Hello Experts, we have migrated to new hardware after the old data was backed up; the new environment has the last 2 months of data. Now we want to restore the old data onto a standalone server to perform some searches. Highlights: --> the old backup has primary and replication buckets, as it was a cluster backup. --> we are planning to set up a test machine (indexer/search head) for the above and ask the storage team to mount ~450TB (primary and secondary) of buckets. Do you think this is the right approach? Is there anything we need to consider before we ask for a test machine (8GB RAM, 4 CPU) and ask the storage team to mount the 450TB backup to this test machine?
Example ERROR HttpInputDataHandler [7000 HttpDedicatedIoThread-1] - Failed processing http input, token name=hec-token, channel=n/a, source_IP=xxx.xxx.xxx.xxx, reply=9, events_processed=nnn, http_input_body_size=yyyyyyy, parsing_err="Server is busy"  
Greetings. I am quite new to Splunk and have read a lot of sources. However, I have a hard time finding my answer about the join and eval functions. I have a first search on an index. I want to filter this search with the values of one field in a CSV I import as a lookup. Example: index="data" sourcetype="entities" | table EMAIL EXTERNAL_EMAIL CATEGORY. And I have the inputlookup: | inputlookup 20230904_NeverLoggedIn.csv. How do I compare the field EXTERNAL_EMAIL from the index to the E_MAIL field in the CSV file as a filter? Many thanks for the help.
Hi Friends, my client is using Splunk ITSI and XYZ (an internal application). Now they want to access the Splunk ITSI Glass Table UI from the internal (XYZ) application GUI. Kindly advise how to achieve this.
Hello again! I'm working with two different sources of data both tracking the same thing but coming from different sources. I need to consolidate them into one single Splunk search, so I decided to turn one of the two sources of data into a lookup table for the other. Right now the lookup table I'm using has 3 fields in it: HostName, Domain, and Tanium. What I'd like to do is load the 3 fields from this lookup into my Splunk search so that: 1) the HostName field from the lookup is merged with the HostName field in the search, with unique HostName values from the search and the lookup both available in the final output, but also, if there are duplicate values for HostName, they're merged together. 2) The Domain and Tanium values from the lookup are loaded into their corresponding entries in the final output. Is this possible? I believe it should be if I use the command: | lookup WinrarTaniumLookup.csv HostName OUTPUT Tanium Domain. But when I put in that command it doesn't appear to be adding any unique HostName values from the lookup, just merging the HostName values that both the lookup and the search share. What am I doing wrong here?
Please, is it possible to create a tag for a group of IP addresses? I need to search on a group of servers.
I want to essentially trigger an alarm if a user changes the password of multiple distinct user accounts within a given period of time. I was able to start with the search below, which provides me a count of distinct user account changes grouped by the source user. When I try to apply threshold logic to it, it doesn't appear to work. source="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | stats count(Target_Account_Name) by Subject_Account_Name
Hi, I cross the results of a subsearch with a main search like this: index=toto [inputlookup test.csv | eval user=Domain."\\".Sam | table user] | table _time user. Imagine I need to add a new lookup in my search. For example, I would try to do something like this: index=toto [inputlookup test.csv OR inputlookup test2.csv | eval user=Domain."\\".Sam | table user] | table _time user. How to do this, please?
During a recent Observability Tech Talk, attendees tuned in to discover Splunk's approach to digital experience monitoring. Splunk experts Connor Tye and Nivedita Narayanan discussed the different elements of Splunk's Digital Experience Monitoring (DEM) portfolio and how it can help you optimize your customer experience. Keep reading to explore how Splunk's DEM can help detect, alert and take action to address issues quickly and effectively.

