Hi guys, I am working as a security analyst and I monitor many customers using Splunk. I usually deal with incidents that are created by someone higher than me and then investigate them, but now I am trying to learn threat hunting with Splunk and found a lot of great queries that can help. But I ran into a few questions that confused me and am hoping to find answers here. Every customer we have has different index names and sourcetypes. For example, if I want to run a query that has index=auditd and sourcetype=fgt_traffic, this query will not work for every Splunk that I want to search into, because I don't know which index has, say, web logs, or which firewall is in which sourcetype. How can I know what the index and sourcetype names are, and if they gave it a name that doesn't match what it does, how can I know what kind of logs are in this sourcetype or index? My other question is: I know that XmlWinEventLog and WinEventLog have logs for events that happened, but what if I want to see logs for Linux? What sourcetype would that be? Thank you all
In my Splunk ES I want to find the below searches:
Count of New Notables created in the last 30 days
Count of Modified Correlation Searches in the last 30 days
Time of Notable Closure
Can someone help by sending the search please? Thanks in advance.
All, I am having issues with all versions of the UF. I installed Splunk_TA_nix 7.0.0 on some Splunk UF 8.0.2.1 and old Splunk UF 6.2.4. It has the following stanza in local/inputs.conf:

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)
disabled = 0

For some reason I have many different sourcetypes:

| tstats count where (source=*cron earliest=-4h) by source sourcetype

source          sourcetype             count
/var/log/cron   cron                   40884
/var/log/cron   cron-2                 41597
/var/log/cron   cron-3                 15487
/var/log/cron   cron-4                 3019
/var/log/cron   cron-5                 681
/var/log/cron   cron-too_small         3192
/var/log/cron   monolith_tool_usage    169
/var/log/cron   sendmail_syslog        1732
/var/log/cron   syslog                 58095

I tried everything to find out how this sourcetype is set; I cannot see anything in our indexer or UF props.conf. All the sources in the same stanza have the same issue, but cron is so far the worst. Any help will be very much appreciated, Gerson Garcia
Hello Siegfried Puchbauer, Hope you are doing well. I am writing this message to let you know that we have been using the app "Slack Notification Alert" (https://splunkbase.splunk.com/app/2878/) on our Splunk Enterprise to page out our operations team members and notify our customers whenever something goes wrong in our servers or platform. However, we recently upgraded our Splunk Enterprise platform from 7.3.3 to 8.0.1 and we are no longer getting paged out on Slack, and it looks like this alert action is no longer supported for 8.0.1. We did reach out to Splunk Support and understood that this was a developer app, and that is the reason why we are reaching out to you. Kindly help to provide us a solution or an alternative as to what we could utilize as a workaround for this application or alert action add-on. Look forward to hearing from you. Thanks and regards, Vishwa
I have Docker running with the image "mlkt-container-tf-cpu" in the Deep Learning Toolkit. I also have access to the Jupyter notebook in the toolkit, but when I want to run a use case, for instance "neural network classifier", I get an error which is: "Error in fit command. Error while initializing algorithm 'MLTKContainer': local variable 'url' referenced before assigned"
Unable to initialize modular input "whois" defined in the app "SA-NetworkProtection": Introspecting scheme=whois: script running failed (exited with code 1)

Also, while opening the Content Management window I am getting "Could not load analytical stories". Kindly suggest!!
I'm struggling to find a working solution to show cumulative active VPN sessions on a timechart with 20m data points. Using transaction and timechart doesn't really work, as it only shows a count based on when the sessions connected and doesn't show persistence across subsequent time points. Looking at the following examples:

User 1's connection and disconnect
Mar 18 09:09:30 host Mar 18 2020 09:09:30 host : %ASA-4-xxx: Group <xxx> User <User1> IP <123.123.123.123> IPv4 Address <123.123.123.123> IPv6 address <::> assigned to session
Mar 18 09:26:33 host Mar 18 2020 09:26:33 host : %ASA-4-xxx: Group = xxx, Username = User1, IP = 123.123.123.123, Session disconnected. Session Type: SSL. Duration: 17m:3s, Bytes xmt: 6403456, Bytes rcv: 1776534, Reason: User requested

User 2's connection and disconnect
Mar 18 09:09:30 host Mar 18 2020 09:09:30 host : %ASA-4-xxx: Group <xxx> User <User2> IP <123.123.123.123> IPv4 Address <123.123.123.123> IPv6 address <::> assigned to session
Mar 18 09:10:33 host Mar 18 2020 09:10:33 host : %ASA-4-xxx: Group = xxx, Username = User2, IP = 123.123.123.123, Session disconnected. Session Type: SSL. Duration: 1m:3s, Bytes xmt: 6403456, Bytes rcv: 1776534, Reason: User requested

I'd expect my chart to show:
08:40 - 0
09:00 - 2
09:20 - 1
09:40 - 0

Does anyone have a solution for this please?
Hi all, I'm trying to create a view like "geo_us_states" for Germany. So far I was able to add/create the required "geospatial lookup":

| inputlookup geo_us_states
| inputlookup geo_germany

What I currently don't understand: within the geom command I can specify the following:

| geom geo_us_states featureIdField="state"

I checked the KML file and I couldn't detect an XML tag explaining what "state" is. Where does Splunk store/retrieve this information? Does anyone know how I can apply it for my "Germany" purpose? Thank you in advance for any hints.
Hello, I am using the new Dashboard Studio feature. Can you tell me how to export an existing dashboard? Thanks in advance, Olivier
Is it possible to create multiple KPI alerting per entity? Currently Multi KPI works only with an aggregate service.
There are multiple programs running every day and I want to visualise the volume and duration of each program by day. The data looks like this:

