Hi, I am currently trying to read a log file of size 10Gb. I have changed thruput to 0 but it still takes about 30 min-1 hr for Splunk to finish reading the file. Is there a way to increase the reading speed further for the Splunk UF?
Assuming there are 2 columns - Date & count - and there are duplicate dates. How to dedup on Date and pick the maximum count value?
2020-02-27 1522
2020-02-27 1680
2020-02-28 1639
2020-02-28 1639
2020-02-29 5
2020-02-29 5
Please guide.
We are unable to see data on the AppD dashboard. Controller: [Redacted] Publish Schema: PerformanceDelegatePublish. It was working last week, but we are unable to see data now. What could be the reason? You can reach me through email too. [redacted]
^ Post edited by @Ryan.Paredez to remove controller URL and email. Please do not share Controller URLs or emails on community posts.
All, The default hostname should be fine for my use cases with /var/log/messages brought in with the pretrained sourcetype of linux_messages_syslog. However, there is a host overwrite in the default install of Splunk. Is there a formal way to disable this? This stanza is in /opt/splunk/etc/system/default:
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1
I was just going to create a local transforms.conf that uses a different variable,
[syslog-host]
DEST_KEY = MetaData:Extracted_Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1
but I figure I can't be the first person to run into this, so there is probably a better way to do it.
I have this search, where I am charting usage over the id field (which is on the x-axis) split by two columns - the two values of the Day field.
source=foo resource=foobar earliest=-1d@d latest=now | eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today") | rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)" | chart latest(usage) over id by Day | where Yesterday!=Today | table id Yesterday Today | sort Today
Is there a way to limit the result to a certain number? I tried | sort 5 Today . | sort Today breaks when I add a limit - as if it stops sorting by Today and starts sorting by id . When I use sort 5 Now it results in sorting by id while I actually want to sort by usage in the Today column. Is that possible? Thank you.
Is it possible to restrict indexes to accept data from specific forwarder/subnets in a multi tenant clustered environment? Is this possible with a single indexer cluster or will I need to setup multiple indexer clusters? We have a search head cluster and an indexer cluster and are looking for a method to restrict index access so that customers cannot accidentally send data to the wrong index. I understand there are methods for restricting forwarder to indexer access but not forwarder to index. I also understand that with proper forwarder configurations this shouldn't be an issue but given data sensitivity requirements from my customers we need to see if there is a solution available. Currently on Splunk Enterprise 8.0.0.
tl;dr Looking for a method to prevent index contamination on an indexer cluster supporting a multi tenant Splunk Enterprise clustered environment. Scenario: Multi tenant environment with a search head cluster and an indexer cluster. Search heads are configured to forward to indexes and live behind a load balancer. The index cluster lives behind its own load balancer for direct ingest. We have multiple customers with each sending data to their assigned indexes: customer A is hitting index A and customer B is hitting index B. Customer A pushes data through the SH cluster so they can manage their sourcetype filters. Customer B pushes data directly to the indexer cluster since they don't need to manage special sourcetypes. Maybe I've missed something in the documentation but I have not yet seen a way to restrict forwarder to index access so that customer A and B cannot send data to the other's index. There's documentation for restricting forwarder to indexer access but not specifically for index access. Any thoughts on this?
For an events index, I would do something like this:
|tstats max(_indextime) AS indextime WHERE index=_* OR index=* BY index sourcetype _time | stats avg(eval(indextime - _time)) AS latency BY index sourcetype | fieldformat latency = tostring(latency, "duration") | sort 0 - latency
I know that _indextime must be a field in a metrics index, too, but accessing time fields is complicated as evidenced by the special earliest_time() and latest_time() functions. I have tried everything to access both _time and _indextime in a metrics index (both mstats and mcatalog) and have failed. Is there any way?
You'd be surprised at how many times a user will type their password in the UserID field. This shows up in a Windows EventCode=4625. By itself it wouldn't be an issue since in a single 4625 event you don't know the userID. However, if you correlate that to other events on the same host, you probably can figure out both the username and password. You'd want to keep the usernames in the field if they didn't look like a password. So my question is this: Q: How would one propose to selectively find usernames that look like passwords and then substitute a character string (e.g. "********") at index time?
Trying to install the Microsoft 365 app for Splunk. Unable to find or open the m365_default_index macro to edit. Tried searching and editing in view objects.
I'm using DB Connect 3.2 on Splunk 8.0.1. I have an input that brings in data from a MySQL database. It looks like this:
2020-03-17 10:29:16.000, f1="10", f2="2020-03-17 10:29:16", f3="something", f4="{"really": ["long"], "and": {"deep": "json"}}", f5="casdca", f6="more"
Field f4 contains about 13k of JSON. When viewing the event right now, f1, f2, f3 come out fine. Splunk can't see f4 as containing JSON so it isn't parsed. f5 and f6, which you'd think are parsed right, are not. They appear as being part of the value of the JSON f4 field. What I would like is a way to have f5 and f6 properly parsed as fields and f4 to be expanded fully as its own JSON fields so that I can pull out fields as part of the search. Being a huge bit of JSON, search time extraction is preferred. I've tried setting KV_MODE to JSON and I've tried playing with transforms logic:
[forseti_violations_all_fields]
REGEX = , ([a-zA-Z0-9-_]+)="(.*)"(, |$)
FORMAT = $1::$2
But none of it has worked at all. Any ideas? Thanks!
So pretty much,
- Grabs the list of all vulnerabilities from BigFix and/or Tenable
- Get subnets of the modes we will need to pull vulnerabilities from BigFix
- Have the returned list filter out ones for specific modes, or either have the program use another program that does that task
- After all the lists are sent to their respected Actions we'll have the program run the DNS, whois, and BigFix FISMA ID query tools
After all these tasks are completed we would like for Phantom to create a report of the findings and send them to our distro list. "It would be broken down into individual reports that we can use to add to a Remedy ticket."
