All Topics

Hello Splunkers!! With my query below I am not getting the group & error_description fields from the query. Please advise what needs to be modified in the last line of the query to get the results of those fields.

index=2313917_2797418_scada
| xpath outfield=ErrorType "//ErrorType"
| search ErrorType IN("OPERATIONAL", "TECHNICAL")
| xpath outfield=AreaID "//AreaID"
| xpath outfield=ZoneID "//ZoneID"
| xpath outfield=EquipmentID "//EquipmentID"
| xpath outfield=MIS_Address "//MIS_Address"
| xpath outfield=State "//State"
| xpath outfield=ElementID "//ElementID"
| rex field=_raw "eqtext\:Description\>(?P<description>.+)\<\/eqtext\:Description"
| rename EquipmentID as equipment ZoneID as zone AreaID as area ElementID as element State as error_status MIS_Address as error
| eval isc_id=area.".".zone.".".equipment
| search isc_id="*" area="*" zone="*" equipment="*"
| eval start_time=exact(coalesce(start_time,'_time')), _virtual_=if(isnull(virtual),"N","Y"), _cd_=replace('_cd',".*:","")
| fields + _time, isc_id, area, zone, equipment, element, error, start_time error_status
| sort 0 -_time _virtual_ -"_indextime" -_cd_
| dedup isc_id
| fields - _virtual_, _cd_
| eval _time=start_time
| lookup isc.csv id AS isc_id output statistical_subject mark_code
| lookup detail_status.csv component_type_id AS statistical_subject output alarm_severity description operational_rate technical_rate
| search alarm_severity="*" mark_code="*"
| fillnull value=0 technical_rate operational_rate
| eval start_time=exact(coalesce(start_time,'_time')), description=coalesce(description,("Unknown text for error number " . error)), error_description=((error . "-") . description), group=((isc_id . error) . start_time)
Hello! When I set up collection of Google Workspace's OAuth Token Event log using Google Workspace for Splunk, the following error occurs. The credential is valid, so other logs (drive, login, etc.) are being collected well. I would like to know the cause and solution.

error_message="'str' object has no attribute 'get'" error_type="<class 'AttributeError'>" error_arguments="'str' object has no attribute 'get'" error_filename="google_client.py" error_line_number="1242" input_guid="{input-guid-number}" input_name="token"

e.g.) Google Workspace OAuth Token Log: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/token?hl=en
Hi All, Is it possible to use Splunk for tracking logs from SAP CPQ, CPI, C4C? I couldn't find relevant information regarding this anywhere. Appreciate your help!
I am stuck at 'waiting for connection' whereas the agent connection is showing green and connected as shown in the picture below. Can somebody help me, please?   ^ Post edited by @Ryan.Paredez to edit a screenshot to redact the Controller name and URL. Please do not share your Account name or Controller URL in Community posts for security and privacy reasons.
I am using regex to extract fields from the JSON data below. I want to extract the fields as key-value pairs, especially from log.message, in the JSON data. For example, if I need the "action" field from log.message:

clusterName: cluster-9gokdwng4f
internal_tag: internal_security
log: {
  message: {"action":"EXECUTE","class":"System-Queue","eventC":"Data access event","eventT":"Obj-Open with role","timeStamp":"Wed 2024 Apr 03, 04:58:28:932"}
  stack:
  thread_name: Batch-1
  timestamp: 2024-04-03T04:58:28.932Z
  version: 1
}
}
Hi Everyone, Is anyone else having issues with the Client tab not showing the correct Server Classes for the Host Names? For example, we have Windows systems that are being labeled as Linux because we have a server class with a filter * but specific to the linux-x86_64 Machine Type. This almost gave me a heart attack because I thought the apps tied to this server class were going to replace the Windows ones. However, when I go into the server class itself, the "Matched" tab only shows the devices that match the filter, and when I check a handful of Windows devices themselves, I don't see the apps that are tied to the Linux server class. Wondering if anyone is experiencing this as well? And if so, whether a fix has been found.
Hi All, I have a requirement like this. First I need to fetch all the failed searches (let's say skipped searches) by their savedsearch_name and scheduled_time. If it is skipped at that scheduled_time, then I need to check if that scheduled_time lies between durable_cursor AND the next scheduled_time. Let's say a savedsearch_name called ABC failed (skipped) at 1712121019. So now I need to check if this failed scheduled_time value lies between the upcoming durable_cursor and next scheduled_time. The next scheduled_time is 1712121300 and in this event I see the durable_cursor value is 1712121000. Which means my failed time is covered in this run. How do I detect via a Splunk query whether my failed searches are covered or not in the next run? I tried to apply subsearch logic to get the failed savedsearch_name and scheduled_time. I can pass savedsearch_name but not the scheduled_time. So my idea is that I need to run a first query to take the failed savedsearch name and its associated failed scheduled_time. And in the second query I need to check if scheduled_time lies between durable_cursor and the next scheduled_time. How do I achieve this? Any inputs would be appreciated. Thanks
Hi, I'm Lily. I saved the chart below. But on my dashboard it is displayed as shown below. Why is it displayed differently?
Hi All, We wanted to collect Events/Metrics/Data/Logs from New Relic and send it to Splunk Enterprise and Splunk ITSI (Please provide a suitable method for this). Simultaneously, we wanted to create a new environment for Splunk Enterprise and Splunk ITSI. Please mention the suitable specification for new Splunk Enterprise and Splunk ITSI architecture.
Open the "Search & Reporting" application, and find, through SPL searches against all data, the password utilized during the PsExec activity.
Hello, I need to event-break the following events, but they have a different date format. At the beginning, only at the end, it ends with the 'keyprotectiontype' field, which sometimes has 'NA'. Additionally, it must always have the 'reason' field at the beginning.

Apr 2 22:18:08 04-02 22: 17:39#011reason=Allowed#011event_id=7353490211603742721#011protocol=HTTP#011action=Allowed#011transactionsize=345241#011responsesize=344806#011requestsize=435#011urlcategory=Operating System and Software Updates#011serverip=92.123.121.156#011requestmethod=GET#011refererURL=None#011useragent=Microsoft BITS/7.8#011product=NSS#011location=Road Warrior#011ClientIP=12.2.11.10#011status=206#011user=lvtorrea@lula.com.es#011url=2.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/20c818db-67ad-44d4-8409-4d9dd7986af1?P1=1712128627&P2=404&P3=2&P4=OEkaO+U5XHKvf+lM41oEFDeIKRAD9S6SWgch3BSzA/yxusk1LA44YVdjNg94soDh+D8bYKjPHLpS4296pI6Tcw==#011vendor=Zscaler#011hostname=dkdkdk #011clientpublicIP=1.111.120.11#011threatcategory=None#011threatname=None#011filetype=None#011appname=General Browsing#011pagerisk=0#011threatseverity=None#011department=XXXXX (1422)#011urlsupercategory=Information Technology#011appclass=General Browsing#011dlpengine=None#011urlclass=Business Use#011threatclass=None#011dlpdictionaries=None#011fileclass=None#011bwthrottle=NO#011contenttype=application/octet_stream#011unscannabletype=None#011devicehostname=MAA#011deviceowner=lvtorrea#011keyprotectiontype= Software Protection#0122024-04-02 22:17:39#011reason=Allowed#011event_id=7353490211788947457#011protocol=SSL#011action=Allowed#011transactionsize=9568#011responsesize=4934#011requestsize=4634#011urlcategory=Microsoft_WVD_URL#011serverip=20.189.173.26#011requestmethod=NA#011refererURL=None#011useragent=Unknown#011product=NSS#011location=Road Warrior#011ClientIP=192.168.0.147#011status=NA#011user=jlvaldezo@lula.com.es#011url=us-v10c.events.data.microsoft.com#011vendor=Zscaler#011hostname=dkdkdk#011clientpublicIP=1.19.72.10#011threatcategory=None#011threatname=None#011filetype=None#011appname=General Browsing#011pagerisk=0#011threatseverity=None#011department=xxxxxxx MANAGEMENT#011urlsupercategory=User-defined#011appclass=General Browsing#011dlpengine=None#011urlclass=Bandwidth Loss#011threatclass=None#011dlpdictionaries=None#011fileclass=None#011bwthrottle=NO#011contenttype=Other#011unscannabletype=None#011devicehostname=KDKD#011deviceowner=jlvaldezo#011keyprotectiontype=N/A#012202

