I want to remove the null values, which are in empty cells where there is no data present. I tried multiple ways and was not able to remove them:

index="gitxapixation" platform!=null provision_type IN (*) site_location IN (*)
| eval end_time=strftime(end_time, "%m/%d/%y %H:%M:%S")
| eval WW=strftime(start_time, "%V.%w")
| eval _time = start_time
| eval WW=strftime(_time, "%V.%w")
| eval scenario_name=case(provision_type="BIOS",mvindex(split(context,"."),1),provision_type="IFWI",mvindex(split(context,"."),1),provision_type="OS",mvindex(split(context,"."),1))
| eval scenario_name=coalesce(scenario_name,name)
| rename scenario_name as Testcase_id
| stats count(eval(status="FAIL")) as fail_count, count(eval(status="PASS")) as pass_count, count(eval(like(status,"BLOCKED%"))) as not_run_count by WW,kit,provision_type,platform,subproject
| eval scenario_status=case(fail_count>0, "FAIL", not_run_count>0, "NOT RUN", fail_count=0 AND not_run_count=0, "PASS")
| eval IFWI=case(provision_type="IFWI",scenario_status)
| eval OS=case(provision_type="OS",scenario_status)
| eval BIOS=case(provision_type="BIOS",scenario_status)
| rename platform as Platform subproject as AutomationType
| table WW,Platform,kit,AutomationType,IFWI,BIOS,OS

I would appreciate any help on this; please help me out.
Hello, community, I need help reducing events containing 4688 and ParentProcessName=*splunkd.exe. Here is an excerpt from the log:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>

Can anyone help me create the appropriate regex I can use within the SEDCMD? After the reduction of the above event, the result I am after should look something like this:

<EventID>4688</EventID><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>

---------------------------

I currently use:

blacklist1 = EventCode="4688" | ParentProcessName="(.*/ParentProcessName \= C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe)"

Thank you!
Hi, I'm facing an issue while configuring SAML on Splunk Cloud using Google Workspace: "Saml response does not contain group information". I followed this step-by-step guide to configure the SAML authentication, but it somehow failed: https://lantern.splunk.com/Data_Descriptors/Google/Configuring_Google_Workspace_as_a_SAML_IdP_with_Splunk_Cloud_Platform

Thanks, Vincent
Hello, community, I am having a problem understanding why the WinEventLog sourcetype cannot be handled like the other sourcetypes I have worked with. Should this WinEventLog be declared as [WinEventLog] in props.conf when using SEDCMD, or should it have a different declaration within the square brackets? Thank you
Hi there, We are running .NET apps in containers with the cluster agent and auto-instrumentation enabled. By default the .NET Agent is loaded along with the .NET dependency configurations. But in the case of self-contained applications, this is not possible. How can we load the .NET Agent during the startup of a self-contained application in a Linux container? Best, Liubomyr
Hi all, Very new to Splunk here. I'm hoping to get some help. I'm trying to use some of the values in my CSV file as search filters. I suck at explaining, but I'll try anyway. This is what my CSV file looks like:

errorMessage,errorMessageFilter,errorCode,errorAlertValue
Test1,Value1,1,10
Test2,Value2,2,10
Test3,Value3,3,100
Test4,Value4,5,100
Test5,Value5,5,100

And my search is structured like this:

index=testing application=app1 msg=??

What I'm trying to accomplish is that the ?? part gets populated with values from the CSV file. Specifically, all the values found in errorMessageFilter (so Value1, Value2, etc.).

What do I need to do to make it so the end result would look something like this (using the CSV file)?

index=testing application=app1 msg="Value1" OR "Value2" OR "Value3" OR "Value4" OR "Value5"

Thanks!
Hi, I have a logstash config that sends logs to Splunk HEC. These data contain a field called "time". Now the question is: Is it possible to treat "time" as "_time" in the logstash config?

FYI: I want to use this time as _time, not the time that Splunk receives the event.

Any idea? Thanks
Hi, I am trying to build a query on a perimeter firewall: how can we find the IPs hitting the FW? Thanks
How do I add a close button (close symbol) to the banner message which pops up when we set a banner message in Splunk? Is that possible or not?
Hi Splunkers, I'm using a cluster master and indexers in Splunk 8.2.5. When I start my search heads, I get the error "master_uri. This setting is deprecated and might be removed entirely in a future release, use 'manager_uri' instead". I didn't find in the Splunk documentation what the maximum version supporting master_uri is and what the minimum version supporting manager_uri is.

I need this point to be sure that all my forwarders (multiple versions) can deal with manager_uri in a way that they can upload data! Does somebody have details about this?
Hi all, I would like to know one thing.

Reproduction procedure:

STEP1: Execute the following command
=======================
| makeresults
| eval _raw="Date,time,title,code
06/10/2023,10:22,AAA,100
06/10/2023,11:33,BBB,200"
| multikv forceheader=1
| outputlookup sample_data.csv
=======================

STEP2: Execute the following command
=======================
index=sandbox | eval title = "AAA" | lookup sample_data.csv title OUTPUT code
=======================

Executing STEP2 results in the following error.

[indexer01,indexer02,indexer03] Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'sample_data.csv, title, OUTPUT, code'. See search.log for more details..

