Hello, I have a very long XML record that I am trying to spath some data from, but I can't seem to get it to work. Can someone possibly give me some assistance? Here's what the record looks like (sorry, it's SUPER long):

2024-01-08 12:09:43.000, LOAD_DATE="2024-01-08 12:09:43.0", EVENT_LENGTH="14912", ID="3f29f958-af6e-4050-919e-fb23fc27e2bc", MSG_src="PXXXX", MSG_DOMAIN="APP", MSG_TYPE="INBOUND", MSG_DATA="<?xml version='1.0' encoding='UTF-8'?> <Message> <header> <domain>APP</domain> <source>PXXXX</source> <messageType>INBOUND</messageType> <eventId>f8y6jk45-af6e-4050-919e-fb23fc27e2bc</eventId> </header> <parsing> <parsingStatus>SUCCESS</parsingStatus> <parsingStatusDesc>Success</parsingStatusDesc> <formType>1234</formType> </parsing> <ABC> <Code>ABC</Code> <Number>209819</Number> <sequence>0236</sequence> <ReceiptDate>2024-01-08T00:00:00.000-05:00</ReceiptDate> <FirstDate>2024-01-08T00:00:00.000-05:00</FirstDate> <Status>SUCCESS</Status> <location>xxxxxxxx</location> <id>ci1704729189245.431902@fdsahl86ceb40c</id> <format>ABCD</format> </ABC> <applicationDetails> <applicationGlobalId>500168938</applicationGlobalId> <applicationType>ABC</applicationType> <applicationSubtype>UNKNOWN</applicationSubtype> <applicationNumber>123456</applicationNumber> <applicationRelationships> <applicationRelationship> <ReasonCode>XYZ</ReasonCode> <Desc>BLAH BLAH BLAH</Desc> <applicationGlobalId>123456789</applicationGlobalId> <applicationNumber>123456</applicationNumber> <applicationSubtype>UNKNOWN</applicationSubtype> <applicationType>RED</applicationType> </applicationRelationship> </applicationRelationships> <applicationPatents/> <applicationStatuses> <applicationStatus> <statusCode>APPROVED</statusCode> <statusDescription>APPROVED</statusDescription> <statusStartDate>2017-11-30T00:00:00.000-05:00</statusStartDate> </applicationStatus> </applicationStatuses> <applicationProperties/> </applicationDetails> <InboundDetails> <InboundType>Reply</InboundType> 
<InboundSubtype>Reply2</InboundSubtype> <InboundSequenceNumber>0236</InboundSequenceNumber> </InboundDetails> <form> <attributes>123-4560910-0001"/> <attribute description="EXPIRATION DATE" name="Expiration Date" value="03/31/2024"/> <attribute description="name" name="name_holder" value="Place Inc."/> <attribute description="NUMBER" name="number" value="209819"/> <attribute description="Bunch of strings" name="Desc"/> </attributes> <List> <items/> </List> <infoList> <info> <Type>Information goes here</Type> <name>Me Formal</name> <phoneNumber>+1 (111) 222-333</phoneNumber> <addressLine1>1234 Road Drive</addressLine1> <city>Place, MO</city> <zipCode>12345</zipCode> <emailAddress>me.formal@domain.com</emailAddress> <partyContacts> <partyContact> <Date>2024-01-04T00:00:00.000-05:00</Date> <state>MO</state> <emailAddress>me.formal@domain.com</emailAddress> <addressLine1>1234 Road Drive</addressLine1> <city>Place</city> <country>UNITED STATES</country> <phoneNumber>+1 (111) 222-333</phoneNumber> <zipCode>12345</zipCode> <name>Me Formal</name> <contactType>United States</contactType> </partyContact> </partyContacts> </info> </infoList> </form> <Information> <Number>11,222,333</Number> <IssueDate>2023-12-12</IssueDate> <ApprovalDate>2017-11-30</ApprovalDate> <ExpirationDate>2035-11-06</ExpirationDate> <SubType>Y</SubType> <Status>SUCCESS</Status> </Information> <index/> <additionalInfo> <attributes> <attribute description="title" name="title" value="Letter"/> </attributes> <fileDetails> <fileDetail> <Toc>application||form</Toc> <title>FABDC REDS</title> <fileName>file.pdf</fileName> <fileType>pdf</fileType> <formType>Long sting of data</formType> <filePath>\\filepath\file.pdf</filePath> </fileDetail> <fileDetail> <abcdToc>v1-place||v1-2-file-name</abcdToc> <title>Letter</title> <fileName>letter.pdf</fileName> <fileType>pdf</fileType> <filePath>\\us\letter.pdf</filePath> </fileDetail> <fileDetail> <abcdToc>information</abcdToc> <title>11-222-333</title> 
<fileName>11-222-333.pdf</fileName> <fileType>pdf</fileType> <filePath>\\ab\11-222-333.pdf</filePath> </fileDetail> </fileDetails> <tags/> </additionalInfo> </Message>"

