While upgrading from 5.0 to 7.3.0, we are facing this error while setting up the account! Can someone help with how to fix this issue?
Hi there, I use a Splunk Cloud instance with Universal Forwarders installed on each server. From there I have edited the inputs.conf file to enable the [perfmon://CPU] stanza. I am wondering if there are any out-of-the-box dashboards or recommended searches for putting this monitoring to use. All the information I have been able to find online is in regard to an EOL add-on (Splunk App for Infrastructure) or Splunk on-premise instances (this is a problem I have faced since beginning work with Splunk: a huge lack of documentation for Splunk Cloud vs. on-prem). Thank you for any help in advance, Jamie
Hi all, I am trying to get login data about the number of users logged in to the Splunk instance every day. I got login data using _internal logs as well as audit logs about the number of users logged in to the instance. Is it possible to get the location the person is logged in from?

index="_internal" source=*access.log user!="-" /saml/acs | timechart span=1d count by user

index=_audit login action="login attempt" | table _time user action info reason | timechart span=1d count by user

We have SAML authentication set up, not normal authentication, and since we have offices all over the world, getting the location might help identify where the users are logging in from as well. Thanks in advance. Pravin
I have an Angular 10 application; is there a way of deploying it on Splunk Enterprise? Any document reference would be great. I really appreciate the help.
Hi, I have configured the log file stanza below but am not getting data into Splunk from the Windows UF. The file's latest data is from Jan 4th, but that data also did not come in. Is there any parameter that needs to be added? Below is the config file:

[monitorNoHandle://C:\Program Files\Crestron\CCS400\User\Logs\CCSFirmwareUpdate.txt]
index=Testindx
sourcetype=test_sourcetype
disabled=0
JSON:

| makeresults | eval _raw="{ \"a.com\": [ { \"yahoo.com\":\"10ms\",\"trans-id\": \"x1\"}, { \"google.com\":\"20ms\",\"trans-id\": \"x2\"} ], \"trans-id\":\"m1\", \"duration\":\"33ms\" }"

I need the output in the format below:

_time  Trans_id  url    Duration  sub_duration  sub_url     sub_trans_id
       m1        a.com  33ms      10ms          yahoo.com   x1
       m1        a.com  33ms      20ms          google.com  x2
Under "Activity" you have "Triggered Alerts", but I can't seem to make an easy-to-read overview or email a PDF with these numbers. I would like to create a report of the following:

In the previous month the following alerts were triggered:
Use case 1: 15 alerts
Use case 2: 10 alerts
Use case 3: 3 alerts
Use case 4: 0 alerts

I can make this manually in a dashboard, but it will take a long time to do when you have 100+ use cases. Does anybody have any insights on how to create this quickly in a (scheduled) report for the previous month?
<row>
  <panel>
    <title>General Filters</title>
    <input type="time" token="time" id="my_date_range" searchWhenChanged="true">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
        <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
        <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
        <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
      </change>
    </input>
  </panel>
</row>
<row>
  <panel>
    <chart>
      <title>Total Pallet</title>
      <search>
        <query>|`$macro_token$(span_token="$span_token$")` |strcat "raw" "," location group_name | timechart span=1d count by location</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>
</form>
Hi, when I try to upload the custom app to Splunk Cloud it is not passing the vetting. How can we fix this issue? I have tried this on Linux:

COPYFILE_DISABLE=1 tar --format ustar -cvzf <appname>.tar.gz <appname_directory>

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_for_bin_files
This file has execute permissions for owners, groups, or others. File: README/ta_mandiant_advantage_account.conf.spec
This file has execute permissions for owners, groups, or others. File: appserver/static/correlation_details_multiselect.js
This file has execute permissions for owners, groups, or others. File: README/ta_mandiant_advantage_settings.conf.spec
This file has execute permissions for owners, groups, or others. File: README/inputs.conf.spec
This file has execute permissions for owners, groups, or others. File: static/appIcon.png
This file has execute permissions for owners, groups, or others. File: README/addon_builder.conf.spec
This file has execute permissions for owners, groups, or others. File: default/collections.conf
This file has execute permissions for owners, groups, or others. File: appserver/static/correlation_details_button.css
This file has execute permissions for owners, groups, or others. File: third_party/pytz_lic.txt
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/threat_intelligence_matched_events.xml
This file has execute permissions for owners, groups, or others. File: default/searchbnf.conf
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/inputs.xml
This file has execute permissions for owners, groups, or others. File: appserver/static/js/jquery_mandiant.js
This file has execute permissions for owners, groups, or others. File: app.manifest
This file has execute permissions for owners, groups, or others. File: default/ta_mandiant_advantage_settings.conf
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/datamodel_hook.js
This file has execute permissions for owners, groups, or others. File: metadata/default.meta
This file has execute permissions for owners, groups, or others. File: default/web.conf
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/alerts_input_hook.js
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/0.licenses.txt
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/account_hook.js
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/1.licenses.txt
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/threat_intelligence_matched_events_summary.xml
This file has execute permissions for owners, groups, or others. File: default/app.conf
This file has execute permissions for owners, groups, or others. File: default/server.conf
This file has execute permissions for owners, groups, or others. File: default/inputs.conf
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/security_validation_overview.xml
This file has execute permissions for owners, groups, or others. File: appserver/templates/base.html
This file has execute permissions for owners, groups, or others. File: appserver/static/js/jquery-3.5.0.min.js
This file has execute permissions for owners, groups, or others. File: default/commands.conf
This file has execute permissions for owners, groups, or others. File: splunkbase.manifest
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/entry_page.js
This file has execute permissions for owners, groups, or others. File: static/appIcon_2x.png
This file has execute permissions for owners, groups, or others. File: appserver/static/indicator_info_send.js
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/vuln_fields_hook.js
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/3.js
This file has execute permissions for owners, groups, or others. File: static/appLogo_2x.png
This file has execute permissions for owners, groups, or others. File: TA-mandiant-advantage.aob_meta
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/0.js
This file has execute permissions for owners, groups, or others. File: appserver/static/js/mktoform.js
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/matched_events_hook.js
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/vulnerability_details.xml
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/globalConfig.json
This file has execute permissions for owners, groups, or others. File: appserver/static/correlation_details_button.js
This file has execute permissions for owners, groups, or others. File: appserver/static/vulnerability_overview.css
This file has execute permissions for owners, groups, or others. File: static/appIconAlt_2x.png
This file has execute permissions for owners, groups, or others. File: default/transforms.conf
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/configuration.xml
This file has execute permissions for owners, groups, or others. File: static/appIconAlt.png
This file has execute permissions for owners, groups, or others. File: appserver/static/img/mandiant_img2.png
This file has execute permissions for owners, groups, or others. File: default/savedsearches.conf
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/entry_page.licenses.txt
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/3.licenses.txt
This file has execute permissions for owners, groups, or others. File: CP_mandiant_advantage.tar.gz
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/5.js
This file has execute permissions for owners, groups, or others. File: static/appLogo.png
This file has execute permissions for owners, groups, or others. File: appserver/static/js/underscore-min.js
This file has execute permissions for owners, groups, or others. File: default/addon_builder.conf
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/custom/input_hook.js
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/dtm_alerts.xml
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/1.js
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/asm_issues.xml
This file has execute permissions for owners, groups, or others. File: third_party/tenacity_lic.txt
This file has execute permissions for owners, groups, or others. File: appserver/static/pop_up.js
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/threat_intelligence_overview.xml
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/vulnerability_overview.xml
This file has execute permissions for owners, groups, or others. File: default/props.conf
This file has execute permissions for owners, groups, or others. File: README.txt
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/security_validation_details.xml
This file has execute permissions for owners, groups, or others. File: default/data/ui/nav/default.xml
This file has execute permissions for owners, groups, or others. File: appserver/static/js/build/4.js
This file has execute permissions for owners, groups, or others. File: default/restmap.conf
This file has execute permissions for owners, groups, or others. File: default/macros.conf
This file has execute permissions for owners, groups, or others. File: default/data/ui/views/asm_entities.xml

Thanks in advance
Hi everyone, due to an issue we had with our Universal Forwarder not being visible on Splunk Cloud, we uninstalled the app from the Manage Apps section. The reason for removing the Universal Forwarder app was that we couldn't find the forward option under Data Inputs, which is strange. So we tried to reinstall the app to the cloud, but the app is no longer visible in All Apps. Is there any way to reinstall the Universal Forwarder app on Splunk Cloud? Thank you
Hey guys, I am trying to write an SPL search in Splunk where I have a lookup file with 10 values, and I want to search each value against a search and return results if found.

