All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Is it possible to split comma separated values into a single column using field extraction? For example:

input: abcd, efgh, ijkl, mnop

output:

value 1 | value 2 | value 3 | value 4
------------------------------------------------
a | b | c | d
e | f | g | h
i | j | k | l
m | n | o | p

I know I can use something like <List>(?<val1>\w)(?<val2>\w)(?<val3>\w)(?<val4>\w)</list>, however is it possible to repeat the combination an unknown number of times within the brackets?
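The point behind the question above, shown as an added example (my code, not from the original post or from Splunk): a capture group wrapped in a repetition such as (?:...)+ keeps only its last repetition, so one regex cannot return every row. Matching the four-character combination once and iterating over all matches does. The Python below uses the standard re module on a constructed <List> body; in SPL the analogous option is rex with max_match=0, which yields multivalue fields rather than rows.

```python
from __future__ import annotations

import re

# Constructed sample input (not taken from the original post): one <List>
# element whose body is four comma-separated words.
SAMPLE = "<List>abcd, efgh, ijkl, mnop</List>"

# The combination from the question, matched once per repetition.
COMBO = re.compile(r"(?P<val1>\w)(?P<val2>\w)(?P<val3>\w)(?P<val4>\w)")


def list_body(text: str) -> str:
    """Return the text between <List> and </List> (tag case is ignored)."""
    m = re.search(r"<list>(.*?)</list>", text, flags=re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("no <List> element found")
    return m.group(1)


def split_rows(text: str) -> list[dict[str, str]]:
    """One row (dict of val1..val4) per repetition of the combination.

    finditer walks every non-overlapping match, so the number of
    repetitions does not have to be known in advance; the separators
    (", ") are simply skipped because \\w does not match them.
    """
    return [m.groupdict() for m in COMBO.finditer(list_body(text))]


def last_repetition_only(text: str) -> dict[str, str] | None:
    """What a single regex with a repeated group actually returns.

    The group is repeated with +, but each named group holds only the
    value from the final repetition, so three of the four rows are lost.
    """
    m = re.search(
        r"(?:(?P<val1>\w)(?P<val2>\w)(?P<val3>\w)(?P<val4>\w),?\s*)+",
        list_body(text),
    )
    return m.groupdict() if m else None
```

split_rows(SAMPLE) gives four rows (a/b/c/d through m/n/o/p); last_repetition_only(SAMPLE) gives just the m/n/o/p row, which is the behaviour the question runs into.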
Is there a way we can exclude weekends from alerts? I have not been able to find a cron expression.
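A standard 5-field cron schedule (minute hour day-of-month month day-of-week) excludes weekends by restricting the last field to 1-5, for example 0 9 * * 1-5. The Python below is an added example (mine, not from the original post or from Splunk) that parses such an expression and checks firing times, so the weekday rule can be verified offline; the one trap it handles is the numbering mismatch between cron (0 = Sunday) and Python's datetime.weekday() (0 = Monday).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CronSpec:
    minutes: frozenset[int]
    hours: frozenset[int]
    days: frozenset[int]
    months: frozenset[int]
    dows: frozenset[int]
    both_day_fields: bool  # True when neither day field is "*"


def _parse_field(spec: str, lo: int, hi: int) -> frozenset[int]:
    """Expand one cron field (*, n, a-b, */n, a-b/n, comma lists) to a set."""
    values: set[int] = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"field {spec!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return frozenset(values)


def parse_cron(expr: str) -> CronSpec:
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour dom month dow")
    minute, hour, dom, month, dow = fields
    return CronSpec(
        minutes=_parse_field(minute, 0, 59),
        hours=_parse_field(hour, 0, 23),
        days=_parse_field(dom, 1, 31),
        months=_parse_field(month, 1, 12),
        dows=_parse_field(dow, 0, 6),
        both_day_fields=(dom != "*" and dow != "*"),
    )


def _cron_dow(dt: datetime) -> int:
    """cron numbers Sunday as 0; datetime.weekday() numbers Monday as 0."""
    return (dt.weekday() + 1) % 7


def matches(spec: CronSpec, dt: datetime) -> bool:
    """True if dt (to the minute) is a firing time for spec."""
    dom_ok = dt.day in spec.days
    dow_ok = _cron_dow(dt) in spec.dows
    # Vixie cron rule: when both day fields are restricted, either may match.
    day_ok = (dom_ok or dow_ok) if spec.both_day_fields else (dom_ok and dow_ok)
    return (dt.minute in spec.minutes and dt.hour in spec.hours
            and dt.month in spec.months and day_ok)


def next_fire(spec: CronSpec, after: datetime, max_days: int = 8) -> datetime | None:
    """First firing time strictly after `after`, scanning minute by minute."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(max_days * 24 * 60):
        if matches(spec, t):
            return t
        t += timedelta(minutes=1)
    return None


# Weekday-only schedule: 09:00 Monday to Friday (constructed example).
WEEKDAYS_0900 = parse_cron("0 9 * * 1-5")
```

With this spec, a Friday 09:00 run is followed by Monday 09:00; Saturday and Sunday are skipped, which is the behaviour the question is after.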
Hi, I followed the steps in https://www.netsparker.com/support/netsparker-enterprise-addon-splunk/#how-to-configure-input but am getting:

ondemand.netsparker.cloud:443 port is closed

I also tried with https://www.netsparkercloud.com but am getting:

HTTPError: 503 Server Error: Service Unavailable for url: https://www.netsparkercloud.com/api/1.0/issues/allissues?websiteGroupName=&webSiteName=&page=1

Any support from the Netsparker tech team? Thanks
Hello guys, I have a Python script which collects host, port, username and password to create a connection. After this, it passes the query and fetches the data from Splunk. My script works perfectly if I run it on the local machine with the local machine as host (meaning Splunk is installed on the same machine), but when I use the same script to connect to a Splunk instance running on an AWS machine, it is unable to create a connection. So what can be the issue? SSH certificate? If yes, how can I specify this attribute in the script? My script has only these:

host = host, port = port, username = username, password = password

Any other issues?
Hello, I feel super dumb asking this question, but how does one log out of Splunk when there isn't an option under my profile name at the top to do so? This isn't the free version but 7.3.3. Thanks.
Thought there was an answer on this already but can't find it, but for something like this, which is the most performant and why?

index=potato | evals | fields | stats
index=potato | evals | stats
index=potato | evals | table | stats

I would have thought that just the stats would've been the fastest, but potentially if fields can be done on the indexer that would be faster? Thanks!
In an attempt to bring in some additional Azure AD data we have begun using the Microsoft Azure Add-on for Splunk, however we are not seeing any results actually come back to Splunk, and not seeing any errors in collection. When enabling debug logging I can see that we are getting an HTTP status code of 200, but a content length of 'None':

2020-03-20 19:44:33,920 DEBUG pid=62692 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2020-03-13T19%3a29%3a45.102703Z+and+activityDateTime+le+2020-03-20T19%3a22%3a45.501341Z&$skiptoken=f207127ca72cc8e1dca1f7873280c23e_326040 HTTP/1.1" 200 None

And the Python which generates the log, to see that the length is the final attribute of that log message in connectionpool.py:_make_request:400:

log.debug("%s://%s:%s \"%s %s %s\" %s %s", self.scheme, self.host, self.port, method, url, http_version, httplib_response.status, httplib_response.length)

The service continues to run and get 200 responses, and even finds the next link to go to from @odata.nextLink within the JSON returned, even though the debug logging shows no content length:

2020-03-20 19:44:34,136 DEBUG pid=62692 tid=MainThread file=base_modinput.py:log_debug:286 | _Splunk_ nextLink URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2020-03-13T19%3a29%3a45.102703Z+and+activityDateTime+le+2020-03-20T19%3a22%3a45.501341Z&$skiptoken=a05e0f88b9ed79f47b8955baefdf862c_327085

I have been able to replicate the action being used by the TA within Postman using the Microsoft Graph Collection and environment (https://docs.microsoft.com/en-us/graph/use-postman), where I can see plenty of data returned from each one of the URLs provided, and I am using the exact same Azure AD application with the same client id and secret.

I am trying to dig through the actual Python but I have not been able to find anything in relation to causing this issue yet.
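Two points a reader of the post above may want to check, shown as an added example (my code, not the add-on's and not from the original post). First, the trailing None in that urllib3 debug line is http.client's HTTPResponse.length, which is None whenever the server sent no Content-Length header (chunked transfer encoding), so "200 None" does not by itself mean an empty body. Second, a Graph collector must keep following @odata.nextLink until a page has none, and should defend against an empty body or a nextLink loop rather than silently stopping. The pages below are constructed, the fetch function is a stand-in for the authenticated GET, and the URLs are only shaped like the ones in the post.

```python
from __future__ import annotations

import json
from typing import Callable, Iterator

# Constructed Graph-style pages (no real tenant data). The final page has
# an empty "value" and no "@odata.nextLink", which is the stop condition.
BASE = "https://graph.microsoft.com/beta/auditLogs/directoryAudits"
PAGES: dict[str, dict] = {
    BASE: {
        "value": [{"id": "a1", "activityDisplayName": "Add user"},
                  {"id": "a2", "activityDisplayName": "Update user"}],
        "@odata.nextLink": BASE + "?$skiptoken=tok1",
    },
    BASE + "?$skiptoken=tok1": {
        "value": [{"id": "a3", "activityDisplayName": "Delete user"}],
        "@odata.nextLink": BASE + "?$skiptoken=tok2",
    },
    BASE + "?$skiptoken=tok2": {"value": []},
}


def fake_fetch(url: str) -> str:
    """Stand-in for an authenticated GET; returns the raw response body."""
    return json.dumps(PAGES[url])


def iter_pages(url: str, fetch: Callable[[str], str],
               max_pages: int = 1000) -> Iterator[list[dict]]:
    """Yield the "value" list of each page, following @odata.nextLink.

    Raises instead of returning quietly when a body is empty (the case a
    missing Content-Length can hide), when a nextLink repeats, or when the
    page limit is hit, so a stalled collector is visible in the logs.
    """
    seen: set[str] = set()
    for _ in range(max_pages):
        if url in seen:
            raise RuntimeError(f"@odata.nextLink loop at {url}")
        seen.add(url)
        body = fetch(url)
        if not body:
            raise RuntimeError(f"empty response body for {url}")
        page = json.loads(body)
        yield page.get("value", [])
        url = page.get("@odata.nextLink")
        if not url:
            return
    raise RuntimeError(f"gave up after {max_pages} pages")


def collect(url: str, fetch: Callable[[str], str]) -> tuple[list[dict], int]:
    """Return (all records, number of pages visited)."""
    records: list[dict] = []
    pages = 0
    for value in iter_pages(url, fetch):
        pages += 1
        records.extend(value)
    return records, pages
```

Running collect(BASE, fake_fetch) visits three pages and returns three records; replacing fake_fetch with a function that returns an empty string makes the collector raise rather than report "0 events added".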
Hi All, Is there a way to list out all the dependent addons for Splunk Enterprise Security app? For instance, SA-IdentityManagement SA-Utils Thanks.
I have integrated the JIRA app for Splunk using the link: https://splunkbase.splunk.com/app/1438/

inputs.conf

[jira://JIRATEST]
sourcetype = jira
interval = 60
server = abc-XXX-a001
protocol = https
port = 8443
jql = issueType in (epic, story)
fields = *
username = splunk123
password = splunk321
disabled = 0

config.ini

[jira]
hostname = abc-XXX-a001
username = splunk123
password = splunk321
jira_protocol = https
jira_port = 8443

This setup worked and pulled just 1 JIRA event (out of 1000s) and stopped. After that I see every 1 min in /lib_jira.log:

INFO pid=29870 tid=MainThread file=jira.py:collect_events:334 | ADDED 0 events

What change do I need to make?
I have configured an input through the REST API to get data into Splunk. Recently I disabled one input since there was a high volume of data coming in. If we enable it back, do we get all the historical data, since there is no timestamp? How do I get only the latest data from the time it was enabled and ignore the historical data?

Sample event:

[quartzJobExecutor-1] INFO c.c.c.r.c.s.m.i.DataSetMatcherServiceImpl - Computing similarity scores took 0 ms
Hi, I have a legacy Splunk Enterprise cluster that consists of:

1 cluster master
3 indexers, forming an indexer cluster
1 search head
1 license master

This cluster will stop receiving data. I need to downgrade it from cluster to standalone, and I need to preserve its existing data in such a way that it remains searchable. That is, I need to downgrade this cluster to only one instance: a single standalone instance that contains the same data as the indexer cluster. Is this possible? What steps should I perform?
Hi, is there a way to send a single email with 3 different PDFs? I have 3 different dashboards under the same app and I want to schedule PDF delivery of all of them via a single email. Is that possible to do in Splunk?
Hello, we have a weird warning on the integrity of the file etc/users/users.ini. If we look at the file, it contains:

[contains-uppercase]
user@domain> =user@domain_.5ec8143af5fe7888fddd625f69d704b3

It might have occurred when we created a user and made a mistake with their username: we used their email address as username but we forgot to remove the ">" at the end. But anyway, now we have this stanza with this entry and a warning on file integrity. We deleted the user and recreated it with the correct username "user@domain". The file is still the same... We checked on other Splunk instances where we don't have the integrity problem and the file users.ini is always empty. So we tried to remove the stanza from the file to make the file empty, but when we restart Splunk it tells us that the file is missing a stanza... In the end we re-added the content of the file, just in case, to not have an error on restart. This file doesn't seem to have an impact on Splunk (?), but how can we remove or fix this integrity warning? Thank you for your help
Hi, we have a syslog message like:

Mar 20 16:27:09 hostname.com Mar 20 16:17:01 hostname 2020-20-03 16:27:02,486 hostname message

With a SEDCMD I can remove the first part up to the year. Then I have:

2020-20-03 16:27:02,486 hostname message

If there is another time string in the message I have to use TIME_PREFIX in props.conf. What regex do I have to use? Starting at the line beginning (that is, after the SEDCMD) or on the initial message with a little bit more regex? What is the parsing order Splunk uses in props.conf? First SEDCMD and then the prefix, or is stripping the very last thing Splunk does with the event? Torsten
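Regarding the ordering question above: in the index-time pipeline, timestamp extraction (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD) runs in the merging pipeline, and SEDCMD runs later in the typing pipeline, so TIME_PREFIX is applied to the raw event as received, with both syslog headers still present. The Python below is an added example (mine, not from the original post or from Splunk) that runs the two regexes a props.conf would carry against a constructed copy of the message: a TIME_PREFIX that skips two "Mon DD HH:MM:SS host" headers, a TIME_FORMAT for the year-day-month stamp that follows, and the SEDCMD-style substitution that strips the headers. The date layout 2020-20-03 is read as %Y-%d-%m, as in the post; that is an assumption about the application's format.

```python
from __future__ import annotations

import re
from datetime import datetime

# Constructed copy of the event from the post (one typo corrected).
RAW = ("Mar 20 16:27:09 hostname.com Mar 20 16:17:01 hostname "
       "2020-20-03 16:27:02,486 hostname message")

# One syslog header: month name, day, HH:MM:SS, hostname, trailing space.
SYSLOG_HDR = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"

# props.conf equivalent (hypothetical stanza, assumption):
#   TIME_PREFIX = ^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+){2}
#   TIME_FORMAT = %Y-%d-%m %H:%M:%S,%3N
#   MAX_TIMESTAMP_LOOKAHEAD = 23
#   SEDCMD-strip_headers = s/^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+){2}//
TIME_PREFIX = re.compile(r"^(?:" + SYSLOG_HDR + r"){2}")
APP_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")
# Python has no %3N; %f reads the three-digit fraction as milliseconds.
TIME_FORMAT = "%Y-%d-%m %H:%M:%S,%f"


def extract_timestamp(raw: str) -> datetime:
    """Locate the application timestamp after the prefix and parse it.

    The prefix is matched against the raw event, because that is what the
    timestamp extractor sees; SEDCMD has not run at that point.
    """
    prefix = TIME_PREFIX.match(raw)
    if not prefix:
        raise ValueError("TIME_PREFIX did not match; timestamp would fall back")
    ts = APP_TS.match(raw, prefix.end())
    if not ts:
        raise ValueError("no application timestamp after TIME_PREFIX")
    return datetime.strptime(ts.group(0), TIME_FORMAT)


def strip_headers(raw: str) -> str:
    """The SEDCMD equivalent: drop both syslog headers from the event."""
    return TIME_PREFIX.sub("", raw, count=1)


def regex_for_prefix(n_headers: int) -> str:
    """TIME_PREFIX text for an event wrapped in n syslog headers."""
    return r"^(?:" + SYSLOG_HDR + r"){" + str(n_headers) + "}"
```

extract_timestamp(RAW) resolves to 20 March 2020 16:27:02.486 (the application's own stamp, not the relay's 16:27:09), and strip_headers(RAW) leaves the event the post shows after its SEDCMD.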
How do I fetch configured correlation data and query notable events, including the associated correlation rules, for an app?
I need to strip a portion out of emails. I have a list of email addresses where some of them contain -priv before the @ that I need stripped out, leaving what would be the "normal" email address. Example address:

example-priv@email.com

I want to be left with:

example@email.com

Can someone help me with the rex for this? Thank you
I am trying to get data from Spotify using an add-on. I have configured the input but I am not getting an access code.
I am trying to change the font size of the time in the trellis. You can see that when all D H M are double digits, both sides are cut off. The label of each trellis was also being cut off, but using this CSS that I found in another I was able to change the font size; however, I cannot figure out how to change the other font. I am assuming facet- is what I am missing. When I remove -label no formatting is changed, but I cannot figure out what to put that changes the result in the trellis. CSS:

<style>
  .viz-panel.viz-facet-size-medium .facet-label{
    font-size:11px !important;
    font-weight: bold !important;
  }
</style>
Hi Experts, I have a requirement. I have a field called 'exception' and it has two values: one is 'open file' and the other is 'half open file'. Exceptions start with 'half open file', and these events are typically more than 50, and then follow with 'open file', and this count might be anything more than 100. This count is in just a span of 5 mins. Now, my requirement is to display both values for 'open file' and 'half open file'. My output should be exactly 10 rows: 'half open file' events should be displayed with tail 5 and 'open file' should be displayed with head 5. That brings both counts to 10 events.
Hello experts and Splunkers, I have a Splunk environment which consists of 2 search heads, which are not clustered (let's say SH1 and SH2), and 2 indexers, which are clustered. (Please assume that, due to an organisational reason, I can't cluster SH1 and SH2.) There is an existing app deployed in SH1, let's say App1. We are developing a new app in SH2, let's say App2. App1 has a lookup (let's say lookup1) and App2 in SH2 wants to use lookup1. I can't seem to find a way to configure App2 to access lookup1. Is it possible at all?