STEP3: Execute the following command
=======================
index=sandbox | eval title = "AAA" | table * | lookup sample_data.csv title OUTPUT code
=======================

The lookup is executed normally. I am wondering if you can tell me what is changed by running the | table command?
Hi, the output of my search result shows:

FieldA
=========
abcdabcdabcd001234
abcdef-gef
exyza-123
xxxxyyyy-abcd

How do I check or search for values of FieldA that have only 18 characters?

Thanks in advance
Hi everyone: Does the Splunk Add-on for Microsoft Cloud Services or the Splunk Add-on for Azure support collecting from Azure China?

1. Splunk Add-on for Azure

I created a new account and created a new input, but the log reports an error:

cat ta_ms_aad_azure_virtual_network.log
2023-06-14 10:32:07,118 INFO pid=4938 tid=MainThread file=setup_util.py:log_info:142 | Log level is not set, use default INFO
2023-06-14 10:32:07,118 INFO pid=4938 tid=MainThread file=setup_util.py:log_info:142 | Proxy is not enabled!
2023-06-14 10:32:08,558 ERROR pid=4938 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/azure_virtual_network.py", line 212, in collect_events
    raise RuntimeError("Unable to obtain access token. Please check the Client ID, Client Secret, and Tenant ID")
RuntimeError: Unable to obtain access token. Please check the Client ID, Client Secret, and Tenant ID

2. Splunk Add-on for Microsoft Cloud Services

When I created the Azure app account, it reported: Account authentication failed. Please check your credentials and try again

Does anyone know whether the two add-ons support Azure China or not?

Thanks
Hi, I would like to ask whether MongoDB is supported by the Splunk DB Connect add-on. I looked into the Splunk documentation, but MongoDB is not listed as a supported database there. However, I looked into some answers by the Splunk community, and there are developers who say it is supported. May I know the answers to the following questions: 1. Is the Splunk documentation not updated? 2. Is MongoDB deprecated in the Splunk DB Connect add-on? Thank you.
I'm back to creating services in ITSI and finding that using something other than an alias in an Entity Filter Field does not work. For example: I create a new Service to look at IIS logs. As the server hosts multiple sites, my service contains two entity rules (the entity has been set up with the server name as alias and a 'site' info tag listing all its sites, separated by commas). So I can filter the service like so:

Then I went on to create a KPI which tries to count the number of 400 errors in the IIS logs, via an Ad Hoc Search:

eventtype=microsoft_iis_web host=server1 | eval 4xx_error=if(status>=400 AND status<500, status, null())

I then attempt to 'split by entity' on 'uri_path' (which is a field the above search query will return) and Filter by Entities in Service by setting the Entity Filter Field to 'site':

This never finds anything! However, if I filter by host it does work. If I open the Generated Search and run just the 'generate_entity_filter' search, this always returns `no_entities_matched` unless the Entity Filter Field is configured to host (which is the entity's alias). Am I coming up against a bug here (I am using an ancient version of ITSI)? Or is this by design? Or am I doing something wrong? Thanks!
Hi Splunker, When creating or editing a new Correlation Search, the items of "Adaptive Response Actions" do not appear and the following error occurs. The peculiarity only occurs when connecting from a MacBook, and it works normally when connecting from Windows. The current environment is Splunk 9.0.5 + ES 7.1.1, but this has occurred since ES 7.x, a year ago. Thanks
Please help me; below is my query:

index="myIndex" app_name="myappName" My.Message = "*failed to retrieve the workOrder*"

This returns, say, 6 Splunk events, with the following messages:

Order 12345 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12666 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12345 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12666 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12771 failed to retrieve the workOrder. Error DataBase mapping incorrect.
Order 12888 failed to retrieve the workOrder. Error DataBase mapping incorrect.

For the above-mentioned Splunk query:
1) How can I get the total count using stats to show visually?
2) How do I get the Order (e.g. 12345) and the total count of a particular order?
3) How do I get a table like the one below?

"Order#" "# of times failed"

Thanks
I have a dashboard which loads the results of a saved search to speed up the load times. The saved search is scheduled to run frequently, and keeps results from the past 7 or 8 searches in its history. Oftentimes, the dashboard gets 0 results back from the loadjob command, and when I check the latest jobs, the most recent job status will be failed. To fix it, I just manually delete the failed job and let it roll back to the previous Done job. Documentation for loadjob has an ignore_running option, but I am not seeing a way to ignore failed jobs, which would be nice.

** As an aside, I have noticed that I can make the saved search fail if I repeatedly call loadjob from a search (hit search 7 or 8 times without letting it finish) while the job is running. I suspect that something like this is happening due to dashboard loads while this job is running, which causes the failed job.
Below is the Splunk query (My.Message has many various types of messages, but the one below is what I wanted):

index="myIndex" app_name="myappName" My.Message = "*symbolName:*"

When I run the above query, I get the results below:

myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009
myappstatus got Ended, symbolName: GOOGL ElapsedTime: 0.0005339
myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0005339

Please help with the following:
1) How do I get the total count of the query (visualization) only for My.Message = "*symbolName:*"?
2) How do I split the string "myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009"?
3) How do I create a table for "symbolName", "Total Count", "ElapsedTime" (for example, symbolName: AAPL, Total Count = 2 and ElapsedTime = 0.0007348 (0.0002009 + 0.0005339))?

Thanks