All Topics
Hello Experts, I have never done this and wonder if there is a best way to achieve the below. I want to use the DS to push initial configurations from the DS to the CM and then use the CM as a proxy for the IDX cluster. I tried the below:
1) Added the CM as a client, and for the serverclass I added 'stateOnClient = noop' to each of the app entries just to make sure those applications do not work locally on the CM.
2) After the above step the confs land on the CM under /opt/splunk/etc/apps; however, I want them to land in /opt/splunk/etc/master-apps. The question is: can the DS put the directories in a different location than the default, which is /opt/splunk/etc/apps?
| loadjob savedsearch="userid:search:hostslists"
| lookup lookupname Hostname as host OUTPUTNEW Hostname,IP
| eval Host=upper(host)
| append
    [| loadjob savedsearch="userid:search:hostslists"
     | lookup lookupname IP as host OUTPUTNEW IP,Hostname
     | eval Host=upper(host)]
| append
    [| loadjob savedsearch="userid:search:hostslists"
     | lookup lookupname AltName as host OUTPUTNEW AltName,IP,Hostname
     | where AltName != Hostname
     | eval Host=upper(host)]
| eval starttime=relative_time(now(),"-10d@d"),endtime=relative_time(now(),"-1d@d")
| convert ctime(latest),ctime(starttime),ctime(endtime)
| where latest<=endtime AND latest>=starttime
| rename latest as "Last event date", Host as "Host referred in Splunk"
| eval Hostname=if('Host referred in Splunk'!='IP','Host referred in Splunk',Hostname)
| stats count by Hostname,IP,"Host referred in Splunk","Last event date"
| fields - count
| dedup IP,Hostname

In my query I am using the saved search "hostslists" (it contains the list of hosts reporting to Splunk along with the latest event datetime) and the lookup "lookupname" (contains the fields: Hostname, AltName, IP).
Aim: I have to get the list of devices present in the lookup which have not been reporting for more than 10 days.
Logic: some devices report with "Hostname", some devices report with "AltName", a few devices report with "IP". So I am checking all 3 fields and capturing "Last event date".
Now I am facing a challenge:
Hostname   IP        "Last event date"
Host1      ipaddr1   25th July    (by referring IP)
Host1      ipaddr1   10th June    (by referring Hostname)
I have 2 different "Last event date" values for the same "Hostname" & "IP". In my report it is not showing the latest date, but here I have to consider the latest date. I am stuck on how to use such logic. Can anyone please help? Thanks for your response.
Hello, I tried to import the App Dashboard for Cyberwatch, but the dashboard displays empty data. My understanding is that for the data input I should select the following: sourcetype = "cyberwatch:syslog", app context = "Cyberwatch (SA-cyberwatch)", index name = "cyberwatch". But if I check the content of the dashboard, there are other sourcetypes: cbw:group, cbw:node, cbw:vuln ... Can you clarify how to make the dashboard work from Cyberwatch syslog events? Regards, Olivier
Currently we have our Cisco ISE devices being sent to a syslog server and then a forwarder is bringing that into Splunk. We are running into an issue where ise_servername is showing the device name, but the Syslog server name. What am I missing? How would I go about fixing this?
Hello Splunkers! I am using HEC to send an HTML file to Splunk. The received event contains the HTML lines of code. The HTML is a table with some data, and forms a table with the data. Is there a way, or how can I create a dashboard from the HTML text that shows the table? Maybe another way to say this is: how can I extract the HTML code from the HEC event and display the same on a dashboard? Thank you so much, E Holz
We are looking into the feasibility of integrating Mule Cloudhub with Splunk Cloud directly for log ingestion. Please suggest.
I have devices using a specific v4 address range and a specific v6 address range. I'd like to get the percentage of devices using the v6 range so we can track the progress of the conversion. I'm new to Splunk, so I'm not sure how to proceed.
Hi All, I'm looking to remove missing forwarders, where the servers have been permanently removed, as reported by CMC. I cannot see any way of doing this. Is this something that I have to raise a support case for? Many thanks, Mark
Hi Guys, I'm trying to run a playbook and send an email using the SMTP services, but I am not able to do it. When I tested sending email from the SOAR CLI it was working, but from the console it's not happening. Can anyone tell me how to send emails from SOAR using the "Passwordless" method? I am unable to find the instructions or SOP on Splunk. I've tested the connectivity over port 25 towards the SMTP server, and it's working.
Hi all, I want to extract fields from a custom log format. Here's my transforms.conf:
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+\s+\S+\s+(\S+)(?:\s+(iLO\d+))?\s+-\s+-\s+-\s+(.*)
FORMAT = name::$1 version::$2 message::$3
DEST_KEY = _meta
This regex is supposed to extract the following from a log like:
Jul 27 14:10:05 1.2.3.4 1 2025-07-27T14:09:05Z QQQ123-G12-W4-AB iLO6 - - - iLO time update failed. Unable to contact NTP server.
Expected extracted fields:
name = QQQ123-G12-W4-AB
version = iLO6
message = iLO time update failed. Unable to contact NTP server.
The regex works correctly when tested independently, and all three groups are matched. However, in Splunk, only the first two fields (name and version) are extracted correctly. The message field only includes the first word: iLO. It seems Splunk is stopping at the first space for the message field, despite the regex using (.*) at the end. Any idea what could be causing this behavior? Is there a setting or context where Splunk treats fields as single-token values by default? Any advice would be appreciated!
Hi All, I've been tasked with setting up logging for Windows Certification Services and getting this into Splunk. I have enabled the logging for Certification Services and can see the events for this in the Windows Security log. In Splunk I can see the Windows Security logs for the CA server; however, the Certification Services events are missing. I've confirmed in the inputs.conf that the event IDs I'm looking for are whitelisted. Does anyone have any other suggestions on what can be checked?
