When I search this on its own it comes up with what I need, but when I put it into the dashboard it comes up with "Awaiting Data Input":

(index=windows_* OR index=win*) (sourcetype="wineventlog:security" OR source="wineventlog:security" OR sourcetype="xmlwineventlog:security" OR source="xmlwineventlog:security" OR sourcetype="wineventlog*" OR source="wineventlog*" OR sourcetype="xmlwineventlog*" OR source="xmlwineventlog*") signature_id IN (4720 4722 4725 4726 4738) Target_Account_Name!=*$ Subject_Account_Name!=*$
| eval signature=coalesce(signature, EventCode_Description)
| eval Computer_Name=coalesce(Computer_Name,ComputerName,Computer)
| eval New_Message=coalesce(Message,message,body,EventData_Xml)
| stats count earliest(_time) as earliest latest(_time) as latest values(Computer_Name) as src values(signature) as signature values(signature_id) as signature_id values(Logon_ID) as Logon_ID values(TaskCategory) as Task_Category values(Device_Name) as device by dest, Subject_Account_Name, Target_Account_Name, host
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(earliest)
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(latest)
| fields count earliest latest Target_Account_Name Subject_Account_Name signature signature_id dest host src Logon_ID Task_Category

Any ideas?
I know that I can add visualizations to a dashboard with JavaScript and hook into the SearchManager done event that way. However, I am wondering if there is a way to get an object reference for visualizations that are added via the GUI. Is the only way to hook into the done event via JavaScript without having to build the dashboard via JavaScript? Thanks.
I am using a virtual server and all users are being seen as service accounts, which is causing my logon and admin account searches to show some very high numbers (authentications are showing as logons). Is there a way to get the system to ignore the actual service accounts that are running that are not users, whereas both are being seen as logon type 3 (Network)?
When logs arrive at the heavy forwarder, the forwarder may add some metadata to them based on the rule. For example:

1. I have a syslog forwarder that keeps writing logs into the heavy forwarder's disk space.
2. The heavy forwarder monitors logs written into various directories, e.g. [monitor:///var/log/remote/source_type_a/*.log]
3. The heavy forwarder adds the sourcetype and host of the log when it is indexing. E.g. if it is forwarding the log from /var/log/remote/source_type_a/*.log, it adds the sourcetype of the log as source_type_a

Does this metadata also count toward the indexer license limit?
Hello, I am trying to use streamstats with sum(value) and I want to reset that sum after it reaches a certain threshold (in the example below this threshold is 1000). The Splunk documentation states that "The eval-expression can reference fields that are returned by the streamstats command." However, it is completely ignoring my reset_after clause; any help is much appreciated. Example below:

index=events
| table id,_time
| sort 0 -id, _time
| streamstats current=f reset_on_change=true last(_time) as last_seen by id
| eval time_delta=_time-last_seen
| sort 0 -id, _time
| streamstats reset_after="("running_time>=1000")" reset_on_change=true sum(time_delta) as running_time by id

Splunk reference:
reset_after
Syntax: reset_after="("<eval-expression>")"
Description: After the streamstats calculations are produced for an event, reset_after specifies that all of the accumulated statistics are reset if the eval-expression returns true. The eval-expression must evaluate to true or false. The eval-expression can reference fields that are returned by the streamstats command. When the reset_after argument is combined with the window argument, the window is also reset when the accumulated statistics are reset.
From the below logs I want to capture the "appDesc" data using regex.

2023-05-02 22:27:20,100 | info application status https:www.codeurl [ Response: 200 ok- https:www.codeurl "appDesc" : "User not within error limit" { "appcd" : "0", "appDesc" : "fraud app dected risk tolerance" } ],
2023-05-02 22:27:20,100 | info application status https:www.codeurl [ Response: 200 ok- https:www.codeurl "appDesc" : "User not within error limit" { "appcd" : "0", "appDesc" : "fraud app dected risk tolerance" } ],
What is the process, or is it possible, to enable the HttpOnly flag for the ADRUM cookie? Attaching a screenshot for reference.
Hi, I have to restrict the 2023-05 date field. This is used as a filter in the dashboard. Can someone help me with the command for this requirement?
We have a job which is getting terminated intermittently, even though when this search gets executed successfully its run time is just 7-8 mins. Still it fails sometimes. Can someone suggest how we can avoid its failure:

(index=200004664_triumph_sidx sourcetype=tr_billed_summary_sidx (indc_wve_fnchg_sdx="N") (player_acct_nbr_sdx=100269999 OR player_acct_nbr_sdx=100269984 OR player_acct_nbr_sdx=100269963 OR player_acct_nbr_sdx=100269976 OR player_acct_nbr_sdx=100269950) (code_ia_prod_id_sdx!="KOB" AND code_ia_prod_id_sdx!="KOC" AND code_ia_prod_id_sdx!="KOD" AND code_ia_prod_id_sdx!="KOE" AND code_ia_prod_id_sdx!="KOF") earliest=-45d@d latest=-1d@d)
| fields - _raw
| fields nbr_plst_sdx code_trans_acct_sdx indc_cyc_rvlv_sdx amt_curr_outst_bal_sdx indc_wve_fnchg_sdx player_acct_nbr_sdx code_ia_prod_id_sdx
| eval date_prev=strftime(_time,"%m/%d/%Y")
| fillnull value="NULL" code_trans_acct_sdx indc_cyc_rvlv_sdx
| where code_trans_acct_sdx="NULL"
| rename indc_cyc_rvlv_sdx as indc_cyc_rvlv_prev amt_curr_outst_bal_sdx as amt_curr_outst_bal_prev
| JOIN nbr_plst_sdx [ search (index=200004664_triumph_sidx sourcetype=tr_billed_summary_sidx (indc_wve_fnchg_sdx="N") (player_acct_nbr_sdx=100269999 OR player_acct_nbr_sdx=100269984 OR player_acct_nbr_sdx=100269963 OR player_acct_nbr_sdx=100269976 OR player_acct_nbr_sdx=100269950) earliest=-1d@d latest=@d) | fields - _raw | fields nbr_plst_sdx code_trans_acct_sdx indc_cyc_rvlv_sdx amt_curr_outst_bal_sdx indc_wve_fnchg_sdx player_acct_nbr_sdx code_ia_prod_id_sdx | eval date_current=strftime(_time,"%m/%d/%Y") | fillnull value="NULL" code_trans_acct_sdx indc_cyc_rvlv_sdx | where code_trans_acct_sdx="NULL" and amt_curr_outst_bal_sdx > 0 | rename indc_cyc_rvlv_sdx as indc_cyc_rvlv_current amt_curr_outst_bal_sdx as amt_curr_outst_bal_current]
| stats values(date_current) as date_current values(indc_cyc_rvlv_current) as indc_cyc_rvlv_current values(amt_curr_outst_bal_current) as amt_curr_outst_bal_current latest(date_prev) as date_prev latest(indc_cyc_rvlv_prev) as indc_cyc_rvlv_prev latest(amt_curr_outst_bal_prev) as amt_curr_outst_bal_prev values(player_acct_nbr_sdx) as player_acct_nbr values(indc_wve_fnchg_sdx) as indc_wve_fnchg values(code_ia_prod_id_sdx) as code_ia_prod_id by nbr_plst_sdx
| eval check_type=case((indc_cyc_rvlv_prev="N" AND indc_cyc_rvlv_current="N"),"T2T", (indc_cyc_rvlv_prev="Y" AND indc_cyc_rvlv_current="Y"),"R2R", (indc_cyc_rvlv_prev="N" AND indc_cyc_rvlv_current="Y"),"T2R",1=1,"NA")
| rename nbr_plst_sdx as nbr_plst
| where check_type != "NA"
| table nbr_plst player_acct_nbr code_ia_prod_id indc_wve_fnchg date_prev indc_cyc_rvlv_prev amt_curr_outst_bal_prev date_current indc_cyc_rvlv_current amt_curr_outst_bal_current check_type
| eval date_curr_epoch=strptime(date_current,"%m/%d/%Y")
| eval date_prev_epoch=strptime(date_prev,"%m/%d/%Y")
| eval date_diff=(date_curr_epoch-date_prev_epoch)/86400
| eval date_diff=round(date_diff)
| JOIN nbr_plst [ search index=triumph sourcetype=tr_billed_subbalance (nbr_plyr_acct=100269999 OR nbr_plyr_acct=100269984 OR nbr_plyr_acct=10026963 OR nbr_plyr_acct=100269976 OR nbr_plyr_acct=100269950) (code_prch_cadv="P") earliest=-1d@d latest=@d | stats values(amt_ctd_fc) as amt_ctd_fc values(amt_adb) as amt_adb values(beg_dpr) as beg_dpr values(pct_stmt_dpr) as pct_stmt_dpr values(code_be_grace) as code_be_grace values(code_fe_grace) as code_fe_grace by nbr_plst prty_l2h]
