I want to know which saved search is generating a particular lookup. How do I do that?
Hi Splunkers, I have already done the configuration of the HF and installed the UF credentials, but I can't see the Palo Alto logs in Splunk Cloud. For the HF, inputs.conf:

[udp://5000]
index = xxxxx_pan
disabled = false
sourcetype = pan_log

But the HF and the Splunk Cloud instance are communicating. Please help me.
Hi All, I've been exploring various documentation and tutorials, but I'd love to hear from those who have hands-on experience. What are the best practices and recommended steps for configuring Kubernetes logs to seamlessly integrate with Splunk Enterprise? Are there any specific considerations or challenges I should be aware of during the setup process? Thanks in advance for sharing your expertise!
Hi Mentors, I have searched on YouTube and external sources to check for use case creation. I could see that by using Splunk Essentials we could create the use case, but I am new to Splunk and know only the basics of Splunk like fields and commands etc. I have asked, and literally everyone treated me in a bad way when I asked them to teach me how to create the use case; even my team leader is also not ready to teach me, but he learned it in an institution 5 years back. I don't have any friends who have knowledge in Splunk. I beg you, please, anyone, please teach me how to create the use case in Splunk and what the basics of creating the use case are. I need this. I am the first graduate from my family and I cannot afford a huge amount of fees to learn Splunk. Any mentors, please help me; I want to learn Splunk and I want to teach the same to my team members in a simple way in which they could understand. Please help me, Mentors.
We are looking into Splunk Cloud as a solution, instead of our regular Splunk Enterprise (On Premise) setup. To be able to test the feasibility of sending data from external sources (Jira Cloud, Redmine), I wanted to install our own custom app for testing. Unfortunately, there is no current way for us to do that in the Free Trial I have. We simply want to test if we can index data from Jira Cloud to Splunk Cloud, without having to use a Heavy Forwarder or Universal Forwarder.

Ways to replicate: Splunk Cloud Login > Manage Apps > No button for uploading a custom app / add-on.

Questions:
1. Is there a way to directly install custom apps / add-ons (that are originally built for Splunk Enterprise) in Splunk Cloud? We were thinking about compatibility issues, and whether the apps would work the same way.
2. Is there a way to gauge whether or not the quantity of data that we want to send from external sources would require us to install a Heavy / Universal Forwarder? (We are trying to avoid additional costs by taking Splunk Cloud, so we were wondering if we could do without them.)
Hi all, I have read through the Splunk documentation for session timeout here, but this seems to be for Splunk overall: Configure user session timeouts - Splunk Documentation. However, I am not able to make the user timeout user- or role-specific. Is there any solution for that? I read in one of the posts previously that someone was able to do it role-specifically, which also works for me if it can be done: Session timeout for a Single username (not group) ... - Splunk Community. However, there wasn't much information on how he/she was able to do so. The main intent for me is to set admin users / normal users the usual timeout, e.g. 1 hour, and dashboard accounts to not be logged out on the other hand. Any possible advice, as it seems to be doable?
How to correlate an index with dbxquery with a condition or iteration? See the sample below. Thank you for your help.

index=company

CompanyID  CompanyName  Revenue
A          CompanyA     3,000,000
B          CompanyB     2,000,000
C          CompanyC     1,000,000

| dbxquery query="select * from employee where companyID in (A,B,C)"

OR iteration:

| dbxquery query="select * from employee where companyID ='A'"
| dbxquery query="select * from employee where companyID ='B'"
| dbxquery query="select * from employee where companyID ='C'"

CompanyID  EmployeeName  EmployeeEmail
A          EmployeeA1    empA1@email.com
A          EmployeeA2    empA2@email.com
A          EmployeeA3    empA2@email.com
B          EmployeeB1    empB1@email.com
B          EmployeeB2    empB2@email.com
B          EmployeeB3    empB3@email.com
C          EmployeeC1    empC1@email.com
C          EmployeeC2    empC2@email.com
C          EmployeeC3    empC3@email.com

