Could we get some additional information on our Google Chat Splunk alert? For now I am only able to find a way to put $name$ in the message text, but is there a way to add additional information so we can display some of the search query details, like the sample below?
Splunk Alert: "Splunk Alert name"
Status: <status code>
Resource: <resource>
logs: https://...
Splunk results: https://...
Does anyone have a thorough explanation of the certs in Splunk? And why they are all different yet the same? Can I use the same cert for all situations? Here's a table: https://docs.splunk.com/Documentation/Splunk/9.2.1/CommonCriteria/Commoncriteriainstallationandconfigurationoverview#List_of_certificates_and_keys
These tables aren't very specific, and Splunk generated different certs for each one. I need to use company-specific certs, and am a bit confused on which ones can be the same, and which ones can't...
As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now you can head to class in style with a new, exclusive Splunk University long-sleeve tee. Just register for Splunk University and .conf24 and collect your free gift onsite at .conf24.

Dive into the extraordinary world of Splunk University! Far from your everyday educational event, we bring our vibrant community of customer-users together for a fun-filled journey of career growth and skills-building. Choose from 1-, 2-, or 3-day bootcamps packed with hands-on activities and unbeatable networking opportunities. Come to enhance your Splunk skills, leave feeling empowered and inspired.

Pro Tip: We've got several open seats for our popular Transitioning to Cloud Bootcamp, ITSI Administrator Bootcamp, Architect Bootcamp, and Observability Bootcamps -- see details below!

Bootcamp Deep Dive – In Your New Splunk Tee
Prepare to embark on a journey filled with learning opportunities tailored to all skill levels. Whether you're a beginner, intermediate, or advanced user, we've got you covered with a diverse range of sessions designed to meet your needs. Here's a glimpse of what awaits you:

Three-day Bootcamps (Sunday through Tuesday) | 240 Training Units
Power User Bootcamp: This three-day Bootcamp takes you from A-Z for a Splunk Power User, including topics on how to search, manipulate, correlate, and model data. It combines content from the following courses: Working with Time, Statistical Processing, Comparing Values, Result Modification, Creating Knowledge Objects, Creating Field Extractions, Correlation Analysis, and Data Models.
Enterprise Administrator Bootcamp: This three-day bootcamp prepares administrators to install, configure, and deploy on-prem Splunk environments. It combines content from Splunk Enterprise System Administration and Splunk Enterprise Data Administration.
Advanced Enterprise Administrator Bootcamp: This three-day bootcamp prepares administrators to install, configure, and troubleshoot standalone and clustered Splunk deployments. It combines content from Troubleshooting Splunk Enterprise and Splunk Cluster Administration.
App Developer Bootcamp: This three-day bootcamp prepares developers to visualize, integrate, and package data in Splunk. It combines content from Advanced Dashboards and Visualizations, Building Splunk Apps and Developing with Splunk’s REST API.
Observability Bootcamp: This three-day bootcamp prepares DevOps and SRE teams to use Splunk Observability Cloud to monitor and troubleshoot their microservice and monolithic application environments. It combines content from: Introduction to Splunk Observability Cloud, Fundamentals of Metrics Monitoring, Using Splunk APM, Configuring Tracing and Profiling, Using Splunk RUM, and Using Splunk Synthetic Monitoring.
Analytics and Data Science Bootcamp: This two-day Bootcamp prepares users to perform more scientific analysis on their data with the Machine Learning Toolkit. It includes content from Splunk for Analytics & Data Science.

Two-day Bootcamps (Monday through Tuesday) | 180 Training Units
ITSI Administrator Bootcamp: This two-day bootcamp prepares IT practitioners to install, design, implement, monitor and maintain mission-critical services in IT Service Intelligence. It includes new content and content from Using ITSI and Implementing ITSI.
Enterprise Security Analyst Bootcamp: This two-day Bootcamp prepares security practitioners to identify and track security incidents in Splunk Enterprise Security. It includes content from Using Splunk Enterprise Security.
Enterprise Security Administrator Bootcamp: This two-day bootcamp prepares architects and systems administrators to install, configure and manage Splunk Enterprise Security. It includes content from Administering Splunk Enterprise Security.
Cloud Administrator Bootcamp: This two-day bootcamp prepares new administrators to manage users and get data in Splunk Cloud. It includes content from Splunk Cloud Administration. NOTE: This bootcamp is for Splunk Cloud Administrators who are new to Splunk. If you have experience as a Splunk Administrator on-premise, or have taken the Splunk System and / or Data Administration courses, the Transition to Cloud Bootcamp (1-day) is designed for you.
SOAR Administrator Bootcamp: This two-day bootcamp prepares security practitioners to configure, manage, and use SOAR to investigate, analyze, and automate response to security incidents. It combines content from Investigating Incidents, Administering SOAR, and Developing SOAR Playbooks.

