Hi Splunkers, we have a requirement to monitor WinEventLogs with SourceName MSSQL, which will be sent to different sets of indexers (IDX). For the global IDX, the WinEventLog inputs will be SourceName MSSQL only. For abc-region, the WinEventLog inputs will be SourceName MSSQL and ComputerName ending in the "abc.com" domain (e.g. XXXXX.abc.com, YYYY.abc.com). With this, are the configurations below correct? Looking forward to your insights.

########################################## inputs.conf #####################################
[WinEventLog://Application]
index=mssql_idx
whitelist= SourceName=%MSSQL%
sourcetype=mssql:app
disabled=false
_TCP_ROUTING=idx-all-global
crcSalt=<SOURCE>

[WinEventLog://Application]
index=mssql_idx
whitelist= SourceName=%MSSQL% ComputerName=%abc.com%
sourcetype=mssql:app
disabled=false
_TCP_ROUTING=idx-abc-region
crcSalt=<SOURCE>

########################################## outputs.conf ##########################################
[indexAndForward]
index=false

[tcpout]
defaultGroup= idx-all-global, idx-abc-region

[tcpout:idx-all-global]
server=global-idx1:9997, global-idx2:9997

[tcpout:idx-abc-region]
server= abc-region-idx1:9997, abc-region-idx2:9997
How do I convert a CSV lookup to a DBX lookup? The lookup using the CSV worked just fine. The CSV was moved to the database, and when I converted the lookup to dbxlookup, it didn't work. Please suggest. Thanks.

The following is only an example of the concept I am trying to achieve; it is not real data. I don't know how to simulate index vs dbxquery on test data.

index=vuln_index | lookup host_ip.csv ip_address as ip OUTPUTNEW ip_address, hostname, os_type

| dbxlookup connection="test" query="select * from host_ip" ip_address as ip OUTPUTNEW ip_address, hostname, os_type

Data CSV => DBX
ip_address   hostname  ostype
192.168.1.1  host1     ostype1
192.168.1.2  host2     ostype2
192.168.1.3  host3     ostype3
192.168.1.4  host4     ostype4

index=vuln_index
ip           vuln
192.168.1.1  vulnA
192.168.1.1  vulnB
192.168.1.2  vulnC
192.168.1.2  vulnD

Expected result
ip_address   hostname  ostype   vuln
192.168.1.1  host1     ostype1  vulnA
192.168.1.1  host1     ostype1  vulnB
192.168.1.2  host2     ostype2  vulnC
192.168.1.2  host2     ostype2  vulnD
Hello everyone, I have a question about tags configuration in Eventgen. Basically, the structure is:

[your condition]
yourtag1=enabled
yourtag2=disabled

For example:

[action=created]
change=enabled

So, the question is: if I want to tag an event with more than one condition, how can I do it? I tried the "AND" and "OR" operators, but they do not work. Also, "enabled" assigns the tag to an event; what does "disabled" do? Thank you for reading.
Let's say I have a database that is pulled from an application on a daily basis into Splunk and accessed via DBXquery. Sometimes there are some changes in the data that might be caused by the system migration, including the number of fields, the number of rows, the order of the fields, etc. How do I validate the data before and after the migration to make sure there are no discrepancies? I am thinking of creating a query to display the fields and number of rows and compare them before and after. Please suggest. Thank you so much.
Hi, I wanted to have a bar graph with different colours for a better representation in my dashboard. I have a search like the one below:

type="request" "request.path"="prod" | stats count by account_namespace | sort - count | head 10

I tried adding "<option name="charting.seriesColors">[0x1e93c6, 0xf2b827, 0xd6563c, 0x6a5c9e, 0x31a35f, 0xed8440, 0x3863a0, 0xa2cc3e, 0xcc5068, 0x73427f]</option>", but I still get a single colour in my bar graph. I believe it is because I have only one series in my query, hence the single-colour output. Is there a way for my bar graph to contain multiple colours?
One of my alerts is having an issue with the email link to the results not working. I get a 404 that says "Oops. Page not found!" I'm the admin, so I don't think it's a permissions issue. Other alerts from the same app are working fine. Any ideas?
I think what I am trying to do is relatively easy? I want to query looking back 8 hours, then count the number of events that fall in a specific 4-hour window.

index=anIndex sourcetype=aSourceType aString earliest=-481m latest=-1m
| eval aTime2 = _time
| eval A = if (aTime2 > relative_time(now(),"-241m@m") AND aTime2 < relative_time(now(),"-1m@m"),(A+1),A)
| table A, aTime2

I would also want a count for the next sliding 4-hour window (-300m to -60m); there are a few more, but I am just trying to figure out the first one for now. I was expecting my variable "A" to show how many of my matched events occur within the first 4-hour period, but it's empty? Am I going about this incorrectly by not seeding "A" with a 0 start value? What am I missing?
I had a quick question about the resources on my indexer. I have a dev environment with a forwarder, an indexer, and an SH. On all of the servers, I have an IO wait error. Investigating, I could turn that alert off, or I could look at the actual resources available on the machine. Looking through it, it looks as if I may need more resources. It looks like I only have 2 cores and about 7 GB of RAM.