E.g. LookupFile: the column name is States and the values are as below:
Alaska
Arizona
Arkansas
California
Colorado

Now I want to search each of the states one after the other in a search and display the results with the columns (States, IP, Country, user, workstation). Please help. Thank you
Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. There are only three possible result values for any given policy (success, failure, or notApplied). In essence, I need this table to find out which policies are not being used by looking at the number of times each was not applied, i.e.:

Input:

Desired Output:
displayName  result      count
Policy1      success     1
Policy2      failure     1
Policy3      notApplied  1

However, the query I currently have is returning a sum that isn't possible, because the sum exceeds the number of sign-in events. What is wrong with my query?

<my_search> | stats count by Policies{}.displayName, ConditionalAccessPolicies{}.result
Looking to create a dashboard in Dashboard Studio that drills down on an Event Messages column in a table. According to this blog post, a "Link to search" option was added a few months ago, but I don't see the option in my editor in Splunk 9.1.2:

I've also tried adding the JSON directly:

"eventHandlers": [
  {
    "type": "drilldown.linkToSearch",
    "options": {
      "type": "auto",
      "newTab": true
    }
  }
]

and that didn't work either. Any help is appreciated.
Hello all, is there a way to automate a playbook so that it works only on events with a specific tag? I saw an option in the playbook settings to choose a tag, but it still runs on every event. Thank you in advance. @phanTom @SOARt_of_Lost
While it's possible to change the color of a single value icon based on a result, is it possible to display an entirely different icon for different results or ranges? I'm not readily seeing an option in Dashboard Studio. https://docs.splunk.com/Documentation/Splunk/9.0.2/DashStudio/chartsSV#Single_value_icon
Welcome to the Splunk Community! We're so glad you're here! The Splunk Community programs are intended to provide connections that promote the community and its content, leading to better experiences with Splunk products. While you are here, we expect that you observe the community guidelines below as well as our Terms of Use. For the most up-to-date information regarding the community, please visit community.splunk.com.

Guidelines for Community members

Be nice
Splunk values open dialogue, communication, and respectful humor. We expect Community members to be kind to one another and foster an atmosphere of belonging. Keep in mind that our members are at varying levels of familiarity with Splunk products. Our Community is comprised of new users and experts alike, so please be considerate and patient.

Keep it clean
Keep it SFW; offensive, explicit, illegal, or disrespectful content is forbidden. Splunk does not pre-approve any content but reserves the right to edit or remove posts that don't foster a welcoming environment. When posting, please refrain from tagging multiple members. Trolling and spam posting is forbidden. If you come across a user that does not follow these guidelines, please report them to a Community Team member and refrain from publicly responding to the user.

Respect others' (and your own) privacy
Do not share sensitive information. Avoid discussions or sharing of information that could violate intellectual property, privacy, competition, and antitrust laws.

Stay on topic
When posting on Splunk Answers or Slack:
Refrain from posting duplicate messages.
Respect people's time by asking specific questions.
Provide context about any troubleshooting you've conducted so far.
If a secondary or new question arises, begin a new conversation thread.
No advertising or solicitation.

We're all human
We value each community member's unique point of view. Post your own content proudly and don't try to pass off others' work as your own. In the event that you need to quote or build on others' work, provide proper attribution. Content gleaned from AI generators (e.g. ChatGPT) must be identified as such. Community content is predominantly user-generated. Splunk is not responsible for the accuracy or integrity of the information posted by the members of the community.

Violations of Community Guidelines
Sometimes missteps happen. We get it. But we take our guidelines very seriously, and we expect every community member to take them seriously, too. To that end, we've established the following guidelines for how community moderators will handle violations of our established guidelines.
First Violation - Warning - Moderators will explain which guideline(s) were violated, and how to avoid future violations.
Second Violation - Temporary Loss of Privileges - Moderators will again explain which guideline(s) were violated, which privileges will be suspended and for how long, and how to avoid future violations.
Third Violation - Banning from Splunk Community - Moderators will again explain which guideline(s) were violated, they will review the history of violations, and they will inform the user of their banning from the site and remove all access privileges.

More Questions? Check out our FAQ, or reach out to us anytime!
First of all, welcome to the Splunk Community! Our community is organized into a few programs and sections, many of which are part of this site's experience, and a few that will direct you to our other sites and resources.

Splunk Answers
This is our product questions-and-answers program - a place to ask questions, get answers, and find technical solutions, for any product in the Splunk portfolio, from passionate members of our community. Splunk Answers is organized into a series of categories and boards, and topics are further organized with Labels and Tags (see below). Here you can start a discussion, join a conversation, build your career, or just have fun! There are areas and boards for things like Security, IT Operations, DevOps, our Splunk Tech Talks, and even a casual #Random board.

