We have multiple IIS web servers that all host multiple sites. Each site's logs are saved to the default location of: C:\inetpub\logs\LogFiles\W3SVC*\*.log

This is the stanza I use on each server:

[monitor://C:\inetpub\logs\LogFiles*\*.log]
disabled = 0
sourcetype = iisw3c
index = iis

The odd thing is, depending on the day and time, I might see logs from W3SVC2 but nothing on W3SVC1 or 2. Then on another server I might see W3SVC2 and 3 but not 1. It just seems random which logs it will pull from on any given server on any given day. I checked a couple of the servers to make sure logs were getting generated even though Splunk was not showing any ingested, and they were. Am I missing something here, like needing to make a stanza per website or something like that?
I have a deployment with SHC and IDC (3 indexers), when I took down an indexer, all SHs would only see 2 search peers. I know that I could check from indexer cluster master that there are 2 running indexers while the other is down. Is there an easy way to get the same information (mostly GUID, hostname and URI) from SHs?
Hello, I am currently tracking a total count of VPN users. I want to track the total over a timechart to see when the high and low parts are throughout the day. Below I have provided the search I am using to get the total VPN count. Could you please assist in editing the search to show it in a timechart with the total count for each hour?

index=cisco_asa Cisco_ASA_user=*
| transaction fields=Cisco_ASA_user maxspan=12h30m connected=f startswith="*connection established*"
| search eventtype!=cisco_vpn_end
| dedup user
| stats count by Cisco_ASA_user
| eventstats sum(count) as totalCount
| rename totalCount as "Total Count"
| table "Total Count"

Thanks,
Cooper J
The FS-ISAC Threat Intelligence STIX TAXII feed has been enabled in our environment. We received all IOCs from 4/2 but did not receive any on 4/3 or 4/9. I am trying to determine what happened on those days. I believe we are getting the files, but I can't tell if there's an issue with parsing or somewhere else.

The download log shows:

2020-04-13 09:12:41,658+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:314 | status="Retrieved document from TAXII feed" stanza="FS-ISAC" collection="system.Default"
2020-04-13 09:12:41,113+0000 INFO pid=21356 tid=MainThread file=init.py:_poll_taxii_11:60 | Auth Type: AUTH_CERT_BASIC
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:download_taxii:289 | status="TAXII feed polling starting" stanza="FS-ISAC"
2020-04-13 09:12:40,981+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:435 | status="retrieved_checkpoint_data" stanza="FS-ISAC" last_run="1586725961.53"
2020-04-13 09:12:40,877+0000 INFO pid=21356 tid=MainThread file=threatlist.py:run:421 | status="continuing" msg="Processing stanza" name="threatlist://FS-ISAC"

The intel manager shows:

2020-04-13 15:04:17,057+0000 INFO pid=269178 tid=MainThread file=stix_parser.py:preprocess:178 | status="Finished parsing STIX documents" filename="/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/FS-ISAC_TAXII_system.Default_2020-04-09T16-57-49.076713.xml" success="323" failed="0"

So it looks like they were successful, but I do not see them in IP_intel, File_intel, etc. Where else can I look to see any issues, or what else can I do? Any help is greatly appreciated.
Hi, I have data that contains Session IDs labeled as (SES) and User IDs labeled as (ABC). When I look at the events, I am seeing the variations below. The RegEx should grab anything that is 14 digits followed by 0 or more groups of dash/hyphen with 9 digits or dash/hyphen with 0 digits. I need a RegEx that extracts the SES and ABC into separate fields from the variations below.

Formats seen:
SES
SES-ABC
SES—ABC
SES—ABC-
SES-ABC-ABC

Sample data:
1234567-123456789---
1234567-1234567890-123456789--
12345678-123456789--A12345678-123456789
123456789
12345678900000
12345ac4-1234-1a12-9as9-1aa111as23aa
12345678900000-123456789
12345678900000-123456789-1234567890

Thanks in advance
Hello, I'm thinking this is real simple, but I have been digging in the weeds for so long I am unable to see the simple answer.

