All Topics
Is there a built-in solution in Splunk that does frequency analysis (for example, on domain names)? There is a solution by Mark Baggett at https://github.com/MarkBaggett/freq, but I had problems using it in Splunk. It can be run either using the Python script:
$ python3 freq.py freqtable2018.freq -m splunk.com
(6.0006, 5.0954)
or using curl:
$ curl http://127.0.0.1:20304/measure/splunk.com
(6.0006, 5.0954)
I want to run it against a field, for example one called "query", in my Zeek DNS logs, calculate the frequency and save it in another field.
Hello Team, can you help me with a Splunk query to trigger on: 1. brute-force attacks, 2. malicious payloads and 3. zero-day exploits, by creating a Splunk query and creating email alerts for it? Thank you
I have the message below. How can I display only ResponseID in the output? Thanks.
message: <?xml version='1.0' encoding='ISO-8859-1'?><Submission Id="12345" <LastName>XXX</LastName><ResponseID>137ce83fe8ddb052-1698535326634</ResponseID><Date>2023.10.28 23:23:14</Date>
Hello, we have a data center with several types of equipment such as servers, switches, routers, EDR, some IoT sensors, virtualization, etc. Based on EPS, we need about 10 indexers according to the Splunk recommendation. Now I want to separate the indexers into 4 clusters: one for servers, one for network devices, one for services and the last one for security such as firewall and EDR. Each cluster has several indexers and each forwarder sends data to the related cluster. Data only replicates within the origin cluster, not to the other clusters. But I need each search head to be able to search across the 4 clusters, for example searching for login failures in all clusters (servers, network devices, etc.). Could I have several clusters with one cluster master? Best Regards
Hi, I have created a basic data model called "TEST". I try to query this data model with tstats, but the only piece of code which returns a value is:
| tstats count from datamodel=TEST
But I can't see the events related to this request. And if I try to be more explicit in my request, like below, I have no results:
| tstats count from datamodel=TEST where EventCode=100
So what is the problem? Other question: what is the interest in using the datamodel and pivot commands, since it's possible to query a data model without SPL? Thanks
Hello, I want to copy my custom App, which includes a dashboard created in DashboardStudio, to another Splunk server. I have imported numerous images into DashboardStudio, and I would like to copy those images (including the associated kv-store data). Please let me know if there is a method to do this, such as copying files or using APIs. (By the way, the source server is configured as a search head cluster.)
Hello Team, I have a .log flat file. This file gives us data whenever we open it and run a command; it gives us some logs. Now I am integrating this .log file with Splunk, but it is not integrating. I ran the following command to integrate it: "/splunk/bin ---> ./splunk add monitor [file name]". It gives me a message that the file has been added to the monitor list. However, I don't see this file in my Splunk. Further, if I have this file in Splunk, how will it take data from it whenever we run any command? Also, this .log file doesn't store data in any other directory; whenever we close the file the data disappears. Please note the OS I'm using is Sun Solaris.
Hello Splunkers! I was wondering where I can turn on and view the MITRE ATT&CK posture for every notable in Enterprise Security as shown in the picture:
Hi Team, I have downloaded the Splunk for Salesforce installation file but I have not installed it. Can someone help us with this issue? I have created a connected app in Salesforce to connect to Splunk, and I have to implement and test one of the Salesforce features. Best Regards, Siva
Has anyone figured out how to use the Splunk SOAR IMAP app to connect to an Exchange mailbox? The goal is to read new email coming into the mailbox.
Hi Team, we need to display the single latest event in Splunk by query.
I have a field CI extracted from a JSON payload:
{ "Name": "zSeries", "Severity":5, "Category":"EVENT", "SubCategory":"Service issues - Unspecified", "TStatus": "OPEN", "CI": "V2;Y;Windows;srv048;LogicalDisk;C:", "Component": "iphone" }
Further, I want the CI field value extracted using DELIMS = ";". I have created the props & transforms configuration below, but it is not working.
[source::cluster_test]
REPORT-fields = ci-extraction
[ci-extraction]
SOURCE_KEY = CI
DELIMS = ";"
FIELDS = CI_V2,CI_1,CI_2,CI_3,CI_4,CI_5
Any help highly appreciated.
