All Topics

I have a Linux environment and SSH is a thing here. I need to show SSH logins with location. I got the map to work, but now I need to figure out how to show the IPs by two locations based on the first two octets of the IP address scheme.

Example:
Texas: 192.168.x.x
California: 172.16.x.x

index=Exampe_index "ssh" sourcetype="Example_audit" "res"=success type=USER_LOGIN hostname=* | iplocation addr | geostats latfield=lat longfield=lon count
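One way to do the two-octet split, as an added example that is not part of the original post: classify addr with cidrmatch (192.168.0.0/16 and 172.16.0.0/16 are exactly "first two octets" matches), then count per site. Both ranges are RFC 1918 private space, which iplocation cannot geolocate, so the example assigns fixed, assumed site coordinates for geostats instead; the index, sourcetype, site names and coordinates are the poster's placeholders or assumptions.

```spl
index=Exampe_index "ssh" sourcetype="Example_audit" "res"=success type=USER_LOGIN hostname=*
| eval site=case(
      cidrmatch("192.168.0.0/16", addr), "Texas",
      cidrmatch("172.16.0.0/16", addr),  "California",
      true(), "Other")
| stats count as logins dc(hostname) as hosts values(hostname) as hostnames by site, addr
| sort site, -logins
| eval lat=case(site="Texas", 31.0, site="California", 36.8),
       lon=case(site="Texas", -100.0, site="California", -119.4)
| geostats latfield=lat longfield=lon sum(logins) as logins by site
```

The stats row per site and addr is the table view; the assumed lat/lon pair (approximate state centroids, not real data) lets the same result feed geostats so private addresses still appear on the map. Anything that falls into "Other" has no coordinates and is dropped by geostats, which is worth surfacing in a separate table rather than silently losing it.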
I am getting the error below regarding pass4SymmKey:

WARN HTTPAuthManager [1045 MainThread] - pass4SymmKey length is too short. See pass4SymmKey_minLength under the clustering stanza in server.conf
INFO ServerRoles [1045 MainThread] - Declared role=cluster_master.
INFO ServerRoles [1045 MainThread] - Declared role=cluster_manager.
ERROR ClusteringMgr [1045 MainThread] - pass4SymmKey setting in the clustering or general stanza of server.conf is set to empty or the default value. You must change it to a different value.
ERROR loader [1045 MainThread] - clustering initialization failed; won't start splunkd

What exactly is the problem? I have defined the exact proper length of pass4SymmKey, but still it is not working. Below is the server.conf file. The server.conf file for the updated version will look like below:

[general]
serverName = ***
pass4SymmKey = generated_pass4SymmKey_value

[sslConfig]
sslPassword = ***

description = ABCDEFGH
peers = *
quota = MAX
stack_id = ***

description = ABCDEFGH
peers = *
quota = MAX
stack_id = forwarder

[***:ABCDEFGH]
description = ABCDEFGH
peers = *
quota = MAX
stack_id = free

[indexer_discovery]

[clustering]
cluster_label = ***
mode = manager
replication_factor = 3
search_factor = 2
pass4SymmKey_minLength = 32

What am I missing?
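For comparison, an added example of a manager and a peer server.conf that satisfies the checks named in the log above; it is not the poster's file. The log shows two separate checks: the clustering stanza's key must reach pass4SymmKey_minLength, and the key read from [clustering] (falling back to [general]) must not be empty or the default. The posted file carries pass4SymmKey only under [general] and a placeholder value, so the example puts an explicit key under [clustering]. Hostnames, labels and the key placeholders are assumptions.

```ini
# Manager node (assumed host cm1.example.internal). The plaintext key is
# what the length check sees; splunkd rewrites it as an encrypted $7$...
# value on the next restart, so set it before starting.
[general]
serverName = cm1.example.internal
pass4SymmKey = <general-secret-at-least-32-chars>

[clustering]
cluster_label = prod_idx_cluster
mode = manager
replication_factor = 3
search_factor = 2
pass4SymmKey_minLength = 32
pass4SymmKey = <cluster-secret-at-least-32-chars>

# Every peer (and cluster search head) must carry the identical cluster
# key in its own [clustering] stanza; on releases before 9.0 the
# manager_uri key is spelled master_uri.
[clustering]
mode = peer
manager_uri = https://cm1.example.internal:8089
pass4SymmKey = <cluster-secret-at-least-32-chars>
```

Two things to verify before restarting: the value in [clustering] is a fresh random string of at least pass4SymmKey_minLength characters (the [general] key is a different secret used for other node-to-node traffic and does not stand in for it), and the file contains only one [clustering] stanza per node, since a second copy silently overrides the first.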
I have added a new SAML group and assigned it a role that was created earlier with limited privileges/capabilities and access to only 2 indexes. However, users in that group have reported being unable to access the resources (indexes). Upon verifying in the Users section of the Splunk Cloud settings, I noticed that the specific users within that AD group were not assigned their roles. Is there a troubleshooting step I should take? I noticed an option in the SAML settings to reload the SAML configuration, but I am worried about clicking on it.
I have thousands of records (events). I would like to search whether field a exists in field b of another event (record). e.g.

Name;Reference;Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD

So I would like to find records where Reference (Abc1) with status DONE is present in another record whose NewReference is equal to the Reference of the earlier record (Abc1) and whose status is OPEN. The logs will have thousands of records. Thanks
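An added example of doing this without a join or subsearch, which matters at thousands of events because subsearch and join hit result and time limits: derive one join key per event (Reference for DONE rows, NewReference for OPEN rows), then let stats group both sides under that key. The index and sourcetype are assumed; the literal string "Null" is taken from the sample rows above.

```spl
index=example_index sourcetype=example_records
| eval key=case(Status="DONE", Reference,
                Status="OPEN" AND NewReference!="Null", NewReference)
| where isnotnull(key)
| stats count(eval(Status="DONE")) as done_count
        count(eval(Status="OPEN")) as open_count
        values(eval(if(Status="DONE", Name, null()))) as done_names
        values(eval(if(Status="OPEN", Name, null()))) as open_names
        min(Date) as first_seen max(Date) as last_seen
        by key
| where done_count > 0 AND open_count > 0
```

For the two sample rows this yields one result, key=Abc1 with done_names=Test and open_names=Hello. Rows with any other Status, or an OPEN row whose NewReference is "Null", get no key and are dropped by the where clause before stats, which keeps the grouping cheap.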
Hi, I created a custom input using HEC in a distributed environment. When searching, I see that the values for the fields are duplicated, that is, for one event I have two values. Any ideas why this might be happening?
We recently configured the new sentinelone:channel:application_management:risks sourcetype, and after the initial bulk ingest of historic events and a smaller, steadier number of events over subsequent days, the risk channel has stopped pulling in any new events. It has been 8 days since any new events have come in from this channel. I have deleted and recreated the input a couple of times and adjusted the cron from every 12 hours to every 5 minutes, and still nothing new is coming in. I suspect there is an issue with the checkpoint, but I have not found anything conclusive, and as we are a Splunk Cloud customer my ability to dig beyond the logs is limited. See the screenshot below for the most recent logs from the risk channel.
Why is it that every time I set the event to Security Domain=NETWORK from the Content Management page, the value Security Domain=Threat appears on the Incident Review page even though I set it as NETWORK?
I am having issues with action extraction on my Windows add-on. For example, EventCode 4624 should have an action value of success, but nothing is being extracted, and this EventCode constitutes the majority of the data. The status is being extracted correctly as success. Does anyone know how action is extracted for this EventCode?
Hi all, is there a way to use one deploy server to push apps to 2 different search head clusters? For example, I have a search head cluster named site1 and I want to install a new search head cluster named site2, then push some apps to site1 and different apps to site2, so I can control which app will be pushed to each site.
Hello everyone, I have a problem with protocol detection in Splunk logs! I see BitTorrent everywhere in my logs and the traffic is not BitTorrent! I tracked the traffic and it is between a network device and a monitoring tool. I have DPI (deep packet inspection) installed as an aux, but it seems to be a wrong app detection in Splunk. What should I do? Is there any help with that? #SPLUNK
Hello, I am doing a detection for an event on the same index with 2 logs. I want to filter events of Event A based on whether the username field exists with the same value in Event B. I tried doing a subsearch but I get errors with the query below. I want to filter Event A by whether there are any events from Event B with the same original_user.

(index=<my index>) EventType="A" EventType=A
| rename username as original_user
| eval Id= mvindex((newValue),0)
| eval Name= mvindex((newValue),1)
[ search index=<same index> <filtering by a string>
  | eval src_email= mvindex((newValue),3)
  | rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
  | fields original_user]
| stats values(*) as *

The above query says my eval is malformed. Is there any way to solve it? Append/Join? I also tested the query inside the subsearch by itself and it works with no issues.
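A corrected form of the query above, added here as an example rather than the poster's own code. A bracketed subsearch is only valid as part of the base search, where Splunk expands it into (field="v1") OR (field="v2") ...; dropped between eval commands it is parsed as part of the eval, which is the malformed-eval error. The subsearch must also emit the field under the name Event A carries (username) before the rename, and should dedup so the expanded OR list stays small. Index names and the filter string are the poster's placeholders.

```spl
index=<my index> EventType="A"
    [ search index=<same index> <filtering by a string>
      | eval src_email=mvindex(newValue, 3)
      | rex field=src_email "(?<username>[\w\d\.\-]+\@[\w\d\.]+)"
      | dedup username
      | fields username ]
| rename username as original_user
| eval Id=mvindex(newValue, 0)
| eval Name=mvindex(newValue, 1)
| stats values(*) as * by original_user
```

The subsearch runs first and is capped by default at 10,000 results and 60 seconds; if Event B can exceed that, narrow its time range or replace the pattern with a single search over both EventTypes followed by stats by username and a where on both sides being present. The added by original_user keeps one row per matched user instead of collapsing everything into a single row.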
Hello, new to Splunk. I am trying to exclude certain applications in an SPL search, specifically by app name. What field would I need to consider in order to apply the '!=' boolean plus app name? Thanks again.
Hello, does anyone have experience configuring Splunk DB Connect with an Informix database? Do we need to install the drivers explicitly for this to be configured? If yes, does anyone have the link where I can download these drivers? I am using a Linux environment. Thanks in advance.
Hi, I am new to Splunk and trying to gain hands-on experience. I am facing trouble searching the data based on this query: "Which age group performed the most fraudulent activities and to what merchant?" Can anyone help me figure out the solution?
While monitoring with Real User Monitoring, should the performance of the web application deteriorate for any reason, we would like to pause the RUM agent and resume monitoring later based on the situation. We request the Splunk RUM agent API reference documentation that provides the full list of API methods, including pause, resume and other methods.
Hello, for more than two weeks I have been trying to access the site in order to create my account and be able to download Splunk Phantom. But I can't access the site (my.Phantom.us). What should I do, please?
I want to change the color of the bars to green for approved and red for declined. I have tried using seriesColorsByField, but it does not change the color.
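An added Dashboard Studio example (not the poster's dashboard) showing the one shape of data that seriesColorsByField can colour: its keys are series names, so "approved" and "declined" must arrive as two columns (two series), not as two row values under a single count column. A stats count by status result has only one series, count, and no key in the map matches it. The transpose turns the rows into columns; keys are case-sensitive and must equal the column names exactly. Index, sourcetype, field name and hex colours are assumptions.

```json
{
  "visualizations": {
    "viz_status_bars": {
      "type": "splunk.bar",
      "dataSources": { "primary": "ds_status_counts" },
      "options": {
        "seriesColorsByField": {
          "approved": "#1EB03C",
          "declined": "#D92B2B"
        }
      }
    }
  },
  "dataSources": {
    "ds_status_counts": {
      "type": "ds.search",
      "options": {
        "query": "index=payments sourcetype=txn | stats count by status | transpose header_field=status column_name=metric"
      }
    }
  }
}
```

If the status values in the data are capitalised (Approved, Declined) the map keys must be too, or the default palette is used silently. For a time series use chart count over _time by status instead of the transpose; the per-status columns it produces are matched the same way.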
Hi all, I am using the query below but not getting complete output. If there is no data present for ResponseTime for particular days but values are present for Fordresponsetime for the same days, it is not showing up in the table.

| tstats avg(TotalResponseTime) as ResponseTime avg(FordResponseTime) as Fordresponsetime where index=app-index NOT TERM(timeout) by _time

Query output:
_time        ResponseTime  Fordresponsetime
2024-01-01   12.67         34.00
2024-01-02   34.94         56.89
2024-01-03   24.78         52.70
2024-01-04   34.70         42.87

Expected output:
_time        ResponseTime  Fordresponsetime
2024-01-01   12.67         34.00
2024-01-02   34.94         56.89
2024-01-03   24.78         52.70
2024-01-04   34.70         42.87
2024-01-05   0             33.56
2024-01-06   0             23.77
2024-01-07   0             34.78
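An added variant of the query above, not the poster's own, that makes each daily bucket independent of the other metric: the two averages are computed in separate tstats calls, merged on the day, and then missing values are filled with 0. The explicit span=1d is an assumption (the original relies on the default bucketing) and matches the daily rows in the expected output.

```spl
| tstats avg(TotalResponseTime) as ResponseTime
    where index=app-index NOT TERM(timeout) by _time span=1d
| append
    [| tstats avg(FordResponseTime) as Fordresponsetime
        where index=app-index NOT TERM(timeout) by _time span=1d ]
| stats max(ResponseTime) as ResponseTime max(Fordresponsetime) as Fordresponsetime by _time
| fillnull value=0 ResponseTime Fordresponsetime
| sort _time
```

The max in the merge step is safe because each day contributes at most one value per metric from its own tstats. The filled 0 is indistinguishable from a genuine average of 0, so for alerting on response time treat a day as "no data" by testing for a null before fillnull (for example with an extra eval has_data=if(isnull(ResponseTime), 0, 1)) rather than by comparing against 0.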
Hello, I did the Splunk ES installation following all the steps noted here: https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallEnterpriseSecurity. I did all the steps, and now when trying to find those indexes, even in /opt/splunk/etc/apps/SplunkEnterpriseSecuritSuite/local or default, there is no indexes.conf. Within them I am trying to find index=notable, notable_summary and risk to see notable events from correlation searches. How am I supposed to get these indexes in the apps inside ES, like shown here as well: https://docs.splunk.com/Documentation/ES/7.3.2/Install/Indexes Any help would be appreciated.
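A quick check to run from the ES search head, added as an example and not from the ES documentation: the REST indexes endpoint reports every index the running instance knows about together with the app whose indexes.conf defines it, so it answers "does notable exist, and which app created it" without guessing at directory paths. The index names are the three from the post; splunk_server=local limits the query to the search head itself.

```spl
| rest /services/data/indexes splunk_server=local
| search title IN (notable, notable_summary, risk)
| table title eai:acl.app homePath totalEventCount
```

An empty result means the index is not defined on that node, and the same query with splunk_server=* shows whether the indexers have it. On a distributed deployment the definitions need to be on the indexers (or in the cluster bundle), since the search head only needs to know the names for its own searches.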