Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi, I have the below string and I'm trying to extract the downstream status code by using this expression. I used to do this a long time ago but it appears those brain cells have aged out.

Regex that works in regex101 but not Splunk:

rex "DownstreamStatus..(?<dscode>\d+)" | stats count by dscode

String:

{"ClientAddr":"blah","ClientHost":"blah","ClientPort":"50721","ClientUsername":"-","DownstreamContentSize":11,"DownstreamStatus":502,"Duration":179590376953,"OriginContentSize":11,"OriginDuration":179590108721,"OriginStatus":502,"Overhead":268232,
Hi team, I'm trying to set up the integration between Jamf Protect and Splunk according to the steps provided in the following link: Jamf Protect Documentation - Splunk Integration. When I follow the steps under the "Testing the Event Collector Token" heading, specifically the part that says "Using the values obtained in step 1, execute the following command:", I can see the logs sent from my local machine on the Splunk search head, but I can't see the Jamf Pro logs coming from other clients. However, I can see the logs when I use curl to send them. Additionally, when I run tcpdump on the heavy forwarder to check the logs, I can see that the logs are being received, but I can't see them when searching. What could be the reason for this? Furthermore, where can I check the error logs from the command line to examine any issues? Thanks
Hello, good day community. I have a problem and I hope you can help me. I need to configure an asset of the HTTP app to make a GET request. When configuring it in the asset settings tab there is a field called base_url, which is mandatory to fill out. The detail is that I need that base URL to be dynamic, since I am going to take it from the artifacts through a flow and each URL is different. Until now I have not been able to solve it. I hope for your help, thank you.
I am trying to replace the default value of a drop down with all the values from a column in a lookup table. Example:

Lookup table

Name    log_group
Name 1  Log1
Name 2  log 2
Name 3  log3

I need the drop down default taken as log1,log2,log3
While upgrading from 5.0 to 7.3.0, we are facing this error while setting up the account! Can someone help with how to fix this issue?
Hi There, I use a Splunk Cloud instance with Universal Forwarders installed on each server. From here I have edited the inputs.conf file to enable the [perfmon://CPU] stanza. I am wondering if there are any out-of-the-box dashboards or recommended searches for putting this monitoring to use. All information I have been able to find online is in regards to an EOL add-on (Splunk App for Infrastructure) or Splunk on-premise instances. (This is a problem I have faced since beginning work on Splunk: a huge lack of documentation for Splunk Cloud vs on-prem.) Thank you for any help in advance, Jamie
Hi All,

I am trying to get login data about the number of users logged in to the Splunk instance every day. I got login data using _internal logs as well as audit logs about the number of users logged in to the instance. Is it possible to get the location the person is logged in from?

index="_internal" source=*access.log user!="-" /saml/acs | timechart span=1d count by user

index=_audit login action="login attempt" | table _time user action info reason | timechart span=1d count by user

We have SAML authentication set up and not normal authentication, and since we have offices all over the world, getting the location might help identify where the users are logging in from as well. Thanks in advance.

Pravin
I have an Angular 10 application. Is there a way of deploying it on Splunk Enterprise? Any document reference would be great. I really appreciate the help.
Hi, I have configured the below log file stanza but I am not getting data into Splunk from the Windows UF. The file has its latest data on Jan 4th, but that data also did not come in. Is there any parameter that needs to be added? Below is the config file:

[monitorNoHandle://C:\Program Files\Crestron\CCS400\User\Logs\CCSFirmwareUpdate.txt]
index=Testindx
sourcetype=test_sourcetype
disabled=0
JSON:

| makeresults | eval _raw="{ \"a.com\": [ { \"yahoo.com\":\"10ms\",\"trans-id\": \"x1\"}, { \"google.com\":\"20ms\",\"trans-id\": \"x2\"} ], \"trans-id\":\"m1\", \"duration\":\"33ms\" }"

I need output in the below format:

_time  Trans_id  url    Duration  sub_duration  sub_url     sub_trans_id
       m1        a.com  33ms      10ms          yahoo.com   x1
       m1        a.com  33ms      20ms          google.com  x2
Under "Activity" you have "Triggered Alerts" but I can't seem to make an easy-to-read overview or email a PDF with these numbers. I would like to create a report of the following:

