We have configured some program to run as a service on a Unix server. I want to configure an alert in Splunk so that when this systemd service is in a failed state (status), we trigger an email message to the recipient.
I wanted to know how we can construct a search query for a service which is running on a CentOS server where the utilization has exceeded 70 percent for the last 10 mins. We are supposed to create an alert if such a situation arises. Any help would be greatly appreciated.
Hello, I need urgent help. I'm connecting Cribl to Splunk through HEC; I'm using the free trial of Splunk Cloud. The HEC destination on Cribl's side says all is well, yet I don't find any data coming into Splunk, and even after connecting it to an indexer that I created there's no data in the monitoring section and no data when searching.
Hello, I'm trying to create a data input as HEC to receive data from Cribl. In Cribl I created a destination as Splunk HEC. In Splunk I created a data input HEC, but it keeps giving errors. I'm using a free cloud trial of Splunk. I managed to get the HEC URI as per the Splunk docs: https://http-inputs-newinstance123.splunkcloud.com:8088/services/collector/event but I still get the attached errors in Cribl. Any help?
I am trying to write Simple XML code that will evaluate a field value and change the font color for the row that contains the value. I only need to evaluate two conditions: alarm or clear. I am new to XML. I could really use some help.
Hi, I downloaded Splunk 9.0.4.1 free, and it won't let me install the software. When I try to install it, a message says Microsoft doesn't recognize this software and takes me to the Microsoft Store. The software is already on my computer. I have Windows 11. Thanks.
Hello folks, I am new to Splunk. I am looking to build a query to detect lateral movement using Windows service creation. I want to check for the following patterns: EventCode 4624 followed by EventCode 4697 or 7045; EventCode 4624 followed by EventCode 7036. How can I write a query to detect such patterns?
I am new and learning Splunk. I have 2 events like below with the same event type.

name='name1', user='abc', type='type1', other-fields : latest event
name='name1', user='abc1', type='type1', other-fields : past event
name='name2', user='def', type='type2', other-fields

I want to dedup based on the user field, but the dedup value changes while all other fields remain the same. In this case I want to match fields name & type between the first 2 events and pick up the latest one. My final filtered events should be:

name='xyz', user='abc', type='new', other-fields
name='name2', user='def', type='type2', other-fields

Any suggestions?
**I want to preface with the fact that I am a total noob at Splunk, so please bear with me.**

I am trying to make a dashboard that shows the on-call for each organization/team. It lists their name, contact info, the start of when they are on call, and the end of when they are on call.

**Ex of what it should look like:** (Select org(s): abc)

| org | team    | username | OnCallStart              | OnCallEnd                |
| --- | ------- | -------- | ------------------------ | ------------------------ |
| abc | aa-team | bob2     | 2023-05-01T08:00:00-7:00 | 2023-05-02T08:00:00-7:00 |

**The issue is (other than me not being able to figure out how to get their respective teams listed currently) that it looks more like this:** *(ignore the dates being the exact same, just giving an idea of the format)*

| org | team | username | OnCallStart              | OnCallEnd                |
| --- | ---- | -------- | ------------------------ | ------------------------ |
| abc |      | bob2     | 2023-05-01T08:00:00-7:00 | 2023-05-02T08:00:00-7:00 |
| 123 |      |          | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
|     |      |          | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
|     |      |          | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
|     |      |          | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
|     |      |          | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
|     |      |          | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |
|     |      |          | 2023-05-01T08:00:00-7:00 | 2023-05-01T08:00:00-7:00 |

I have a multiselect option with a submit button so that I can filter by orgs; however, if for example I filtered by the "abc" org, it would show bob2 but have both "abc" and "123" orgs listed. How can I control the orgs shown when a user is a part of multiple orgs? How can I limit the number of OnCallStart and OnCallEnd times listed to a single line that correlates to the particular org that it matches with?

