Hello all, in Enterprise Security I need to write searches for the scenario below. Can someone help in writing this?

1. A search that shows hosts that have had more and more vulnerabilities over three months. The intent is to find servers that have never been patched.
   a. There should actually be 2 searches, one for workstations and one for servers.
2. Incorporate software versions from Rapid7 and show vulnerabilities per version. This should then allow for a way to view the servers that are associated with these most vulnerable software versions.
   a. There should actually be 2 searches, one for workstations and one for servers.

Thanks in advance
If there were a field that one wanted to overwrite, say an API token for example, and it had already been logged in Splunk, deleting may not be an option; how about overwriting that field with something like 'xxx'? Thanks in advance!
Hello, I'm testing Splunk Enterprise 8.0.3 locally on my laptop (Windows 10 Home) and trying to set up the IBM MQ Input Modular (https://splunkbase.splunk.com/app/3004/#/overview). I followed the instructions on the GitHub repo of the add-on (https://github.com/jjjw420/splunk-ibm-websphere-mq-add-on). The prerequisites are installed:
- IBM MQ Server - OK
- IBM MQ Client - OK
- pymqi-1.10.1 64bits - get and build OK
- mq_ta add-on copied in /etc/apps - OK
- The pymqi built libs are copied in /etc/apps/mq_ta/bin - OK
But when I tested the import of pymqi with the embedded python3 interpreter of Splunk (which is Python 3.7.4), I got an "ImportError: No module named pymqe" error. However, when I tried the same import with Python 3.8.2 installed on my system, everything was OK, no error. Is it because pymqi is not supported by Python 3.7.4 or Windows 10? Is there any way to tell Splunk to use another Python version other than the one that came with the product? Thanks in advance for your help
I have set up a new server, and I'm trying to get nginx access logs into Splunk. This is not working. These are my config files:

cat inputs.conf
[monitor:///var/log/nginx/access.log]
disabled = false
sourcetype = access
[monitor:///var/log/nginx/error.log]
disabled = false
sourcetype = error
[default]
host =hostname

outputs.conf
[tcpout-server://hostname:8089]
[deployment-client]
clientName = qpp-nginx
[target-broker:deployment-server]
targetUri = hostname:8089

I am not seeing any errors in the Splunk logs, although the Splunk agent is running. Splunk btool check reports but detects no errors. If I do a search for sourcetype=access.log nothing comes up, neither for host="ip address" nor host="hostname".
Hi everyone, I am new to Splunk configuration, so I am looking for guidance and step-by-step configuration. I need to send primarily AWS CloudWatch log groups (EC2 instances' /var/log/messages and Tomcat logs, VPC logs) and CloudTrail to an on-premise Splunk server. I am looking for a solution where I am planning to create a server as a universal forwarder which collects all these logs and pushes them to the Splunk server (port 9997). Can a universal forwarder collect all the logs mentioned above and send them to Splunk? That's the first step. I am assuming I might have to get the AWS add-on installed on the Splunk server. How do I configure a log stream in Splunk with or without the AWS add-on? I would like a step-by-step guide as I am new to Splunk. Thanks in advance.
Hi, I need a query to show me all occurrences when the same message is logged within 200ms. Log example:

Message="Landed on page"
xxxxxx
yyyyyyy
Message="Landed on page"
zzzzzzz
uuuuu
jjjjjjjjjjj
Message="Landed on page"

I need to show all Message="Landed on page" events which happened within only 200ms of each other. Thanks!
Hello, whenever I am updating my Splunk application, each time I have to upgrade several Splunk Forwarders, which really takes my valuable hours. As I am currently working on my website https://ezytilingservices.com.au, I have to make sure every second that everything is going well with my updating issues. I want to know how I can handle this migration prompt issue, or whether there is any script which helps me to skip this migration prompt. I want to find a way by which all these updating issues will be handled automatically and there will be no need for any user input, especially from my side. I am sure that I will get all my answers after submitting this query in your database. Thanks for reading my query, and I hope that anyone who has knowledge about it will be able to reply to me as soon as possible.
In my props.conf, I have LINE_BREAKER=field1. This breaks the events how I want, but it removes field1 from every event. Is there any way to keep field1 in my events but still break events after it occurs? Thanks in advance
Greetings experts, I have an alert configured to output the search results to a lookup file, and I need to be able to match one of the fields with a wildcard. The process seems straightforward enough, but my search using the lookup is matching the literal wildcard character (*) instead. Here's what I have so far.

