Hello, I have created a Splunk app and it is currently in the marketplace. I am getting a timeout error while pulling data from my API into the Splunk app. Upon investigation, I figured out that I need to increase 'splunkdConnectionTimeout' from 30 sec to a higher value in `$SPLUNK_HOME/lib/python3.7/site-packages/splunk/rest/__init__.py`, line number 52. I want to modify this as and when the user installs my app; this modification should be applied upon restarting Splunk. I tried doing this by using the `web.conf` file in my app but I am not sure where and how to use this. Please help me with how I can do this.
I am running an alert which is not triggering email actions when using the real-time option. The alert is used to search for hosts which have not sent logs in the last 5 minutes. For example, I shut down a host for testing and wait 5 minutes. I then manually use the search string and specify a time frame (e.g. last 15 minutes), and I am able to obtain results. However, even though the same search was configured in the form of an alert running in real time, it produces no results nor does it trigger an email. Here is the search I am using:

index=* | stats max(_time) as latest by host | eval recent=if(latest > relative_time(now(),"-5m"),1,0), realLatest=strftime(latest, "%Y-%m-%d %H:%M:%S") | fields - latest | where recent=0 | rename host AS Host, realLatest AS "Latest Timestamp" | table Host, "Latest Timestamp"
Good afternoon, I am trying to show information from a CSV which is static, but will be replaced as time goes on. I was wondering if there was a way to make the CSV filenames a dropdown option in an input which would correlate with the searches below in the dashboard.

For example, input dropdown values:
july.csv
august.csv

And the search would be:
| inputlookup $august.csv$ ...

Is this an option, or is there a better way to do this?
I'm trying to add an input within a canvas as is indicated here: https://docs.splunk.com/Documentation/SplunkCloud/latest/DashStudio/inputConfig#Inputs_in_the_canvas I have been dragging my input to the canvas without luck. Then I found this video that shows a configuration option for "in" or "above" canvas: https://www.youtube.com/watch?v=eyXAa6xxrso However, on my dashboard, I do not have these options. Is there a configuration that I am missing? Why am I unable to move my inputs to the canvas? Splunk Cloud Version: 9.0.2209.3
Hello All, I have seen this post (which is helpful): "How to get the on click marker gauge redirect to a dashboard?" I would like to run a search instead of setting a variable on a panel. Is this possible? The JavaScript writes the value to a $toke$ variable on a second panel. I would like to run a search; the filler gauge does not have an option for a drilldown. Yes, the easy way is to just click the search magnifying glass. Thanks, eholz1
Is there a way to view license usage from the Splunk search head? I'm on Splunk 9.0.3. I've attempted to forward license_usage.log to the Splunk indexer and directly to the Splunk search head from the manager node. The file seems to forward; however, the contents are replaced with a message stating the information is only viewable from the manager node. Another possibility is that license_usage.log is generated by default on both the indexer and search head, so it only looks as though the log is being forwarded. Due to the way our Splunk deployment is distributed, I need to have the web interface disabled on the manager node, so simply logging into the manager node web interface is not an option. To reiterate the question above, is there a way to view licensing information (either through search or the monitoring console) from the Splunk search head?
Hi, I want to separate out the fields below in table format.

Raw = Namespace [com.sampple.ne.vas.events], ServiceName [flp-eg-cg], Version [0.0.1], isActive [true], AppliationType [EVENT]

Query I am using:
| eval Namespace=mvindex(split(mvindex(split(_raw, "Namespace "),1),"],"),0) | eval ServiceName=mvindex(split(mvindex(split(_raw,"ServiceName "),1),"],"),0) | eval Version=mvindex(split(mvindex(split(_raw,"Version "),1),"],"),0) | stats latest(Namespace) as Namespace latest(ServiceName) as ServiceName latest(Version) as Version by host | sort -Version

Expected result:
Host    AppName    ServiceName    Version
Hi All, I would like to download the Splunk Add-on for AWS 6.0.0 version documentation for my reference, but I spent some time searching on Google and also on https://docs.splunk.com/ and was unable to find those details. Could anyone guide me on how to get the previous release documentation from the Splunk site? Thanks in advance.
Hi all, After running several actions from the EWS for O365 app (version 2.12.0) in Phantom, the following error is received: "API failed. Status code: ErrorInvalidIdMalformed. Message: Id is malformed.". As per the app documentation, the expected field format for "Message ID" is not specified. I'm using the Message Id field extracted from the original email headers. Is this correct? Is there any other way to obtain the message id? Which is the expected format? Thanks in advance!
For adding two KPIs in the SA topology, the KPI queries taken from the Monitoring Console use the REST API and work only on the Monitoring Console; they do not give results on the Search Head or ITSI, where they are required. The error is: "Restricting the results of the rest operator to local instance because you do not have the dispatch_rest_to_indexers capability". How can I proceed with this?
Hi, I have two fields: field1 and field 2

field1        field 2
ABC           AA\ABC
DEF           DD\DEF
GHI           GG\JKL

Now I need to compare both these fields and exclude if there is a match. So in the above case it should return only:

field1        field 2
GHI           GG\JKL

Could someone help me on this, please?
Hi, I have an Excel file on a Linux server at a particular path. I have created an input to monitor this file, but I'm not receiving any logs. Can anyone help me with how to get that Excel file daily by creating an inputs.conf?
Hi Team, I have 2 Splunk searches in which I want to exclude hosts when the hostname in the first search matches the Node field in the 2nd search. How can I modify and join these 2 searches to exclude those hostnames? The common field is the hostname field in the first one, and it will be the Node field in the 2nd search.

