Hi, I am trying to create a custom app using Add-on Builder. In the request I am looking to use global account details, but it's throwing an error. Not sure what I am missing here. Anyone know about this issue? I am using the latest version of Add-on Builder. Reference: https://docs.splunk.com/Documentation/AddonBuilder/4.1.3/UserGuide/ConfigureDataCollectionAdvanced Thanks
I was asked to create a query that will allow the user to see only the open ports. An example log looks something like this:

    10/24/2023 06:00:04,source=SXXXX-88880000,destination=10.10.100.130,DuBlIn_,11.11.119.111,port_80=True,port_443=True,port_21=False,port_22=True,port_25=False,port_53=False,port_554=False,port_139=False,port_445=False,port_123=False,port_3389=False

It looks easy enough: I want to table port_*=True. I want destination, src_ip, and the open ports. I asked our equivalent of ChatGPT about it, and I got this:

    index=gpss sourcetype=acl "SXXXXXXX" destination="11.11.111.11"
    | eval open_ports = case( port_123=="True", "123", port_139=="True", "139", port_21=="True", "21", port_22=="True", "22", port_25=="True", "25", port_3389=="True", "3389", port_443=="True", "443", port_445=="True", "445", port_53=="True", "53", port_554=="True", "554", port_80=="True", "80", true(), null() )
    | where open_ports!=null()
    | mvexpand open_ports
    | table _time, destination, gpss_src_ip, open_ports

But the open_ports!=null() wasn't allowed. I get:

    Error in 'where' command: Type checking failed. The '!=' operator received different types.

During testing, I have a baseline event, an event with three open ports, but the search I ran only outputs the first one in the list. It hits port 22 first, since that's the first one in the case statement that is true. My main question is: how do I successfully tell Splunk to only grab the open ports that are True? Can I even do a wildcard somewhere, and request to pull port_* WHERE True? Thank you for any help.
I have a multiselect that does not interact with my Trellis chart. I would say it's not defined in my base search, but I am not sure how to identify the issue and how to fix it.

Base search:

    | eval Pat=spath(json, "Info.Pat.Time")
    | eval Con=spath(json, "Info.Con.Time")
    | eval Cov=spath(json, "Info.Cov.Time")
    | eval Category = RED
    | table _time, Pat, Con, Cov, Category

Multi-select:

    | eval SysTime = Category + ":" + _time
    | fields - Category
    | untable SysTime Reason CurationValue
    | eval Category = mvindex(split(SysTime, ":"), 0)
    | eval _time = mvindex(split(SysTime, ":"), 1)
    | fields - SysTime
    | table Reason
    | dedup Reason

Chart:

    | search Category $t_category$ Reason $t_reason$
    | timechart span=1h avg(Pat) as Pat, avg(Con) as Con, avg(Cov) as Cov
I have a query to retrieve user experience metrics from the Dynatrace index. I want to compare the response times for 2 different time frames. My query has a subsearch as well. In the dashboard, I have 2 time range pickers. The main query is picking the time range from time range picker 1, and the subsearch uses the token from time range picker 2.

    <<main search>>
    | appendcols [ search index="dynatrace" $tr_14AGuxUA.earliest$ - $tr_14AGuxUA.latest$ | spath output=user_actions path="userActions{}" | stats count by user_actions ]

This is not retrieving any data from the subsearch. How do I fix this? If I pass the hard-coded values earliest=10/23/2023:10:00:00 latest=10/23/2023:11:00:00, then it works fine.
I can't access the support portal; I end up at the URL https://www.splunk.com/404?ErrorCode=23&ErrorDescription=Invalid+contact. Does anyone have the same issue?
Can anyone shed any light on an issue I am having with a Splunk Cloud deployment? I have a Splunk heavy forwarder set up on Red Hat Linux 8 ingesting Cisco switches via syslog. This appears to be working fine for the vast majority of devices; I can see the individual directories and logs dropping into /opt/splunklogs/Cisco/. There is just one Cisco device that isn't being ingested. I have compared the config on the switch to the others and it is set up correctly (logging host/trap etc.). I can telnet from the switch to the interface on the Linux server and see the syslog hitting the interface via tcpdump. I have never had to populate an allow list for the switch IPs; it looks to do them automatically on the forwarder, and I can see the Cisco directories on the forwarder are generated by Splunk. For some reason this one switch just isn't being ingested. Does anyone have any guidance on some troubleshooting steps to try and establish what the issue is? Thanks
Hi, my Splunk server is reachable from http://127.0.0.1:8000/fr-FR/app/launcher/home. I try to send data to my Splunk server with the curl command below:

    curl -H "Authorization: Splunk 1f5de11f-ee8e-48df-b4f1-eb1bbb6f3db0" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

But I get the message:

    curl: (7) Failed to connect to localhost port 8088 after 2629 ms: Couldn't connect to server

Could you help please?
I have data that has multiple columns that contain timings for particular tasks on particular dates. I want to hide all but the last column when in a line chart. The sticking point is I want the line chart to still show the x-axis labels ("process" names) from the previous data collected; it just wouldn't connect the lines until that task is complete. This will allow the chart to show progression. I believe I found the CSS method for doing this, but I'm not sure how to accomplish this in Dashboard Studio code.

