Hi Splunkers!

I would like to pass two macros as a token to a base search when multiple values in a multiselect are selected:

<done>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;1T*&quot; AND $index$ == &quot;2S*&quot;">
    <set token="standard">true</set>
    <set token="scada">true</set>
    <set token="aws">true</set>
    <set token="index_label">Standard, Scada, AWS</set>
    <set token="index_scope">`scada` OR `aws` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="aws"></unset>
    <set token="scada">true</set>
    <set token="index_label"> Standard,  Scada</set>
    <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
    <unset token="standard"></unset>
    <set token="scada">true</set>
    <set token="aws">true</set>
    <set token="index_label"> Scada,  AWS</set>
    <set token="index_scope">`scada` OR `aws`</set>
  </condition>
  <condition match="$index$ == &quot;2S*&quot; AND $index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="scada"></unset>
    <set token="aws">true</set>
    <set token="index_label"> AWS,  Standard</set>
    <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot;">
    <unset token="standard"></unset>
    <set token="scada">true</set>
    <unset token="aws"></unset>
    <set token="index_label"> Scada</set>
    <set token="index_scope">`scada`</set>
  </condition>
  <condition match="$index$ == &quot;2S*&quot;">
    <unset token="standard"></unset>
    <unset token="scada"></unset>
    <set token="aws">true</set>
    <set token="index_label"> AWS</set>
    <set token="index_scope">`aws`</set>
  </condition>
  <condition match="$index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="scada"></unset>
    <unset token="aws"></unset>
    <set token="index_label"> Standard</set>
    <set token="index_scope">`standard($cmdb_scope$)`</set>
  </condition>
</done>

<input type="checkbox" token="index" searchWhenChanged="true">
  <label>Choose  console</label>
  <choice value="1T*"> Standard</choice>
  <choice value="2A*"> Scada</choice>
  <choice value="2S*"> AWS</choice>
  <default>1T*, 2A*,2S* </default>
  <initialValue>1T*, 2A*,2S* </initialValue>
  <change>
    <set token="index_label">$label$</set>
  </change>
  <change>
    <condition match="$index$ == &quot;1T*&quot; AND $index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
      <set token="standard">true</set>
      <set token="scada">true</set>
      <set token="aws">true</set>
      <set token="index_scope">`scada` OR `standard($cmdb_scope$)` OR `aws`</set>
    </condition>
    <condition match="$index$ == &quot;1T*&quot; AND $index$ == &quot;2A*&quot;">
      <set token="standard">true</set>
      <set token="scada">true</set>
      <unset token="aws"></unset>
      <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set>
    </condition>
    <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
      <unset token="standard"></unset>
      <set token="scada">true</set>
      <set token="aws">true</set>
      <set token="index_scope">`scada` OR `aws`</set>
    </condition>
    <condition match="$index$ == &quot;2S*&quot; AND $index$ == &quot;1T*&quot;">
      <set token="standard">true</set>
      <unset token="scada"></unset>
      <set token="aws">true</set>
      <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set>
    </condition>
    <condition match="$index$ == &quot;2A*&quot;">
      <unset token="standard"></unset>
      <set token="scada">true</set>
      <unset token="aws"></unset>
      <set token="index_scope">`scada`</set>
    </condition>
    <condition match="$index$ == &quot;2S*&quot;">
      <unset token="standard"></unset>
      <unset token="scada"></unset>
      <set token="aws">true</set>
      <set token="index_scope">`aws`</set>
    </condition>
    <condition match="$index$ == &quot;1T*&quot;">
      <set token="standard">true</set>
      <unset token="scada"></unset>
      <unset token="aws"></unset>
      <set token="index_scope">`standard($cmdb_scope$)`</set>
    </condition>
  </change>
</input>

But this is not working: only one value is passed when selecting two values. Thanks!
I am attempting to integrate Splunk Synthetic with a browser test. The button I wish to press sits within an iframe, and I cannot seem to understand how I need to set up the steps to select and press it. Each time the result says "element not found".

What I tried so far:
1. Updated the name to CSS and gave the ID and Name of the element - not found.
2. Tried to use a selector to select the iframe - the result shows I did not set up my selector correctly.

Are there any guides online that explain how to set up such a test using a recorder? Thank you in advance.
I don't understand how this works: what should replace the square brackets in this situation, or what does the search do here?

index=123 sourcetype=grades [|search index=123 sourcetype=grades line=6 AND class=4|return Name]

Can anyone explain this please? I've tried to make it simpler with one search and get rid of the square brackets, but I always get different results.
Kindly help on how to mask the password present in the field "securityToken" in the IIS logs. Sample events for reference:

2023-11-02 06:53:00 xx.xxx.xxx.xx GET /Security/Security/Logon 123 - xx.xxx.x.xxx Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://abc.xyz.bcd.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx  200 0 0 14
2023-11-02 06:52:25 xx.xxx.xxx.xx GET / 111 - xx.xxx.x.xxx Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+HeadlessChrome/117.0.5938.88+Safari/537.36 https://abc.xyz.bnm.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx  302 0 0 0

We are in Splunk Cloud. Can we mask the password in the GUI itself, or do I need to move the output of the client machines to the HF server and then place the props and transforms there to mask the password? Kindly help to check and update on the same.
Hi, I'm new here and I still don't understand the difference between summary indexing and data models. When should I use each? Or which is the best option for optimizing searches?
Hi, I'm not sure why it's so difficult to convert the time format from AM/PM to 24-hour format using timechart. Our command is:

timechart span=10m dc(src_sg_info) by src_sg_info

The X-axis uses the 12-hour format. I have googled a lot without finding any answer on it. Hope someone can give me some hints on it.