I tried seeing if I could use something like `| head 1`, but that doesn't seem to be what I want based on this: https://docs.splunk.com/Documentation/SCS/current/SearchReference/HeadCommandOverview#How_the_head_command_works

I don't know where to locate props.conf to use something like TRUNCATE, and I'm not even sure if that's what should be used in this instance or not. https://community.splunk.com/t5/Getting-Data-In/Size-limit-for-an-event/m-p/16410

I considered limiting in the source code by using something like `<option name="count">1</option>`, but that just limits it to show one user per page, still listing the multiple orgs (despite filtering for a particular one) and the multiple start and end times. Would it be some kind of query parameter? https://docs.splunk.com/Documentation/DashApp/0.9.0/DashApp/dsOpt
Hi! I have a search query problem that's wrecking my newbie brain. I have log events that look like this:

{
  "operationName": "Add app role assignment to group",
  "properties": {
    "targetResources": [
      {
        "administrativeUnits": [],
        "displayName": "MyAwesomeDisplayName",
        "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "modifiedProperties": [
          { "displayName": "AppRole.Id", "newValue": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "oldValue": null },
          { "displayName": "AppRole.Value", "newValue": null, "oldValue": null },
          { "displayName": "Group.ObjectID", "newValue": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "oldValue": null },
          { "displayName": "Group.DisplayName", "newValue": "myAwesomeGroupName", "oldValue": null },
          { "displayName": "Group.WellKnownObjectName", "newValue": null, "oldValue": null }
        ],
        "type": "ServicePrincipal"
      }
    ],
    "userAgent": null
  }
}

What I'm trying to do is get the corresponding value for newValue where displayName is Group.DisplayName, i.e. when displayName=Group.DisplayName, the corresponding newValue for that would be (in this example) myAwesomeGroupName. Not every log event will have a displayName=Group.DisplayName entry in it, so that's why I'm looking to capture when it's there. I hope that makes sense.
Want to use a lookup file that has a list of specific user IDs to search the Palo Alto GlobalProtect logs and identify their VPN usage. I am receiving an error "Error in 'table' command: Invalid argument: 'User=xyz'" when the rex is before the inputlookup. I receive 0 results when the inputlookup is before the rex. I know the rex works when run independently, as a list of all the usernames is listed. Greatly appreciate the help in advance.

index=* sourcetype="pan:globalprotect"
| rex field="user" "(?<user_domain>[^\\\\]+)\\\\(?<user_only>.+)"
| eval User=case(user_only=="" AND user=="","unknown",isnotnull(user_only),user_only,1=1,user),"User Domain"=if(isnull(user_domain),"unknown",user_domain)
| table User [| inputlookup lookupname.csv |rename ntid as "User"]
|table User
Below are the sample logs; here I have 2 types of log formats. For the JSON logs I have given this props:

[sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
LINE_BREAKER=([\r\n]+)

How do I write props so that we can capture both logs?

{"timestamp": "2022-02-12T01:22:13.345Z", "application status", host:app.cpm-134678, application/json: 0drem345msdsmmnn, "authorization"*************** ******************************************************************** ************************************************user interface, application conenction-ok "**********"

ClientID: NA host: json-edrtyu level: app-apiInfo message: clientid: undefined, userid: unknown timestamp: 2022-01-12T01:09:44.344Z

{"timestamp": "2022-02-14T01:22:13.123Z", "application status", host:app.cpm-134678, application/json: 0drem345msdsmmnn, "authorization"*************** ******************************************************************** ************************************************user interface, application conenction-ok "**********"

ClientID: NA host: json-edrtyu level: app-apiInfo message: clientid: undefined, userid: unknown timestamp: 2022-01-12T01:09:44.34
I want to work on cleaning up data quality issues specific to data received on HEC inputs. Various teams send data into the environment's HEC inputs and specify the event metadata. So how could I determine which events came in from the HEC input? I couldn't find ways to match
I'm running the curl command

curl -k https://prd-p-aaaaa.splunkcloud.com:8088/services/collector -H "Authorization: Splunk <HECTOKEN>" -d '{"event": Test Message}' -vvv

and I get this error:

* Trying <IP>:8088...
* Connected to prd-p-aaaaa.splunkcloud.com (<IP>) port 8088 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* LibreSSL/3.3.6: error:02FFF036:system library:func(4095):Connection reset by peer
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer

I tried with http-<splunkstack>.splunkcloud.com:8088 and http-inputs-<splunkstack>.splunkcloud.com:8088; for those I get:

* Could not resolve host: http-prd-p-aaaaa.splunkcloud.com
* Could not resolve host: http-inputs-prd-p-aaaaa.splunkcloud.com

I'm using the trial version of Splunk Cloud.
I recently enabled Splunk tokens (using SAML authentication) and am able to successfully execute basic API calls (such as the one below).

curl -H "Authorization: Bearer <token>" -X GET https://<host>.splunkcloud.com:8089/services/authorization/roles

I have a Splunk search that works great from the Splunk Cloud UI, but I would like to be able to retrieve the same data in either JSON or CSV format. I have attempted to follow the Splunk documentation on this, but being brand new I may simply be missing something. What is the best way to achieve my goal in this case? Is using Splunk tokens the preferred/best approach?
Thanks in advance for your time and assistance. Can someone please tell me how to generate a list of configured, properly functioning Data Models that support Splunk Enterprise Security correlation searches? There are more data models listed in Settings --> Data Models than when I perform a '| datamodel' search, such as the one pointed to here: list all datamodels with the feeds (index, sourcet... - Splunk Community. I just want to nail down a method for ensuring that the data models configured within correlation searches are configured AND are operating as intended. Again, thank you. Sven
After clicking save on the setup page of the Unix / Linux add-on I receive an error message: "There was an unexpected problem while saving inputs. please reload page and try again". Is there a solution for this issue, or some key things to check?
Hello, I have 3 servers: Search Head, Indexer, Deployment Server. According to the manual, I installed the Splunk Add-on for Unix and Linux on all 3 servers. The manual says to enable data and scripted inputs. In my Deployment Server I enabled all the File and Directory Inputs, Scripted Inputs, and the Scripted Event Inputs.

Questions: Do I have to enable all the inputs on my Search Head and Indexer too? If I enable the inputs on these 2 servers, will there be replicated data, or conflicts? Thanks
When I search this on its own it comes up with what I need, but when I put it into the Dashboard it comes up with "Awaiting Data Input":

(index=windows_* OR index=win*) (sourcetype="wineventlog:security" OR source="wineventlog:security" OR sourcetype="xmlwineventlog:security" OR source="xmlwineventlog:security" OR sourcetype="wineventlog*" OR source="wineventlog*" OR sourcetype="xmlwineventlog*" OR source="xmlwineventlog*") signature_id IN (4720 4722 4725 4726 4738) Target_Account_Name!=*$ Subject_Account_Name!=*$
| eval signature=coalesce(signature, EventCode_Description)
| eval Computer_Name=coalesce(Computer_Name,ComputerName,Computer)
| eval New_Message=coalesce(Message,message,body,EventData_Xml)
| stats count earliest(_time) as earliest latest(_time) as latest values(Computer_Name) as src values(signature) as signature values(signature_id) as signature_id values(Logon_ID) as Logon_ID values(TaskCategory) as Task_Category values(Device_Name) as device by dest, Subject_Account_Name, Target_Account_Name, host
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(earliest)
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(latest)
| fields count earliest latest Target_Account_Name Subject_Account_Name signature signature_id dest host src Logon_ID Task_Category

Any ideas?
I know that I can add visualizations to a dashboard with JavaScript and hook into the SearchManager done event that way. However, I am wondering if there is a way to get an object reference for visualizations that are added via the GUI. Is the only way to hook into the done event via JavaScript to build the dashboard via JavaScript? Thanks.