Find Answers
I am trying to create an alert which will check how many messages are stuck in the queue and what the age of the messages is. The problem is that the field for checking the number of messages and the age of messages is the same, i.e. metric_dimensions. Can someone guide me on how we can join these two fields with the same name but different values?
Hi, we have Splunk Enterprise and recently migrated from LDAP to SAML. We started observing that non-admin users can't see the owner list in the filter drop-down. A related issue is that the URL below is not able to filter the saved searches by owner:
https://splunk..com/en-US/manager/search/saved/searches?app=search&count=10&offset=0&itemType=&owner=
Is it a known bug? Any input and suggestion is most welcome to explain why that is happening only to the non-admin users. Note: users with the admin role can correctly see the owner list and can filter successfully.
Greetings!!! I need your help on how I can resolve the below issues I got from message status.

1st issue: Health Check: Intelligence download of "Phishtank" has failed on host "Splunksh01" at: Fri Apr 17 12:46:36 2020 "threat list download failed after multiple retries"

2nd issue: Getting a Warning that says: File Integrity checks found 1 files that did not match the system-provided manifest. Review the list of problems reported by the installedFieldHashChecker in Splunkd.log File integrity Check view. When I click on the warning icon in the Splunk GUI, I get this message:
(yellow Warning icon) splunkd Data Forwarding Splunk-2-Splunk Forwarding
(yellow Warning icon) TCPOutAutoLB-0

Kindly help me with the above issues and how I can solve them. Thank you in advance!!!
When ingesting Guardicore logs into Splunk, multiple events are being combined into a single event. The date marks the beginning of a new event and I want to separate each event.

Sample Logs:
Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: xxxxx-xxxxx-xxxx-1xxx-1xxxxxxxxxxxxx Affected Agents: xxxxxxxxxx(ip: xx:x:xx:xxx, component_id: None) Message: Agent installation of ‘xxxxxxxxxxx’ was successful
Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: Management Affected Agents: xxxxxxxxx (ip: None, component_id: xxxxxxxxxx-xxxxx) Message: Agent was removed upon expiry
Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: Management Affected Agents:xxxxxxxxx (ip: xxxxxxxxxx, component_id: None),cccccccccccxxxxxxx (ip: xx:xx:xx:xxxx, component_id: None)Message: Received network event with unknown xxxxxx
Apr 17 15:06:32 xx.xxx.xx.xxx New agent log

Expected outcome:
Event 1: Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: xxxxx-xxxxx-xxxx-1xxx-1xxxxxxxxxxxxx Affected Agents: xxxxxxxxxx(ip: xx:x:xx:xxx, component_id: None) Message: Agent installation of ‘xxxxxxxxxxx’ was successful
Event 2: Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: Management Affected Agents: xxxxxxxxx (ip: None, component_id: xxxxxxxxxx-xxxxx) Message: Agent was removed upon expiry
Event 3: Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: Management Affected Agents:xxxxxxxxx (ip: xxxxxxxxxx, component_id: None),cccccccccccxxxxxxx (ip: xx:xx:xx:xxxx, component_id: None)Message: Received network event with unknown xxxxxx
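A way to check the event-breaking anchor before committing it to props.conf, as an added example that is not part of the post above: the script splits a constructed blob (the post's lines run together, with its redacted values) before every syslog-style timestamp, which is the same anchor one would give BREAK_ONLY_BEFORE for the sourcetype, and then pulls Origin, Affected Agents and Message out of each piece. The sample blob and the field regex are assumptions; the trailing "New agent log" fragment in the post becomes a fourth, header-only event, exactly as it would in Splunk.

```python
import re

# An event starts with a syslog-style timestamp, then the host and "New agent log".
# The same anchor, as ^(?:Jan|...|Dec)\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s, is what one
# would put in BREAK_ONLY_BEFORE (with SHOULD_LINEMERGE = true) in props.conf.
MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
EVENT_START = re.compile(r"(?=" + MONTHS + r"\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s)")

# Header plus the three "Key: value" sections seen in the post; the section part is
# optional so a header-only fragment still parses.
EVENT_RE = re.compile(
    r"^(?P<ts>" + MONTHS + r"\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+New agent log"
    r"(?:\s+Origin:\s*(?P<origin>.*?)\s*Affected Agents:\s*(?P<agents>.*?)\s*Message:\s*(?P<message>.*))?$",
    re.S,
)

# Constructed sample: the post's lines merged into one blob, values redacted as in the post.
SAMPLE = (
    "Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: xxxxx-xxxxx-xxxx-1xxx-1xxxxxxxxxxxxx "
    "Affected Agents: xxxxxxxxxx(ip: xx:x:xx:xxx, component_id: None) "
    "Message: Agent installation of 'xxxxxxxxxxx' was successful "
    "Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: Management "
    "Affected Agents: xxxxxxxxx (ip: None, component_id: xxxxxxxxxx-xxxxx) "
    "Message: Agent was removed upon expiry "
    "Apr 17 15:06:32 xx.xxx.xx.xxx New agent log Origin: Management "
    "Affected Agents:xxxxxxxxx (ip: xxxxxxxxxx, component_id: None),cccccccccccxxxxxxx (ip: xx:xx:xx:xxxx, component_id: None)"
    "Message: Received network event with unknown xxxxxx "
    "Apr 17 15:06:32 xx.xxx.xx.xxx New agent log"
)


def split_events(blob):
    """Cut the blob before every timestamp; an empty leading piece is dropped."""
    return [piece.strip() for piece in EVENT_START.split(blob) if piece.strip()]


def parse_event(event):
    """Return ts/host plus origin/agents/message (None for a header-only fragment),
    or None if the piece is not in the expected layout at all."""
    m = EVENT_RE.match(event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(parse_event(ev))
```

The regex is deliberately anchored on month, day and time together rather than on the bare word "Apr", so an address or message body containing a month name does not start a new event.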
I have logs which are structured like such: "There are no delimiters between blocks since they are always 8-bytes wide. The first byte following ^E describes the field. Then the URI is terminated by a ^E, and every field begins with a letter". In addition to that, the log entries are URL encoded and also contain key/value pairs which are separated with "=". Writing a props.conf entry for this is proving to be difficult. Any suggestions?

Edit: Here's an example of an entry:
0afd165b5e8a6ea9000003e800000002/lite_klonk_ws/results_app_install?dp=kochava&ai=1189345596&mi=7270C021-C7E5-4F60-BF2F-C023815F8081&ar=validated_claim&arid=de632e12-7797-11ea-be9a-008cfa5b3d60-7fc7b21bb700\x{05}x0afd165b\x{05}Z4cc04\x{05}AB38975\x{01}A10.253.22.91\x{01}C10.253.22.91\x{01}D38975\x{01}E10.215.175.36\x{01}F4080\x{05}wapi.attribution.example.net\x{05}gApache-HttpClient/4.5.5 (Java/1.8.0_242)\x{05}Kapplication/json\x{05}mPOST
0ad2de265e8a6ea900000fa000000196/lite_klonk_ws/app-install?ai=sniper.honor.real3d.shooter.assassin.free.android&mi=da172421-d9bb-4bd0-9a96-fb203358c0cb&dp=adjust&id=a196563a53482b8b989229405cd97171-1586130599704&it=1586130599000&ua=an%3Dsniper.honor.real3d.shooter.assassin.free.android%3Bav%3D1.7.1%3Bon%3Dandroid%3Bov%3D9%3Bdo%3DGalaxyJ6&ip=130.193.195.36\x{05}x0ad2de26\x{05}Z4cc04\x{05}AB60156\x{01}A10.210.222.38\x{01}C10.210.222.38\x{01}D60156\x{01}E10.215.175.36\x{01}F4080\x{05}wapi.attribution.example.net\x{05}gYHC/1.0\x{05}Kapplication/json\x{05}mGET
0ad4f0325e8a6ea900000fa00000019c/lite_klonk_ws/in-app?a=8&.yp=10096341&dp=adjust&ai=deezer.android.app&mi=b3e39498-4cbc-4c51-ac40-a04e818233c6&js=no&ec=&ea=ActivatedApp&gv=0&gc=USD&id=efcd439004ca20026334173cfbdec4c9-1586130600022&et=1584361977000&ir=&ua=an%3Ddeezer.android.app%3Bav%3D6.1.21.66%3Bon%3Dandroid%3Bov%3D10%3Bdo%3DGalaxyS10%252B&ip=86.201.55.19\x{05}x0ad4f032\x{05}Z4cc04\x{05}AB42355\x{01}A10.212.240.50\x{01}C10.212.240.50\x{01}D42355\x{01}E10.215.175.36\x{01}F4080\x{05}wapi.attribution.example.net\x{05}gApache-HttpClient/4.5.5 (Java/1.8.0_242)\x{05}Kapplication/json\x{05}mGET
0ad2de265e8a6ea9000017700000016b/lite_klonk_ws/app-install?ai=530168168&mi=8AA4C40D-3D1E-4C66-A6AC-DCDCC8CB75D0&dp=kochava&id=0405235001YGZW3EM4GV751679890&it=1586130586000&ua=Mozilla%2F5.0+%28iPad%3B+CPU+OS+13_3_1+like+Mac+OS+X%29+AppleWebKit%2F605.1.15+%28KHTML%2C+like+Gecko%29+Mobile%2F15E148&ip=73.28.254.14\x{05}x0ad2de26\x{05}Z4cc04\x{05}AB60156\x{01}A10.210.222.38\x{01}C10.210.222.38\x{01}D60156\x{01}E10.215.175.36\x{01}F4080\x{05}wapi.attribution.example.net\x{05}gYHC/1.0\x{05}Kapplication/json\x{05}mGET
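A parser for the record layout described in the post, as an added example and not code from the post or from Splunk: it splits on the ^E byte (shown as \x{05} above, a literal "\x05" here), keys each block on the letter that follows the delimiter, splits a block's ^A-separated sub-fields the same way, decodes the URL-encoded query string including the nested `an=...;av=...` pairs inside `ua`, and breaks the leading 32 hex characters into the four fixed-width 8-character blocks. The sample record is constructed after the post's entries with made-up identifiers and addresses; the letters are kept as keys rather than given names, and the reading of the second header block as a Unix timestamp is an assumption (for the post's own records it decodes to a time within seconds of the `it=` parameter).

```python
import re
from urllib.parse import parse_qs, urlsplit

BLOCK_SEP = "\x05"   # ^E: starts a new block; the next byte is the field letter
SUB_SEP = "\x01"     # ^A: separates sub-fields inside a block; each also starts with a letter

# Four 8-hex-character blocks precede the URI with no delimiter (fixed width), then the URI.
HEADER_RE = re.compile(r"^([0-9a-f]{8})([0-9a-f]{8})([0-9a-f]{8})([0-9a-f]{8})(/.*)$", re.S)

# Constructed sample in the post's layout; app, ids and addresses are made up.
SAMPLE = (
    "0ad2de265e8a6ea900000fa000000196/lite_klonk_ws/app-install"
    "?ai=com.example.app&mi=da172421-d9bb-4bd0-9a96-fb203358c0cb&dp=adjust"
    "&id=a196563a53482b8b989229405cd97171-1586130599704&it=1586130599000&ec="
    "&ua=an%3Dcom.example.app%3Bav%3D1.7.1%3Bon%3Dandroid%3Bov%3D9%3Bdo%3DGalaxyJ6"
    "&ip=192.0.2.10"
    "\x05x0ad2de26\x05Z4cc04"
    "\x05AB60156\x01A10.210.222.38\x01C10.210.222.38\x01D60156\x01E10.215.175.36\x01F4080"
    "\x05wapi.attribution.example.net\x05gYHC/1.0\x05Kapplication/json\x05mGET"
)


def _parse_nested(value):
    """The ua= parameter carries a second level of key=value pairs joined by ';'
    (visible as %3D / %3B before decoding). Anything else is returned unchanged."""
    pairs = value.split(";")
    if len(pairs) > 1 and all("=" in p for p in pairs):
        return dict(p.split("=", 1) for p in pairs)
    return value


def parse_record(rec):
    head, *blocks = rec.split(BLOCK_SEP)
    m = HEADER_RE.match(head)
    if not m:
        raise ValueError("record does not start with a 32-hex header")
    *hdr, uri = m.groups()
    url = urlsplit(uri)
    # parse_qs percent-decodes values; keep_blank_values keeps "ec=" style keys.
    query = {k: (v[0] if len(v) == 1 else v)
             for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if "ua" in query:
        query["ua"] = _parse_nested(query["ua"])
    fields = {}
    for blk in blocks:
        if not blk:
            continue
        letter, rest = blk[0], blk[1:]
        subs = rest.split(SUB_SEP)
        # A block with ^A inside is a group of lettered sub-fields (the "A" block here).
        fields[letter] = rest if len(subs) == 1 else {s[0]: s[1:] for s in subs if s}
    return {
        "header": hdr,                                 # the four fixed-width blocks, as text
        "header_ints": [int(h, 16) for h in hdr],      # block 2 looks like a Unix time (assumption)
        "path": url.path,
        "query": query,
        "fields": fields,
    }


if __name__ == "__main__":
    print(parse_record(SAMPLE))
```

Note that the first header block reappears as the `x` field, which gives a cheap consistency check per record, and that `parse_qs` already undoes the `+` and `%xx` encoding, so no separate decode pass is needed before extracting the key/value pairs.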
Hello, I want to change the field "other(n)" in a pie chart within the search results, not in a dashboard panel. Instead of other(n) with n being the number of events, I want OTHERS nn%, where nn% is a percentage of the whole, just like all the other chart values. Thanks and God bless, Genesius
The app is shown on Splunkbase as supporting Splunk Enterprise 8.0, however it doesn't seem to work due to missing libraries in python3:
ERROR ModularInputs - <stderr> Introspecting scheme=citrix_netscaler: File "/opt/splunk/etc/apps/Splunk_TA_citrix-netscaler/bin/ta_util2/job_scheduler.py", line 7, in <module>
ERROR ModularInputs - <stderr> Introspecting scheme=citrix_netscaler: import Queue
ERROR ModularInputs - <stderr> Introspecting scheme=citrix_netscaler: ModuleNotFoundError: No module named 'Queue'
ERROR ModularInputs - Introspecting scheme=citrix_netscaler: script running failed (exited with code 1).
ERROR ModularInputs - Unable to initialize modular input "citrix_netscaler" defined in the app "Splunk_TA_citrix-netscaler": Introspecting scheme=citrix_netscaler: script running failed (exited with code 1)..
Does this app support Python 3-enabled Splunk 8?
Hello, I was reviewing a previous Splunk Answer (https://answers.splunk.com/answers/447037/how-to-edit-my-search-to-trigger-when-an-account-i.html) that has a great answer, but it seems the SPL has an error in it that was never corrected and the Splunk user who answered it is no longer active. I've tried to play with it to solve the error, but I'm not sure what in the stats command is causing the error despite the message presented (below).

The Error: Error in 'stats' command: The eval expression for dynamic field 'eval(if(lockout="Yes"), _time null())' is invalid. Error='The operator at ', _time null()' is invalid.'.

sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=644 OR EventCode=4625 OR EventCode=4771) user="admin*"
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740,"Yes","No")
| stats latest(eval(if(lockout=="Yes", _time, null()))) as time, latest(src_nt_host) as host, latest(lockout) as lockedout, values(dest_nt_domain) as dest_nt_domain, count(eval(EventCode==4625 OR EventCode==4771)) as count, values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"

Any assistance would be wonderful. Thank you.
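The aggregation that stats clause expresses, run over constructed Windows Security events, as an added example that is neither the original answer's code nor anything from Splunk: per user matching `admin*` it keeps the time of the latest lockout (EventCode 4740 or 644), the latest coalesced source host, the lockout flag of the newest event, the domains seen, the number of failed logons (4625/4771) and the set of source addresses. The event dictionaries use the field names the search refers to; the sample events, the `render` helper and its fixed time format (in place of `strftime("%c")`) are assumptions.

```python
from datetime import datetime, timezone

LOCKOUT_CODES = {644, 4740}    # account locked out (legacy and current event IDs)
FAILURE_CODES = {4625, 4771}   # failed logon / Kerberos pre-authentication failed

# Constructed events with the field names used by the search above.
EVENTS = [
    {"_time": "2020-04-17T12:01:05Z", "EventCode": 4625, "user": "admin_jdoe", "host": "dc01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.5.23"},
    {"_time": "2020-04-17T12:01:09Z", "EventCode": 4771, "user": "admin_jdoe", "host": "dc01",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.5.23"},
    {"_time": "2020-04-17T12:01:12Z", "EventCode": 4625, "user": "admin_jdoe", "host": "dc02",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.5.99"},
    {"_time": "2020-04-17T12:01:20Z", "EventCode": 4740, "user": "admin_jdoe", "host": "dc01",
     "src_nt_host": "WS-0451", "dest_nt_domain": "CORP"},
    {"_time": "2020-04-17T12:05:00Z", "EventCode": 4625, "user": "admin_svc", "host": "dc02",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.7.7"},
    {"_time": "2020-04-17T12:06:00Z", "EventCode": 4625, "user": "jsmith", "host": "dc02",
     "dest_nt_domain": "CORP", "Source_Network_Address": "10.0.9.1"},
]


def to_epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def summarize(events, user_prefix="admin"):
    """One row per matching user, mirroring the stats clause."""
    rows = {}
    # latest() takes the value from the most recent event, so walk in time order.
    for ev in sorted(events, key=lambda e: to_epoch(e["_time"])):
        user = ev.get("user", "")
        code = int(ev["EventCode"])
        if not user.startswith(user_prefix) or code not in LOCKOUT_CODES | FAILURE_CODES:
            continue                                   # user="admin*" and the EventCode filter
        row = rows.setdefault(user, {"time": None, "host": None, "lockedout": "No",
                                     "dest_nt_domain": set(), "count": 0,
                                     "Source_Network_Address": set()})
        is_lockout = code in LOCKOUT_CODES
        if is_lockout:
            row["time"] = to_epoch(ev["_time"])        # latest(eval(if(lockout=="Yes", _time, null())))
        row["host"] = ev.get("src_nt_host") or ev.get("host")   # latest(coalesce(src_nt_host, host))
        row["lockedout"] = "Yes" if is_lockout else "No"        # latest(lockout): newest event's value
        if "dest_nt_domain" in ev:
            row["dest_nt_domain"].add(ev["dest_nt_domain"])     # values(dest_nt_domain)
        if code in FAILURE_CODES:
            row["count"] += 1                                   # count(eval(EventCode==4625 OR ...))
        if ev.get("Source_Network_Address"):
            row["Source_Network_Address"].add(ev["Source_Network_Address"])
    return rows


def render(rows):
    """Flatten to the columns of the final table; time formatted in a fixed layout."""
    out = []
    for user, r in rows.items():
        t = r["time"]
        out.append({
            "dest_nt_domain": sorted(r["dest_nt_domain"]),
            "User Name": user,
            "host": r["host"],
            "lockedout": r["lockedout"],
            "time": datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S") if t else None,
            "IP Address": sorted(r["Source_Network_Address"]),
            "Number of Failures": r["count"],
        })
    return out


if __name__ == "__main__":
    for line in render(summarize(EVENTS)):
        print(line)
```

One property of the search worth knowing before alerting on it: `latest(lockout)` is "Yes" only when the newest event for the user is the lockout itself; a failed logon arriving after the 4740 flips the column back to "No" while the lockout time column still holds the lockout. The Python keeps that behaviour so it matches the search rather than silently improving on it.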
We have installed the Splunk Add-on for Oracle Database on the Universal Forwarder that is running on our database server. The database is sending the audit log to .xml files. We have set up inputs.conf to monitor the audit log directory. The events are being sent to the correct index; I can see them in a search. However, the events are still not being parsed correctly. Are there any other configurations I need to do on the universal forwarder to get the events parsed correctly? Is there anything we need to do to get this working? We cannot use DBConnect to grab the logs due to legacy database issues. Thanks in advance.
Hello, I want to transmit all logs to Splunk's SIEM. Therefore, there are some questions.

Q1. In our network system, Splunk's Forwarder will be used as an agent for log transmission. I'm wondering what kind of log can be sent to SIEM for each forwarder (Universal, Light and Heavy).

Q2. The Windows event logs as well as process variable logs are stored on our workstation.
- Process variable logs
Time | Variable | Status
00:00:00 | 99 | On-line
00:00:01 | 89 | On-line
......
01:01:03 | 76 | Off-line
Can these logs be analyzed in Splunk's SIEM? If possible, can they be sent to SIEM through Splunk's forwarder? Thanks,
How can I compare CSV file test.csv with one column, let's name the column "DNS", to index=myindex with field name "host"? Preferably I'd like to output the results in a pie chart where the indexed data is the total and I can do a diff against the test.csv DNS column.
I built a regular expression to extract fields from a log file. However, after extracting I am not able to display the extracted fields in table format. The regular expression seems to be working online. https://regex101.com/r/ZcYOhG/2 I want to display the extracted fields in a table format. Can someone help me?
Hi, I have a Windows Server collecting WinEventLogs from a number of Windows host endpoints. I was told the server was a WEC (Windows Event Collector); unfortunately I don't have access to it. The UF is installed and has the following inputs.conf, however I am not receiving the ForwardedEvents. Is this inputs.conf correct for collecting the Forwarded Events? Any advice on troubleshooting is appreciated. Thank you!

[WinEventLog://Application]
disabled=0
index = <idx_name>

[WinEventLog://Security]
disabled=0
index = <idx_name>

[WinEventLog://System]
disabled=0
index = <idx_name>

[WinEventLog://ForwardedEvents]
disabled=0
index = <idx_name>
We have enabled Password Policy Management and need to know how the expiration alert will come if we have set 15 days as the value for the expiration alert and 90 days for password expiration for the local accounts. Does it come as a message on the UI? Will it notify every local account user? How do the warnings come? We just have the process defined under https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/Configurepasswords
I have created a scripted input and deployed it from the deployment server to the universal forwarder, but it's giving me the following error:
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/tmdb/bin/tmdb.sh" curl: (77) Problem with the SSL CA cert (path? access rights?)
I gave all permissions to these files and folders, but was unable to resolve the issue:
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pempwd
/etc/pki/CA/certs
/etc/pki/CA/cri
I have my clusters on GCP (Google Cloud Platform). Could someone please help me to resolve this?
Is there any internal logs on datamodels that could help me get better insight into their performance? Specifically I want to know their percent completion at any given time.
Hi, I am installing an App and filling out the required information under Asset Info and Asset Settings. Under Asset Settings, I enter the correct username and API key that I get from the vendor portal. However, when I save the configuration, I get a message that pops up (right corner) that reads 'Missing required fields secrect,key'. I do not see any other required fields. Does anyone know what the error means or is referencing? Splunk Phantom version 4.5.15922. The App is a 3rd party vendor app.
I'm new to Splunk and just installed the Splunk Add-on for Unix and Linux. We have 2 identical processes running, both named processA. I ran a search for "last 30 seconds":
sourcetype="ps" processA | stats count
This gives the event count (1), which I don't want. How do I modify the search so that it gives the search count which is the number of processes, in this case 2? I checked many samples which use rex, which doesn't work for me. Thanks in advance!
Is there a way to reverse query IP addresses in Splunk Cloud? If so how? Please share the documentation.
While setting up the Workday Add-On I started running into a certificate error when the app attempts to connect to the Workday REST API:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)
Has anyone else successfully set this up and know if that is an issue with my server configuration, the app, or something on the Workday side?