I have a search with "index=A", "Source=A" and "Source=B", and both sources have the column "Address". I want to compare what is in Source A but not in Source B, based on the values of "Address".
I have a base search and I want to set a token based on the result count. When there is no search result I want to show the message "Search returns no data" on the dashboard. I tried the way below, but the message doesn't show up when there are 0 search results. If I set the token and add this message on top, where it's 'job.resultCount' > 0, the message shows up on the dashboard.

```xml
<search id="baseSearch">
  <done>
    <condition match="'job.resultCount' > 0">
      <unset token="check"></unset>
    </condition>
    <condition>
      <set token="check">Search returns no data</set>
    </condition>
  </done>
  <query> ... </query>
</search>
<row>
  <panel depends="$check$">
    <html>
      <h2>$check$</h2>
    </html>
  </panel>
</row>
```
```
index=abc sourcetype=app_logs
| stats count as events by host, host_ip
| where events > 0
```

When I schedule this as an alert, I receive the alert only when there is no data from all of the hosts, but I need to get an alert if there is no data from any ONE host as well. How can I do this?
I want to create a table in Dashboard Studio that will open up another dashboard when the user clicks on a row in the table. However, I cannot figure out how to provide the name of the dashboard to link to in a hidden field (see code below). How do I create a table drilldown to a dashboard based on the name in a hidden column?

```json
{
  "visualizations": {
    "viz_15E2DDQP": {
      "type": "splunk.table",
      "dataSources": { "primary": "ds_HsTRSmYx" },
      "title": "Fleet Status"
    }
  },
  "dataSources": {
    "ds_HsTRSmYx": {
      "type": "ds.search",
      "options": {
        "query": "| makeresults\r\n| eval ITEM = \"Operator Logins\"\r\n| eval STATUS = \"Good\"\r\n| eval _hot_link = \"operator_logins_dashboard\"\r\n| append [\r\n| makeresults\r\n| eval ITEM = \"Revenue Service\"\r\n| eval STATUS = \"Fair\"\r\n| eval _hot_link = \"revenue_service_dashboard\"\r\n]\r\n| append [\r\n| makeresults\r\n| eval ITEM = \"Announcements\"\r\n| eval STATUS = \"Poor\"\r\n| eval _hot_link = \"announcements_dashboard\"\r\n]\r\n| append [\r\n| makeresults\r\n| eval ITEM = \"Navigation\"\r\n| eval STATUS = \"Warning\"\r\n| eval _hot_link = \"navigation_dashboard\"\r\n]\r\n| append [\r\n| makeresults\r\n| eval ITEM = \"Available Resources\"\r\n| eval STATUS = \"Error\"\r\n| eval _hot_link = \"resources_dashboard\"\r\n]\r\n| table ITEM STATUS _hot_link"
      },
      "name": "Fleet Status"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    }
  },
  "inputs": {
    "input_global_trp": {
      "type": "input.timerange",
      "options": { "token": "global_time", "defaultValue": "-24h@h,now" },
      "title": "Global Time Range"
    }
  },
  "layout": {
    "type": "absolute",
    "options": { "display": "auto-scale" },
    "structure": [
      {
        "item": "viz_15E2DDQP",
        "type": "block",
        "position": { "x": 0, "y": 0, "w": 690, "h": 260 }
      }
    ],
    "globalInputs": [ "input_global_trp" ]
  },
  "description": "",
  "title": "Dashboard Studio Hotlink POC"
}
```
The Splunk ES documentation https://docs.splunk.com/Documentation/ES/7.1.1/Admin/Downloadthreatfeed#Add_a_URL-based_threat_source describes how to add a URL-based threat source, and it seems to work even with credentials using POST. What if I have to use an API key instead of credentials? How do I download threat intelligence from a remote API using API keys, from MCAP https://mcap.cisecurity.org/ for instance? Thank you for your time in advance.
My query:

```
index=abd ("start app" AND "app listed")
| rex field=_raw "APP:\s+(?<application1>\S+)"
| rex field=_raw "LLA:\s+\[(?<dip>[^\]]+)."
| dedup dip
| chart count over application1
| appendcols [
    search index=abd ("POST /ui/logs" OR "POST /ui/data" OR "POST /ui/vi/reg") AND "state: complete"
    | rex field=_raw "APP: (?<application2>\w+)"
    | rex field=_raw "LLA:\s+\[(?<dip>[^\]]+)."
    | dedup dip
    | chart count over application2 ]
```

I want the output as shown below. HOW DO I GET THIS??

```
application1  count  application2  count
L1            10     L1            15
M2            20     M2            4
L3            45     L3            100
```
Hello Team, we have a UBA 3-node architecture. Unfortunately, SAML authentication is required. We added the SAML XML file under "Manage --> Settings" as suggested. The result is that UBA threw us out of the platform with no chance to log in anymore either way. We have tried to log in with the standard UBA user as we have always done, as per https://docs.splunk.com/Documentation/UBA/5.2.0/Admin/UBALogin . Again, this page is misleading and there is no way to log in to Splunk UBA anymore. So we tried to search docs.splunk.com for suggestions. Unfortunately, all Splunk documentation suggests using the GUI to revert, which is not possible, and now we are at a dead end. log.log under caspida is not revealing much:

```
2023-07-25 18:39:48.596 error: no permissions found for role(s): %s (user=%s), failing login
2023-07-25 18:39:48.596 error: No permissions found for the roles: undefined
```