One-day Bootcamps (repeats each day; Sunday, Monday, and Tuesday) | 100 Training Units
Dashboard Studio Bootcamp: This one-day bootcamp is designed for power users who want to learn best practices for building dashboards and forms in Dashboard Studio. It combines content from Introduction to Dashboards and Dynamic Dashboards.
Transition to Cloud Bootcamp: This one-day bootcamp highlights key differences between Splunk Enterprise deployed on-premises and Splunk Enterprise Cloud to allow Splunk Administrators to transition to Splunk Cloud. It includes content from Transitioning to Cloud. NOTE: This bootcamp is designed for experienced Splunk Administrators who have worked with Splunk Enterprise on-premise and are newly responsible for Splunk Cloud Administration. If you are new to Splunk, the Cloud Administrator Bootcamp (2-day) is designed for you.
Architect Bootcamp: This one-day bootcamp prepares Splunk architects to design, plan, and implement a Splunk deployment. It includes content from Architecting Splunk Enterprise Deployments.
ITSI Analysts Bootcamp: This one-day bootcamp prepares IT practitioners to monitor and visualize services, investigate issues and integrate dashboards. This course contains content from Using ITSI and additional new content.
Blue Team Academy: Cybersecurity Defense Analyst Essentials: This one-day bootcamp combines Splunk knowledge with security best practices to bring new analysts up to speed fast. Get hands-on practice working events and hunting for threats using Splunk Core and Enterprise Security.
Blue Team Academy: Cybersecurity Defense Engineer: In this one-day bootcamp you will learn to optimize SOC workflows using Splunk Enterprise Security and Splunk SOAR. We will explore the art and realities of crafting correlation and risk rules, as well as the basics of automating with SOAR playbooks.

Test Your New Knowledge
Take your bootcamp game to the next level with on-site Splunk Certification. At .conf24, you'll have the opportunity to take any Splunk certification exam with PearsonVUE in Las Vegas for only $25 — a steal considering the usual $130 value. Don't miss this chance to showcase your expertise and stand out in the crowd – with a new badge and a new Splunk University long-sleeve t-shirt!

Then, celebrate with us at the “Bragging Rights Spotlight Event” on June 12 in the source=*Pavilion on the Spotlight Stage. RSVP here.

Don’t miss out on Splunk University! Invest in your professional development and take your Splunk expertise to new heights in Las Vegas, June 9-11, and then stay for the fun and excitement of .conf24. Learn more about the full Splunk University and .conf24 experience here. Happy Learning!