Expected result:

CompanyID  CompanyName  Revenue    EmployeeName  EmployeeEmail
A          CompanyA     3,000,000  EmployeeA1    empA1@email.com
A          CompanyA     3,000,000  EmployeeA2    empA2@email.com
A          CompanyA     3,000,000  EmployeeA3    empA2@email.com
B          CompanyB     2,000,000  EmployeeB1    empB1@email.com
B          CompanyB     2,000,000  EmployeeB2    empB2@email.com
B          CompanyB     2,000,000  EmployeeB3    empB3@email.com
C          CompanyC     1,000,000  EmployeeC1    empC1@email.com
C          CompanyC     1,000,000  EmployeeC2    empC2@email.com
C          CompanyC     1,000,000  EmployeeC3    empC3@email.com

OR

CompanyID  CompanyName  Revenue    EmployeeName                        EmployeeEmail
A          CompanyA     3,000,000  EmployeeA1, EmployeeA2, EmployeeA3  empA1@email.com, empA2@email.com, empA2@email.com
B          CompanyB     2,000,000  EmployeeB1, EmployeeB2, EmployeeB3  empB1@email.com, empB2@email.com, empB3@email.com
C          CompanyC     1,000,000  EmployeeC1, EmployeeC2, EmployeeC3  empC1@email.com, empC2@email.com, empC3@email.com
Hello fellow Splunkers. Just a quick posting to say hello. I've recently taken on a role where I'll be working with Splunk quite a lot. Previously I worked with LogRhythm quite a bit. So far, initial impressions are good. The search within Splunk is impressive; the training and community seem good too. Looking forward to learning more and will no doubt ask various questions in future.
I'm currently using the token $results_link$ to get a direct link to alerts when they get triggered. I've also set the "Expires" field to 72 hrs. However, if the alerts get triggered over the weekend, the results are always expired when checking them after 48 hours. Is it possible to have the alert results not expire in 48 hrs?
I have 2 events:

Event 1: Timestamp A  UserID:ABC  startevent
Event 2: Timestamp B  ID:ABC  endevent

I want to find the time difference between the start event and the end event. In the first event the field is named "UserID" and in the second event the field is named "ID". These two fields hold the value of the user for which the start and subsequent end event is generated. How can I get the time difference here? To use transaction I need a shared field. When I use transaction like below, I get very few results:

| transaction userId startswith=(event="startevent") endswith=("endevent") maxevents=2
I'm running into a limitation with Splunk custom apps where I want the admin to be able to set some API key for my 3rd party app and I want everyone to have access to this secret in order to actually run the custom commands that call the 3rd party API, without the admin having to give out list_storage_passwords for everyone if possible. Is there any workaround to this or are we still limited to the workarounds described below? E.g. having to give list_storage_passwords to everyone and then retroactively apply fine-grained access controls to every secret. How are devs accomplishing this? https://community.splunk.com/t5/Splunk-Dev/What-are-secret-storage-permissions-requirements/m-p/641409 --- This idea is 3.5 years old at this point. https://ideas.splunk.com/ideas/EID-I-368  
Oct 30 06:55:08 Server1 request-default Cert x.x.x.x - John bank_user Viewer_PIP_PIP_env vu01 Appl Test [30/Oct/2023:06:54:51.849 -0400] "GET /web/appWeb/external/index.do HTTP/1.1" 200 431 7 9 8080937 x.x.x.x /junctions 25750 - "OU=00000000+CN=John bank_user Viewer_PIP_PIP_env vu01 Appl Test,OU=st,O=Bank,C=us" bfe9a8e8-7712-11ee-ab2e-0050568906b9 "x509: TLSV12: 30" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36"

