All Topics

I want to extract a string 'GUID' from the log right after "customers". This regex expression works in https://regex101.com/ but not in Splunk. My field name is log:

2023-06-19 15:28:01.726 ERROR [communication-service,6e72370er2368b08,6e723709fd368b08] [,,,] 1 --- [container-0-C-1] c.w.r.acc.commservice.sink.ReminderSink : Reminder Message processed, no linked customers aaf60d69-99a9-41f5-a081-032224284066

| rex field=log "(?<cids>).*customers\s(.*)"
Hello, I am trying to change the email address of my Splunk community account. I went to My settings > Personal > Email and set the new email address. I got the verification email and verified the new email address. Now the new email address was displayed under My settings. However, when I logged out and then logged back in, the old email address is shown again. Is this a known issue?
Hi All, We have Splunk Security ENT 6.6.2 (EOL, I know! Our admin guys are working on upgrading).

My problem: We created 2 new user groups, Team A and Team B. We gave Team A total access to data in half the indexes (role restrictions on indexes). We gave Team B total access to data in the other half of the indexes (role restrictions on indexes). The outcome was as expected: Team A can only see data from indexes for their role, and likewise for Team B.

This is where we have a problem. Both teams need to use the Incident Review dashboard, and both teams need to assign notable events to users within their own team as owners. However, they cannot, and the system gives errors. If we take the role restriction off, so both teams can see all data, then they can assign notable events. Our internal Splunk admin says it is a bug in this version and the system needs to be upgraded.

My questions: Has anyone experienced similar? Is there a bug, and if so, is there any reference that can be found on the bug? Are there any workarounds regarding this problem? We have 2 teams that need to use the Incident Review to respond to alerts. However, these teams need to be independent and should not be able to see data within indexes that belong to the other team. Thanks for any advice.
I have a few questions on how Splunk sees and displays the license warning counts. Yes, if you go over your pool size then that equals a warning count. However, in several instances I see some conflicting information, like when I add a new license that is bigger than the previous one: I would think the warning count would reset, but it doesn't. I also have a search that looks at the license_usage.log and shows me how many times I have gone over my size in the last 30 days. This also has different counts than what is shown in the warning count section. The final weird issue I see is when I had a server warning count at 44, but a week later, without any changes, the number decreased to 37. What causes so many different numbers with the Splunk licenses?
Since moving to 9.2.1, my df.sh events are now a single event when searching. I also notice the format is bad when running the script compared to the built-in df. Novice Linux guy here, looking to see if anyone else has come across this. Thanks!

[Screenshots: splunk df, linux df, splunk event]
Hello all, I need to configure SAML/SSO with Splunk but I'm having the following issues:

- I have 3 search heads in a cluster (without a load balancer) => I can create a dedicated SAML config for each search head and disable the replication of the authentication.conf.
- We have many tenants and we have users connecting from the different tenants to Splunk (currently we have multiple LDAP configurations) => I understood that Splunk only accepts one IdProvider with SAML, so users from other tenants will not be able to access Splunk with SSO.
- Ideally, we must have some users connecting with LDAP, but Splunk doesn't allow enabling both LDAP and SAML simultaneously, or it is possible but requires a custom script for that.

Questions:
1. Has anyone worked on a script to enable LDAP and SAML?
2. Any idea about the best config from Azure ID regarding the multi-tenants and the B2B collaboration?
3. Any advice in general on how to better approach this issue?

