All Topics

I've downloaded the Sankey Visualisation with the goal of mapping Windows 4688 Events in a way that gives a sort of "process tree" for parent and child processes. This works fine for small volumes of data, but is unusable when it comes to a busy workstation. I started looking at filtering: ideally you'd be able to specify the process name, like "cmd.exe", and see all related parent and child processes for processes with that process name; however, that implicitly excludes anything that doesn't have that process name, meaning you lose all parent and child processes that aren't also called "cmd.exe". The only way I can see around this is to exclude by PID. This is a painful process at the best of times, as you've got to go through the diagram and write down each individual PID to exclude before it removes enough events to be able to view in sufficient detail. Not to mention it's literally impossible if your starting point is a diagram as above. Can anyone see a way around this? The logic would be "where process name = "blah", map out all child processes recursively". That doesn't seem to be possible here.

The search syntax I've been using (including process exclusion):

index=wineventlog host=TEST EventCode=4688 NOT ProcessID IN (18104,1176,4468,9924)
| eval parent=ProcessID." - ".ParentProcessName
| eval child=NewProcessID." - ".NewProcessName
| stats count(ProcessID) by parent child

Producing events like this, which are mapped in the Sankey Diagram:

10028 - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe    8596 - C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe    1
10052 - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    10256 - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    1
Hi Experts, I am trying to use "Chameleon IBM DataStage App for Splunk" to monitor my IBM DataStage jobs and log related information. I have installed the app on Splunk Enterprise, but there's no information on the add-on or the inputs.conf that needs to be configured on the Splunk UF side so that the right data will be indexed on my indexer and the dashboards will work. This information is missing on the app page on Splunkbase. Currently, it just shows no data everywhere. If anyone is using it, please share the configuration information that will help forward the relevant data. Regards, Sarvan
Hi, I have this query:

index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https://quest.com/user/unauth*" earliest=-15m@m latest=now
| dedup qid
| eval "Error"=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")"
| stats count by "Error"

What I am looking for is that it should count the occurrences of either URL or referer, dedup the qid as some qid values are common in both, and then give me a result like:

7-name:Impacted-/user/unauth 100

But stats is not working in this case for me, probably because eval is not used correctly. Can someone help?
I have a stats query that I would like to fire only when a new value for a field comes in. I have my alert set up like this: I can run the search in the alert and I see values, but the alert does not fire. What do I have set up wrong?
Hi, I have process logs like this:

event1: {"snapshot":[{"name":"systemd"},{"name":"gvfsd-trash"},{"name":"gvfsd-metadata"},{"name":"qterminal"},{"name":"bash"},{"name":"systemd-journal"},{"name":"systemd-udevd"},],"action":"snapshot"}
event2: {"snapshot":[{"name":"systemd"},{"name":"gvfsd-trash"},{"name":"bash"},{"name":"systemd-journal"},{"name":"systemd-udevd"},],"action":"snapshot"}

How do I run stats on all name values except "systemd*" processes? The output should be: "gvfsd-trash", "gvfsd-metadata", "qterminal", "bash". Thanks.
I'm trying to write a query that searches for a user's ID, shows what buildings they have accessed and who else has accessed the building in the last 60 minutes. I've got the first two parts working but I'm struggling to implement the time portion of the query. I've scoured the doco, tried evals and transactions, but I'm missing something and just can't narrow my search down any further. It just keeps returning all the results in the time range I specified (24hrs).

index=security sourcetype="sec:doorlogs" [search Who="Person A" AND Status="Success" | fields Status Location _time ]
| table Location Status Who _time
| sort -_time

This produces the following:

Location    Status   Who        _time
Building A  Success  Person 6   2020-03-19T17:30:42.000+1000
Building A  Success  Person 5   2020-03-19T15:57:01.000+1000
Building A  Success  Person 4   2020-03-19T15:38:09.000+1000
Building A  Success  Person 3   2020-03-19T13:49:59.000+1000
Building B  Success  Person 2   2020-03-19T12:48:22.000+1000
Building A  Success  Person A   2020-03-19T12:50:08.000+1000**
Building B  Success  Person 2   2020-03-19T12:38:45.000+1000
Building A  Success  Person 7   2020-03-19T12:36:57.000+1000
Building B  Success  Person 8   2020-03-19T11:50:56.000+1000
Building B  Success  Person A   2020-03-19T11:39:05.000+1000**
Building A  Success  Person 9   2020-03-19T10:39:02.000+1000
Building A  Success  Person 10  2020-03-19T09:30:55.000+1000
Building A  Success  Person 1   2020-03-19T08:38:35.000+1000

I'm trying to achieve:

Location    Status   Who        _time
Building A  Success  Person 3   2020-03-19T13:49:59.000+1000
Building A  Success  Person A   2020-03-19T12:50:08.000+1000**
Building A  Success  Person 7   2020-03-19T12:36:57.000+1000
Building B  Success  Person 8   2020-03-19T11:50:56.000+1000
Building B  Success  Person A   2020-03-19T11:39:05.000+1000**
Hello community! New to AppD and Windows here; I just started at a new company and have a DB Agent problem. I am encountering an issue or two with running multiple DB Agents on a single Windows server. I am trying to install the service with the installservice.vbs script, but I can't get it to change the name of the service, which would allow me to run multiple instances of the DB Agent. Also, in order to run multiple instances of the DB Agent, do I have to have a copy of the install files in a different location for each instance that I run? Thanks, WM
One item in particular that I'm seeing is that the aws:cloudtrail sourcetype is not extracting fields as it does for other aws-related sourcetypes (e.g. aws:description). This also appears to only occur on our SHC, not on our standalone search head, which does show the field extractions as expected. Both search head environments are using the same TA content (sourced from our Git repository), so the only difference is that the standalone search head is using the deployment server to get the TA while the search head cluster is getting the TA via the deployer. I will attach screenshots of both environments as well as the correctly parsed aws:description data to demonstrate the issue.
I am trying to convert a date/time into 24-hour format using strptime. Here's the example:

OpenedAt = 5/4/2019 9:04:46 PM

I convert it to epoch using the following statement:

eval new_time=strptime(OpenedAt,"%m/%d/%Y %H:%M:%S %p")

When I test it again, it still doesn't show in 24-hour format:

eval new_time2=strftime(new_time,"%m/%d/%Y %T")
05/04/2019 09:04:46
Is anyone able to pull logs using Splunk Connect for Zoom? I have installed the app and configured it as per the documentation, and I have also created a webhook-only app in Zoom and subscribed the events for the Splunk endpoint, but I still cannot see anything in my index. Please let me know if it is working for you.
Hello Everyone, I'm assuming this has come up before, but for the life of me I cannot find the answer. I am trying to get the value of a field into the triggered alert name. I am using the search below to find out if any sourcetypes haven't reported between 24 and 48 hours.

| metadata type=sourcetypes
| eval age = now() - lastTime
| eval days = age / 86400
| where age >= 86400 and age < (86400*2)

The above search returns a table and one of the columns is sourcetype. I'd like to take the value of that cell (Source A) and place it into the alert name when it fires. Example: Source Type (Source A) has not reported in over 24 hours. I have tried $result.sourcetype$, but this only works in emails. I would like this to show up in the notable as well. If I'm not at all clear or not looking at this issue correctly, please let me know.
Hi, I'm using the app OKTA Identity Cloud, deployed on the indexer, which has built-in field extractions for the sourcetype OktaIM2:log. I am seeing those fields when I am running a query on the indexer. But when the same query is run on the search head, I am seeing fewer field extractions, especially the ones in the advanced section. Attached is the screenshot of the advanced settings of the sourcetype. Why is this happening? I have not faced this issue before.
I am getting the following data from a stats command. How would I translate this into a timechart? When I do try to add a timechart after manipulating a second date field into _time, I get no more data. The stats command gives me the data I need; I just need help formatting it day over day with VulnID totals broken down by Category.

Have tried:

| timechart span=1d dc(VulnID) by Category

The output is blank for this timechart.

Stats command:

| stats dc(VulnID) by Category _time

Category  _time       dc(VulnID)
Critical  2020-04-14  53
High      2020-04-07  424
High      2020-04-08  4
High      2020-04-09  34
High      2020-04-13  138
High      2020-04-14  4427
High      2020-04-15  719
High      2020-04-16  5416
High      2020-04-22  6
Low       2020-04-06  1
Low       2020-04-07  926
Low       2020-04-08  2
Low       2020-04-09  11
Low       2020-04-13  3364
Low       2020-04-14  89049
Low       2020-04-15  443
I have event logs with a % in them and I want to break them apart and show them on their own. My event log looks like this:

Tue May 5 12:55:01 PDT 2020
/dev/sde2 9460988 7233068 1751044 81% /Volumes/Media 2
/dev/sdc1 13245631 12470714 107304 100% /Volumes/Media

I'd like to turn it into this: but with it showing the %'s as a total out of 100% (so 100% used and 81% used).
Hi all, I am trying to use the boundaries of the time range picker in my dashboard to calculate a value in my search query. Let me explain my situation: I am calculating on/off durations for different pieces of equipment. I receive messages when there is a change in state, so each row in the table is a change of state. To calculate the duration I use delta on time to get the difference in time. See a results table example below: Search time range: 11:00 am - 1:00 pm, _time is in descending order by equipment. Where I run into an issue is when the equipment changes. A delta between the last fan event and the first heater event would generate a duration that does not make sense. This is where the time range picker range comes in. I want the duration for the highlighted event to be the time of the event to the latest boundary of the time range picker. Like below:

| eval duration = if(equipchange=NO, duration, $time_token.latest$ - duration)

I'm not sure if this is possible since I have not been able to get it to work. Any suggestions would be greatly appreciated! Let me know if I can offer more clarification.
I have a list of URLs in my website that are critical. So, I have marked all those URLs with a tag::critical using an eventtype. However, I am unable to use the tag field to filter data within the datamodel. So, I want to set up a field called content_priority that should have the value "critical" if the event has a critical tag, else set the field value to "normal". I have configured a calculated field with the following eval expression:

if(tag=critical,"critical","normal")

However, it does not seem to work at all. So, I am stuck with it now. Any guidance would be much appreciated.
Is there any way to find out that my sourcetype is reading props? Does it have any logs to check what props my sourcetype is leveraging?
I can see multiple critical violations regarding "Code Deadlock" (JVM Deadlock Detected). Please explain what it actually means. Is it affecting any kind of application? How do I remove this violation? Best Regards, Sania.
Is there a way to utilize Azure Tags for serverclasses so Splunk knows what deployment-apps need to be pushed out to the server? Thanks for any advice.
Hello there, I'm new to Splunk, and I have set up an alert that returns some fields including the _raw field. The thing is that the _raw field is too big; I'm wondering if there is a way to return maybe the top two or three rows of it.