I have the above in the log. I have a field extraction (regular expression) to extract the user, in this case "John bank_user Viewer_PIP_PIP_env vu01 Appl Test". The alert did find this user but reported the user name as "john". Some other users who have a space in the name show up in the alert fine. How do I fix the extraction so the entire user name shows up in the alert?
I am trying to use the following search to make a timechart on security incident sources, but Splunk is reporting zeros for all the counts, which I can confirm is NOT accurate at all. I think the issue is because I need to use a different time field for the timeline. Can someone assist me in making this chart work?

index=sir sourcetype=sir
| rex field=dv_affected_user "(?<user>[[:alnum:]]{5})\)"
| rex mode=sed field=opened_at "s/\.0+$//"
| rex mode=sed field=closed_at "s/\.0+$//"
| rename opened_at AS Opened_At, closed_at AS "Closed At", number AS "SIR Number", dv_assignment_group AS "Assignment Group", dv_state AS State, short_description AS "Short Description", close_notes AS "Closed Notes", dv_u_organizational_action AS "Org Action", u_concern AS Concern, dv_u_activity_type AS "Activity Type", dv_assigned_to AS "Assigned To"
| eval _time=Opened_At
| eval Source=coalesce(dv_u_specific_source, dv_u_security_source)
| fillnull value=NULL Source
| table Source, _time, "SIR Number"
| timechart span=1mon count usenull=f by Source
APM and infrastructure agents are powerful tools for instrumenting applications, but the complexities of installing and managing tens of thousands of agents can lead to slow deployments and outdated systems. Join our webinar to discover our newly released agent lifecycle management solution, Smart Agent for Cisco AppDynamics, and its centralized user interface — which help you simplify and accelerate application instrumentation at scale.

Simplify agent lifecycle management with Smart Agent for Cisco AppDynamics

You'll learn how to:
Save time and drive efficiency by managing any size agent fleet with just a few clicks.
Shorten the deployment time for instrumenting new applications and automated upgrades.
Easily identify out-of-compliance agents and automate the upgrade process to minimize risk.

Register now to revolutionize your approach to application instrumentation with Smart Agent for Cisco AppDynamics.

Go live times:
AMER: February 14 at 11 a.m. PST / 2 p.m. EST
APAC: February 15 at 8:30 a.m. IST / 11 a.m. SGT / 2 p.m. AEDT
EMEA: February 15 at 10 a.m. GMT / 11 a.m. CET

Speaker: Aaron Schifman, Senior Technical Product Marketing Manager, Cisco AppDynamics
Aaron Schifman is a Senior Technical Product Marketing Manager at Cisco AppDynamics, with over two decades of experience thriving in challenging globally based environments as an engineer, technical product marketing manager, pre-sales consultant, and professional services leader. Having worked with Elastic and Dell EMC in highly technical customer-facing roles, Aaron brings a passion for articulating the role of AppDynamics in helping customers overcome their most pressing business challenges.
In Dashboard Studio I have a panel with a list of the top 10 issue types. I want to set 3 tokens with numbers 1, 2 and 3 of this top 10 to use these in a different panel search to show the (full) events.

index=.....      ("WARNING -" OR "ERROR -")
| rex field=_raw "(?<issuetype>\w+\s-\s\w+)\:"
| stats count by application, issuetype
| sort by -count
| head 10

The result depends and might be:

count  issuetype
345    ERROR - Connectbus
235    Warning - Queries
76     Error - Export
45     Error - Client
32     Warning - Queue
…

