I have a union [] command that I want to execute only if a check box is checked; how can I manage this? SPL2 branch doesn't work on my dashboard for some reason, and the eval if/else only works for assigning a value to a variable. What options do I have now?

| search | if value = 'so and so' execute union [sql]
We are having an issue with the App for McAfee/SkyHigh Web Gateway (MWG/SWG/SSE) config. We are getting truncated logs and duplicates ranging from 2 to 30. This has been an ongoing issue and we would love to resolve it. Any thoughts on here?
Hello All,

Hope you are doing good.

1. Can anyone please let me know what the most stable version of Splunk currently is?
2. I have upgraded my Splunk to version 9.0.2; is this version stable as of now?

It would be great if anyone has any documents which will clear these doubts, as right now I'm not finding any such doc.

Thanks
Let's say I have 1 index and we have multiple users. I want to assign a role so that user A can only view 5 interesting fields out of 50 interesting fields.
Hi, I am attempting to do a chart drill-down using Dashboard Studio version 8.2.4. In this version, no token is available to choose from the dropdown in the UI, only a URL option. I've looked at a lot of documentation and tried a number of different tokens, however none seem to work; the token is just sent in the URL, e.g. $click.value$ etc. as defined in the documentation (Simple XML Reference - Splunk Documentation).
Hello, I have a significant number of Notables raised by the Non-pdm alerts correlation search. The correlation search runs every 2 hours and triggers an alert when the user violates the policy:

sourcetype=netskope earliest=-2h NOT (alert_name IN ("pdm", " External_Shared Files - Alert", "All DLP Policies")) | stats dc(alert_name) as alert_count, values(_time) as incident_time by user

Throttling is set to a 3-day duration. What changes do we need to make so that fewer notables are raised? Thanks.
Hi, I have some data events with a Date value. How do I create a Splunk search if the value of MAX_POSITION_DATE for TABLE2 SHOULD BE (TODAY -1) and TABLE1 has the TODAY value and TABLE3 has TODAY? I want to display any events if the above condition is not met.

TABLE NAMES   MAX_POSITION_DATE
TABLE1        2023-05-17 00:00:00.000
TABLE2        2023-05-16 00:00:00.000
TABLE3        2023-05-17 00:00:00.000
Dear Team, below is the raw log for your reference:

{"kind":"Event",*******************,***,"stageTimestamp":2023-05-16T11:25:19.603580Z}

I have created a props.conf with the respective sourcetype, below for your reference:

[kube:apiserver-audit]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = stageTimestamp\"\:\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6N
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27

However, when I check in Splunk, the timestamp is not parsed correctly. Any help here would be much appreciated.

Br, Prasad V
Hi! I'm trying to set up HEC with my app's outgoing webhook. There's no way to pass the token in an auth header, so I intended to use query string authorization. But in a cloud trial instance I simply didn't find a setting for it. Any ideas, folks? Best regards
I have a search that makes a decision based on time since an event.

| eval diff = now() - _time

and then makes some decision based on how long ago the event took place:

| eval state = if(diff<300, "active", "not active")

However, if I want to run this historically, my diffs are set to the current time, so I can't easily look historically at a point in time and tell the state of the world (with the same search). Is there a time function in search where I can pull the earliest and latest time filters? e.g.

| eval diff = $timerange.latest$ - _time
Hi, below is an example of my use case:

timestamp         messageId  correlationId  region  category  trace
17/05/2023 00:00  1          correlationA   UCAN    orders    START
17/05/2023 00:01  2          correlationA   UCAN    orders    FLOW
17/05/2023 00:02  3          correlationA   UCAN    orders    FLOW
17/05/2023 00:03  4          correlationA   UCAN    orders    FLOW
17/05/2023 00:04  5          correlationA   UCAN    orders    FLOW
17/05/2023 00:05  6          correlationA   UCAN    orders    FLOW
17/05/2023 00:06  7          correlationA   UCAN    orders    FLOW
17/05/2023 00:07  8          correlationA   UCAN    orders    END
17/05/2023 00:10  9          correlationB   EMEA    accounts  START
17/05/2023 00:11  10         correlationB   EMEA    accounts  FLOW
17/05/2023 00:12  11         correlationB   EMEA    accounts  FLOW
17/05/2023 00:13  12         correlationB   EMEA    accounts  FLOW
17/05/2023 00:14  13         correlationB   EMEA    accounts  FLOW
17/05/2023 00:15  14         correlationB   EMEA    accounts  FLOW
17/05/2023 00:16  15         correlationB   EMEA    accounts  EXCEPTION

And the expected output:

timestamp         correlationId  region  category  status   #records  duration
17/05/2023 00:10  correlationA   UCAN    order     SUCCESS  6         00:07:00
17/05/2023 00:16  correlationB   EMEA    accounts  ERROR    5         00:06:00

