I'm looking specifically at the index for _configtracker to audit changes to the serverclass.conf file. Because of the nature of the <filtertype>.n = <value> entries, the behavior is one action to remove all values, then a second action to rewrite all the values in lexi order. This is making auditing of adds/removals/static values very difficult. I have managed to transact the events so I can compare old values to new values. I struggle with how to compare the results to identify changes when the values list is very long.

Current Table Output:

Unique Ident | OldValues | NewValues
<transact-x> | A B C D   | A C D E

What I'm looking for:

Unique Ident | OldValues | NewValue | Audit
<transact-x> | A         | A        | NoChange
<transact-x> | B         |          | Removed
<transact-x> | C         | C        | NoChange
<transact-x> | D         | D        | NoChange
<transact-x> |           | E        | Added

Assumptions:
1) stats values(field): I don't believe any of my samples cross over 10,000, which I believe is the default limit for the values field.
2) The values function will lexi order all values regardless of the original order in the raw data feed.
I have the following query that gives the count for port and CPU percent.

index=abc source=xyz SMFID=EDCD SMF119HDSubType=2 | timechart span=60m count by SMF119AP_TTLPort_0001 usenull=f useother=f | stats values(*) as * by _time | untable _time Port Count | where Count > 4000 | eval DATE = strftime(_time,"%m/%d/%y %H:%M:%S.%2N") | eval Date = substr(DATE,1,9) | eval Hours = substr(DATE, 11,18) | appendcols [search index=abc source=xyz (SYSNAME=EDCD) ((date_wday=tuesday AND date_hour=*) OR (date_wday=wednesday AND date_hour=*) OR (date_wday=thursday AND date_hour=*) OR (date_wday=friday AND date_hour=*) OR (date_wday=monday AND date_hour=10) OR (date_wday=monday AND date_hour=11) OR (date_wday=monday AND date_hour=12) OR (date_wday=monday AND date_hour=13) OR (date_wday=monday AND date_hour=14) OR (date_wday=monday AND date_hour=15) OR (date_wday=monday AND date_hour=16) OR (date_wday=monday AND date_hour=17) OR (date_wday=monday AND date_hour=18) OR (date_wday=monday AND date_hour=19) OR (date_wday=monday AND date_hour=20) OR (date_wday=monday AND date_hour=21) OR (date_wday=monday AND date_hour=22) OR (date_wday=monday AND date_hour=23) OR (date_wday=saturday AND date_hour=0) OR (date_wday=saturday AND date_hour=1) OR (date_wday=saturday AND date_hour=2) OR (date_wday=saturday AND date_hour=3) OR (date_wday=saturday AND date_hour=4) OR (date_wday=saturday AND date_hour=5) OR (date_wday=saturday AND date_hour=6) OR (date_wday=saturday AND date_hour=7)) | bin span=1h@h _time | eval "Hours"=strftime('_time',"%H:%M:%S.%2N") | eval DATE = strftime('_time',"%m/%d/%y %H:%M:%S.%2N") | eval Date = substr(DATE, 1,9) | eval CPU = round(RCVCPUA/16,2) | stats avg(CPU) as "CPU" by Hours Date | eval CPU=round(CPU,2) ] | table Date Hours Port Count CPU

This generates the following result:

Date     Hours      Port  Count CPU
08/22/23 7:00:00.00 23050 75787 38.42
08/22/23 8:00:00.00 23050 19854 84.56
08/22/23 9:00:00.00 23008 4126  37.16
08/22/23 9:00:00.00 23050 20121 35.71

I want to set an alert only when the count is >5000 and CPU >80. What combined statement can be used to get the desired result?
Hi, is it possible to search a field value and then count it, for example first for today, and then add the count of the same from the week before? I checked this example: https://community.splunk.com/t5/Splunk-Search/search-a-value-in-previous-time-period-and-add-to-current-count/m-p/566121 and did a query like this:

index=my_summary source="my_source" earliest=-1w@w | bucket span=1w _time | where Total_Requests > 10 AND Total_New_Services > 15 | stats values(info_min_time) as earliest values(info_max_time) as latest values(user) as user, values(Total_Requests) as Total_Requests, values(Service_Name) as Service_Name, values(Total_New_Services) as Total_New_Services by Account_Name _time | convert ctime(earliest) ctime(latest) | eventstats sum(Total_Requests) as Total_Requests_last7days sum(Total_New_Services) as Total_New_Services_last7days by Account_Name

The only issue I see with my query is that the _time values are different and the earliest and latest time values are different (it's a summary index, btw), but Total_Requests, Total_Requests_last7days, Total_New_Services and Total_New_Services_last7days are as expected. Any help would be appreciated, thank you!
I have a lookup file (with one column, combinedrules{}) which would be dynamic, and I want to run a scheduled search to print the IDs that are not present in the index search (which has the same column, combinedrules{}).

