Hello Splunkers! I have built my own correlation search, from which I am generating a notable. In that notable I want to pass some fields using the $. I saw this trick of passing the fields like $this$ in some other pre-configured correlation searches in Enterprise Security, but in my own correlation search it does not work for some reason. Can someone please tell me how I can make it work? Let me know if you want me to share some other configurations that I did that might be relevant to this issue. Thanks for taking your time reading and replying to my post.
Hi all, I set up Splunk and am trying to capture security logs from the client machine. My VM is set up as server/client with an Active Directory group setting. But I am getting a disk space error: "The diskspace remaining=9620 has breached the yellow threshold for filesystems=C:\Program Files\splunk\var\lib\splunk\_metrics\colddb". But I have free space on the C drive. Please clarify.
I would like to download the Security Posture dashboard. The document "Security Posture dashboard" does not include a download link: https://docs.splunk.com/Documentation/ES/7.3.1/User/SecurityPosturedashboard
What are some good dashboards for displaying data ingested from AWS CloudWatch/CloudTrail? Thanks in advance.
Hello Splunkers! I am collecting logs from Fudo PAM, for which I haven't found any suitable existing add-on on the Splunkbase website. The logs are being collected over syslog, yet the regular "syslog" sourcetype doesn't suit the events coming from my source. I was searching the web for tutorials on how to create your own add-on in Splunk in order to parse unusual logs like in my case, but I haven't found any. Could someone please help me with that? Does anyone have a tutorial or guide on how to create your own parser, or can maybe explain what is needed for that, in case it's not a difficult task? If someone decides to provide the answer themselves, by explaining how to create your own add-on, I would really appreciate a detailed description that includes such notes as: required skills, difficulty, how long it will take, and whether it's the best practice in such situations or there are more efficient ways. Again, the main goal for me is to get my logs from Fudo PAM (coming over syslog) parsed properly. Thank you for taking your time reading my post and replying to it.
Hi, we are testing manual JavaScript injection in an Oracle APEX application; however, the Dev teams tell us that only the "ords/r" page is showing in the list of pages in AppDynamics, not all the "internal" pages that run underneath. Does anyone have experience configuring the EUM/JavaScript agent for APEX who can give us a hint on how to improve the default configuration to detect all pages used within the application? Thanks, Roberto
Hello, I'm wondering if warnings like "Local KV Store has replication issues" are shown to any admin user on any Splunk Web instance (DMC server and any SHC member)? Thanks.
Logging a single line to Splunk is taking about 30ms with the HEC appender. E.g., the result of the below is 30ms.

    // Measure the wall-clock time spent in a single log call
    Long start1 = System.currentTimeMillis();
    log.info("Test logging");
    Long start2 = System.currentTimeMillis();
    log.info("logTime={}", start2 - start1);

This is our logback config - Taking 30 ms is too long for a single log action. Are we missing anything in the config?
Event Actions > Show sources is failing at 100/1000 events with the below 2 errors:

    [e430ac81-66f7-40b8-8c76-baa24d2813c6_wh-1f2db913c0] Streamed search execute failed because: Error in 'surrounding': Too many events (> 10000) in a single second.
    Failed to find target event in final sorted event list. Cannot properly prune results

The result sets are not huge, maybe 150 events. What do the above errors mean and how do we resolve this error?
From the below XML we created a dropdown for site, and it is working as expected, but we need a dropdown for country as well. But country data is not present in the logs. We have 2 countries, China and India. We need a dropdown with country, and based on country the site should also be shown. How can we do this?