Hi, below is my current search at the moment:
index=o365 sourcetype=* src_ip="141.*"
| rex field=_raw "download:(?<download_bytes>\d+)"
| rex field=_raw "upload:(?<upload_bytes>\d+)"
| dedup UserId, ClientIP
| table UserId, download_bytes, upload_bytes
| head 10
I am trying to get downloaded bytes and uploaded bytes into a table and find out if anything suspicious is going on in the network; however, I have been unable to return anything other than the source IP. Thanks in advance.
I have three indexes I am trying to join that have at least three similar columns each. I want to table the results in order to generate a report and alert. What would be the fastest method to work around using the join command, if possible? Because my environment is built to minimum specs, I need to not utilize something that is not resource heavy. Below is my query; the "| table" is where I am having issues. Cyber is my elevated account vault, AD is my Active Directory and unix is for my Red Hat environment. I am a little lost currently as I have not played with Splunk in a couple of years.
index=cyber AND index=AD AND index=unix
| table _eventtime, issuer, requestor, purpose (for cyber)
| table user, issuer, elevID, action (for AD)
| table user, path, cmd (for unix)
Hello, I have a requirement to create an orange button in a Splunk dashboard, and upon clicking the orange button I need to load a few panels. Kindly let me know how this can be accomplished. Thanks
I'm confused about how to truncate this log. How do I do it from props.conf or from an SPL command? Can anyone provide a solution to this?
<11>1 2021-03-18T15:05:30.501Z abcdefghi-jajaj-b1bc07001-xb0k7.abcdefghi-user - - - [Originator@7776 kubernetes__container_name="abcdefghi-jajaj" docker__container_id="a1bbddc80312d8501f1b1ac015d525722f105a71d6521be0728e8b057066eda1" kubernetes__pod_name="abcdefghi-jajaj-b1bc07001-xb0k7" bosh_index="0" stream="stbcd" kubernetes__namespace_name="abcdefghi-develop" bosh_id="e0700d15-ca5a-1f35-8e01-bd83d3eb705a" bosh_deployment="service-instance_f08cb851-fa53-1206-0a6b-705f3fa0f301" docker_id="a1bbddc80312d" tag="kubernetes.var.log.containers.abcdefghi-user-b1bc07001-xb0k7_abcdefghi-develop_abcdefghi-user-a1bbddc80312d8501f1b1ac015d525722f105a71d6521be0728e8b057066eda1.log" instance_type="werkir"] 2021-03-18 22:05:00.210 INFO [abcdefghi-jajaj,3010acf256f7c7e0,717ea36c0d67f3da,true] 6 --- [nio-0020-exec-1] c.id.bankabcde.common.util.SplunkUtil : [LOGIN_abc]|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|uobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|sessionID=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|appVersion=ABC123|mobilePhone=ABC123|custGroup=ABC123
I want to cut it to something like this:
[LOGIN_abc]|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|uobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|sessionID=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|appVersion=ABC123|mobilePhone=ABC123|custGroup=ABC123
Thank you
Hello, does the stats values command combine unique values? For example:
company ip
companyA companyA 1.1.1.1
companyB companyB companyB 1.1.1.2
index=regular_index | stats values(company) by ip | table company, ip
Should the command above produce the following output?
company ip
companyA 1.1.1.1
companyB 1.1.1.2
Thank you so much
I've downloaded the Splunk Security Essentials files onto my laptop, but I can't figure out how to upload them into Splunk Enterprise as an app. What is my next step, and where do I go to do this?
Hello, I have 3 queries that I need to join, but there is a catch: query number 1 checks for users who sent an SMS; query number 2 checks if we tried to resend the SMS; query number 3 checks if we got verification that the SMS was sent in the end. I want to see only the cases where we have sent, resend and verify, all of them, by id. When I'm using a simple join, I get all the results and not only those with the resend method.
We have configured parallelIngestionPipelines as 2 in our Splunk HF, as we were facing congestion in the TypingQueue while our CPU was underutilized (~2 cores used out of 12). However, the load in the pipelines is not balanced: Pipeline 0 is still congested while Pipeline 1 is barely utilized. Digging around, this seems to be because 80% of our input is on a single UDP port. Will splitting the UDP ports on the source itself solve this issue, i.e. having multiple UDP inputs on the HF instead of one?