Hi Team, our company bought the learning courses, but now we cannot access them. We sent an email to education@splunk.com reporting all the details three times; each time we only received one of the three case numbers below from noreply@splunk.com:

3311455 was generated on Sep 18
3317590 was generated on Sep 26
3319058 was generated on Sep 27

These three cases are for the same issue, but we haven't received any reply yet. May I ask who knows Splunk's complaint contact information?
How do we capture multiple URLs in a single event?

Log1:
type=EXECVE msg=audit(1695798790.101:25214323): argc=17 a1="http://127.0.0.1:8080" a2="http://10.0.2.20" a3="https://google.com/data/involvement/" a4=cat

Log2:
type=EXECVE msg=audit(1695798790.100:25214323):  a2="https://facebook.com" a3="-o" a4="http://127.0.0.1/index.html" a5="-kis" a6="-x" a7="http://10.0.0.10:8080"

Currently I'm using the regex below, which captures only one URL:

| rex field=_raw ".*\"(?<URL>((http|https):\/\/(\S+|\d+\.\d+\.\d+\.\d+\S+)))\""

I need all the URLs in the output.
Hi, we have just upgraded to 9.1.1 and our HEC seems to have stopped working. Calling it from a simple PowerShell script worked the day before, and running it now throws this error:

Unable to connect to the remote server
No connection could be made because the target machine actively refused it xxx.xxx.xxx.xxx:8088

So I headed over to the forwarder where it should be listening, and the tokens do still exist in inputs.conf in "/opt/splunkforwarder/etc/apps/splunk_httpinput/local". However, issuing the list command gives us the following:

$SPLUNK_HOME/bin/splunk http-event-collector list -uri https://localhost:8089
Token Not Found

HEC is enabled in the Global Settings, but we are also not seeing anything listening on port 8088. This is Splunk Enterprise on a Linux build.
Hello, it looks like when we enable or disable an app from the deployment server (from the GUI, for instance), app.conf in deployment-apps is edited, pushed to the forwarders, and then edited again? Thanks.
Hi, I am trying to write a query which compares all values of a particular field and returns the rows whose value differs from the others, along with their details. Below is my input:

FieldA    FieldB
host1     26
host2     29
host3     29

I want to compare all the values of fieldB, and if one is not the same as the others, I want to fetch that count with its fieldA value. E.g., here 26 is not equal to the other two values, so that fieldB value has to be displayed with its fieldA value.

I tried with an if condition:

| eventstats list(fieldB) as counts
| eval value1=mvindex(counts,-2)
| eval value2=mvindex(counts,-1)
| eval value3=mvindex(counts,0)
| eval value=if(('value1'=='value2') AND ('value2'=='value3'),"0","1")

Also with the query below:

| stats dc(metric_value) as count
| eval value=if(count>1,"0","1")

But with the above two, I am not able to pull the host name whose value is not the same. Note: fieldB is dynamic. Help me with this!
Hi, there is a bug in the Splunk Enterprise installer for 9.1.1 on Windows. During the upgrade (coming from 8.2.8) it processes the dashboard XML files, obviously looking for statements to change during the upgrade. There seems to be an erroneous conversion of UTF-8 files when the upgrade process saves them again on Windows: all special characters like äÄöÖüÜ got eliminated and replaced by other special characters across all dashboards by the upgrade. We had to manually check all dashboards after the upgrade. Be warned. Regards
I had an interview question: what is the search sequence of knowledge objects in Splunk? Please help me regarding this.
Hi there, I have a dashboard and I want to subtract the total number of events of two queries, but I'm not sure how to do it. Can you help?

Query 1:
index=mssql sourcetype=SQL_Query source=Sales_Contracts_Activations* OR source=Sales_Contracts_Activations_BOM

Query 2:
index=mssql sourcetype=SQL_Query source=Esigns CALLBACK_STATUS="SUCCESS" STATUS=Complete
Hello all, we have a Splunk alert that searches for high temperature events on Juniper routers. It's a very straightforward search:

index=main CHASSISD_FRU_HIGH_TEMP_CONDITION OR CHASSISD_OVER_TEMP_SHUTDOWN_TIME OR CHASSISD_OVER_TEMP_CONDITION OR CHASSISD_TEMP_HOT_NOTICE OR CHASSISD_FPC_OPTICS_HOT_NOTICE OR CHASSISD_HIGH_TEMP_CONDITION OR (CHASSISD "Temperature back to normal") NOT UI_CMDLINE_READ_LINE

I'd like this Splunk alert to ignore temperature alarm events on the host router4-utah when FPC 11 (FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/*) is running hot. The events always come in the following order, within 25 seconds of each other.