Simplified scheduled alert search that populates the lookup:
* | eval MachineNodeWildcard=Machine."-*"

Lookup definition (transforms.conf on search head):
[machines]
batch_index_query = 0
case_sensitive_match = 0
filename = Machines.csv
match_type = WILDCARD(MachineNodeWildcard)
max_matches = 1000
min_matches = 0

CSV file sample (with header):
host,"_time",Machine,MachineNodeWildcard
host1,1586334808,machineA,"machineA-*"

SPL using lookup (host is returned null):
| makeresults | eval MachineNodeWildcard="machineA-1" | lookup machines MachineNodeWildcard OUTPUT host

This SPL works but isn't what I need (host is resolved):
| makeresults | eval MachineNodeWildcard="machineA-*" | lookup machines MachineNodeWildcard OUTPUT host

There are several other inquiries about wildcard fields in lookups, but I was unable to find a suitable solution from them. Thank you.
Hello, I have some data in a txt file that I am working on extractions for. It extracts fine except that in some of the URLs there are spaces, and that throws the rest of the extractions off. For example, this works just fine:

Type AppliesTo Path Snap Hard Soft Adv Used
---------------------------------------------------------------------------------------------------------
directory DEFAULT /place/here2/test No 1.00G - 990.00M 12

However this does not:

Type AppliesTo Path Snap Hard Soft Adv Used
---------------------------------------------------------------------------------------------------------
directory DEFAULT /place/here/fileservers/host16/App Management No 100.00G - 98.00G 90.073G

Due to the spaces in the path, the extractions after that don't work. Here are my props:

[ storage:data ]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
FIELD_DELIMITER=whitespace
HEADER_FIELD_LINE_NUMBER=1
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=null
SEDCMD-removeDash=s/---------------------------------------------------------------------------------------------------------//g
SEDCMD-removeDash2=s/^-.*$//g
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true

The issue is using whitespace as the delimiter, I suppose, but if I don't use that I don't get any field extractions. Any ideas?
We are forwarding VMware ESXi syslog to Splunk using a heavy forwarder. We have not installed any universal forwarder on our ESXi servers. In Splunk we have created an index (vmware_log) and created a token for the index, but we are still not able to see logs in Splunk Cloud. Why?
Hello, I'm having an issue where ClamAV logs aren't breaking the events correctly. I'm confident the line-breaking regex is fine: Time: \d+\.\d+ sec \(\d+ m \d+ s\)() The issue I'm having is that sometimes the events show up in Splunk where "------------------------------------------" <-- this hashed line is an event. It shouldn't be its own event; it should be included at the start of every event, not be its own event. So the end of the event seems to be satisfied with the line_breaker on the time field, but how do I force Splunk to understand the hashed line is the start of every event? As of now it works sometimes, where the hashed line is included in the event, and sometimes it does not (the hashed line is its own event). Is there any way to enforce this, perhaps with some sort of index-time field parsing stanza I'm missing? You can see from the blob I'm pasting below examples of the logs (3 separate events).
Hi, after looking on the forum, I don't find a solution to solve my issue. I use a drilldown on a table to open a link in another application.

<drilldown>
<link target="_blank">https://cmp.<blablabla>/$row.Id$/overview</link>
</drilldown>

But the link will change depending on a token set through an input:

<fieldset submitButton="false">
<input type="dropdown" token="env_portal">
<label>Environment</label>
<choice value="prd">PRD</choice>
<choice value="tvp">TVP</choice>
<initialValue>prd</initialValue>
</input>
</fieldset>

I tried to add a condition in the drilldown, but it doesn't work:

<drilldown>
<condition match=" $env_portal$ == 'prd' ">
<link target="_blank">https://cmp.<blablabla>/$row.Id$/overview</link>
</condition>
<condition match=" $env_portal$ == 'tvp' ">
<link target="_blank">https://cmp-tvp.<blablabla>/$row.Id$/overview</link>
</condition>
</drilldown>

How can I do a search condition? Regards
Hello group,

I have some questions around the configuration of Local Event Log collection. In reviewing our existing configuration I noticed that Event Log Collection for our Windows Splunk Server has been configured via "Settings => Data Input => Remote event log collections" using "localhost", versus "Settings => Data Input => Local event log collections".