– Callie Skokos on behalf of the Splunk Education Crew
Hi, I got the following error message when trying to connect to an Event Hub:
Error occurred while connecting to eventhub: CBS Token authentication failed. Status code: None Error: client-error CBS Token authentication failed. Status code: None
Can someone help here? We have a HF in our network zone and want to connect to the MS Event Hub via proxy, which we configured within the app itself. We use the Add-on for MS Cloud Services version 5.2.2. Thanks
SAML authenticated users are unable to access either REPORTS or ALERTS from the search app @ ./app/search/reports or from the top-level menu @ Settings/Searches, reports, alerts. When they attempt to access reports from the Search app, the page stalls at "Loading Reports". When they attempt to filter on reports or alerts from "Settings/Searches, reports, alerts", a small icon appears at the bottom stating "server error". The reports are listed, but none are accessible. If the user is provided a URL to any report, everything works fine. The ability to browse the list is what is broken. Finally, if a user goes to "Settings/Searches, reports, alerts" and DOES NOT leave "Type:All", everything works fine. If the selection is changed to "Type:Reports" or "Type:Alerts", the error appears at the bottom. Debug logs do not reveal anything obvious. The permissions used for the SAML users are the default "power" role. I tried moving test users to the Admin role, no change. Also, all locally authenticated users in the same role work fine.
I have a visualization of type splunk.table in Dashboard Studio (version 9.0.2). The source table contains the column "id", from which I have derived the column "link":
sourcetype="x" | eval link = "https://xyz.com/" + id | table id, link
I want the "link" column to be visible as a hyperlink (blue and underlined) in the dashboard, such that each value of the column, when clicked, opens the respective link in a new tab. I tried making the changes below, not sure what I am doing wrong here:
    "viz_jZKnPQQG": {
        "type": "splunk.table",
        "title": "x",
        "dataSources": {
            "primary": "ds_GresBkrN"
        },
        "options": {
            "tableFormat": {
                "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableRowBackgroundColorsByTheme)"
            },
            "count": 8,
            "backgroundColor": "> themes.defaultBackgroundColor",
            "showRowNumbers": true,
            "fontSize": "small",
            "showInternalFields": false
        },
        "eventHandlers": [
            {
                "type": "drilldown.customUrl",
                "options": {
                    "url": "$row.link$",
                    "newTab": true
                }
            }
        ]
    },
Hi team, I have created a Splunk dashboard using the below query, where we are displaying a metric per stack ID [i.e., "mdq.sId"]. The dashboards are displayed with legends showing the IDs 54 and 10662. I want to display these IDs with a different name corresponding to the stack IDs on the legends. For example, 54 is stack-ind and 10662 is stack-aus.
index="pcs-ing" ins="ingestion-worker" "metric.ingestion.api.import.time" "mdq.sId" IN ("54","10662") | timechart span=60m limit=0 count as ingestion_cycles by mdq.sId
Is it possible to search by the stack ID but display alias names on the legends? For example, in the above dashboard, I want '54' to be shown as 'stack-ind' and '10664' as 'stack-aus'.
Hello, I get Splunk Enterprise 6-month 10GB licenses, for free home use, as I use Splunk heavily at work and try things in my home lab first. I was on vacation for some time and let my license lapse. This caused multiple items to stop working, primarily the search feature. I added a new license this morning, but search is still restricted. I have tried searching to request a reset license, calling to get a reset license, and submitting a support ticket for a reset license. Because I'm on a free account, nothing will allow me to actually request a reset license. For free personal-use Enterprise licenses, can anyone share how to request a reset license so I can resume search functionality?
I have defined a number.input field in Dashboard Studio (Version: 9.0.2) so that the user can select a number representing a date (between 1-31). I want the date to be set to the current day's date by default when the user opens the dashboard. But "defaultValue": "$token_curr_date$" in the code below throws an error - Incorrect Type. Expected "number"
{
    "options": {
        "defaultValue": "$token_curr_date$",
        "token": "num_date",
        "min": 1,
        "max": 31
    },
    "title": "Select Date",
    "type": "input.number"
}
In "dataSources" I have defined the below search and token:
    "ds_current_date": {
        "type": "ds.search",
        "options": {
            "query": "| makeresults | eval token_curr_date=strftime(now(), \"%d\") | fields token_curr_date"
        },
        "token": "token_curr_date"
    }
How do I set the default value of input.number to the current date?
Hi All, I need your help. I have trained a few services and added the next_30m_avg_score in a Glass Table, but I don't know how to add dynamic color to the score. What modification do I make in the source code to add the color? My source code is:
`itsi_predict(40588288-a7ed-42b9-8dec-0c0379e058f9,health_score,app:itsi_predict_40588288_a7ed_42b9_8dec_0c0379e058f9_RandomForestRegressor_d1258935c9f0529f3d510eae_1713353848355)` | table next30m_avg_hs