The alarm trigger events:

Sep 27 05:26:00 re0.router4-utah chassisd[7726]: CHASSISD_BLOWERS_SPEED_FULL: Fans and impellers being set to full speed [system warm]
Sep 27 05:26:00 re0.router4-utah alarmd[7895]: Alarm set: Temp sensor color=YELLOW, class=CHASSIS, reason=Temperature Warm
Sep 27 05:26:00 re0.router4-utah craftd[7730]: Minor alarm set, Temperature Warm
Sep 27 05:26:00 re0.router4-utah chassisd[7726]: CHASSISD_HIGH_TEMP_CONDITION: Chassis temperature over 60 degrees C (but no fan/impeller failure detected)
Sep 27 05:26:02 re0.router4-utah chassisd[7726]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Over Temperature! (jnxContentsContainerIndex 7, jnxContentsL1Index 12, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/*, jnxOperatingTemp 91)

The alarm clear events:

Sep 27 05:26:21 re0.router4-utah alarmd[7895]: Alarm cleared: Temp sensor color=YELLOW, class=CHASSIS, reason=Temperature Warm
Sep 27 05:26:21 re0.router4-utah craftd[7730]: Minor alarm cleared, Temperature Warm

The goal is to keep the normal temperature alert running as it always has, but somehow ignore the host router4-utah when it triggers and clears temperature alarms on FPC 11.

I think the easiest way to say this is: ignore any temperature alarm that triggers and clears on router4-utah within 25 seconds of this line:

Sep 27 05:26:02 re0.router4-utah chassisd[7726]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Over Temperature! (jnxContentsContainerIndex 7, jnxContentsL1Index 12, jnxContentsL2Index 0, jnxContentsL3Index 0, jnxContentsDescr FPC: MPC5E 3D 24XGE+6XLGE @ 11/*/*, jnxOperatingTemp 91)

Any assistance one can provide is much appreciated! Thanks.
Hi, when will I receive my results? Please help here! I can see the results will be declared in October, but I want to know which week or the exact date. @splunk @exam-dev-staff @cert-team-admin
index=botsv1 sourcetype="stream:http" | timechart max(date_year)
Hi everyone, after I select the source type I am getting the error below while using ingest actions. I had to update the pass4SymmKey, as ingest actions require setting up a custom pass4SymmKey.

Connection testing failed in all remote clients: [https://*.*.*.*:8089]. This can be caused by misconfiguration of secret key or event capture is not supported in those remote splunk instances.

Any idea what is happening?
I have three queries, and I want to combine them into one query so that I can use it for an alert.

Query1:
index=error-data  sourcetype=error:logs  source=https://error:appliocation.logs "logs started"   "tarnsaction recevied" [|inputlookup append=t  errorlogs.csv where error=2 |fields host |format] |stats count as "initial error logs "

Query2:
index=error-data  sourcetype=error:logs  source=https://error:appliocation.logs " timeouterror" AND "failed logs confirmed " [|inputlookup append=t  errorlogs.csv where error=2 |fields host |format] |stats count as "logs in transactions "

Query3:
index=error-data  sourcetype=error:logs  source=https://error:appliocation.logs " application logs continuted" [|inputlookup append=t  errorlogs.csv where error=2 |fields host |format] |stats count as "total failed"
I would like help with creating the following: search for when an account was created, and return a list of users who have not authenticated within 30 days after the account was created. I have a search that shows details for a particular user, but I would like to create a list of all users and set an alert if they have not authenticated after 30 days.

index=duo object=<user1> OR username=<user1>
| eval _time=strftime(_time,"%a, %m/%d/%Y %H:%M")
| table _time, object, factor, action, actionlabel, new_enrollment, username
| rename object AS "Modified User", username AS "Actioned By"
| sort _time desc

So if actionlabel="added user" exists, I would like to return new_enrollment=false:

Object(actionlabel=added user) = username(new_enrollment=false)

Here's the output I'm looking for:

User    Created     Authentications since created (After 31 days)    Last Authentication
user1   7/25/2023   0
user2   7/27/2023   3                                                8/19/2023
At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in the “12th Singapore Cyber Conquest” contest. Devesh shared a little bit about the contest, his experience with Splunk, and how he envisions applying his knowledge to his future endeavors. The 12th Singapore Cyber Conquest was a contest that brought together students from various Institutes of Higher Learning in Singapore, along with teams from other ASEAN countries. Devesh partnered with another student, Jia Le, which proved to be a successful collaboration. As a team, they were tasked with using Splunk software to navigate through data, tackle complex challenges, and accumulate points. According to Devesh, “It was a thrill to compete in an environment that required swift thinking and the ability to rapidly adapt to new software tools.” He also highlighted the strategic element that underpinned their success and emphasized the importance of choosing challenges wisely to maximize points. Devesh shared that, beyond the joy of winning, he found immense value in gaining hands-on experience with the Blue Team aspect of cybersecurity. “Familiarity with the Splunk Search Processing Language (SPL) was beneficial during the competition,” said Devesh. “SPL is pretty simple once you become accustomed to its intricacies, and knowing how to manipulate data using it was critical to achieving success during the competition.” As the winning team, Devesh and his teammate were awarded an all-expenses-paid trip to Splunk University and .conf23 in Las Vegas. At Splunk University, Devesh enrolled in the Splunk Architect Bootcamp and the SOAR Administrator Bootcamp. His assessment of these courses underscored their practical value – offering a glimpse into how Splunk could be effectively employed in real-world scenarios, including SOAR's capabilities with playbooks and tools that greatly enhance incident response.
Although Devesh doesn’t currently use Splunk in his day-to-day life, he believes the knowledge he gained at the Splunk University bootcamps will be helpful and applicable in his future career. Should he find himself in a Blue Team or Security Operations Center (SOC) role, his proficiency with tools like Splunk and SOAR could significantly contribute to his effectiveness in manipulating big data and performing incident response.  Devesh Logendran's journey is just one more example of the transformational potential of learning and skills development. His experience with Splunk and his team’s performance in the BOTS contest showcase the power of dedication and an aptitude for working in cybersecurity.   We really appreciate Devesh’s willingness to share his story!  If you have a similar story, please reach out to me, cskokos@splunk.com.     -- Callie Skokos on Behalf of the Splunk Education Crew
Hi all, can anyone please share a regex to exclude the events below (text in red)?

1.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{5484D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T18:27:56.545195800Z'/><EventRecordID>2371</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='18656'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x37</Data><Data Name='NewProcessId'>0x140</Data><Data Name='NewProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe</Data><Data Name='TokenElevationType'>%j1936</Data><Data Name='ProcessId'>0x3520</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

2.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{hh}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0000000</Keywords><TimeCreated SystemTime='2023-09-26T18:00:46.762007500Z'/><EventRecordID>146821602</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='24996'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>03e7</Data><Data Name='NewProcessId'>0511c</Data><Data Name='NewProcessName'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2010</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

I need a single regex to exclude events 1 and 2.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T17:44:16.666598900Z'/><EventRecordID>146821089</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='2136'/><Channel>Security</Channel><Computer>secu</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SEC</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x51</Data><Data Name='NewProcessName'>C:\Windows\System32\conhost.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x3ec</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_worker.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{449'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-09-26T18:24:19.611633300Z'/><EventRecordID>146822267</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='19952'/><Channel>Security</Channel><Computer>securejump</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>SECUREJUMP</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x4a18</Data><Data Name='NewProcessName'>C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\get_proxy.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0xdd0</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\ir_agent.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Thanks...
Hi everyone, I've recently applied a blacklist file-path regex to one app's inputs.conf in the serverclass on the host in the DS. How can I determine whether it's working or not?
Hi, we have created a new index on our platform, but it doesn't collect any data. The inputs.conf stanzas are well configured with the new index name, but our index is empty. So I am trying to list the checks to do in order to make our index work. Thanks.
We are seeing some timeout and authentication errors while collecting data from the OTel Kubernetes collector through HEC. Could anyone please let me know if there is a need to change limits in the config files? Below are the errors:

2023-09-26T14:47:17.613Z info exporterhelper/queued_retry.go:433 Exporting failed. Will retry the request after interval. {"kind": "exporter", "data_type": "metrics", "name": "splunk_hec/platform_metrics", "error": "Post \"https://xyz:8088/services/collector\": net/http: request canceled (Client.Timeout exceeded while awaiting headers)", "interval": "2.769200676s"}

2023-09-26T14:47:11.590Z error exporterhelper/queued_retry.go:401 Exporting failed. The error is not retryable. Dropping data. {"kind": "exporter", "data_type": "metrics", "name": "splunk_hec/platform_metrics", "error": "Permanent error: \"HTTP/1.1 401 Unauthorized\\r\\nContent-Length: 148\\r\\nCache-Control: private\\r\\nConnection: Keep-Alive\\r\\nContent-Type: text/xml; charset=UTF-8\\r\\nDate: Tue, 26 Sep 2023 14:47:11 GMT\\r\\nServer: Splunkd\\r\\nVary: Authorization\\r\\nX-Content-Type-Options: nosniff\\r\\nX-Frame-Options: SAMEORIGIN\\r\\n\\r\\n<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\n<response>\\n <messages>\\n <msg type=\\\"WARN\\\">call not properly authenticated</msg>\\n </messages>\\n</response>\\n\"", "dropped_items": 31}
A blocked auditqueue can cause randomly skipped searches, scheduler slowness on the SH/SHC, and a slow UI.