| eval amt_adb = tonumber(amt_adb)
| eval amt_ctd_fc = tonumber(amt_ctd_fc)
| eval beg_dpr = tonumber(beg_dpr)
| eval pct_stmt_dpr = tonumber(pct_stmt_dpr)
| eval calc_fc=exact((amt_adb*pct_stmt_dpr*date_diff)/100)
| eval calc_fc_round=round(calc_fc,2)
| rex field=calc_fc "(?P<calc_fc>[0-9]*[.][0-9]{2})\d*"
| table * amt_ctd_fc amt_adb pct_stmt_dpr date_diff calc_fc calc_fc_round
| eval valid_type=case((check_type="T2T" AND amt_ctd_fc>0),"alert1", (check_type="R2R" AND (amt_adb>0 AND amt_ctd_fc=0)),"alert2", (check_type="R2R" AND (pct_stmt_dpr>0 AND amt_ctd_fc=0)),"alert3", (check_type="R2R" AND (amt_adb>0 AND amt_ctd_fc!=calc_fc_round)),"alert4", (check_type="R2R" AND (pct_stmt_dpr>0 AND amt_ctd_fc!=calc_fc_round)),"alert5", (check_type="T2R" AND (amt_adb>0 AND amt_ctd_fc=0)),"alert6", (check_type="T2R" AND (pct_stmt_dpr>0 AND amt_ctd_fc=0)),"alert7", (check_type="T2R" AND (amt_adb>0 AND amt_ctd_fc!=calc_fc_round)),"alert8", (check_type="T2R" AND (pct_stmt_dpr>0 AND amt_ctd_fc!=calc_fc_round)),"alert9",1=1,"NA")
| table * valid_type
| where valid_type="alert1" OR valid_type="alert2" OR valid_type="alert3" OR valid_type="alert4" OR valid_type="alert5" OR valid_type="alert6" OR valid_type="alert7" OR valid_type="alert8" OR valid_type="alert9"
| where calc_fc_round > 0
| fields - amt_curr_outst_bal_prev beg_dpr date_curr_epoch date_prev_epoch
| where (check_type!="T2T" AND code_fe_grace!=02)
| eval calc_fc_low = round(calc_fc-0.01,2)
| eval calc_fc_high = round(calc_fc+0.01,2)
| where (amt_ctd_fc > calc_fc_high) OR (amt_ctd_fc < calc_fc_low)
| rename amt_adb as "Average Daily Balance Amt" pct_stmt_dpr as "Statement DPR Percentage" amt_ctd_fc as "FC Assessed by Triumph" calc_fc_round as "Calculated FC" nbr_plst as "Plastic Number" amt_curr_outst_bal_current as "Current Outstanding Balance"
| eval epochyesterday=relative_time(now(),"-1d@d")
| eval yesterday=strftime(epochyesterday,"%m%d%y")
| eval Splunk_Alert_Id="iFIND Pricing and Fees"."||"."Grace_Monitoring"."_".yesterday
| fields - date_current date_diff date_prev epochyesterday yesterday valid_type
Hi there, I am currently looking at a search within Splunk Security Essentials (Concentration of Attacker Tools by Filename). The search mentions a file named "tools.csv", which I assume is a list of the attacker tools mentioned in the title of the search. Is there any way that I can access the contents of the CSV file? Purely because I want to see which tools are listed. Any help would be appreciated, Jamie
Splunk DB Connect version 3.13.0 is only supported on Splunk 9.0 and the older versions 8.2 or 8.1. Is there any solution for what to use instead of Splunk DB Connect, because version 9.0 has vulnerabilities?
Hi all, by entering different SPLs into a dropdown, I have created a panel that outputs different results for each, but I am not getting the expected results because I am specifying the field values to output in the source.

