Hi guys, thanks in advance. How do I change the background colour when I click on a tab so that it shows as active? Right now it shows as active on click, but I also want to change the background colour when clicking on the tab.

#input_link_split_by.input-link button {
    width: 120px !important;
    border-top-color: rgb(255, 255, 255);
    border-top-style: solid;
    border-top-width: 1px;
    border-right-color: rgb(255, 255, 255);
    border-right-style: solid;
    border-right-width: 1px;
    border-left-color: rgb(255, 255, 255);
    border-left-style: solid;
    border-left-width: 1px;
    border-top-left-radius: 10px;
    border-top-right-radius: 10px;
}
Hi guys, thanks in advance. I have case conditions to match in my Splunk query, based on the message field and grouped by correlationId. I want to show JobType and Status. In Status I added a case statement to match the conditions against the message field. For all three environments the message is the same; only the environment name differs. I added all three in the case statement. So how can we use a wildcard in the case statement, or is there another solution to shorten the query?

(message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur")

(message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")
| transaction correlationId
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName
| eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"), "OnDemand", like('message',"%Exchange Rates Scheduler process started%"), "Scheduled", true(), "Unknown")
| eval Status=case(like('message',"%Exchange Rates Process Completed. File successfully sent to Concur%"), "SUCCESS", like('message',"%TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"), "SUCCESS", like('message',"%DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"), "SUCCESS", like('message',"%PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"), "SUCCESS", like('TracePoint',"%EXCEPTION%"), "ERROR")
Is there anyone who has integrated Azure WAF with Splunk? If yes, let me know which app or add-on you used.
This is my JSON data. How should I write a query to traverse directly to the last parentProcess and then produce the complete process chain? Like this:

time: 2024-03-07T07:46:27Z
username: randomuser:staff
processInfo: bash
processInfo.pid: 51097
processChain: /bin/bash -c pmset -g batt ← %APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1 /Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched ← %APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2 /Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched ← /sbin/launchd ← /sbin/launchd ← kernel_task ← kernel_task

I don't know how to search. Please help me, thank you! This is my JSON data:

{
  "timestamp": "2024-03-07T07:46:27Z", "eventName": "ProcessEvent",
  "computer": { "name": "randomMacBook-Pro.local", "uuid": "9b85f341-3a24-4f70-a371-8863f8a72f1c" },
  "processInfo": { "imageName": "bash", "pid": 51097, "systemProcess": false, "imagePath": "/bin/bash", "commandLine": "-c pmset -g batt", "exeHash": { "sha1": "87FD78930606102F09D607FC7305996CEFA6E028", "sha256": null }, "sid": "", "username": "randomuser:staff", "sidNameUse": 0, "startTime": "2024-03-07T07:46:27Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
    "parentProcess": { "imageName": "randomprocess1", "pid": 51097, "systemProcess": false, "imagePath": "%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1", "commandLine": "/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched", "exeHash": { "sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E", "sha256": null }, "sid": "", "username": "randomuser:staff", "sidNameUse": 0, "startTime": "2024-03-07T07:46:27Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
      "parentProcess": { "imageName": "randomprocess2", "pid": 603, "systemProcess": false, "imagePath": "%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2", "commandLine": "/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched", "exeHash": { "sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E", "sha256": null }, "sid": "", "username": "randomuser:staff", "sidNameUse": 0, "startTime": "2024-03-01T08:02:32Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
        "parentProcess": { "imageName": "launchd", "pid": 603, "systemProcess": false, "imagePath": "/sbin/launchd", "commandLine": "", "exeHash": { "sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176", "sha256": null }, "sid": "", "username": "root:wheel", "sidNameUse": 0, "startTime": "2024-03-01T08:02:32Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
          "parentProcess": { "imageName": "launchd", "pid": 1, "systemProcess": false, "imagePath": "/sbin/launchd", "commandLine": "", "exeHash": { "sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176", "sha256": null }, "sid": "", "username": "root:wheel", "sidNameUse": 0, "startTime": "2024-03-01T07:57:30Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
            "parentProcess": { "imageName": "kernel_task", "pid": 1, "systemProcess": true, "imagePath": "kernel_task", "commandLine": "", "exeHash": { "sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659", "sha256": null }, "sid": "", "username": "root:wheel", "sidNameUse": 0, "startTime": "2024-02-27T10:17:35Z", "currentDirPath": "", "isCompromised": false, "lnkPath": "",
              "parentProcess": { "imageName": "kernel_task", "pid": 0, "systemProcess": true, "imagePath": "kernel_task", "commandLine": "", "exeHash": { "sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659", "sha256": null }, "sid": "", "username": "root:wheel", "sidNameUse": 0, "startTime": "2024-02-27T10:17:35Z", "currentDirPath": "", "isCompromised": false, "lnkPath": "" }
            }
          }
        }
      }
    }
  },
  "eventType": "Process/PosixExec"
}
Hi, I have a Web data model that I recently got mapped with the dest field. The issue is that even though every event has a dest in the index from which I am pulling data into the data model, I still see a lot of fields with the value unknown for dest while running stats or tstats commands. I can see the dest field when I specifically search for it within the data model with a src IP. Can anyone tell me how I can rectify that? Thanks.
Hi all, I have seen that pass4symmkey is optional when enabling indexer clustering. Some say that if someone knows this value, they can access the entire cluster, and that it is necessary to choose a complex value for it. Could you clarify whether this value should be complex, and whether a simple value could cause a security breach? If someone knows this value, can that be a threat to the cluster and give them access to it? Thank you.
When we create a notable, we want to use certain fields such as source IP and destination IP. When I create the rule and add these fields as $src$ and $dest$ in Enterprise Security 7.0.0 it works, but in 7.3.0 it does not show any result.
Hello all, I have an index, Application123, that contains a unique ID known as TraceNumber. For each TraceNumber we have errors, exceptions and return codes. We have a requirement to summarize them in a table like the one below: if an error is found in the index, the table value should be YES; if not found, it should be NO. The same applies to Exception: if an exception is found the table should show YES, otherwise NO. Note that errors, exceptions and return codes are in the content of the index under the field "Message log".

TraceNumber   Error   Exception   ReturnCode
11111         YES     NO          YES
1234          YES     NO          YES

Any help would be appreciated.
Hi team, I mentioned that the payload field contains the entity-internal-id and lead-id in array format. I want to print a separate event with one lead-id and one entity-internal-id present, and the rest of the values printed in the next event, respectively. Kindly suggest here.

correlation_id: ********
custom_attributes: {
    campaign-id: ****
    campaign-name: ******
    country:
    entity-internal-id: [
        12345678
        87654321
    ]
    lead-id: [
        11112222
        33334444
    ]
    marketing-area: *****
    record_count:
    root-entity-id: 2
}
Hello, how do I change the font size of the y-values in a Splunk dashboard bar chart? I tried:

<html>
  <style>
    #rk g[transform] text {
      font-size: 20px !important;
      font-weight: bold !important;
    }
    g.highcharts-axis.highcharts-xaxis text {
      font-size: 20px !important;
    }
    g.highcharts-axis.highcharts-yaxis text {
      font-size: 20px !important;
    }
  </style>
</html>
Our pro license has expired and I wanted to check on the procedure for the upgraded license file.
I have two counter streams, and I would like to display them as a percentage, B/(B+C), in the chart, but it always gives me an error.

