All Topics

Hi folks, this has been bugging me for a while. When I click on a custom-made correlation search in the Security Posture's Top Notable Events dashboard pane, it doesn't filter for that rule name in Incident Review; it just shows all of them. Where do I configure it to drill down properly? Thanks!
I am trying to make email templates for the "send email" alert action. So far I have edited "alert_actions.conf" and put that in a new app I created. But what it is doing is just overriding the "send email" alert action, and that's not what I want to do. What I want is to have multiple send email actions. Is there a way to not override the base "send email" action? What I fear is that I will have to create a copy of "sendemail.py", make a small edit, put that in my app's bin folder and then rename it to something like "sendSREemail.py".

alert_actions.conf:

[email]
label = SRE Email Template
icon_path = mod_alert_icon_email.png
from = xxxxx@xxxx.com
mailserver = xxxxxx.com
pdf.header_left = none
pdf.header_right = none
use_tls = 1
hostname = xxxxxx.com
message.alert = Alert: $name$\
Why am I receiving this alert? (Give a brief description of the alert and why this alert is triggering)\
\
How do I fix it?\
1. Step 1\
2. Step 2\
3. Step 3

Thanks again, Splunk community.
I am trying to deploy Splunk 9.2.1 in an air-gapped environment. As I go through the STIG list to harden the system, one of the items asks me to turn FIPS and Common Criteria mode on. Turning FIPS mode on is easy, but Common Criteria seems to have some other requirements. I am trying to read up on Common Criteria for Splunk but am not 100% clear about it, and I am also not sure if I need it in an air-gapped environment. Has someone here gone through enabling it? Can you please provide more info on it? Especially if it is not needed, I can present that to my ISSO. Thanks in advance.
Hello everyone, recently I have been trying to ingest the logs from my server, but they are not getting indexed. The log file I am trying to ingest has different timestamps with the same events.

Events in the log file:

1712744099:{"jsonefd":"1.0","result":"1357","id":1}
1712744400:{"jsonefd":"1.0","result":"1357","id":1}
1712745680:{"jsonefd":"1.0","result":"1357","id":1}
1714518017:{"jsonefd":"1.0","result":"1378","id":1}
1715299221:{"jsonefd":"1.0","result":"1366","id":1}

I tried with crcSalt but still no luck. Kindly help if anyone has faced this issue before. I would like to ingest the events even when the events are the same with different timestamps.
Hey all, I recently upgraded our Splunk server to 9.1.3. I have a single UF running 8.2 which connects; however, my newly deployed 9.1.3 forwarder on server 2 (Windows Server) doesn't connect. This is net new and has never connected. I am seeing mixed info on whether or not SSL certs need to be configured on the forwarder. I see the UF talking to our Enterprise server on port 9997. I am using CA-signed certs on the Splunk server and default certificates on the server which uses the UF. Can anyone point me in the right direction to get this working? The outputs.conf is as follows:

[tcpout]
defaultGroup=default-autolb-group

[tcpout:default-autolb-group]
server=<SPLUNK_IP_SERVER>:9997
useSSL=false

[tcpout-server://<SPLUNK_IP_SERVER>:9997]
Trying to get 2 different lines, one for HDX and the other for RDP. Can anyone help, please?
Hi Team, I already have an active ServiceNow ticket and email notification integration set up for Splunk alerts. I am trying to add tokens which show me the query result in the ServiceNow ticket description, the same as we get in the email notification when we check the Inline Table fields. Can you help me add the same to the ServiceNow ticket as well, so that I can get the query result in the ticket too? Right now it's showing me only the title of the alert, due to which I need to go to Splunk every time an alert triggers and run the alert's search to validate the alert manually.
Hi everyone, I need to check my logs to see if a user has MFA enabled or not. I've already configured the Microsoft Azure App for Splunk, as all the other data is coming through. Additionally, I can see 'azure:monitor:aad' logs. Can someone help me understand what changes need to be made on the Azure side to be able to view these logs? Thank you in advance.
I keep getting an error when trying to distribute the license from the license manager. It won't allow me to distribute the license; the session either times out or I get a different error code each time. Any help would be greatly appreciated. Thanks, David
Please can I get a query that shows statistics on search activity in Splunk?
The Search Head GUI is not working. I found an error in the splunkd logs, but I am not sure if it pertains to why the GUI is down. Does anyone have experience with this happening? The SH GUI is not responding; I looked into the logs and found this error. Does anyone have experience with this or know of any fix?

