Can someone help me with setting up a search that could pull version information from a Windows Defender event 1151 log? I have the TA for Windows Defender app installed and I believe that the data is being parsed correctly. I am fairly new in getting started with Splunk and have been unable to determine what type of search syntax does what I want it to do.
I have two multivalue fields that are obtained from a JSON object. One field has Name, one field has (numeric) Value. I'd like to sort based on the NUMERIC values of the Value field, not lexicographical order, and table the name and value fields by highest numeric value first. Is there a way to do this in Splunk?
I just added a time picker to one of my dashboards. One of the panels in this dashboard is showing "new" vulnerabilities, which is looking at any vulnerability where the "first_found" field is within a certain time range. Previously, I just wanted to see anything first_found within the last 30 days, so I used the below query. But now that I've added a time picker, I'm trying to find out how I can use the range selected in the time picker in my search. So my search would be looking at anything first_found between the dates selected in my time picker. Any help would be much appreciated, thank you!

| eval n=relative_time(now(),"-30d@d") | eval n=strftime(n,"%Y-%m-%dT%H:%M:%S.%QZ") | search first_found < n |

So to clarify, I need to use the time picker token in my search string, so that I am seeing events where the "first_found" field (which is a date) is within the date range specified by the time picker.
Here is my attempt to create a new field eval in datamodels (no results): Here is the same data, just not using the datamodel:
I'm trying to figure out how to do a conditional rex statement that looks at a Windows file path and determines if the last segment of the path has a "."; if so, it creates a field called extension, but if it doesn't end with an extension, it creates a field called directory and puts the full value (with spaces) of the last directory in the segment. Is there a way to do a conditional statement like this with rex?
Hi all, one splunkd indexer is failing while the other indexers are running. I'm also getting a TCPOutAutoLB-0 error. How can I fix these issues? Thank you in advance.
Good afternoon. In this panel, I want to remove the decimal precision in the single value while keeping it in the trending value. How can I do this?
I did the installation as suggested on the installation page (https://docs.splunk.com/Documentation/SplunkLight/7.3.5/Installation/InstallonMacOSX), but when I launch the GUI it throws this error:

File "/Applications/Splunk/lib/python3.7/site-packages/splunk/clilib/cli.py", line 24, in import splunk.clilib.cli_common as comm
ModuleNotFoundError: No module named 'splunk'
I would like to change some of the formatting of a Statistics Table in a dashboard, specifically the following: header row background, alternate row backgrounds, and text colour. I have found a number of articles that talk about changing rows or cells based on values in the table, but that's not what I want. I just need to manipulate the CSS (I guess) so that I can apply our 'house style' to the tables. I would like to apply different colour schemes to different tables in the same dashboard. I am running Splunk Enterprise 8.0.2. Is this possible?
We are receiving the error below in our environment after deploying the Splunk Add-on for Microsoft Windows:

ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '$windir\system32\dns\dns.log'

The target systems are running Windows Server 2012 R2 Standard, and the universal forwarder is running as the local system account. Splunk component versions: Splunk Enterprise 8.0.1, Splunk Universal Forwarder 7.3.4, Splunk Add-on for Microsoft Windows 7.0.0. Any guidance on troubleshooting this would be greatly appreciated.
Meta Woot doesn't appear to show metrics indexes. Can you tell me what I need to adjust to fix that in the app?
Our search head crashed, saying:

Apr 23 09:00:35 kernel: Out of memory: Kill process 2137 (splunkd) score 162 or sacrifice child

Two instances of the TA-check-point-app-for-splunk ran: one for 21 minutes consuming 21 GB of memory and the other for 11 minutes, consuming 11 GB. How can we put safeguards in place to prevent it?
Hi everyone, this is my first time here. I'm currently trying to set a limit that queries can use in my environment and I've successfully set a global config in limits.conf. But how can I make an exception to this config? Say I want to allow a single app to use more memory because it really needs it. Where should I put this exception? Inside a limits.conf in app/default? I couldn't find anything related to that in the doc for limits.conf. Many thanks in advance.
Is it possible to restore a deleted lookup table and its related lookup definition / automatic lookup?
Hi all, I've got an issue whereby my license expired on my test server: I reinstalled it and added the wrong instance to the license master, so the license expired on my test server. I've re-added it and that has removed the license warning from the license master, but I'm still unable to run searches on the server itself. Is there anything I can do to kick it back into life? I can confirm that it's been added to the licensed pool and the license master can see the data coming in (it's only doing a few MB a day), but when I try to run any searches I get the license expired message. I can see in the licensing section that it's connected to the license master. I can also see search is disabled through the features:

features {'RcvData': 'ENABLED', 'MultisiteClustering': 'ENABLED', 'Alerting': 'ENABLED', 'SyslogOutputProcessor': 'ENABLED', 'MultifactorAuth': 'ENABLED', 'UnisiteClustering': 'ENABLED', 'AdvancedXML': 'ENABLED', 'AllowDuplicateKeys': 'DISABLED_DUE_TO_LICENSE', 'RcvSearch': 'ENABLED', 'HideQuotaWarnings': 'DISABLED_DUE_TO_LICENSE', 'LDAPAuth': 'ENABLED', 'DistSearch': 'ENABLED', 'SigningProcessor': 'ENABLED', 'ScheduledSearch': 'ENABLED', 'NontableLookups': 'ENABLED', 'ScriptedAuth': 'ENABLED', 'SearchheadPooling': 'ENABLED', 'DeployServer': 'ENABLED', 'FederatedSearch': 'DISABLED_DUE_TO_LICENSE', 'DisableQuotaEnforcement': 'DISABLED_DUE_TO_LICENSE', 'DeployClient': 'ENABLED', 'ScheduledReports': 'ENABLED', 'ArchiveToHdfs': 'ENABLED', 'ResetWarnings': 'DISABLED_DUE_TO_LICENSE', 'FederatedSearchPremium': 'DISABLED_DUE_TO_LICENSE', 'SubgroupId': 'DISABLED_DUE_TO_LICENSE', 'Acceleration': 'ENABLED', 'AdvancedSearchCommands': 'ENABLED', 'SplunkWeb': 'ENABLED', 'KVStore': 'ENABLED', 'CustomRoles': 'ENABLED', 'FwdData': 'ENABLED', 'DataFabricSearch': 'DISABLED_DUE_TO_LICENSE', 'GuestPass': 'ENABLED', 'SAMLAuth': 'ENABLED', 'Auth': 'ENABLED', 'LocalSearch': 'DISABLED_DUE_TO_VIOLATION', 'ScheduledAlerts': 'ENABLED', 'AWSMarketplace': 'DISABLED_DUE_TO_LICENSE', 'RollingWindowAlerts': 'ENABLED'}

How do I get it to allow me to search my data again? Thanks! Best regards, Alex
Hi, I am trying to get the number of hits of users for every 3 minutes, and I am able to generate the chart with the below command.

index=jira source="/opt/access_log.2020-04-23" host="xyz" | bucket _time span=3m | chart count over user by _time

This generated the table, but when viewing the events, the events are showing only for a particular time and not the time span. E.g. it's showing events for 12:00, but I need 12:00 to 12:03. Can anyone tell me what I am doing wrong?
Hi Team, how do I display the output of two queries as a single output? Please help.

index = * sourcetype=test earliest=@d latest=now | eventstats count as INSTANCES | dedup Microservices | eventstats count as APP | dedup Space | eventstats count as SPACE | dedup Org | eventstats count as ORG | table ORG SPACE APP INSTANCES | head 1

index = * sourcetype=test earliest=@d latest=now | table Instance_state | rename Instance_state as status | stats count(eval(status="running")) AS Running, count(eval(status="down")) AS Down, count(eval(status="crashed")) AS Crashed

Expected output:

ORG  SPACE  APP  INSTANCES  Running  Down  Crashed
3    37     386  820        627      103   90
Good day. I did not find the answer to my question, so I made a new topic. My device sends data from an IDS in JSON format. I get this data in Splunk. The data is presented below in the screenshot. I try to search on various data, but it doesn't work. I see that the search is successful, but I don't see the fields I need. In the "questions and answers" section, I found a recommendation to change the value of the "KV_MODE" field, but this did not help. Please tell me what I'm doing wrong and what I need to pay attention to. The data has the following structure:

Apr 22 18:09:26 172.20.8.2 Apr 22 18:09:54 vpnfw dmutmd[1505]: { "source": "IDS", "message": { "alert": { "action":"allowed", "category":"A Network Trojan was detected", "gid":1, "metadata": { "affected_product":["Windows_XP_Vista_7_8_10_Server_32_64_Bit"], "attack_target":["Client_Endpoint"], "created_at":["2015_03_13"], "deployment":["Perimeter"], "former_category":["ADWARE_PUP"], "group_tss":["2"], "malware_family":["Loadmoney"], "performance_impact":["Low"], "priority":["1"], "signature_severity":["Minor"], "tag":["Loadmoney"], "updated_at":["2019_10_07"] }, "rev":8, "severity":1, "signature":"ET MALWARE Loadmoney User Agent", "signature_id":2024249 }, "app_proto":"http", "dest_ip":"5.9.80.173", "dest_port":80, "event_type":"alert" } }

I'm doing a search with the following query and get a result:

IDS | spath path=message.alert.category
Hi all, I'm confused about strptime. My goal search is this (this is a sample; I have a month field, I get a token in my dashboard and do this search):

|makeresults |eval test=strptime("$token$", "%Y-%m") |where month>strftime(relative_time(test, "-2mon"), "%Y-%m") AND month<="$token$"

I did this search, but test has no result.

|makeresults |eval test=strptime("2020-02", "%Y-%m") |where month>strftime(relative_time(test, "-2mon"), "%Y-%m") AND month<="2020-02"

How do I change the time? Am I using strptime wrongly? Thank you for helping. (This is an easy question, I know, but today I am stumbling on this problem for some reason.)
When I deployed a user role checker app, I noticed that all the customized apps in the Splunk environment got replaced with the user role checker app. Can anyone help with resolving this issue?