Hi everyone, I need an alternative for the transaction command, because it's taking too much time to load the dashboard. This is my actual data:

Botid     count
1528      1
1228      1
1015      1
1558      1
12        1
1698      1
1589.15   1
1589      1

I am looking for an output like below:

BotId                  count
1528,1228,1015,1558    1
12,1698,1589.2,1589    2

Thanks in advance.
So I want to extract the last word as a field on each search result, but want to grab only those that fulfil the following conditions: 1) the last word before a space; 2) exclude those with a period "." right after the last word. Sample events:

the current status is START system goes on …
the current status is STOP please do …..
the current status is PENDING.

My rex will extract the words from "status is " and the word right after, but if that word has a period right after it, I don't want to extract it. I have only been able to retrieve everything using the following, but not able to exclude those with a period right after:

rex field=_raw "status is\s(?<status>[^\s]+)"
Hello Team, I need help in extracting the following date and time from the log. Sample log:

-0900, 04.25.01 THU 22FEB24 nDD62320I

I need the 04.25.01 THU 22FEB24 part. Could someone please help in extracting this using rex? Any help is much appreciated.
Currently, I am switching to a higher version of the Lookup Editor app, but I am having "issues" as described below.

Ver 3.3.3 / Ver 4.0.2

Cells have values (low, medium, high, ...) that do not change the background color or text. I checked the console.log output (Ver 4.0.2) and got some logs. Can anyone give me some advice? Thank you.
May I know if there is any search query with which I can find "Indexers in license violations", or is there any information I can get regarding this directly from Splunk?
We have configured different services (cyberflows-sre, cybersec, cybervault, ...) on our server. In the AppD metric browser those services are visible as numbers (342, 343, 345, ...). How do I know (where do I find) which number corresponds to which service?
Hello, we're using PAN-OS 10.1.11 and Palo Alto Networks Add-on version 6.5.0. We want to upgrade the Add-on to 8.1.1 and would like to know the PAN-OS versions supported by Palo Alto Networks Add-on version 8.1.1. We were unable to locate this information in the Add-on release notes or installation guide. Thanks and Rgds
Hi All, I found this https://community.splunk.com/t5/Dashboards-Visualizations/9-0-5-ui-prefs-conf-Why-my-default-search-mode-in-search-page-on/m-p/652793 and in there is this:

"SplunkWeb users may experience different behaviors for the UI preferences that used to persist and show latest preferences by updating ui-prefs.conf on the fly. Now after upgrade to 9.0.5+ or 9.1.0+ its behavior changed and no longer uses ui-prefs.conf to remember the user's UI level preferences, but instead, uses the url in the request or localStorage/Web Storage."

In Firefox I found this webappsstore.sqlite in my ../Library/Application Support/Firefox/Profiles/e0fxb1hs.default-release, which is similar to the above. Is this where the ui-prefs.conf information was moved to? I've had a request from a user that wants to set the 'Selected fields', but after the upgrade to 9.1.2 the changes would be stored in a sqlite DB. Is this correct? Is there any way of changing the 'Selected fields' other than using the backend? Does this work for other apps beyond Search? TIA, Joe
Hi Folks, I'm running into trouble excluding new process creation events for Teams from being indexed. It's an expected application and starts at logon, so we're not super worried about it. I've looked at a handful of community articles, tried what was posted, and I'm stumped. My regex syntax looks fine, but Splunk still isn't excluding the events. Here's what I've tried so far:

_____inputs.conf_____
blacklist3 = EventCode="4688" new_process_name=".*Teams.exe"
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"
blacklist3 = EventCode="4688" $XmlRegex="Name=\'NewProcessName\'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe<\/Data>"

None of these have worked. I found a couple of community articles saying props.conf and transforms.conf was the proper way to filter out events, so I tried these as well:

_____props.conf_____
[WinEventLog:Security]
TRANSFORMS-null = 4688cleanup

_____transforms.conf_____
[4688cleanup]
REGEX = "Teams\.exe<\/Data>"
DEST_KEY = queue
FORMAT = nullQueue

And this:

_____transforms.conf_____
[4688cleanup]
REGEX = <EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>
DEST_KEY = queue
FORMAT = nullQueue

None of these have worked so far and I'd appreciate any input y'all have.

