All Topics

I want to hide time picker options like real-time and presets for some specific roles, while admin should see all of them. I am able to hide them for all users only with CSS, but I need to hide them for specific user roles. Thanks in advance.
Hello All, I have created a Scheduled Alert which is meant to run once every day, and the alert has a Splunk query with the sendemail command. I set the alert to send a link to view results and alert details, but when the alert is triggered I receive an email with only the results returned from the search; I don't see the link to the results even though I configured it while setting up the alert. Can someone assist me with this?
Hello Team, I have a few queries regarding Logs Monitoring in AppDynamics.
1. Where are logs stored in the AppDynamics SaaS controller when enabled through Log Analytics?
2. How is storage management done for logs?
3. Also, what is the retention period for the logs, and can it be modified?
Thanks
Hi Community People. Our team has stood up a new instance of Splunk, and we have deployed some cool new apps. One issue I have run into, however, is that there seems to be a weirdness in how the app is expecting the data. Specifically, the predefined queries (some using macros) seem not to work unless there is an index specified. Is there an explanation behind this?

    sourcetype=[some preconfigured type from the app] | stats count by someField    <=== doesn't seem to work
    index=someIndex sourcetype=appDefinedSourceType | stats count by someField    <=== this works
Hi, I have a dashboard with a time picker and a dummy search to transform relative timestamps to absolute timestamps:

    <search>
      <query>| makeresults</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
      <progress>
        <eval token="timeEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
        <eval token="timeLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      </progress>
    </search>

Next, I have a chart querying something using the time picker from the form. By default, the chart will automatically adjust the X-axis to the results found, not the entire searched timespan. I want to change this behavior and tried setting chart.axisX to the absolute timestamp values, but it doesn't seem to work. Is there something that I am missing?

    <chart depends="$timeEarliest$,$timeLatest$">
      <search>
        <query>... | chart count OVER _time BY some_field</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="charting.axisX.minimumNumber">$timeEarliest$</option>
      <option name="charting.axisX.maximumNumber">$timeLatest$</option>
      <option name="charting.chart">column</option>
    </chart>
I need to create a summary index continuously in real time, and I now have two questions:
1. I run a Splunk forwarder on the client and logs are sent to the Splunk server. Each line contains lots of data, so I need to create the summary index as soon as a log is received and store a summary of the line in that summary index continuously in real time.
2. Is it possible to automatically create a new index for each day, like myindex-20240115, myindex-20240116, as data comes in from the forwarder?
Thanks
Hi Team, I had provided user roles with read-only access, but the user is still able to edit and delete the reports. How do I restrict the user access to read-only for the reports? The configuration and role capabilities I had provided are given below. Please help me with how to restrict the user access: the user should not be able to delete, and should not be able to edit Splunk queries.

    [savedsearches/krack_delete]
    access = read : [ * ], write : [ power ]
    export = system
    owner = vijreddy@xxxxxxxxxxxxx.com
    version = 9.0.5.1
    modtime = 1704823240.999623300
Hi, I have a dataset with very poor quality and multiple encoding errors. Some fields contain data like "&#1040;&#1083;&#1077;&#1082;&#1089;&#1077;&#1081;" which should be "Алексей". My first idea to convert that was to search every faulty dataset and convert it externally with a script, but I'm curious if there's a better way using Splunk. But I have no idea how to get there. I somehow need to get every &#(\d{4}); and I could facilitate printf("%c", \1) to get the correct Unicode character, but I have no idea how to apply that to every occurrence in a single field. Currently I have data like this:

    id  name
    1   &#1040;&#1083;&#1077;&#1082;&#1089;&#1077;&#1081;

Where I want to get is this:

    id  name                                                correct_name
    1   &#1040;&#1083;&#1077;&#1082;&#1089;&#1077;&#1081;   Алексей

Any ideas if that is possible without using Python scripts in Splunk? Regards, Thorsten
Hello, I am looking for any guidance or info about the possibility of using Microsoft AMA agents to forward logs to Splunk instead of using Splunk universal forwarders. I know you will say "but why?!" Let's say I have some requirements and constraints that oblige me to use AMA agents. I need to know the feasibility of this integration and if there are any known issues or limitations. Thank you for your help. (Excuse me if my question is vague, I am kinda lost here.)
Hi, can you please tell me how I can extract the events for which the difference of current_time and timestampOfReception is greater than 4 hours for the below Splunk query:

    `eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001 (messageType= seev.047* OR messageType= SEEV.047*) status = SUCCESS targetPlatform = SRS_ESES
        NOT [ search (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Received Disclosure Response Command"
              | spath input=Properties.appHdr
              | rename bizMsgIdr as messageBusinessIdentifier
              | fields messageBusinessIdentifier ]
    | eval Current_time =strftime(now(),"%Y-%m-%d %H:%M:%S ")
    | eval diff= Current_time-timestampOfReception
    | fillnull timestampOfReception , messageOriginIdentifier, messageBusinessIdentifier, direction, messageType, currentPlatform, sAAUserReference value="-"
    | sort -timestampOfReception
    | table diff , Current_time, timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier, currentPlatform,
    | rename timestampOfReception AS "Timestamp of reception", originPlatform AS "Origin platform", sourcePlatform AS "Source platform", targetPlatform AS "Target platform", senderIdentifier AS "Sender identifier", receiverIdentifier AS "Receiver identifier", messageOriginIdentifier AS "Origin identifier", messageBusinessIdentifier AS "Business identifier", direction AS Direction, currentPlatform AS "Current platform", sAAUserReference AS "SAA user reference", messageType AS "Message type"
We are using a SaaS-based controller. If we needed to restore aspects of our configuration from yesterday, or from perhaps a week or month ago, what is the process for us to do that? Do you perform regular (and granular) backups on our behalf, or are we expected to download configurations ourselves? If so, what options are there that allow us to automate this, e.g. APIs, jobs, etc.?
I need to mask emails in my data. I'm trying to use transforms.conf:

    [emailaddr-anonymizer]
    REGEX = ([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63})
    FORMAT = ********@*********
    DEST_KEY = _raw

If I do this, the entire log is masked; however, I want only the email to be masked. Please, can someone help me?
Hi, I didn't find an email address for the developer Christopher Caldwell, so I am trying it this way. The BlueCat Address Manager RESTful API changes from version 1 to version 2, and version 1 will be removed in 2025. Are there any plans to update the Add-on to support the new API? I would be very pleased! Greetings, Mirko
Hello Splunkers, I have a Region filter on the dashboard. This Region filter has the values AMER and EMEA. I have a requirement to reorder the above fields based on the selection of the Region filter as follows: I want the "<Region> Mandatory" field to appear before "<Region> All". Thanks in advance. @tscroggins @yuanliu @bowesmana
Hello Community, we have a challenge with our SysMon instance. While testing compatibilities, we noticed that after SysMon gets upgraded it no longer talks to the SIEM, for some weird reason. Has anyone experienced anything like this before? Regards, Dan
When configuring RF and SH, can we configure that only one server is used for saving all copies of the data, and that it does not participate in indexing, only in searching when needed?
Recently, I converted lookup files to .csv lookup files, and after converting them the dashboard shows nothing but only this. If this helps, we have custom scripts in the backend.
Hi All, I need to display the results the same as below:

    |chart count over API by StatusCode

    API   200   300   400   400   total
    --    ---   ----  --    ---

but I need to display more fields behind API, like host and method, as well:

    API   host   method   200   300   400   total
    --    ---    ---      --    ---   ----

Please help me to get the results.
Hi, can someone help to explain how we can use Not-exists in Splunk? An example is attached below for which I need to use this function in Splunk.
1) Search1 generates a set of results.
2) Search2 also generates a set of results.
There is a common field between the 2 searches. I want to add a search in Splunk as below:

    Results of Search1 (Not exists (results of Search2)) common field = Field1

Search1:

    `eoc_stp_events_indexes` host=p* OR host=azure_srt_prd_0001
    | table timestampOfReception, messageOriginIdentifier, messageType, status, messageBusinessIdentifier, originPlatform, direction, sourcePlatform, currentPlatform, targetPlatform, senderIdentifier, receiverIdentifier, currentPlatform

Search2:

    (index=events_prod_srt_shareholders_esa OR index=eoc_srt) seev.047 Name="Created Disclosure Response Status Advice Accepted"
    | table messageBusinessIdentifier

Field1: messageBusinessIdentifier
Hi, will disabling the app (ES Content Updates) affect the functionality of Enterprise Security? Thanks, Regards