In the previous month the following alerts were triggered:
Use case 1: 15 alerts
Use case 2: 10 alerts
Use case 3: 3 alerts
Use case 4: 0 alerts

I can make this manually in a dashboard but it will take a long time to do when you have 100+ use cases. Does anybody have any insights on how to create this quickly in a (scheduled) report for the previous month?
<row>
  <panel>
    <title>General Filters</title>
    <input type="time" token="time" id="my_date_range" searchWhenChanged="true">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
        <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
        <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
        <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
      </change>
    </input>
  </panel>
</row>
<row>
  <panel>
    <chart>
      <title>Total Pallet</title>
      <search>
        <query>|`$macro_token$(span_token="$span_token$")` |strcat "raw" "," location group_name | timechart span=1d count by location</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>
</form>
Hi, when I am trying to upload the custom app to Splunk Cloud it is not passing the vetting. How can we fix this issue? I have tried this in Linux:

COPYFILE_DISABLE=1 tar --format ustar -cvzf <appname>.tar.gz <appname_directory>

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.

check_for_bin_files
This file has execute permissions for owners, groups, or others. (reported for each of the following files)

File: README/ta_mandiant_advantage_account.conf.spec
File: appserver/static/correlation_details_multiselect.js
File: README/ta_mandiant_advantage_settings.conf.spec
File: README/inputs.conf.spec
File: static/appIcon.png
File: README/addon_builder.conf.spec
File: default/collections.conf
File: appserver/static/correlation_details_button.css
File: third_party/pytz_lic.txt
File: default/data/ui/views/threat_intelligence_matched_events.xml
File: default/searchbnf.conf
File: default/data/ui/views/inputs.xml
File: appserver/static/js/jquery_mandiant.js
File: app.manifest
File: default/ta_mandiant_advantage_settings.conf
File: appserver/static/js/build/custom/datamodel_hook.js
File: metadata/default.meta
File: default/web.conf
File: appserver/static/js/build/custom/alerts_input_hook.js
File: appserver/static/js/build/0.licenses.txt
File: appserver/static/js/build/custom/account_hook.js
File: appserver/static/js/build/1.licenses.txt
File: default/data/ui/views/threat_intelligence_matched_events_summary.xml
File: default/app.conf
File: default/server.conf
File: default/inputs.conf
File: default/data/ui/views/security_validation_overview.xml
File: appserver/templates/base.html
File: appserver/static/js/jquery-3.5.0.min.js
File: default/commands.conf
File: splunkbase.manifest
File: appserver/static/js/build/entry_page.js
File: static/appIcon_2x.png
File: appserver/static/indicator_info_send.js
File: appserver/static/js/build/custom/vuln_fields_hook.js
File: appserver/static/js/build/3.js
File: static/appLogo_2x.png
File: TA-mandiant-advantage.aob_meta
File: appserver/static/js/build/0.js
File: appserver/static/js/mktoform.js
File: appserver/static/js/build/custom/matched_events_hook.js
File: default/data/ui/views/vulnerability_details.xml
File: appserver/static/js/build/globalConfig.json
File: appserver/static/correlation_details_button.js
File: appserver/static/vulnerability_overview.css
File: static/appIconAlt_2x.png
File: default/transforms.conf
File: default/data/ui/views/configuration.xml
File: static/appIconAlt.png
File: appserver/static/img/mandiant_img2.png
File: default/savedsearches.conf
File: appserver/static/js/build/entry_page.licenses.txt
File: appserver/static/js/build/3.licenses.txt
File: CP_mandiant_advantage.tar.gz
File: appserver/static/js/build/5.js
File: static/appLogo.png
File: appserver/static/js/underscore-min.js
File: default/addon_builder.conf
File: appserver/static/js/build/custom/input_hook.js
File: default/data/ui/views/dtm_alerts.xml
File: appserver/static/js/build/1.js
File: default/data/ui/views/asm_issues.xml
File: third_party/tenacity_lic.txt
File: appserver/static/pop_up.js
File: default/data/ui/views/threat_intelligence_overview.xml
File: default/data/ui/views/vulnerability_overview.xml
File: default/props.conf
File: README.txt
File: default/data/ui/views/security_validation_details.xml
File: default/data/ui/nav/default.xml
File: appserver/static/js/build/4.js
File: default/restmap.conf
File: default/macros.conf
File: default/data/ui/views/asm_entities.xml

