All Topics


Hello, I'm unable to see data / tenant data in the prod dashboards when searching by tenant ID. I cannot see the tenant ID, but it is visible in the lower domains. I have verified that all beats metrics are installed on the servers.
Hello, I'm trying to find the average response time of all events from the field totalTimeTaken. The thing is, when I tested this regular expression on a regular expression site it showed that I'm extracting the field and value correctly, but when I put the same into the Splunk statement it does not yield the expected result.

Log:

    {"Record: {"ATimeTaken":0, "BTimeTaken":0 ,"totalTimeTaken":4},{anotherFields}}

Query:

    | makeresults
    | eval _raw="\"totalTimeTaken\":4"
    | rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
    | stats avg(Response_Time)

Could I know where I'm going wrong?
I tried to whitelist an IP address for HEC log ingestion and got the error message "Subnet overlaps Private IP block". Does anyone know what this means? Thanks
I'm getting this error message in the log file: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=. According to this page, https://splunk.github.io/addonfactory-solutions-library-python/credentials/#solnlib.credentials.CredentialNotExistException , this is due to the username not being valid. I'm trying to work out how to get what is passed to credentials.py, since the information in the username doesn't make sense to me. Is there any way of debugging credentials.py? I tried to put print statements in, but the TA UI didn't like it; I had to remove the print statements to get the UI working again. I've tried debugging via the command line, but I always get stuck at this point: session_key = sys.stdin.readline().strip(). I can't work out what I need to do to see where the user information is coming from. Any help on how I can debug this? TIA, Joe
I am trying to create a dashboard to examine group policy processing errors. I would like to create a drop-down based on the values returned for EventCode, which is the Windows EventID.

1. How do I create a dynamic drop-down to show the EventIDs (EventCode) returned by the search?
2. I see you can enter a whole new search, but technically that is different from the main search, right? How do I base it on the main search?
3. What are Label (fieldForLabel) and Value (fieldForValue) for? Why are they required?

<form version="1.1" theme="light">
  <label>GP Errors</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="Computername">
      <label>Computer Name</label>
      <default>*</default>
    </input>
    <input type="dropdown" token="EventID">
      <label>Event ID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>EventID</fieldForLabel>
      <fieldForValue>EventID</fieldForValue>
      <search>
        <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error | stats count by EventCode | rename EventCode AS EventID</query>
        <earliest>-90m@m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=winevent source="WinEventLog:System" SourceName="Microsoft-Windows-GroupPolicy" Type=Error host=$Computername$ EventCode=$EventID$ | table host, EventCode, Message, _time | rename host AS Host, EventCode AS EventID | sort _time desc</query>
          <earliest>-90m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
We want all the hosts in index=aws that are NOT in index=windows. Example:

    | tstats count where index=aws by host | table host | search NOT [| tstats count where index=windows by host | table host]
Hi all, we have a Splunk Intermediate Forwarder (Heavy Forwarder) set up to receive logs from Universal Forwarders that sit in different networks. The forwarding is working fine for logs, as we can see the internal logs and Windows Events in our index cluster. The issue is with the Windows performance metrics, which aren't in our performance metrics indexes. I can see from the internal logs that the Universal Forwarders are collecting the metrics, as these are being forwarded successfully. Any suggestions would be helpful.
Hello all, I need the logs from my security index to be sent to my S3 SmartStore bucket after 1 month, but they should still be accessible for another 5 months.
Hi, the app https://splunkbase.splunk.com/app/5530 shows that it's cloud compatible, but it fails the vetting process during installation.
I have a Windows service called "ess". Due to a network glitch the service is entering the stopped state and then the started state. Since a Windows event is generated for the network glitch, an event is recorded in Splunk. But when the service ess is really down and never entered the running state, we need to be alerted. I want to write a Splunk alert that fires only when the service ess went into the stopped state but never entered the running state, for 25 hosts. The same service is running on 25 hosts and all servers have network glitches.
Using props.conf I'm able to extract the fields, but on the Splunk dashboard the data is not visible for the time 05:26 pm while data is visible for 05:27 pm; if I check after 2-3 minutes the entry at 05:26 pm becomes visible. On the dashboard the default time range is the last 15 minutes.
Hi guys, thanks in advance. How do I change the background colour of a tab when I click on it and it becomes active? Currently it shows as active on click, but I also want to change the background colour when clicking on the tab.