At the end, I am trying to get the data from the "<fileDetails>" section, specifically the "<title>" for each file. It would have to be multi-value since there may, for a single record, be a single OR multiple Titles. I've tried a few variations of spath, as well as xmlkv, but as of yet haven't found anything that has given me the results I am expecting. For the example above I would expect to have 3 "Titles":

FABDC REDS
Letter
11-222-333

Any ideas how to get this data out? Thanks for the help!
Most of the time this applies to using "Counts" in a certain Dashboard. Is it possible to show an Expected value? For example, I have a dashboard that counts a certain log each day. There should be 30 each day, but sometimes there are only 29 due to errors. Is it possible to visualize that info against the expected number of 30? Or even just visualize it on the dashboard report as 29/30?
Hello, I'd like to know the process of compiling a Splunk app in a Windows environment, specifically using the default folder containing the props file to create a customized app. Thanks
We have a scheduled alert configured in Splunk which is working fine as per the events from the user logs, but it is delayed in sending the email as the alert notification.
We are using the Splunk metrics-toolkit app to check the logs. We created two indexes, 1. metrics and 2. platform_benefits, and one token for the index metrics. In the metrics-toolkit app.dev file we are using one token. As a result it is logging only metrics index data in Splunk; we have both metrics and platform_benefits dashboards. Is there any way to configure two tokens inside the app.dev yaml file to get the logs of both indexes? https://github.com/mulesoft-catalyst/metrics-toolkit/blob/main/src/main/resources/properties/secure/_template.yaml
Hi, I have two queries that have a common field someField. One helps me find inconsistencies: sourcetype="my_source" someLog inconsistencies. The other helps me find consistencies: sourcetype="my_source" someLog consistencies. This gives me both consistencies and inconsistencies: sourcetype="my_source" someLog. Note that someLog is just a text used as an identifier that's common to both queries. If someField was logged as inconsistent, it can be logged as consistent in the future. How can I find those values of someField that are truly inconsistent in a given time frame, retrospectively? I.e., if values are currently inconsistent, I want to be able to search (in the past or future relative to the current search) for those values that are truly inconsistent, i.e. not part of the consistent results in that time frame.
What is the latest version of Splunk Enterprise supported on RHEL 7.x?
Hi, instead of passing the username and password in plain text format, I was trying the basicauth extension for authentication and monitoring of the oracledb, and I require some assistance: after adding the below details in agent_config.yml, the Splunk OTel collector is not starting up and I am seeing an error. Kindly help. In agent_config.yml:

extensions:
  basicauth:
    htpasswd:
      file: /etc/otel/collector/.htpasswd
receivers:
  oracledb/demo:
    protocols:
      http:
        auth:
          authenticator: basicauth
    endpoint: <hostname:port>
    service: <DBname>
service:
  metrics:
    receivers: [oracledb/demo]
I am working on building a query to search retrospectively and potentially run a report. Let's say the first search is index=some_index "inconsistencies" | dedup someField and the second is index=some_index "consistent" someField IN (fieldValuesFromPrevMsg) | dedup someField. I want to check whether a field seen in the first search is part of the second search (which has a slightly different query but the same field) in a custom time frame (which could be in the future relative to the first search, or in the past). I'm new to Splunk; can someone please help me with this?
Hi, I am fetching data from the ServiceNow add-on into Splunk for one of the ServiceNow CMDB tables. While fetching, the field name is splitting as below. How do I fix this?
Hi, it's unclear from the app description what this app allows for. Does it help with RADIUS configuration for Splunk authentication? Or is it for monitoring any RADIUS server logs, even if you don't use RADIUS within Splunk?
Hello, I have seen a few of the spath topics around, but wasn't able to understand enough to make it work for my data. I would like to create a line chart using pointlist values; it contains a timestamp in epoch and CPU%. The search I tried, which is not working as expected to extract this data: index="splunk_test" source="test.json" | spath output=pointlist path=series{}.pointlist{}{} | mvexpand pointlist | table pointlist

Please see the sample JSON below.

{"status": "ok", "res_type": "time_series", "resp_version": 1, "query": "system.cpu.idle{*}", "from_date": 1698796800000, "to_date": 1701388799000, "series": [{"unit": [{"family": "percentage", "id": 17, "name": "percent", "short_name": "%", "plural": "percent", "scale_factor": 1.0}, null], "query_index": 0, "aggr": null, "metric": "system.cpu.idle", "tag_set": [], "expression": "system.cpu.idle{*}", "scope": "*", "interval": 14400, "length": 180, "start": 1698796800000, "end": 1701388799000, "pointlist": [[1698796800000.0, 67.48220718526889], [1698811200000.0, 67.15981521730248], [1698825600000.0, 67.07217666403122], [1698840000000.0, 64.72434584884627], [1698854400000.0, 64.0411289094932], [1698868800000.0, 64.17585938553243], [1698883200000.0, 64.044969119166], [1698897600000.0, 63.448143595246194], [1698912000000.0, 63.80226399404451], [1698926400000.0, 63.93216493520908], [1698940800000.0, 63.983679174088145], [1701331200000.0, 63.3783379315815], [1701345600000.0, 63.45321248782884], [1701360000000.0, 63.452383398041064], [1701374400000.0, 63.46314971048991]], "display_name": "system.cpu.idle", "attributes": {}}], "values": [], "times": [], "message": "", "group_by": []}