This is how the Glass Table looks:
Please suggest.
I have 2 indexes in an index cluster with hot, cold, and frozen storage. Hot and cold are on different disks; frozen will use the same disk for both indexes. My question is: "Will the log be replicated, or can I save just one index into frozen and use it as a backup for the index cluster?"
Hello Splunk Team,
Who we are: L Squared is a leading digital signage service provider, offering the Hub Content Management System (CMS). This platform empowers users to effortlessly manage and display media content on digital signage screens. We want to integrate Splunk, a powerful data analytics platform, into our ecosystem.
What we want:
Integrating a read-only version of Splunk app dashboards into L Squared Hub via an iframe.
Implementing OAuth 2.0 authentication for secure access token generation, or any other authentication method to get an access token securely.
Providing users with a list of Splunk apps and their respective dashboards for selection.
How to do it: To achieve these objectives, users will follow these steps:
Initiate an OAuth 2.0 authentication request to Splunk for access token generation, or utilize client credentials such as username, password, and secret key.
Upon successful authorization, users gain access to Splunk REST API endpoints, including:
Retrieving a list of installed Splunk apps using the following API call, e.g.:
curl -k -u admin:password "https://localhost:8089/services/apps/local?output_mode=json"
Fetching a list of dashboards for a specific Splunk app via the following API call, e.g.:
curl -k -u admin:password 'https://localhost:8089/servicesNS/{username}/{app_name}/data/ui/views?output_mode=json&search=((isDashboard=1 AND (rootNode="dashboard") AND isVisible=1) AND ((eai:acl.sharing="user" AND eai:acl.owner="{username}") OR (eai:acl.sharing!="user")))'
Finally, embed the read-only version of the selected Splunk app dashboard onto L Squared Hub using an iframe.
Who are our end users? This integration empowers organizations to seamlessly monitor and analyze their data through large displays. It enables teams to access up-to-date Splunk data conveniently, enhancing decision-making and operational efficiency.
If you know the right person or the right way to get a solution, please share your ideas with us. Thanks in advance! @MuS @elizabethl_splu @richgalloway
After I updated the add-on to 6.3.x, I am not able to create or update account settings under account type Tenable.sc credentials (deprecated). I have tried versions 6.3.2 and 6.3.6; both failed with the error "please enter valid address, username and password or configure valide proxy settings or verify ssl certificate". I am using credentials only and no proxy. Using version 6.1.0 of the add-on I can create/update the account with the same info.
As almost all the videos on YouTube use a Splunk server on the same victim computer that has "Local windows network monitoring", the server on Kali does not have it. And I don't know how to catch the event of the attack, although I am using the TAwinfw Technology Add-on for Windows Firewall. But when searching index="firewall", it returns no results. Can someone help me, please?
Hi, I have to replace all the possible delimiters in the field with a space so that I capture each word separately. Example: 5bb2a5-bb04-460e-a7bc-abb95d07a13_Setgfub.jpg
I need to remove the extension as well; it could be anything, so .csv or .xslx or .do. I need the output as below:
5bb2a8d5 bb04 460e a7bc bb995d07a13 Setgfub
I came up with an expression which works fine, but I need this either as a regular expression or an eval expression, as I am using it for a data model.
| makeresults | eval test="ton-o-mete_r v4.pdf" | rex field=test mode=sed "s/\-|\_|\.|\(|\)|\,|\;/ /g" | eval temp=split('test'," ")
Hi all, my Splunk model is configured behind a proxy to access the Internet. The proxy will allow access to the specified URL. I want to use "Find More Apps" to download apps directly without having to download and upload SPL files. Which URL do I need to open the rule for? Thanks
I have created a .tar.gz file using Splunk tools and I am unable to upload the app; there is no error, but the file, after I choose to upload it, is not showing in the UI. Are there any file permissions expected for a .tar.gz file to upload? Also, the file has 777 permissions; I changed it to upload.
Hello, so I have to count the number of resulting fields; it doesn't go further than this. For my search I have index=example sourcetype=example source=example, and the goal is to know how many fields are extracted from the results of this search. Can anyone help, please?
We have a Splunk forwarder installed on a server where the logs were pushed to Splunk Cloud. Without any restart or any interruption, the Splunk service has stopped. Found the below log in the UF:
WARN DispatchReaper [ DispatchReaper] - Received shutdown signal during startup reaping and did not complete all reaping tasks. Reaping will be performed upon next startup.
There are no other logs related to the shutdown of the Splunk service. Any idea what could be the reason for the service shutdown?
Hello Experts, we are using AppDynamics On-prem version 23.1.3-66. Is there any best practice to exclude the App and Machine Agent installation directories from the antivirus scan? If yes, then please also provide the AppD documentation link. Thanks.