Hello Splunkers, I wanted to set up an alert for changes to password parameters. For example, we have a policy of 15 minimum characters which includes at least 1 lowercase character, 1 uppercase character and 1 special character. I want an alert to trigger if someone modifies this password rule. Thanks!
Hi all, I am trying to use the Single Value Visualization in a dashboard to keep an all-time running count of my field "id". The issue I'm running into is I have duplicate logs for "id" that are giving me an incorrect number. When I run a search with the SPL below and dedup, I get the correct number of events. But when I try to convert that into the Visualization I am having issues. Any help is appreciated, thanks!

index="xx" label="xx" id=* | dedup id
Hello Splunkers, I need some help in understanding the difference between Auditd logging on Linux and the traditional way of capturing the log files under /var/log/*. What is it that Auditd provides which we cannot get from /var/log/*? Secondly, I'm already collecting the basic audit files that are under /var/log/ using the standard TA_Nix; if I want to go with Auditd, is there a different add-on for this? What are the available options? I'd appreciate some insight on this from experienced techies. Thank you, Moh...!
I have a CSV export from Splunk, and two of the columns are timestamps. Both were converted to human-readable using convert ctime(fieldname) in the Splunk query, and show as decimal numbers in the CSV file. For example, 01/03/2024 12:49:48.192 is represented as 45294.5345855556 in the CSV file. How do I convert that decimal to a human-readable timestamp in Excel? Thanks!
Hey, is there a way in which I can export my dashboard PDF using Python and splunk-sdk so as to get the same result you would if you clicked on the export button?
Hi Splunk Team, I am having issues while fetching data from 2 stats count fields together. Below is the query:

index=test_index | rex "\.(?<TestMQ>.*)\@" | eval Priority_Level=case(Priority="Low", "Low", Priority="Medium", "Medium", Priority="High", "High") | stats count as TotalCount, count(eval(Priority_Level="Low")) as Low, count(eval(Priority_Level="Medium")) as Medium, count(eval(Priority_Level="High")) as High by TestMQ

This gives me a result like the example below:

TestMQ | TotalCount | Low | Medium | High
MQNam1 | 120        | 0   | 0      | 0
MQNam2 | 152        | 0   | 0      | 0
..

The problem is that I am getting a "0" value for the Low, Medium & High columns, which is not correct. I want to combine both stats and show the group-by results of both fields. If I run the same query with separate stats, it gives the individual data correctly.

Case 1: stats count as TotalCount by TestMQ

index=test_index | rex "\.(?<TestMQ>.*)\@" | eval Priority_Level=case(Priority="Low", "Low", Priority="Medium", "Medium", Priority="High", "High") | stats count as TotalCount by TestMQ

Example Output:

TestMQ | TotalCount
MQName | 201

Case 2: stats count as PriorityCount by Priority_Level

index=test_index | rex "\.(?<TestMQ>.*)\@" | eval Priority_Level=case(Priority="Low", "Low", Priority="Medium", "Medium", Priority="High", "High") | stats count as PriorityCount by Priority_Level

Example Output:

Priority_Level | PriorityCount
High           | 20
Medium         | 53
Low            | 78

Please help and suggest. @ITWhisperer - kindly assist.
How to upgrade existing add-on apps to a newer add-on version on different computers.
Hi experts, we are getting this error consistently while querying data from Splunk Enterprise hosted in the company's internal network.

Exception in receiving splunk data 145java.lang.RuntimeException: HTTPS hostname wrong: should be <splunk_enterprise_url - splunk.org.company.com>

The line of code that causes this is:

String query = "<splunk valid query>";
Job job = service.getJobs().create(query);

Splunk SDK Version used: 1.9.5

Connection to Splunk is established as follows:

String token = System.getenv("SPLUNK_TOKEN");
ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setPort(8089);
loginArgs.setHost("splunk.org.company.com");
loginArgs.setScheme("https");
loginArgs.setToken(String.format("Bearer %s", token));
service = new Service(loginArgs);
log.info("service val is {}", service.toString());
Service.setValidateCertificates(false);

This was working a few days ago and suddenly it has stopped. We checked the server certificate and it is valid till March 2024. The program querying Splunk is called from a runner hosted on AWS and it has no network restrictions. Not sure what the issue is, but it is reproduced consistently.

Note: surprisingly, the same program runs fine on a local machine. I cannot find out what the issue would be. Any help will be appreciated.
I want to have a query that can show me the percentage error rate in the "AccountDetailsController" service of my application. We have the metrics data coming in from Splunk, so that could be used, or however else we can do this. Please help.
Hi, I have a requirement to add lookup data into dashboard panels. Could you please review and help on this? How do I add the lookup data into the SPL query to display the region full name?