Thanks, Geir
Hello Splunkers!! I am not getting any data in the _internal index for the last 24 hours. Please let me know what could be the cause behind it and what I need to check.
index=os source="/var/log/bitbucket" host=servera* Failed

and evaluate them as failed packages to install. Sample event:

Failed: python-urllib3.noarch 0:1.10.2-3.el7 python-urllib3.noarch 0:1.10.2-7.el7 php subscription-manager-rhsm-1.24.51-1.el7_9.x86_64 subscription-manager-rhsm-1.24.52-2.el7_9.x86_64 python-syspurpose-1.24.52-2.el7_9.x86_64
We have recently upgraded to Splunk Enterprise 9.0. When I try to run a search query without adding the index field to it, the event counts are wrong. Also, if I try to see the respective event logs in Verbose mode, they are weird and not in the usual format of the logs. On the other hand, if the index is mentioned in the query, everything works fine and as usual. This issue occurs only when the search query has stats or chart commands to visualise the data. Below is the sample search query which I used:

host=abc sourcetype=xyz |stats count

I am not sure whether it is a bug in Splunk 9.0 or some other issue from the config side (like limitations on the search head). Could anyone please help me on this?
I basically have the opposite question to the one seen here: https://community.splunk.com/t5/Splunk-Search/How-to-use-the-head-command-with-group-by/m-p/444439

I am looking for an increase in performance while keeping the search generic. As a minimal example I created this:

| makeresults | eval data=split("1;1,1;2,2;1,2;2",",") | mvexpand data | eval data=split(data,";") | eval a=mvindex(data,0), b=mvindex(data,1) | table a b | dedup a

I know that I can tremendously speed up the search if I use a template like this, using "| head 1" on each group of a:

| makeresults | append [| makeresults | eval data=split("1;1,1;2,2;1,2;2",",") | mvexpand data | eval data=split(data,";") | eval a=mvindex(data,0), b=mvindex(data,1) | table a b | search a=1 | head 1 ] | append [| makeresults | eval data=split("1;1,1;2,2;1,2;2",",") | mvexpand data | eval data=split(data,";") | eval a=mvindex(data,0), b=mvindex(data,1) | table a b | search a=2 | head 1 ] | search a=* | table a b

However, this way the search is no longer generic and I have to know what values "a" can take (1, 2 in this example).

Question: Is there a way to increase performance on dedup while also keeping the search generic?
Hello, I want to schedule a Python script which uses pandas and beautifulsoup4 as libraries. But my Splunk does not have those libraries and does not execute the Python script. How can I add those libraries to my Splunk environment?

Thanks.
Hi all, I have the Splunk Add-on for AWS up and running fine and ingesting to a metric index. Now I need to fine-tune it a bit and am wondering about Metrics Configuration and Metric Statistics. We get namespace AWS/DX, dimension ConnectonId, all metrics. But what about Metric Statistics? What should I use to get the best value for alerts: Average, Sum, Maximum or Minimum? This statistic can be 0 "down" or 1 "up".

-J-
Hello, I am having a hard time with the Splunk Universal Forwarder agent v9.1.1. I got it installed on 100+ servers and it starts and talks to the deployment server; then, when I push some configs, it restarts and never comes back. To make it start again, the Windows admin had to remove the credentials of the Splunk user from the host. I tried installing the agent in multiple ways and even tried using a virtual account, and experienced the same results.

Default installation:

msiexec.exe /i splunkforwarder-9.1.1-64e843ea36b1-x64-release.msi AGREETOLICENSE=yes DEPLOYMENT_SERVER=some_url:8089 SERVICESTARTTYPE=auto LAUNCHSPLUNK=1 /quiet

Using virtual account without password:

msiexec.exe /i splunkforwarder-9.1.1-64e843ea36b1-x64-release.msi AGREETOLICENSE=yes DEPLOYMENT_SERVER=some_url:8089 SERVICESTARTTYPE=auto LAUNCHSPLUNK=1 SPLUNKUSERNAME=splunkfwd USE_VIRTUAL_ACCOUNT=1 /quiet

Using virtual account with password:

msiexec.exe /i splunkforwarder-9.1.1-64e843ea36b1-x64-release.msi AGREETOLICENSE=yes DEPLOYMENT_SERVER=some_url:8089 SERVICESTARTTYPE=auto LAUNCHSPLUNK=1 SPLUNKUSERNAME=splunkfwd SPLUNKPASSWORD=some_password USE_VIRTUAL_ACCOUNT=1 /quiet