My first question would be: are there any differences (positive or negative) between these two approaches? Since there are no noticeable problems, I am assuming no, but did want to get your thoughts on this.

Secondly, does local collection configured as either the "Local" or the "Remote" "Local inputs" method use WMI to obtain the logs in both cases?

Lastly, is there a local monitoring alternative to using WMI for Security Log Collection on a heavily audited Splunk Server? Alternatively, does local monitoring with WMI (with an AD Account versus LocalSystem) actually contribute to File and Object Access?

Thank you for your review and comments,
Greg
Hi guys,

I am having some issues extracting a comparison between two different searches. Let's assume the following:

Result of search A:
ID
X_584
X_571
X_568
X_999

Result of search B:
ID | Valid
1 | X (571)
2 | X (584)
3 | X (382), X (584), X (571), X (568)
4 | X (568), X (571)

Desired result:
ID | count | Exist
X_584 | 2 | True
X_571 | 3 | True
X_568 | 2 | True
X_999 | 0 | False

I tried to join and use match, but the problem persists, first because:
- Search A has values with "_" while in search B they are with a space and parentheses " ( )" --> I tried to rex the field, but the search seemed so complicated.

Then I was stuck on how to string-match both values and put an eval for the Exist field.

Do you guys have any clue on how to solve this?

Kind regards to those who thought about this.
An error saying that searches are being delayed has started to appear. I would like to check which searches are delayed and by how much. What is the appropriate way to check this?

[Error message]
The percentage of non high priority searches delayed (21%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=669. Total delayed Searches=141
Hey Splunkers,

There is no drilldown functionality in https://splunkbase.splunk.com/app/3238/. To get that, I have tried with CSS, and also got the reference to write JS for click events, for drilldown. But how can I integrate that JS with the CSS? Below is my code:

Donut Chart with CSS

<panel>
<html depends="$alwaysHideCSSStyle$">
<style>
g.c3-shapes.c3-shapes-WARN path.c3-shape.c3-arc-WARNING{ fill:amber !important; }
g.c3-shapes.c3-shapes-ERROR path.c3-shape.c3-arc-CRITICAL{ fill:red !important; }
g.c3-shapes.c3-shapes-ERROR path.c3-shape.c3-arc-NORMAL{ fill:green !important; }
div.c3-tooltip-container table.c3-tooltip tr.c3-tooltip-name--WARNING td.name span{ background-color:amber !important; }
div.c3-tooltip-container table.c3-tooltip tr.c3-tooltip-name--CRITICAL td.name span{ background-color:red !important; }
div.c3-tooltip-container table.c3-tooltip tr.c3-tooltip-name--NORMAL td.name span{ background-color:green !important; }
g.c3-legend-item-WARN line.c3-legend-item-tile{ stroke:amber !important; }
g.c3-legend-item-ERROR line.c3-legend-item-tile{ stroke:red !important; }
g.c3-legend-item-NORMAL line.c3-legend-item-tile{ stroke:green !important; }
</style>
</html>
We would like to use wildcards when consuming JMS queues. For example, all queues starting with AQ* should be browsed:

[jms-tst]
activation_key = xxxxxxyyyyyyyy
browse_mode = stats
browse_queue_only = 1
durable = 0
hec_batch_mode = 0
hec_https = 0
index = jms
index_message_header = 0
index_message_properties = 0
init_mode = jndi
jms_connection_factory_name = ConnectionFactory
jndi_initialcontext_factory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
jndi_provider_url = failover:ssl://<hostname1>,ssl://<hostname2>:61617
output_type = stdout
strip_newlines = 1
jndi_pass = xx
jndi_user = xx
destination_pass = xx
destination_user = xx
browse_frequency = 600

[jms-tst://queue/dynamicQueues/AVQ.TO.FTX.MKDI.AVAST11]
sourcetype = jms:ftx

[jms-tst://queue/dynamicQueues/AVQ*]
sourcetype = jms:ftx

Is this possible? Or is there another way to achieve this without adding all the queues?

Thanks
Ben
I have a field "avg_time" which I want to display in descending order. I tried sort -avg_time but it didn't work.

eval n=round(diff,2) | chart limit=200 eval(round(avg(n),2)) as avg_time count over Transaction_GroupName by v usenull=false

v is the version of the app. The results table has the fields Transaction_GroupName, count:v, avg_time:v.
Hello everyone. I had the following problem: existing data from the KV store has been overwritten. Is there any way to restore the data? Thanks