Dive into the details of Splunk's Digital Experience Monitoring

"Optimizing Digital Experiences with Splunk Observability: Combining Synthetics and RUM for Performance Monitoring"

The Importance of Digital Experience Monitoring for E-commerce Sites

Learn why robust digital experience monitoring is crucial to prevent cart abandonment and build user trust in e-commerce sites. Digital experience monitoring is an important part of observing the performance and usability of websites and web applications. It is essential in today's world of digital transformation, where users demand seamless experiences and optimal performance from all the services they interact with. Splunk Observability offers two complementary products for digital experience monitoring: Synthetics and Splunk Real User Monitoring (RUM). Synthetics uses synthetic data to identify potential performance issues before they reach customers, while RUM provides real user insights to understand how users are interacting with the service. Combining these two products provides a well-rounded solution for monitoring pre-production and production environments. Digital experience monitoring is no longer about simply monitoring uptime, as expectations have changed and the way services are hosted has evolved. With digital experience monitoring, we can monitor changes in page load time, web vitals, and third-party services, thus ensuring a smooth user experience.

Monitoring Website User Experiences with Digital Experience Monitoring (DEM)

Digital Experience Monitoring (DEM) is a great tool to help identify user experiences. In this talk, we will discuss how DEM can be used to monitor a website. We will use a simple e-commerce website as an example. As the service owner of the website, we have noticed a delay in getting to checkout, which is not a great user experience. We will use Synthetics and RUM to measure the impact on the website. Synthetics is a set of transactions put together that each translate to steps and actions. For example, when a user searches for a product, adds it to their cart and checks out, these are three different actions that can be grouped into three transactions. RUM uses real data from users to build a portfolio. It requires little instrumentation and can be set up in less than an hour. With DEM, it doesn't matter what infrastructure is being used: on-prem, hybrid, or cloud customers can all access the service. Let's use DEM to monitor our website and see how it can help improve user experience.

Synthetic Monitoring Tool: Understand Your Workflow Performance and Identify Issues Quickly

A great way to understand the performance of any workflow is to use the Synthetic Monitoring tool. This tool gives you a visual representation of what the user saw, as well as the metrics associated with it. Through the waterfall feature, you can easily determine which elements of the page may be lagging and causing issues. Additionally, you can set up business transactions to specifically evaluate the checkout flow. For example, if the checkout flow is taking too long, you can immediately identify it in the Synthetic Monitoring tool. Moreover, if you have an APM product set up, you can further drill down to the root cause of the issue. Additionally, if the same page is instrumented for Real User Monitoring (RUM), you can get a landscape view of the different environments the issue is happening across. Through this, you can get a better understanding of how many people are using your product, and the different platforms and devices that are supported. This helps to provide a uniform user experience across the globe.

"Proactively Identifying Performance Issues with Synthetic Monitoring and RUM Data"

Troubleshooting User Sessions in Multiple Browsers and Regions

Explore user sessions across different browser versions and regions to identify delays and troubleshoot performance issues. Synthetic monitoring allows us to proactively identify issues before users encounter them and ensure consistent performance across diverse usage scenarios. The Synthetics Run results page automatically populates RUM data and matches it with the normalized URL of the synthetic test. We can localize the RUM distribution to the same country or area the test ran from, or switch to global users. RUM field data allows us to optimize user experience by providing insights into how real users interact with the application across geographic locations, devices, and browser platforms. This helps us to identify performance bottlenecks, pinpoint areas of improvement, and prioritize fixes for maximum user impact.

"Optimizing the User Experience through Splunk's Synthetic Monitoring and Web Optimization Tools"

Splunk Synthetic Monitoring and Web Optimization: Enhancing User Experience

Learn how Splunk synthetic monitoring and web optimization can help identify and fix performance issues, ensuring a seamless user experience on your website. Splunk's Synthetic Monitoring and Web Optimization capabilities provide users with the ability to test features and user journeys before they go live, receive step-by-step guidance to immediately improve their end-user experience, and prioritize issues based on severity and ease of solving them. Web optimization extends the monitoring process by providing insights into how to improve performance, and benchmarking pages against Lighthouse scores, Core Web Vitals and industry standards. It also allows users to compare pre- and post-code-change performance, to test the results of new code. Web Optimization also assigns defects to the relevant roles, such as developers or designers, and orders them based on severity.