_time, programtype, volume, daily
20/01/2020,program1,8000,5444
20/01/2020,program2,8000,1224
21/01/2020,program1,1000,1123
21/01/2020,program2,1000,1122

If I use a timechart (e.g. | timechart span=1d values(volume) sum(duration) by programtype) to display the data, I would get 4 graphs being shown:
VolumeProgram1
VolumeProgram2
DurationProgram1
DurationProgram2

What I want to show is 3 graphs, with the volume being generic. *All programs will always have the same volume on the day. How would the query look if I want to show:
Volume
DurationProgram1
DurationProgram2

Is there a way to merge the data? Thanks
I am trying to create a field extraction for events from the source WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational. I am able to save it, but when I go to set permissions on it (or edit/move it), I get the following in Splunk Web:

Splunk could not perform action for resource data/props/extractions (404, u'Splunk cannot find "data/props/extractions/source::WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG". [HTTP 404] https://127.0.0.1:8089/servicesNS//search/data/props/extractions/source%253A%253AWinEventLog%253AMicrosoft-Windows-TerminalServices-Gateway%252FOperational%20%3A%20EXTRACT-TestRDG?safe_encoding=1; [{\'type\': \'ERROR\', \'text\': \'Could not find object id=source%3A%3AWinEventLog%3AMicrosoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG\', \'code\': None}]')

I am able to delete it, though. It looks like the forward slash in the source is the problem. Has anyone encountered this before or know of a workaround for it?
Hi, I have a lookup file with millions of records; there are user names in lower or upper case. I need to match the user name irrespective of case. I have added a lookup definition (with the case sensitive check box unticked). I can see in transforms.conf that match_case_sensitive=0, but the search is still running case sensitive. I am using Splunk 8.0. Any suggestions?
I have a Time selector. Each time it's clicked, a certain set of tokens must always recalculate, including one which determines the span of time between earliest and latest. I have 2 panels. Only 1 panel must be shown at a time, depending on how long the span is between earliest and latest: within 1 day, show the "comparison" panel; longer than 1 day, show the "single" panel. The XML below always sets both tokens, "showPanelSingle" and "showPanelComparison", but I can only have 1 set at a time.

<input type="time" token="time" searchWhenChanged="false">
  <label>Time Frame</label>
  <default>
    <earliest>-1d@d</earliest>
    <latest>@d</latest>
  </default>
  <change>
    <eval token="time.earliest_epoch">if(isnum('earliest'),'earliest',relative_time(now(),'earliest'))</eval>
    <eval token="time.latest_epoch">if(isnum('latest'),'latest',relative_time(now(),'latest'))</eval>
    <eval token="time_difference">$time.latest_epoch$-$time.earliest_epoch$</eval>
    <eval token="form.span">if($time_difference$&gt;2592000,"1d",if($time_difference$&gt;86400,"1h","1m"))</eval>
    <eval token="showPanel">if($time_difference$&gt;86400,"Comparison","Single")</eval>
    <eval token="showPanelSingle">if($showPanel$="Single","true","")</eval>
    <eval token="showPanelComparison">if($showPanel$="Comparison","true","")</eval>
  </change>
</input>

The XML below never sets either token, even after selecting the Time.

<form theme="dark">
  <label></label>
  <init>
    <condition match="$showPanel$, &quot;Single&quot;">
      <eval token="showPanelSingle">true</eval>
    </condition>
    <condition match="$showPanel$, &quot;Comparison&quot;">
      <eval token="showPanelComparison">true</eval>
    </condition>
  </init>

Note, the Time calculations must always run, so I can't add them to a condition, but I need a condition on the rest, and Splunk doesn't allow this hybrid approach, nor is it allowed to qualify multiple condition tags. How can I accomplish having 1 and only 1 of them set (and the correct one) upon clicking "Submit" in the input filters?
Hi All, I want to build a Splunk query which will give us the host details, last_time_stamp, and number_of_days_aged for hosts not reporting to Splunk. The condition is that if the number of current-day hosts not reporting is greater than 50 when compared with the current week's number of hosts not reporting, then it should alert us with the details.
Will the Slideshow app work on a search head cluster? I have not tried to put it on my SHC yet, so I wanted to check before going down that path. Thanks.
Hello, There are a few ways to suppress data in Splunk, like the | delete command from the search menu or splunk clean eventdata from the shell. I am wondering whether there is a simple way to generate an alert when someone suppresses data from Splunk. Thanks for the help.
I want to create a triggered alert for when an inactive user suddenly becomes active. Ideally, it would be used for a multitude of applications (i.e., AD or Microsoft 365). I've searched around and couldn't find anything pertinent to this. If anyone has anything like this set up already, please feel free to chime in! My first guess would be to create a lookup to get things started? Any sort of guidance would be greatly appreciated!
Hi Team, I am trying to create a timechart addtotals value. But when I use the query, I am getting Total, others and a few more lines. Please let me know how to suppress/hide all lines other than the addtotals (Total) value.

index=int_gcg_apac_pcf_application_dm_169688 OR index=int_gcg_apac_pcf_foundation_dm_169688 cf_org_name=* cf_space_name=* cf_app_name=* instance_index=*
| bucket _time span=1m
| dedup _time cf_org_name cf_space_name cf_app_name instance_index
| fields _time cf_org_name cf_space_name cf_app_name instance_index
| timechart span=1m count(instance_index) by cf_app_name
| addtotals

Regards, Tom
Hi, I am trying to use the ThreatHunting app (https://splunkbase.splunk.com/app/4305/). But I never see anything. I've adjusted the macros for our Windows logs. I've created the threathunting index as the docs suggest, but nothing ever ends up in that index. My searches did not reveal anything. thx afx