Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.


Hi, I have a dashboard where the data is coming from a lookup called "ABC" which has 2 fields called "src_ip" and "dest_ip", respectively. On the same dashboard, I now need to add a text box such that a user inputs 1 or more IP addresses, searches against BOTH the "src_ip" and "dest_ip" fields on the lookup, and this filters the final results on the dashboard.

The issue I am having is all the IP addresses are string values and I am having trouble refining the search, as this is the error I am currently getting:

    Error in 'where' command: The expression is malformed. An unexpected character is reached at '*) OR like(dest_ip,*)'.

So, a search like this works for me:

    | inputlookup ABC | where like (dest_ip,"10.175.96.146 10.175.96.147 10.175.96.148 10.175.96.149 10.175.96.150 10.175.96.183")

I am unable to search against both "src_ip" and "dest_ip" when using a token, though, for an input like this:

    <query>| inputlookup ABC | where like(src_ip,$srcip_tok$) OR like(dest_ip,$srcip_tok$) </query>

Can you please help? Thanks as always.
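An added example, not the poster's code or data, that models the filtering the question asks for: the text-box value is split into individual IP addresses, each one is validated as an IP literal before it is used anywhere, and the lookup rows are kept when either src_ip or dest_ip is in that set. The last function renders the validated set as an SPL predicate using the eval in() function (assumed here as the target form; the lookup rows, the field names and the sample IPs are constructed). Validating before interpolating is the point a security reviewer would insist on: a dashboard token that flows unchecked into a where clause is user-controlled search text.

```python
import ipaddress
import re

# Constructed rows standing in for the "ABC" lookup (not the poster's data).
LOOKUP_ABC = [
    {"src_ip": "10.175.96.146", "dest_ip": "192.0.2.10"},
    {"src_ip": "192.0.2.11",    "dest_ip": "10.175.96.183"},
    {"src_ip": "192.0.2.12",    "dest_ip": "192.0.2.13"},
    {"src_ip": "10.175.96.150", "dest_ip": "10.175.96.146"},
]


def parse_ip_input(text):
    """Split a free-text box value into a set of validated IP addresses.

    Separators may be whitespace or commas.  Anything that is not a valid
    IPv4/IPv6 literal raises ValueError instead of being passed through, so
    a value that later reaches an SPL `where` clause can never carry
    operators, parentheses or quotes.
    """
    ips = set()
    for part in re.split(r"[\s,]+", text.strip()):
        if part:
            ips.add(str(ipaddress.ip_address(part)))  # ValueError on junk
    return ips


def filter_rows(rows, ips):
    """Keep rows whose src_ip OR dest_ip is one of the requested addresses."""
    return [r for r in rows if r["src_ip"] in ips or r["dest_ip"] in ips]


def spl_predicate(ips):
    """Render the validated set as a `where` predicate using eval's in().

    Produces: (in(src_ip, "a", "b") OR in(dest_ip, "a", "b"))
    The values are double-quoted; validation above guarantees they contain
    no quote characters, so no further escaping is needed.
    """
    quoted = ", ".join('"%s"' % ip for ip in sorted(ips))
    return "(in(src_ip, %s) OR in(dest_ip, %s))" % (quoted, quoted)


if __name__ == "__main__":
    wanted = parse_ip_input("10.175.96.146 10.175.96.147, 10.175.96.183")
    for row in filter_rows(LOOKUP_ABC, wanted):
        print(row)
    print("| inputlookup ABC | where " + spl_predicate(wanted))
```

Rows match on either field, so a host that appears only as a destination is still returned; an input such as `10.175.96.146 OR 1=1` is rejected by ipaddress before any query text is built.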
I have two dropdown lists. I am populating static values in dropdownlist1. Based on the first dropdown list I load the other dropdown list. Based on the dropdownlist2 value I am triggering URLs. I am facing the following issue: I want to trigger the URL from the second dropdown list using a submit button, not based on on change, as below:

    <change>
      <condition value="A">
        <link target="_blank">https://google.com</link>
      </condition>
    </change>

Although I change the value from the dropdown list, I have to trigger based on the submit button. How to achieve this?
I have dropdown values like below.

    Actual value: index=abc source=abc source

Dropdown values like:

    prod
    label
    value: source=abc source

In the query I am getting an error like:

    index=abc source=abc source

I require logic for the space between index and source.
Hi, I would like to identify the different ways to send Splunk alert results to Centreon. I know it is possible to send Centreon events to Splunk with the Centreon stream connector and the Splunk HTTP Event Collector, but my need is to send Splunk alerts to Centreon. Unless I am mistaken, the solution to interface Splunk alerts with an external system would be to run a custom alert action with a script (shell or Python) using the results of a saved search? Is that correct? Are there any other solutions to do that? Thanks for your help.
I have a search like this to fetch the maximum value. Now the case I wanted to add is: if the maximum value field is 4-step4, then I want my table to display the second maximum value as the max step.

Desired result:

    Id         Step that is taking maximum time   maxtime
    12345678   3-step3                            33

    | makeresults
    | eval _raw="{ \"Detail\": { \"Id\": 12345678, \"RequestCompleteTS\": \"2023-04-27T15:59:30.6960113-04:00\", \"Steps\": { \"0-step1\": 32, \"0-step2\": 15, \"3-step3\": 33, \"4-step4\": 49, \"5-step5\": 15, \"6-step6\": 9, \"7-step7\": 8 }, \"StepsCnt\": 18, \"TargetRegion\": \"BRD\" }, \"LogType\": \"Info\", \"Message\": \"Success\", \"Time\": \"2023-04-27 15:59:30.696--04:00\" }"
    ``` ^^^ create dummy event (closing brace added so the JSON is balanced) ^^^ ```
    | spath
    | rename Detail.Id AS Id Detail.Steps.* AS *
    | foreach *step* [ eval Steps=if(isnull(Steps), '<<FIELD>>', mvappend(Steps, '<<FIELD>>')) ]
    | eval steps_list_ordered=mvmap( mvsort(mvmap(mvdedup(Steps), len(Steps) . "-" . Steps)), substr(Steps, 3) ), maxtime=mvindex(steps_list_ordered, mvcount(steps_list_ordered)-1)
    | foreach *-step* [ eval "maxstep"=if('<<FIELD>>'=maxtime, "<<FIELD>>", if(isnotnull('maxstep'), 'maxstep', null())) ]
    | rename maxstep AS "Step that is taking maximum time"
    | table Id "Step that is taking maximum time" maxtime
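An added example, not the poster's search, showing the selection rule the question describes on an event of the same shape: rank the steps by duration, skip any step name on an exclusion list (4-step4 in the post), and report the first remaining one. The event below is constructed from the values in the post; the exclusion list is a parameter so the same rule covers the "second maximum" case and the plain maximum.

```python
import json

# Constructed event with the same layout and step timings as the post.
SAMPLE_EVENT = json.dumps({
    "Detail": {
        "Id": 12345678,
        "Steps": {"0-step1": 32, "0-step2": 15, "3-step3": 33, "4-step4": 49,
                  "5-step5": 15, "6-step6": 9, "7-step7": 8},
    },
    "LogType": "Info",
})


def slowest_step(raw, exclude=("4-step4",)):
    """Return (Id, step_name, seconds) for the slowest step not in `exclude`.

    Steps are ordered by duration descending, then by name, so two steps
    with equal times resolve the same way on every run.  If every step is
    excluded the step and time come back as None rather than a wrong row.
    """
    event = json.loads(raw)
    detail = event["Detail"]
    ranked = sorted(detail["Steps"].items(), key=lambda kv: (-kv[1], kv[0]))
    for name, seconds in ranked:
        if name not in exclude:
            return detail["Id"], name, seconds
    return detail["Id"], None, None


if __name__ == "__main__":
    print(slowest_step(SAMPLE_EVENT))               # skips 4-step4
    print(slowest_step(SAMPLE_EVENT, exclude=()))   # plain maximum
```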
TL;DR and I'm sorry. And desperate.

So I am basically trying to get the system and application tables from ServiceNow into Splunk and was advised to use the Splunk Add-on for ServiceNow. Note that this is not the Security Operations ServiceNow integration app. I have followed this documentation word for word but cannot establish a connection to either of the 2 ServiceNow tenants I am testing with. The add-on implies it is a network or internet issue. Using the application logs at index=_internal sourcetype="ta_snow", the error message indicates it is either a proxy issue or a certificate issue. I see absolutely no requests in my proxy logs and no traffic to ServiceNow from the Splunk server I have installed the add-on on (although other internet-destined traffic is).

I have attempted:
1) using the CLI to create the account connection and specifying to disable certificate validation
2) adding the Root CA of the ServiceNow tenant to the add-on as advised at the bottom of the documentation I linked above.

Still, I get the same errors. It is almost as if the add-on is not recognizing any changes I make through the CLI. Curious if anyone has successfully deployed this add-on and if they had to do anything special certificate-wise, or if anyone has had issues creating accounts through the CLI. I have left some of the error below. Thanks in advance!

    3-05-24 22:34:36,657 ERROR pid=73561 tid=MainThread file=splunk_ta_snow_account_validation.py:validate:154 | Unable to reach ServiceNow instance at https://derp.service-now.com.
    The reason for failure is=Traceback (most recent call last):
      File "/opt/splunk/etc/apps/Splunk_TA_snow/lib/urllib3/util/ssl_.py", line 402, in ssl_wrap_socket
        context.load_verify_locations(ca_certs, ca_cert_dir, ca_cert_data)
    PermissionError: [Errno 13] Permission denied

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/opt/splunk/etc/apps/Splunk_TA_snow/lib/urllib3/connectionpool.py", line 700, in urlopen
        self._prepare_proxy(conn)
      File "/opt/splunk/etc/apps/Splunk_TA_snow/lib/urllib3/connectionpool.py", line 994, in _prepare_proxy
        conn.connect()
      File "/opt/splunk/etc/apps/Splunk_TA_snow/lib/urllib3/connection.py", line 424, in connect
        tls_in_tls=tls_in_tls,
      File "/opt/splunk/etc/apps/Splunk_TA_snow/lib/urllib3/util/ssl_.py", line 404, in ssl_wrap_socket
        raise SSLError(e)
    urllib3.exceptions.SSLError: [Errno 13] Permission denied

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/opt/splunk/etc/apps/Splunk_TA_snow/lib/requests/adapters.py", line 499, in send
        timeout=timeout,
      File "/opt/splunk/etc/apps/Splunk_TA_snow/lib/urllib3/connectionpool.py", line 786, in urlopen
        method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
      File "/opt/splunk/etc/apps/Splunk_TA_snow/lib/urllib3/util/retry.py", line 592, in increment
        raise MaxRetryError(_pool, url, error or ResponseError(cause))
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='derp.service-now.com', port=443): Max retries exceeded with url: /incident.do?JSONv2&sysparm_query=sys_updated_on%3E=2000-01-01+00:00:00&sysparm_record_count=1 (Caused by SSLError(PermissionError(13, 'Permission denied')))

    During handling of the above exception, another exception occurred:
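The innermost frame of the traceback above is context.load_verify_locations() raising PermissionError (errno 13): the Python process could not read the CA file it was handed, which is a different failure from an untrusted or malformed certificate and from a proxy that refuses the connection. The following is an added diagnostic, not part of the add-on, that classifies a CA bundle path into those cases using only the standard library. Run it as the account that splunkd runs under, against the path the add-on was configured with; the path and the sample junk file are assumptions made for the demonstration.

```python
import os
import ssl
import sys
import tempfile


def check_ca_bundle(path):
    """Classify why load_verify_locations() could fail on `path`.

    Returns "ok", "missing", "unreadable" or "not-a-certificate".
    "unreadable" is the case behind the PermissionError in the post: the
    file exists but the current user lacks read permission on it (or on a
    parent directory).
    """
    if not os.path.exists(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cafile=path)
    except PermissionError:          # access() can lie (ACLs, SELinux)
        return "unreadable"
    except ssl.SSLError:             # readable, but no PEM certificate inside
        return "not-a-certificate"
    return "ok"


def self_check():
    """Exercise the classifier offline with a constructed junk file and a
    path that does not exist; returns the two classifications."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write("this is not a certificate\n")
        junk = f.name
    try:
        return {
            "junk": check_ca_bundle(junk),
            "missing": check_ca_bundle(junk + ".does-not-exist"),
        }
    finally:
        os.unlink(junk)


if __name__ == "__main__":
    # Usage: python check_ca.py /path/to/ca_bundle.pem   (path is an assumption)
    print(check_ca_bundle(sys.argv[1]) if len(sys.argv) > 1 else self_check())
```

If the result is "unreadable" when run as the splunk user but "ok" as root, the CA file was added with permissions that only the installing user can read, which matches the CLI changes appearing to have no effect.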
Hi Community,

I am trying to come up with the proper props and transforms config to ingest the data from a source that writes data in JSON. However, the JSON is heavily nested and contains some field/value pairs that I would also like to extract within the nested JSON data. Sample data included below. Thanks in advance.

The field/value pairs that I am trying to extract are in the "Key3" value, within the brackets.

    {
      "time": "2023-05-20T12:35:20.255445557-07:00",
      "Key": "Value",
      "Key2": "Value2",
      "Key3": "[key3_field1=Value1] [key3_field2=Value2] [key3_field3=Value3] [key3_field4=Value4] [key3_field5=Value5]",
      "Key4": ["key4_value1", "key4_value2", "key4_value3", "key4_value4"],
      "key5" : {
        "key5_key1": "key5_value1",
        "key5_key2": ["key5_key2_value1", "key5_key2_value2", "key5_key2_value3"],
        "key5_key3": {
          "key5_key3_key1": "value531",
          "key5_key3_key2": 532 ,
        }
      }
    }
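An added parser, not the poster's configuration, for the two layers in that sample: the nested JSON is flattened into dotted field names the way spath names them (objects become a.b, arrays become a{}), and the bracketed key=value pairs inside Key3 are then pulled out with one regex. The same regex is what a search-time transform would carry; in transforms.conf the usual form is REGEX with FORMAT = $1::$2 and REPEAT_MATCH = true so that every bracket yields its own field. The sample below is constructed in the same shape as the posted one, with one difference: the posted sample has a trailing comma after "key5_key3_key2": 532, which strict JSON parsers (Python's json module included) reject, so it is omitted here.

```python
import json
import re

# Constructed sample in the shape of the post (trailing comma removed).
SAMPLE = r'''{
  "time": "2023-05-20T12:35:20.255445557-07:00",
  "Key": "Value",
  "Key2": "Value2",
  "Key3": "[key3_field1=Value1] [key3_field2=Value2] [key3_field3=Value 3]",
  "Key4": ["key4_value1", "key4_value2"],
  "key5": {
    "key5_key1": "key5_value1",
    "key5_key2": ["key5_key2_value1", "key5_key2_value2"],
    "key5_key3": {"key5_key3_key1": "value531", "key5_key3_key2": 532}
  }
}'''

# One "[name=value]" group; names may not contain '=' or brackets, values
# may contain spaces but not brackets.
BRACKET_KV = re.compile(r"\[([^\[\]=]+)=([^\[\]]*)\]")


def flatten(obj, prefix=""):
    """Flatten nested JSON into spath-style names: dict -> a.b, list -> a{}.

    Lists of scalars become one multivalue field; nested objects inside a
    list are flattened under the same a{} prefix.
    """
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, prefix + "." + key if prefix else key))
    elif isinstance(obj, list):
        name = prefix + "{}"
        if all(not isinstance(v, (dict, list)) for v in obj):
            out[name] = [str(v) for v in obj]
        else:
            for v in obj:
                out.update(flatten(v, name))
    else:
        out[prefix] = obj
    return out


def extract_event(raw, bracket_field="Key3"):
    """Parse one raw event: flatten the JSON, then add one field per
    [name=value] group found in `bracket_field`."""
    fields = flatten(json.loads(raw))
    for name, value in BRACKET_KV.findall(str(fields.get(bracket_field, ""))):
        fields[name.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    for k, v in extract_event(SAMPLE).items():
        print("%-28s %r" % (k, v))
```

The bracketed keys are added alongside, not instead of, the original Key3 value, so the raw string stays available for searching.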
I'm trying to test the installation of a UF on my Windows device for later deployment for work, but the script just doesn't seem to take into account the flags I specify.

    msiexec.exe /i "splunkforwarder.msi" AGREETOLICENSE=yes SPLUNKUSERNAME=Admin SPLUNKPASSWORD=Password /qn

If I take out the /qn it will just open the normal UF install wizard. I'm not sure what's going on. I feel as though everything is correct.
Thanks in advance for your time and assistance. I have a Splunk Enterprise Security correlation search intended to trigger when there are at least 20 events having the same values of FieldA and FieldB within 60 seconds. Consistent with multiple resources within Splunk docs, I am using the below search. The correlation search runs once every 30 minutes.

    (Main search)
    | bin _time span=60s
    | stats count by FieldA FieldB
    | where count > 19

This should be straightforward, but the search has fired when there are 20 or more log entries with the same FieldA and FieldB values during the entire 30 minutes since the last correlation search, but definitely not 20 instances within the defined bin window of 60s. Is there some caveat of using the bin command that I am unaware of? Is there a more reliable method to achieve the same objective? Thanks
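The behaviour described above follows from the search as written: bin rewrites _time to the start of its 60-second bucket, but the stats by-clause lists only FieldA and FieldB, so all buckets in the 30-minute window collapse into one count per pair and the bin has no effect on the result. Adding _time to the by-clause (stats count by _time FieldA FieldB) restores per-minute counts. An added model, not the poster's search, that runs both aggregations over constructed events and also a sliding-window check, since fixed minute buckets have a blind spot of their own: 20 events that straddle a bucket boundary land 10 in one bucket and 10 in the next and never reach the threshold. The event timestamps, field values and threshold are assumptions made for the demonstration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed events (timestamp, FieldA, FieldB), not the poster's data:
#  - (A1, B1): 20 hits, one per minute over 20 minutes   -> not a burst
#  - (A2, B2): 20 hits inside a single minute            -> a burst
#  - (A3, B3): 20 hits within 19 s straddling a minute   -> a burst that
#    fixed 60 s bins split 10/10 and therefore miss
BASE = datetime(2023, 5, 24, 12, 0, 0)
EVENTS = [(BASE + timedelta(minutes=i), "A1", "B1") for i in range(20)]
EVENTS += [(BASE + timedelta(minutes=5, seconds=2 * i), "A2", "B2") for i in range(20)]
EVENTS += [(BASE + timedelta(minutes=10, seconds=50 + i), "A3", "B3") for i in range(20)]


def bin_time(ts, span_seconds=60):
    """Floor a timestamp to its span boundary, as `bin _time span=60s` does."""
    epoch = int(ts.timestamp())
    return epoch - epoch % span_seconds


def count_without_time(events, threshold=20):
    """Models the posted search:
         | bin _time span=60s | stats count by FieldA FieldB | where count > 19
    _time is binned but not grouped on, so the count is per pair over the
    whole search window."""
    c = Counter((a, b) for _, a, b in events)
    return sorted(k for k, n in c.items() if n >= threshold)


def count_with_time(events, threshold=20, span_seconds=60):
    """Models the same search with _time in the by-clause:
         | bin _time span=60s | stats count by _time FieldA FieldB | where count > 19
    Counts are per (minute bucket, FieldA, FieldB); returns the pairs that hit."""
    c = Counter((bin_time(t, span_seconds), a, b) for t, a, b in events)
    return sorted({(a, b) for (_, a, b), n in c.items() if n >= threshold})


def sliding_window_hits(events, threshold=20, window_seconds=60):
    """Stricter check: `threshold` events of one pair inside ANY 60 s window,
    independent of bucket boundaries (the SPL analogue is
    `streamstats time_window=60s count by FieldA FieldB`)."""
    by_key = {}
    for t, a, b in sorted(events):
        by_key.setdefault((a, b), []).append(t)
    window = timedelta(seconds=window_seconds)
    hits = set()
    for key, times in by_key.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("posted search fires on :", count_without_time(EVENTS))
    print("by _time fires on      :", count_with_time(EVENTS))
    print("sliding window fires on:", sliding_window_hits(EVENTS))
```

On this input the posted form fires on all three pairs, the by-_time form only on (A2, B2), and the sliding window on (A2, B2) and (A3, B3). Which of the last two is "right" depends on whether the rule means "20 in a calendar minute" or "20 within any 60 seconds"; for a burst detection the second reading is usually the intended one.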
Hi All, recently a question came up about notifying a client on high urgency notable events. I want to send out an auto email any time there's a high urgency notable event. It's easy to write a search that checks for high urgency notable events and sends an email. However, I also want to be able to change the status of these notables within the same search as I send the email (Client Notified, or something similar). Is there a simple way to do this? I'd even settle for a complicated way. Thanks for reading!
Currently trying to test an HTTP Event Collector token by directly sending events to the cloud before we use the HEC for an OpenTelemetry Collector, but we are getting stuck at a 403 Forbidden error. I can see the successful request going through our firewall. Is there something wrong with this curl command? Not sure if it affects anything, but we are still on Splunk Cloud Classic, not Victoria. Screenshots attached, appreciate any help we can get!
Hi All, I have a room mailbox in Office 365 and I want to get the information on how many meetings were booked in one month. I am using the below two queries but I am not getting the output. Can anyone help me correct the syntax?

Query 1:

    index=mail sourcetype="ms:o365:reporting:messagetrace"
    | rename RecipientAddress as email
    | lookup meeting_rooms email
    | search NOT subject=Canceled:*
    | bucket _time span=1h
    | stats dc(email) as invited values(name) as room_name values(email) as invitees by SenderAddress subject _time
    | rename subject as meeting_subject
    | search room_name="room1@mydomain.com"
    | lookup meeting_rooms name as room_name outputnew email as room_email
    | stats sum(invited) as room_total by room_name room_email

Query 2:

    index=mail sourcetype="ms:o365:reporting:messagetrace"
    | rename RecipientAddress as email
    | lookup meeting_rooms email
    | search NOT subject=Canceled:*
    | bucket _time span=1h
    | stats dc(email) as invited values(name) as room_name values(email) as invitees by SenderAddress subject _time
    | rename subject as meeting_subject
    | search room_name="Room1"
    | stats sum(invited) as room_total by room_name
I'm experimenting with converting a classic dashboard to Dashboard Studio. The classic dashboard has a time picker used to establish a date range for searches in the panels. When I cloned the dashboard to Dashboard Studio, the time picker is no longer used. All the searches are searching from the earliest date stored in Splunk, which is several years' worth of data. Can someone explain what is happening and how to fix it? This should be a relatively simple thing to do.
We are using Splunk Enterprise with the Splunk Add-on for AWS, which gathers data from our AWS account. However, the app is constantly calling IMDSv1 to gather metadata, which we want to turn off in order to enable IMDSv2. Please let me know where in the settings I can turn this behavior off. Thanks.
I am relatively new to Splunk and I am trying to extract fields in Splunk. I have a pattern I am attempting to extract and put into a field. The pattern looks like this:

    AdyenPaymentResponse::ProcessResponse::Response -> Result : Failure
    AdyenPaymentResponse::ProcessResponse::Response -> Result : Success

I am using this expression to match the pattern:

    | rex field=_raw "AdyenPaymentResponse:.*\sResult\s:(?<Status>)"

I have to keep "AdyenPaymentResponse" as the base search, and I would like to extract this into a field called "Status" which shows only Failure or Success.
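In the posted rex the named group (?<Status>) has no body, so it matches the empty string and Status is always empty; the characters after the colon are never consumed. An added example, not the poster's search, that runs the posted pattern and a corrected one over constructed log lines so the difference is visible. Python spells named groups (?P<name>...) where SPL's PCRE uses (?<name>...); the corrected regex in rex form is "AdyenPaymentResponse:.*?\sResult\s:\s*(?<Status>\w+)". The timestamps and the unrelated fourth line are assumptions.

```python
import re
from collections import Counter

# Constructed log lines (not the poster's events) in the format shown above.
LINES = [
    "2023-05-24 10:00:01 AdyenPaymentResponse::ProcessResponse::Response -> Result : Failure",
    "2023-05-24 10:00:02 AdyenPaymentResponse::ProcessResponse::Response -> Result : Success",
    "2023-05-24 10:00:03 AdyenPaymentResponse::ProcessResponse::Response -> Result : Failure",
    "2023-05-24 10:00:04 OtherService::Foo -> Result : Success",
]

# As posted: the group has no body, so Status is captured as "".
POSTED = re.compile(r"AdyenPaymentResponse:.*\sResult\s:(?P<Status>)")

# Corrected: skip the whitespace after the colon and capture the word.
# The lazy .*? stops at the first "Result :" should a line contain it twice.
FIXED = re.compile(r"AdyenPaymentResponse:.*?\sResult\s:\s*(?P<Status>\w+)")


def extract_status(line, pattern=FIXED):
    """Return the captured Status, or None when the line does not match."""
    m = pattern.search(line)
    return m.group("Status") if m else None


def status_counts(lines, pattern=FIXED):
    """Count non-empty Status values, i.e. what `| stats count by Status`
    would show after the rex."""
    return Counter(s for s in (extract_status(l, pattern) for l in lines) if s)


if __name__ == "__main__":
    print("posted pattern:", status_counts(LINES, POSTED))
    print("fixed pattern :", status_counts(LINES))
```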
Hi, how do I remove the highlighted value shown above? I don't want to show them in my pie chart.
Hello, I'm getting this error when I go into the Enterprise console and look at the security posture. It's been going on for a few days. Any idea how to troubleshoot this? Thanks in advance. I would appreciate the help as I am relatively new to Splunk and need some guidance.
Hello Splunkers, I need to find a list of indexes that are from a particular indexer cluster or group. Like when you go to the DMC and look at Indexes and Volumes (Indexes and Volumes: Instance), there is an option to filter them via Groups. I want a similar search that can be powered from the _internal log or some other REST endpoint from a search head. Thanks in advance! Sam
Hi there, I have checked multiple other discussions on this forum with people after a similar solution; however, they seemed quite specific, whereas I'm looking for a general method to accomplish this. Essentially I just want a simple way to show a message of some kind on every dashboard panel that currently doesn't have results to show, instead of the typical "No search results returned". Any help would be appreciated, Jamie
I have two indexes and need to pull the id from the second into the first. For example, I have a log from each index in a table as follows. Index2 has every mail and id for a user, meanwhile Index1 has the event data I will be using.

    Index    user             mail             id
    index1   name@gmail.com                    zxshbfbfve093ns
    index2                    name@gmail.com   abc123

I need to pull the id field (abc123) and associate it to the event in index1 where name@gmail.com is matching in index2.