Thanks in advance
Hi Everyone, due to an issue we had with our Universal Forwarder not being visible on Splunk Cloud, we uninstalled the app from the Manage Apps section. The reason to remove the Universal Forwarder app was that we couldn't find the forward option under data inputs, which is strange. So we tried to reinstall the app to the cloud, but the app is no longer visible in All Apps. Is there any way to reinstall the Universal Forwarder app to Splunk Cloud? Thank you
Hey Guys, I am trying to write an SPL search in Splunk where I have a lookup file with 10 values and I want to search each value against a search and return results if found.

Eg: LookupFile: the column name is States and the values are as below:

Alaska
Arizona
Arkansas
California
Colorado

Now I want to search each of the states one after the other in a search and display the results with the columns (States, IP, Country, user, workstation). Pls help.

Thank you
Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. There are only three possible result values for any given policy (success, failure, or notApplied). In essence, I need this table to find out which policies are not being used by looking at the number of times each was not applied. i.e.:

Input:

Desired Output:

displayName  result      count
Policy1      success     1
Policy2      failure     1
Policy3      notApplied  1

However, the query I currently have is returning a sum that isn't possible because the sum is exceeding the number of sign-in events. What is wrong with my query?

<my_search> | stats count by Policies{}.displayName, ConditionalAccessPolicies{}.result
Looking to create a dashboard in Dashboard Studio that drills down on an Event Messages column in a table. According to this blog post, a "Link to search" option was added a few months ago, but I don't see the option in my editor in Splunk 9.1.2. I've also tried adding the JSON directly:

"eventHandlers": [
  {
    "type": "drilldown.linkToSearch",
    "options": {
      "type": "auto",
      "newTab": true
    }
  }
]

and that didn't work either. Any help is appreciated.
Hello all, is there a way to automate a playbook to work only on events with a specific tag? I saw in the playbook settings an option to choose a tag, but it still runs on every event. Thank you in advance. @phanTom @SOARt_of_Lost
While it's possible to change the color of a single value icon based on a result, is it possible to display an entirely different icon for different results or ranges? I'm not readily seeing an option in Dashboard Studio. https://docs.splunk.com/Documentation/Splunk/9.0.2/DashStudio/chartsSV#Single_value_icon
Hi guys, so here's what I'm trying to do. I have a lookup CSV with 3 columns. I have data with string values that might contain a value in my lookup. I have the basic setup working but I want to populate additional fields in my data set. Here is a very stripped down version of what I am doing.

First I have a basic lookup CSV. It has 3 columns:

active  flagtype  colorkey
yes     sticker   blue
yes     tape      red
no      tape      pink

Then my search, which creates a couple of test records, looks like this:

| makeresults count=4
| streamstats count
| eval number = case(count=1, 25, count=2, 39, count=3, 31, count=4, null())
| eval string1 = case(count=1, "I like blue berries", count=3, "The sea is blue", count=2, "black is all colors", count=4, "Theredsunisredhot")
| table flagtype, flag, string1, ck
| search [ inputlookup templookup.csv | eval string1 = "string1=" + "\"" + "*" + colorkey + "*" + "\"" | return 500 $string1 ]
| eval flag = "KEYWORD FLAG"
| table flagtype, flag, string1, colorkey

My 4 column output results are:

flagtype  flag          string1              colorkey
empty     KEYWORD FLAG  I like blue berries  empty
empty     KEYWORD FLAG  The sea is blue      empty
empty     KEYWORD FLAG  Theredsunisredhot    empty

How do I populate the two empty columns using other columns in the lookup table? Thanks in advance for any help I can get.