I keep getting an error when trying to distribute the license from the license manager. It won't allow me to distribute the license; the session either times out or I get a different error code each time. Any help would be greatly appreciated.

Thanks -David
Please, can I get a query that shows statistics on search activity in Splunk?
Search Head GUI is not working. Found an error in the splunkd logs, not sure if it pertains to why the GUI is down. Anyone have experience with this happening? The SH GUI is not responding; I looked into the logs and found this error. Anyone have experience with this or know of any fix?

TsidxStats - sid:summarize_1591771322.7666 Failed to contact the server endpoint https://127.0.0.1:8089 from touchSummary()
Hi Splunkers, we have a SH with Splunk Enterprise Security installed on it. It is a standalone instance that queries some indexer clusters. We are going about configuring it and we loaded some .csv files for Asset and Identity management. Once we uploaded those files, when we ran a search we got this situation: the search is executed, but errors about the inability to load the lookups that store merged asset and identity data in Splunk Enterprise Security are collected. The error syntax is the following:

[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-_risk_system
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-dest
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-dvc
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-src
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-_risk_system
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-dest
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-dvc
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-src

First thing I thought: OK, this is probably a permission issue. BTW, even when I execute the search with the admin user that loaded the .csv into the asset and identity inventory, I get the same error. I can add that we modified some OOT DMs to add some fields needed by our SOC. What could be the root cause?
We have data in Splunk for user sessions in an app and I am trying to produce a line graph to show usage every hour. The session information is added 4 times an hour, so I am trying to remove the extra results per hour. Below is an example for one user, but there will be other user data as well:

userName: fred sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8 timestamp: 2024-05-20T12:00:00Z
userName: fred sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8 timestamp: 2024-05-20T12:30:00Z
userName: fred sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8 timestamp: 2024-05-20T12:45:00Z
userName: fred sessionKey: a0b360d9-a471-45a1-9dcc-0dee39ed6ba8 timestamp: 2024-05-20T13:00:00Z
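An added example, not part of the post above and not Splunk code: the de-duplication the poster describes, done in Python on events constructed in the post's shape (fred's session reported four times, plus a second user "alice" that is an addition so the hourly count is more than one). Each event is bucketed to the start of its hour and a session is counted once per (user, sessionKey, hour) no matter how many times it is re-reported; that is the same reduction as binning _time to 1h spans and taking a distinct count of sessionKey per span in SPL.

```python
from datetime import datetime, timezone

# Constructed sample events in the shape shown in the post. The "alice" rows are an
# addition for illustration; they are not from the post.
EVENTS = [
    {"userName": "fred",  "sessionKey": "a0b360d9-a471-45a1-9dcc-0dee39ed6ba8", "timestamp": "2024-05-20T12:00:00Z"},
    {"userName": "fred",  "sessionKey": "a0b360d9-a471-45a1-9dcc-0dee39ed6ba8", "timestamp": "2024-05-20T12:30:00Z"},
    {"userName": "fred",  "sessionKey": "a0b360d9-a471-45a1-9dcc-0dee39ed6ba8", "timestamp": "2024-05-20T12:45:00Z"},
    {"userName": "fred",  "sessionKey": "a0b360d9-a471-45a1-9dcc-0dee39ed6ba8", "timestamp": "2024-05-20T13:00:00Z"},
    {"userName": "alice", "sessionKey": "5c1e2c6e-0f7a-4b2d-9d8e-3b1a2f4c5d6e", "timestamp": "2024-05-20T12:15:00Z"},
    {"userName": "alice", "sessionKey": "5c1e2c6e-0f7a-4b2d-9d8e-3b1a2f4c5d6e", "timestamp": "2024-05-20T12:45:00Z"},
]

HOUR_FMT = "%Y-%m-%dT%H:%M:%SZ"


def hour_bucket(ts: str) -> datetime:
    """Truncate an ISO-8601 UTC timestamp ending in 'Z' to the start of its hour."""
    dt = datetime.strptime(ts, HOUR_FMT).replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)


def distinct_per_hour(events, key):
    """Count distinct key(event) values per hour bucket.

    Re-reports of the same key inside one hour collapse into a single count; a key
    that appears in two different hours is counted in each of them.
    """
    per_hour = {}
    for ev in events:
        per_hour.setdefault(hour_bucket(ev["timestamp"]), set()).add(key(ev))
    return {h.strftime(HOUR_FMT): len(keys) for h, keys in sorted(per_hour.items())}


def sessions_per_hour(events):
    """Distinct (user, session) pairs per hour: the series for the usage line graph."""
    return distinct_per_hour(events, lambda ev: (ev["userName"], ev["sessionKey"]))


def users_per_hour(events):
    """Distinct users per hour; a user holding two sessions still counts once."""
    return distinct_per_hour(events, lambda ev: ev["userName"])


if __name__ == "__main__":
    for hour, n in sessions_per_hour(EVENTS).items():
        print(f"{hour}  sessions={n}")
```

Feeding only fred's three 12:xx rows through sessions_per_hour yields a single bucket with count 1, which is the de-duplication the question asks for.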
Hi All, how do I map a Splunk dashboard link based on the values in a field? I have an existing dashboard, so I need to map based on the values; on clicking the link it should open the existing dashboard. Ex:

Name   link
abc    click here
bbc    click here
ccd    click here
Hey guys, I'm having trouble joining two datasets with similar values. I'm trying to join two datasets; both have a common "name" field, but the one on the left has the correct value and the one on the right has this pattern: left dataset name field + some characters, e.g.:

left dataset name:   RU3NDS
right dataset name:  RU3NDS_sdsavdg_SoKdsVI3

Is there any way to use a wildcard when joining?
Hello community, I aim to compare the 'src_ip' referenced below with the CIDR IP ranges in the lookup file 'zscalerip.csv' using the query provided. If there is a match, the result should be recorded as true in the 'Is_managed_device' field; otherwise, it should be marked as false. However, upon executing this query, I'm obtaining identical results for all IPs, irrespective of whether they match the CIDR range.

I have created a new lookup definition for the lookup and implemented the following changes:

Type = file-based
min_matches = 0
default_match = NONE
filename = zscalerip.csv
match_type = CIDR(CIDR)

CIDR IP range in lookup file:

CIDR
168.246.*.*
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23

Splunk Query:

| makeresults
| eval src_ip="10.0.0.0 166.226.118.0 136.226.158.0 185.46.212.0 2a03:eec0:1411::"
| makemv delim=" " src_ip
| mvexpand src_ip
| lookup zscalerip.csv CIDR AS src_ip OUTPUT CIDR as CIDR_match
| eval Is_managed_device=if(cidrmatch(CIDR_match,src_ip), "true", "false")
| table src_ip Is_managed_device

Getting the result in the below format:

src_ip             Is_managed_device
10.0.0.0           FALSE
166.226.118.0      FALSE
136.226.158.0      FALSE
185.46.212.0       FALSE
2a03:eec0:1411::   FALSE
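An added example, not from the post above and not Splunk code: the same classification done in Python with the standard ipaddress module, over the five src_ip values and the five lookup rows copied from the post, so the expected per-IP outcome can be established independently of the lookup configuration. The 168.246.*.* row is not CIDR notation; the example assumes it was meant as 168.246.0.0/16 and converts trailing-wildcard entries that way (an assumption, not something the post states). IPv4/IPv6 version is compared explicitly so the IPv6 source can never fall into an IPv4 range.

```python
import ipaddress

# Constructed inputs copied from the post: the CIDR column of zscalerip.csv and the
# src_ip values from the makeresults search.
LOOKUP_ROWS = ["168.246.*.*", "8.25.203.0/24", "64.74.126.64/26", "70.39.159.0/24", "136.226.158.0/23"]
SRC_IPS = ["10.0.0.0", "166.226.118.0", "136.226.158.0", "185.46.212.0", "2a03:eec0:1411::"]


def wildcard_to_cidr(entry: str) -> str:
    """Turn a trailing-wildcard IPv4 entry (168.246.*.*) into CIDR (168.246.0.0/16).

    Assumption: each '*' stands for a whole trailing octet. Entries without '*' are
    returned unchanged; a '*' followed by a concrete octet is rejected.
    """
    if "*" not in entry:
        return entry
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported wildcard entry: {entry!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcard must be trailing: {entry!r}")
    return ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}"


def load_networks(rows):
    """Parse lookup rows into ip_network objects; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(wildcard_to_cidr(row), strict=False) for row in rows]


def cidr_match(ip: str, networks):
    """Return the first network containing ip, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def classify(src_ips, rows):
    """Map each src_ip to {'CIDR_match': <matched range or None>, 'Is_managed_device': bool}."""
    networks = load_networks(rows)
    out = {}
    for ip in src_ips:
        net = cidr_match(ip, networks)
        out[ip] = {"CIDR_match": str(net) if net is not None else None,
                   "Is_managed_device": net is not None}
    return out


if __name__ == "__main__":
    for ip, row in classify(SRC_IPS, LOOKUP_ROWS).items():
        print(f"{ip:<18} {str(row['Is_managed_device']):<6} {row['CIDR_match']}")
```

With these inputs only 136.226.158.0 lies inside a listed range (136.226.158.0/23), so a lookup that is matching correctly should return exactly one true row; a table that is FALSE for every IP, including that one, means the match step itself is not producing a CIDR_match value.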
I'm trying to change the font size of a table in a Dashboard Studio visualization. How is this done in the code? I've tried a few ways but am having no luck. If yes, in which version can we increase the font size of a table? Thanks in advance and I appreciate the help.
Looking to build an interactive dashboard from a csv file which contains a timestamp. If we select last 7 days, I am looking to filter 19th May to 13th May of data from the sample table below.

Sample data:

_time             Index   Sourcetype
19-05-2024 05:30  x       y
18-05-2024 05:30  x       y
...

One of the inputs I am planning is Time frame, so if I have to pass the token to the panels I am trying to use |eval Time=relative_time(now(),"$time_tok$"), which is not working as the time token comes with earliest and latest timestamps. So I've tried strptime to convert, but still no luck there. Can someone suggest a better way?
I get: Value in stanza [eventtype=snort3:alert:json] in /opt/splunk/etc/apps/TA_Snort3_json/default/tags.conf, line 1 not URL encoded: eventtype = snort3:alert:json

My tags.conf contains:

[eventtype=snort3:alert:json]
ids = enabled
attack = enabled

Any help appreciated, I'm at a loss.
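An added example, not from the post above and not Splunk code: the warning quoted there says the value part of the [<field>=<value>] stanza header is not URL-encoded, and tags.conf stanza values are percent-encoded, so the colons in snort3:alert:json are written as %3A. This Python check scans a tags.conf text for field=value stanza headers whose value is not URL-encoded and produces the encoded header; it decodes before re-encoding so an already-correct header is left alone instead of being double-encoded. The sample input is the poster's stanza, reproduced inline.

```python
import re
from urllib.parse import quote, unquote

# Stanza header of the form [<field>=<value>]; everything after the first '=' is the value.
STANZA_RE = re.compile(r"^\[(?P<field>[^=\]]+)=(?P<value>.*)\]\s*$")

# The poster's tags.conf, reproduced inline as constructed sample input.
TAGS_CONF = """[eventtype=snort3:alert:json]
ids = enabled
attack = enabled
"""


def url_encode_value(value: str) -> str:
    """Percent-encode a stanza value (safe="" so ':' and '/' are encoded too).

    unquote() first so an already-encoded value is returned unchanged rather than
    double-encoded (%3A would otherwise become %253A).
    """
    return quote(unquote(value), safe="")


def is_url_encoded(value: str) -> bool:
    """True when the value contains only unreserved characters or valid %XX escapes."""
    return url_encode_value(value) == value


def encode_stanza(header: str) -> str:
    """Rewrite '[eventtype=snort3:alert:json]' as '[eventtype=snort3%3Aalert%3Ajson]'."""
    m = STANZA_RE.match(header)
    if not m:
        raise ValueError(f"not a field=value stanza header: {header!r}")
    return "[" + m["field"] + "=" + url_encode_value(m["value"]) + "]"


def check_tags_conf(text: str):
    """Return (line_no, original_header, encoded_header) for each stanza header whose
    value is not URL-encoded. An empty list means every header is already encoded."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = STANZA_RE.match(line)
        if m and not is_url_encoded(m["value"]):
            findings.append((line_no, line, encode_stanza(line)))
    return findings


if __name__ == "__main__":
    for line_no, original, fixed in check_tags_conf(TAGS_CONF):
        print(f"line {line_no}: {original} -> {fixed}")
```

Only the header line changes; the ids = enabled and attack = enabled settings underneath it stay exactly as written.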
We recently upgraded from 9.0.2 to 9.2.1 and started seeing some new errors on all indexer peer nodes, as shown below.

--------
05-17-2024 14:35:07.225 +0000 ERROR DispatchCommandProcessor [949840 TcpChannelThread] - Search results may be incomplete, peer <indexer peer ip>'s search ended prematurely. Error = Peer <indexer peer hostname> will not return any results for this search, because the search head is using an outdated generation (search head gen_id=4626; peer gen_id=4969). This can be caused by the peer re-registering and the search head not yet updating to the latest generation. This should resolve itself shortly.
--------

The master has logs like the below.

--------
splunkd.log.1:05-17-2024 12:06:59.491 +0000 WARN CMMaster [950487 CMMasterServiceThread] - got a large jump in gen_id suggestion=4921 current pending=1 reason=event=addPeerParallel Success guid=xxx adding_peers=7
--------

I tried the suggested actions from the discussion below, but no luck so far, and the ERROR has been continuing for days now.
https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-receiving-this-error-quot-The-search-head-is-using-an/td-p/599044

It looks like the problem is with the primary master, as we could see that when switching to the standby master the error goes away. Can anyone advise on this? What is a generation/gen_id, and is there a way to reset it to fix the issue?
Hi all, I am ingesting k8s data with OpenTelemetry in my enterprise environment. I would like to know if there is a list of available metrics and their descriptions, or if there is any example dashboard that can help me visualize the states and behaviors of clusters, pods and containers. I need to put it in order to show it to the different teams. Thanks and cheers, JAR
Hello Splunkers! I have built my own correlation search, from which I am generating a notable. In that notable I want to pass some fields using the $. I saw this trick of passing the fields like $this$ in some other pre-configured correlation searches in Enterprise Security, but in my own correlation search it does not work for some reason. Can someone please tell me how I can make it work? Let me know if you want me to share some other configurations that I did that might be relevant to this issue. Thanks for taking the time to read and reply to my post.
Hi All, I set up Splunk and am trying to capture security logs from the client machine. My VM is set up as server/client with an Active Directory group setting. But I am getting a disk space error: "The diskspace remaining=9620 has breached the yellow threshold for filesystems=C:\Program Files\splunk\var\lib\splunk\_metrics\colddb". But I have free space on the C drive. Please clarify.
I would like to download the Security Posture Dashboard. The document "Security Posture dashboard" does not include a download link: https://docs.splunk.com/Documentation/ES/7.3.1/User/SecurityPosturedashboard
What are some good dashboards for displaying data ingested from AWS CloudWatch/CloudTrail? Thanks in advance.
Hello Splunkers! I am collecting logs from Fudo PAM, for which I haven't found any suitable existing add-on on the Splunkbase website. The logs are being collected over syslog, yet the regular "syslog" sourcetype doesn't suit the events coming from my source. I was searching the web for some tutorials on how to create your own add-on in Splunk in order to parse unusual logs like in my case, but I haven't found any. Could someone please help me with that? Does anyone have any tutorial or guide on how to create your own parser, or can maybe explain what is needed for that, in case it's not a difficult task? If someone decides to provide the answer themselves, by explaining how to create your own add-on, I would really appreciate a detailed description that includes such notes as: required skills, difficulty, how long it will take, and whether it's the best practice in such situations or there are more efficient ways. Again, the main goal for me is to get my logs from Fudo PAM (coming over syslog) parsed properly. Thank you for taking the time to read my post and reply to it.
Hi, we are testing manual JavaScript injection in an Oracle APEX application; however, the Dev teams tell us that only the "ords/r" page is showing in the list of pages in AppDynamics, not all the "internal" pages that run underneath. Does anyone have experience in configuring the EUM/JavaScript agent for APEX who could give us a hint on how to improve the default configuration to detect all pages used within the application? Thanks, Roberto
Hello, I'm wondering if warnings like "Local KV Store has replication issues" are shown to any admin user on any Splunk Web instance (DMC server and any SHC member)? Thanks.