How do I change a "views" name in Splunk? For example:
Dashboard "test" is associated with view "test"
Dashboard "test-v2" is associated with view "test__v2"
Dashboard "test-v3" is associated with view "test__v3"
How do I change dashboard "test" to "test-v1" and the view name to "test__v1"? When I changed the dashboard name "test" to "test-v1", it did not change the view name to "test__v1". Thanks
We are using Splunk Enterprise 9.0.1 on-prem, with Splunk App for Lookup File Editing version 3.6.0. We need a user to modify a column in a lookup, so we give him access and capabilities to do so. But we don't want this user to have the power to modify all the columns in that lookup. Is there any way that we can restrict which columns a user can edit? Regards. EDIT: Here is an open idea for this feature request: https://ideas.splunk.com/ideas/APPSID-I-529. Please vote if you consider it useful.
Hello, I have a distributed environment: 1 Search Head (SH), 1 Indexer, 1 Deployment Server, and 1 Syslog Server. I deployed my apps to the Syslog server for those devices that cannot have a forwarder installed. The Splunk Add-on for VMware shows a diagram of a distributed environment. I have my VMware device logs sent to the syslog server, then the syslog server sends them to the indexer. I've installed the add-ons for VMware ESXi Logs on the SH and the Syslog server, and the VMware add-on for Indexes on the Indexer. I don't understand what a Data Collection Node or a Data Collection Scheduler is. The documentation is confusing. What are these, and do I need them in my environment for my VMware devices? Thanks
Create_Failed: The following resource(s) failed to create: SplunkDMCtrailCWLogSubscriptionFilterCustomResource. We are able to pass all the prerequisites, and then after deploying the CloudFormation template in AWS it fails to create the SplunkDMCtrailCWLogSubscriptionFilterCustomResource and we are never able to ingest the CloudTrail logs. Any help would be greatly appreciated.
I have a lookup table that contains usernames and userids. I want to use this to match a username to a userid and vice versa. I want to take the output from said lookup and search across multiple indexes for the username OR the userid. It would look roughly something like this:
|inputlookup username2userid.csv | search username=a@a.com | table username userid | search (index=a $username$) OR (index=b $userid$)
If I manually replace either variable with the actual values the search works. Is it not possible to pass a variable from a lookup into a search? Thank you in advance!
I have installed and set up the VirusTotal TA with a basic configuration, i.e. API key and Max Batch Size, just to test things. However, when I try to run the following command
index=advanced_hunting category="AdvancedHunting-UrlClickEvents" properties.UrlChain=* | virustotal domain=properties.UrlChain
I get the following error:
Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1. Streamed search execute failed because: Error in 'virustotal' command: External search command exited unexpectedly with non-zero error code 1.
I'm scrolling through Google but nothing is helping at the moment. I was wondering if anyone else has experienced the same issue.
I was setting `ModularInputs` to WARNING and wanted to know the default value of `AdminManagerDispatch`. As of now it is set to "WARN"; I want to know if this is the default for this one too? ("splunk set log-level ModularInputs -level WAR") Can someone please guide me?
___________________________________________________________________________________
splunk@sh-i-***************c7e3:~$ splunk set log-level ModularInputs -level WARN
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Log level changed.
splunk@sh-i-**************e3:~$ splunk show log-level ModularInputs
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Component: ModularInputs     Level: WARN     Buffering: 0
splunk@sh-i-*************7e3:~$ splunk show log-level AdminManagerDispatch
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Component: AdminManagerDispatch     Level: WARN     Buffering: 0
splunk@sh-i-*********:~$ hostname -f;date
Wed Jun 21 10:29:29 UTC 2023
Hi, I have a field IP ADDRESS when a user logs in, so I want to send an alert email when there is a new IP address. Can you help me?
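The detection the post above asks for is "first time this user has been seen from this address". The following is an added example (not from the original post or from Splunk) that implements that check in Python over constructed login events: a baseline of known user/IP pairs is kept, the same thing a Splunk alert would hold in a lookup that the scheduled search refreshes, and every login whose address is not in the baseline for that user is returned as an alert. Field and user names are assumptions for illustration; values that are not valid IP addresses are skipped rather than alerted on, so a malformed field cannot flood the alert.

```python
import ipaddress

# Constructed sample login events in time order (not from the original post):
# (username, value of the IP ADDRESS field).
SAMPLE_LOGINS = [
    ("alice", "10.1.1.5"),
    ("alice", "10.1.1.5"),
    ("bob", "10.2.2.9"),
    ("alice", "203.0.113.7"),
    ("alice", "not-an-ip"),   # garbage value: must be ignored, not alerted on
    ("bob", "10.2.2.9"),
]


def new_ip_logins(events, known=None):
    """Return the (user, ip) pairs that are the first time `user` was seen from `ip`.

    `known` maps user -> set of IPs already seen (the baseline, e.g. the contents
    of a lookup); it is updated in place so the function can be called
    incrementally on each new batch of events. Values that do not parse as an IP
    address are skipped.
    """
    if known is None:
        known = {}
    alerts = []
    for user, raw_ip in events:
        try:
            ip = str(ipaddress.ip_address(raw_ip.strip()))
        except ValueError:
            continue
        seen = known.setdefault(user, set())
        if ip not in seen:
            seen.add(ip)
            alerts.append((user, ip))
    return alerts


if __name__ == "__main__":
    # Baseline learned from earlier history; only alice's 203.0.113.7 is new.
    baseline = {"alice": {"10.1.1.5"}, "bob": {"10.2.2.9"}}
    for user, ip in new_ip_logins(SAMPLE_LOGINS, baseline):
        print(f"ALERT: {user} logged in from new address {ip}")
```

Without a baseline every user's first login counts as new, which is the usual cause of a noisy first run; seed the baseline from a historical window before turning on the email action.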
Please help me fix my search code. Thank you very much!
Hello, is there a way to upgrade the Splunk universal forwarder on all onboarded endpoints using the deployment server? I was looking for answers but I didn't find anything helpful. Thank you.
Hello, I was reading about making requests to the Splunk API. In the link below, when making a request the username (admin) and password (pass) need to be included in the request, as seen here:
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/-/alerts/alert_actions
https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/RESTREF/RESTsearch#search.2Fjobs
However, there was another link mentioning that authentication tokens are needed to make API requests:
curl -H "Authorization: <type> <token>" -X <method> https://<instance host name or IP address>:<management port>/<REST endpoint> -d <data...> [-d <data...>...]
https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Security/UseAuthTokens
Can the first kind of API request only be used by admins, and is the second only for users granted access by admins, where they are given authentication tokens?
Hi people, I need help designing a regex that will cover the below strings, please.
------------------------------------------------------------------------------
wmic useraccount get /ALL /format:csv
wmic process get caption,executablepath,commandline /format:csv
wmic qfe get description,installedOn /format:csv
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
wmic process call create #{process_to_execute}
wmic process where name='#{process_to_execute}' delete >nul 2>&1
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}"
wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
----------------------------------------------------------------
Thank you!
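A single pattern covers all ten strings above once you notice their shape: `wmic`, zero or more global switches (`/node:`, `/user:`, `/password:`, ...), then the alias being queried (`useraccount`, `process`, `qfe`, `service`, `product`). The following is an added example, not part of the original post, that applies that regex in Python to the ten command lines from the post (reproduced here as constructed sample input; the `#{...}` tokens are placeholders, not literal values) and goes a step further than a yes/no match: it also pulls out the remote target from `/node:`, the action (`call create`, `call uninstall`, `delete`) and whether credentials were passed on the command line, which are the details a detection would want to surface. In Splunk the same PCRE pattern can be used in `rex` or `regex` against the process command-line field; the field name is deployment-specific and not assumed here.

```python
import re

# Constructed from the command strings listed in the post; #{...} are placeholders.
WMIC_SAMPLES = [
    "wmic useraccount get /ALL /format:csv",
    "wmic process get caption,executablepath,commandline /format:csv",
    "wmic qfe get description,installedOn /format:csv",
    'wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")',
    "wmic process call create #{process_to_execute}",
    "wmic process where name='#{process_to_execute}' delete >nul 2>&1",
    'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}',
    "wmic /user:#{user_name} /password:#{password} /node:\"#{node}\" process where name='#{process_to_execute}' delete >nul 2>&1",
    'wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}"',
    "wmic /node:\"#{node}\" product where \"name like '#{product}%%'\" call uninstall",
]

# One pattern for all ten: "wmic", any number of /switch: arguments, then the alias.
WMIC_RE = re.compile(
    r"(?i)\bwmic(?:\.exe)?\s+(?:/\S+\s+)*(?P<alias>useraccount|process|qfe|service|product)\b"
)
# Remote target: /node:host or /node:"host"
NODE_RE = re.compile(r'(?i)/node:"?(?P<node>[^"\s]+)"?')
# Actions that change state on the target rather than just reading from it.
ACTION_RE = re.compile(r"(?i)\b(?P<action>call\s+create|call\s+uninstall|delete)\b")


def classify_wmic(cmdline):
    """Return None if `cmdline` is not a wmic command of interest, otherwise a dict
    describing the alias, whether it targets a remote node, which node, the
    state-changing action (if any) and whether a password was passed inline."""
    m = WMIC_RE.search(cmdline)
    if not m:
        return None
    node = NODE_RE.search(cmdline)
    action = ACTION_RE.search(cmdline)
    return {
        "alias": m.group("alias").lower(),
        "remote": node is not None,
        "node": node.group("node") if node else None,
        "action": re.sub(r"\s+", " ", action.group("action").lower()) if action else None,
        "creds_on_cmdline": "/password:" in cmdline.lower(),
    }


if __name__ == "__main__":
    for line in WMIC_SAMPLES:
        print(classify_wmic(line), "<=", line)
```

The remote and `creds_on_cmdline` flags are the ones worth alerting on with higher severity: `wmic /node:... process call create` is remote execution, and `/password:` on the command line means the credential is now in every process-creation log that captured it.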
source="Application_Vulnerabilities_*.csv" index="vuln_mgmt" sourcetype="csv"
One of the dashboards has the above query. Where can I fetch the source file mentioned in Splunk?
Hi All, I have run the below query at two different time ranges (Last 24 hrs and All Time).
index=* | stats count by index,host
which gives a table as below:
index  host             count
abc    hdcgcgmefla02uv  127976
Now I want to compare the host column in both tables and populate a new column in a tabular view. If the host is present in both time ranges, the value is "Available", and if the host is not present in one of the time ranges the value will be "Not Available", like below:
index  host             Comparison
abc    hdcgcgmefla02uv  Available
abc    hdcgcgmefla22uv  Not Available
xyz    hdcgcgmefla12uv  Available
Please help me create a query to get the table with the desired comparisons. Your kind inputs are highly appreciated. Thank you..!!
My Splunk Cloud is configured with my server, and now for every transaction hit we are getting multiple events. It is hard to check how many transactions there are and harder to understand. Is there any way to only get one event for every transaction, with all the information inside it?
Hi Splunkers, I have to build a rule, based on Windows logs (XML ones), that must check this: notify me if there are at least 3 consecutive occurrences of EventID 4776 from a list of hosts. The desired output must show:
Host
Number of consecutive events
User/account associated with the events
So for example, if we have that
Host A has 4 consecutive events of EventID 4776 for user "Admin"
Host B has 19 consecutive events of EventID 4776 for user "Test"
Host C has 2 consecutive events of EventID 4776 for user "Joker"
Host D has 3 events of EventID 4776, but only 2 consecutive; then it has another, different event and only after this another occurrence of 4776 for user "Hello"
Host C doesn't match the consecutive count clause and must be excluded; same for Host D, because it has 3 events but not consecutive. The expected output is:
Host  User   N. of consecutive events
A     Admin  4
B     Test   19
What gets me stuck here is how to check that the events are consecutive. Any suggestion?
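"Consecutive" here means: walking the host's events in time order, a run of 4776s that is not interrupted by any other event from that host. The following is an added example, not from the original post, that implements that rule in Python over constructed events modelled on the four hosts described above (hosts A to D, the 4624 on host D is an assumed interrupting event, any other code would do). It groups each host's event stream into maximal runs of identical (EventCode, user) pairs, keeps the longest 4776 run per host, and reports only hosts whose longest run meets the threshold. It generalises the post slightly by letting the event ID and minimum run length be parameters. In SPL the same idea is usually built with `streamstats` to number the runs before counting them; the Python shows the logic that search has to reproduce.

```python
from itertools import groupby

# Constructed sample events in time order (not from the post): (host, EventCode, user).
# Host D's run is broken by an unrelated event (4624 chosen arbitrarily).
SAMPLE_EVENTS = (
    [("A", 4776, "Admin")] * 4
    + [("B", 4776, "Test")] * 19
    + [("C", 4776, "Joker")] * 2
    + [("D", 4776, "Hello")] * 2
    + [("D", 4624, "Hello")]
    + [("D", 4776, "Hello")]
)


def longest_runs(events, event_id=4776, min_run=3):
    """For each host, find the longest run of back-to-back `event_id` events for a
    single user and return [(host, user, run_length)] for runs of at least
    `min_run`, sorted by host.

    `events` must be sorted by time. A run is broken by any event from the same
    host with a different code or user; events from other hosts do not break it.
    """
    per_host = {}
    for host, code, user in events:
        per_host.setdefault(host, []).append((code, user))

    results = []
    for host, seq in per_host.items():
        best_len, best_user = 0, None
        # groupby with no key groups identical adjacent (code, user) tuples.
        for (code, user), run in groupby(seq):
            if code != event_id:
                continue
            n = sum(1 for _ in run)
            if n > best_len:
                best_len, best_user = n, user
        if best_len >= min_run:
            results.append((host, best_user, best_len))
    return sorted(results)


if __name__ == "__main__":
    print("Host  User   N. of consecutive events")
    for host, user, n in longest_runs(SAMPLE_EVENTS):
        print(f"{host:<5} {user:<6} {n}")
```

Because only the longest run per host is reported, a host that has two separate qualifying bursts shows up once; if you want every burst, return each run that meets `min_run` instead of only the best one.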
Hi, for the given sample data set, how can I extract all the numbers (they will always be 3 digits) from desc?
| makeresults | eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append [| makeresults | eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append [| makeresults | eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append [| makeresults | eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append [| makeresults | eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
Output required:
Can you please suggest a regex I can use for the same? Thank you.
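The pattern that does the job is three digits that are not part of a longer number: `(?<!\d)\d{3}(?!\d)`. The lookarounds matter because `\d{3}` alone would also pull `123` out of `1234`. The following is an added example, not from the original post, that runs that regex in Python over the five `desc` values above (copied here as constructed sample input) and returns every match, including codes with a leading zero such as `012`, which is why the results are kept as strings. In SPL the same extraction is `rex field=desc max_match=0 "(?<!\d)(?<code>\d{3})(?!\d)"`, which yields a multivalue `code` field.

```python
import re

# Constructed from the five sample `desc` values in the post.
SAMPLE_DESCS = [
    "Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down",
    "Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up",
    "Test - Creteil - (123) - France - Primary Up // Secondary Up",
    "All devices at 456 London, England are alerting as down and unreachable",
    "Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP",
]

# Exactly three digits, with no digit immediately before or after, so 12 and 1234
# are ignored while "(012)", "456 London" and "123-Clonmel" all match.
THREE_DIGITS = re.compile(r"(?<!\d)\d{3}(?!\d)")


def extract_site_codes(desc):
    """Return all standalone 3-digit codes in `desc`, in order of appearance,
    as strings so leading zeros survive."""
    return THREE_DIGITS.findall(desc)


if __name__ == "__main__":
    for desc in SAMPLE_DESCS:
        print(extract_site_codes(desc), "<=", desc)
```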
Where can I see ES content search performance in terms of the average time taken to run a particular correlation rule or saved search?
Hi everyone, I have VPN logs in this format:
2023-06-21T03:29:16+0000 [stdout#info] LOG ERR: 'LOG_DB RECORD {"username": "duocnv", "common_name": "duocnv", "start_time": 1687312988, "session_id": "aa2d4wW6GaPydjA4", "service": "VPN", "proto": "UDP", "port": "1194", "active": 1, "auth": 1, "version": "3.6.7", "gui_version": "OCmacOS_3.4.2-4547", "platform": "mac", "bytes_in": 1448266, "bytes_out": 15124146, "bytes_total": 16572412, "vpn_ip": "172.27.20.2", "duration": 5168, "node": "ip-10-250-101-154.ap-southeast-1.compute.internal", "timestamp": 1687318156}'
I used rex to extract the field "vpn_ip":
index=openvpnas | rex field=_raw ".*\s"vpn_ip":\s*"(?<vpn_ip>[^"]+)"
But it shows the error
Error in 'SearchParser': Missing a search command before '^'. Error at position '96' of search query 'search index=openvpnas | search LOG_DB RECORD | re...{snipped} {errorcontext = ublic_ip>[^"]+)"}'.
Can anyone help me?
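The parser error above comes from the unescaped double quotes inside the rex pattern: the first `"` after `\s` ends the SPL string, and everything after it is read as a new search command. Escaping them (`rex field=_raw "\"vpn_ip\":\s*\"(?<vpn_ip>[^\"]+)\""`) fixes that search, but because the record is JSON the more robust approach is to cut the JSON object out of the line once and decode it, which gives every field (username, session_id, bytes_total, node, ...) without one regex per field and without breaking when the key order changes; in SPL that is a `rex` for the `{...}` object followed by `spath input=<that field>`. The following is an added example, not from the original post, that does both in Python: a JSON-first parser and, for comparison, the single-field regex with the quoting the poster was trying to write. The log line is the one from the post, reproduced here as constructed sample input.

```python
import json
import re

# The log line from the post, reproduced as constructed sample input.
SAMPLE_LINE = (
    "2023-06-21T03:29:16+0000 [stdout#info] LOG ERR: 'LOG_DB RECORD "
    '{"username": "duocnv", "common_name": "duocnv", "start_time": 1687312988, '
    '"session_id": "aa2d4wW6GaPydjA4", "service": "VPN", "proto": "UDP", "port": "1194", '
    '"active": 1, "auth": 1, "version": "3.6.7", "gui_version": "OCmacOS_3.4.2-4547", '
    '"platform": "mac", "bytes_in": 1448266, "bytes_out": 15124146, "bytes_total": 16572412, '
    '"vpn_ip": "172.27.20.2", "duration": 5168, '
    '"node": "ip-10-250-101-154.ap-southeast-1.compute.internal", "timestamp": 1687318156}\''
)

# The JSON object that follows "LOG_DB RECORD", up to the closing brace and the
# trailing quote that wraps the whole record.
RECORD_RE = re.compile(r"LOG_DB RECORD (\{.*\})'?\s*$")

# Single-field alternative: the regex from the post with its inner quotes intact.
# In SPL each " inside the pattern must be written as \" so the string survives
# the search parser.
VPN_IP_RE = re.compile(r'"vpn_ip":\s*"(?P<vpn_ip>[^"]+)"')


def parse_log_db_record(line):
    """Decode the LOG_DB RECORD JSON carried in an OpenVPN AS log line.
    Returns the record as a dict, or None if the line has no record or the
    JSON is malformed (a truncated line, for example)."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return None


def extract_vpn_ip(line):
    """Regex-only extraction of vpn_ip, equivalent to the corrected rex."""
    m = VPN_IP_RE.search(line)
    return m.group("vpn_ip") if m else None


if __name__ == "__main__":
    rec = parse_log_db_record(SAMPLE_LINE)
    print(rec["username"], rec["vpn_ip"], rec["bytes_total"], rec["node"])
    print(extract_vpn_ip(SAMPLE_LINE))
```

The JSON route also keeps numeric fields numeric (`bytes_total` is an int, `port` stays a string because the log writes it quoted), which matters as soon as you want to sum transfer volumes or compare durations.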
Hi, Login id: [redacted] This is Ashok from [redacted] Company. I have an Admin role in AppDynamics and I'm able to log in to 'https://www.appdynamics.com/', but I'm unable to submit a support ticket. May I know how I can reach out to support to tell them about this concern? Thanks, Ashok *Post edited by @Ryan.Paredez to redact member email and company name. Please be careful when and how you share your company's name and email in community posts.