I'm working on a transforms.conf to extract fields from a custom log format. Here's my regex:
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+\s+\S+\s+(\S+)(?:\s+(iLO\d+))?\s+-\s+-\s+-\s+(.*)
FORMAT = srv::$1 ver::$2 msg::$3
DEST_KEY = _meta
This regex is supposed to extract the following from a log like:
Jul 27 14:10:05 x.y.z.k 1 2025-07-27T14:09:05Z QQQ123-G12-W4-AB iLO6 - - - iLO time update failed. Unable to contact NTP server.
Expected extracted fields:
srv = QQQ123-G12-W4-AB
ver = iLO6
msg = iLO time update failed. Unable to contact NTP server.
The regex works correctly when tested independently, and all three groups are matched. However, in Splunk, only the first two fields (srv and ver) are extracted correctly. The msg field only includes the first word: iLO. It seems Splunk is stopping at the first space for the msg field, despite the regex using (.*) at the end. Any idea what could be causing this behavior? Is there a setting or context where Splunk treats fields as single-token values by default? Any advice would be appreciated!
Hi, in my company we are using Splunk Enterprise in a cluster structure. I recently updated my servers (not Splunk). After that, and after restarting the Splunk deployment server, all forwarders are trying to phone home, and when I listen on the deployment server it is receiving the calls, but when I check clients in the Forwarder Management section it is empty. What can I do?
Sorry to everyone that I am posting multiple posts for my issue. Just summarising everything here; please help me with the solution. We created a single summary index for all applications and are afraid of giving access to it, because any of them can see the other apps' summary data; that would be a security issue, right? We have created a dashboard with the summary index and disabled open-in-search. At some point we need to give them access to the summary index, and what if they search index=*? Then their restricted index and this summary index both show up, which can be risky. Is there any way we can restrict users from running index=*? NOTE: we are already using RBAC to restrict users to their specific indexes, but this summary index will show summarised data of all of them. Is there any way to restrict this? However, in the dashboard we are restricting them: a field must be selected, and only then does the panel with the summary index show up, with filtering. How do people handle this type of situation? We will create two indexes per application, one for non_prod and one for prod logs, in the same Splunk. They create 2 AD groups (np and prod). We will create indexes and roles and assign them to the respective AD groups, and 1 user will have access to both of these 2 groups. Being a single summary index, I thought of filtering it at role level using srchFilter and the service field, so as to restrict one user from seeing other apps' summary data. I extracted the service field from raw data and ingested it into the summary index so that it will pick up the service field values. Then I will use this field in srchFilter to restrict users. We only need the summary index for prod data (indexes), not non-prod data...
Below is the role created for non-prod:
[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod
Below is the role created for prod:
[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index=prod OR (index=opco_summary service=juniper-prod)
In another post I received a comment that indexed fields will use ::, but here these two fields (index, service) are not indexed fields, hence I have given =. Here my doubt is: when a user has these two roles, if they search only index=non_prod, do they see results or not? How does this search work in the backend? Is there any way to test? And a few users are part of 6-8 AD groups (6-8 indexes). How does this srchFilter work there? Please clarify. But what if the user runs index=non_prod... can he still see non_prod logs or not? If there is no other way than creating a separate summary index for each application, we need to do it. But is there any way we can do it fast rather than doing it manually? But again, I don't have the coding knowledge to automate this.
Hello Splunkers, I hope you all are doing well. I am preparing to take the SPLK-3001 exam, and I want to know the self-study guide and the version of ES: is it V7 or V8? Thanks in advance!
Windows Server 2022. I have tried installing JRE 24 and Java 8. It doesn't let me save the JAVA_HOME path. It throws the error below:
FileNotFoundError: [WinError 2] The system cannot find the file specified
validate java command: java.
Any help would be appreciated!
We will create two indexes per application, one for non_prod and one for prod logs, in the same Splunk. They create 2 AD groups (np and prod). We will create indexes and roles and assign them to the respective AD groups. Till here it is good. Now we created a single summary index for all prod indexes' data, and we need to give access to that index to all app teams. Being a single summary index, I thought of filtering it at role level using srchFilter and the service field, so as to restrict one user from seeing other apps' summary data.
Below is the role created for non-prod:
[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod
Below is the role created for prod:
[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index::prod OR (index::opco_summary service::juniper-prod))
Not sure whether to use = or :: here to make it work. Because in the UI, when I'm testing it, it gives a warning when I give =, but when giving :: the search preview results are not working. Not sure what to give. Here my doubt is: when a user has these two roles, if they search only index=non_prod, do they see results or not? How does this search work in the backend? Is there any way to test? And a few users are part of 6-8 AD groups (6-8 indexes). How does this srchFilter work there? Please clarify.
Hello all, I am working on a Splunk query which is supposed to filter some logs by utilizing data from a lookup. Consider a field called host. I have a list of hosts stored in a lookup (let's call the lookup hostList.csv). Now, I want to retrieve the list of servers from the hostList.csv lookup and then filter the field host with the retrieved list. Note: I don't want to use the map command for this. Is there any other way to pull off this logic? Please help me with an example query and explanation. Thank you!
Finding the Cisco documentation and support hard to follow. Netviz agent installed and running, Java agent installed but not working. Cisco Support is advising me that I need a standalone Java application to attach the Java agent to. I haven't read this in the Network Visibility guidance. Confused: can I add this to the app agent? Anyone got steps on this?
I onboarded production logs to Splunk, but after restarting the UF I am not able to see the recent logs; I am also not able to see the recent internal logs. How do I fix this issue? Please help.