Example:

    Process   08/24/2023 10:15:45   09/24/2023 11:15:44   10/24/2023 10:45:00
    Task1     2.44                  1.44                  8.55
    Task2     1.44                  18.44                 8.43
    Task3     8.22                  4.24
    Task4     4.44                  8.12

The idea would be that the line chart would only show the last column in the list above, but still show all the process tasks on the x-axis. The example I created in Paint below shows the x-axis still has the labels, but the lines haven't been connected yet since those tasks haven't completed yet.
Hello, is it possible to have a mydirectory\*.log monitor stanza route data to the usual indexers (or any specific monitor stanza) AND another specific mydirectory\file.log to another specific _TCP_ROUTING? Thanks.
Can multiple wildcards be used in a serverclass.conf whitelist file?

    whitelist.from_pathname = /lookup/host.txt

Examples:

    M*WEB*
    *WBS*
I have the below Trellis; is there a way to change the color for each Trellis? My code from the Classic Dashboard:

    search Cu $t_c$ En $t_e$ | timechart span=1h avg(Value) as AvgValue_Secs by Category

I want something like this:
Hello to all my dear friends. We have an SH cluster with 5 search heads and Enterprise Security (ES). When I want to add a new threat list as a URL, I have to go to this address: ES APP\Configure\Data Enrichment\Threat Intelligence Management. But after clicking on this page, the message "Oops" is displayed. Can anyone help? Is the Input.local method the right method? Special thanks to Splunk.
Hello to all my dear friends. In the past, I was able to import the logs of malware detected by McAfee into Splunk using Splunk DB Connect. Now my question is: can I have a log of access to the central management console of McAfee? Also, in which table are the logs related to USB connections stored, and how can I receive them in Splunk?
Hi, I have a 'complex' (for me at least) question. What I want to achieve is the following:

1)

    index=abc msg="*firewall off*" |table _time,hostname,msg

This will give me, for example: hostname = machine1, msg = "the firewall has been turned off". I want to be triggered if someone turns off the firewall.

Now, the actual issue I have is the following: a few seconds before this event, I might get a "system update event" that updates the firewall (agent update), which is OK, and I do NOT want this event. I would need to combine both queries into 1 alert.

2)

    index=abc hostname=machine1 NOT msg="*system updated*"

I want to see the result of 1, but only if it was not preceded by 2. I hope this makes sense.
Hi All, I am having an issue creating an alias, simply going from DestinationPort to dest_port for Sysmon EventID 3. I have tested:

    index=my_index source=Sysmon | eval destinationPort=dest_port

I have seen in the Splunk TA for Sysmon that there is FIELDALIAS-dest_port=DestinationPort AS dest_port, but I still cannot convert DestinationPort to dest_port at search time. Any suggestions, please? There are no other apps contradicting the precedence. Thank you!
Hello, we are implementing Splunk in our environment, and right now I import our vulnerability scan into Splunk every 7 days. My task is to filter the host and the CVE number and get as output which host and CVE is new in the newest scan ("New"), which was in the old scan but is not there in the new scan ("Finished"), and which is in both scans ("Unchanged").

The problem is I do not have any information in the log data that the host is finished or anything else. I have only 4 fields: CVE, extracted_Host, Risk Level (Critical, High and Medium) and _time of course. This is my try:

    index=vulnerability_scan Risk=Critical earliest=-7d latest=now
    | stats values(CVE) as CVE_7d by extracted_Host
    | appendcols [ search index=vulnerability_scan Risk=Critical earliest=now -7d latest=now | stats values(CVE) as CVE_now by extracted_Host ]
    | eval Status=case(isnull(CVE_7d) AND isnotnull(CVE_now), "New", isnotnull(CVE_7d) AND isnull(CVE_now), "Finished", isnotnull(CVE_7d) AND isnotnull(CVE_now), "Not Changed")
    | table extracted_Host, Status

The problem with this is I get only the output "Finished", but most of the findings are in the old scan, meaning that they are "Unchanged". For me it is possible to split out the 3 outputs; then I would build a dashboard with the 3 pieces of information. I don't know if Splunk is the best tool to compare 2 timestamps like I want to do? The time range is every time 7 days; maybe in the future it will be shorter, but right now it's 7 days. Thanks for the help.
I need to configure a service in Splunk ITSI, and while creating a KPI I am facing an issue. I gave a search string, but when it's generating a search I get an error in the result:

    Error in 'SearchParser': The search specifies a macro 'aggregate_raw_into_entity' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Is there any way to modify the generated search?
Is RHEL 8.2 compatible with the Splunk agent? Is there any existing RHEL 8.2 server with the Splunk agent, or is there new costing? Please advise. Thank you in advance.
Hi, in the example below, I clearly understand that the "hello world" will be updated in a Splunk event:

    {
      "time": 1426279439, // epoch time
      "host": "localhost",
      "source": "random-data-generator",
      "sourcetype": "my_sample_data",
      "index": "main",
      "event": "Hello world!"
    }

    curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}'

Now imagine that my JSON file contains many items like below:

    {
      "time": 1426279439, // epoch time
      "host": "localhost",
      "source": "random-data-generator",
      "sourcetype": "my_sample_data",
      "index": "main",
      "event": "Hello world!"
    }
    {
      "time": 1426279538, // epoch time
      "host": "localhost",
      "source": "random-data-generator",
      "sourcetype": "my_sample_data",
      "index": "main",
      "event": "Hello everybody!"
    }

Should the curl command to use be like this?

    curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'

Last question: instead of using a command prompt to send the JSON logs to Splunk, is it possible to use a JSON script to do that? Or something else? Does anybody have good examples of that? Thanks