Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello, can the Windows log path below be ingested into Splunk, and is it available in any add-ons? Microsoft\Windows\Privacy-Auditing\Operational EventLog. Thanks
Team, I have 3 logs. I need to fetch Transaction_id, Event and Total_Count from LOG1. After that I need to join the 3 logs to get Successful and Failures. A successful transaction will have only LOG2. Failure transactions will have both LOG2 and LOG3. Finally I need the data in a timechart (span=1h): _time Event Total_Count Successful Error

LOG1 = 024-05-29 12:35:49.288 [INFO ] [Transaction_id] : servicename : access : Event : process : Payload:
LOG2 = 2024-05-29 12:11:09.226 [INFO ] [Transaction_id] : application_name : report : servicename (Async) : DB save for SubscribersSettingsAudit record completed in responseTime=2 ms
LOG3 = 2024-05-24 11:25:36.307 [ERROR] [Transaction_id] : application_name : regular : servicename (Async) : Couldn't save the SubscribersSettings record in DB
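The correlation the post describes, as an added example that is not part of the original post or of Splunk: three constructed log lines per format are parsed, grouped by the bracketed transaction id, classified (LOG3 present = Error, LOG2 without LOG3 = Successful), and counted per hour and Event. The sample lines, the service names and the event names after "Event :" are assumptions; the hour bucket and Event come from the LOG1 line of each transaction, which is what `stats ... by Transaction_id` followed by `timechart span=1h` would also need.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events modelled on the three formats in the post (not real data).
# Transaction ids, service names and event names are assumptions for the example.
SAMPLE_LOGS = """\
2024-05-29 12:35:49.288 [INFO ] [tx-001] : subscriber-svc : access : Event : UpdateSettings : Payload: {"id":1}
2024-05-29 12:36:02.101 [INFO ] [tx-001] : subscriber-app : report : subscriber-svc (Async) : DB save for SubscribersSettingsAudit record completed in responseTime=2 ms
2024-05-29 12:40:11.500 [INFO ] [tx-002] : subscriber-svc : access : Event : UpdateSettings : Payload: {"id":2}
2024-05-29 12:40:12.010 [INFO ] [tx-002] : subscriber-app : report : subscriber-svc (Async) : DB save for SubscribersSettingsAudit record completed in responseTime=3 ms
2024-05-29 12:40:12.420 [ERROR] [tx-002] : subscriber-app : regular : subscriber-svc (Async) : Couldn't save the SubscribersSettings record in DB
2024-05-29 13:05:00.000 [INFO ] [tx-003] : subscriber-svc : access : Event : DeleteSettings : Payload: {"id":3}
2024-05-29 13:07:30.777 [INFO ] [tx-004] : subscriber-svc : access : Event : UpdateSettings : Payload: {"id":4}
2024-05-29 13:07:31.000 [INFO ] [tx-004] : subscriber-app : report : subscriber-svc (Async) : DB save for SubscribersSettingsAudit record completed in responseTime=1 ms
"""

# Common prefix of all three formats: timestamp, [LEVEL], [Transaction_id], then the rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) "
    r"\[(?P<level>\w+)\s*\] \[(?P<txid>[^\]]+)\] : (?P<rest>.*)$"
)
# LOG1 carries the event name between "Event :" and the next " :" (assumed layout).
EVENT_RE = re.compile(r"Event : (?P<event>\S+) :")


def parse_line(line):
    """Classify one line as LOG1/LOG2/LOG3 and pull out the join key."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    rec = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "txid": m["txid"],
        "event": None,
    }
    if m["level"] == "ERROR" and "Couldn't save" in rest:
        rec["kind"] = "LOG3"
    elif "DB save for" in rest and "completed" in rest:
        rec["kind"] = "LOG2"
    else:
        e = EVENT_RE.search(rest)
        if not e:
            return None  # some other INFO line, not one of the three formats
        rec["kind"] = "LOG1"
        rec["event"] = e["event"]
    return rec


def correlate(text):
    """Join the three logs on Transaction_id and count per hour and Event."""
    tx = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        state = tx.setdefault(rec["txid"], {"hour": None, "event": None, "log2": False, "log3": False})
        if rec["kind"] == "LOG1":
            state["hour"] = rec["ts"].replace(minute=0, second=0, microsecond=0)
            state["event"] = rec["event"]
        elif rec["kind"] == "LOG2":
            state["log2"] = True
        else:
            state["log3"] = True

    table = defaultdict(lambda: {"Total_Count": 0, "Successful": 0, "Error": 0})
    for state in tx.values():
        if state["hour"] is None:
            continue  # LOG2/LOG3 without a LOG1: no hour or Event to attribute it to
        row = table[(state["hour"], state["event"])]
        row["Total_Count"] += 1
        if state["log3"]:
            row["Error"] += 1       # failure: LOG3 present (LOG2 too, per the post)
        elif state["log2"]:
            row["Successful"] += 1  # success: LOG2 only
    return [
        {"_time": hour.strftime("%Y-%m-%d %H:%M"), "Event": event, **counts}
        for (hour, event), counts in sorted(table.items())
    ]


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOGS):
        print(row)
```

Transactions that have a LOG1 but neither LOG2 nor LOG3 count toward Total_Count only, which is the in-flight case a single-pass join would otherwise silently drop.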
Hi, I was wondering how to correlate data using different sources. For example: Source A contains User ID = 123. Source B contains User ID = 123, User email = user@user. I want to find the user related to User ID 123 (which comes up after my search). I want to do this by getting the user email from Source B. My search runs in Source A since there are some fields I need from there.
I'm very new to this and found we do not have any alerts set up for basic things like disk space on drives etc. I've done some basic courses but I don't know what to put after Host= to capture all drives on both Windows and Unix. Other alerts I need:
Application crashes.
System or service failures.
Windows Update errors.
Windows Firewall.
Clearing event logs.
Software and service installation.
Account usage.
Kernel driver signing.
Hey there, I'm new to Splunk Enterprise and have this crazy graphics mash-up when I hit Browse in the Install App From File dialog. Really annoying. Has this happened to others, and is there a quick fix? Cheers, Andy
Hi! I have recently moved from a Splunk developer role to an admin role. I have to build a clustered environment from scratch on-prem. I have a basic understanding of a clustered environment but haven't set one up yet. Could you please guide me on how to start? For example, what kind of knowledge or information gathering I need to do with the client or customer beforehand, and whether there is a procedure or order of components to follow. It will be really helpful for me. Thanks in advance
https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Listcorrelationsearches Hi, I'm using the searches mentioned in the documentation. There is a field named triggered_alert_count which gives me what I want, but it returns the same number of alerts across all time ranges.

| rest splunk_server=local count=0 /services/saved/searches
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain, triggered_alert_count as number_of_alerts
| search app="SplunkEnterpriseSecuritySuite"
| table number_of_alerts, csearch_label, app, security_domain, description

Ideally I would like to see the total number of alerts as far back as Splunk remembers. Thanks.
Hi, it seems the link below is no longer working: https://splunk-sizing.appspot.com/ Does Splunk have an online sizing tool that we can use for capacity planning estimates?
Hi Splunk experts, I have made a dashboard in Dashboard Studio that shows my app's service status, and I want to display a color based on the value as shown below. This was achieved in Classic dashboards by editing the source and appending the format below.

</format>
<format type="color" field="Requester">
  <colorPalette type="expression">case (match(value,"DOWN"), "#E34234",match(value,"NA"), "#F8BE34",match(value,"UP"),"#4F7942")</colorPalette>
</format>
<format type="color" field="Stripping">
  <colorPalette type="expression">case (match(value,"DOWN"), "#E34234",match(value,"NA"), "#F8BE34",match(value,"UP"),"#4F7942")</colorPalette>
</format>

Can the same be achieved in Dashboard Studio as well? If so, how can it be done? Can you please help me out on this? TIA
Hello, is there a way to use the REST API to search for containers that contain the word "computer" or the word "process" in the container name? I only manage to filter with "contains" or with "in", but I failed to use both.
Hello everyone, I have a question. Is it possible to use OpenTelemetry to send traces and metrics from a JavaScript application (not containerized) to my Splunk Enterprise? If so, what are the steps? Is there any documentation or tutorial to try? Thanks!
Hi, I'm not able to download agents (App agent, Machine agent, Database agent) from https://accounts.appdynamics.com/downloads. No listing shows up after selecting the options from the dropdown. Thank you
I have a scheduled job that runs every month, storing a monthly report and sending an email with the search results. This setup works well, but I've encountered a problem: the search results expire after 24 hours. It shows me that the search has probably expired or been deleted. How can I set this to 7 days to prevent it from expiring?
Hello, how do I restrict write access to my dashboard for any users outside my team's application? For example: I am "User1" and I created the "Test" dashboard in "App1". App1 is my team's application. I want to restrict write access (but allow read access) to the "Test" dashboard for any users outside "App1". I want to allow ONLY my team within "App1" to have read and write access to the "Test" dashboard. If I set the following setting (see below), users from outside App1 can go inside App1 and edit the dashboard. Please suggest. Thank you!!
Hello, I have a summary index that has been fed data for the past 6 months. There is a new field, and I tried to add the new field to both past data and future data in the summary index. Is it possible to add a new field to past data in a summary index? If it's not possible, how can I move the summary index to another summary index with the updated fields? Thank you. Below is an example.

index=summary report="test_1"
_time       Order      Customer
05/01/2024  Pizza      Customer1
05/01/2024  Hamburger  Customer2
05/02/2024  Spaghetti  Customer3
05/02/2024  Pizza      Customer4
05/03/2024  Noodle     Customer1
05/03/2024  Rice       Customer2

index=summary report="test_2"
_time       Order      Customer   Phone
05/01/2024  Pizza      Customer1  1111
05/01/2024  Hamburger  Customer2  2222
05/02/2024  Spaghetti  Customer3  3333
05/02/2024  Pizza      Customer4  4444
05/03/2024  Noodle     Customer1  1111
05/03/2024  Rice       Customer2  2222
Hi, is it possible, using props.conf and transforms.conf, to route some data in an index based on the source field? Let's say index1 contains a lot of sources, and some of those sources contain certain words in the path, for example (source="*dev-ksm*" OR source="*int-ksm*" OR source="*qa-ksm*" OR source="*amq-*-ksm*"). For this scenario I'd like to route events whose source matches the above to index2. I was thinking of something like this:

props.conf
[index::current_index]
TRANSFORMS-routing=filter-to-new_index

transforms.conf
[filter-to-new_index]
DEST_KEY = _MetaData:Index
SOURCE_KEY = MetaData:Source
REGEX = (?i)(.*dev-ksm.*|.*int-ksm.*|.*qa-ksm.*|.*amq-.*-ksm.*)
FORMAT = new_index

It does not seem to be working currently, hence the question of whether it is possible to do something like this. Thanks in advance.
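A small model of how the parsing pipeline applies an index-routing transform, as an added example that is neither the poster's configuration nor Splunk's code. Two caveats a practitioner would want first: props.conf stanzas select by sourcetype, `source::<pattern>` or `host::<pattern>`, there is no `index::` stanza form, so the `[index::current_index]` stanza in the post never fires; and TRANSFORMS are applied where parsing happens (indexer or heavy forwarder), not on a universal forwarder, and the target index must already exist. The code below assumes a sourcetype named `app_log` as the props.conf stanza and reuses the REGEX, SOURCE_KEY, DEST_KEY and FORMAT from the post; the event metadata is constructed.

```python
import re

# props.conf as modelled here: stanza [app_log] with TRANSFORMS-routing = filter-to-new_index.
# The sourcetype name "app_log" is an assumption; a source::... or host::... stanza
# would work the same way, an index::... stanza would not match anything.
PROPS = {"app_log": ["filter-to-new_index"]}

# transforms.conf stanza copied from the post. REGEX is tested against SOURCE_KEY;
# on a match DEST_KEY is rewritten to FORMAT, which is what moves the event to
# another index at parse time.
TRANSFORMS = {
    "filter-to-new_index": {
        "SOURCE_KEY": "MetaData:Source",
        "REGEX": r"(?i)(.*dev-ksm.*|.*int-ksm.*|.*qa-ksm.*|.*amq-.*-ksm.*)",
        "DEST_KEY": "_MetaData:Index",
        "FORMAT": "new_index",
    }
}


def apply_transform(event, spec):
    """Return a copy of the event with DEST_KEY set to FORMAT when REGEX matches SOURCE_KEY."""
    out = dict(event)
    value = event.get(spec["SOURCE_KEY"], "")
    # A transforms.conf REGEX is unanchored, so re.search is the right analogue;
    # the leading/trailing .* in the post's pattern are therefore redundant.
    if re.search(spec["REGEX"], value):
        out[spec["DEST_KEY"]] = spec["FORMAT"]
    return out


def route(event):
    """Apply, in order, every transform the props stanza for this event's sourcetype names."""
    for name in PROPS.get(event["MetaData:Sourcetype"], []):
        event = apply_transform(event, TRANSFORMS[name])
    return event


# Constructed events as the parsing pipeline sees them (metadata keys only, raw text omitted).
SAMPLE_EVENTS = [
    {"MetaData:Sourcetype": "app_log",   "MetaData:Source": "/var/log/apps/dev-ksm/app.log",        "_MetaData:Index": "index1"},
    {"MetaData:Sourcetype": "app_log",   "MetaData:Source": "/var/log/apps/AMQ-broker-KSM/app.log", "_MetaData:Index": "index1"},
    {"MetaData:Sourcetype": "app_log",   "MetaData:Source": "/var/log/apps/prod-ksm/app.log",       "_MetaData:Index": "index1"},
    {"MetaData:Sourcetype": "other_log", "MetaData:Source": "/var/log/apps/qa-ksm/app.log",         "_MetaData:Index": "index1"},
]


def routed_indexes(events):
    """Destination index for each event after props/transforms have run."""
    return [route(e)["_MetaData:Index"] for e in events]


if __name__ == "__main__":
    for e, idx in zip(SAMPLE_EVENTS, routed_indexes(SAMPLE_EVENTS)):
        print(f'{e["MetaData:Sourcetype"]:10} {e["MetaData:Source"]:45} -> {idx}')
```

The fourth event shows the selection rule: its source matches the REGEX, but because the props stanza is keyed on sourcetype `app_log`, an `other_log` event never reaches the transform and stays in index1.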
Hey everyone, we have a Splunk SOAR client who has a Microsoft tenant with several domains. They asked if we can scope the "Windows Defender ATP" app in Splunk SOAR to be limited to the 2 domains their team is responsible for. Is this something that can be done from the app configuration itself in SOAR? Or would this be done in the Microsoft tenant? Or are there any other options?
Has anyone been able to get ADAudit Plus to integrate with Splunk Enterprise? I followed these instructions but have not gotten any data to show on the indexer: SIEM integration | Admin settings | ADAudit Plus (manageengine.com). I also contacted ManageEngine support, who have not been able to figure out the issue. I searched the forum and found this old thread, but no one had a response: How to get audit plus manager logs into splunk ent... - Splunk Community. Any help is appreciated, thanks.
I am trying to figure out where Splunk gets its data to populate the "Host Name" column in the Splunk GUI for the Forwarder Management section, on the Clients tab. I would like the host name to be the FQDN (server1.x.xx) instead of its current form (server1). It doesn't seem to pull from any Splunk .conf files that I can see on any Windows UF. For reference, this only applies to Windows servers running the Splunk UF agent. I have already modified inputs.conf (host = $decideOnStartup) and server.conf (hostnameOption = fullyqualifiedname) to no avail. Any help will be greatly appreciated.
What command can I run if I am not sure which index stores the data associated with a sourcetype in Splunk?