The error page, https://splunkuba.apps.mediaset.it/saml/acs , shows:

```
{"userError":true,"message":"No permissions are granted to this username."}
```

but roles and users have been mapped properly. Does anyone know how to revert the authentication by using the CLI? Does anyone know how to deploy SAML authentication? Thanks.
Hi All, issue: ITSI deployment failing in preproduction with the error "Unterminated string starting at: line 1 column 11371852 (char 11371851)". Our deployment process for ITSI is that we have a standalone box where we create our services, KPIs etc., take a backup of that service and restore the changes in the pre-prod environment. While doing so, the restoration fails with the error "Unterminated string starting at: line 1 column 11371852 (char 11371851)". ITSI version: 4.13.2. Splunk version: 9.0.4. Steps tried:
1. Took a backup of the existing service (example: service1) in QA, deleted service1, and restored service1 back to QA; received the same error.
2. Deleted the service and then restored the standalone backup; still failed with the same error.
3. Created a new test service and KPI on the standalone box and restored it in QA; still failed with the same error.
Requesting assistance on this issue. I have been trying multiple things and would appreciate some help. I will provide any additional information if required.
Hi people, I want a query to only print out the first n characters of the field value. So:

```
index=someIndex sourcetype=someNetworkDevice | stats count by someField
```

The output goes:

```
someField
this is a strong value 1
this is a string value 1a
this is a string value 2
some other string value 1
some other string value 1a
some other string value 2
this is yet another string value 1
this is yet another string value 1a
etc.
```

I want to pull out, say, the first 10 characters in each row:

```
this is a
this is a
this is a
some other
some other
some other
this is yet
this is yet
etc.
```
Hi, I need help to extract and filter fields with rex and regex. 1) I need to use rex on a path field which ends with ".exe". Example: in the path C:\ProgramFiles\Toto\alert.exe I need to catch "alert.exe". 2) I need to filter events which have a path in AppData\Roaming and which ends with .exe. I have done this but it doesn't work:

```
| regex NewProcess="(?i)\\\\AppData\\\\Roaming\\\\[^\\\\]+\\.exe$"
```

Thanks
I found this search query online; is there a way to modify it to search for a host on Splunk instead of for the actual Splunk server?

```
| rest /services/server/info
| eval LastStartupTime=strftime(startup_time, "%Y/%m/%d %H:%M:%S")
| eval timenow=now()
| eval daysup = round((timenow - startup_time) / 86400,0)
| eval Uptime = tostring(daysup) + " Days"
| table splunk_server LastStartupTime Uptime
```
Hi. In classic dashboards it's possible to hide errors in dashboards, e.g.: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-hide-error-message-icons-from-dashboard/m-p/272528 . Dashboard Studio uses a JSON file and I need to use a technique similar to the link above in the JSON file used by Dashboard Studio. I checked the documentation and didn't find anything on how to hide errors in Dashboard Studio. Can anyone help me avoid showing errors in Dashboard Studio? Thanks
I have my data as follows:

```
| table envName, envAcronym, envCluster
```

I am using envName as the label of the dropdown but want to use envAcronym and envCluster as the value. From the dropdown editor, I don't see a way to specify multiple values. Is there a way to achieve what I am looking for? I tried setting the value as a JSON object, but then dereferencing the variables with dot notation does not work. For example, I tried to reference the value as "$selectedEnv.envAcronym$" and $selectedEnv.envCluster$ but it does not work.
I have the code below and I need to get the statuses for yesterday and today with respect to the API value. My current search is:

```
index="l7" earliest=-1d@d latest=now
| eval status=case(response_status<400 AND severity="Audit", "Success_count",
                   response_status>=400 AND response_status<500, "Backend_4XX",
                   response_status>=500, "Backend_5XX",
                   response_status==0 AND severity="Exception", "L7_Error")
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
```

I need my data to be grouped separately or side by side. I need your help in achieving this.
How do I send events of two different indexes to a different sourcetype than the one I already have? I have to put all the events of the two indexes into another sourcetype. How do I configure props.conf and transforms.conf?
I want to find the time difference between two events (the duration some operation took) and plot a graph which shows how much time it took for each entity. I used the query mentioned below:

```
<base_search>
| eval duration = duration_seconds + (60 * (duration_minutes + (60 * duration_hours)))
| fieldformat duration = tostring(duration, "duration")
| fieldformat duration_in_minutes = duration / 60
```

Now I get the correct output in the form of a table, but with some extra fields. I need the first column (cls_id) and the last column (duration_in_minutes). Can someone help me get that? I tried appending `| table cls_id, duration_in_minutes`, but that gives a null value for the "duration_in_minutes" field/column.
Hi. I'm using Splunk Enterprise 9.0.4 on-prem. The search head has been set up with Azure AD as IdP and normal user login functions as expected. I tried to connect the Splunk Mobile App to my search head, but it complains that "SAML needs to be set up for Connected Experiences before devices can be registered", so I log on as administrator and navigate to "SAML Configuration" in Splunk Secure Gateway. Here it states that I need to connect to a SAML IdP, and when I look at Okta or Azure it states this: "To use Okta or Azure, use a provided authentication script to establish a persistent connection." Now it seems that there should be a provided script that I can use in my SAML configuration; I just can't find anywhere that states which script it is. Hopefully someone is less blind than me and can point me in the right direction. Kind regards /las
Hello Splunkers! I am using the "transaction" command to merge multiple logs based on a mutual field between them. To clarify, I have email logs; the issue is that for 1 email I receive 4 logs in the following order: from, subject, attachment, to. They all have one field in common: id. I am using the following transaction command:

```
| transaction id startswith=from endswith=to
```

The issue is that it merges only the two logs containing "from" and "to". Can you please verify whether I am using the command correctly, because I need it to also merge the logs in between, not only "from" and "to".
My verbose mode and fast mode results are different. How do I run a scheduled search in verbose mode by default? I added this parameter in the search stanza in savedsearches.conf:

```
display.page.search.mode = verbose
```

But it has no effect; it is still running in fast mode. Splunk Enterprise version: 9.0.4.1