I would like help with creating the following. Search when an account was created and return a list of users who have not authenticated 30 days after the account was created. I have a search to show details for a particular user, but I would like to create a list of all users and set an alert if not authenticated after 30 days.

index=duo object=<user1> OR username=<user1> | eval _time=strftime(_time,"%a, %m/%d/%Y %H:%M") | table _time, object, factor, action, actionlabel, new_enrollment, username | rename object AS "Modified User", username AS "Actioned By" | sort _time desc

So if actionlabel="added user" exists, I would like to return new_enrollment=false:

Object(actionlabel=added user) = username(new_enrollment=false)

Here's the output I'm searching for:

User    Created     Authentications since created (After 31 days)    Last Authentication
user1   7/25/2023   0
user2   7/27/2023   3                                                8/19/2023
Hi All, can anyone please share a regex for the below events to exclude (text in red).

1. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{5484D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T18:27:56.545195800Z'/><EventRecordID>2371</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='18656'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x37</Data><Data Name='NewProcessId'>0x140</Data><Data Name='NewProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe</Data><Data Name='TokenElevationType'>%j1936</Data><Data Name='ProcessId'>0x3520</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

2. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{hh}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0000000</Keywords><TimeCreated SystemTime='2023-09-26T18:00:46.762007500Z'/><EventRecordID>146821602</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='24996'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>03e7</Data><Data Name='NewProcessId'>0511c</Data><Data Name='NewProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2010</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Need a single regex to exclude 1 & 2 events.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T17:44:16.666598900Z'/><EventRecordID>146821089</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='2136'/><Channel>Security</Channel><Computer>secu</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SEC</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x51</Data><Data Name='NewProcessName'>C:\Windows\System32\conhost.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x3ec</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_worker.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{449'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T18:24:19.611633300Z'/><EventRecordID>146822267</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='19952'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x4a18</Data><Data Name='NewProcessName'>C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\get_proxy.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0xdd0</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\ir_agent.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Thanks...
Hi Everyone, I've recently applied a blacklist file path regex to one of the apps' inputs.conf in the serverclass on the host in DS. How can I determine whether it's working or not?
Hi, we have created a new index on our platform but it doesn't collect any data. The inputs.conf stanzas are well configured with the new index name, but our index is empty. So I am trying to list the checks to do in order to make our index work. Thanks
We are seeing some Timeout and Authentication errors while collecting data from the OTEL Kubernetes collector through HEC. Could anyone please let me know if there is a need to change limits in config files? Below are the errors:

2023-09-26T14:47:17.613Z info exporterhelper/queued_retry.go:433 Exporting failed. Will retry the request after interval. {"kind": "exporter", "data_type": "metrics", "name": "splunk_hec/platform_metrics", "error": "Post \"https://xyz:8088/services/collector\": net/http: request canceled (Client.Timeout exceeded while awaiting headers)", "interval": "2.769200676s"}

2023-09-26T14:47:11.590Z error exporterhelper/queued_retry.go:401 Exporting failed. The error is not retryable. Dropping data. {"kind": "exporter", "data_type": "metrics", "name": "splunk_hec/platform_metrics", "error": "Permanent error: \"HTTP/1.1 401 Unauthorized\\r\\nContent-Length: 148\\r\\nCache-Control: private\\r\\nConnection: Keep-Alive\\r\\nContent-Type: text/xml; charset=UTF-8\\r\\nDate: Tue, 26 Sep 2023 14:47:11 GMT\\r\\nServer: Splunkd\\r\\nVary: Authorization\\r\\nX-Content-Type-Options: nosniff\\r\\nX-Frame-Options: SAMEORIGIN\\r\\n\\r\\n<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\n<response>\\n <messages>\\n <msg type=\\\"WARN\\\">call not properly authenticated</msg>\\n </messages>\\n</response>\\n\"", "dropped_items": 31}
Blocked auditqueue can cause random skipped searches, scheduler slowness on SH/SHC and slow UI.
In the following description it is written at point 1 to download and install AppD app on SNOW store. But then you say you need to do something else before doing the thing at point number 1. Am I mistaken in understanding the order and logic on how this is communicated? Regards
Hi, is there a way to change which versions of Forwarders are in support according to the Cloud Monitoring Console? Currently, v9.1.1 is showing as out of support. Many Thanks
Hi All, I have two CSV files.

File1.csv -> id, operation_name, session_id
File2.csv -> id, error, operation_name

I want to list the entries based on session_id like -> id, operation_name, session_id, error. Basically all the entries from File1.csv for the session_id and the errors from File2.csv. Could you please help with how to combine these CSVs? Note: I am storing the data to CSV as an output lookup since I couldn't find a way to search these via a single query, so I am trying to join from CSV.
Hi, in the official compatibility matrix there is no column for Indexer 8.0.x anymore as it's no longer supported. https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers Does anyone know up to which version the Universal Forwarder is compatible with an 8.0.x Indexer (with an 8.0.x Heavy Forwarder in front)?
Hello, we ingest logs from another vendor into Splunk; each event contains a "score" field which is predetermined by the 3rd party, ranging from 0 - 100. Is there a way to add that field value to the risk object score instead of a static risk score in the Risk Analysis adaptive response? I have been looking at using the Risk Factor editor but can't see a way other than setting the static value in the adaptive response to 100 and then creating 100 risk factors like this:

if('score'="10",0.1,1)
if('score'="11",0.11,1)
if('score'="12",0.12,1)

and so on. Thanks
We use the ansible-role-for-splunk project found on GitHub: https://github.com/splunk/ansible-role-for-splunk Now we want to install third-party apps from Splunkbase. The framework seems to rely on all Splunk apps being available from a git repository. How are third-party apps such as "Splunk Add-on for Amazon Web Services (AWS)" supposed to be installed unless extracted to a custom git repository first?
I had an issue with storage. I was at another site for 2 weeks and we reached the max limit on our drive. I had to reprovision in VMware, and while it was out of storage we had issues; I can't remember the error message but it was related to storage. Fixed the storage issue and rebooted, and had to reset my certificate, and everything looked fine. A day later we started getting the license issue. I read the articles in the community. I didn't fully understand. I think it's polling the environment for the time that my storage limits were reached? It's been 4 days with us being over the licensing limit. Looking back over the last year, we have never been close to our limits. Any help would be appreciated.
Hi Team, I have got a request to plot a graph of the previous 30 days. But the org has a retention period of 7 days set on the data set. As a solution, I am pushing data from a query having HTTP status captured to a lookup file. The CSV file consists of the following fields: 1. _time 2. 2xx 3. 4xx 4. 5xx. Also, I have created a time-based lookup definition. But when I try to plot the graph, the "_time" field is not coming up on the x-axis. Can you please help with how this can be achieved?
Splunk Forwarder did not send any data
Hi All, hope this finds you well. I have built a pretty simple search query for my dashboard, plotting a line chart graph (for monitoring payments done by different debit/credit card types, e.g. Giro, Mastercard etc., for every 5 minutes) using the transaction command, then searching for the card type in the log and extracting the value using regex into the field named "Card Type".

index=idx-stores-pos sourcetype=GSTR:Adyen:log | transaction host startswith="Transaction started" maxpause=90s | search "*Additional Data : key - cardType*" | eval Store= substr(host,1,7) | eval Register= substr(host,8,2) | rex field=_raw "AdyenPaymentResponse.+\scardType;\svalue\s-\s(?<CardType>.+)" | eval girocard=if((CardType=="girocard"),1,0) | timechart span=5m sum(girocard) AS "Girocard"

Now I have to modify the query in order to filter it based on Country and Store. The query I am using is:

index=idx-stores-pos sourcetype=GSTR:Adyen:log | transaction host startswith="Transaction started" maxpause=90s | search "*Additional Data : key - cardType*" | eval Store= substr(host,1,7) | eval Register= substr(host,8,2) | rex field=_raw "AdyenPaymentResponse.+\scardType;\svalue\s-\s(?<CardType>.+)" | eval girocard=if((CardType=="girocard"),1,0) | append [| inputlookup Stores_TimeZones.csv where Store=tkg* ] | timechart span=5m sum(girocard) AS "Girocard" latest(Country) AS Country latest(City) AS City

I am unable to get the output for Country and City. What am I doing wrong? Please help. Thanks in advance.
Hi, I cant start the controller, I have attached the error that I am getting. Please suggest how can I solve this issue. Thanks. 
How to not send a Splunk report via email if no results are found? I cannot change it to an alert and use "number of results > 0", as I need to send it as a report with records. So I need to implement this as a report only, not as an alert. I have gone through the existing posts but could not find a solution. Are there any settings in Advanced Edit which could help?
Hi, I try to configure my alert with an advanced time slot like this: earliest = -60m@m latest = -40m@m. But when I save, Splunk tells me "The changes you have done to this alert slot time will be not saved" and "the slot time has not been updated, Change the alert type in order to modify the slot time". What is wrong, please? And I try to use the cron below, but the cron is not taken into account: */20**** Thanks for your help
Event and Report extract rules: use the payment business events to identify transactions which have ACCP clearing status (NPP 1012, NPP 1013) with a missing Settlement Notification event NPP 1040.

Events: "NPP 1033_CR_INBOUND", "NPP 1012_CLEARING_INBOUND", "NPP 1013_RETURN_INBOUND", "NPP 1040 SETTLEMENT RECEIVED"

The report should include the following fields: Time from NPP 1033, TXID from NPP 1033, Amount from NPP 1012 or NPP 1013.

I have already created this query:

index=nch_apps_nonprod applications=fis-npp source=fis-npp-sit4 ("NPP 1012_CLEARING_INBOUND" OR "NPP 1013_RETURN_INBOUND" OR "NPP 1033_CR_INBOUND")
| rex field=message "eventName=\"(?<eventName>.*?)\""
| rex field=message "txId=\"(?<txId>.*?)\""
| rex field=message "amt=\"(?<amt>.*?)\""
| rex field=message "ibm_datetime=(?<ibm_datetime>.*?),"
| eval Participant=substr(txId,1,8)
| stats values(eventName) as eventName, min(ibm_datetime) as Time, values(amt) as amt by txId, Participant
| where mvcount(eventName) >= 3 AND mvfind(eventName, "NPP 1040") < 0
| table Time eventName Participant amt

but I am not getting any result.