    <form version="1.1" theme="light">
      <label>Dashboard</label>
      <fieldset submitButton="false">
        <input type="time" token="timepicker">
          <label>TimeRange</label>
          <default>
            <earliest>-15m@m</earliest>
            <latest>now</latest>
          </default>
        </input>
        <input type="dropdown" token="site">
          <label>SITE</label>
          <choice value="*">All</choice>
          <prefix>site="</prefix>
          <suffix>"</suffix>
          <default>*</default>
          <fieldForLabel>site</fieldForLabel>
          <fieldForValue>site</fieldForValue>
          <search>
            <query>
              <!-- Both appended rows must set the "site" field, otherwise "fields site" drops the second row -->
              | makeresults | eval site="BDC" | fields site
              | append [ | makeresults | eval site="SOC" | fields site ]
              | sort site
              | table site
            </query>
          </search>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Total Count Of DataRequests</title>
            <search>
              <query>
                index=Datarequest-index $site$
                | rex field=_raw "application :\s(?<Reqtotal>\d+)"
                | stats sum(Reqtotal)
              </query>
              <earliest>$timepicker.earliest$</earliest>
              <latest>$timepicker.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">20</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentageRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
          </table>
        </panel>
      </row>
    </form>
We want to add a TA (app) to our indexers at the path /opt/splunk/etc/master-apps by running the command /opt/splunk/bin/splunk apply cluster-bundle. My question is whether we can deploy an indexer app without a restart of the indexers. The TA we want to deploy is an extension to the *nix TA, and all it does is run some simple bash scripted inputs.
Here's a part of my query, ignoring where the data is coming from:

    | eval bucket=case(dur < 30, "Less than 30sec", dur <= 60, "30sec - 60sec", dur <= 120, "1min - 2min", dur <= 240, "2min - 4min", dur > 240, "More than 4min")
    | eval sort_field=case(bucket="Less than 30sec", 1, bucket="30sec - 60sec", 2, bucket="1min - 2min", 3, bucket="2min - 4min", 4, bucket="More than 4min", 5)
    | sort sort_field
    | stats count as "Number of Queries" by bucket

The problem I have is that the results are ordered alphabetically by the name of each bucket. I'd prefer to have the order always be from quickest to slowest: <30s, 30-60s, 1-2m, 2-4m, >4m.

What I get:

    1min - 2min     | <value>
    2min - 4min     | <value>
    30sec - 60sec   | <value>
    Less than 30sec | <value>
    More than 4min  | <value>

What I want:

    Less than 30sec | <value>
    30sec - 60sec   | <value>
    1min - 2min     | <value>
    2min - 4min     | <value>
    More than 4min  | <value>

I've tried a number of different approaches, none seeming to do anything. Is this possible?
Hi, I am quite new to Splunk, so sorry in advance if I ask silly questions. I have the below task to do: "The logs show that Windows Defender has detected a Trojan on one of the machines on the ComTech network. Find the relevant alerts and investigate the logs." I keep searching but don't get the right logs. I searched with the below filters:

    source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational"

I would really appreciate it if you could help. Thanks, Pere
I need my trial extended 14 more days. I have to do a demo for my bosses on Tuesday. User: https://app.us1.signalfx.com/#/userprofile/GM-tC55A4AA
    5/17/24 12:45:46.313 PM persistuse Environment = LTQ3

In the above event the character "r" is missing from the word persistuse (but it exists in raw_data on the host); hence the events are being created without a timestamp and we are getting data quality issues. How can this be fixed?
We are generating HEC tokens on a deployment server and pushing them out to the HECs. HEC tokens are disabled by default on the HECs and the deployment server and need to be enabled in global settings. What I've done so far is:
- authorize.conf: this is for user tokens and isn't working for HEC tokens
- the CLI command for token enable isn't working because it's not enabled globally
- inputs.conf has [http] disabled=0
The only thing that has worked is enabling it via the UI. Is there a way to enable these over the CLI?
Hi Team, is it possible to update/enrich a notable after executing a playbook in Splunk SOAR, so that the execution output is attached to the Splunk notable? Example: Assume I have a correlation search named "one" that triggers a notable and runs a playbook action. Now, once the search triggers and the notable is created, the "run a playbook" action should execute in SOAR and attach its output to the notable created. Think of this as attaching the IP reputation/geolocation of an IP to the notable so that the SOC can work without logging into VirusTotal or any other sites. Thank you
Hello, can port 8089 traffic be encrypted? What are the pros and cons?
If I have 6 search peers configured in the distsearch.conf file but 3 of them go down, can Splunk recognize that a host is down and continue skipping down the list until it gets a live host?
Hello, is Splunk 9.0 compatible with Oracle Linux?