Hi all, I am trying to add AppDynamics to my React Native project. But I see errors: "TypeError: null is not an object (evaluating 'InstrumentationConstants_1.instrumentationConstants.BREADCRUMB_VISIBILITY_CRASHES_ONLY')" My react-native version is the latest. Thanks, Susan
Hi All, It is recommended to use the i3.8xlarge instance type, which comes with ephemeral storage, for Splunk indexers if leveraging SmartStore for remote storage (per the Deploying Splunk Enterprise on Amazon Web Services tech note by Splunk). This ephemeral storage, as I understand, will hold the cached storage. What I'm trying to understand is how the good people here have set up their indexer to leverage SmartStore (S3) while also using an ephemeral disk (if at all) for local cache, since the non-cache data (e.g., config files in /opt/splunk) will be lost on a restart or reboot of the server.
- Are folks attaching an EBS volume for the indexer configuration? I feel like an attached EBS volume will undercut the cost saving of going the SmartStore route somewhat.
- Are they leveraging automation to accomplish a rebuild of the server each time it is restarted/rebuilt?
- What does your indexer setup look like while using SmartStore (i.e. server type (e.g. AWS server type), storage volume(s), remote storage type)?
That's the hole in my understanding as of the moment. Any clarification is highly appreciated. Regards, Splunker Next Door.
Hello Splunk Community, I am trying to create a dashboard with the following query but the query returns no results. I am using the query to: extract the batch size and duration (they are in different source types: duration is in sourcetype = "AAA" and batch size is in sourcetype = "BBB"), then extract the batch size = 1 and find the duration for that same request by joining both events using the transaction ID and searching for batch size = 1. But when I add the following line:
| timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" > 10
the query returns nothing.
index=ose_index source="ent-splunk-pyx" (svc=/service/detokenize AND "duration") OR ("Batch Detokenization Operation, batch size:") | rex field=_raw "Batch Detokenization Operation, batch size: (?<Batch_Size>\d+)" | rex field=_raw "txid=(?<ID>[a-z0-9.-]+)" | eval duration = round(duration/1000, 3) | stats max(duration) as Duration values(Batch_Size) as Batch_Size by ID | search Duration=* Batch_Size=1 | timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" > 10
If I remove the last line and use "| stats avg(Duration)" I am getting the avg result, but this is not the way I want it. I must use "| timechart span=5m eval(round(avg(duration),0)) as AVG_Response_Time(ms) | search "AVG_Response_Time(ms)" > 10" because it is a part of a template that the company is using and I can't change this part.
I am doing a fresh install of the Slack notification add-on to our on-prem enterprise Splunk. It requires Slack Webhook Alert. Are there substantial differences between Slack Webhook Alert and Slack Webhook Alert v3? Should I simply install v3 because it is newer and I am not doing an update/install? tia, ray
We are using Splunk Enterprise in our organization. Is it possible to view the alerts created by another user? I went to Reports and Dashboards -> Alerts, clicked on All, and searched for the other user's name in the search box, but no results come up. Thanks for reading.
Currently we are running Splunk 7.1.8 and want to upgrade to 8.0 and have the following questions: 1) Do we need to upgrade Python on all Splunk instances to 3.0? If it needs to be upgraded, what is the location of it? 2) Do we need to install Java as well? Thanks in advance.
Hello, I have a structured data source that puts out data in a table with headers and a footer row with a total. I got all the extractions working BUT there is a field called path that may contain spaces:
directory DEFAULT /abc/path/fileservers/xxxd19/acb123 Cost Estimate No 10.00G - 9.00G 292.14M
directory DEFAULT /abc/path/fileservers/xxxd19/A12 No 120.00G - 113.00G 50.549G
The second path works great and extracts properly. The first, however, truncates "Cost Estimate" because of the space, then throws off the rest of the fields. The props look like this:
[storage:data]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK =
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
FIELD_DELIMITER = whitespace
HEADER_FIELD_LINE_NUMBER = 1
SEDCMD-removeDash = s/---------------------------------------------------------------------------------------------------------//g
SEDCMD-removeDash2 = s/^\-.*$//g
Any ideas on how to make the field include the portion of the path that includes spaces? Thanks in advance for the help!
Hi everyone, I have the following event format:
_time logindate logoutdate userid
2019-07-25 09:41:21 25/07/2019 09:41:21 25/07/2019 13:47:52 USER1
2019-07-25 09:41:02 25/07/2019 09:41:02 25/07/2019 11:43:17 USER2
2019-07-25 09:39:56 25/07/2019 09:39:56 25/07/2019 13:01:17 USER4
2019-07-25 09:39:45 25/07/2019 09:39:45 25/07/2019 11:39:58 USER3
2019-07-25 09:39:15 25/07/2019 09:39:15 25/07/2019 10:32:34 USER2
2019-07-25 09:38:04 25/07/2019 09:38:04 25/07/2019 11:39:07 USER1
logindate and _time have the same value, because Splunk considered the logindate field as the event _time automatically. What I need to accomplish is to count distinctly the number of users that were logged in at the same time. I have studied the concurrency command, but I don't think it solves my problem since I need to count distinct users. I was able to solve this in SQL (where these values are actually stored) by creating an auxiliary table with just timestamps ranging from the earliest logindate to the latest logoutdate, incremented by the hour, and then inner joining that table to the data table whenever the timestamp from the dummy table was between logindate and logoutdate. Could I accomplish something similar or better in Splunk?