Field Names: File, Method
Field Values:
File - A, B, C
Method - Success, Fail

Counting the number of events by File/Method combination. Searching for File(s) where the count of Fail is greater than the count of Success.

| stats count(status) AS numEvents BY file, statusMsg
| sort numEvents
| stats list(statusMsg) AS "HTTP Method", list(numEvents) AS "Events by Method", sum(numEvents) AS sumEvents BY file
| rename file AS "File Name", sumEvents AS "Events by File"
| sort -"Events by File"
...

This is a file we don't want in our results:
badNum.doc
  500 Internal Server Error  12
  200 Success                149

This is a file we do want in our results:
UPDATE_NEW.doc
  200 Success                116
  500 Internal Server Error  475

Thanks and God bless,
Genesius
I have a field called "bunit" and I need to filter on results that either have a null value OR a value that contains "servers". I need to use a wildcard with "servers" because all the results are different; I just need to see anything that contains "servers" in it. Adding where isnull(bunit) to the end of my search gives me all of the null results, but how do I add the part where I look for any result with "servers" as a value (using a wildcard)? So I want it to show both any field with a null value and any field that contains "servers" in it. Thank you!
Has anyone found a way to send an email for an ES notable based on severity level? So the exact use case is: EDR events will generate an ES notable in Incident Review. These notable events will have different severity levels based on multiple variables that make up the event. We want to have one rule, an ES notable for each event, but only send an email if the severity is Critical or High; no need for an email if the severity is Low. We have only been able to accomplish this with two correlation rules. Any ideas are appreciated.
Hi, I want to search for multiple keywords in the field, and each needs to be highlighted in the dashboard with a different color. I have managed to search for one keyword at a time. Can anyone help me do this? I have placed the JS in the static folder of the app.

XML code:

<form script="highlightToken.js">
  <label>Highlight_text</label>
  <fieldset>
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-5m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="highlightToken" searchWhenChanged="true">
      <label>Search Word</label>
      <default>splunk*</default>
      <initialValue>searchword</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$highlightToken$</title>
      <table id="highlightTable1">
        <search id="highlightSearch1">
          <query>index=_internal | stats count by sourcetype</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table id="highlightTable2">
        <search id="highlightSearch2">
          <query>index=_internal | stats count by sourcetype | head 5</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="highlightTable3">
        <search id="highlightSearch3">
          <query>index=_internal | stats count by sourcetype | head 5</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table id="highlightTable4">
        <search id="highlightSearch4">
          <query>index=_internal sourcetype="splunkd" | stats count by sourcetype | head 5</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="highlightTable5">
        <search id="highlightSearch5">
          <query>index=_internal | stats count by sourcetype | head 5</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Javascript:

require([
  "underscore",
  "jquery",
  "splunkjs/mvc",
  "splunkjs/mvc/searchmanager",
  "splunkjs/mvc/tableview",
  "splunkjs/mvc/simplexml/ready!"
], function (_, $, mvc, SearchManager, TableView) {
  var defaultTokenModel = mvc.Components.get("default");
  // var strHighlightText = ""
  var strHighlightText = defaultTokenModel.get("highlightToken");

  // Custom renderer: wraps every match of the highlight token in each cell
  var customCellRenderer = TableView.BaseCellRenderer.extend({
    canRender: function (cell) {
      return cell.field !== "_time";
    },
    render: function ($td, cell) {
      // Coerce to string: numeric cells (e.g. count) have no .replace()
      var strText = String(cell.value);
      if (strHighlightText !== "*" && strHighlightText !== "") {
        var regEx = new RegExp(strHighlightText, "gi");
        // $& is the matched text; replace each match with its highlighted form
        strText = strText.replace(regEx, '$&');
      }
      $td.addClass('string').html(_.template(strText));
    }
  });

  // Re-run every search and attach the renderer to every table on the page
  function highlightTable() {
    var maxCount = 6;
    for (var i = 0; i < maxCount; i++) {
      var tableItem = mvc.Components.get("highlightTable" + i);
      if (typeof (strHighlightText) !== "undefined" && typeof (tableItem) !== "undefined") {
        var search = mvc.Components.get("highlightSearch" + i);
        if (search !== undefined) {
          console.log("highlightSearch:", i);
          search.startSearch();
        }
        console.log("highlightToken:", strHighlightText, " tableId:", i);
        tableItem.getVisualization(function (tableView) {
          tableView.addCellRenderer(new customCellRenderer());
        });
      }
    }
  }