TsidxStats - sid:summarize_1591771322.7666 Failed to contact the server endpoint https://127.0.0.1:8089 from touchSummary()
Hi Splunkers, we have a SH with Splunk Enterprise Security installed on it. It is a standalone instance that queries some indexer clusters. We are going about configuring it and we loaded some .csv files for Asset and Identity management. Once we uploaded those files, when we ran a search we got this situation: the search is executed, but errors about the inability to load the lookups that store merged asset and identity data in Splunk Enterprise Security are collected. The error syntax is the following:

[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-_risk_system
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-dest
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-dvc
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-src
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-_risk_system
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-dest
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-dvc
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-src

The first thing I thought: OK, this is probably a permission issue. BTW, even when I execute the search with the admin user that loaded the .csv into the asset and identity inventory, I get the same error. I can add that we modified some OOT DMs to add some fields needed by our SOC. What could be the root cause?
We have data in Splunk for user sessions in an app, and I am trying to produce a line graph to show usage every hour. The session information is added 4 times an hour, so I am trying to remove the extra results per hour. Below is an example for one user, but there will be other users' data as well.

userName: fred sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8 timestamp: 2024-05-20T12:00:00Z
userName: fred sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8 timestamp: 2024-05-20T12:30:00Z
userName: fred sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8 timestamp: 2024-05-20T12:45:00Z
userName: fred sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8 timestamp: 2024-05-20T13:00:00Z
Hi all, how do I map a Splunk dashboard link based on the values in a field? I have an existing dashboard, so I need to map based on the values so that on clicking the link it opens the existing dashboard. Example:

Name  link
abc   click here
bbc   click here
ccd   click here
Hey guys, I'm having trouble joining two datasets with similar values. I'm trying to join two datasets; both have a common "name" field, but the one on the left has the correct value and the one on the right has this pattern: left dataset name field + some characters. E.g.:

left dataset name   right dataset name
RU3NDS              RU3NDS_sdsavdg_SoKdsVI3

Is there any way to use a wildcard when joining?
Hello community, I aim to compare the 'src_ip' referenced below with the CIDR IP ranges in the lookup file 'zscalerip.csv' using the query provided. If there is a match, the result should be recorded as true in the 'Is_managed_device' field; otherwise, it should be marked as false. However, upon executing this query, I'm obtaining identical results for all IPs, irrespective of whether they match the CIDR range.

I have created a new lookup definition for the lookup and implemented the following changes:

Type = file-based
min_matches = 0
default_match = NONE
filename = zscalerip.csv
match_type = CIDR(CIDR)

CIDR IP ranges in the lookup file:

CIDR
168.246.*.*
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23

Splunk query:

| makeresults
| eval src_ip="10.0.0.0 166.226.118.0 136.226.158.0 185.46.212.0 2a03:eec0:1411::"
| makemv delim=" " src_ip
| mvexpand src_ip
| lookup zscalerip.csv CIDR AS src_ip OUTPUT CIDR as CIDR_match
| eval Is_managed_device=if(cidrmatch(CIDR_match,src_ip), "true", "false")
| table src_ip Is_managed_device

I am getting results in the format below:

src_ip            Is_managed_device
10.0.0.0          FALSE
166.226.118.0     FALSE
136.226.158.0     FALSE
185.46.212.0      FALSE
2a03:eec0:1411::  FALSE
I'm trying to change the font size of a table in a Dashboard Studio visualization. How is this done in the code? I've tried a few ways but am having no luck. If it is possible, in which version can we increase the font size of a table? Thanks in advance, and I appreciate the help.
Looking to build an interactive dashboard from a CSV file which contains a timestamp. If we select last 7 days, I am looking to filter 19th May to 13th May of data from the sample table below.

Sample data:

_time             Index  Sourcetype
19-05-2024 05:30  x      y
18-05-2024 05:30  x      y
...

One of the inputs I am planning is a time frame, so if I have to pass the token to the panels, I am trying to use

| eval Time=relative_time(now(),"$time_tok$")

which is not working, as the time token comes with earliest and latest timestamps. So I've tried strptime to convert, but still no luck there. Can someone suggest a better way?
I get: Value in stanza [eventtype=snort3:alert:json] in /opt/splunk/etc/apps/TA_Snort3_json/default/tags.conf, line 1 not URL encoded: eventtype = snort3:alert:json

My tags.conf contains:

[eventtype=snort3:alert:json]
ids = enabled
attack = enabled

Any help appreciated, I'm at a loss.
We recently upgraded from 9.0.2 to 9.2.1 and started seeing some new errors on all indexer peer nodes, as shown below.

--------
05-17-2024 14:35:07.225 +0000 ERROR DispatchCommandProcessor [949840 TcpChannelThread] - Search results may be incomplete, peer <indexer peer ip>'s search ended prematurely. Error = Peer <indexer peer hostname> will not return any results for this search, because the search head is using an outdated generation (search head gen_id=4626; peer gen_id=4969). This can be caused by the peer re-registering and the search head not yet updating to the latest generation. This should resolve itself shortly.
--------

The master has logs like the one below.

--------
splunkd.log.1:05-17-2024 12:06:59.491 +0000 WARN CMMaster [950487 CMMasterServiceThread] - got a large jump in gen_id suggestion=4921 current pending=1 reason=event=addPeerParallel Success guid=xxx adding_peers=7
--------

I tried the suggested actions from the discussion below, but no luck so far, and the ERROR has continued for days now.
https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-receiving-this-error-quot-The-search-head-is-using-an/td-p/599044

It looks like the problem is with the primary master, as we could see that when switching to the standby master, the error goes away. Can anyone advise on this? What is a generation/gen_id, and is there a way to reset it to fix the issue?