, but then traffic is variable, so in the morning there will be a few more errors than at night; in such a case this alert is always going to trigger and create spam. Is there any better way to work with dynamic thresholds, like maybe calculating percentage change, but then how to decide the threshold in that case?

index=rxc sourcetype=rxcapp status=5* endpoint=* earliest=-20m@m latest=now | bucket _time span=2m | stats count as error by _time status endpoint | streamstats median(error) as med p75(error) as p75 p25(error) as p25 by status endpoint | eval iqr=(p75-p25) | eval lower=(med-iqr*1.5) | eval upper=(med+iqr*1.5) | where error>upper | fields _time endpoint error status upper lower med iqr
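Two changes address the traffic problem described above: compare the 5xx rate (errors divided by all requests in the bucket) rather than the raw count, and build the IQR baseline from the same hour of day over previous days so a busy morning is compared with other mornings. As an added example (not the poster's search), using the index, sourcetype and field names from the post; the seven-day baseline window and the errors>=10 floor (to keep a single failure on a quiet endpoint from firing) are assumptions.

```spl
index=rxc sourcetype=rxcapp status=* endpoint=* earliest=-7d@h latest=@h
| bucket _time span=1h
| stats count AS requests, count(eval(like(status,"5%"))) AS errors BY _time endpoint
| eval error_rate=round(100*errors/requests,2), hour=strftime(_time,"%H")
| eventstats median(error_rate) AS med, p25(error_rate) AS p25, p75(error_rate) AS p75 BY hour endpoint
| eval iqr=p75-p25, upper=med+1.5*iqr
| where _time>=relative_time(now(),"-1h@h") AND error_rate>upper AND errors>=10
| table _time endpoint requests errors error_rate med upper
```

Scheduled hourly, this only returns the last complete hour for endpoints whose error rate sits above that hour-of-day's upper fence, so the alert condition is simply "number of results > 0".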
Just installed both versions of Microsoft Azure Add-on for Splunk on a Heavy Forwarder. When I open the inputs area nothing happens, it just spins. Eventually, the following error shows up in messages:

Unable to initialize modular input "azure_event_hub" defined in the app "TA-MS-AAD": Introspecting scheme=azure_event_hub: script running failed (exited with code 1)

Any assistance would be great.
All, I am trying to manage lookup CSV files using the REST API.

1) I create the lookup file in the staging folder:

[1755] root@endpoint:~ # ls -al /opt/splunk/var/run/splunk/lookup_tmp/*
-rw-r--r-- 1 root root 1631 May 8 17:49 /opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv

2) I am able to upload it using REST:

curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv

It works fine, but it creates the lookup under the search app:

<content type="text/xml">
  <s:dict>
    <s:key name="disabled">0</s:key>
    <s:key name="eai:acl">
      <s:dict>
        <s:key name="app">search</s:key>
        <s:key name="can_change_perms">1</s:key>
        <s:key name="can_list">1</s:key>
        <s:key name="can_share_app">1</s:key>
        <s:key name="can_share_global">1</s:key>
        <s:key name="can_share_user">1</s:key>
        <s:key name="can_write">1</s:key>
        <s:key name="modifiable">1</s:key>
        <s:key name="owner">ggarcia</s:key>
        <s:key name="perms"/>
        <s:key name="removable">1</s:key>
        <s:key name="sharing">user</s:key>
      </s:dict>
    </s:key>
    <s:key name="eai:appName">search</s:key>
    <s:key name="eai:data"><![CDATA[/usr/ssn/splunk/etc/users/ggarcia/search/lookups/nagios_gg.csv]]></s:key>
    <s:key name="eai:userName">ggarcia</s:key>
  </s:dict>
</content>

If I move it to a different app using:

curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg2.csv
Enter host password for user 'ggarcia':
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">An object with name=nagios_gg.csv does not exist</msg>
  </messages>
</response>

How can I create it in a different app and be able to update it using REST? Thank you!
Hello all, The Splunk documentation does not have an answer to this that I can find. I need to turn off recurring inputs for entity creation. We are running a 9-member SHC for our ITSI deployment. I have tried logging into a single node and going to the data input settings screen. Clicking on the object noted in the documentation simply tells me I cannot add any other inputs because I'm currently in a SHC. So how am I supposed to be able to turn off these recurring imports?
Hello All, We were using Splunk_TA_ipfix to collect the NetScaler Appflow logs and send them to our index cluster. With the release of Splunk_TA_citrix_netscaler 7.0.1, it states to collect Appflow logs using Splunk Stream. I am not sure what I am doing wrong. Here is my distributed environment:

2 Non-Clustered ADHOC SH
1 Non-Clustered ES SH
13 Node Index cluster

I installed the NetScaler TA on all SHs and all indexers. I installed Stream on one of my ADHOC SHs that is not busy. I installed the Stream TA on a heavy forwarder that was configured to receive Appflow data when the ipfix TA was installed.

Splunk_TA_stream configuration files:

streamforward.conf:

[streamfwd]
netflowReceiver.0.ip = 0.0.0.0
netflowReceiver.0.port = 4739
netflowReceiver.0.protocol = udp
netflowReceiver.0.decoder = netflow

inputs.conf:

[streamfwd://streamfwd]
splunk_stream_app_location = https://adhoc_sh_1:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0

I do not see any data being forwarded to the ad hoc SH, nor do I see any data being sent to the indexers for the NetScaler appflow sourcetype. The instructions for collecting IPFIX/APPFLOW are about as clear as mud on a moonless night on a cloudy night in the middle of winter. I know I do not have the inputs set up properly and I am not sure what else I have wrong. Any help would be greatly appreciated. Thanks, Ed
I need some help getting my config right in props.conf. When the data comes in I can see the _time is not set to the value passed for TimeStamp. It is set to the time the event was ingested. For legacy reasons we will have a queue between the app and logging hosts, so there will be latency on the messages, so setting it to the passed time is critical... The one thing I have noticed is that the decimal places on TimeStamp vary from 5 to 7 digits and we are using %9N. I tried setting this to %3N hoping it would just ignore the characters after, but no joy. Do we need to make sure we fix the number of decimals in the logging code? I do not see any data issues when checking DataQuality. Any help is very much appreciated! I am using the following query to evaluate the drift. I know it is not being set as I have caused a delay by sitting on a breakpoint in the logging code.

index=telemetry_*_event_*
| fields _time, TimeStamp, index
| fields - _raw
| eval epoch_time_span=strptime('TimeStamp',"%Y-%m-%dT%H:%M:%S.%9N")
| eval diff=epoch_time_span - _time
| table _time, TimeStamp, epoch_time_span, diff, index
| sort diff

Sample results:

_time | TimeStamp | epoch_time_span | diff
2020-05-08T16:04:10.324-0600 | 2020-05-08T16:04:04.5663643Z | 1588953845 | -5.758
2020-05-08T16:01:19.641-0600 | 2020-05-08T16:01:19.5349868Z | 1588953680 | -0.106
2020-05-08T15:54:05.559-0600 | 2020-05-08T15:54:05.4668267Z | 1588953245 | -0.092
2020-05-08T15:54:17.723-0600 | 2020-05-08T15:54:17.715911Z | 1588953258 | -0.007
2020-05-08T16:01:31.924-0600 | 2020-05-08T16:01:31.9176148Z | 1588953692 | -0.006
2020-05-08T16:01:34.754-0600 | 2020-05-08T16:01:34.7519748Z | 1588953695 | -0.002

Here is the _raw data from Splunk:

{"TimeStamp":"2020-05-08T16:04:20.6492094Z","Level":"Debug","Properties":{"Action":"XXXX","Channel":"XXXX","CorrelationID":"7c003283-a81e-4b11-97ff-c926e53f4fa6","Host":"XXXX","ServiceID":{"Application":{"Name":"XXXX"},"Environment":"development","Tenant":"XXXX"},"ProcessID":"22908","ProcessName":"XXXX","ThreadID":"18872","ThreadName":"XXXX","User":{"Domain":"XXXX","ID":"4","Name":"XXXX","Location":"XXXX","Custom":{"OrganizationCode":"XXXX"}},"Performance":{"DataCallCount":1,"ElapsedTime":122.0,"ElapsedTimeSpan":"0:00:00.122","HasError":false,"Outbound":false,"Ticks":1223834}},"Version":"0.0.1.19100"}

Here is the config:

[telemetry_source_type]
#Internal
pulldown_type = true
#Meta data
category = Structured
description = JSON based source Type for Telemetry events
disabled = false
#We can change these
ANNOTATE_PUNCT = false
BREAK_ONLY_BEFORE_DATE = false
DATETIME_CONFIG = NONE
KV_MODE = json
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N
TIME_PREFIX = "TimeStamp":"
TRUNCATE = 4194304
TZ = GMT
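The post above turns on one question: can a timestamp whose fractional part is sometimes 5, sometimes 6 and sometimes 7 digits be parsed consistently, and how far does the indexed _time drift from it? When _time falls back to ingest time, every event behind a queue lands at the wrong point on an incident timeline, so this is worth checking outside Splunk as well. The script below is an added example, not code from the post: it parses the poster's TimeStamp values with a tolerant pattern (1 to 9 fractional digits, trailing Z), shows the edge case that a fixed-width parser such as Python's own %f cannot handle a 7-digit fraction, and reproduces the poster's drift column. The _time values in the sample are assumptions chosen so the computed diff matches the poster's table; the JSON events are trimmed copies of the posted _raw line.

```python
"""Parse ISO-8601 UTC timestamps with a variable number of fractional digits
and compute drift between the event's own TimeStamp and Splunk's _time.

Added example, not code from the original post. SAMPLE is constructed from
the poster's table; its _time values are assumptions that reproduce the
poster's diff column.
"""
import json
import re
from datetime import datetime, timezone

# Date/time plus an optional fraction of 1..9 digits, always ending in Z.
_TS_RE = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,9}))?Z$"
)


def parse_utc_timestamp(value: str) -> float:
    """Return epoch seconds for an ISO-8601 UTC string.

    datetime.strptime's %f accepts at most six digits, so a seven-digit
    fraction such as .5663643 (.NET 100 ns ticks) fails outright. The fraction
    is therefore split off, normalised to nine digits (right-padded or
    truncated) and added back as a float.
    """
    m = _TS_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base = datetime.strptime(m.group("base"), "%Y-%m-%dT%H:%M:%S")
    base = base.replace(tzinfo=timezone.utc)      # the trailing Z means UTC
    frac = (m.group("frac") or "").ljust(9, "0")[:9]
    return base.timestamp() + int(frac) / 1_000_000_000


def drift_seconds(raw_event: str, splunk_time: float) -> float:
    """TimeStamp minus _time, the same quantity as the poster's eval diff."""
    ts = json.loads(raw_event)["TimeStamp"]
    return parse_utc_timestamp(ts) - splunk_time


# Constructed sample: TimeStamp values with 7, 6 and 5 fractional digits taken
# from the poster's table; the paired _time (epoch) is an assumption.
SAMPLE = [
    ('{"TimeStamp":"2020-05-08T16:04:04.5663643Z","Level":"Debug"}', 1588953850.324),
    ('{"TimeStamp":"2020-05-08T15:54:17.715911Z","Level":"Debug"}', 1588953257.723),
    ('{"TimeStamp":"2020-05-08T16:01:34.75197Z","Level":"Debug"}', 1588953694.754),
]


def find_late_events(threshold: float = 1.0):
    """Events whose _time lags their TimeStamp by more than `threshold` seconds.

    Returns a list of (TimeStamp, drift rounded to milliseconds).
    """
    late = []
    for raw, t in SAMPLE:
        d = drift_seconds(raw, t)
        if d < -threshold:
            late.append((json.loads(raw)["TimeStamp"], round(d, 3)))
    return late


if __name__ == "__main__":
    for raw, t in SAMPLE:
        print(json.loads(raw)["TimeStamp"], round(drift_seconds(raw, t), 3))
    print("late:", find_late_events())
```

Run it against a CSV export of the poster's search (TimeStamp and _time columns) instead of SAMPLE to get the same drift report for a whole day of events; any row with a drift of several seconds is one where _time was not taken from TimeStamp.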
Hello All, I have a situation where I need to figure out a creative solution before sending out a specific alert but am having a hard time. Problem: Security needs to know when McAfee mail logs "status" shows as "Emailed Deferred". Currently they get the alert based on the cron schedule set for the alert and it works. However, it can appear as a false positive, as sometimes they'll get this alert, log in to the email system just to see that the status is no longer deferred (it sent out). How do I bake logic into this alert where Splunk won't send out an alert unless the status has been that way over x amount of time? It's like the logic would need to look at each email, check the timestamp of each event, and if the status switches to Email Deferred, monitor that email/host for x amount of time in case there's an email sent event within your set time period. So the idea is that if an email is Deferred, perhaps monitor that email (by subject) for 10 minutes. If an "email sent" event is found for that same subject within 10 minutes, do not send the alert. But if no "email sent" event is found, then send the alert as normal after those 10 minutes have expired.

index=mcafee sourcetype=Meg status="Emailed Deferred"
| stats values(_time) as Time values(sender) as Sender values(dest) as Destination values(status) as Status by host
| sort -Time
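The suppression rule the poster describes is a small piece of stateful detection logic: key on host and subject, remember when a message was first seen deferred, clear that state when a delivery event arrives, and alert only on deferrals still open after the grace window. The function below is an added example, not the poster's search or McAfee output, showing that logic over a handful of constructed events; the status value "Email Sent" for the delivery event, the host names and the subjects are assumptions, and the field names follow the poster's search. The same shape maps onto a Splunk search that groups by host and subject and compares the earliest deferred time with the latest sent time.

```python
"""Alert on "Emailed Deferred" only when no later delivery event for the same
host and subject arrives within a grace window.

Added example, not the poster's search. Field names (_time, host, subject,
status, sender, dest) follow the poster's search; the "Email Sent" status
value and every event in SAMPLE_EVENTS are constructed assumptions.
"""

DEFERRED = "Emailed Deferred"
SENT = "Email Sent"            # assumed status of the delivery event
GRACE_SECONDS = 10 * 60        # the poster's 10-minute window

BASE = 1588953600.0            # 2020-05-08T16:00:00Z, epoch for the sample

# Constructed sample events, deliberately out of order to show sorting matters.
SAMPLE_EVENTS = [
    {"_time": BASE + 300, "host": "mailgw01", "subject": "Invoice 4412",
     "status": SENT, "sender": "ap@example.com", "dest": "vendor@example.net"},
    {"_time": BASE, "host": "mailgw01", "subject": "Invoice 4412",
     "status": DEFERRED, "sender": "ap@example.com", "dest": "vendor@example.net"},
    {"_time": BASE + 5, "host": "mailgw01", "subject": "Quarterly report",
     "status": DEFERRED, "sender": "fin@example.com", "dest": "board@example.com"},
    {"_time": BASE + 600, "host": "mailgw02", "subject": "Password reset",
     "status": DEFERRED, "sender": "it@example.com", "dest": "user@example.com"},
    {"_time": BASE + 100, "host": "mailgw02", "subject": "Newsletter",
     "status": SENT, "sender": "mkt@example.com", "dest": "list@example.com"},
    # Invoice 4412 is deferred a second time after it was delivered once.
    {"_time": BASE + 320, "host": "mailgw01", "subject": "Invoice 4412",
     "status": DEFERRED, "sender": "ap@example.com", "dest": "vendor@example.net"},
]


def pending_deferrals(events, now, grace=GRACE_SECONDS):
    """Return sorted (host, subject, first_deferred_time) for every message
    that has been deferred for at least `grace` seconds with no later
    delivery event.

    `now` is passed in rather than read from the clock so the check is
    deterministic and can be run over exported events.
    """
    open_deferrals = {}                      # (host, subject) -> first deferred _time
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["host"], ev["subject"])
        if ev["status"] == DEFERRED:
            open_deferrals.setdefault(key, ev["_time"])   # keep the earliest
        elif ev["status"] == SENT:
            open_deferrals.pop(key, None)    # delivered: deferral resolved
    return sorted(
        (host, subject, t0)
        for (host, subject), t0 in open_deferrals.items()
        if now - t0 >= grace
    )


def demo():
    """Evaluate the sample 15 minutes after BASE."""
    return pending_deferrals(SAMPLE_EVENTS, now=BASE + 900)


if __name__ == "__main__":
    for host, subject, t0 in demo():
        print(f"ALERT host={host} subject={subject!r} deferred_since={t0}")
```

At BASE + 900 only "Quarterly report" fires: "Invoice 4412" was delivered and its second deferral is still inside the window, "Password reset" was deferred too recently, and the "Newsletter" delivery had no deferral to resolve. Schedule the equivalent search to run at least as often as the grace window so an open deferral is not missed between runs.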
Hello all, Right now I have started to use Splunk, and I have so many doubts. When I GET the data via REST API, I get a lot of data, and well, I finally found out how to create fields and other things. How do I make Splunk get only new data and not collect old data, to avoid duplicate data?
Hi Experts, I have an event like the one below generated by my application.

{
  "index": "exp_prod",
  "host": "myhost.com",
  "source": "app.logs",
  "sourcetype": "_json",
  "event": [
    {
      "Sender": "AZSB",
      "Status": "COMPLETED",
      "ApplicationMessageType": "utility",
      "CustomStatus": "COMPLETED",
      "ApplicationMessageId": "",
      "MessageGuid": "AF61XzlbeOSc7c1yBkfQ-dTqo8VI",
      "LogStart": "2020-05-08T13:31:37.053",
      "Receiver": "JMS",
      "CorrelationId": "AF61Xzm4KCX0sO8q3PGewmmlZqem",
      "LogEnd": "2020-05-08T13:31:37.063"
    },
    {
      "Sender": "AZSB",
      "Status": "COMPLETED",
      "ApplicationMessageType": "Article",
      "CustomStatus": "NA",
      "ApplicationMessageId": "180730",
      "MessageGuid": "AF61Xzkb-vFb_xEgpfQw1mgNbPc5",
      "LogStart": "2020-05-08T13:31:37.046",
      "Receiver": "JMS",
      "CorrelationId": "AF61XzkvcPiugQGqmXc6LrN3GQ42",
      "LogEnd": "2020-05-08T13:31:37.063"
    }
  ]
}

Now when I send this event to Splunk Cloud using HEC, it creates two events, but the timestamp of the event is the current timestamp. However, I want the event timestamp to be populated from LogStart. How do I achieve this? I tried a custom source type like below, but the result is the same. Please assist.
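The HEC JSON endpoint carries the event time in the envelope's own `time` field (epoch seconds, decimals allowed), alongside `index`, `host`, `source` and `sourcetype`; when that field is absent the collector stamps the event with the time it received it, which is what the post describes. The script below is an added example, not code from the post: on the sending side it breaks the batched payload above into one envelope per element, copies the metadata, and sets `time` from each element's LogStart, so the index time does not depend on when the batch was delivered. The LogStart strings carry no offset, so the script assumes UTC; the collector URL and token in the request builder are placeholders.

```python
"""Re-shape a batched application payload into per-event HEC envelopes whose
`time` field comes from LogStart.

Added example, not code from the original post. SAMPLE_PAYLOAD is the
poster's payload (trimmed); the UTC interpretation of LogStart, the HEC URL
and the token are assumptions.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Constructed from the poster's payload, with fields trimmed for brevity.
SAMPLE_PAYLOAD = {
    "index": "exp_prod",
    "host": "myhost.com",
    "source": "app.logs",
    "sourcetype": "_json",
    "event": [
        {"Sender": "AZSB", "Status": "COMPLETED", "ApplicationMessageId": "",
         "MessageGuid": "AF61XzlbeOSc7c1yBkfQ-dTqo8VI",
         "LogStart": "2020-05-08T13:31:37.053", "LogEnd": "2020-05-08T13:31:37.063"},
        {"Sender": "AZSB", "Status": "COMPLETED", "ApplicationMessageId": "180730",
         "MessageGuid": "AF61Xzkb-vFb_xEgpfQw1mgNbPc5",
         "LogStart": "2020-05-08T13:31:37.046", "LogEnd": "2020-05-08T13:31:37.063"},
    ],
}

METADATA_KEYS = ("index", "host", "source", "sourcetype")


def logstart_to_epoch(value: str) -> float:
    """Epoch seconds for a LogStart string such as 2020-05-08T13:31:37.053.

    fromisoformat accepts 3- or 6-digit fractions. The strings carry no
    offset, so UTC is assumed (an assumption about the application).
    """
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def split_batch(payload: dict) -> list:
    """One HEC envelope per element of payload["event"], metadata copied and
    `time` taken from the element's LogStart."""
    envelopes = []
    for item in payload["event"]:
        env = {k: payload[k] for k in METADATA_KEYS if k in payload}
        env["time"] = round(logstart_to_epoch(item["LogStart"]), 3)
        env["event"] = item
        envelopes.append(env)
    return envelopes


def hec_body(payload: dict) -> str:
    """HEC accepts several JSON objects concatenated in a single POST body."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in split_batch(payload))


def build_request(collector_url: str, token: str, payload: dict) -> urllib.request.Request:
    """POST to /services/collector/event with the Splunk token scheme.
    Only builds the request; nothing is sent here."""
    return urllib.request.Request(
        collector_url,
        data=hec_body(payload).encode("utf-8"),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    # Placeholder endpoint and token; replace with your own to actually send.
    req = build_request("https://splunk.example.com:8088/services/collector/event",
                        "00000000-0000-0000-0000-000000000000", SAMPLE_PAYLOAD)
    print(req.data.decode())
```

If the application cannot be changed, the same transformation can sit on a heavy forwarder or a small relay in front of the collector; either way the check is the same as in the post: search the sourcetype, compare _time with LogStart, and confirm they now agree.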
When running a search for syslogs within 7 days, Splunk is returning some logs that are months old. The timestamp is correct in the event description (Linux day, month, time) but the Splunk timestamp indicates the logs were within the 7-day search parameters. Other results within the same search are correctly returned; there doesn't seem to be any pattern.