Can you help me?
Hi there. Did you see that in many events, when expanding the event to detail, the _time field has a "+" icon at its side? Expanding it gives the detail of the created _time field. What's that? In other events I can't see the "+" icon, even on the same server/path/log. Is it some kind of: "+" == I, SPLUNK INDEXER, ELABORATED THE TIMESTAMP WITH MY ALGORITHMS BY MYSELF IN THIS WAY; clean, no "+" == automatic timestamp calculation, no elaboration, I found it already cooked? Thanks.
I am planning on teaching others how to use Splunk to search through data, similar to the Splunk Boss of the SOC challenges: https://github.com/splunk/botsv3 Similarly, I would like to export the data I generated in my Splunk instance so that students can then import it into theirs to follow along. The only way I can figure out how to do this is by running a search and using the export feature. Is there a recommendation for this?
I need to ask: if I want to move Splunk servers to another data store (vSphere), would this affect anything regarding Splunk itself?
Hi Team, can anyone help me with a Splunk search query to split the successful logins from invalid ones? Ex - I want to exclude OK from the search and see only locked out, invalid, invalid parameter. Thanks
Hi, can anyone help me with the query below? I have created a pie chart based on the error message; however, I am not sure how to add country alongside it.

index=test | iplocation Properties.ip | dedup Properties.ip | stats count by event.Properties.errMessage
Hello, how do I compare 2 source types within the same index and find the gap? For example: index=compare sourcetype=accountA and sourcetype=accountB; we have some account info in accountA but not in accountB, and the objective is to find that gap.

sourcetypeA
accid  nameA  addressA  cellA
002    test1  tadd1     1234
003    test2  tadd2     1256
003    test2  tadd2     5674
004    test3  tadd3     2345
005    test4  tadd4     4567
006    test5  tadd5     7800
006    test5  tadd5     9900

sourcetypeB
accid  nameB  addressB  cellB
002    test1  tadd1     1234
003    test2  tadd2     5674
004    test3  tadd3     2345
005    test4  tadd3     4567
006    test5  tadd5     9900

Output will be:
003    test2  tadd2     1256
006    test5  tadd5     7800

Any recommendation will be highly appreciated.
Hi, I have set up the Object and Event input configuration in the Salesforce TA. I am able to see the object logs but unable to see the event logs in Splunk Cloud. Any directions for triaging the issue? Appropriate permissions have been provided for the Salesforce user.
I have been working on decoding a base64-encoded command using the decrypt2 app. I have successfully decoded the string but am facing difficulty excluding or searching on the decoded field, and also running stats on it, which gives a "p" thing as a result.

Examples of | search NOT:

Example of stats resulting in "p":

| rex field="process" ".*-(e|E)(n|N)[codemanCODEMAN]{0,12}\ (?<process_enc>[A-Za-z\d+/=]*)?"
| decrypt field=process_enc b64 emit('process_decoded')
| stats count by process_decoded

Could someone please provide guidance on the correct syntax to exclude or search the decoded field using search NOT or using a lookup, and help clarify the "p" thing from the stats command? DECRYPT2
We have installed and configured the MS Teams app Splunk>VictorOps version 1.1.0. It is successfully posting alerts to channels that are Public or Standard channels in a private team. However, there is no option to select posting alerts to a shared channel. The channel just does not appear in the list. Is this a known limitation of the app? The integration guide here https://help.victorops.com/knowledge-base/microsoft-teams-integration-guide/ states that "Note that installing into any channel in a team will make Splunk>VictorOps available for all channels in that team." Has the app been set up to allow integration with Shared channels in MS Teams? References: https://learn.microsoft.com/en-us/microsoftteams/shared-channels https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/build-and-test/shared-channels