  // Re-highlight whenever the token changes (ignore the unset "$value$" placeholder)
  defaultTokenModel.on("change:highlightToken", function (model, value, options) {
    if (typeof (value) !== "undefined" && value !== "$value$") {
      strHighlightText = value;
      highlightTable();
    }
  });

  highlightTable();
});
Hey all, I am really struggling to create a parser for a specific section of the Windows-TerminalServices-Gateway/Operational event log. Everything I have added to props & transforms appears to be correct, and I can get the sections I want to parse via SPL, but whenever I add it to the sourcetype and refresh, nothing changes.

inputs.conf on the Windows 2016 Server:

[WinEventLog://Microsoft-Windows-TerminalServices-Gateway/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = windows

[WinEventLog://Microsoft-Windows-TerminalServices-Gateway/Admin]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = windows

props.conf on search head:

[XmlWinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational]
rename = XmlWinEventLog

[XmlWinEventLog:Microsoft-Windows-TerminalServices-Gateway/Admin]
rename = XmlWinEventLog

[xmlwineventlog]
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data,userdata_xml_kv,userdata_xml_attributes

[XmlWinEventLog]
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data,userdata_xml_kv,userdata_xml_attributes

transforms.conf on search head:

[userdata_xml_kv]
# Extracts anything in the form of <tag>value</tag> as tag::value
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1

[userdata_xml_attributes]
# Extracts values from following fields:
# EventInfo: xmlns
SOURCE_KEY = UserData_Xml
REGEX = (?ms)([^\s=]+)\s*=\s*(\'[^<\']*\'|"[^<"]*")
FORMAT = $1::$2
MV_ADD = 1
Hello everyone. I'm new to Splunk and I have one search which is taking a bit longer than others. Is there any suggestion on how to improve this search?

index=mydatasource_* (sourcetype=x_connections OR sourcetype=x_collectors) engine="engine" Src_SubnetName="vpn"
| eval src=if(isnull(src), name, src)
| eval Dates=_time
| eval Src_SubnetName=Src_Sitename
| convert timeformat="%Y-%m-%d" ctime(Dates)
| stats dc(src) by src, Src_SubnetName, Dates
Hello, I am trying to find a query to run to find out all blocked inbound traffic from my external PAN and F5 ASM. Can someone please show me how that is done? Any assistance would be greatly appreciated. I look forward to your response. Thanks, Cosm0360
I am trying to set up the add-on on the heavy forwarder to bring in the following information for both the west and east GovCloud regions:

ec2_volumes
ec2_instances
ec2_reserved_instances
ebs_snapshots
classic_load_balancers
application_load_balancers
vpcs
vpc_network_acls
cloudfront_distributions
vpc_subnets
rds_instances
ec2_key_pairs
ec2_security_groups
ec2_images
ec2_addresses
lambda_functions
s3_buckets
iam_users

Details:
Add-On Version: 4.6.0
Installed: Heavy Forwarder
Configured in the GUI for AWS GovCloud (US) for the region.
Uses an Assumed Role for EC2 Metadata based on the permissions outlined in the Add-On Guide, and a trusted entity of "The identity provider(s) ec2.amazonaws.com".

We have EC2 assets in both the west and east regions, but when I configure this input, it only seems to pull in west region data and nothing from east. Anyone know why that is? Is there an underlying issue with the script, a limitation of GovCloud, or something else entirely? The permissions are global, so I would not think that would be an issue, as it is in the same account. Any help is much appreciated.
Hi All, recently Dal Jeanis provided a solution to my query, and now I'm encountering one more issue with the same solution.
https://answers.splunk.com/answers/815659/how-to-get-multiple-events-into-single-row-or-tabl.html

As I see partial logout sessions too, I need the searchmatch for either Successful logout or Partial logout to match the timestamp, and it should be reflected in the report. If I use an asterisk, "1030105*:5", it displays the timestamp of another event (country).