Can you please help with how I can achieve this? Thank you. Regards, Madhav
Hi, I need to find a way to present all alerts in a dashboard (Classic/Studio). Users don't want to get an email for each alert; they prefer to see (maybe in a table) all the alerts on one page, plus each alert's last result, and maybe to click on the alert and get the last search. Is it possible to create an alerts dashboard? Thanks, Maayan
Hi, I need to find all time_interval values for each machine where there is no data (no row for Name). (The goal is to create an alert if there was no data in a time interval for a machine.) For example, if we look at one day and machine X: if there was data in time intervals 8:00-10:00 and 10:00-12:00, I need to return X and the rest of the intervals (12:00-1:00, 1:00-2:00, ...). I wrote the following command: | chart count(Name) over machine by time_interval. I get a table with all intervals and machines; cell=0 if there is no data. I want to return all cells = 0 (I need the interval and machine where cell=0), but I didn't succeed. I also tried to save the query and do a left join, but it doesn't work. It's a very simple mission; can someone help me with that? Thanks, Maayan
Query should return the last/latest available data when there is no data for the selected time range
I am trying to set up custom user data to capture the user id of the user from the Ajax request payload, via both the HTTP method and the URL method, but I am unable to execute it with either method and it is not showing up in the Network tab under developer tools. Could someone help me with what the issue could be?
Hi, I have to create correlation searches in Splunk ES. My cron schedule will be */60****. Is it better to use a real-time schedule or a continuous schedule? Is it necessary to fill in the time range (start time and end time)? Last question: if an alert event exists, does it mean that this event will be created many times in the incident review dashboard? I need to create just one incident for the same alert. How do I do this? Thanks in advance
Hi All, I have created a detector that monitors the Splunk environment. I am trying to customize the alert message and to pass {{dimensions.AWSUniqueId}}. When the alert notification is sent, this variable is empty. Can anyone please let me know why this is happening? Regards, PNV
Hi All, I recently installed/configured the "Microsoft Teams Add-on for Splunk" to ingest call logs and meeting info from Microsoft Teams. I have run into an issue I was hoping someone could help me with.

[What I would like to do] Ingesting call logs and meeting info from Microsoft Teams via the "Microsoft Teams Add-on for Splunk".

[What I did] I have followed the instructions and configured the "Subscription", "User Reports", "Call Reports" and "Webhook". Instructions: https://www.splunk.com/en_us/blog/tips-and-tricks/splunking-microsoft-teams-data.html

[Issue] "User Reports" and "Webhooks" have worked, but "Subscription" and "Call Reports" have not worked. As a result, Teams logs are not ingested. I have granted all of the required permissions in Teams/Azure based on the instructions.

[Error logs] I checked the internal logs and detected many error logs, but reading the errors did not reveal a clear cause. Among the logged problems indicated were the following:

From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#TA_MS_Teams#configs/conf-ta_ms_teams_settings, user=proxy.
message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/teams_subscription.py" 400 Client Error: Bad Request for url: https://graph.microsoft.com/v1.0/subscriptions
message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/teams_subscription.py" requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/v1.0/subscriptions

[Environment] Add-On Version: 1.1.3. Splunk Enterprise Version: 9.1.2. The Add-On is installed on a Splunk Enterprise instance.

Is the error in the error log the reason the call log and subscriptions are not working properly? Or does the webhook URL have to be https to work properly? If anyone knows the reason, let me know. Any help would be greatly appreciated. Thanks,
On Splunk Enterprise 9.0.4, we are using the Proofpoint Isolation TA to download Isolation data into Splunk from the Proofpoint Isolation cloud. However, when we activated SSL decryption on the URLs at our firewall for other necessary reasons, the TA stopped working, giving these errors in the logs:

2024-01-09 19:09:52,554 WARNING pid=9240 tid=MainThread file=connectionpool.py:urlopen:811 | Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)'))': /api/v2/reporting/usage-data?from=2023-11-29T01%3A17%3A33.000&to=2024-01-10T01%3A09%3A52.188&pageSize=10000
2024-01-09 19:09:52,657 ERROR pid=9240 tid=MainThread file=base_modinput.py:log_error:309 | Call to send_http_request failed: HTTPSConnectionPool(host='urlisolation.com', port=443): Max retries exceeded with url: /api/v2/reporting/usage-data?from=2023-11-29T01%3A17%3A33.000&to=2024-01-10T01%3A09%3A52.188&pageSize=10000 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

The error makes sense, since it's not (yet) a "trusted root" cert for this Splunk instance. How do I properly configure Splunk (or, perhaps, the Python client) to recognize this firewall root certificate as valid, or at the very least to stop validating the certificates provided by the outside server? The latter would be my least-preferred choice, obviously.