Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi Team, I have the below JSON string coming as an event in Splunk logs. After `data`, the next field could be a, b, c or d. I want to read the x and y fields. How do I write a single spath query like:

```
| spath input=inputJson path="data.{*}.x"
```

```
{data : {a : { x: { } y: { }}} }
{data : {b : { x: { } y: { }}} }
{data : {c : { x: { } y: { }}} }
{data : {d : { x: { } y: { }}} }
```
Hello Experts, just want to have clarity on the below points.

1. Is the AppD DB agent capable of detecting ORA errors in Oracle DB?
2. If yes, can we detect the ORA-00600 error via the AppD DB agent?

Please let us know the process for the same.
Hello, I need to exclude and prevent the ingestion of data when these events occur. I'm using the TA_Linux and this event is from /var/log/audit/audit.log. Can you help me?

```
node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180153.753:128962293): arch=c000003e syscall=87 success=yes exit=0 a0=7fb15c2fae20 a1=7fb0ea759e80 a2=7fb15c2fae20 a3=7fb1c0097b71 items=2 ppid=1 pid=1990 auid=3001 uid=3001 gid=3001 euid=3001 suid=3001 fsuid=3001 egid=3001 sgid=3001 fsgid=3001 tty=(none) ses=1 comm="elasticsearch[n" exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete-successful"
```

Regards
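The record in the post is a SYSCALL audit event (syscall 87 on x86_64 is unlink) tagged with the audit key `delete-successful`. As an added example, not part of the post and not code from the TA, the Python below tokenises Linux audit records and applies a narrow drop rule to two sample lines: the post's own event and a constructed root `rm` event that carries the same audit key and must be kept. The rule keys on `exe` and `key` rather than `comm`, because the kernel truncates `comm` to 15 characters (hence `elasticsearch[n`), so `comm` is not a reliable discriminator and a looser match would silently discard other deletions. The sourcetype name `linux_audit` in the comment is an assumption about the TA's props stanza.

```python
import re

# Tokenises the key=value fields of a Linux audit record. Values may be bare
# (uid=3001), double-quoted (comm="...") or parenthesised (tty=(none)).
_KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_audit_record(line):
    """Return the record's fields as a dict; double-quoted values are unquoted."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


# Hypothetical drop rule for the event in the post: every listed field must
# match exactly. exe is used instead of comm because comm is truncated by the
# kernel; key alone would also drop unrelated deletions (see SAMPLE[1]).
DROP_RULES = [
    {
        "type": "SYSCALL",
        "key": "delete-successful",
        "exe": "/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java",
    },
]


def should_drop(line, rules=DROP_RULES):
    """True if the record matches any drop rule (all fields of one rule equal)."""
    fields = parse_audit_record(line)
    return any(all(fields.get(k) == v for k, v in rule.items()) for rule in rules)


def filter_records(lines, rules=DROP_RULES):
    """Return only the records that would still be indexed."""
    return [line for line in lines if not should_drop(line, rules)]


# Equivalent Splunk-side drop, assuming the TA assigns sourcetype linux_audit:
#   props.conf       [linux_audit]
#                    TRANSFORMS-drop_es_unlink = drop_es_unlink
#   transforms.conf  [drop_es_unlink]
#                    REGEX = type=SYSCALL .*exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" .*key="delete-successful"
#                    DEST_KEY = queue
#                    FORMAT = nullQueue

# Sample input: SAMPLE[0] is the event quoted in the post; SAMPLE[1] is a
# constructed record (root running rm from a terminal) that must be kept.
SAMPLE = [
    'node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180153.753:128962293): arch=c000003e syscall=87 success=yes exit=0 a0=7fb15c2fae20 a1=7fb0ea759e80 a2=7fb15c2fae20 a3=7fb1c0097b71 items=2 ppid=1 pid=1990 auid=3001 uid=3001 gid=3001 euid=3001 suid=3001 fsuid=3001 egid=3001 sgid=3001 fsgid=3001 tty=(none) ses=1 comm="elasticsearch[n" exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete-successful"',
    'node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180200.001:128962300): arch=c000003e syscall=87 success=yes exit=0 a0=55d1c0a0 a1=0 a2=0 a3=0 items=2 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete-successful"',
]

if __name__ == "__main__":
    for kept in filter_records(SAMPLE):
        print("kept:", parse_audit_record(kept)["exe"])
```

Before shipping the transforms stanza, run the regex over a day of audit.log and review what it matches; a nullQueue rule is a permanent gap in the audit trail, so it should drop exactly the noisy process and nothing else.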
The Config page in my TA-dmarc app is not loading after migration...
Hi all, I need to clarify the correlation searches within SOAR. Is there any way to identify them?
Hi, I want to refresh a lookup file daily. How do I do this? My file type is csv and in a file server. Thanks,
Recently upgraded my Splunk HF to Splunk Enterprise 9.1. Also upgraded the Splunk TA add-on for New Relic. Previous TA version 2.1.0, new TA version 2.1.6. After the upgrade the TA is not able to make the API call to New Relic and is failing with the error "invalid api key". I confirmed the API key is correct and I am able to call it from another client.
Error rate and Target - need to display Target number for latest week only.

Hi, I have results for Error rate and Target for the last 12 weeks, and in the visualization the Target numbers are interfering with the error rate in the graph above. Is there any way to project Target for only the latest week from the 12 weeks of data and project the green line for 12 weeks, so it won't interfere with the error rate numbers? Splunk query below.

```
index=equipment_error reporttype=p_scada description="No case found with the expected dimensions" OR description="Flight Path Occupied" OR description="Place Position Occupied" OR description="Tray pattern does not comply" AND mark_code=TPO earliest=-12w@w1 latest=-0@w1
| eval APAL=substr(isc_id,2,2)
| append [
    | search index=internal_statistics_1h earliest=-12w@w1 latest=-0w@w1
        [| inputlookup internal_statistics
         | where report="Throughput" AND level="step" AND step="Pallet building" AND measurement IN("Case")
         | fields id
         | rename id AS statistic_id]
    | eval value=coalesce(value,sum_value)
    | fields statistic_id value group_name location
    | eval _virtual_=if(isnull(virtual),"N","Y"), _cd_=replace(_cd, ".*:", "")
    | sort 0 -_time _virtual_ -"_indextime" -_cd_
    | dedup statistic_id _time group_name
    | fields - _virtual_ _cd_
    | lookup internal_statistics id AS statistic_id OUTPUTNEW report level step measurement
    | eval location=substr(location,12), location="CaseQty".location
    | timechart span=1w@1 sum(value) BY location limit=0
    | addtotals]
| timechart span=1w@1 count(isc_id) as ErrorQty sum(Total) as CaseQty values(mark_code) as mark_code
| eval ErrorRate=round((ErrorQty/CaseQty)*10000,1)
| fillnull value=0
| eval Target="5"
| table _time ErrorRate Target
| where ErrorRate>0.001
```

Appreciate help and thanks in advance.
I want to query the user dataset using the `from datamodel` command. I know how to use nodename in the tstats command. When I run SPL as shown below, an error appears.

```
| from datamodel: test_01.evtid.user
```

If you know how, please reply.
Hi Splunk experts, I'm a Splunk beginner. I need help with a requirement. I have fields named 'location', 'login' and 'desk' with the following values:

```
location  login  desk
AA        1      0
BB        1      0
CC        0      10
DD        1      1
EE        0      1
```

My goal is to create a new location called 'ABC', which should be the sum of all four locations (AA, BB, CC, DD). I've tried the following search, but it's not summing up all four locations:

```
| appendpipe [search AA BB CC DD | eval location="ABC"]
| stats sum(login) as login by desk
```

Please guide me on how to achieve this. Thank you.
The goal is to fire off an alert if there is a lag in metrics for a given index. I can calculate this for each "app" which is reporting metrics:

```
| mstats latest_time(application_ready_time.value) as latest_ts where index=my-metrics-index host=some-host by app.name
| eval past_threshold=if(now() - latest_ts >= 30, "Y", "N")
| eval latest=strftime(latest_ts, "%Y-%m-%d %H:%M:%S")
| table app.name latest past_threshold x
```

This works, but next I would like to limit the results to only certain values of `app.name`. For instance, only return a result where `in(app.name, "app1", "app2")` and where `past_threshold="Y"`. In that case, we've detected that the "important" apps have lagged in metric reporting and can trigger an alert. I assume I need to use a subsearch but I could not get it to work / I'm not sure on the proper formatting. Thank you.
I have 3 panels for a dropdown menu.

If A is selected:
- Panel 1 shows Search A
- Panel 2 shows Title and the link to URL
- Panel 3 shows another search of its own (if "drop down" selected is A)

If B is selected:
- Panel 1 shows Search B
- Panel 2 disappears
- Panel 3 disappears

If C is selected:
- Panel 1 shows Search C
- Panel 2 disappears
- Panel 3 disappears

If D is selected:
- Panel 1 shows Search D
- Panel 2 disappears
- Panel 3 disappears

```xml
<input type="dropdown" token="tokenSearchOption1" searchWhenChanged="true">
  <label>Sources</label>
  <choice value="A">A</choice>
  <choice value="B">B</choice>
  <choice value="C">C</choice>
  <choice value="D">D</choice>
  <change>
    <condition value="A">
      <set token="tokenSearchQuery">index= search query A</set>
    </condition>
    <condition value="B">
      <set token="tokenSearchQuery">index= search query B</set>
    </condition>
    <condition value="C">
      <set token="tokenSearchQuery">index=search query C</set>
    </condition>
    <condition value="D">
      <set token="tokenSearchQuery">index= search query D</set>
    </condition>
  </change>
  <!-- initialValue must equal a choice value; "A" with quotes matches none -->
  <initialValue>A</initialValue>
</input>
</panel>
</row>
<row>
  <panel id="URL test">
    <title>Title URL</title>
    <html>
      <!-- <style> .dashboard-row Title .dashboard-panel h2.panel-title { font-size: 40px !important; text-align:left; font-weight:bold; } </style>-->
      <center>
        <style>.btn-primary { margin: 5px 10px 5px 0;font-size: 40px !important; }</style>
        <a href="URL for a website" target="blank" class="btn btn-primary"> Click here </a>
      </center>
    </html>
  </panel>
</row>
<row>
  <panel depends=dropdown A>
    <title>Magic</title>
    <table>
      <search>
        <query>Index=Run this search when drop down A </query>
        <earliest>$tokTime.earliest$</earliest>
        <latest>$tokTime.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
      <option name="wrap">false</option>
    </table>
  </panel>
```
I am installing a new Splunk server on Windows using the trial subscription for now, which may be changed to the free license later. I have data from another Splunk for Windows server that I would like to restore to the new instance. What is the process for doing that? Thanks, Leo
Hi All, I am trying to get ratings and reviews information of an app in the Google Play store into Splunk using the website input app. Unlike the Apple app store, I am unable to identify the CSS selector for the values of reviews and ratings. Could someone please help? TIA, Nithin
I need to find newly added hosts using lookup files. The solutions in the blog didn't work for me. I will create a lookup file with all my hosts (I did). If any new host is added, it should be displayed. Any help will be appreciated.
Having issues with fetching investigations in Incident Review. The investigation is added for the alert, but when accessing the alert I get the error "There was an error fetching related investigations" under Related Investigations. My assumption is that it is a permissions issue, since admins are able to view it with no problems. However, it appears that all the permissions that are needed are in place. Any help is greatly appreciated.

Follow-up question: is there a way to auto-add notables to investigations that share the same artifacts?
Hi all, how can we resolve the issue of the Cycognito correlation search not triggering any alerts in Splunk over the past month?

```
index= cycog sourcetype="cycognito:issue" severity="Critical"
| stats count, values(affected_asset) as affected_asset, values(title) as title, values(summary) as description, values(severity) as severity, values(confidence) as confidence, values(detection_complexity) as detection_complexity, values("evidence.evidence") as evidence, values(exploitation_method) as exploitation_method, earliest(first_detected) as first_detected, latest(last_detected) as last_detected, values(organizations) as organization by cycognito_id
| eval date_found=strptime(first_detected,"%Y-%m-%dT%H:%M:%S.%QZ")
| eval control_time = relative_time(now(), "-24h")
| where date_found > control_time
```

Thanks in advance.
Given that per host there are 2 events logged, one indicating a transition to active and one indicating a transition to inactive, I can't figure out a query that can accurately do this per host given the following stipulations:

1. Given the first event within the query time range, it can be assumed the host was in the opposite state prior.
2. Only calculate transitions between the 2 states; if there are multiple same events within transitions, calculate from the time of the first occurring.
3. Include the latest condition up until the time the search is run.
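The three stipulations above define a small state-machine calculation, so here is an added worked example in Python (not the poster's code, and not a Splunk query) that implements them on constructed events and reports, per host, the seconds spent in each state and the intervals they came from. Event tuples, host names, timestamps, the range start and the "now" value are all made up for the example; in Splunk the same bookkeeping would normally be built with streamstats over events sorted by host and time.

```python
from collections import defaultdict
from datetime import datetime

OPPOSITE = {"active": "inactive", "inactive": "active"}


def state_durations(events, range_start, now):
    """Seconds each host spent active and inactive between range_start and now.

    events: iterable of (timestamp, host, state) with state in OPPOSITE.
    Rules, in the order the post lists them:
      1. before its first in-range event a host is assumed to have been in
         the opposite state, so range_start..first_event is credited there;
      2. a repeated same-state event is not a transition; the first occurrence
         fixes the boundary and later repeats are ignored;
      3. the last known state runs until `now` (the search run time).
    Events outside [range_start, now] are ignored.
    """
    per_host = defaultdict(list)
    for ts, host, state in sorted(events):
        if range_start <= ts <= now:
            per_host[host].append((ts, state))

    result = {}
    for host, evs in per_host.items():
        totals = {"active": 0.0, "inactive": 0.0}
        intervals = []                       # (start, end, state)
        _, first_state = evs[0]
        cur_state = OPPOSITE[first_state]    # rule 1
        since = range_start
        for ts, state in evs:
            if state == cur_state:           # rule 2: not a transition
                continue
            totals[cur_state] += (ts - since).total_seconds()
            intervals.append((since, ts, cur_state))
            cur_state, since = state, ts
        totals[cur_state] += (now - since).total_seconds()   # rule 3
        intervals.append((since, now, cur_state))
        result[host] = {"totals": totals, "intervals": intervals}
    return result


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: hostA logs a duplicate "active" at 00:20 that must not
# count as a transition; hostB's first event is "inactive", so it is assumed
# active from the range start.
SAMPLE_EVENTS = [
    (_t("2024-02-05 00:10:00"), "hostA", "active"),
    (_t("2024-02-05 00:20:00"), "hostA", "active"),
    (_t("2024-02-05 00:30:00"), "hostA", "inactive"),
    (_t("2024-02-05 00:45:00"), "hostA", "active"),
    (_t("2024-02-05 00:15:00"), "hostB", "inactive"),
    (_t("2024-02-05 00:50:00"), "hostB", "active"),
]
RANGE_START = _t("2024-02-05 00:00:00")
NOW = _t("2024-02-05 01:00:00")


def sample_report():
    """Run the calculation over the constructed sample."""
    return state_durations(SAMPLE_EVENTS, RANGE_START, NOW)


if __name__ == "__main__":
    for host, data in sample_report().items():
        print(host, data["totals"])
        for start, end, state in data["intervals"]:
            print("   ", start.time(), "-", end.time(), state)
```

Over the one-hour window the sample gives hostA 2100 s active and 1500 s inactive, and hostB 1500 s active and 2100 s inactive; each host's totals sum to the window length, which is a useful sanity check when porting the logic to SPL.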
My current search that is working is:

```
| from datamodel:Remote_Access_Authentication
| rex field=dest_nt_domain "^(?<dest_nt_domain>[^\.]+)"
| join dest_nt_domain [| inputlookup Domain | rename name AS dest_nt_domain | fields dest_nt_domain]
| table dest_nt_domain
```

My problem is that this search only returns values that match. How can I change this to an evaluation? If the two items match, "Domain Account"; if they don't, "Non Domain Account". My input lookup only contains one item.
Hi, we have a datamodel built against application data. All the tstats searches against the DM were running fine, including the ones using summariesonly=true. I was noticing some discrepancy between the data model and raw data when plotting a timechart for the exact same time range. Checked the data model and found the _time field was not added. But after adding that and re-accelerating the data model, now I can't use summariesonly=true. No results are returned. I do get data back without summariesonly=true.

What could have gone wrong here?

UPDATE: I am able to search using summariesonly=true (maybe the DM needed more time to regenerate), but now I see a massive difference in counts between summariesonly=true vs. false. Data with false closely matches the raw data stats. Before that _time change, even summariesonly=true was matching the counts precisely. I see the _time field is set to "required" in the model, but I don't think that would be preventing certain events from going into the summary. All events in the raw data do have the default _time field. Am I missing some key fact here on how the summary calculation might have changed with the addition of this _time field?