Any ideas how to write a Splunk search to detect rapidly growing disk usage, using a sourcetype of WinHostMon and the storage_used field?
Below I listed how I received my info. I want OS as a field with "Android Server 2019" as the field value, and similarly for all the others. OS: Android Server 2019 Time: Mar. 31, 2014 12:35:55 AM EDT (Mar. 31, 2014 04:35 AM UTC) Host: Demohost1 Number: VMware-00 00 a0 c0 d0 ed 05 df-0r 0c 00 00 00 11 3p 0 Host ID: 65456zDasdsA4+64+ADSD66S Local IP: XX.XXX.XXX.XXX Username: fakeuser1547 Command Line: xadwd \\fdsffd\w$\vfddd\fdfdsz<fxvx://cvfvxcv/w$/vcxzvxcv/vxvcx> D:\SADSSDF /b /SZCZXC /fed /R /GJGKL:DDV /W:87 /Q:90 action info: "C:\Windows\system32\cmd.exe" Action: HFDSHFSA SYDFYUSDFI GUIDFGIUSG dEMO ACTION has been detected. Action Taken: demoand, usual action Associated Value: 67A1790DCA55B8803AD024EE28F616A284DF5DD7B8BA5F68B4B252A5E925AF79"); (hash_sha256 on file_write) intersted file: syagdisg\hdisahiuhds\hsihisdaf\fbkjdsbfa\hjdjsab\ URL: Falcon Link<https://demourl.com/e3/__https://hdsudh.ndsjnds.bdjsabd.outlook.com/?url=httpsfgfdjkbdbfbfs;dfbabsjdbfasbdd cxvbdiufbduifbdfubbd8jknnd890jndnfd8nbjnbfjdf9jnfd88bfjdfbn90dhfdjnkfd980bfdjbfd0bfdjkfb8bjkdsbfjdbf9ibfdsjubf0nbjfdknbsf09nbsdifbnd89*nvkjdnbfd99JKBNDS9NKSNKJ9njknbdikjs9NKJNJK9nkmnksa0jcjisnbidhcdsi0> Demo Action Teken: Has not sdwewdn wdnw Verual hash: Hash value is provided as empty
Hi all, I want to implement 2 panels in one dashboard. The output of Panel_1 will be a list of IDs that meet the search keyword, and I hope to find a way to use that output as the input to Panel_2, Panel_3, and Panel_4. Panel_2, Panel_3 and Panel_4 will use the list of IDs to search, but using different conditions. I can't find a way to make the output of Panel_1 the input to the other 3 panels. Is there any way to implement this? Moreover, is there any way to color each panel a different color? Thanks.
The correlation search I am analyzing has some interesting issues. 1. When I run the SPL code separately in a search bar it has 100s of events, but when I look at Incident Review, I see only a few (very few). 2. The last line of the correlation search is "outputlookup somelookup.csv". But I see the creator of this lookup hasn't created its definition. Could this be the reason why the notables are not getting created? Also, when I look at the stats of the correlation search it shows: Statistics: Avg. Event Count 0, Avg. Result Count 0, Avg. Run Time 0:00:00, Invocations 0, Skipped 0, Success 0. Could anyone confirm if my suspicion is correct that the missing definition of the lookup is prohibiting the notables from being created, with no evidence of skips, errors, or suppression in the logs?
Hi folks, can I delete the data in a virtual index like "Hadoop" using the delete command in SPL? Thanks in advance.
Hi, I am trying to use our Google IdP (Google Workspace) to enable SSO on our Splunk. I followed this link and it worked successfully when adding the custom attribute individually to each user. Now I need to use Google groups for Splunk RBAC so that authentication and authorisation are handled using group membership. When using group membership, I couldn't find any clear answer from Google or Splunk about what to use here as the App Attribute. I only found this link, which is useless. I raised a support ticket with Google and got this answer. Could you advise on how to set up RBAC using Google group membership, or help with the Google SAML IdP setup?
Field extracted like rex field=msg " student information\" : (?<studentname>.*?),"  Student name is coming out like below: "Stdent570" "55555sdeend". I want the data without the double quotes.
Hi, I am trying to create a timechart using the mstats command, but I have some questions as follows; I would appreciate it if I could get some answers or clarifications on them: What is the difference between the aggregations rate_avg() and rate_sum() when using the mstats command? We observed that no matter which aggregation we use, the graphs return the same result. Examples are as follows: Using rate_avg Using rate_sum Thank you very much. Best Regards, Kelvin. @ericaooi
I have two events. The start event has the fields managerid, branch id, empname extracted from the log using index = emp source = empsource " offer letters". The end event has the extracted fields empid, branch id using index= manager source= manager source " relieving letters". I want to get the empid of whoever has taken an offer letter and a relieving letter, and the duration between them.