"Splunk Synthetic Monitoring Enhances Setup Process with Record Functionality and Integrations"

Enhanced Integrations and Alerting Capabilities for Splunk Synthetic Monitoring

Discover the latest integrations and features of Splunk Synthetic Monitoring, including enhanced metric sending, dashboarding, alerting, and on-call notifications. Splunk recently introduced a new feature in synthetic monitoring to make the setup process faster. This feature, known as the Chrome Script Importer, enables users to record all interactions on a page and submit the file for the test setup. Additionally, Splunk synthetic monitoring has released five integrations with other Splunk products. These integrations allow users to send metrics via HECs to Splunk Enterprise or Splunk Cloud, send metrics to Splunk Infrastructure Monitoring, and view a digital experience in Splunk ITSI. Splunk On-Call also allows users to send on-call alert notifications to multiple team members. To further help users, Splunk provides guides, videos, and an eBook with best practices to optimize performance. Splunk also has a community site with answers and resources for digital experience monitoring. Lastly, Splunk Ideas allows customers to submit new product enhancements or vote for existing ideas. We hope you have gained a better understanding of the features and capabilities of Rigor and Synthetics. If you have any other questions, please reach out and we'll be happy to help.

Want to learn more?

Watch the full Tech Talk on-demand, From Clicks to Conversions: Tune Performance from the User Perspective. Also view the resources and all the pressing questions submitted during the live event.
Splunk Lantern is Splunk's customer success center that provides advice from Splunk experts on valuable data insights, key use cases, and tips on managing Splunk more efficiently. We also host Getting Started Guides for a range of Splunk products, a library of Product Tips, and Data Descriptor articles that help you see everything that's possible with data sources and data types in Splunk. This month we're highlighting some significant changes to our Use Case Explorer for Security and Use Case Explorer for Observability, aligning them with Splunk's new prescriptive value paths for resilience so the use cases you need to drive resilience in your organization are easier than ever to implement. As usual, we're also sharing the complete list of articles that Lantern has published over the past month. Read on to find out more.

Your Path to Greater Resilience for Security and Observability

You've probably heard a lot about digital resilience if you attended .conf23, or if you've been keeping up with Splunk's blog. Splunk offers a prescriptive path for organizations to improve digital resilience across security and observability that starts with foundational visibility to access the information teams need. With better visibility, they can prioritize actions and respond to what's most important. From there, teams can be more proactive and automate processes, and ultimately focus on optimizing digital experiences for teams and customers. But helping your own organization down this path isn't always easy. You might not know where to start, or how to implement the use cases that will ultimately drive your overall resilience. That's where Splunk Lantern's newly-revised Use Case Explorers for Security and Observability come in. The Use Case Explorers provide you with a structured framework and actionable guidance you can follow to develop digital resilience, wherever your organization is in its data journey.

Supercharging Security

The Use Case Explorer for Security shows you how to build foundational visibility in your organization through getting the basics right: gathering data in the right way and using tools like Splunk Security Essentials to build a foundational security monitoring program. From there, you'll find out how tools like Splunk Enterprise Security and Splunk SOAR can help you efficiently deal with cyber threats, as well as build modern alerting systems that help you stay on top of issues. When you've learned all this, you'll be able to see how to use Splunk Mission Control to access all your security information in one place, and spot the trends and insights that will help you build and maintain great customer relationships.

Optimizing Observability

The foundation of the Use Case Explorer for Observability lies in establishing strong observability basics like analyzing logs, which can be done right away in the Splunk platform. Then, as you progress, learn how to use Splunk IT Service Intelligence to gauge the health of services and extract valuable insights from events. You'll see how to use tools like Splunk APM, Splunk Infrastructure Monitoring, and Splunk On-Call to monitor and manage your systems, identifying and addressing issues with greater ease. Then, to deliver outstanding digital customer experiences, you'll see how to use Splunk Synthetic Monitoring and Splunk Real User Monitoring to craft experiences that resonate positively with your customers.

How to Begin

Ready to start? Click through to the Use Case Explorer for Security or the Use Case Explorer for Observability to start learning more.