Now I want to show the events of the top 3 issue types of this list in the following panels by storing the first 3 issue types in $tokenfirst$, $tokensecond$ and $tokenthird$ and searching for those values. I selected "use search result as token", but how do I select only the first 3 results into 3 different tokens (and of course after the top 10 is calculated)?
I am migrating to using Auth0 for SAML, which authenticates with Active Directory, for Splunk. Currently Splunk just uses Active Directory. I have the realName field set to the "nickname" attribute in the SAML response, which is the username, but when I run searches or make dashboards/alerts it is assigned to the user_id attribute, which is gibberish. I'm wondering how we can make the knowledge objects assigned to the friendly username instead of the user_id, because I'm curious whether a user will still be able to see their historical knowledge objects since the owner value is now different, unless it is somehow mapped to it.
Hi, I am looking for a solution for how to find, in Splunk, scheduled searches not used for several weeks by users or apps (for example, a user left and the search is not checked). I tried to focus on the audit logs for non-ad-hoc searches and the REST API saved searches, but I wasn't able to find a meaningful result for it.
Hello, I had to rename a bunch of rules yesterday, so I cloned them from the Searches, Reports, and Alerts dashboard. They all have global permissions (all apps). For some reason I can't find any of the rules under the Content Management section. Is there a reason why the cloned rules aren't showing there? Thanks!
I'm looking to close out (or delete) all notable events that were created prior to a specific date and time. The way they're trying to run reports, it is easier to delete them or close them than it would be to filter them from the reports. Is there a way to use an eval query (or similar), or would it be best to use the API to close them? Or am I SOL and I need to filter at the dashboard / report query level?
Cisco AppDynamics Smart Agent will transform how you manage agent lifecycles across your environment

Video Length: 9 min 3 seconds

CONTENTS | Video | Key Points and Timestamps | Resources

Cisco AppDynamics Smart Agent will transform how you manage your agent lifecycle. It orchestrates your agent lifecycle tasks through an enhanced UI, or through an advanced CLI. Learn about the recently released Smart Agent and Agent Management for Cisco AppDynamics in the video below. It includes an overview and short demonstration of the primary use case: identifying agents that must be updated, and how to perform agent updates in bulk.

Key Video Points
Following are key points covered in the demonstration video. For your convenience, we've included timestamps where you can find the topics in the video.

The ABCs of Smart Agent 00:00:22 - 00:00:39
Adhere to versioning compliance standards
Bolster installations, upgrades, and rollback processes—at scale
Centralize agent management control

A single Smart Agent prerequisite 00:00:44
To get started, first install the Smart Agent on any machine hosting applications that are or will be monitored. This process is very straightforward:
Launch your console of choice
Install Smart Agent just like you would have installed the old agent.
TIP | We published Debian in RPM packages to make it super convenient, or use one of our recently released Ansible Playbooks to distribute your Smart Agent at scale, use the Smart Agent CLI to distribute it, or integrate with your existing CICD tooling pipeline.

Smart Agent UI and two use cases
Following, see a demonstration of the two use cases, (1) identifying agents that must be updated, and (2) how to perform agent updates in bulk, including an overview of the Smart Agent UI and capabilities.
00:01:23 The UI has been enhanced to indicate agent statuses and provide agent management tools.

App Server Agents tab 00:01:54
Status shows each agent's status
Managed column: Easily check to see whether or not Smart Agent is installed on each of your hosts as needed
Filter button: Use to show the hosts that are managed or unmanaged
Clickable list: on the right panel, see a list of agents that need review or attention

Bulk agent upgrades 00:04:40
Bulk upgrades are for agents of the same type
Select the upgrade version
Make setting changes as needed or use the default configuration
Repeat steps as needed for different agent types

Smart Agents tab 00:06:41
Check Smart Agents statuses, as well as what agents are connected to each of them
See the Tasks in Process tab to view any upgrade process underway
Troubleshooting: Under the History tab, see process status and access log files for completed, incomplete, or stalled processes

Export grid data 00:07:32
View a grid of all agents under management control
Apply available filters, including out-of-date, update available, latest, unknown, specific applications, tiers, Smart Agent ID, monitoring status
Download for use with Excel or other reporting utilities

Additional Resources
In the Agent Management documentation: Supported Platforms, Smart Agent, Smart Agent Command Line Utility
Supported Automation Tools to Deploy Agents: Ansible | Docker | Cloud Foundry | Kubernetes