Minimum specs recommended by Splunk are: an x86 64-bit chip architecture; 12 physical CPU cores, or 24 vCPU at 2 GHz or greater per core; 12 GB RAM.

This is what I have: Would this explain these errors?

System iowait reached red threshold of 3
Maximum per-cpu iowait reached red threshold of 10
Sum of 3 highest per-cpu iowaits reached red threshold of 15

Before I started trying to redo our dev env from the ground up, we were receiving these errors, and they haven't gone away. Thanks for any help.
Hi All, I'm working on a project to create some dashboards that display a lot of information, and one of the questions I'm facing is how to know if Nessus scans are credentialed. I looked at some events, and they indicate the check type: local. Does this mean the scan is credentialed? I also tried to look into the events to see if there is anything that indicates the scan is authenticated. Thanks in advance for any information that may help.
Hello, I hope this message finds you all well. I have recently moved to the role of Splunk admin, and I need to install the Splunk Enterprise package (single instance) for lab purposes. Further, Splunk Enterprise Security and the Splunk SOAR app will be installed on the same server as well. The lab is just for demo and some R&D purposes, and the daily ingestion will be less than 100 MB. I have the license and the Enterprise Security package from my previous lab setup. I need some suggestions on what vCPU, storage and RAM I should proceed with. Thanks in advance.
I would like to extract the Message, Timestamp, and serial fields. Then I would like to plot the values target: Temp(315600), state: Temp(315600), cavity: 178900, each on an individual plot based on the time series. I take it I will have to use a rex command to extract the bolded values from the message field. How would I go about this?

{"bootcount":10,"device_id":"71ff6686fa5347828e3668e59249d0be","environment":"prod_walker",
"event_source":"appliance","event_type":"GENERIC","location":
{"city":"","country":"XXX","latitude":XXX,"longitude":XXX,"state":""},
"log_level":"info","message":"hardware_controller: TestState { target: Temp(315600), state: Temp(315600), cavity: 178900, fuel: None, shutdown: None, errors: test() }",
"model_number":"XXXX","sequence":1411,"serial":"XXXX","software_version":"2.2.2.7641","ticks":158236,"timestamp":1717972790}
Hello, I hope all is well. I need your help to monitor the F5 interface utilization throughput (Performance Monitor). Any ideas? @community #performanceMonitor
Hello, a question. I'd like to ask if it is possible to convert an Elasticsearch machine learning anomaly detector model to a Splunk Machine Learning Toolkit model?
Hi, I am running Splunk 9.0.9 with Splunk Add-on for Sysmon 4.0.1 and Sysmon Security Monitoring App for Splunk 4.0.13. I configured the alerts to be sent by email, and I am receiving many of them (false positives, thank god). At this point I have two issues:

- The field "Body" is always empty. Reviewing the macros included in the app, they seem to be created for the non-XML Sysmon events. I changed the inputs.conf from the TA-Windows-Sysmon add-on without success. The events continue flowing in in XML format.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 0
source = WinEventLog:Microsoft-Windows-Sysmon/Operational

Did anyone face the same issue? How did you solve it?

- I would also like to add an exception list of processes to reduce the number of alerts, whitelisting some well-known Windows executables or tools. Has anyone done that? Could you tell me the approach you took? Thanks a lot. I am checking other alternatives like Cyences https://splunkbase.splunk.com/app/5351. Any opinion?
We are already ingesting Salesforce data via the Salesforce for Splunk Add-on. I have a requirement to monitor when an admin permission set has been assigned to a user and what changes that user makes. Has anyone fulfilled a similar requirement? So far I have found the following objects that could provide the information I need to see when a permission set is assigned to a user (https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionsetassignment.htm), but I am not sure how to track what changes that admin user makes. Can you help?
How do I format a returned int into a phone number with hyphens using the eval random function? What I have so far:

| eval PhoneNumber = (random() )
Any details on adding the use of AWS IAM Roles Anywhere with the Splunk Add-on for AWS?
Hi All, I'm working on a project to create some dashboards that display a lot of information, and one of the questions I'm facing is how to know if Nessus scans are credentialed. I looked at some events, and they indicate the check type: local. Does this mean it is credentialed? Thanks in advance for any information that may help.
How do I write a for-loop one-liner in a Splunk SOAR playbook?

for i in code_1__output1:
    # take the key before the colon from each "key:value" entry
    code_1__output5 = i.split(":")[0]
    if code_1__output5 == "ipaddress":
        code_1__output4 = str(code_1__output5)
Hello! I have the following search:

| mstats avg(*) as * WHERE index=indexhere host=hosthere span=1 by host
| timechart span=1m latest(*) as *

What I am trying to do is only show the fields that contain the word "read" somewhere in the field name. Each field name is different and doesn't have "read" in the same place or before/after the same special characters either. I have tried fixing this with different commands but can't seem to find a good solution. Thanks in advance.