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" group=tcpin_connections os=Windows | dedup hostname | eval age=(now()-_time) | eval LastActiveTime=strftime(_time,"%y/%m/%d %H:%M:%S") | eval Status=if(age< 3600,"Running","DOWN") | rename age AS Age | eval Age=tostring(Age,"duration") | lookup 0010_Solarwinds_Nodes_Export Caption as hostname OUTPUT Application_Primary_Support_Group AS CMDB2_Application_Primary_Support_Group, Application_Primary AS CMDB2_Application_Primary, Support_Group AS CMDB2_Support_Group NodeID AS SW2_NodeID Enriched_SW AS Enriched_SW2 Environment AS CMDB2_Environment | eval Assign_To_Support_Group=if(Assign_To_Support_Group_Tag="CMDB_Support_Group", CMDB2_Support_Group, CMDB2_Application_Primary_Support_Group) | table _time, hostname,sourceIp, Status, LastActiveTime, Age, SW2_NodeID,Assign_To_Support_Group, CMDB2_Support_Group,CMDB2_Environment |where Status="DOWN" AND NOT isnull(SW2_NodeID) AND CMDB2_Environment="Production" | sort 0 hostname

index=ivz_em_solarwinds source="solwarwinds_query://Test_unmanaged_Nodes_Data" | table Node Account Status From Until | dedup Node
Hi there, we have set up Splunk in an air-gapped environment. Windows forwards logs to the HF via the UF agent on port 9997. The HF then forwards the logs to the indexer's rsyslog via a data diode. The logs we are receiving on the indexer contain special characters. Does anyone know how to troubleshoot this? Thank you in advance @splunk
Hi Team, I am using the query below:

<row>
  <panel>
    <table>
      <search>
        <query>index="abc*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully" | eval keyword=if(searchmatch("ReadFileImpl - ebnc event balanced successfully"),"True","")| eval phrase="ReadFileImpl - ebnc event balanced successfully"|table phrase keyword</query>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">true</option>
      <option name="wrap">true</option>
      <format type="color" field="keyword">
        <colorPalette type="list">[#118832,#1182F3,#CBA700,#D94E17,#D41F1F]</colorPalette>
        <scale type="threshold">0,30,70,100</scale>
      </format>
    </table>
  </panel>
</row>

Along with "True" and the phrase, I want one checkmark to also appear in another column. Can someone guide me?

Phrase                                              keyword
ReadFileImpl - ebnc event balanced successfully     True
ReadFileImpl - ebnc event balanced successfully     True
Hi, I would like to get the list of all users, with roles and last login, via a Splunk query. I tried the following query with a time range of "All time" but it shows an incorrect date for some users:

index=_audit action="login attempt" | stats max(timestamp) by user

Thank you, Kind regards Marta
I have a HEC and I am receiving logs from CloudWatch, and the default index is set to "aws". From the same HEC token I am also receiving firewall logs from CloudWatch, and these logs are also going to the index "aws". How can I transform the firewall logs coming from the same HEC token, from a different source, to be assigned to the index "paloalto"? I tried using the config below but it doesn't work.

props.conf
[source::syslogng:dev/syslogng/*]
TRANSFORMS-hecpaloalto = hecpaloalto
disabled = false

transforms.conf
[hecpaloalto]
DEST_KEY = _MetaData:Index
REGEX = (.*)
FORMAT = palo_alto

I created the index palo_alto in the cluster master indexes.conf and applied cluster bundles to the indexers. I also applied the above config using the deployment server to the indexers. For some reason the logs are still going to the aws index.
Hello Splunkers, I usually use the following command to decrypt $7 Splunk configuration passwords such as pass4SymmKey or sslConfig.

splunk show-decrypted --value '<encrypted_value>'

I have several questions regarding this command:
1/ Have you ever found any official documentation about it? I was looking here but with no result: https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/CLIadmincommands
2/ Is it possible to use this command for $6 encrypted (hashed?) strings, like the one stored for the admin password in $SPLUNK_HOME/etc/passwd? I suppose it's not possible since it's a password and it should not be "reversible" for security reasons.
3/ This question is related to the previous one. Is it right to say that the $7 value has been encrypted, since it's possible to revert it, and the $6 value has been hashed, because it's impossible to get the clear value back?
Thanks for your help! GaetanVP
Morning All, I've been asked to document everything we have on the Splunk Platform (on prem) before moving to the cloud. Has anyone been in a similar position, and where did they start? Any pointers would be appreciated. Thank you
Hi, I appeared for the Cyber Defense Analyst (CDA) exam a long time ago. I did not get my results, whether I passed or not. Also, the scorecard in Pearson VUE shows "Results will be provided via email". When will I receive my results? Please help here! @splunk @exam-dev-staff