SPL:

index=abc sourcetype=a.1 source=a.2 | search region IN (a,b,c,d,e,f,g,h,i,j,l,m) | chart count by region

Lookup data (lookup file name regiondetails.csv):

Alias | Name
a     | america
b     | brazil
c     | canada
d     | dubai
I would like to know how to view deleted messages from the Splunk bar. For example, if I accidentally deleted a message from the Splunk bar, how can I view those messages again, either from the web UI or the CLI?
Hi, How can we install the Splunk Enterprise Compatibility app on Splunk Cloud? Are there any modifications needed to ensure it's compatible with Splunk Cloud?
Here are the screenshots: In the incident review setting, I have already labeled signature. Then in the Correlation Search content setting, I have also set the search query, which results in fields with signature. This search can be run normally on the search head and shows the result I want. But here, related to the drill-down search or description, this $signature$ cannot be shown in the notable in incident review. May I ask how to solve this issue?
We have a sandbox environment with vSphere and it works mostly just fine. We believe the time sync is correct because we have it set to use the internet to auto update, and for the sake of being free of errors we have disabled firewalld (this is a mostly Linux env). However, we are getting the following errors, see attached.
This query shows date & time haphazardly; how do I sort it like 1/4/2024, 1/3/2024, 1/2/2024...?

index="*" source="*" | eval timestamp=strftime(_time, "%m/%d/%Y") | chart limit=30 count as count over DFOINTERFACE by timestamp
Register here. This thread is for the Office Hours session on Dashboards & Dashboard Studio on Wed, Feb 28, 2024 at 1pm PT / 4pm ET.

This is your opportunity to ask questions related to your specific Dashboard challenge or use case, including:
- Getting started with Dashboard Studio
- Basic dashboard designs (charts, buttons, etc.)
- How to use searches
- Advanced interactivity features (drilldowns, maps, dynamic coloring, etc.)
- Customization (background images, custom layout, colors, etc.)
- How to migrate your dashboards from Classic to Dashboard Studio
- Anything else you'd like to learn!

Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here).

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

Look forward to connecting!
Register here. This thread is for the Office Hours session on Dashboards & Dashboard Studio on Wed, Feb 14, 2024 at 1pm PT / 4pm ET.

This is your opportunity to ask questions related to your specific Dashboard challenge or use case, including:
- Getting started with Dashboard Studio
- Basic dashboard designs (charts, buttons, etc.)
- How to use searches
- Advanced interactivity features (drilldowns, maps, dynamic coloring, etc.)
- Customization (background images, custom layout, colors, etc.)
- How to migrate your dashboards from Classic to Dashboard Studio
- Anything else you'd like to learn!

Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here).

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

Look forward to connecting!
Per documentation (https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/ChartConfigurationReference), the property charting.chart.showDataLabels only allows the type (all | minmax | none). I am attempting to hide data labels for a specific field, but enable data labels for other specified fields. I am attempting to do something similar to charting.fieldColors, which uses maps, but the types are obviously not accepted for the showDataLabels property:

<option name="charting.chart.showDataLabels"> {"field1":none, "field2":all} </option>

Is there a workaround possible for this objective?
I have a report that lists malware received by email that is part of a dashboard. Some months the list for each person can have dozens of events listed. Management would like to only show the latest 5 events for each person. I'm having difficulty finding a good way to accomplish this.

Search:

index="my_index" [| inputlookup InfoSec-avLookup.csv | rename emailaddress AS msg.parsedAddresses.to{}] final_module="av" final_action="discard"
| rename msg.parsedAddresses.to{} AS To, envelope.from AS From, msg.header.subject AS Subject, filter.modules.av.virusNames{} AS Virus_Type
| eval Time=strftime(_time,"%H:%M:%S %m/%d/%y")
| stats count, list(From) as From, list(Subject) as Subject, list(Time) as Time, list(Virus_Type) as Virus_Type by To
| search [| inputlookup InfoSec-avLookup.csv | rename emailaddress AS To]
| sort -count
| table Time,To,From,Subject,Virus_Type
| head 5

Current Output:

time - user1 - sender1@xyz.com - Subject1 - Virus_A
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_C
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time - user2 - sender1@xyz.com - Subject1 - Virus_A
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_C
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time - user3 - sender1@xyz.com - Subject1 - Virus_A
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_C
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B

I'd like to limit it to the latest 5 events by user:

time - user1 - sender1@xyz.com - Subject1 - Virus_A
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_C
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time - user2 - sender1@xyz.com - Subject1 - Virus_A
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_C
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B
time - user3 - sender1@xyz.com - Subject1 - Virus_A
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_C
time -       - sender2@xyz.com - Subject1 - Virus_B
time -       - sender2@xyz.com - Subject1 - Virus_B

Any help greatly appreciated! Thank you!
Hello, I have a standalone Splunk Enterprise system (version 9.x) with 10 UFs reporting (Splunk Enterprise and the UFs are all Windows OSs). The Splunk Enterprise standalone system is an all-in-one: indexer, search head, deployment server, license manager, monitoring console... I created a deployment app to push out a standard outputs.conf file to all the UFs, and it pushed out successfully, just like all the other deployment apps. I deleted the ~etc\system\local\outputs.conf from the UFs, restarted the Splunk UF, and made sure that the deployment app showed up in ~etc\apps\ (it did). But now that the outputs.conf is no longer in ~etc\system\local, I'm getting this:

WARN AutoLoadBalancedConnectionStrategy [pid TcpOutEloop] - cooked connection to ip=<xx.xx.xxx.xxx>:9997 timed out

I've made sure there isn't any other outputs.conf, especially not in ~etc\system\local, so that it doesn't mess with the order of precedence, restarted the UF, and every time I get the same warning... and of course, the logs aren't being sent to the indexer. It does still phone home, but no actual logs. When I run:

btool --debug outputs.conf list

I don't get any output. But as soon as I get rid of this deployment app, put the same outputs.conf file back in ~etc\system\local and restart the UF, logs are being sent to the indexer. And my deployment app's structure is the same as the other deployment apps that do work... What am I doing wrong? Thanks.