103010521:5 -- Successful logout
103010502:5 -- Partial logout
103010502:5 -- resource assigned
103010009:5 -- username
103010500:5 -- country
103010506:5 -- User Agent

index=xyz hostname=device_* session_id=*
| rename COMMENT as "limit to needed fields"
| fields hostname, session_id, username, country, clientip
| rename COMMENT as "set the start and end times"
| eval session_start=if(searchmatch("103010005:5"),_time,null())
| eval session_end=if(searchmatch("103010521:5"),_time,null())
| rename COMMENT as "roll the records together"
| stats values(*) as * by hostname session_id
| rename COMMENT as "format the time fields"
| convert ctime(session_start) ctime(session_end)
| rename COMMENT as "present the results"
| table hostname, session_id, username, country, clientip, session_start, session_end

I need the session end time from either of the events, Successful logout or Partial logout; it should use whichever event appears first/last.
103010521:5 -- Successful logout / 103010502:5 -- Partial logout
The same version of the Splunk forwarder (8.0.2) on 2 Linux servers is behaving differently. One lists all files under a folder to monitor; the other shows only a few of them. What's the issue?
Hi, I want to compare a datetime value with many entities in my message. I have an eval (IST_time_latest) with the value 2020-04-13 00:00:00, and I want to check whether this eval is equal to all the datetimes in (message.abc.cat, message.abc.dog, message.abc.man, message.abc.hello). The event message is like this:

{
  message: {
    abc: {
      cat: 2020-04-13 00:00:00
      dog: 2020-04-13 00:00:00
      man: 2020-04-13 00:00:00
      hello: 2020-04-13 00:00:00
    }
  }
}

| eval flag_cat=if( (IST_time_latest=='message.abc.cat') ,"TRUE","FALSE")
| eval flag_dog=if( (IST_time_latest=='message.abc.dog') ,"TRUE","FALSE")
| table flag_cat, flag_dog

There are 50+ entities like this in the messages, and I do not want to create a flag like this for all of them. Can you please suggest an alternative?
Hi guys, I installed my own instance on Windows. I had some JavaScript files that improve my look and feel as a visual carousel for single panels (e.g. https://www.splunk.com/en_us/blog/tips-and-tricks/animate-simplexml-dashboard-elements-with-a-carousel.html). In my instance, everything is working fine! When I tried to apply it also to production (Apache server), this error appears in the console:

Failed to load resource: the server responded with a status of 404 (Not Found) https://splunk-euops.internal.vodafone.com/en-US/static/js/lib/jquery.cloud9carousel.js

In my carousel.js from 'opt/splunk/etc/apps/app/vf_euops_reporting/appserver/static' I have the following path:

require([
  'underscore',
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/simplexml/ready!',
  '/static/app/vf_euops_reporting/js/lib/jquery.cloud9carousel.js'
], function(_, $, mvc, Carousel) {
....

I have tried to change the path to:
'js/lib/jquery.cloud9carousel.js'
'app/vf_euops_reporting/js/lib/jquery.cloud9carousel.js'
'/static/app/vf_euops_reporting/js/lib/jquery.cloud9carousel.js'
and none work.... But if I add '/app/vf_euops_reporting' (this is the app where I would like to install it) in the URL after the static part, https://splunk-euops.internal.vodafone.com/en-US/static/app/vf_euops_reporting/js/lib/jquery.cloud9carousel.js, it is found... Any suggestions, please? Thank you in advance!
Hi, will this app be updated to support 8.0? Specifically, Splunk Cloud 8.0? Thanks, Byron
If the field is a mix of JSON and some other type, is it possible to parse the field at index time or search time without using spath? My data is somewhat a mix of JSON and another format. How should I parse it without using the spath command (I mean parsing at index time or search time), so that I can alias the key-value pairs in the JSON part and the ones in the other format?

Below is my raw log pattern:

ssoId:023serwerwef32, RBA Request : key=value&key=value&&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value&key=value ,RBA Response : {"key":value","key":value","key":value","key":value","key":value","key":value","key":value","key":value".........}

Note: the value of the above RBA Response is multiple nested JSON of varying sizes in different logs.
Hi Splunkers, do Splunk alerts have functionality to highlight a field name in the alert subject? TIA