Hi!
We have some searches on a dashboard that run far too long because they include several subsearches and calculate data for the latest 30 days, which causes the daily scheduled PDF of that dashboard to fail with a PDF-sending error instead of being sent by email.
We split the heavy searches into several ones, but from day to day each of them may take a different amount of time to complete.
Is there a way to set up saved searches to run in sequence not only by setting a sparse schedule for them?
My application wants to send data to Splunk via "Monitor files and directories" and, at the same time, via HTTP Event Collector. My application will format the data as required. Can I use the same data source type to send data in different formats via different methods (Monitor files and directories, and HTTP Event Collector)?
We wonder whether the WinEventLog can be applied to the Endpoint data models.
It seems to us that:
Endpoint.Process fits Windows event ID 4688 (A new process has been created) very well.
Endpoint.Service could be populated with Windows event ID 4697 (A new service was installed).
However, "Source types for the Splunk Add-on for Windows" lists, for the CIM data models:
Application State, Authentication, Change Analysis, Performance, Updates and Vulnerabilities, while Application State is listed as deprecated.
I have some questions that I hope someone can help me clarify:
1) In an indexer cluster, can I install apps and add-ons on each indexer separately, without pushing them all using the cluster master?
2) If I use the cluster master, should I untar the apps and add-ons that I put in /master-apps, or is the unpacking step not needed?
3) How do I use the sendtoindexer app if I have an indexer cluster? I mean, what exactly should be written in the text file?
Thanks in advance
Is there a way to gauge user engagement within Splunk? For example, for all users under the "user" role, I would like to try to report on the following: 1) how long they stay on a specific dashboard, 2) login / logoff time, 3) whether they are experiencing any errors.
Help on any of the above would be greatly appreciated.
Is there an environment variable or a setting for default.yml I can set for python.version = python3 so that it is added to server.conf?
docker run -dt --restart=always --name=splunk --hostname=splunk --privileged -p 8000:8000 -p 8001:8001 \
-v /home/user/mysplunkinstallation/default.yml:/tmp/defaults/default.yml \
-e SPLUNK_START_ARGS=--accept-license \
-e SPLUNK_PASSWORD=splunk \
splunk/splunk:8.0.2
I'm new to Splunk and need further guidance to be able to complete my dashboard for Pi-hole.
Could some expert guide me on how?
Queries Blocked
tag=dns tag=network tag=resolution query_type=blocked |stats count
Total Queries
sourcetype="pihole:log*" tag=dns tag=network tag=resolution query |stats count
How do I create a Splunk query to get the percentage from the two results?
Queries Blocked / Total Queries x 100 = ?
I just need the exact value so I can simply copy and paste the right answer from here into my Splunk field.
Your input is highly appreciated.
I have two queries:
1: sourcetype=A error=499
2: sourcetype=A X=*
The 2nd query is almost equal to the total transactions.
I would like to make a timechart of the error count as a percentage of X events.
Basically, I want to make a timechart that will tell whether an increase in the error code is because of a volume increase, etc.
I would appreciate suggestions on what to change, and how, in our IdP environment and/or our Splunk instance's SAML configuration to get around this "Saml response does not contain group information" error:
Screenshot of our internal SSO IdP configuration:
Relevant bits from authentication.conf :
[authentication]
authSettings = saml
authType = SAML
[userToRoleMap_SAML]
doerj001 = admin::::joe.doer@whatever.local
smitr003 = user::::roger.smith@whatever.local
incom017 = user::::margarita.incognito@whatever.local
[roleMap_SAML]
admin = doerj001
user = smitr003;incom017
[saml]
clientCert = /opt/splunk/etc/auth/server.pem
entityId = monitor.splunk.bu.whatever.local
fqdn = https://monitor.splunk.bu.whatever.local
idpCertPath = idpCert.pem
idpSSOUrl = https://idp.myid.whatever.local/idp/SSO.saml2
inboundSignatureAlgorithm = RSA-SHA256
issuerId = https://idp.myid.whatever.local
nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
redirectAfterLogoutToUrl = https://monitor.splunk.bu.whatever.local/en-US/account/login?loginType=splunk
redirectPort = 443
replicateCertificates = false
signAuthnRequest = true
signatureAlgorithm = RSA-SHA256
signedAssertion = false
sloBinding = HTTP-POST
sslPassword = ************
ssoBinding = HTTP-POST
[authenticationResponseAttrMap_SAML]
role = sapid
Excerpt from the SAML response:
<saml:AttributeStatement>
<saml:Attribute Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Roger</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="middlename" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"></saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="preferred_username"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">smitr003</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">roger.smith@whatever.local</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Appreciate specific suggestions on what we need to change and how, to get this working. (Please do not send me to RTFM - been doing this for the past week and my head hurts - unless the pages you're sending me to contain those specific suggestions.)
Thanks!
Search --
|source1 | stats count(source1.field1) by (source1.field2) | sort 0 source1.field2
Search Output
source1.field2 | count
dev | 6
prod | 5
uat | 7
qa | 8
How can we add the count values of 'prod' and 'uat' and also display the field value as below? Is this doable?
source1.field2 | count
dev | 6
prod + uat | 12
qa | 8
search query 1 | stats count by source1.field1 | where blah ==blah | rename field1 as "Y-098"
Y-098 || Count
1.Instagram -- 56
2.twitter -- 78
search query 2 | stats count by source2.field2 | where blah ==blah | rename field2 as "Vr-234"
Vr-234 || Count
1.Instagram_active_user -- 34
2.twitter_active_user --21
How can I combine the above 2 searches to be displayed in one output, as shown below, to be used in an overlay chart? Also, is there any way to rename the "Count" field?
