Greetings Splunkers, I'm attempting to create a dashboard panel that creates a count of "Roles" by Role_Names; however, I need to exclude specific field values from a dynamic field labeled "Roles" based on the Role_Name. For example, if I have Role_Name=Security AND Roles=A, B, C, D, I want to exclude all those "Roles" for that specific "Role_Name" and return a count value of "0". However, today, the "Roles" for Role_Name=Security can equal A, B, C, & D but next week it might equal A, B, & F; in this case, I'd want to still exclude A & B but count F. Additionally, Roles can be associated with other Role_Names so I can't just exclude them from the search altogether. I know there's a way to accomplish this, I just can't recall it. Any assistance is greatly appreciated.
I have some building occupancy data generated from our wireless network that is logged as one record per floor of each building every 5 minutes. I'm now trying to export a spreadsheet to another user who has requested a 15 minute resolution of this data. I believe I'm looking for a WHERE clause where the minutes of _time for the event fall within a set of ranges. The data isn't aligned to the clock very well so the first record could be in minute 0 to minute 5, so second would need to be 10-15, etc. But my skill level with using these functions is falling short here.
Hi all, I'm new in Splunk and I would like to know if it's possible to get the values set in a visualization option. For example, in a Single Value visualization I set the color and range in the option panel, and I see these values in the XML as follows:

<option name="rangeColors">["0x53a051","0xf8be34","0xdc4e41","0xdc4e41"]</option>
<option name="rangeValues">[95,100,120]</option>

Is it possible to get the values in the arrays so I can use them in a token somewhere else in my dashboard? Thanks
I've searched and tried what I can find online and nothing is returning, so I thought I'd try here: I need to return the 45 or so values that are in my csv lookup, but NOT in my firewall index. One of the issues I ran into was I had to transform the index values to be able to match the string from the csv (hence all the rex). Thoughts are welcome - thank you!!

index=gcp_firewall
| rename data.jsonPayload.rule_details.reference as FW
| search FW = "network:prod*"
| rex field=FW "network:prod-a/firewall:(?.*)"
| rex field=FW "network:prod-b/firewall:(?.*)"
| rex field=FW "network:prod-c/firewall:(?.*)"
| rex field=FW "network:prod-d/firewall:(?.*)"
| rex field=FW "network:prod-e/firewall:(?.*)"
| lookup firewall-exception-prod.csv firewall_rule as fw OUTPUT firewall_rule as fw
| dedup fw
| table fw
I'm trying to identify arrangements in one data source that do not exist in another data source. One of the sources has multiple indexes, but I assume this should not cause a problem. I'm trying to use the NOT clause instead of a JOIN clause. The query returns values in both sources; any ideas?

index=A
| RENAME AR_ID as arrangementId
| dedup arrangementId
| fields arrangementId NOT [search index=B OR index=C OR index=D | dedup arrangementId | return 10000 arrangementId ]
| table arrangementId
I'm currently running the query (changed to a dog-themed query) where I want to join two logs together by the dog's name and end up getting the dog's id:

search "something within logs" | join dog_name_field [search "Dogs Name: "] | table "dog_id"

I want another column in the table, which is a subset of the results of the above search, where I get a true or false on whether or not that id belongs to a Golden Retriever. To get the ids for the golden retrievers, I can do something like:

search "something within logs" | join dog_name_field [search "Dogs Name: " AND "Golden Retriever"] | table "dog_id"

How do I get the ids of all the dogs and have another column saying whether or not that dog is a golden retriever efficiently?
Hi all, I'm having trouble getting O365 UserAgent data to show up in a search. Currently, my search looks like:

sourcetype="o365:management:activity" OR sourcetype="ms:o365:management" Workload=AzureActiveDirectory Operation=UserLoggedIn
| dedup user
| iplocation ActorIpAddress
| table user, City, Region, UserAgent, ActorIpAddress, _time
| rename ActorIpAddress AS IP
| search NOT Region=Pennsylvania
| sort -_time