SPL① output fields: src_ip loginid login_time
SPL② output fields: uri_path http_referer src_ip
Fields specified in the source: src_ip loginid login_time
⇒ When SPL② is output, only src_ip is shown.

Is it technically possible to vary the field values according to the SPL selected in the dropdown? Also, is it possible to vary the drilldown values in the same way? I'm translating from Japanese, so sorry if the text is wrong!

Japanese version (translated):
Hello. I would like to enter SPL into a dropdown and output different results on a panel, but because I specify the field values in the source, I cannot get the results I am looking for.

SPL① output fields: src_ip loginid login_time
SPL② output fields: uri_path http_referer src_ip
Fields specified in the source: src_ip loginid login_time
⇒ When SPL② is selected in the dropdown, only src_ip is output.

Is it possible to vary the fields that are output according to the dropdown value? Also, is it possible to link the tokens specified in the drilldown to the SPL selected in the dropdown?
Hi, data is not getting indexed when we add a CSV file via Add Data under Settings; its event count is showing as 0.
My query below:

(index=x source=xtype valid) OR (index=y source=ytype passed)
| eval which=if(match(_raw, " valid"),"valid", "passed")
| stats values(which) as msg by manid
| stats count(eval(msg="valid")) as total_count count(eval(msg="passed"))

I am getting output like total count 54, response count 58. But I want to check this condition too:

| eval msgcount=mvcount(msg)
| where msgcount>1

I also need to check the count where duration time > 30 and the count where duration time < 30.
Hello, not sure if something similar has been posted, but what I'm trying to do is a partial match of all the ids in one search result with those in another search (two different sources, so they can't be returned in one search).

Dummy data:

Source 1                               Source 2
extendedproductcode   code2            productcode
2233445566            101573           5566
2233445567            245859           5567

E.g. search 1 from source 1 returns a list of numbers like this: 2233445566, 2233445567 etc. Now search 2 from source 2 has data that looks like this: "5566", "5567" etc. The question is, how do I return a full list of results from search 1 (source 1 data) where the numbers look like "*5544", "*5567"? For a one-off case I can run a simple search on the ids in source 1 using ="*5566", but I'm not sure how to do it for a list of product ids, say 100-200 long. As the list is dynamic, I can't hardcode the numbers/ids. So I have a list of product ids from source 2 which I need to search for in source 1 by partial match on productID. If there is a match, I want to return in a table from source 1 extendedProductId, code2, and also the partial match. So something like this:

Query to return:

extendedproductcode   code2            productcode
2233445566            101573           5566
2233445567            245859           5567

Thanks,
Hi Team, we have a dashboard which contains the daily job related information. In that we have two panels like below: one is a stats table and the other is the Daily monitoring Dashboard panels. They are in the same row but they are separate panels; we need those panels to be merged into one. Below is the information related to the panels. Is there any possible way to do this? Please help us with this.
SPL as below:

| makeresults
| eval TEST="\n User-Agent: iOS/16.4.1 iPhone\n P-Access-Network-Info: 3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103\n Security-Verify: ipsec-3gpp;alg=hmac-md5-96;ealg=null;mod=trans;port-c=9950;port-s=9900;prot=esp;spi-c=2155781586;spi-s=4286488018\n"
| rex max_match=0 field=TEST "P-Access-Network-Info:\s*(?<KeyValue>.+)\\n"

What I want is to get "3GPP-NR-TDD;utran-cell-id-3gpp=4600101200e020432103" by identifying \n as the end. But \\n seems not to work for Splunk; I tried \n, but it still failed.
I currently have a Heavy Forwarder that forwards logs to Splunk Cloud, but the heavy forwarder is at version 8.0.6 and I have started to have problems with this add-on (DB Connect): I can connect to the database and Splunk detects the table, but it does not read the table's contents to ingest them. After asking for support I was told that I had an outdated version of DB Connect, version 3.4.0, and that I should update it to version 3.12.2. I just updated it and I still have problems with the add-on, so I guess now I should focus on updating the version of Splunk that I use as a Forwarder to the latest version. I would be grateful if you could let me know if this is how I need to upgrade Splunk from version 8.0.6 to Splunk 9.x:

1. Log in via SSH.
2. Stop the Splunk service from /opt/splunk/bin.
3. Back up the splunk folder using the command tar -czvf splunk.tar.gz splunk and delete the uncompressed folder.
4. Download version 8.1.x or 8.2.x first before upgrading to version 9.x (as recommended in the documentation).
5. Proceed with the installation of the 8.1.x or 8.2.x version.
6. Download version 9.x and install it.

Please let me know if I have omitted anything or if there are any errors in the list I have described.
Hello, the character set in the database I want to look up is US7ASCII. Korean cannot be printed normally with this character set. I should not change the character set in the database, and I can't change the default environment of the DB Connect server because I already have access to many Oracle databases in DB Connect. Is there a way to print out Korean for DB Connect, whether using Oracle UTL_RAW or using another Splunk app or functions?
For the installation I do not see the Splunk Universal Forwarder /opt/log/www1 or /opt/log/www2, and I am wondering why that is and whether there were any changes to it.