Lookup file:

combinedrules{}
324252
543246

Search:

Combinedrules{} | Search(index) | Inputlookup file
324252          | No            | Yes
432324          | No            | Yes
Hi, I have the following log lines:

2023-08-23 06:27:13,551 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-70) replacing relative valid redirect with: https:// foo.com/admin/master/console/*
2023-08-23 06:28:04,446 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-70) Recalculated absoluteURI to https:// foo.com/admin/realms/master/users

and so on. I need to create a query and extract "foo.com" from the URL so I can create an alert any time the URL is "bar.com". Very new to Splunk, so please bear with me. Thanks
Dear All, I am trying to create a dashboard which will have two global inputs. Input1: IPAddress. Input2: Panel Name. Based on Input2, the layouts, views and tables will change. For example, if Input2 was selected as Firewall traffic, it would show network traffic for that IPAddress. If Input2 was selected as Windows, it would show Windows activity from that IP with different layouts, tables and panels.
1st query: index="A" event_tag="event1" build_number=1 job_name=job1 type=completed

2nd query: index="B" event_tag="event2" build_number=1 job_name=job1

We have some events in index A and some events in index B. How do we combine these using the common fields build_number and job_name? What will the query be?
I have a Splunk query to get the execution time of methods, shown below:

basesearch | where like(method,"A") OR like(method,"B") | table method,time

This will show the execution time of method A and method B present in the same flow for multiple calls. Results are something like below:

method time
A      110
B      95
A      120
A      110
B      101
A      110
B      95
A      125
A      115
B      80
B      85
B      90

I want to filter results such that the execution time of A>=110 and the corresponding execution time of B, something like below:

A   B
110 85
120 101
110 95
125 100
115 95
Log sample:

[6724268.575s][debug][gc,age] GC(10561) Desired survivor size 33554432 bytes, new threshold 1 (max threshold 15)

I am getting timestamp parsing errors for the above source logs using the props below:

DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TRUNCATE = 999999
TZ = America/New_York
Hi Splunkers, every day I receive a mail with a CSV attachment. I need to push this CSV data into Splunk. Please suggest any app or any script (Python). Thank you in advance.
Hi, sir. I am a developer working for a multinational company. I am now responsible for finding a solution that allows our manager to view our DAU data on a mobile phone. I noticed that Splunk provides RUM, which can collect user data, and also provides a mobile app called `Splunk mobile`. My question is: can I view the RUM charts in Splunk mobile? It's important because managers are not always near their computers, so using a native mobile app can help them master the data anywhere.
Hi guys, I'm installing DB Connect, and when configuring it I get this error: I got the JDK path from the command echo $JAVA_HOME. Is it an Oracle JDK error?
Hi, when I extract any fields from a JSON log, the following error is generated: "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