I've tried a few different methods of getting UserAgent data into the table view but haven't had any luck. The data is in the event log, I just can't seem to extract it. Any suggestions would be greatly appreciated!
I looked over your git_stateful_snapshot.sh script, and it doesn't look like it does any sort of upload (like git push) to Git. It does everything else, like add the files, etc. How was it intended to be run? Thanks
I am wanting to kick off a playbook when the container owner value changes from NULL to not NULL. So far I have created a playbook which will trigger on events with an assigned label and check if the container owner value has been populated (NOT NULL). If this condition is met, it will trigger off a sub-playbook. If the condition is not met (i.e. the container owner value is NULL), the no op Phantom API action is run to sleep for 60 seconds. I would like to insert a custom function after the no op sleep() to loop back to the first step of checking the container owner value. Can someone assist with this?
How can I go about preventing the offset messages from being indexed in a Splunk Cloud environment? Do I need them?
So I have a list of 11 applications and I want all the user IDs and the number of login attempts for each user over a specified period of time. But I only want the application name to show once. So the report would look something like:

AppNameTitle    User ID      Login Attempts
AppName1        User ID1     10
                User ID 2    19
                User ID 3    25

Right now my report looks like:

AppNameTitle    User ID      Login Attempts
AppName1        User ID1     10
AppName1        User ID 2    19
AppName1        User ID 3    25

My main search terms are:

| stats count(USER_ID) as count, values(USER_ID) as USER_ID by APPLICATION_NAME

Any advice? Thanks.
I am trying to generate a report using the following command but it is not showing any result. I just want to make sure whether everything is right in the code or not, as I was learning Splunk from Pluralsight.

source="airbnb.csv" index="airbnb" "Review Scores Rating"<70 neighbourhood_group="*" | top limit=5 neighbourhood_group
Hi, I have 3 different instances that are totally separate.

First one is Standalone
Single SH Enterprise server
Indexer Clustering Enterprise Servers

In this 3rd instance, I want to create a kind of Distributed Search to get 2 separate data/search results from the first and second instances. Which architecture and configuration is the best to collect data from a mix of architectures? Distributed Search? Any API? curl? etc... Thanks
Hi, my goal is to detect if there are any matches with my custom Domain_IOC.csv list and display an additional column for the note. The Domain_IOC.csv list includes two columns, Domain and ioc_note (example picture attached of lookup table). I want the output, if there were matches with domain, to include the ioc_note column as well. Current query I have (which provides me the matches with domain but doesn't include the ioc_note column):

index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv |fields Domain]
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats values(Domain) as IOC by Date,host,Account,IP,Action

For your kind support.
I'm searching through several long blocks of free text (from a csv file uploaded into Splunk) and I'm interested in the last entry in each long block of text (each entry is time stamped), so in my search expression I am using this code at the moment:

rex max_match=0 field=Paragraph "(?ms)(?<timestamp>\d{2}\.\d{2}\.\d{4}\s\S+\sUTC)\s(?<msg>.+?)(?=\d{2}|$)"
| eval lastTimestamp=mvindex(timestamp,-1), lastMsg=mvindex(msg,-1)

However, using that code, I'm finding that the field 'lastMsg' does not contain the full text of the last entry but rather stops after it reaches a closing parenthesis ")" present in every entry (the one at the end of the username - see the format/example below).

The format of each entry is:

dd.mm.yyyy hh:mm:ss UTC <first name of mechanic> <surname of mechanic> (<username of the mechanic, which is a bunch of letters followed by 1 or 2 numbers between 0 and 9>) <any amount of characters with no limit, including new lines, bullet chars copied from Word, multiple spaces, it's a free text field so it can be anything>

And there can be 1 or more of those in each block of text I'm searching through. Also note that the symbols "<" and ">" are not part of the format, I just used them there to specify the different sections of each entry.