Any thoughts on what could be the issue? The Splunk log does not show anything. And just to add to this, it works fine on some hosts (~5) without any issues.
Hi, we are getting mixed abc and xyz events from sourcetype pqr. Due to this, the Network team is getting multiple false tickets.
Hello Splunkers!! I have upgraded Splunk to the latest version, 9.1.1, on a Windows server. But after the upgrade I can see a "loading" page at the top. Due to this I am not able to access most of the capabilities and Splunk is not working properly. Please suggest some workaround for this.
Hi, we need to send some security events to an external party. We also need them for our internal use. On my test instance I've configured outputs.conf as:

[tcpout]
defaultGroup = security
indexAndForward = 1

[tcpout:security]
server = localhost:9999

This has got my events flowing to my fake external server and leaves them accessible on the internal side. However, I only want to send 2 source types there. How do I filter out the rest of the events?
I'm curious about Splunk and its role in cybersecurity. Can anyone shed some light on whether Splunk is classified as a cybersecurity tool? How does it contribute to cybersecurity strategies, and are there specific use cases that make it stand out in the realm of cybersecurity tools? I appreciate any insights or experiences you can share.

Regards: @marksmith991
Hello, I am fairly familiar with Splunk, but I do need to improve on indexes. I am currently working on a new client environment and they have a large number of indexes within Splunk; however, some of them are inactive.

A couple of questions:
> How can I determine if an index is active/connected properly?
> Is there an easier way to show the above? For example, if there are 100 indexes, how can I find out which are still active in a graph or a more visual view?

Hope it makes sense. Thank you in advance for any advice.
Hi, one of our three clustered indexers is having search errors and high CPU fluctuations for the splunkd main process after an improper reboot, as follows.

In Splunk Web search:

remote search process failed on peer
Search results might be incomplete: the search process on the peer:[Affected indexer] ended prematurely. Check the peer log, such as $SPLUNK_HOME/var/log/splunk/splunkd.log and as well as the search.log for the particular search.
[Affected indexer] Search process did not exit cleanly, exit_code=111, description="exited with error: Application does not exist: Splunk_SA_CIM". Please look in search.log for this peer in the Job Inspector for more info.

In splunkd.log of the affected indexer:

WARN SearchProcessRunner [31756 PreforkedSearchesManager-0] - preforked process=0/101006 with search=0/127584 exited with code=111
ERROR SearchProcessRunner [31756 PreforkedSearchesManager-0] - preforked search=0/127584 on process=0/101006 caught exception: used=1, bundle=7471316304185390773, workload_pool=, generation=11, age=7.418, runtime=7.203, search_started_ago=7.204, search_ended_ago=0.000
ERROR SearchProcessRunner [31756 PreforkedSearchesManager-0] - preforked process=0/101006 with search=0/127584 and cmd=splunkd\x00search\x00--id=remote_SH-ES_scheduler__splunkadmin__SplunkEnterpriseSecuritySuite__RMD5852d4ed30e6a890b_at_1698892200_90939\x00--maxbuckets=0\x00--ttl=60\x00--maxout=0\x00--maxtime=0\x00--lookups=1\x00--streaming\x00--sidtype=normal\x00--outCsv=true\x00--acceptSrsLevel=1\ died on exception (exit_code=111): Application does not exist: SplunkEnterpriseSecuritySuite
WARN PeriodicReapingTimeout [30157 DispatchReaper] - Spent 10650ms reaping search artifacts in /splunk/var/run/splunk/dispatch
WARN DispatchReaper [30157 DispatchReaper] - The number of search artifacts in the dispatch directory is higher than recommended (count=6608, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size.
WARN DispatchManager [13827 TcpChannelThread] - quota enforcement for user=splunk_user1, sid=soc_user1_c29jX2Njb191c2VyMQ__SplunkEnterpriseSecuritySuite__RMD57f02abc0263583b0_1697962710.21728, elapsed_ms=23865, cache_size=1591 took longer than 15 seconds. Poor search start performance will be observed. Consider removing some old search job artifacts.

Regards, Zijian
Hello, how do I calculate the sum of a field based on another distinct field? For example: how do I find the sum of score over distinct vuln (excluding 0), grouped by ip? Thank you so much.

Before calculation:

ip       vuln   score
1.1.1.1  vuln1  0
1.1.1.1  vuln1  0
1.1.1.1  vuln2  3
1.1.1.1  vuln2  3
1.1.1.1  vuln2  3
1.1.1.1  vuln3  7
1.1.1.1  vuln3  7
2.2.2.2  vuln1  0
2.2.2.2  vuln4  0
2.2.2.2  vuln5  5
2.2.2.2  vuln5  5

After calculation:

1.1.1.1: sum(vuln2 [score]) + sum(vuln3 [score]) = 3 + 7 = 10
2.2.2.2: sum(vuln5 [score]) = 5

ip       sum (score of distinct vuln)
1.1.1.1  10
2.2.2.2  5