All Topics
Hello, I'm trying to figure out how to search and compare values in subsequent/sequential JSON messages where the user is the same. Scenario: "UserA" auth-validates from location A, but finishes authentication from location B. Auth validation and auth completion messages are in two separate JSON blobs of different types (one for auth-validation, one for auth-success). I'd like to show a table by user showing: User, Validation City, Success City.

In pseudo code:

[Event A] message.Type="auth-validation" for "UserA" = client.City "x"
and in a subsequent JSON entry for "UserA",
[Event B] message.Type="auth-success" NOT = client.City="x"

Example fields I'm working with:

index=auths
(example of event at 03:45:01AM) user="UserA" message.Type="auth-validation" client.City="Los Angeles"
(example of event at 03:45:02AM) user="UserA" message.Type="auth-success" client.City="Houston"
Hi, I have the following log format. How can I break this multiline event on the condition that "2020-03-23 16:41:08,207" arrives? Note that the log needs to be indexed with Local Time.

2020-03-23 16:41:08,207 INFO [Thread-1] [server01IS] Skipping server01 Integration Server Server, NO WinServices detected...
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] APPLICATION DETECTION
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] server01HM: Release 4.1.2
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] Application Type: server01 uAgent Windows
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] ...On Windows: x32
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] RegistryKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] Detecting Application Instances...
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] RegistryKey: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] Detecting Application Instances...
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uAgentWin] TOTAL server01 uAgent Windows Detected: 0
2020-03-23 16:41:08,207 INFO [Thread-1] [server01uCIv8] SERVER DETECTION
All, any service you recommend for doing domain classification and lookups against my Squid proxy logs? Just general classification and, of course, alerts for malware.
Trying to build user activity/configuration change monitoring for Meraki logs in Splunk.
I'm trying to use the VPC security dashboards in the Splunk App for AWS. They end up blank, with zeros for totals. I edited it to see the searches, and saw the error that aws_vpc_flow_logs either didn't exist or was empty. Well, if I search on that index there certainly seems to be nothing in it. I see it's built by 3 saved searches that do a bunch of calculations on the raw flow data, which does exist in my aws index, and then do a | collect into aws_vpc_flow_logs. I can run those saved searches and get pages of data, but nothing ever ends up in the aws_vpc_flow_logs index, and I don't get an error anywhere I can find. Any idea why the collect wouldn't, well, collect?
The app's example visualizations aren't working, and when I investigated I found that the two CSVs they reference as inputlookups (bitcoin_transactions.csv and firewall_traffic.csv) aren't present in the app's lookups directory. I have MLTK v5.1.0 and Python for Scientific Computing v2.0.0 installed in a deployment running Enterprise 7.3.4. Are these two lookups provided by another app that I need to install, or have they simply been accidentally left out during packaging? Or something else ...
Any plans on upgrading from python 2.7 since it's EOL?
Hi, I have 8 servers: 4 indexers, 3 search heads (one of which is acting as a DS), and the last server acting as Master node/LM/Deployer. Now I'm enabling the monitoring console on the Master Node in distributed mode. There are two sections shown:

1. This instance:
   * Here the master node hostname and server name are shown, which are the same, say hostname is abc.com and servername is also abc.com.

2. Remote Instance:
   * Here all the indexer peers and search head members are shown (added through distributed search >> search peers).
   * The search head members also have the same hostname and servername, say hostname is search1.com and servername is search1.com, similarly for the other members as search2.com, search3.com.
   * The indexer peers' hostname and server name are different (the master node hostname is shown instead of the indexer1 hostname), say hostname is abc.com and servername is indexer1.com, similarly for the other peers as hostname is abc.com and servername is indexer2.com.

Due to this, when I apply the changes, it throws an error message: "Duplicate Instance - hostname should be unique".

On the indexer peers, under system/local/server.conf and inputs.conf, the hostname and servername are the same, say "indexer1.com".

Can you please tell me how to resolve this, so that the indexer peers' hostname is the same as the servername of the indexer peers? Also, for all the instances under "Remote Instance" the status is New; how do I get them to show as configured?
Hello, I'm trying to create entities (servers) from a search; I'm importing fields as title, alias and info. The problem is when in some column there is more than one value. In this case I cannot filter out entities using this field, regardless of whether I import it as an alias or info field. I have also noticed that when I add the alias field manually (the same content, just copy-pasted), filtering works for me. Even regular expressions work like a charm (which is important for me). So it looks like the problem occurs when entities (fields) are imported and there is a column which has more than one value. Has anyone had a similar problem? Or is there some known limitation? Thanks for any help.