B = data('prod.metrics.biz.l2_cache_miss', rollup='rate', extrapolation='zero').publish(label='B')
C = data('prod.metrics.biz.l2_cache_hit', rollup='rate', extrapolation='zero').publish(label='C')

How can I create a new metric out of these two to find either the cache hit or the cache miss percentage?
Hi all, I am attempting to use the lookup table "is_windows_system_file" with the following SPL, where Processes.process_name needs to match the filename from the lookup table. Once these results are obtained, I then want to see which processes are not running from C:\Windows\System32 or C:\Windows\SysWOW64.

| tstats `summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name=* by Processes.aid Processes.dest Processes.process_name Processes.process _time
Has anyone tried this integration? I am facing issues while integrating using this app: https://splunkbase.splunk.com/app/6535 . The add-on only pulls the activity once from our TFS server and does not pull it continuously at the configured interval. No errors are observed in the internal logs. Has anyone tried using this add-on for this integration? Azure DevOps (Git Activity) - Technical Add-On
Hey experts, I am encountering an issue with using filter tokens in a specific row on my dashboard. I have two filters named ABC and DEF; the token for ABC is $abc$ and for DEF it is $def$. I want to pass these tokens only to one specific row, while for the others I want to reject them. For the rows where I need to pass the tokens, I have used the following syntax:

<row depends="$abc$ $def$"></row>

For the row where I don't want to use the tokens, I have used the following syntax:

<row rejects="$abc$ $def$"></row>

However, when I use the rejects condition, those rows are hidden. I want these rows to still be visible. Any help or example queries would be greatly appreciated. Thank you!
Hi all, @ITWhisperer @renjith_nair @woodcock

From the above "Textbox" input and panel for (_time, EventID, Server, Message, Severity), the "Textbox" settings are:

<input type="text" token="eventid" searchWhenChanged="true">
  <label>Search EventID</label>
</input>

When I search in the "Textbox" using an "EventID", it displays results based on the EventID values. However, when I search using other parameters such as "_time", "Server", "Message" or "Severity", it does not retrieve any results. Can anyone assist me with creating a conditional search for any of the following fields in the above table: _time, EventID, Server, Message or Severity? When I search for any value in these fields, I want the corresponding records to be displayed. I need the settings either in the UI or in the source.
Hi team, I want to calculate the peak hourly volume of each month for each service. Each service can have a different peak time, so I first need to calculate the peak hour of each component for the month. Likewise, calculate this for the last 3 months, then calculate the average of the 3 months' peak hourly volumes. The table below is the sample requirement.

            January-24   February-24   March-24   Avg Volume
service1    20           50            20         30
service2    4            3             8          5
service3    20           30            40         30
service4    30000        30000         9000       23000
service5    200          300           400        300
I'm using Splunk Enterprise 9 with Universal Forwarder 9 on Windows. I'd like to monitor several structured log files but only ingest specific lines from these files (basically each line begins with a well-defined string, so it is easy to create a matching regular expression or a simple match against it). I'm wondering where this can be achieved. Q: Can the UF do this natively, or do I need to monitor the file as a whole and then drop certain lines at the indexer?
Hello Splunk Community, I'm encountering an issue with the SA-cim_validator add-on where it returns no results, and I'm hoping someone here can help me troubleshoot this further. Here's what I've done so far:

- Confirmed that the app has read access for all users and write access for admin roles.
- Checked that the configuration files are correctly set up.
- Splunk Common Information Model (Splunk_SA_CIM) is installed and up to date.
- Verified that the indexes and sourcetypes specified in the queries are present and contain data.
- Reviewed time ranges to include periods with log generation.
- Ensured that data models are accelerated as needed.
- Looked through Splunk's internal logs for any errors related to the SA-cim_validator but found nothing.

Despite these steps, every time I run a search query within the CIM Validator, such as index=fortigate sourcetype=fortigate_utm, it yields no results, regardless of the indexes, targeted data model or search parameters I use. Does anyone have any insights or suggestions on what else I can check, or any known issues with the add-on? Any assistance would be greatly appreciated! Thank you, Alex_Mics
What is the version of Python in Splunk 9.2? We are currently on Splunk 9.1.0.2, and that version of Python (3.7.16) is already EOL. In our environment, we need to be on a supported version of Python.