Hi All, I am trying to route my WMI data to a null queue, but I want to route data coming through from a specific group of hosts only. Example: the Windows WMI data is coming through from the different groups of hosts listed below: Hostgroup1 = ABCDEF hostgroup2 = XXXXXX hostgroup3 = sssssssss The WMI events (example eventcodes, type, log source etc.) are mostly common for all the hosts, and hence if I use any of these common fields all of my data will be sent to the null queue. I would want to only send Hostgroup1, which starts with ABCDEF; there are around 500+ hosts in the host group starting with ABCDEF. Could anyone suggest a way to only route data from hostgroup1 to the null queue? 04/20/2023 07:01:10 PM LogName=Hello SourceName=Microsoft Windows logs. EventCode=1234 EventType=x Type=Information ComputerName=abcdefghijl2106.domain.abc.com TaskCategory=dynamic OpCode=Info RecordNumber=12345678 Keywords=Audit Success I am trying to write my transforms regex based on the computer name so it only matches the hostgroup1 hosts starting with abcdef and routes that data to the null queue.
Is there a way to exclude specified data from a single field? The example I have is Destination IP addresses from a firewall. Splunk is currently showing multiple IP addresses in the field that are the direct path from source to destination, and some are related to our specific appliances that we do not need to see. E.g. I have 3 IPs as below: 1.1.1.1 1.1.1.2 1.1.1.3 I know what 1.1.1.1 and 1.1.1.2 are, so I need to exclude them from view in the field, but I want to keep 1.1.1.3. I need my known IPs excluded, as there are many others that I am not aware of. I have around 50 IPs I want excluded from the field.
Hi Guys, I deployed a new heavy forwarder in our environment, and I want to repoint certain devices to the freshly deployed forwarder. I tried updating the IP in local/deploymentclient.conf, but I'm still getting the old HF information in the logs. Could you demonstrate to me how to do so?
Hi All, is there an option to see the working of the fishbucket in real time? Switching off the server? Can we test it? If yes, please let me know how to do it on a test server.
Hello, the Splunk release notes state that version 8.2.10 was released on February 14, 2023. This installation file does not exist on the download page. Is there any other reason? When will it be available for download?
In my Splunk Cloud, when I search for index="asterisk", trigger a deployment to generate logs for this index and select last 15 minutes to get the latest logs, no logs are there. But when I change the time from last 15 minutes to last 6 hours, then I can see my latest logs; this is weird. Log time for asterisk is in UTC. Can someone please help me here?
Is it an omission that the latest Windows TA will only extract registry_path if the registry_type field contains "\w+Key"? As a result, registry_path is not set to key_path, and therefore in the Endpoint.Registry datamodel there is no value stored for registry_path and the path comes out as unknown. Has anyone come across a good reason NOT to add the additional mapping, so that it will pass through the DM correctly? The consequence is that you can't use tstats on an accelerated DM.
I have example data in a csv named invent.csv like this: I want to map ip values to host output using a lookup; logic example: input -> ip = 1.1.1.1 -> lookup to invent.csv -> output -> table hostname = host1 Thanks. *Sorry for my bad English
Hello - I'm trying to pass a dictionary into a format code block. For example: my_dict = {"hello":"world", "foo":"bar"} and in the format code block I have: Contents of dictionary: {0} where 0 is mycodeblockname:custom_function:my_dict.hello, and I receive an "error in expanding mycodeblockname:custom_function:my_dict.hello" message. I also tried using :, 0.hello, etc. and it hasn't worked. Any suggestions are appreciated. I know that if I pass a dictionary or list from an action block then this works, but a custom function doesn't work from what I can see.
I am trying to log in automatically via WebView2 JavaScript like below.

webView2.ExecuteScriptAsync("document.querySelector('#username').value = 'xxxx';");
webView2.ExecuteScriptAsync("document.querySelector('#password').value = 'yyyy';");
webView2.ExecuteScriptAsync("document.querySelector('body > div.account > div > div > div.account-login > form > fieldset > input.splButton-primary.btn.btn-primary').click();");

The code sets the username and password correctly and clicks the "Sign In" button fine. However, I get a "Login Failed" error. Is there any trick to avoid this in auto login? I am able to log in successfully after just pressing the "TAB" key many times and clicking the "Sign In" button without any change of username/password. It is confusing me more...
I want v7.5.0 of app #1928, which is not visible in Splunkbase. How can I find the internal owner of the app? Please help with this.