- the goal is to have one row per correlationId
- the column STATUS should be calculated with the following rule: if there is a row with trace=END it means that the flow ran successfully and the status should be "SUCCESS"; if there is a row with trace=EXCEPTION it means that an error occurred and the status should be "ERROR"
- the number of records should consider only the rows with trace=FLOW
- the duration should be the time elapsed from the row with trace=START until the row with trace=END or trace=EXCEPTION

Can you help on building the query?
I'm trying to evaluate the date string to a time format using strptime(). The format I have is:

Tue_Oct_25_03:57:49_IDT_2022

The strptime function looks like:

strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y")

Running the query:

index="some_index" source="some_source" | head 20 | eval d=strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y") | table d date

shows me a table with empty d values, and date is showing as expected. What am I doing wrong here?
Hi Splunkers, is there any way to embed Splunk dashboards into the leap application?
Dataframe row:

{"_c0":{"0":null,"1":"00:00:01","2":"13:30:01"},"_c1":{"0":null,"1":"CPU","2":"all"},"_c2":{"0":"Linux","1":"%user","2":"1.05"},"_c3":{"0":"3.10.0-1160.76.1.el7.x86_64","1":"%nice","2":"0.34"},"_c4":{"0":"(fraasdwhbdd1.de.db.com)","1":"%system","2":"0.83"},"_c5":{"0":"16\/05\/23","1":"%iowait","2":"0.05"},"_c6":{"0":"_x86_64_","1":"%steal","2":"0.00"},"_c7":{"0":"(8","1":"%idle","2":"97.73"},"_c8":{"0":"CPU)","1":"%utilization","2":"2.27"}}

The above event is a sample event that has been received by our Splunk portal. We need to extract the %utilization value from the above event, which is the value 2.27. This %utilization value is dynamic. We need to extract it using the rex command. Please help us on this.
Hi All, I have a query and the results show as above. The column function has only a single value. I need to get only one value instead of two, as the _time also remains the same. Can anyone help me to get a single value instead of the value repeating twice?
Access to education.splunk.com was denied. I don't have authorisation to view this page. HTTP ERROR 403
Hi all! My question is, why can't Splunk run a scripted input on Windows even though it has full access to that script? Entry of inputs.conf:

[script://.\\bin\deploy.bat]
disabled = 0
interval = 300
index=windows

[script://.\\bin\update.bat]
disabled = 0
interval = 60
index=windows

These stanzas are responsible for installing and updating Sysmon on Windows servers and hosts. I deploy this configuration by deployment server to UFs. The Splunk UFs are run by a domain account. This account isn't admin. Here, there is full access: Here, as this user is running: But in the logs I see that access is denied: Please help me figure out why this is happening and how to solve it!
I have been wondering how to produce a table of indexes and the sourcetypes used in them, something like:

| rest splunk_server=localhost /services/data/indexes | fields + title | rename title AS Index | MAGIC-COMMAND [ | metadata type=sourcetype index=Index ]

MAGIC-COMMAND can't be join (no common field); appendcols, appendpipe and append don't do the right thing, and multisearch wants streaming data. If I switch the search and subsearch, I think I almost get what I want, except I no longer have an index/title field.

| metadata type=sourcetypes index=Index [ | rest splunk_server=localhost /services/data/indexes | fields + title | rename title AS Index ]

I don't see how to use a REST call for /services/saved/sourcetypes instead of metadata because there's no index reference. I'm stumped. Any advice?
index=mail [ | inputlookup Updated.csv | rename address AS query | fields query ] | dedup MessageTraceId | lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match | where isnull(domain_match) | lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2 | where isnotnull(domain_match2) | stats values(RecipientAddress) as Recipient values(Subject) as Subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" values(Status) as Status values(EventDate) as "Resigned Date" by RecipientDomain SenderAddress | eval subject_count=mvcount(Subject) | sort - subject_count | convert ctime("Latest") | convert ctime("Earliest")

Currently I have this query, which is working well.

In the CSV, I have another column called event date. Based on the results generated, I would like to show the event date as well when running the query.
Hi Team,

I am posting only part of the query to avoid confusion. The sourcetype logs data for the past 10 days every day; I search for it because that's how it's designed and I am fine with it. However, I want to filter only for yesterday's date for another purpose and want to use the same source. If I simply put 2023-05-16 as a filter in my search query I can get the data, but I want to automate it to fetch results every day, and every day I run it, it should by default take yesterday's value. I simply want to print the value of result.yesterday in my search query the way I can mention 2023-05-16. Could you please let me know how I can achieve this?

| makeresults | eval yesterday = strftime(relative_time(now(), "-1d@d"), "%Y-%m-%d")|fields - relative_time $result.yesterday$ search index=infra source=*emr* sourcetype="aws:description" source="*emr_clusters" account_id="a0087" | dedup Id | rename Name as cluster_name, Id as JobFlowId Status.Timeline.CreationDateTime as cluster_creation_on, Status.Timeline.ReadyDateTime as cluster_ready_on, Status.Timeline.EndDateTime as cluster_terminate_on

Thanks in advance