I have the following search that works but I'm trying to display more information in the search results. I have a watchlist lookup. I use that to search notable events so that I can alert on a user or asset that is part of a new notable. I'm trying to figure out how to display the new notable in the results.

| inputlookup user_watchlist
| search _key=*
| rename _key as user
| table user asset
| dedup user asset
| eval flag="no"
| join type=left user asset
    [ search index=notable
      | where isnotnull(src)
      | table src user _time
      | mvexpand src
      | mvexpand user
      | dedup src user
      | eval user=mvindex(split(user,"@"),0)
      | eval flag="yes"
      | rename src as asset
      | eval asset=lower(asset) ]
| where flag="yes"
Hello Splunkers, I need some help with writing an SPL query. I have a field called "DcPolicyAction" where the value could be 0 or 1. If it's 0 I want to basically call it Successful, and if it's 1 it is Failure. Can someone help me with the SPL syntax? I don't want to use the stats command. Just a simple query that lists the field. Thank you, regards, Moh.
Hi, I came across a guide on the official Tufin website detailing the integration between Tufin and SOAR Phantom: https://extensions.tufin.com/details/tufin-splunk-phantom-integration This integration offers a range of actions, including the capability to block domains. However, when I checked the Splunk App Store, the available Tufin app seems to have a limited set of actions and does not include the ability to block IPs or domains: https://splunkbase.splunk.com/app/5859 Does anyone have this app and would be willing to share it? Or if you have developed something similar in the past, could you share some tips? Thanks
A dashboard has a time range selector and a query search like below. The first search will apply the time range selector, but for the second search I want to set the earliest to the range selector's earliest -7d@d. Does anyone know how to do this? Ex: today: 9/20, time range selector: 9/14~9/22, I expected the second search to be 9/7~9/22

index="*" host="... | join type=left max=0 uid [search earliest=??? latest=$earliest$ index="*" host="... ] ...

Thanks.
Hi All, my file is not reindexing though I used the settings below in my inputs configuration file. The file is very small (300 chars) and won't change often; I want the file to reindex daily. Kindly help.

crcSalt = <SOURCE>
initCrcLength = 256
I developed my first app and am trying to integrate it into CIM using the documentation. So far I successfully defined an eventtype in eventtype.conf:

[my_event_type]
search = sourcetype=my_source

and when I search for this event type I get all the results:

eventtype=my_event_type

Now I continue to define tags, using this guide. My tags.conf file looks like this:

[eventtype=my_event_type]
alert = enabled

But nothing is returned when I search for:

tag=alert

Moreover, when I search for all types of tags I get only one type, "error", and its count is significantly less than the eventtype amount:

sourcetype=my_source | stats count by tag

In the guide it says "Once you have tagged an event type, you can search for it in the search bar" but I can't search for the tags. How can I troubleshoot the process? What should I look for? What am I missing? Thank you.
Hello Team, I have two lookup files and I want to join them through a common field, MonthYear. I need to calculate transmission per dept = Total transmission * (size of dept / total size of dept). In lookup1 I need to calculate the proportion of size based on dept, e.g. Transmission for Eng dept = 119 * ((100+23) / 170)

Lookup1:
MonthYear  size  org       dept
July 2022  100   research  Eng
July 2022  23    research  Eng
July 2022  2     data      IU
July 2022  45    research  Lab
Total size 170

Lookup2:
MonthYear  Transmission  ID
July 2022  60            global
July 2022  34            global
July 2022  23            Pbg
July 2022  2             pcf
Total transmission 119

I made a merge of the 2 lookups with join using MonthYear, but I am able to pass only one token value at a time. I need to get a pie chart based on the calculated formula for org and sort for top values in dept.

Code:

| inputlookup lookup2.csv
| search MonthYear="July 2022"
| join MonthYear
    [| inputlookup lookup1.csv]
| stats sum(Transmission) as TotalTransmission, sum(size) as Totalsize by MonthYear
| join MonthYear
    [| inputlookup lookup1.csv
     | search dept="Eng"
     | stats values(MonthYear) as MonthYear, sum(size) as DeptMem by dept]
| eval "Transmission per dept" = round(TotalTransmission * (DeptMem/Totalsize), 2)
| fields "Transmission per dept"
I have a Splunk SH Cluster (3 SHs in the cluster) and we are collecting Checkpoint logs using Syslog; a Splunk HF then reads the Checkpoint logs (basically a flat file) and indexes them into Splunk. Now my issue is I see the events are extracted as they should be when we use an add-on. However, I do not see any Checkpoint app/add-on installed on the SHs / HF. No manual field extractions either. I would like to know if there is any way to check how the fields are extracted? Secondly, we also have a separate SH running ES. On this, I don't see the events being extracted as I see them on our SH cluster. I did try to install the Splunk Add-on for Checkpoint to parse the fields and make it CIM compliant, but the fields are not extracted. I changed the sourcetype of the CP logs to match it with the add-on but still no luck. I am using the Splunk Add-on for Check Point Log Exporter. Appreciate your thoughts on this.
Dear Team, I am an AppDynamics user in my organization. We have installed the Database agent on our own server, and the AppDynamics team installed the AppDynamics front end on some server, I guess. We are able to see the DB Agents and Collectors and data in AppDynamics, but the issue is that we are able to see all the agents (their metrics, policies etc.) of other agents in our org. This is inconvenient.
Do hidden and depends panels count towards SVC usage if not displayed?
Hello, I have installed Splunk ITSI several times on various types of infrastructure, and I am observing this behavior for the first time. The latencies all have zero values as if they are not being reported. I have adjusted the collection interval, but it hasn't made any difference. What I don't understand is that this issue concerns latencies of virtual machines, ESXi servers, and datastores, while all other KPIs are okay. Is it possible that Splunk cannot collect certain values even though others are being collected? Do you have any idea about the root cause of this error?