Splunk 8.0
ITSI 4.4.1
Windows 2016
Java 64bit 1.8.0_241
Can certain Splunk configurations be modified to increase concurrency? Can searches be modified to better use CPU?
I'm running a subsearch where I use an ID to find events from index B in index A. What I want to do is list the IDs from index B that were not found in index A. The subsearch structure is:

search index=A search index=B | table ID's

How can I list the IDs that weren't found?
Is there any way in Splunk to pull the full list of dashboards, macros, saved searches, and data models that use the Splunk internal indexes (_*)? Any suggestions or ideas would be great.
I want to find in my Linux and Unix environments which users are active, inactive, blocked or disabled. I tried looking in the /etc/shadow file, but sometimes this file is inaccessible, so which file do I have to search? And maybe you can help with the search you used. Thanks.
Is there any Splunk query to search for sender, recipient and subject in msexchange email logs? I know there is the msexchange app, but could it be done via a simple query/regex? Thanks for your help.
Hi, I am running a query to get a count of unique users, like:

| stats dc(user)

How do I get the list of those unique users?
Splunk forwarder 8.0.2 - all on Windows. The case is, we have a server which, due to licensing issues of a product, is shared for all preprod environments. Logs are structured like this:

d:\logs\sites
  - Dev
    - <sitename>
      - messagelogs
      - w3c
  - Test
    - <sitename>
      - messagelogs
      - w3c
  - Qa
    - <sitename>
      - messagelogs
      - w3c

For each environment I have configured inputs.conf like this:

[monitor://d:\logs\sites\dev\*\*Exceptions.log]

replacing the name of the environment in every file. The rest of the stanza is fine, because the servers which are per environment have the same stanza, but omitting the name of the environment, like this:

[monitor://d:\logs\sites\*\*Exceptions.log]

If I am not totally mistaken, the use of the wildcard is correct and means "one level, any name", compared to three dots '...' which means "any levels down until you find a match". Therefore the two example stanzas should not 'collide', and the inputs.conf for the other environments should also not cause an issue since they have their unique name in the path. But still, no events logged from that server. Except for (realizing now when writing this) that the stanzas

[monitor://C:\Windows\System32\LogFiles\HTTPERR\httperr*.log]
[monitor://d:\logs\powershell\*.log]

are identical in all inputs.conf, but it seems that the "first" index takes preference for that and indexes it to the dev index. But still, I cannot see that it could break the rest. No errors logged when restarting the forwarder, nor when running btool --debug (just warnings, found on all the other servers as well).
How do I ingest data into Splunk Phantom?
Hi folks, hope you are well!! We want to password-protect the Splunk reports while delivering them to user mailboxes, so that only users who have the key can access them. Can we do it in Splunk, or do we have any Splunkbase application for this?
Hi, the event is successfully displayed on the AOB output console, but it is not getting indexed into Splunk and it shows 0 events. Here is the code:

import os
import sys
import time
import datetime
import requests
import json
import splunk
import random


def validate_input(helper, definition):
    """Implement your own validation logic to validate the input stanza configurations"""
    pass


def collect_events(helper, ew):
    # To create a splunk event
    # myindex = service.indexes["test_index"]
    # Build a small JSON payload with a random value so each run is distinguishable
    data = str(random.randint(0, 100))
    event_data = {
        "info": data,
        "info2": data
    }
    json_data = json.dumps(event_data)
    # Create the event with the index and sourcetype configured for this input
    event = helper.new_event(index=helper.get_output_index(),
                             sourcetype=helper.get_sourcetype(),
                             data=json_data)
    try:
        # Hand the event to the event writer for indexing
        ew.write_event(event)
    except Exception as e:
        raise e
Hi, I am trying to bring back two interesting fields from multiple hosts. My search looks like this:

index=IIS (host=Host1 OR host=Host2 OR host=Host3 OR host=Host4) c_ip=Range OR Client_IP=Range

This search is only bringing back c_ip results, not Client_IP results. It should be bringing back both.