#input_link_split_by.input-link button {
    width: 120px !important;
    border-top-color: rgb(255, 255, 255);
    border-top-style: solid;
    border-top-width: 1px;
    border-right-color: rgb(255, 255, 255);
    border-right-style: solid;
    border-right-width: 1px;
    border-left-color: rgb(255, 255, 255);
    border-left-style: solid;
    border-left-width: 1px;
    border-top-left-radius: 10px;
    border-top-right-radius: 10px;
}
Hi guys, thanks in advance. I have case conditions to be matched in my Splunk query, based on the message and the correlationID. I want to show JobType and Status. In Status I added a case to match the conditions against the message field. For all three environments the message is the same; only the environment name differs, and I added all three to the case. So how can we use a wildcard in the case statement, or is there any other solution to shorten the query?

(message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur")
(message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")
| transaction correlationId
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName
| eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"), "OnDemand", like('message',"%Exchange Rates Scheduler process started%"), "Scheduled", true(), "Unknown")
| eval Status=case(like('message',"%Exchange Rates Process Completed. File successfully sent to Concur%"), "SUCCESS", like('message',"%TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"), "SUCCESS", like('message',"%DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"), "SUCCESS", like('message',"%PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"), "SUCCESS", like('TracePoint',"%EXCEPTION%"), "ERROR")
Is there anyone who has integrated Azure WAF with Splunk? If yes, let me know which app or add-on you used.
This is my JSON data. How should I write a query to directly traverse to the last parentProcess and then provide the complete process chain? Like this:

time: 2024-03-07T07:46:27Z
username: randomuser:staff
processInfo: bash
processInfo.pid: 51097
processChain: /bin/bash -c pmset -g batt ← %APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1 /Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched ← %APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2 /Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched ← /sbin/launchd ← /sbin/launchd ← kernel_task ← kernel_task

I don't know how to search... please help me, thank you! This is my JSON data:

{
  "timestamp": "2024-03-07T07:46:27Z",
  "eventName": "ProcessEvent",
  "computer": {
    "name": "randomMacBook-Pro.local",
    "uuid": "9b85f341-3a24-4f70-a371-8863f8a72f1c"
  },
  "processInfo": {
    "imageName": "bash",
    "pid": 51097,
    "systemProcess": false,
    "imagePath": "/bin/bash",
    "commandLine": "-c pmset -g batt",
    "exeHash": { "sha1": "87FD78930606102F09D607FC7305996CEFA6E028", "sha256": null },
    "sid": "",
    "username": "randomuser:staff",
    "sidNameUse": 0,
    "startTime": "2024-03-07T07:46:27Z",
    "currentDirPath": "/",
    "isCompromised": false,
    "lnkPath": "",
    "parentProcess": {
      "imageName": "randomprocess1",
      "pid": 51097,
      "systemProcess": false,
      "imagePath": "%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1",
      "commandLine": "/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched",
      "exeHash": { "sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E", "sha256": null },
      "sid": "",
      "username": "randomuser:staff",
      "sidNameUse": 0,
      "startTime": "2024-03-07T07:46:27Z",
      "currentDirPath": "/",
      "isCompromised": false,
      "lnkPath": "",
      "parentProcess": {
        "imageName": "randomprocess2",
        "pid": 603,
        "systemProcess": false,
        "imagePath": "%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2",
        "commandLine": "/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched",
        "exeHash": { "sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E", "sha256": null },
        "sid": "",
        "username": "randomuser:staff",
        "sidNameUse": 0,
        "startTime": "2024-03-01T08:02:32Z",
        "currentDirPath": "/",
        "isCompromised": false,
        "lnkPath": "",
        "parentProcess": {
          "imageName": "launchd",
          "pid": 603,
          "systemProcess": false,
          "imagePath": "/sbin/launchd",
          "commandLine": "",
          "exeHash": { "sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176", "sha256": null },
          "sid": "",
          "username": "root:wheel",
          "sidNameUse": 0,
          "startTime": "2024-03-01T08:02:32Z",
          "currentDirPath": "/",
          "isCompromised": false,
          "lnkPath": "",
          "parentProcess": {
            "imageName": "launchd",
            "pid": 1,
            "systemProcess": false,
            "imagePath": "/sbin/launchd",
            "commandLine": "",
            "exeHash": { "sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176", "sha256": null },
            "sid": "",
            "username": "root:wheel",
            "sidNameUse": 0,
            "startTime": "2024-03-01T07:57:30Z",
            "currentDirPath": "/",
            "isCompromised": false,
            "lnkPath": "",
            "parentProcess": {
              "imageName": "kernel_task",
              "pid": 1,
              "systemProcess": true,
              "imagePath": "kernel_task",
              "commandLine": "",
              "exeHash": { "sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659", "sha256": null },
              "sid": "",
              "username": "root:wheel",
              "sidNameUse": 0,
              "startTime": "2024-02-27T10:17:35Z",
              "currentDirPath": "",
              "isCompromised": false,
              "lnkPath": "",
              "parentProcess": {
                "imageName": "kernel_task",
                "pid": 0,
                "systemProcess": true,
                "imagePath": "kernel_task",
                "commandLine": "",
                "exeHash": { "sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659", "sha256": null },
                "sid": "",
                "username": "root:wheel",
                "sidNameUse": 0,
                "startTime": "2024-02-27T10:17:35Z",
                "currentDirPath": "",
                "isCompromised": false,
                "lnkPath": ""
              }
            }
          }
        }
      }
    }
  },
  "eventType": "Process/PosixExec"
}
Hi, I have a Web data model which I recently got mapped to the dest field. The issue is that even though every event has a dest in the index from which I am pulling data into the data model, I still see a lot of values of unknown for dest while running the stats or tstats command. I can see the dest field when I specifically search for it within the data model with a src IP. Can anyone help me understand how to rectify that? Thanks.
Hi all, I have seen that pass4SymmKey is optional when enabling indexer clustering. Some say that if someone knows this value, they can access the entire cluster, and that it is necessary to choose a complex value for it. Could you clarify whether this value should be complex, and whether a simple one could cause a security breach or not? If someone knows this value, can it be a threat to the cluster and let them gain access to the cluster or not? Thank you
When we create a notable, we want to use certain fields such as source IP and destination IP. When I create the rule and add these fields as $src$ and $dest$ in Enterprise Security 7.0.0 it works, but in 7.3.0 it does not show any result.
Hello all, I have an index = Application123 which contains a unique ID known as TraceNumber. For each trace number we have errors, exceptions and return codes. We have a requirement to summarize these in a table like the one below: if an error is found in the index, the table value should be YES, otherwise NO. Same for Exception: if an exception is found, the table should show YES, otherwise NO. Note that the errors, exceptions and return codes are in the content of the index in the field Message log.

TraceNumber   Error   Exception   ReturnCode
11111         YES     NO          YES
1234          YES     NO          YES

Any help would be appreciated.
Hi team, as I mentioned, the payload field contains entity-internal-id and lead-id in array format. I want to print a separate event with one lead and one entity internal ID present, and the rest of the values will be printed in the next event, respectively. Kindly suggest here.

correlation_id: ********
custom_attributes: {
     campaign-id: ****
     campaign-name: ******
     country:
     entity-internal-id: [
        12345678
        87654321
     ]
     lead-id: [
        11112222
        33334444
     ]
     marketing-area: *****
     record_count:
     root-entity-id: 2
}