Hi, does anyone have experience in monitoring Azure Integration Services with AppDynamics? Suggestions on a setup would be appreciated. The services will be calling an on-premise .NET application; the ability to drill down downstream is not a must but would be really nice to have.

BR, Kjell Lönnqvist
Hi All, I have a dashboard which has 3 radio buttons: both, TypeA and TypeB. I also have a table. The requirement is that if I select "both" or "TypeA" in the radio buttons, columnA and columnB in the table should be highlighted. If I select "TypeB", only columnA should be highlighted. How can I achieve this? I have tried using a color palette expression like the one below, but no luck. Does anyone have a solution for this?

<format type="color" field="columnA">
  <colorPalette type="list">["#00FFFF"]</colorPalette>
</format>
<format type="color" field="columnB">
  <colorPalette type="expression">if(match(Type,"TypeB")," ", "#00FFFF")</colorPalette>
</format>
Hello, firstly, the requirement is that we want to monitor the Docker containers present on the server. We tried the approach of instrumenting our machine agent inside each Docker container, but with this approach our Docker image is going to be heavy and our application performance may decrease because of it. So we instead instrumented the machine agent in a Docker container present on that local server; that machine agent is working correctly and is providing metrics for some containers, but not for all containers, so can anyone help me to solve this issue? We took reference from the GitHub repository (https://github.com/Appdynamics/docker-machine-agent.git), but in our environment there are 40 containers and by this method it is monitoring only 9 containers, so can anyone help me to solve this issue? Here you can see only 9 containers.

Regards, Dishant
Hi Splunk Experts, we are trying to integrate CA UIM with Splunk to send Splunk alerts to CA UIM. So we installed the Nimbus (CA UIM) add-on and configured an alert to trigger events, and we also installed the Nimbus agent on the Splunk Enterprise server, which is deployed on Linux x64, as per the instructions, but no alerts are triggering for the search even if the condition matches. However, when we check manually we can see many triggered alerts under the trigger section. So can anyone suggest what could be the issue and how to resolve it? Below is the search and alert configuration.

Thank you in advance.

Regards, Eshwar
Hello, one of our MF Local Administrative Group Member rules is generating a significant number of alerts because the sccmadmin group was removed from the MF member server; assistance is needed in refining this search to minimize unnecessary alerts.

index=foo sourcetype=XmlWinEventLog (EventCode=4732) dest="mf" user!="nt service"
    NOT (EventCode="4732" src_user="root" MemberSid="Domain Admins" Group_Name="Administrators")
    NOT (EventCode="4732" MemberSid="NT SERVICE\\*" (Group_Name="Administrators" OR Group_Name="Remote Desktop Users"))
| eval user=lower(MemberSid)
| eval src_user=lower(src_user)
| stats values(user) as user, values(Group_Domain) as Group_Domain, values(dest) as dest by src_user, Group_Name, EventCode, signature, _time

Thanks...
Hi Guys (and Gals), hopefully a quick question, and it's late, so my brain isn't firing quickly/properly. I need to run a query to get the ingestion over time over two variables: host, index. In the specific case, I need to determine the data ingestion from a specific set of hosts, and whether the data inbound has been increasing more than normally expected. So the query would look like:

index=linuxos host IN (server1, server2, server3...)   [or possibly you may have a lookup of the set of hosts]
| eval sum(the data per host over hour {or whatever regular chunk of time you want} for a 7 day period)
| timechart xyz   ==> chart over a line graph

Also, if there is a relevant dashboard/console in the monitoring console I am not thinking of, please direct me to the relevant menu or docs. Appreciate any assistance.
Join the event Get Resiliency in the Cloud on January 18th, 2024 (8:30AM PST). You will hear from industry experts from Pacific Dental Services, IDC, The Futurum Group CEO Daniel Newman, and Splunk leaders on how to build resilience for your expansion to the cloud. You will learn about the drivers that lead enterprises to build data-centric security and observability use cases on Splunk Cloud Platform, delivered as a service, and its benefits. Additionally, you will learn about:

- How digital transformation is influencing businesses to expand to the cloud
- The cloud transformation journey of Pacific Dental Services with Splunk
- New advancements in Splunk Cloud Platform that accelerate the journey to the cloud
- Achieving faster value realization with Splunk services

Register today for the event Get Resiliency in the Cloud happening on January 18th, 2024 (8:30AM PST).
Register here. This thread is for the Community Office Hours session with the Splunk Threat Research Team on Threat Detection and Response Content on Wed, Mar 27, 2024 at 1pm PT / 4pm ET. This is your opportunity to ask questions about using the latest security content developed by the Splunk Threat Research Team, including:

- How to access security content in the Splunk ES Content Update (ESCU) app
- Best practices and practical tips for using content from the Splunk Threat Research Team to enhance threat detection
- Specific questions about new content that has been released for detecting DarkGate malware, Office 365 account takeover, and Windows Attack Surface Reduction events
- Anything else you'd like to learn!

Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here). Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants. Look forward to connecting!
Hello, I have a search that's coming back with 'src', which is the source IP of a client, and I have a lookup file called "networks.csv" that has a column with the header 'ip', which is a list of CIDR networks. I have gone into the lookup definitions and set "CIDR(ip)" under the advanced options for that lookup file. I can see the headers being automatically extracted in that UI. However, when I run the search and try to pull the category for the network matching 'src', it does not work.

basesearch | lookup networks.csv ip as src_ip OUTPUT category

I have validated that it's a CIDR issue by doing a "...| rex mode=sed field=src_ip" and placing a literal CIDR entry in there, and the category comes out. Thank you for your help!
Hi, is it possible to create a tab on a dashboard that redirects to a new dashboard when the tab is clicked, without having to clone the dashboard? Thanks in advance!
I have an index that is receiving JSON data from a HEC, but with 2 different data sets and about 2M events per day:

DS1 {guid:"a1b2",resourceId:"enum",sourcenumber:"55512345678"}
DS2 {guid:"a1b2",resourceId:"enum",disposition:"TERMINATED"}

Now, counting terminated is easy and fast; this runs in 1s for all calls yesterday:

index="my_data" resourceId="enum*" disposition="TERMINATED"
| stats count

But counting the TOP 10 TERMINATED is not so fast; this takes almost 10m on the same interval (yesterday):

index="my_data" resourceId="enum*"
| stats values(*) as * by guid
| search disposition="TERMINATED"
| stats count by sourcenumber

I found some help before using subsearches and found this | format thing to pass in more than 10k values, but this still takes ~8m to run:

index="my_data" resourceId="enum*" NOT disposition=*
    [ search index="my_data" resourceId="enum*" disposition="TERMINATED" | fields guid | format ]
| stats count by sourcenumber
| sort -count

The issue is I need 'data' from DS1 when it 'matches guid' from DS2, but I've learned that 'join' isn't very good for Splunk (it's not SQL!). Thoughts on the 'most optimized' way to get the Top 10 of data in DS1 where certain conditions hold in DS2? NOTE: I asked a similar question here, but can't figure out how to get the same method to work since it's not excluding, it's more 'joining' the data: https://community.splunk.com/t5/Splunk-Search/What-s-best-way-to-count-calls-from-main-search-excluding-sub/m-p/658884

As always, thank you!!!
I'm not exactly sure what I need here. I have a multiselect:

<input type="multiselect" token="t_resource">
  <label>Resource</label>
  <choice value="*">All</choice>
  <prefix>IN(</prefix>
  <suffix>)</suffix>
  <delimiter>,</delimiter>
  <fieldForLabel>resource</fieldForLabel>
  <fieldForValue>resource</fieldForValue>
  <search base="base_search">
    <query>| dedup resource | table resource</query>
  </search>
</input>

Table visual search:

| search status_code $t_code$ resource $t_resource$ HourBucket = $t_hour$
| bin _time span=1h
| stats count(status_code) as StatusCodeCount by _time, status_code, resource
| eventstats sum(StatusCodeCount) as TotalCount by _time, resource
| eval PercentageTotalCount = round((StatusCodeCount / TotalCount) * 100, 2)
| eval 200Flag = case(
    status_code=200 AND PercentageTotalCount < 89, "Red",
    status_code=200 AND PercentageTotalCount < 94, "Yellow",
    status_code=200 AND PercentageTotalCount <= 100, "Green",
    1=1, null)
| eval HourBucket = strftime(_time, "%H")
| table _time, HourBucket, resource, status_code, StatusCodeCount, PercentageTotalCount, 200Flag

I also have a table; sample data below:

_time      resource
1/10/2024  Red
1/10/2024  Green

When the user opens the multiselect dropdown and selects "All" (which is the default), the resource column should aggregate all the resources and display the resource as "All". But if the user selects individual resources, such as "Red" and "Green", these should be shown and broken down by resource.
I have a dashboard created in Dashboard Studio and have added a simple dropdown to select "Production", "UAT", "SIT", "Development"; it sets a corresponding value that I use in the $api_env$ token as shown below. This works correctly and results in CA03430-cmsviewapi-prodox as I expect. I want to use the value in the $api_env$ token to programmatically change the index between wf_wb_cbs and wf_cb_cbs_np. How do I do that? I tried adding eval idx=if() at the front of my query, but when it gets to the existing index= portion it flags an error "Unknown search command 'index'". Thanks for any assistance! Here is the query as it now shows in my dashboard:

"ds_search_1_new_new": {
    "type": "ds.search",
    "options": {
        "query": "index=wf_wb_cbs CA03430 sourcetype=\"cf:logmessage\" cf_app_name=\"CA03430-cmsviewapi-$api_env$\"| spath \"msg.customerIdType\" \r\n| eval eventHour = strftime(_time,\"%H\") | where eventHour >= \"07\" and eventHour < \"20\" \r\n| stats count by \"msg.customerIdType\"",
        "queryParameters": {
            "earliest": "$global_time.earliest$",
            "latest": "$global_time.latest$"
        }
    },
    "name": "cmsviewapi_activitybyrole"
},

And here is my input:

"input_w8NFtYlK": {
    "options": {
        "items": [
            { "label": "Production", "value": "prodox" },
            { "label": "UAT", "value": "uathra" },
            { "label": "SIT", "value": "sit" },
            { "label": "Development", "value": "dev" }
        ],
        "token": "api_env",
        "defaultValue": ""
    },
    "title": "Environment",
    "type": "input.dropdown",
    "dataSources": {}
}
I am aware of forwarder -> indexer -> search head. However, when reading about streaming commands, Splunk states "A distributable streaming command runs on the indexer or the search head, depending on where in the search the command is invoked." I am very confused, as I read this as saying that there are searches on the indexer, and then there are searches on the search head. But my understanding is that the search head is used to search events on the indexer, and that there is no searching the indexer without the search head. What is the difference between a search on the indexer and a search on the search head? https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Commandsbytype
Artificial intelligence is the talk of the town nowadays, with industries of all kinds wondering how they can harness the power of Generative AI. Although ChatGPT has received most of the attention, generative AI actually encompasses a variety of technologies and techniques, including Large Language Models (LLMs), Generative Adversarial Networks (GANs), Diffusion Models, and Autoencoders. For security teams, each of these techniques has something to offer, so it's important to understand their differences and potential uses. Join members of the Splunk Machine Learning for Security (SMLS) team, Abhinav Mishra and Kumar Sharad, for a comprehensive overview of these techniques, including:

- The particular strengths of different generative AI techniques
- Real-world security scenarios that these techniques can support
- Practical tips for implementing these techniques to enhance threat detection

Watch the full Tech Talk here:
I have written and tested some rules using "Ingest Actions". I used the "Sample" indexed data and everything seems fine, so I saved my rules. There is a button "Deploy" with one option, "Export for Manual Deployment". Do I have to do that?
I have a dashboard built with Dashboard Studio with several Single Value visualizations. When I enable showLastUpdated, the "Open in Search", "Layers", "Clone" and "Delete" options are lost for the visualizations on the left side of the browser window, because the hover-over option menu is cut off by the edge of the window. I have attempted to adjust the zoom level, but that does not change the issue. This is happening in both Safari and Chrome. For now, the workaround of disabling showLastUpdated is the only way of resolving this, but I would like to have it enabled and to see the full options bar.

Thanks! -SR
Why can't I see data on Splunk ES Non-corporate Web Uploads? When I click on the user, I get "mariangelie.rodriguez+castellano is not a known identity".
Hello. Is there a way to show a Splunk dashboard on a digital signage display? I know you can use software like MagicInfo, but the Splunk web page requires login and I cannot see a supported login page in MagicInfo. Is there other software that can be used to broadcast Splunk dashboards? I am aware that there is a Splunk app named SLIDESHOW, but that also requires a Splunk login. Thank you.
Hello, I am trying to use a subsearch in order to create a dashboard, but because subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the duration of time and the amount of logs it's ingesting, but that is not an acceptable solution for this dashboard. Is there a better way to write this code or another way for me to produce the results?

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD"
    [ search index="windows_logs" LogName="Security"
        (Account_Domain=EXCH OR Account_Domain="-")
        (EventCode="4625" OR EventCode="4740")
        (user="john@doe.com" OR user="johndoe")
      | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
      | top limit=1 Source_Network_Address
      | dedup Source_Network_Address
      | rename Source_Network_Address as c_ip
      | table c_ip ]

My goal is to take information from the first panel in my dashboard and then use that information to do a different search in another panel.