Here is a copy of an event I'm trying to exclude from being indexed (Teams.exe as a new process):

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:11:25.7542758Z'/><EventRecordID>4096881</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1124'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x11111111</Data><Data Name='NewProcessId'>0x5864</Data><Data Name='NewProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4604</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>

And a copy of an event we'd like to keep (Teams.exe as a parent process, but not the new process):

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:33:19.5932251Z'/><EventRecordID>4212468</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='31196'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x1111111</Data><Data Name='NewProcessId'>0x7664</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4238</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>

Events obfuscated for privacy. Like I said, the regex syntax looks fine as far as I can tell and matches in regex101, so I'm hoping it's a small thing I'm overlooking. We're running Splunk v9.1.1 if that makes any difference. Thanks! -SplunkUser5
Hello, I don't know how to simulate this using makeresults, but I have data over 10,000 rows (let's say 50,000). If I sort descending using "| sort - 0 Score", it will only give me 10,000 rows, but if I use "| sort 0 Score desc", it will give me 50,000 rows. What is the difference between using sort - and sort desc? Why does sort - limit to only 10,000? Thank you so much.

index=test | sort - 0 Score   ==> only 10,000 rows

I need to use "| sort Score desc"

Name       Score
Name1      5
Name2      0
Name3      7
Name4      0
…
Name50000  9
I recently received CA Certificates from my Organization's PKI Team. In the CSR, I provided the Server Hostname in CN and SAN, and hence when I am accessing the GUI using the hostname the connection is secure. But when I access it with the IP, it is not secure. So, do I need to provide the IP in the SAN? Is there an alternate way, so that the browser should only be able to access it through hostname:8000 and not IP:8000? Please pour in your suggestions.
Is there a way to give a user read-only access to only a specific dashboard on Splunk ES, such as the Executive Summary dashboard? Any assistance would be greatly appreciated!

*Edit: Sorry, we have the user role and user created, but we are unable to restrict it to a single dashboard. We can specify an app such as ES but have been unsuccessful in getting a default dashboard set. When you land on ES there are the "Security Posture", "Incident Review", "App Configuration", etc. settings. Would it be possible to change one of these from "Security Posture" to "Executive Summary" so that they are just a click away from the appropriate dashboard? Thank you!
I have Heavy Forwarders that are running on Windows and Linux servers that still need to be monitored. Are there best practices for what to and not to log from a Heavy Forwarder? For example, can I take my default Windows inputs.conf file from my Universal Forwarders and apply it to my Heavy Forwarders or will this cause a "logging loop" where the Heavy Forwarder is logging itself logging? I am completely guessing but maybe I could copy over my UF inputs.conf file but disable the wineventlog:application logs? What would be the equivalent on a Linux HF?
WebSphere Application Server 8.5 for z/OS SMF type record 120 support implementation
Hello, I'm looking to buy a single 5GB/day or 6GB/day Splunk Enterprise license and then divide that license up into about 30 smaller licenses for my different production use cases.  Are there any limits to the license divisions from Splunk support?  As in, will Splunk support limit the number of times I can divide a license - can I divide my 5GB license into 30 smaller licenses or is there a limit to how many divisions they'll do?  Relatedly, is there a limit to how small (in terms of daily ingestion) they'll divide my smaller licenses into?  For example, I have a few production standalone instances where I would only require 60MB/day for licensing... I've heard mixed answers to this license division question - from Splunk sales reps and Fezzes, so I'm not sure what the truth is anymore, especially now that Cisco owns Splunk. Thank you.
Hello, I'm trying to create an alert in the DEV environment that includes "DEV" in the subject, something like "Splunk Alert: DEV - MyAlert". I can't hardcode this since we deploy the same alert to PROD through GIT and we can't make corrections to the code. So I'm looking for something like (Splunk Alert: $env$ - $name$), if there is a way to implement this. My Splunk Cloud URLs: DEV: xydev.splunkcloud.com, PROD: xyprod.splunkcloud.com
I have installed the Onelogin TA and there is a sourcetype parser from that TA that has taken over everything and it is jacking the logs up (onelogin:user). Anybody know why this is happening, and how I can prevent this? 
Hi all, I'm getting this error periodically with my local Splunk Enterprise installation on Mac OS. I've resorted to just reinstalling when this happened in the past, but I'd like to avoid that and understand the cause / fix. Splunk was running but seemed to hang when I tried to restart from the web UI. After that I get this error when trying to start. If I try to stop via CLI, it says splunkd is not running. Help is very much appreciated as this is getting to be a real pain.
Can an event be searched using transaction without any index or source values? Yes or No, brief answer on selection.
I keep getting an error message when I am attempting to run this command:

* EventCode=* user=* WinEventLog:Application
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740 OR EventCode==4624,"Yes","No")
| stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"

I need to pull the applications that are running in the event viewer. I was able to pull them in a different location, but I want it to show more information along with the user information.