Best
Let's say we have the following data set:

Fruit_ID  Fruit_1  Fruit_2
1         Apple    NULL
2         Apple    NULL
3         Apple    NULL
4         Orange   NULL
5         Orange   NULL
6         Orange   NULL
7         Apple    Orange
8         Apple    Orange
9         Apple    Orange
10        Apple    Orange

Now I am trying to count the total amount of every fruit; in the above example it should be 7 apples and 7 oranges. The problem is that these fruits are separated in 2 different columns, because a fruit name can be both an apple AND an orange. How do I deal with this when counting the total amount of fruit? Counting one at a time works:

| stats count by Fruit_1

But how do I count both to give a total number, since they are 2 separate columns? I tried combining both columns so it's all in 1 long list of values in 1 column, but I could not get a definitive answer on how to do this. I tried appending results, so first count Fruit_1, then append count Fruit_2, but I did not get the right result of Apple: 7, Orange: 7. It's either 1 or the other. Does anybody have a fix for how to count over multiple fields like this and combine the result together in 1 field?
Hi, I currently have this data and I would like to see if I can extract the date and time and see if it can display the LINE if it's within the last 24 hours.

Example: current time June 19. Result should be:

drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo

---------------------- DATA START below -----------------------
/opt/var.dp2/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo
/opt/var.dp2/cores/crashinfo:
total 0
/var/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:05 crashjobs
/var/cores/crashinfo:
total 0
/var/cores/crashjobs:
total 0
/opt/panlogs/cores/:
total 0
/opt/var.cp/cores/:
total 4.0K
drwxr-xr-x 2 root root 4.0K May 28 06:06 crashjobs
/opt/var.cp/cores/crashjobs:
total 0
/opt/var.dp1/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs
/opt/var.dp1/cores/crashinfo:
total 0
/opt/var.dp1/cores/crashjobs:
total 0
/opt/var.dp0/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs
/opt/var.dp0/cores/crashinfo:
total 0
/opt/var.dp0/cores/crashjobs:
total 0
---------------------- DATA END above -----------------------
Hi all, We are indexing different topics from our Kafka cluster to an index, say index1. But we now have a requirement to retain a subset of those topics for a longer period of time. Is there a way to implement this while we still get all the data into the same index? I can think of the subset of topics that I need longer retention for being searched, filtered out and collected to a new index. But this involves licensing if we want to retain the source/sourcetype and other fields, I believe, which is not practical for us. We want to retain the original source/sourcetype etc. and have the subset of topics that we need longer retention for be copied over to another index, say index2, that has longer retention. We also need the original copy in index1, as we have a lot of dependent searches and alerts that use this index to search for the same data.
Hi, which URLs have to be opened in the firewall for the ES Content Update app? What else may need to be opened in the firewall for the app to work properly?

Regards, Alex
Hi All, I need some help with an SPL query to compare the data from the same host on 2 different dates and give me a status as "found" or "not found". Status = Found if it finds that notepad is still installed on the same path on the same machine, else not found.

So far I have created a KV store lookup to store the data, but I cannot come up with logic to compare the data. I have added sample data below. All help is appreciated.

HostName Exe Version Path ProductName RunDate sourcetype
xxxxx null C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.3996_none_e397b63725671b86\f\notepad.exe null 2024-06-13 07:41:37 feed
xxxxx null C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.3996_none_e397b63725671b86\r\notepad.exe null 2024-06-14 07:41:37 feed
Hi all, I'm trying to count the number of selected items in a Multiselect control. I've tried eval and stats but no luck with either:

| eval selected_total = count($element$)

| stats count($element$) as selected_total

Thanks
I have an integration between Opsgenie and Splunk in order to create Opsgenie alerts whenever some Splunk alerts are created. The thing is, I've been having some issues with one of the dynamic properties available for such integration, the {{results_link}}. This link is such a useful asset since it allows devs to be forwarded to the specific search that raised the alert in Splunk. However, we've been seeing some weird behaviour with these results links. For some reason, they seem to stop working at some point. Here's an example of an alert that was generated in Splunk and hence created an alert in Opsgenie through the integration, which had a field with the {{results_link}} property added. The following screenshots are for the exact same link at different times (yesterday afternoon and this morning), where you can see it was a valid query and then it isn't.

We need help understanding why this link stops working at some point and how we could avoid that behaviour. Thanks
trial
Hi all, working with the "Crypto and Encoding Add-On" from Splunkbase, I can't manage to make it work on my environment.

