I have a lookup file (with one column, combinedrules{}) which would be dynamic, and I want to run a scheduled search to print the IDs that are not present in the index search (which has the same column, combinedrules{}).

Lookup file:
combinedrules{}
324252
543246

Search:
Combinedrules{}   Search(index)   Inputlookup file
324252            No              Yes
432324            No              Yes
Hi, I have the following log lines:

2023-08-23 06:27:13,551 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-70) replacing relative valid redirect with: https:// foo.com/admin/master/console/*
2023-08-23 06:28:04,446 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-70) Recalculated absoluteURI to https:// foo.com/admin/realms/master/users

and so on. I need to create a query that extracts "foo.com" from the URL so I can create an alert any time the URL is "bar.com". I am very new to Splunk, so please bear with me. Thanks
Dear All, I am trying to create a dashboard which will have two global inputs:

Input1: IPAddress
Input2: Panel Name

Based on Input2, the layouts, views and tables will change. For example, if Input2 is selected as Firewall traffic, it would show network traffic for that IPAddress. If Input2 is selected as Windows, it would show Windows activity from that IP with different layouts, tables, and panels.
1st query:
index="A" event_tag="event1" build_number=1 job_name=job1 type=completed

2nd query:
index="B" event_tag="event2" build_number=1 job_name=job1

We have some events in index A and some events in index B. How do we combine these using the common fields build_number and job_name? What will the query be?
I have a Splunk query to get the execution time of methods, shown below:

basesearch | where like(method,"A") OR like(method,"B") | table method,time

This shows the execution time of method A and method B present in the same flow for multiple calls. The results are something like below:

method   time
A        110
B        95
A        120
A        110
B        101
A        110
B        95
A        125
A        115
B        80
B        85
B        90

I want to filter the results such that the execution time of A >= 110 and the corresponding execution time of B are shown, something like below:

A     B
110   85
120   101
110   95
125   100
115   95
Log sample:
[6724268.575s][debug][gc,age] GC(10561) Desired survivor size 33554432 bytes, new threshold 1 (max threshold 15)

I am getting timestamp parsing errors for the above source logs using the props below:

DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TRUNCATE = 999999
TZ = America/New_York
Hi Splunkers, every day I receive a mail with a CSV attachment, and I need to push this CSV data into Splunk. Please suggest any app or any script (Python). Thank you in advance.
Hi, sir. I am a developer working for a multinational company. I am now responsible for finding a solution that allows our manager to view our DAU data on a mobile phone. I noticed that Splunk provides RUM, which can collect user data, and also provides a mobile app called `Splunk mobile`. My question is: can I view the RUM charts in Splunk mobile? It's important because managers are not always near their computer, so using a native mobile app can help them master the data anywhere.
Hi guys, I'm installing DB Connect, and when configuring it I get this error: I got the JDK path from the command echo $JAVA_HOME. Is it an Oracle JDK error?
Hi, when I extract any fields from a JSON log, the following error is generated: "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."

Aug 24 13:16:20 192.168.2.24 fenotify-333875.warning: { "alert": { "ack": "no", "action": "blocked", "alert-url": "***************", "appliance-id": "C4:00:AD:B6:C5:33", "attack-time": "2023-08-24T04:16:08Z", "dst": { "ip": "192.168.2.148", "mac": "fc:34:97:03:fe:98", "port": "80" }, "explanation": { "analysis": "content", "cnc-services": { "cnc-service": { "address": "192.168.2.148", "channel": "POST /album.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 273\r\nHost: 192.168.2.148\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\nc=jO0wkeKc25qk/jg9NkqHPYA1XRkb0eqAPErxNwK5fmcXnTY0m3qFMPT2&kaiikog=M4orW66CyB5IjuC7TFuXRXOu&uce=er+Z6Z0jmOjNDtX5cONg+rVQo6oNPYQ0leujF838&oa=JIcmHxXfQvOJUgRbe7md5RBz9uZx&ssqwy14=+gDzCdPBlfSipfJIxWZ/O6jp&mmmkii=Ejrq8elTUzQqMMrfBs2oCZkoqZFLbvdKd5YyiQgp50Qsaw+JBOzLVsxbAfJCDaY=", "host": "192.168.2.148", "port": "80", "protocol": "tcp", "sid": "86134347", "sname": "Trojan.Bedep", "type": "CncSigMatch", "url": "hxxp://192.168.2.148/album.php" } }, "malware-detected": { "malware": { "name": "Trojan.Bedep", "sid": "86134347", "stype": "bot-command" } }, "protocol": "tcp" }, "id": "333875", "interface": { "interface": "pether3", "label": "A1", "mode": "tap" }, "name": "malware-callback", "occurred": "2023-08-24T04:16:08Z", "product": "Web MPS", "root-infection": "7717", "sc-version": "1397.140", "sensor": "Coupers-NX", "sensor-ip": "192.168.2.21", "severity": "crit", "src": { "ip": "192.168.2.154", "mac": "00:0c:29:07:f9:d1", "port": "58061", "vlan": "0" }, "uuid": "62206b77-a649-4dfe-aba9-67debda3e52f", "version": "9.1.5.986166" }, "appliance": "Coupers-CM.couperscm.com", "appliance-id": "3C:EC:EF:8E:64:9E", "msg": "normal", "product": "CMS", "version": "9.1.5.986166" }
Hi All, previously I asked a question titled "How to display panels dynamically depends on selection ?" (link). I have a similar issue where I need to display panels dynamically depending on the user's selection in a filter. However, the user selection is no longer in categories, but comes from the packet_size in index="my index" within 24 hours. Therefore, the options in this filter become dynamic, and what the user selects is dynamic as well. This is the search code in this filter:

index="my_idx" "*PING DATA*" | stats count by ping_pkt_size

and the output will be:

ping_pkt_size   Count
40              111
128             30
520             10
...

Other ping_pkt_size values are possible. Is it possible to display panels accordingly and dynamically depending on the user's selection? For example, if the user selects 40, then display the analysis table for packet_size=40. If the user selects 128 and 520, then display 2 analysis tables, one for packet_size=128 and one for packet_size=520. Does anyone have an idea about how to implement this? Thank you.
Hi, I have the "Upgrade Readiness App" version 4.1.2 installed on my prod and non-prod Splunk instances. https://splunkbase.splunk.com/app/5483 I had a problem with it, so I uninstalled it and was going to reinstall it, but I see the latest version on Splunkbase is now 4.1.1. What happened to 4.1.2 - was it withdrawn? Is that documented anywhere? Thanks, Keith
I have a requirement to build a dashboard where, when a date and time range is selected, say between 8/16/2023 17:00:00 and 8/16/2023 18:00:00, it shows the results for that range as well as the results for the same hour of the previous day:

today's count   yesterday's count
100             200

Is it possible to have an automatic search that shows both results through one time picker selection?
Hello, how do I create a job to update a CSV file frequently using dbxquery? I have a company.csv file that was created by running a dbxquery search and uploaded into Splunk lookups. Whenever there is an update to the data, I need to manually run the dbxquery search, download the CSV file, delete the existing CSV file, then re-upload it to Splunk lookups. In order to automate the process, I am thinking of using a job that executes dbxquery and outputlookup. Please suggest. Thank you all for your help.

Query:
| dbxquery query="select * from tableCompany"

Table 1: company.csv
ip_address    company   location
192.168.1.1   Comp-A    Loc-A
192.168.1.2   Comp-B    Loc-B
192.168.1.5   Comp-E    Loc-E
I'm running VT4Splunk 1.6.0 (https://splunkbase.splunk.com/app/6654). It's deployed via the SH Cluster Deployer. I'm trying to edit the index names, but get a generic error: "Unexpected error when Enabling/Disabling saved searches." Any ideas?
I uploaded a CSV lookup table that has 2 fields, location and iprange. Is there a way to get the possible IPs in each range, so that I can enter an IP address and it will return the location for that range?
Hello, I want to give the contact email details on one of my dashboards, which is built in Dashboard Studio. I have tried "link to URL" and gave "mailto:example@abc.com", but this is not working. I want the mail client to open up once someone clicks on the address. Thanks, Sudha A
I have a sourcetype-based definition in which I mentioned INDEXED_EXTRACTION=JSON. Under this sourcetype there are 10 sources configured. Out of the 10, let us say one is not in JSON format. So how can I use the same sourcetype but not mention INDEXED_EXTRACTION=JSON for that particular source alone? I thought of using a source::-based stanza in props with the other attributes and not mentioning this INDEXED_EXTRACTION attribute. In that case, will it be taken from the sourcetype declaration?
| timechart span=1mon count by status | addtotals row=t col=f labelfield=Total True False "Not available" fieldname="Total_Count" | eval percent=round(((True/Total_Count)*100),0) | table Date Percentage

I chose the column chart visualization, but I only get the default color. How can I customize the color based on the range: 0-50% red, 50-70% yellow, 70-100% green?

<option name="charting.fieldColors">{"<50":"#e600ac","Up to 60":"#ff0000","Up to 80":"#ffa31a","Up to 100":"#33cc33"}</option>

I tried modifying it, but it did not work. Can anyone help? Thanks
Hi Team, we have users logging in on multiple devices, so we need to show the count of devices and of users logged in. Can you please advise the query for the same? Regards, Nagalakshmi A