Aug 24 13:16:20 192.168.2.24 fenotify-333875.warning: { "alert": { "ack": "no", "action": "blocked", "alert-url": "***************", "appliance-id": "C4:00:AD:B6:C5:33", "attack-time": "2023-08-24T04:16:08Z", "dst": { "ip": "192.168.2.148", "mac": "fc:34:97:03:fe:98", "port": "80" }, "explanation": { "analysis": "content", "cnc-services": { "cnc-service": { "address": "192.168.2.148", "channel": "POST /album.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 273\r\nHost: 192.168.2.148\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\nc=jO0wkeKc25qk/jg9NkqHPYA1XRkb0eqAPErxNwK5fmcXnTY0m3qFMPT2&kaiikog=M4orW66CyB5IjuC7TFuXRXOu&uce=er+Z6Z0jmOjNDtX5cONg+rVQo6oNPYQ0leujF838&oa=JIcmHxXfQvOJUgRbe7md5RBz9uZx&ssqwy14=+gDzCdPBlfSipfJIxWZ/O6jp&mmmkii=Ejrq8elTUzQqMMrfBs2oCZkoqZFLbvdKd5YyiQgp50Qsaw+JBOzLVsxbAfJCDaY=", "host": "192.168.2.148", "port": "80", "protocol": "tcp", "sid": "86134347", "sname": "Trojan.Bedep", "type": "CncSigMatch", "url": "hxxp://192.168.2.148/album.php" } }, "malware-detected": { "malware": { "name": "Trojan.Bedep", "sid": "86134347", "stype": "bot-command" } }, "protocol": "tcp" }, "id": "333875", "interface": { "interface": "pether3", "label": "A1", "mode": "tap" }, "name": "malware-callback", "occurred": "2023-08-24T04:16:08Z", "product": "Web MPS", "root-infection": "7717", "sc-version": "1397.140", "sensor": "Coupers-NX", "sensor-ip": "192.168.2.21", "severity": "crit", "src": { "ip": "192.168.2.154", "mac": "00:0c:29:07:f9:d1", "port": "58061", "vlan": "0" }, "uuid": "62206b77-a649-4dfe-aba9-67debda3e52f", "version": "9.1.5.986166" }, 
"appliance": "Coupers-CM.couperscm.com", "appliance-id": "3C:EC:EF:8E:64:9E", "msg": "normal", "product": "CMS", "version": "9.1.5.986166" }
Hi All, previously I asked a question titled "How to display panels dynamically depends on selection?" (link). I have a similar issue: I need to display panels dynamically depending on the user selection in a filter. However, the user selection is no longer in categories, but comes from the packet_size in index="my index" within 24 hours. Therefore, the options in this filter become dynamic, and what the user selects is dynamic as well. This is the search code in this filter:

index="my_idx" "*PING DATA*" | stats count by ping_pkt_size

and the output will be:

ping_pkt_size Count
40            111
128           30
520           10
...

Other ping_pkt_size values are possible. Is it possible to display panels accordingly and dynamically depending on the user selection? For example, if the user selects 40, then display the analysis table for packet_size=40. If the user selects 128 and 520, then display 2 analysis tables, one for packet_size=128 and one for packet_size=520. Does anyone have an idea about how to implement this? Thank you.
Hi, I have the "Upgrade Readiness App" version 4.1.2 installed on my prod and non-prod Splunks. https://splunkbase.splunk.com/app/5483 I had a problem with it, so I uninstalled it and was going to reinstall it, but I see the latest version on Splunkbase is now 4.1.1. What happened to 4.1.2? Was it withdrawn? Is that documented anywhere? Thanks, Keith
I have a requirement to build a dashboard: when a date and time range is selected, suppose 8/16/2023 17:00:00 to 8/16/2023 18:00:00, I want to show results for these dates as well as the previous day's same-hour results:

todays count | yesterdays count
100          | 200

Is it possible to have an auto search and show two results through one time picker selection?
Hello, how do I create a job to update a CSV file frequently using DBXquery? I have a company.csv file that was created by running a DBXquery search and uploaded into Splunk lookups. Whenever there is an update to the data, I need to manually run the DBXquery search, download the CSV file, delete the existing CSV file, then re-upload it to Splunk lookups.

In order to automate the process, I am thinking of using a job that executes DBXquery and outputlookup. Please suggest. Thank you all for your help.

Query: | dbxquery query="select * from tableCompany"

Table 1: company.csv

ip_address  company location
192.168.1.1 Comp-A  Loc-A
192.168.1.2 Comp-B  Loc-B
192.168.1.5 Comp-E  Loc-E
I'm running VT4Splunk 1.6.0  https://splunkbase.splunk.com/app/6654 It's deployed via the SH Cluster Deployer. I'm trying to edit the index names, but get a generic error: "Unexpected error when Enabling/Disabling saved searches." Any ideas?
I uploaded a CSV lookup table that has 2 fields, location and iprange. Is there a way to get what the possible IPs are in each range, so I can enter an IP address and it will return the location for that range?
Hello, I want to give the contact email details on one of my dashboards, which is built in Dashboard Studio. I have tried "Link to URL" and gave "mailto:example@abc.com", but this is not working. I want the mail to open up once someone clicks on it. Thanks, Sudha A