Hi, I have a stats table with the following
Hello Splunk members! I have a CSV lookup file with 2 columns:
ClientName   HWDetSystem
BD-K-027EY   VMware
I have an index with ASA firewall logs which I want to search to find events for all the ClientName values in the CSV:
234654252.234 %ASA-3-2352552: Certificate was successfully validated. serial number: 1123423SSDDG23442234234DSGSGSGGSSG8, subject name: CN=BD-K-027EY.bl.emea.something.com.
Between the CSV lookup file and the event, the common part is the ClientName and a portion of the subject name. If I search for "successfully" and provide a single client name I get the event I want, but I am struggling to look it up for all the clients and make it unique. In the end I just want a list of ClientName values for which the event was logged. Thanks
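One way to do the join described in the post, added here as an example and not part of the original post: pull the short hostname out of the certificate subject with rex, then use the CSV as a lookup so that only events whose hostname is a known ClientName survive. The index name asa, the sourcetype cisco:asa and the lookup file name clients.csv are assumptions; substitute your own. The stats at the end gives one row per client, which is the unique list asked for.

```spl
index=asa sourcetype="cisco:asa" "Certificate was successfully validated"
| rex field=_raw "subject name: CN=(?<cn_host>[^.,\s]+)"
| where isnotnull(cn_host)
| lookup clients.csv ClientName AS cn_host OUTPUT HWDetSystem
| where isnotnull(HWDetSystem)
| stats count AS validations, max(_time) AS last_seen BY cn_host, HWDetSystem
| rename cn_host AS ClientName
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

The rex stops at the first dot, so CN=BD-K-027EY.bl.emea.something.com yields BD-K-027EY, which is the value the lookup column holds. The second where drops every event whose hostname is not in the CSV (the lookup adds HWDetSystem only on a match). If the certificates and the CSV disagree in letter case, normalise both sides with upper() before the lookup.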
Hi, We have two indexes which are stuck in a fixup task. Our environment consists of some indexing peers which are attached to SmartStore. This morning there is a warning that SF and RF are not met. Two indexes are in this degraded state. Checking the bucket status, there are two buckets from two different indexes which don't get fixed. Those buckets are mentioned in the search factor fix, replication factor fix and generation. The last has the notice "No possible primaries". Searching on the indexer which is mentioned in the bucket info, it says: DatabaseDirectoryManager [838121 TcpChannelThread] - unable to check if cache_id="bid|aaaaaa~183~839799B0-6EAF-436C-B12A-2CDC010C1319|" is stable with CacheManager as it is not present in CacheManager and ERROR ClusterSlaveBucketHandler [838121 TcpChannelThread] - Failed to trigger replication (err='Cannot replicate remote storage enabled warm bucket, bid=aaaaaa~183~839799B0-6EAF-436C-B12A-2CDC010C1319 until it's uploaded'. What can be wrong, and what to do about it? Thanks in advance. Splunk Enterprise v9.0.5, on-premises SmartStore.
I have a lookup file like below. The query should send mails to each person with that respective row information. If the mail1 column is empty, then the query should consider the mail2 column value to send mails, and if the mail2 column is empty, the query should consider the mail3 column value to send mail; so if mail1 and mail2 are both empty, the query should use the mail3 column value.
Emp  occupation  location  firstmail    secondarymail  thirdmail
abc  aaa         hhh       aa@mail.com  gg@mail.com
def  ghjk        gggg      bb@mail.com  ff@mail.com
ghi  lmo         iiii                   hh@mail.com
jkl  pre         jjj                                   dd@mail.com
mno  swq         kkk       aa@mail.com  ii@mail.com
For example, aa@mail.com should receive a mail like below in tabular format:
Emp  occupation  location  firstmail    secondarymail  thirdmail
abc  aaa         hhh       aa@mail.com  gg@mail.com
mno  swq         kkk       aa@mail.com  ii@mail.com
Likewise the query should read the complete table and send mails to each person individually, containing that specific row information in tabular format. Please help me with the query and let me know in case you need any clarification on the requirement.
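An added example of the fallback described in the post (not code from the original post): the address to use is the first non-empty column, which is exactly what coalesce() gives once empty strings are turned into nulls, and map runs one sendemail per distinct recipient. The lookup name employees.csv and the subject line are assumptions; sendemail also needs the mail server configured under the search head's email settings.

```spl
| inputlookup employees.csv
| eval recipient=coalesce(if(len(firstmail)>0, firstmail, null()),
                          if(len(secondarymail)>0, secondarymail, null()),
                          if(len(thirdmail)>0, thirdmail, null()))
| where isnotnull(recipient)
| stats count AS rows BY recipient
| map maxsearches=500 search="| inputlookup employees.csv | eval recipient=coalesce(if(len(firstmail)>0, firstmail, null()), if(len(secondarymail)>0, secondarymail, null()), if(len(thirdmail)>0, thirdmail, null())) | search recipient=\"$recipient$\" | table Emp occupation location firstmail secondarymail thirdmail | sendemail to=\"$recipient$\" subject=\"Your assignment records\" sendresults=true inline=true format=table"
```

The len()>0 test handles both a missing value and an empty cell, so the CSV does not have to be consistent about which of the two it stores. The first part of the search only exists to produce the distinct recipient list; the search inside map rebuilds the rows for that one address and mails them as an inline table. Raise maxsearches if the lookup has more than 500 distinct recipients, and bear in mind that map runs a full search per recipient.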
Hello fellow Splunkthusiasts! TL;DR: Is there any way to connect one indexer cluster to two distinct license servers? Our company has two different licenses: one acquired directly by the company (we possess the license file), the other acquired by a corporate group to which our company belongs; it is provided to us through the group's license server (it is actually some larger license split into several pools, one of them being available to us). The obvious solution is to have one IDXC for each license with SHs searching both clusters. However, both licenses together are approximately 100GB/day, therefore building two independent indexer clusters feels like a waste of resources. What is the best way to approach this?
Hi, After migrating to version 9.1.2 we have to rewrite some classic dashboards in Dashboard Studio. Is there a way to send the colored lines to the back or send the circles to the front? It simply won't work to put any figure on top of lines; the lines will always be on top. I tried to insert some HTML customization but still nothing:
<row> <panel> <html> <style> div[data-id*="_CIRCLE"]{ z-index: 100; } </style> </html> </panel> </row>
Any help would be much appreciated.
Hello, I am a presales engineer at a Splunk partner and I recently started presenting training workshops for our customers. For my own training and enrichment I attended a workshop where someone presented the SOAR hands-on workshop. However, when I tried to find the workshop in Splunk Show, I could find no trace of it. I assume the workshops available to me are affected by which corresponding courses I take in the Splunk Learning Center, but I couldn't find a course by that name. Can someone explain to me exactly how the availability of courses/workshops works? The fact that I can't even see some courses until I have passed others on the same path is very frustrating. It makes planning my training much less transparent than I would like. Having everything visible but locked until I complete the prerequisites would be so much better, and it seems to be the case inside series but not for the series themselves in general... Anyway, please help me gain access to the Splunk SOAR hands-on workshop and let me know what path I need to take. Thanks in advance for any help.
Hi everyone, I need an alternative for the transaction command, because it is taking too much time to load the dashboard. This is my actual data:
Botid    count
1528     1
1228     1
1015     1
1558     1
12       1
1698     1
1589.15  1
1589     1
I am looking for an output like below:
BotId                  count
1528,1228,1015,1558    1
12,1698,1589.2,1589    2
Thanks in advance
So I want to extract the last word as a field on each search result, but only want to grab those that fulfil the following conditions: 1) the last word before a space; 2) exclude those with a period "." right after the last word. Sample events:
the current status is START system goes on …
the current status is STOP please do …..
the current status is PENDING.
My rex will extract the word right after "status is ", but if that word has a period right after it, I don't want to extract it. I have only been able to retrieve everything using the following, but not able to exclude those with a period right after:
rex field=_raw "status is\s(?<status>[^\s]+)"
Hello Team, I need help in extracting the following date and time from the log. Sample log:
-0900, 04.25.01 THU 22FEB24 nDD62320I
I need the 04.25.01 THU 22FEB24 part; could someone please help in extracting this using rex? Any help is much appreciated.
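The status extraction in the post two above and the date/time extraction in this one are both single rex patterns, so here is one added example covering both (constructed with makeresults from the sample lines in the two posts; it is not code from either post). The status pattern excludes a dot by taking the dot out of the character class and requiring whitespace or end of line right after the word; the time pattern spells out the fixed-width fields of 04.25.01 THU 22FEB24.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(n=1, "the current status is START system goes on",
                 n=2, "the current status is STOP please do",
                 n=3, "the current status is PENDING.",
                 n=4, "-0900, 04.25.01 THU 22FEB24 nDD62320I")
| rex field=_raw "status is\s(?<status>[^\s.]+)(?=\s|$)"
| rex field=_raw "(?<event_time>\d{2}\.\d{2}\.\d{2}\s[A-Z]{3}\s\d{2}[A-Z]{3}\d{2})"
| table _raw status event_time
```

Rows 1 and 2 get status START and STOP, row 3 gets no status at all (the class [^\s.]+ stops before the dot and the lookahead then fails on "."), and row 4 gets event_time 04.25.01 THU 22FEB24. Dropping the lookahead would turn "PENDING." into a match for PENDING, which is the behaviour the first post wants to avoid.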
Currently, I am switching to a higher version of the Lookup Editor app, but I am having "issues" as described below (screenshots: Ver 3.3.3, Ver 4.0.2). Cells have values (low, medium, high, ...) that do not change the background color or text. I checked the console.log output (Ver 4.0.2) and got some logs. Can anyone give me some advice? Thank you.
May I know whether there is any search query with which I can find "Indexers in license violations", or is there any information I can get regarding this directly from Splunk?
We have configured different services (cyberflows-sre, cybersec, cybervault, ...) on our server. In the AppD metric browser those services are visible as numbers (342, 343, 345, ...). How do I know (where do I find) which number corresponds to which service?
Hello, We're using PAN-OS 10.1.11 and Palo Alto Networks Add-on version 6.5.0. We want to upgrade the Add-on to 8.1.1 and would like to know the PAN-OS versions supported by Palo Alto Networks Add-on version 8.1.1. We were unable to locate this information in the Add-on release notes or installation guide. Thanks and regards
Hi All, I found this https://community.splunk.com/t5/Dashboards-Visualizations/9-0-5-ui-prefs-conf-Why-my-default-search-mode-in-search-page-on/m-p/652793 and in there is this: "SplunkWeb users may experience different behaviors for the UI preferences that used to persist and show latest preferences by updating ui-prefs.conf on the fly. Now after upgrade to 9.0.5+ or 9.1.0+ its behavior changed and no longer uses ui-prefs.conf to remember the user's UI level preferences, but instead, uses the url in the request or localStorage/Web Storage." In Firefox I found webappsstore.sqlite in my ../Library/Application Support/Firefox/Profiles/e0fxb1hs.default-release, which is similar to the above. Is this where the ui-prefs.conf information was moved to? I've had a request from a user that wants to set the 'Selected fields', but after the upgrade to 9.1.2 the changes would be stored in a sqlite DB. Is this correct? Is there any way of changing the 'Selected fields' other than using the backend? Does this work for other apps beyond Search? TIA, Joe
Hi Folks, I'm running into trouble excluding new process creation events for Teams from being indexed. It's an expected application and starts at logon so we're not super worried about it. I've looked at a handful of community articles, tried what was posted, and I'm stumped. My regex syntax looks fine, but Splunk still isn't excluding the events. Here's what I've tried so far:
_____inputs.conf_____
blacklist3 = EventCode="4688" new_process_name=".*Teams.exe"
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"
blacklist3 = EventCode="4688" $XmlRegex="Name=\'NewProcessName\'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe<\/Data>"
None of these have worked. I found a couple of community articles saying props.conf and transforms.conf were the proper way to filter out events, so I tried these as well:
_____props.conf_____
[WinEventLog:Security]
TRANSFORMS-null = 4688cleanup
_____transforms.conf_____
[4688cleanup]
REGEX = "Teams\.exe<\/Data>"
DEST_KEY = queue
FORMAT = nullQueue
And this:
_____transforms.conf_____
[4688cleanup]
REGEX = <EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>
DEST_KEY = queue
FORMAT = nullQueue
None of these have worked so far and I'd appreciate any input y'all have.
Here is a copy of an event I'm trying to exclude from being indexed (Teams.exe as a new process):
<Event xmlns='http:// schemas .microsoft .com/win/2004/08/events/event '><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:11:25.7542758Z'/><EventRecordID>4096881</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1124'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x11111111</Data><Data Name='NewProcessId'>0x5864</Data><Data Name='NewProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4604</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>
And a copy of an event we'd like to keep (Teams.exe as a parent process, but not the new process):
<Event xmlns='http:// schemas .microsoft .com/win/2004/08/events/event '><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:33:19.5932251Z'/><EventRecordID>4212468</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='31196'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x1111111</Data><Data Name='NewProcessId'>0x7664</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4238</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>
Events obfuscated for privacy. Like I said, the regex syntax looks fine as far as I can tell and matches in regex101, so I'm hoping it's a small thing I'm overlooking. We're running Splunk v9.1.1 if that makes any difference. Thanks! -SplunkUser5
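A few points a reviewer would check against the attempts in the post, followed by a corrected set of stanzas. These are added as an example and are not from the original post; the stanza names 4688_drop_teams and TRANSFORMS-null_teams are mine. First, the sample events are rendered as XML, and the Windows event log input gives XML-rendered events the sourcetype XmlWinEventLog:Security, so a props.conf stanza named [WinEventLog:Security] does not apply to them. Second, the REGEX value in transforms.conf is not quoted; quotes become literal characters in the pattern, and the element is <Data Name=...> with a space. Third, nullQueue routing through props/transforms happens in the parsing pipeline, which a universal forwarder does not run, so those stanzas belong on the heavy forwarder or indexer that first parses the events; the inputs.conf blacklist is the one that is evaluated on the forwarder itself. Fourth, keys within a stanza must be unique, so four settings all named blacklist3 do not all take effect; number them blacklist1, blacklist2, and so on. Finally, a pattern such as Teams\.exe</Data> on its own also matches the ParentProcessName element, which would drop the second event the post wants to keep; anchoring on the NewProcessName element avoids that.

```ini
# --- inputs.conf (forwarder collecting the Security channel, XML rendering) ---
# One regex per numbered blacklist key; $XmlRegex is the key used for XML-rendered events.
[WinEventLog://Security]
renderXml = true
blacklist1 = $XmlRegex="<EventID>4688</EventID>.*<Data Name='NewProcessName'>[^<]*\\Teams\\current\\Teams\.exe</Data>"

# --- props.conf (heavy forwarder or indexer that parses the events) ---
# XML-rendered Security events arrive with this sourcetype, not WinEventLog:Security.
[XmlWinEventLog:Security]
TRANSFORMS-null_teams = 4688_drop_teams

# --- transforms.conf (same instance as props.conf; REGEX value is unquoted) ---
# [^<]* cannot cross into the next <Data> element, so a Teams.exe parent with a
# different NewProcessName (the msedge.exe event above) is kept.
[4688_drop_teams]
REGEX = <EventID>4688</EventID>.*<Data Name='NewProcessName'>[^<]*\\Teams\\current\\Teams\.exe</Data>
DEST_KEY = queue
FORMAT = nullQueue
```

Use one mechanism or the other: the inputs.conf blacklist stops the event on the endpoint and is cheaper, while the props/transforms route is what you need when the forwarder configuration cannot be changed. Both need a restart of the instance they live on, and with the transforms version the events for the keep case can be confirmed by searching sourcetype=XmlWinEventLog:Security EventCode=4688 after the change.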
Hello, I don't know how to simulate this using makeresults, but I have data with over 10,000 rows (let's say 50,000). If I sort descending using "| sort - 0 Score", it will only give me 10,000 rows, but if I use "| sort 0 Score desc", it will give me 50,000 rows. What is the difference between using sort - and sort desc? Why does sort - limit to only 10,000? Thank you so much.
index=test | sort - 0 Score ==> only 10,000 rows; I need to use "| sort Score desc"
Name       Score
Name1      5
Name2      0
Name3      7
Name4      0
…
Name50000  9
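The difference comes from argument order, not from - versus desc: in sort the optional result count has to be the first argument, before any field, so "sort 0 -Score" (or "sort 0 Score desc") means "all rows, Score descending", while in "sort - 0 Score" the "- 0" is read as a field named 0 to sort on and no count is given, leaving the default limit of 10,000 in place. The following is an added example, not from the original post, that reproduces the 50,000-row case with makeresults (the data is constructed) and shows the count-first form returning every row.

```spl
| makeresults count=50000
| streamstats count AS n
| eval Name="Name".n, Score=n % 10
| sort 0 -Score
| stats count AS rows, max(Score) AS top_score, min(Score) AS bottom_score
```

The final stats reports rows=50000; replacing the sort line with "| sort -Score" (no count) reports 10000, and "| sort 0 Score desc" behaves the same as "| sort 0 -Score". Note that 0 means unlimited and that sorting the full result set is done in memory on the search head, so use it deliberately on large searches.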
I recently received CA certificates from my organization's PKI team. In the CSR, I provided the server hostname in the CN and SAN, and hence when I access the GUI using the hostname the connection is secure. But when I access it with the IP, it is not secure. So, do I need to provide the IP in the SAN? Is there an alternative, so that the browser can only reach it through hostname:8000 and not IP:8000? Please pour in your suggestions.
Is there a way to give a user read-only access to only a specific dashboard in Splunk ES, such as the Executive Summary dashboard? Any assistance would be greatly appreciated! *Edit: Sorry, we have the user role and the user created, but we are unable to restrict it to a single dashboard. We can specify an app such as ES but have been unsuccessful in getting a default dashboard set. When you land on ES there are the "Security Posture", "Incident Review", "App Configuration" etc. settings. Would it be possible to change one of these from "Security Posture" to "Executive Summary", so that they are just a click away from the appropriate dashboard? Thank you!
I have heavy forwarders that are running on Windows and Linux servers that still need to be monitored. Are there best practices for what to log and what not to log from a heavy forwarder? For example, can I take my default Windows inputs.conf file from my universal forwarders and apply it to my heavy forwarders, or will this cause a "logging loop" where the heavy forwarder is logging itself logging? I am completely guessing, but maybe I could copy over my UF inputs.conf file but disable the wineventlog:application logs? What would be the equivalent on a Linux HF?