The "hash" command specifically fails when using the "salt" option, like the following:

| hash algorithm=sha256 salt=test_salt test_field

When removing the salt option, this works just fine, but I really need to add the salt to it for my use case.

The returned error is the following:

ValueError at "/cs/splunk/search/etc/apps/TA-cryptosuite/bin/hash.py", line 122 : Specified salt file "test_salt" does not exist. Please check the spelling of your specified salt name or your configured salts.

I created the entry in the "Key and Salt Management" dashboard, but with no success. I wonder what it could be, since roles and accesses to the app are all open.

Any help here would be really appreciated. Thanks! @hRun
Hello, I installed IronStream Data Monitor on Splunk to receive JSON data created by an IBM i server and transmitted by Python code. I can also send the data in syslog format. I searched but I didn't find documentation on how to set it up on Splunk to receive the data. I would also like to know if there are specific column names for the SIEM to understand the data received. For example, in my JSON file the Remote_IP column is the field that holds the attacker's IP address. Thanks for reading.
Hello Splunkers! I want the below visualization, as per the attached screenshot. I have mentioned the complete SPL also. Please let me know how to achieve it.

index=ABC sourcetype="stalogmessage"
| fields _raw
| spath output=statistical_element "StaLogMessage.StatisticalElement"
| spath output=statistical_subject "StaLogMessage.StatisticalElement.StatisticalSubject"
| fields - _raw
| spath input=statistical_element output=statistical_item "StatisticalItem"
| spath input=statistical_item output=StatisticalId "StatisticalId"
| spath input=statistical_item output=Value "Value"
| spath input=statistical_subject output=SubjectType "SubjectType"
| mvexpand SubjectType
| where SubjectType="ORDER_RECIPE"
| lookup detail_lfl.csv StatisticalID as StatisticalId SubjectType as SubjectType OUTPUTNEW SymbolicName Unit
| mvexpand Unit
| search Unit="%"
| mvexpand SymbolicName
| where SymbolicName="UTILISATION"
| mvexpand Value
| mvexpand StatisticalId
| table StatisticalId Value Unit
Hi, I want to learn the Splunk Enterprise Security from scratch could anyone pls share the links? Thanks.
Using SplunkJS, by clicking a button, the token value is getting set but not passed to the drilldown panel searches. Can you please help on why it's not working?

Steps:
1. Create Splunk JS to enable the token on click of a button.
2. In the dashboard, add an HTML button with the required details (please refer to the code attached).
3. Create a panel and update the search with the token_name.

Observation: The token value is getting set, but I am not sure if the value is passed to the down panels or the panel is not identifying the token value that has been set by clicking on the button.

Source code:

<dashboard script="start_tracking_1.js" version="1.1">
  <label>test_dashboard 3</label>
  <row id="tab_menu">
    <panel>
      <title>$clickedButtonValue$</title>
      <html>
        <button type="button" class="btn button_tab" id="StartTracking" data-value="value1">
          <h2 style="text-align: center;">
            <span style="color: #000000;">
              <strong>Start Tracking</strong>
            </span>
          </h2>
        </button>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Drilldown Panel</title>
        <search>
          <query>index=_internal source="$clickedButtonValue$" | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

Splunk JS:

require([
  'splunkjs/mvc',
  'splunkjs/mvc/simplexml/ready!',
  'jquery'
], function(mvc, ready, $) {
  var defaultTokenModel = mvc.Components.getInstance('default');

  // Add click event listener to button with id 'StartTracking'
  $('#StartTracking').on('click', function() {
    var value = $(this).data('value'); // Correct jQuery method to get data-value
    console.log('Button clicked, data-value: ' + value);
    defaultTokenModel.set('clickedButtonValue', value); // Set token value
  });
});
Hi Team, We have onboarded CSV data into Splunk and each row in the CSV is ingested into the _raw field. I need to bring this back to tabular format and run queries against it. Kindly assist. Note: We are not supposed to add CSV files directly into Splunk via the "Add inputs" option. Regards, Sid