Example of a long block of text I'm sifting through:

25.12.2019 07:24:06 UTC Andrew Nelson (anelson1) Initial text entry. Please look at this machine asap.
25.12.2019 09:50:52 UTC Amanda Nelson (anelson78) Should this be cancelled? I ask as there's no additional information found
26.12.2019 05:55:51 UTC Andrew Nelson (anelson1) No issues from this machine today this can be cancelled

So using the search expression above with that example I get:

lastMsg = 26.12.2019 05:55:51 UTC Andrew Nelson (anelson1)

Where I need it to be:

26.12.2019 05:55:51 UTC Andrew Nelson (anelson1) No issues from this machine today this can be cancelled

Hope that makes some sense... can someone please help?
Splunk 8.0.2.1. We have deployed a search head cluster and are experiencing an issue where Admin users of a specific App have intermittent issues where they cannot view the Settings > Data > Source Types menu. This issue is random in its occurrence. Their role allows them to edit sourcetypes for their App. Some days they will log on and can edit, and on others the option is missing.
I have 4 pie charts in a row, and because of this, people who are using small-screen laptops find it difficult to read the pie chart information. There is blank white space in the pie chart panel which I think can be utilized to increase the size of the pie chart image. I am using Simple XML and want to implement this change in it. Does anyone have any idea how to do it?
Data is not flowing continuously from forwarder to indexer. Please suggest what are possible ways of troubleshooting.
MY SPL

(index=* source="/var/log/authlog" "sudo" AND ("tar -x*f" OR "pkg install" OR "pkg uninstall")) OR (index=* source="/var/log/authlog" "Accepted" "ssh*")
| regex _raw!= ".which."
| regex _raw!= ".man."
| regex _raw!= ".user NOT in sudoers."
| rex field=_raw ".(?<=])\s(?P[[:alnum:]]\S*[[:alnum:]])\s*(?=:).(?<=COMMAND=)(?P.)"
| rex field=_raw ".(?<=for)\s(?P[[:alnum:]]\S*[[:alnum:]])(?=\sfrom).(?<=from)\s(?[[:digit:]]+.[[:digit:]]+.[[:digit:]]+.[[:digit:]]+)(?=\sport)"
| eval "Command/Events" = replace(command,"^(\/usr\/bin\/|\/usr\/sbin\/)","")
| eval Time = case(match(_raw,".sudo.*COMMAND."),strftime(_time, "%Y-%d-%m %H:%M:%S"))
| eval Date=strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-028"
| stats values(Time) as Time list("Command/Events") as "Command/Events" values(ip_address) as ip by Users host index Date "Report ID"
| where Time !=""

Result...

Row 1: b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:50:17, pkg uninstall vsftpd, (10.54.32.2,10.54.32.32) Ip address as multivalue field
Row 2: b_wayne, s11, storage_b, 2020-30-04, ABLR-028, 2020-30-04 14:54:49, pkg uninstall rsyslog, (10.54.32.2,10.54.32.32) Ip address as multivalue field
Have tried to set up HTTPEventCollector via CLI using the Splunk documentation link: https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/UseHECfromtheCLI

Commands I have executed are as below:

/opt/splunk/bin/splunk http-event-collector create sdapp01 -uri https://localhost:8089 -description "this is a new token" -disabled 1
/opt/splunk/bin/splunk http-event-collector enable -name sdapp01 -uri https://localhost:8089 -auth admin:changeme
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http
splunk http-event-collector send -uri https://localhost:8089 -token 206f9ca0-24bd-48fd-95e8-dfdcaa17657a {"this is some data"}
curl -k https://localhost:8089/services/collector -H 'Authorization: Splunk 206f9ca0-24bd-48fd-95e8-dfdcaa17657a' -d '{"sourcetype": "demo", "event":"Hello, world!"}'

While sending data I am getting the error below:

<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN">call not properly authenticated</msg>
</messages>
</response>

Config details are as mentioned below:

local/inputs.conf
[http://sdapp01]
disabled = 0
token = 206f9ca0-24bd-48fd-95e8-dfdcaa17657a

default/inputs.conf
[http]
disabled=1
port=8088
enableSSL=1
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0
# ssl settings are similar to mgmt server
sslVersions=*,-ssl2
allowSslCompression=true
allowSslRenegotiation=true

Not sure what I have missed. The token is enabled, not expired. Have tried creating multiple tokens but am stuck with the same issue. Can someone please help.