New Prescriptive Adoption Motions

This month we're happy to announce that we've published two new sets of Prescriptive Adoption Motions to accompany our existing Prescriptive Adoption Motions for Security with Splunk. Prescriptive Adoption Motions for Observability with Splunk are written by Splunk's observability experts to help you confidently implement use cases by leveraging proven practices and tailored strategies. Using them helps ensure that your organization not only realizes the full value of Splunk's observability solutions, but also continues to reap their benefits in the long run. Here's the complete list of new guides for you to browse:
Business Service Insights
Event Analytics
Infrastructure Monitoring
Application Monitoring
Digital Experience Monitoring
We've also published two Prescriptive Adoption Motions for the Splunk platform: Using the Splunk platform for Security use cases, and Using the Splunk platform for Observability use cases. These guides help you learn how you can use the core platform to build foundational security and observability processes, without using any of Splunk's premium security or observability products. Check them out, and let us know what you think!

This Month's New Articles

Here are the rest of Lantern's newly-published articles now live across Platform, Security, and Observability:
Reviewing your ITSI environment
Deploying predictive analytics at the right time
Adopting ITSI capabilities strategically
Splunk 9.1.1 FAQ
Accessing search history
Using the makeresults command
Planning an organizational on-call policy
Using On-Call reporting to improve your team performance

We hope you've found this update helpful. Thanks for reading!

Kaye Chapman, Senior Lantern Content Specialist for Splunk Lantern
How to change the colour of info button in dashboard.
Hi Splunkers! I am using Splunk Enterprise Security, and creating correlation searches, one of them I have created and tested manually by running the search over a specific period of time, many events matched, but no notable events are being created. To test my correlation, I have added another action (send email) when the correlation is triggered, and sure enough, an email was sent to me. Can anyone help me solve this issue?
Dear Splunkers, I am currently facing an issue. We have a lookup on the SHC with some location information, e.g. location.csv: ____ location DE EN. The scope is to ingest data only on the indexers when the location in the events also shows up in the lookup. The solution works with ingest_eval and lookup filtering. The question right now is: do we have the possibility to manage this lookup on the SH level and give some roles the permission to add/remove locations on demand from this index? E.g. I'll update the lookup on the SH and this will be replicated to the lookup on the index cluster too. How can I achieve this? Kind Regards
Hi guys, I want to detect a service ticket request (Windows event code 4769) where neither of the following corresponding events appears before the service ticket request: 1. User ticket (TGT) request, Windows event code 4768. 2. Ticket renewal request, Windows event code 4770.
Hi guys, I want to detect that more than 10 different ports of the same host are sniffed and scanned every 15 minutes and, when this is triggered 5 times in a row, raise the alarm; if the same time period is triggered for three consecutive days, the alarm is triggered.
Hi All, I have the two logs below. First log: 2023-09-05 00:17:56.987 [INFO ] [pool-3-thread-1] ReadControlFileImpl - Reading Control-File /absin/CARS.HIERCTR.D090423.T001603. Second log: 2023-09-05 03:55:15.808 [INFO ] [Thread-20] FileEventCreator - Completed Settlement file processing, CARS.HIER.D090423.T001603 records processed: 161094. I want to capture the trimmings for both logs. My current queries: index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Reading Control-File /absin/CARS.HIERCTR." and index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Completed Settlement file processing, CARS.HIER."
Hi Everyone, I have to extract a file path from a path. The path will be in the format C:\a\b\c\abc\xyz\abc.h. I want to skip the first 4 folders. That is, in this example I want to extract \abc\xyz\abc.h. How can I do it using regex?
Is there any performance impact when using index IN ("windows_server") versus index="windows_server"?
Hi Splunkers! I need to extract a specific field which doesn't consist of the sourcetype in the logs. Fields to extract: OS, OSRelease. Thanks in advance, Manoj Kumar S
I have a field in the event which has multi-line data (between double quotes), and I need to split it into individual lines and finally extract them into a table format for each of the headers. Basically, the requirement is to report this data in table format to users.
output = "DbName|CurrentSizeGB|UsedSpaceGB|FreeSpaceGB|ExtractedDate
abc|60.738|39.844|20.894|Sep 5 2023 10:00AM
def|0.098|0.017|0.081|Sep 5 2023 10:00AM
pqr|15.859|0.534|15.325|Sep 5 2023 10:00AM
xyz|32.733|0.675|32.058|Sep 5 2023 10:00AM"