Field-Name-1 | Count | Field-Name-2 | Count
Instagram | 56 | Instagram_active_user | 34
twitter | 78 | twitter_active_user | 21
I'd like to know if there's a way to get alerted if a dashboard is not performing as expected for a user. How do I query for a list of all reports that are throwing errors in a dashboard? Is that possible?
Splunk n00b here with a question.
I have a query I would like to display on a bar graph dashboard visual. Here is the query:
index=wsi_tax_summary sourcetype=stash partnerId=* error_msg_service=* ein=* ein!="" tax_year=2019 capability=109*
| eval error_msg_service = case(match(error_msg_service, "OK"), "Success", 1==1, "Fail")
| stats dc(intuit_tid) as Total by partnerId error_msg_service
| chart limit=0 useother=f sum(Total) as Total by partnerId error_msg_service
| eval total_request = Fail + Success
| eval "Success Rate" = round(((Success/total_request)*100),2)
| fieldformat "Success Rate"=tostring('Success Rate')+"%"
| sort "Success Rate"
| fields partnerId "Success Rate"
Since I'm aiming for a bar graph, the values on the Y axis should be partnerId and the X axis should be a value called "Success Rate", which I created with several eval statements. When I click into "visual", nothing is produced. It looks like I can only do it with a chart or timechart function.
Does anyone know how I can achieve this?
Hi, I have a critical issue. When I run $SPLUNK_HOME/bin/splunk apply shcluster-bundle it runs successfully, but when I open the search head members no apps are installed! Is there any additional command that must be run for the bundle to take effect and for the apps to appear on the search heads? Or is there something wrong that I did?
Hi Splunkers,
My Enterprise Security Threat Artifacts dashboard doesn't work.
It's stuck at "search waiting for input".
I didn't change any configuration.
Also, the threat_artifacts view file is 100% correct; I checked it in the free Splunk Enterprise Security service in the cloud.
All of the dashboards show on the same page; that's another problem.
How do I fix this? Or how can I find the problem?
Data example:
<Asset href="/company/rest-1.v1/Data/Story/2530981/6709286" id="Story:2530981:6709286"><Attribute name="Status.Name">Ready</Attribute><Attribute name="Number">B-107445</Attribute><Attribute name="Name">Upgrade Splunk Windows TA</Attribute><Attribute name="ChangeDate">2020-01-29T13:49:44.337</Attribute><Attribute name="CreateDate">2019-03-12T12:49:22.703</Attribute><Attribute name="Owners.Name"><Value>owner one</Value><Value>owner two</Value></Attribute></Asset>
&
<Asset href="/company/rest-1.v1/Data/Story/3644941/6720976" id="Story:3644941:6720976"><Attribute name="Status.Name">Ready</Attribute><Attribute name="Number">B-143465</Attribute><Attribute name="Name">Review/Upgrade Splunk_TA_Nix to v7</Attribute><Attribute name="ChangeDate">2020-01-30T12:54:07.103</Attribute><Attribute name="CreateDate">2020-01-15T10:40:49.307</Attribute><Attribute name="Owners.Name"><Value>owner one</Value></Attribute></Asset>
I've finally gotten my XML to separate into events, but I'm being thrown by trying to get the fields to work. I'd like to have
Status.Name = Ready
Number = B-143465
ChangeDate = 2020-01-30T12:54:07.103
and so on
I created this regex using the field extractor and regex101:
^(?:[^>\n]*>){2}(?P<Status_Name>\w+\s+\w+|\w+)(?:[^>\n]*>){2}(?P<Number>\w+\-\d+)[^ \n]* \w+="\w+">(?P<Name>[^<]+)[^ \n]* \w+="\w+">(?P<ChangeDate>[^<]+)(?:[^"\n]*"){2}>(?<CreateDate>[^<]+)(?:[^"\n]*"){2}><\w+>(?P<Owners_Name>\w+\s+\w+)
which gets me most of the way there, but it won't work for the multiple owner values.
Can someone suggest a fix here? Also, if you could suggest some help with implementing the regex in a transforms stanza, I'd appreciate it. I think I can call it using
PROPS
...
REPORT-V1 = v1_fields
TRANSFORMS
[v1_fields]
REGEX = ^(?:[^>\n]*>){2}(?P<Status_Name>\w+\s+\w+|\w+)(?:[^>\n]*>){2}(?P<Number>\w+\-\d+)[^ \n]* \w+="\w+">(?P<Name>[^<]+)[^ \n]* \w+="\w+">(?P<ChangeDate>[^<]+)(?:[^"\n]*"){2}>(?<CreateDate>[^<]+)(?:[^"\n]*"){2}><\w+>(?P<Owners_Name>\w+\s+\w+)
But I don't know if I need to add a FORMAT = $1::$2 line (nor do I know what that line does ... )
Any help you can provide here would be great.
I've also tried KV_MODE=xml on the search head, but that doesn't give me the field names I want, just values for
Asset.Attribute
Asset.Attribute.Value
etc
Thanks
I'm having to search across two indexes and am looking for a particular string of text, called "sampletext".
Example:
index=sso sourcetype="ping*" "my sampletext here"
Now, I would also like to search sourcetype=ActiveDirectory for two of its fields, as I would like to include Active Directory's department and description fields in my query:
Example:
index=msad sourcetype=ActiveDirectory department=* description=*
The problem is it's not pulling the Active Directory fields because I am searching for a particular string of text "sampletext" and it's only pulling back the fields under the sso index.
How do I pull the event data that contains the string text under index=sso AND pull the Active Directory fields, department and description under those events too? Is this possible?
Any help is greatly appreciated!
After I run my query, I am unable to see the logs it pulls under Events. I can't see them using the Raw, List or Table options. I used to be able to see them but can't now. I'm experiencing this in both Chrome and MSIE browsers. Does anyone know what is going on?