All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I am trying to write a search that displays a table showing whether a log in CloudWatch exists or not every 15 minutes over a 5-hour period. The caveat being that I would like it to show a 0 for time intervals that don't have the log, even if they're in the future. I'm also having trouble formatting the result table so that the time intervals are the columns/x-axis and the count is the row/y-axis. Any help would be greatly appreciated, thanks!
Is it expected behavior that when a user has write capability to another user's knowledge object and the app, that write capability does not include the "Edit Permissions" capability for that object? Users have the ability to edit objects that they are not the owner of, but don't have the ability to edit the permissions of the objects they are not the owner of. They can only edit permissions of objects that they own. We can see the users are in the role that has write permissions to the object as well as write permissions to the app, and the objects in the app aren't private, but for saved searches the "Edit Permissions" option does not appear in the Edit dropdown menu. The Edit Permissions option only seems to appear for the owner of the object. For lookups owned by another user, Permissions can be seen by others with write capability to the object but are greyed out and unable to be modified. We've verified that the user can edit the object by modifying a saved search or lookup, clicking Save, and subsequently seeing the change afterwards. Write permissions seem to exist for objects owned by another user, but not the ability to modify the permissions of those objects. This occurs on multiple search heads.
How can I troubleshoot the deployment server or the universal or heavy forwarder? I set up the deployment server, then in the forwarders I run ./splunk set deploy-poll ip:port, but Forwarder Management shows clients = 0! Why? How can I troubleshoot and solve it?

In the forwarder:

    cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf
    [target-broker:deploymentServer]
    targetUri = X.X.X.58:8089

In the deployment server:

    /opt/splunk/bin/splunk list deploy-clients
    WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
    No deployment clients have contacted this server.

Note: the forwarder and deployment server are in Google Cloud VMs.
Note: I tried it on a local server, and it's running right.

Can anyone help me?
Hi Team, currently we are using Splunk Cloud version 9.0.2209.4. I have 3 panels A, B and C. I am trying to do something like this: when I click on panel A, I see the other statistics/charts related to A. I wanted to know how we can hide and unhide panels here in Dashboard Studio by interlinking them. Thanks in advance.
I have mail.log. This is displayed in the "Event" column:

    May 24 14:02:05 srv7 amavis[10129]: (10129-08) Passed CLEAN {RelayedInbound}, [IP]:59703 [IP] <email@email.com> -> <first.last@domain.com>, Queue-ID: CC8511E237D, Message-ID: <ID@domain.com>
    May 24 13:37:34 srv7 amavis[10129]: (10129-03) Passed CLEAN {RelayedOutbound}, LOCAL [IP]:40060 <first.last@domain.com> -> <email@email.com>, Queue-ID: E61E71E237D, Message-ID: <ID@domain.com>
    May 24 13:45:32 srv7 amavis[10129]: (10129-04) Passed CLEAN {RelayedInbound}, [IP]:14208 [IP] <email@email.com> -> <first.last@domain.com>, Queue-ID: E5C8B1E237D, Message-ID: <ID@domain.com>

I wish to extract the 2 email addresses, display them in a table and count how many emails each email address has.
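The extraction and count the post asks for, written as a stand-alone Python script rather than SPL (this is an added example, not code from the post). It parses the "<sender> -> <recipient>" pair that amavis writes, counts each address as sender and as recipient, and also handles the multi-recipient form "<a> -> <b>,<c>" that amavis emits for one message with several recipients. The first three log lines are the ones from the post; the fourth is a constructed multi-recipient line added to exercise that case.

```python
import re
from collections import Counter

# Three amavis lines from the post plus one CONSTRUCTED multi-recipient line (last one).
SAMPLE_LOG = """May 24 14:02:05 srv7 amavis[10129]: (10129-08) Passed CLEAN {RelayedInbound}, [IP]:59703 [IP] <email@email.com> -> <first.last@domain.com>, Queue-ID: CC8511E237D, Message-ID: <ID@domain.com>
May 24 13:37:34 srv7 amavis[10129]: (10129-03) Passed CLEAN {RelayedOutbound}, LOCAL [IP]:40060 <first.last@domain.com> -> <email@email.com>, Queue-ID: E61E71E237D, Message-ID: <ID@domain.com>
May 24 13:45:32 srv7 amavis[10129]: (10129-04) Passed CLEAN {RelayedInbound}, [IP]:14208 [IP] <email@email.com> -> <first.last@domain.com>, Queue-ID: E5C8B1E237D, Message-ID: <ID@domain.com>
May 24 14:10:11 srv7 amavis[10129]: (10129-09) Passed CLEAN {RelayedOutbound}, LOCAL [IP]:40101 <first.last@domain.com> -> <email@email.com>,<other@example.org>, Queue-ID: 0000000000A, Message-ID: <ID@domain.com>"""

# Sender is the single <addr> before " -> "; recipients are one or more <addr> separated by commas.
# Anchoring on " -> " keeps the Message-ID (<ID@domain.com>) from being picked up as an address.
PAIR_RE = re.compile(
    r"<(?P<sender>[^<>\s]+@[^<>\s]+)> -> (?P<recipients>(?:<[^<>\s]+@[^<>\s]+>,?)+)"
)
ADDR_RE = re.compile(r"<([^<>\s]+)>")


def parse_log(log_text):
    """Return a list of (sender, [recipients]) tuples, one per amavis line that carries a pair."""
    messages = []
    for line in log_text.splitlines():
        m = PAIR_RE.search(line)
        if not m:
            continue  # lines without a sender/recipient pair are ignored
        recipients = ADDR_RE.findall(m.group("recipients"))
        messages.append((m.group("sender"), recipients))
    return messages


def count_by_address(messages):
    """Build the table the post wants: one row per address with sent/received/total counts.

    A message counts once for its sender and once for each recipient.
    """
    sent, received = Counter(), Counter()
    for sender, recipients in messages:
        sent[sender] += 1
        for rcpt in recipients:
            received[rcpt] += 1
    rows = []
    for addr in sorted(set(sent) | set(received)):
        rows.append({
            "address": addr,
            "sent": sent[addr],
            "received": received[addr],
            "total": sent[addr] + received[addr],
        })
    return rows


if __name__ == "__main__":
    for row in count_by_address(parse_log(SAMPLE_LOG)):
        print(f"{row['address']:28} sent={row['sent']} received={row['received']} total={row['total']}")
```

The equivalent SPL would be a rex with the same two named groups followed by a stats count by address; the script is useful for checking the expected numbers before trusting the dashboard.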
I am having difficulties getting Splunk to ingest gzipped log files from an S3 bucket. The files themselves do not have extensions and Splunk is reading them as binaries. I tried unarchive_cmd set to auto, gunzip -c and gzip -d in props.conf with no luck:

    [source::/xxx/*]
    unarchive_cmd = gunzip -c
    NO_BINARY_CHECK = true

gunzip -c works in the shell; gzip -d doesn't without the .gz suffix. I'm using the AWS add-on, and due to the nature of the environment the files can't be renamed. Has anyone experienced this before?
Hi All, I have one question. Normally we see BT correlation between browser activity and its respective JVM. But in my case, if I have a passthrough layer of webserver, i.e. browser --> webserver --> JVM, do we see the BT correlation here? Please advise!!
Hello, I have created a dashboard that shows the previous 4 days and the equivalent days the week before for asset counts, for example IPS devices reporting in. Some days I will have 15 devices reporting in, but the previous week may have 18, so I'm looking for a way to show what the missing devices are. Is there a way to just pull out the devices that are missing? Cheers
Hi All, this is the existing visualization which has Lastlogon (people who haven't logged in for quite some time). Those records which have a null lastlogon value are counted. I have a requirement here to show the value for the last 6 months and 12 months. Can anyone help me by providing the command for the last 6 months and 12 months?
Hi, I have an SPL query which checks the status of a process. I want to show the status in a world map based on region, i.e., APAC, EMEA & NA. I don't have the geo location data; how can I achieve this? Please suggest.
I have a query for my dropdown with tokens inserted here and there, and whenever the values of those tokens change my query runs to populate the dropdown. But the problem is that sometimes the new values and old values are displayed together, and I don't want that. And worse, the old value sometimes remains selected. I have to manually select my new entry. I have SelectFirstValue set to true.
Hi, I set up a universal forwarder on a Windows VM to send Active Directory logs to Splunk Cloud. I also want to send these logs to a syslog server. Can I send logs to both the Splunk Cloud instance and a syslog server at the same time?
Hello everyone. Every dashboard with any type of "visualization" (pivot, for example) needs a data model. Data models have an owner, just like other objects. But how can I reassign the data model to another user? I tried to use 'Reassign knowledge object' but I can't find any objects of this type.
We have an external application, an API, which will send a few parameters, and it needs to access the Splunk API, get an entry into the Splunk log info, and extract the log info. Can anyone please help us with this? How can it be done? Any help is appreciated.
Hello, I'm new to the Splunk world. I have 4 dropdowns that need to show an ALL option to select all values to update a table, but I'm struggling with how to do it. I tried to add the static option with All / % and the default value, but it isn't working.
Hi All, I request help with the steps to upgrade log4j to the latest version in a Splunk on-prem distributed environment.
I have different query results for different queries. Can I make it a generic one? For now I have 4 different Splunk dashboard URLs with different queries for 4 applications. Can I bring them into one URL in a generic way? For example, in a drop-down list I could show 4 apps (app1, app2, app3, app4); on selecting each app from the drop-down list, can I call the Splunk URL?
Hi, I work for a company that has Splunk used on servers. It is governed by a main team; however, the installation of the Universal Forwarder is up to the individual teams, and as a result the version needs updating from time to time. I am in the process of automating all software version downloads that the platform I maintain uses, and was wondering if there is a known way to connect to the Splunk site and download the latest version of the Universal Forwarder via script. I use PowerShell but could try to translate other scripts if there is a method. Any info on the URL and any header information or login syntax I need is appreciated. Thank you
I have the below sample from the botsv3 data set, which is Sysmon in XML format. I need to convert that into JSON formatted events.

Sample current XML format - code block 1:

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
      <System>
        <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}' />
        <EventID>1</EventID>
        <Version>5</Version>
        <Level>4</Level>
        <Task>1</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime='2023-05-21T13:35:45.561534700Z' />
        <EventRecordID>36885</EventRecordID>
        <Correlation />
        <Execution ProcessID='3204' ThreadID='5508' />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>BGIST-L.froth.ly</Computer>
        <Security UserID='S-1-5-18' />
      </System>
      <EventData>
        <Data Name='UtcTime'>2023-05-21 15:17:59.931</Data>
        <Data Name='ProcessGuid'>{EBF7A186-1A1C-5B59-0000-0010732E0200}</Data>
        <Data Name='ProcessId'>2684</Data>
        <Data Name='Image'>C:\Windows\System32\svchost.exe</Data>
        <Data Name='FileVersion'>10.0.17134.1 (WinBuild.160101.0800)</Data>
        <Data Name='Description'>Host Process for Windows Services</Data>
        <Data Name='Product'>Microsoft® Windows® Operating System</Data>
        <Data Name='Company'>Microsoft Corporation</Data>
        <Data Name='CommandLine'>c:\windows\system32\svchost.exe -k networkservice -p -s CryptSvc</Data>
        <Data Name='CurrentDirectory'>C:\Windows\system32\</Data>
        <Data Name='User'>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data Name='LogonGuid'>{EBF7A186-1A19-5B59-0000-0020E4030000}</Data>
        <Data Name='LogonId'>0x3e4</Data>
        <Data Name='TerminalSessionId'>0</Data>
        <Data Name='IntegrityLevel'>System</Data>
        <Data Name='Hashes'> MD5=32569E403279B3FD2EDB7EBD036273FA,SHA256=C9A28DC8004C3E043CBF8E3A194FDA2B756CE90740DF2175488337281B485F69</Data>
        <Data Name='ParentProcessGuid'>{EBF7A186-1A18-5B59-0000-0010CEA80000}</Data>
        <Data Name='ParentProcessId'>608</Data>
        <Data Name='ParentImage'>C:\Windows\System32\services.exe</Data>
        <Data Name='ParentCommandLine'>C:\Windows\system32\services.exe</Data>
      </EventData>
    </Event>

Expected JSON format as below. I have only included fields that are actually needed. Code block 2:

    {
      "ID": 1,
      "Timestamp": "2023-05-18T05:07:59.940594300Z",
      "EventData": {
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Company": "Microsoft Corporation",
        "TerminalSessionId": 0,
        "UtcTime": "2018-08-20 15:18:59.929",
        "Product": "Microsoft® Windows® Operating System",
        "LogonId": "0x3e7",
        "Description": "Find String (QGREP) Utility",
        "OriginalFileName": "findstr.exe",
        "Hashes": "MD5=BCC8F29B929DABF5489C9BE6587FF66D,SHA256=40F83CE0B6E1C894AB766591574ABD5B6780028C874410F2EC224300DF443C81",
        "ParentProcessId": "5428",
        "ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c netstat -nao | findstr /r \"LISTENING\"",
        "ProcessGuid": "{EBF7A186-0B7B-5B59-0000-001044A3CD01}",
        "ProcessId": "6236",
        "Image": "C:\\Windows\\System32\\findstr.exe",
        "User": "NT AUTHORITY\\SYSTEM",
        "LogonGuid": "{EBF7A186-AB15-5B58-0000-0020E7030000}",
        "IntegrityLevel": "System",
        "ParentProcessGuid": "{EBF7A186-0B7B-5B59-0000-0010249FCD01}",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "RuleName": "",
        "CommandLine": "findstr /r \"LISTENING\"",
        "CurrentDirectory": "C:\\Windows\\system32\\"
      },
      "Hostname": "BGIST-L.froth.ly"
    }

The key fields are EventID, Computer and the entire EventData block.

What I have tried so far: I used the | tojson command, but it didn't create the nested EventData block. It just extracted all field-value pairs as individual objects. Then I tried the below SPL, but it has the fields hardcoded, which is not desirable. We want them to be dynamically added to the EventData block. The below SPL also led to a lot of fields with null values, as not all Event IDs have the same fields, for obvious reasons.

    index=main
    | rename EventID as ID Computer as Hostname eventtype as EventType
    | fillnull value=""
    | eval EventData=json_object("FileVersion", FileVersion, "Company", Company, "TerminalSessionId", TerminalSessionId, "UtcTime", UtcTime, "Product", Product, "LogonId", LogonId, "Description", Description, "Hashes", Hashes, "ParentProcessId", ParentProcessId, "ParentCommandLine", ParentCommandLine, "ProcessGuid", ProcessGuid, "ProcessId", ProcessId, "Image", Image, "User", User, "LogonGuid", LogonGuid, "IntegrityLevel", IntegrityLevel, "ParentProcessGuid", ParentProcessGuid, "ParentImage", ParentImage, "CommandLine", CommandLine, "CurrentDirectory", CurrentDirectory),
           _raw=json_set_exact(json_object(), "ID", ID, "Hostname", Hostname, "EventData", json_extract(EventData))

I tried the below query as well:

    index=botsv3 sourcetype=xmlwineventlog EventID=1
    | spath
    | tojson

which gave a result where EventData at least is still a block, but the field names appear as values of the Event.EventData.Data{@Name} field and the field values as values of the Event.EventData.Data field. I need the values in the Event.EventData.Data{@Name} field to become the keys for the corresponding values in the Event.EventData.Data field, and all of that as part of the nested EventData JSON block, basically as shown in code block 2.

Any help on this would be highly appreciated!
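The transformation the post describes, done dynamically: every <Data Name='X'> element becomes the key X inside a nested EventData object, with no hardcoded field list and no null-filled fields for Event IDs that lack them. This is an added Python example (not the poster's SPL and not code from Splunk or the botsv3 project), useful for checking what the target JSON should look like before building the SPL equivalent. The embedded event is a trimmed copy of the Sysmon EventID 1 event from the post; the function names are my own.

```python
import json
import xml.etree.ElementTree as ET

# Windows event XML lives in a default namespace, so every tag must be looked up with it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the Sysmon EventID 1 event from the post (only some Data fields kept).
SAMPLE_XML = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}' />
<EventID>1</EventID>
<TimeCreated SystemTime='2023-05-21T13:35:45.561534700Z' />
<EventRecordID>36885</EventRecordID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>BGIST-L.froth.ly</Computer>
</System>
<EventData>
<Data Name='UtcTime'>2023-05-21 15:17:59.931</Data>
<Data Name='ProcessId'>2684</Data>
<Data Name='Image'>C:\Windows\System32\svchost.exe</Data>
<Data Name='CommandLine'>c:\windows\system32\svchost.exe -k networkservice -p -s CryptSvc</Data>
<Data Name='User'>NT AUTHORITY\NETWORK SERVICE</Data>
<Data Name='Hashes'> MD5=32569E403279B3FD2EDB7EBD036273FA,SHA256=C9A28DC8004C3E043CBF8E3A194FDA2B756CE90740DF2175488337281B485F69</Data>
<Data Name='ParentImage'>C:\Windows\System32\services.exe</Data>
</EventData>
</Event>"""


def sysmon_xml_to_dict(xml_text):
    """Convert one Sysmon event (XML) into the ID/Timestamp/Hostname/EventData shape from the post.

    EventData is built from whatever <Data Name=...> elements the event carries, so
    different Event IDs produce different key sets instead of null-filled columns.
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "ID": int(system.findtext("e:EventID", namespaces=NS)),
        "Timestamp": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Hostname": system.findtext("e:Computer", namespaces=NS),
        "EventData": {},
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name is None:
            continue  # some channels emit unnamed <Data> elements; those have no key to map to
        # Sysmon pads a few values (e.g. Hashes) with leading whitespace; trim it.
        event["EventData"][name] = (data.text or "").strip()
    return event


def sysmon_xml_to_json_line(xml_text):
    """One compact JSON document per event, the form an HTTP Event Collector or file input expects."""
    return json.dumps(sysmon_xml_to_dict(xml_text), ensure_ascii=False)


if __name__ == "__main__":
    print(json.dumps(sysmon_xml_to_dict(SAMPLE_XML), indent=2, ensure_ascii=False))
```

In SPL terms the loop over Data elements is the part that | tojson does not do for you: the Data{@Name} values have to be turned into keys and paired with the Data values before the nested object can be built, which is why the hardcoded json_object() list was needed.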