I have a JSON file with the data below. I would like to get name and status and display them in a table. Help here is much appreciated. I'm new to Splunk.

Name                                          Status
assetPortfolio_ValidateAddAssetForOthers      passed
assetPortfolio_ValidatePLaceHolderText        failure
assetPortfolio_ValidateIfFieldUpdated         passed

{
  "name": "behaviors",
  "children": [
    { "name": "assetPortfolio_ValidateAddAssetForOthers", "status": "passed" },
    { "name": "assetPortfolio_ValidatePlaceHolderText", "status": "failure" },
    { "name": "assetPortfolio_ValidateIfFieldUpdated", "status": "passed" }
  ]
}
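One way to get the name/status pairs out of the nested children array, as an added SPL example that is not part of the original post; it assumes the whole JSON document above is indexed as a single event (replace the index and sourcetype placeholders with your own):

```spl
index=<your_index> sourcetype=<your_sourcetype>
| spath path=children{} output=child
| mvexpand child
| spath input=child path=name
| spath input=child path=status
| table name status
```

spath lifts the children array into one multivalue field, mvexpand turns each array element into its own row, and the second pair of spath calls reads name and status from each element.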
We had upgraded to Splunk 9.0.4 on a RHEL 7.9 machine. STIG RHEL-07-040000 states the following:

Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.

The fix is the following: Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ :

* hard maxlogins 10

Will this in any way impact Splunk functionality? Is it OK to make this change without impacting Splunk?
Hi, I have a bar chart powered by a query that uses an eval case pattern to group events into apps. e.g.,

index=blah NOT "*test*" NOT "*exe*" Level=Error
| eval AppName = case(
    (SourceName="Foo" AND Message="*Bar*"), "app1",
    (SourceName="Foo"), "app2",
    (source="Mtn" AND 'Properties.Service'="Barf"), "app3",
    (SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*")), "app4"
  )
| stats count as ErrorCount by AppName

What I'd like to do is have each bar, when clicked, open a new window that shows the events corresponding to the app. e.g., for the above example, the queries would be:

index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Foo" AND Message="*Bar*")
index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Foo")
index=blah NOT "*test*" NOT "*exe*" Level=Error (source="Mtn" AND 'Properties.Service'="Barf")
index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*"))

The problem I am having is how to make the drilldown XML node function this way. I thought I could use conditional tokens, but when condition nodes are in the drilldown node, I get an error saying "link cannot be condition", even though the link node is the last sibling of all the condition nodes. Please help!

Thanks, Orion
Hello, I have just installed the ML Toolkit for Splunk. However, I keep getting this error when I attempt to create a fit model:

"Error in 'fit' command: (ImportError) DLL load failed while importing _arpack: The specified procedure could not be found."

I had installed the Python for Scientific Computing module before this. I've already tried uninstalling and reinstalling, but I keep getting the same error. Any help would be much appreciated!
Being fairly new to many features in Splunk, I wish to verify that the fields on 2 different hosts match for consistency. Here's a simple search to show the fields I'd like to verify. What's the best way to go about this?

index="postgresql" sourcetype="postgres" host=FLSM-ZEUS-PSQL-*
| table host, node_name, node_id, active, type
| where NOT isnull(node_name)

host               node_name          node_id  active  type
FLSM-ZEUS-PSQL-02  flsm-zeus-psql-02  2        t       standby
FLSM-ZEUS-PSQL-02  flsm-zeus-psql-01  1        t       primary
FLSM-ZEUS-PSQL-01  flsm-zeus-psql-02  2        t       standby
FLSM-ZEUS-PSQL-01  flsm-zeus-psql-01  1        t       primary
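One way to turn the table above into a consistency check, as an added SPL example that is not part of the original post; it assumes the same fields as the search in the post and that exactly two hosts (the FLSM-ZEUS-PSQL-* pair) should report every node:

```spl
index="postgresql" sourcetype="postgres" host=FLSM-ZEUS-PSQL-*
| where NOT isnull(node_name)
| stats latest(active) AS active latest(type) AS type BY host node_name node_id
| stats dc(host) AS host_count values(host) AS hosts
        values(active) AS active values(type) AS type
        BY node_name node_id
| eval consistent=if(host_count==2 AND mvcount(active)==1 AND mvcount(type)==1, "yes", "no")
| table node_name node_id hosts active type consistent
```

The first stats keeps only the most recent view each host has of each node; the second groups by node, and because values() deduplicates, a node is consistent only when both hosts reported it and they agree on active and type. Add `| where consistent="no"` to alert on mismatches only.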
Hi there:

I have two events shown below:

Event #1
source=foo1 eventid=abcd

Event #2
source=foo2 event_id=abcd

I am trying to query the above events. The event source is different. One is foo1 and the other foo2. I want to find these events where they are linked with their event_id (from event #1 where source is foo1) and eventid (from event #2 where the source is foo2). Basically the value for eventid and event_id must be the same. Do you know how I can construct the query for this? Thanks!
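One way to pair the two sources on their shared identifier, as an added SPL example that is not part of the original post; `<your_index>` is a placeholder for wherever both event types are indexed:

```spl
index=<your_index> (source=foo1 OR source=foo2)
| eval id=coalesce(eventid, event_id)
| stats values(source) AS sources count AS events
        earliest(_time) AS first_seen latest(_time) AS last_seen
        BY id
| where mvcount(sources)==2
| table id sources events first_seen last_seen
```

coalesce() builds one common field from whichever of eventid or event_id an event carries, and the where clause keeps only identifiers seen from both foo1 and foo2; drop it to also list identifiers that appear in just one source.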
Splunk 6.1 error and cannot search:

Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com....

The search job has failed due to an error. You may be able view the job in the Job Inspector

When I check Settings -> System -> Licensing and click "show all messages", there are 5 messages on Nov 3rd, 4th, 7th, 8th, 9th: "This pool has exceeded its configured poolsize=21474836480 bytes. A warning has been recorded for all members"

How do we troubleshoot and resolve this to get search working again? We do not have an active Splunk support contract.

Regards, Jason
Hi, is it possible to organize users by functional area, for example: Security, IT, NetOps, ...? In these areas, each team might monitor specific metrics related to their functional area, or they might monitor a general set of metrics for the specific systems they manage, or both.
Hi, Splunk Enterprise latest. New to Splunk. Ingesting from some appliances via syslog on a UDP port. All is fine for INGESTING logs. Event numbers are actively increasing; however, when I go into "Search", it has completely stopped. For example, I have 50k events and a latest update of 10:52. I click on the data source "udp:9006" and the last event shown is from 10:30. Things were working great and in real time up until 10:30, then it just stops completely. Any ideas? Thanks
In today's hyper-connected digital world, ensuring reliability and security are top-of-mind concerns for most businesses. The hybrid and multi-cloud reality, larger attack surfaces, and the continuing expansion of the cloud add complexity unlike anything organizations have faced. As a result, IT leaders are continuously looking for ways to build a stronger foundation of resiliency and security for their cloud.

Splunk delivers a better way for your business to drive higher resiliency and security while you move deployments to the cloud. By migrating deployments to Splunk Cloud Platform (Splunk Platform capabilities delivered as software as a service, SaaS), your teams can focus on high-value tasks while your organization benefits from Splunk's deep expertise and continuous investment in innovation. When your teams don't have to worry about maintaining or regularly updating your cloud platform for security, compliance and performance, since Splunk does it all, they can focus more on harnessing data's full potential to drive higher business efficiency and scale.

In this cloud community campaign, we will take you through the journey of migrating to Splunk Cloud Platform with success, and share the tools and resources you will need to accelerate your journey to the cloud. As part of this campaign over the next few months we will share with you why Splunk Cloud Platform delivered as a service is an ideal solution to move your on-prem deployments to cloud and show you how you can:

Build Value: Examine the considerations and benefits that are driving enterprises to migrate to Splunk Cloud Platform to build higher efficiency and security, at scale.

Get Your Cloud On: Get started by getting data into Splunk Cloud Platform using a variety of methods. Splunk is here to help answer any questions to make your transition to cloud easy.

Deploy Use Cases: Explore the Security and IT Modernization use cases that can be accomplished with the Splunk Cloud Platform. Take your use cases to the next level with ML and AI.

Realize Value: Get a simplified experience to administer and extract more value from your cloud platform using Splunk tools and resources designed for your success.

So, fasten your seat belts and embark on the journey of Building a Foundation of Resilience for Your Cloud. Let's start the journey by experiencing the drivers and business benefits from leaders and practitioners who chose migrating to Splunk Cloud Platform as a better way to supercharge their value realization. Download the new IDC analyst report to learn from current Splunk customers HSBC, Pacific Dental Services and GAF on how moving deployments to the Splunk Cloud Platform helped them achieve their desired business outcomes:

HSBC: Accelerated time to value and increased scalability by >300%
Pacific Dental Services: Increased operational efficiencies by more than 40%
GAF: Realized annual cost savings of 20%

Get more information on Migrating to Splunk Cloud Platform here.
Hello, I am reaching out to ask if there is any way to make the chart that was generated with the scheduled PDF report option look any better. We have this dashboard:

It looks fine. Everything looks nice and clean. When we use the scheduled PDF and generate a PDF, it does not look good. It looks like:

As an FYI, the above screenshot included both types of chart formatting, one with the values in the middle and one with values above. Both look good in the dashboard, but neither looks good in the PDF. Is there a way to edit the chart bars so they have more space, or to edit the size of the numerals above the bars? Is there an app that allows better editing of PDFs within Splunk? I feel like we have done everything we can to make the PDF look good, but we cannot seem to get the numbers to look good on the PDF.

Thank you for any guidance.
Hi, can someone help me? I'm trying to call a webhook on AWX Tower (Ansible) using the Add-On Builder. This is my script, but it doesn't work, and I don't get an error message either:

# encoding = utf-8
import requests


def process_event(helper, *args, **kwargs):
    """
    # IMPORTANT
    # Do not remove the anchor macro:start and macro:end lines.
    # These lines are used to generate sample code. If they are
    # removed, the sample code will not be updated when configurations
    # are updated.

    [sample_code_macro:start]

    # The following example gets the alert action parameters and prints them to the log
    machine = helper.get_param("machine")
    helper.log_info("machine={}".format(machine))

    # The following example adds two sample events ("hello", "world")
    # and writes them to Splunk
    # NOTE: Call helper.writeevents() only once after all events
    # have been added
    helper.addevent("hello", sourcetype="sample_sourcetype")
    helper.addevent("world", sourcetype="sample_sourcetype")
    helper.writeevents(index="summary", host="localhost", source="localhost")

    # The following example gets the events that trigger the alert
    events = helper.get_events()
    for event in events:
        helper.log_info("event={}".format(event))

    # helper.settings is a dict that includes environment configuration
    # Example usage: helper.settings["server_uri"]
    helper.log_info("server_uri={}".format(helper.settings["server_uri"]))

    [sample_code_macro:end]
    """
    helper.log_info("Alert action awx_webhooks started.")

    # TODO: Implement your alert action logic here
    url = 'https://<AWX-URL>/api/v2/job_templates/272/gitlab/'
    # AWX's GitLab webhook receiver reads the secret from an X-Gitlab-Token
    # header; the original code placed it inside an Authorization header
    # instead, so AWX never saw it.
    headers = {'X-Gitlab-Token': '<MYTOKEN>'}
    # verify=False disables TLS certificate validation for this request.
    response = requests.post(url, headers=headers, verify=False)
    # print() output is not captured by the alert action framework; write
    # the result to the add-on log instead so it can be searched.
    helper.log_info("awx response status={} body={}".format(response.status_code, response.text))
    # Add-on Builder alert actions signal success by returning 0.
    return 0
I just want to pose a quick question about the Microsoft API URLs that are used in the add-on. At what point will the add-on be updated to reflect the new URL changes? I had a conversation with a Microsoft engineer, and he mentioned that the following URLs may not work past Dec 31 2024:

API_ADVANCED_HUNTING = "/api/advancedhunting/run"
API_ALERTS = "/api/alerts"
API_INCIDENTS = "/api/incidents"

This link shows the difference between some of the old vs new URLs: Use the Microsoft Graph security API - Microsoft Graph v1.0 | Microsoft Learn

I know it's a while off. However, it comes quick at times. Just trying to understand the process so I can stay ahead of it. Also, I have seen add-ons that have the option for legacy inputs and also for current. It would be great to have an option like that before the URL switch for this add-on.
Hi, We currently have events where identifying the app that makes the event depends on multiple fields, as well as substrings within those fields. For example:

app 1 is identified by SourceName=Foo "bar("
app 2 is identified by SourceName=Foo "quill("
app 3 is identified by SourceName=Foo
app 4 is identified by source=abcde
app 5 is identified by sourcetype=windows eventcode=11111

I would like to count the number of errors per app, but am not having luck yet. I've tried regexes and an eval case match pattern, and I can't seem to google the correct words to find a similar scenario in others' posts. Please help.

Thanks, Orion
Hi, I need to know the steps and understanding of how to configure LDAP authentication via the GUI, which is available here: Settings -> Authentication methods -> LDAP. If anyone can share the understanding and exact steps, that will be helpful. Thanks
Hi Team, I want to get DB top 10 query wait states in AppD dashboard. Kindly suggest.
Hi! I am facing an issue adding a new field in the ES identity KV store. After adding a new field, the automatic lookup doesn't work and never returns my new field in my events, but I can manually retrieve it with this query:

| inputlookup ES_identity_kvstore

while this one:

index=my_index | lookup ES_identity_kvstore...

throws me an error:

[comma separated list of my indexers] phase_0 - Streamed search execute failed because: Error in 'lookup' command: Cannot find the destination field 'my_new_field' in the lookup table 'ES_identity_kvstore'..

Still, with the following query forcing the SH to run the lookup, I can retrieve my new field:

index=my_index | lookup local=true ES_identity_kvstore...

collections.conf (with replicate=true) and props.conf are correctly updated on the SH, so I think I am maybe missing something in my indexers' configuration but cannot figure out what it is... Do you have any idea? Thanks!
Which specific file or folder inside the Splunk root folder can we map with IIS so that it can pick up the web files or binaries/distributables that are rendered in the browser?
When trying to make a connection with the DB Connect app using the "MS-SQL Server Using MS Generic Driver" driver, it gives an error and requests port 6666, but in the connection string I use port 1433. Does anyone know why this change is happening and how? How do I solve this? Note: a firewall rule has already been created for port 1433.

Connection String:
jdbc:sqlserver://myhost.database.windows.net:1433;databaseName=mydb;selectMethod=cursor;encrypt=false

Error:
Connection failure reason: The TCP/IP connection to the host myhost.database.windows.net, port 6666 has failed. Error: "connect timed out. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.". Diagnosis: Either the database is unavailable, or the specified host/port is incorrect, or you are blocked by a firewall. Troubleshooting recommendation: Make sure the database is running on the server and you or the database are not blocked by a firewall.