IT Service Intelligence Version: 4.17.0
Splunk Enterprise Version: 9.0.5
I am noticing that the eStreamer Client Add-On is generating a lot of logs and filling up my Enterprise Server. Is there any way to mitigate this? It looks like the app will write 1000 lines of code per file. Is there any way to set an overwrite or scavenge setting so it doesn't just keep filling up the disk infinitely?

root@thall-splunk02:/opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk# du -sh /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk/
87G /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk/
root@thall-splunk02:/opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk# ll
total 90725612
drwx--x--- 2 root root 151552 Sep 18 02:06 ./
drwx--x--- 3 root root 4096 Sep 13 12:18 ../
-rw------- 1 root root 27279093 Sep 13 12:18 encore.1694621917.log
-rw------- 1 root root 28232829 Sep 13 12:18 encore.1694621924.log
-rw------- 1 root root 28304921 Sep 13 12:18 encore.1694621930.log
-rw------- 1 root root 28368804 Sep 13 12:19 en ...

wc -l encore.1694630328.log
10000 encore.1694630328.log
I have an old stand-alone search head with Enterprise Security and I'm migrating to a new search head cluster. Now I have 2 Enterprise Security instances running in parallel and I need to migrate incident_review to the new cluster to see the history of all incidents in one place so I can shut down the stand-alone search head.
Hello! I am using the Splunk Enterprise Security app, and whenever I access the Security Posture Dashboard, the panels for both Top Notable Events and Top Notable Event Sources are very small. I am only able to see 2 or 3 events at most and have to scroll up and down within the panel to see the rest of the events. Is there any way to modify the panel size so that all top notable events are displayed without having to scroll within the small panel area? In previous versions, this panel used to properly display at least 10 events without having to use any type of scrolling. The same issue happens with both Chrome and Microsoft Edge browsers. Any help would be very much appreciated, thanks!
Hi guys, I need some help trying to rename a specific field on condition that the renamed field is associated with one or more separate fields.

Fields:
Device_Name
Device_Interface
SomeField

Pseudocode:
<some query>
| if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX") --> rename Value2 as "This String"
| if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY") --> rename Value2A as "This Other String"
I have hundreds of thousands of events of this form.

id  event_type
11  ack
11  req
11  ack
12  req
11  req
12  ack
11  ack
13  req
12  req
12  req
11  req
12  ack
13  ack
12  ack
13  req

How can I create req-ack pairs of these events so that I can find the time difference between req and ack?

Expected pairing:
11  req-ack, req-ack
12  req-ack, req-ack, req-ack
13  req-ack
Hi All, I am struggling with a query and would appreciate some help please. I received the data in a csv file (timestamp is today). I'm interested in 3 fields: Account_No, Total and Order_Date. My view looks like this:

Account_No  Total  Order_Date
123         15.00  1/01/2023
123         35.00  15/02/2023
123         45.00  19/02/2023
456         15.00  1/01/2023
456         50.00  25/01/2023
456         10.00  19/02/2023

I'd like a view like this:

Account_No  Jan    Feb
            Total Sum
123         15.00  80.00
456         65.00  10.00

My main issue is using eval to change the date format that appears in the csv file from 01/01/2023 to read January 2023, or even just January will probably do for this exercise. I've come up with this so far:

| eval Order_Date = replace(Order_Date,"01", "January")

but firstly I see 06/January/2023 and not just January; my other issue is that if any other month has 01 in it (for example 01/07/2023) it appears like this: January/07/2023. Any ideas? Also I started looking at the stats list command to group all Account_Nos together:

main search..... | fields Order_Date Account_No Total | stats list(Total) as Total by Account_No

I am unable to figure out how to get the subtotals for each Account_No. Any pointers would be appreciated. Thank you
We have Splunk message validation scenarios in our test scenarios and need to know whether any open APIs are available for test automation? Automation Framework - TOSCA
Hi Team, we are using Alert Manager Enterprise to receive the alert notifications. As we are new to this Alert Manager Enterprise, we would like to understand a few features about it. Firstly, we have use cases with threshold criteria. So, we would like to understand what happens if we have events which are within the threshold limit but not an exact threshold match, i.e. we set an alert to trigger if we encounter 5 failure attempts for any user within 5 minutes. But in real time, we noticed 5 failure attempts for a user within 2 minutes; as we set up the threshold as 5 minutes, even though we have 5 failure attempts within 2 minutes, will it trigger an alert?
Hello Splunkers!! Our Splunk setup is currently set up to have singular processing instead of parallel processing; therefore the load is not being distributed but rather spikes on one core. We want to distribute the load on all the other CPU cores in parallel. Please suggest how I can check the CPU cores used by Splunk and in which config file I need to make the change.