Community Slack
Lastly, join us over on our splunk-usergroups Community Slack workspace! There, you'll have even more opportunities to ask questions, get answers, and connect with your fellow Splunk practitioners.

User Groups
We have a robust Splunk User Group program, with more than 130 user groups worldwide! This link will take you to our User Group site, where you can find and join your local group and see which in-person and virtual events are coming up.

SplunkTrust
We recognize our most engaged, most passionate, and most contributing community members with a special MVP program we call the SplunkTrust. Here, you'll find a little more information about the program and its members.
We're so glad you're here! The Splunk Community is a place to connect, learn, give back, and have fun! It features Splunk enthusiasts from all kinds of backgrounds, working at just about every kind of organization, and working in a variety of roles and functions. If you've landed here, you belong here. And we welcome you! This space is home to several community programs and is supported by both a team at Splunk and a growing group of our community members, including the SplunkTrust. Please connect with any and all of us; we've made it pretty easy to tell who's who by their Ranks and profiles.

Meet the Splunk Community Team!
Meet the folks who make up our Community Team! If you ever have any questions, concerns, or just want someone to digitally high-five, we're here for you! Anam S, Brian W, Gretchen F, Kara D, Jenny B, Ryan P

Looking for a spot to introduce yourself? Drop us a comment below and let us know where you're joining us from!

To get started...
Have a look around! You can navigate through our community and programs by using the main navigation, and you can learn a little more about specific programs and areas in this post.
Review our Community Guidelines! These spell out some of our expectations and requirements of all community members. So be sure to take a few minutes to review them, and be sure to abide by them.
Ask questions! Splunk Answers is the place to ask questions, get answers, and find technical solutions, for any product in the Splunk portfolio.
Join us on Slack! There, you'll have even more opportunities to ask questions, get answers, and connect with your fellow Splunk practitioners.

Again, we're so glad you're here!
-- Splunk Community Team
Hi guys, so here's what I'm trying to do. I have a lookup CSV with 3 columns. I have data with string values that might contain a value in my lookup. I have the basic setup working, but I want to populate additional fields in my data set. Here is a very stripped-down version of what I am doing.

First I have a basic lookup CSV. It has 3 columns:
active  flagtype  colorkey
yes     sticker   blue
yes     tape      red
no      tape      pink

Then my search, which creates a couple of test records, looks like this:
| makeresults count=4
| streamstats count
| eval number = case(count=1, 25, count=2, 39, count=3, 31, count=4, null())
| eval string1 = case(count=1, "I like blue berries", count=3, "The sea is blue", count=2, "black is all colors", count=4, "Theredsunisredhot")
| table flagtype, flag, string1, ck
| search [ inputlookup templookup.csv | eval string1 = "string1=" + "\"" + "*" + colorkey + "*" + "\"" | return 500 $string1 ]
| eval flag = "KEYWORD FLAG"
| table flagtype, flag, string1, colorkey

My 4-column output results are:
flagtype  flag          string1              colorkey
empty     KEYWORD FLAG  I like blue berries  empty
empty     KEYWORD FLAG  The sea is blue      empty
empty     KEYWORD FLAG  Theredsunisredhot    empty

How do I populate the two empty columns using other columns in the lookup table? Thanks in advance for any help I can get.
Hello, I'm writing some field extractions for a Tomcat access log. The logging format is:

"%{E M/d/y @ hh:mm:ss.S a z}t %h (%{X-Forwarded-For}i) > %A:%p &quot;%r&quot; %{requestBodyLength}r %D %s %B %I &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; %u %S %{username}s %{sessionTracker}s"

The X-Forwarded-For field has multiple headers, so multiple X-Forwarded-For IPs are being logged for a small, but important, percentage of these events. An example log is:

Thu 1/18/2024 @ 06:52:30.918 PM UTC 00.000.00.000 (00.000.000.000, 00.000.00.00, 00.000.00.00) > 00.000.00.0:0000 "PUT /uri/query/here HTTP/1.1" -  1270 200 3466 https-openssl-nio-00.000.00.0-000-exec-15 "hxxps://url.splunk.com/" "user_agent" - - - -

How can I perform a multivalue field extraction to grab 0, 1, 2 or 3 X-Forwarded-For IPs?