Even after the correct credentials have been put into the app, when I press test connectivity, I keep getting errors. Stuff like error 500 and what not, things that have to do with the connection, but I've tested both the credentials and that the device's ports are open. Still getting these types of errors; don't know why SOAR isn't able to connect. App version is 3.01 and the SOAR version is 5.3.5.
I am currently working on a search dashboard. I have the dashboard created and the search (Submit Button). In this search I am looking at the messaging portion of our firewall logs. When I submit a search I have to put in the whole message, for example "Interface G1 Link is up". What I am trying to do is search for keywords like Interface, G1, link is up, link is down. Any info would be great.
I have the data as below:

LoginID  AccessDate  Organization  Section  logCount
1        10thApril   O1            S1       1.39
2        11thApril   O2            S2       1.76
3        12thApril   O1            S1       2.45
4        10thApril   O1            S1       5.67
5        11thApril   O2            S2       2.34
6        12thApril   O1            S1       1.23
7        13thApril   O2            S2       2.56

I want to calculate the variance corresponding to each LoginID, leaving that ID out. See below (the result that is expected):

Id  Organization  Section  values(LoginID)  values(logCount)  Variance
1   O1            S1       2                1.76              2.011847
                           3                2.45
                           4                5.67
                           5                2.34
                           6                1.23
                           7                2.56
2   O2            S2       1                1.39              2.142889
                           3                2.45
                           4                5.67
                           5                2.34
                           6                1.23
                           7                2.56
Hi Guys, We recently had 1 Indexer in Melbourne (server A). It had a lot of data and later, due to a disaster recovery requirement, we had to set up a new indexer in Sydney (Server B) and then enabled Indexer clustering between the two. So far so good. The problem arises when we found out that there is another Indexer in Sydney (server C) and we need to migrate data off of it to our Sydney instance (B), as C is an old WIN server and is being retired. Question: How can I proceed with this? Simply move the indexes and buckets from C over to our Sydney Instance (B)? Since clustering is on, what needs to be done so that this data does not get replicated over to the Indexer in Melbourne (A) and only stays in (B)? Thanks in advance, Neerav
Hi, I have a requirement to show the data based on period. Period is a dropdown having Today, Last Month & Last Quarter. Based on this filter the panel should refresh. My query is:

<input type="dropdown" token="period_tkn">
  <label>Period</label>
  <choice value="Today">Today</choice>
  <choice value="Last Month">Last Month</choice>
  <choice value="Last Quarter">Last Quarter</choice>
  <change>
    <condition value="Today">
      <set token="er">"@d"</set>
      <set token="lt">now()</set>
    </condition>
    <condition value="Last Month">
      <set token="er">"-1mon@mon"</set>
      <set token="lt">"@mon"</set>
    </condition>
    <condition value="Last Quarter">
      <set token="er">"-3mon@mon"</set>
      <set token="lt">"@mon"</set>
    </condition>
  </change>
  <default>Today</default>
  <initialValue>Today</initialValue>
</input>
<table>
  <search>
    <query>
      index="index name" earliest=$er$
      | where _time&lt;$lt$ AND _time&gt;relative_time(now(),$er$)
      | table infra_on_prem app_name platform_name _time
      | timechart limit=0 span=1h min(infra_on_prem) by platform_name
      | eval hour=strftime(_time,"%H"),hour=_time."#".hour.":00"
      | fields - _time
      | transpose 0 header_field=hour column_name=Platform
      | search Platform!="_span"
      | addtotals
      | eval Health=case(Total&gt;20,"100:::",Total&lt;1,"500:::",1=1,"300:::")
      | fields Platform Health *
      | `icon_indicator_stack`
      | fields - Total
      | transpose header_field=Platform
      | rex field=column "#(?&lt;hour&gt;.*)"
      | fields - column
      | transpose 0 header_field=hour column_name=Platform
      | rename "row 1" as Health
    </query>
  </search>
</table>

The above query is for period="Today"; the bolded query condition should change based on the period filter. How can I do that? Please help.
Facing the below error.

Scenario: number of indexers = 3, cluster master = 1

Error: The cluster peer is unable to handle request at this time. This means either the cluster peer unable to communicate w/ the cluster manager OR the cluster manager does not have <repFactor> peers added to the cluster. Check the cluster manager dashboard and/or manager_uri/secret settings.
Hi, I have the following query to detect outliers in eps:

index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| eval isOutlier=if(Eps > UpperBound OR Eps < LowerBound, "true", "false")
| where isOutlier="true"

However, I need the output to be just 1 trend line, representing Time, with outliers represented as red dots at the time of occurrence. Currently, I am receiving all these unnecessary lines with no red dots representing outliers. Can you please help? Many thanks!
With INDEXED_EXTRACTIONS=JSON, indexed extraction is not working if the JSON HEC event payload is more than 512KB.
Talking about this app in case it's ambiguous: https://splunkbase.splunk.com/app/1724 I have used it to create a KV store, as apparently that's the only way to do so in Splunk Cloud. I have also created a corresponding lookup definition. However, the resulting object is unusable. I keep getting: "Error in 'inputlookup' command: Lookup failed because collection 'xyz' in app 'lookup_editor' does not exist, or user 'abc' does not have read access." Both the lookup definition and the collection are global and readable by anyone. What am I missing? When I edit the KV store in the lookup editor, I can see a dropdown "showing entries for: abc". I'm really confused by this. How can the content of a lookup (KV store or not) depend on the user?
Dear Sir/Madam, With someone retiring, I can advance from being a Splunk Enterprise Certified Administrator to becoming a Splunk Architect. To gain experience and practice, I would like to set up a home lab to take the Splunk Architect courses. I want to set up a virtual home lab with a Splunk distributed search environment, an indexer cluster, and a deployment server to deploy all the apps to the forwarders. How many Ubuntu Server VMs should I spin up in Hyper-V? One search head, two indexers (right?), a deployment server, a management node, and an HF for practice. Six VMs in total? Is that too few or too many? I'm still determining, depending on how many Splunk roles each VM can play. Online, this information is hard to find. I'm only going to ingest a few data sources for practice.
My dashboard has about 45 panels split between 8 pages using a dropdown. I am adding drilldowns that open panels that are hidden until a user clicks on a chart or table. My issue is that when I'm on a certain page and click on a visualization and the hidden panel appears, it remains displayed when I switch to a different page. I can't copy and paste my code, so here's a snippet of what I have:

<form>
  <label>My Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Select Page</label>
      <choice value="A">A</choice>
      .......same for B-G.......
      <choice value="H">H</choice>
      <change>
        <condition value="A">
          <set token="A_panel">true</set>
          <unset token="B_panel"></unset>
          ......unset C-H......
        </condition>
        <condition value="B">
          <set token="B">true</set>
          <unset token="A_panel"></unset>
          ......unset C-H......
        </condition>
        <condition>
          .....Repeat for C-H.....
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$A_panel$">
      <title>Panel A1</title>
      <table>
        <search>
          <query>index=* App=* Status="Down" | table App A B C</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <set token="show_panel_A1">true</set>
          <set token="selected_app">$click.value$</set>
          <eval token="drilldown.earliest">case($click.name2$=="30 Days", "-30d", $click.name2$=="60 Days", "-60d")</eval>
          <eval token="drilldown.latest">case($click.name2$=="30 Days", "now", $click.name2$=="60 Days", "-30d")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_panel_A1$">
      <title>Count for $selected_app$</title>
      <chart>
        <search>
          <query>index=* App=* Status="Down" earliest=$drilldown.earliest$ latest=$drilldown.latest$ | search App="$selected_app$" | timechart count by App</query>
        </search>
      </chart>
    </panel>
  </row>
</form>

I've tried adding the <unset token> for other drilldown panels under the <drilldown> and <condition value=""> sections, but the panels don't hide again after I select a different drilldown or move pages.
I have a simple dashboard with a few single value visualizations. Clicking on them will open a panel below to reveal a table related to that single value using depends=$token$. These single value metrics are also tied to scheduled searches that send out email alerts when issues arise. What I need to figure out is how to format the "link" in the email that will open this dashboard (this part is easy), but will ALSO open the table below the single value metrics.

Here is the current drilldown for a single value:

<drilldown>
  <set token="idx"></set>
</drilldown>

Here is how I am using it in the panel to be opened:

<row id="panel4" depends="$idx$">

I have tried changing the drilldown to this:

<drilldown>
  <set token="idx">open</set>
</drilldown>

and tried using this URL to link to the dashboard and ALSO open the panel below. But it does not work.

https://fqdn/en-US/app/appname/dashboardname?idx=open
Why am I getting duplicate entries while using outputlookup?

Query:

| inputlookup append=t test1_checks.csv
| eval Alert_type="test2", Correlated_alert="test2", Correlation_type=0
| outputlookup append=true test1_checks.csv

Result:

Alert_type  Correlated_alert
test2       test2
test2       test2
test2       test2

I need only one entry for all kinds of entries in Alert_type and Correlated_alert. Kindly help.
Hi, When I go to Apps ---> Splunk Common Information Model ----> Actions and click Setup, it throws a 500 Internal Server Error: "Oops. An error occurred while rendering the page template. See web_service.log for more details. Click here to return to Splunk homepage." Let me know how we can sort out this error.
I have a field called 'description'. I want to be able to extract MD5, SHA1 and SHA256 values present in this field. Need help with a regular expression. Here is an example of the field value. It's pretty huge. Towards the end you will notice MD5, SHA1 and SHA256 values.

Example:
============
Family: alien
alien is a credential theft malware designed to run on a mobile phone running the Android operating system. This malware will attempt to monitor the users activities and steal their data by either logging keystrokes, copying their clipboard content or applying a overlay on top of legitimate applications the malware is instructed to monitor for.
Pattern(s) extracted from web_inject config for this family: com.wf.Tubeswatermobile
Infrastructure: hxxp://yektkedecaedem.shop
Type: CNC
Infrastructure purpose: A CNC is the interface between the botnet and the threat actor, allowing the threat actor to send commands, exfiltrate data and manage an infected machine.
Virustotal Report: https://www.virustotal.com/gui/url/b2eba8fb7266c50f23d71d1ref5c5df663962eccf1420d59a14ee2hb5005f6fb/detection
Associated Payload Hashes:
MD5 9fagf968da04a2bb464f4842ebd1bd29
SHA1 0bacdak9d1a7dbb975759d687645006f875a388b
SHA256 ba57be868c89b4a342c412c066dc58ed9a888f8009ec512917004380d8e8233e
http://yeytledfcaeden.shop
============
Hi there, I am trying to get the container details for a stipulated time period, let's say Jan 1st 2023 - March 31st 2023. May I know what the format is to get it from the REST API? I am trying the query below and getting results from the very latest containers as well.

https://phantom.example.com/rest/container?sort=id&order=desc&label='phishing'&page_size=40000&"start_time"="2023-03-01T00:00:41.728895Z"

Sample output (sharing only one key: value pair):

"start_time": "2023-04-19T07:36:41.728895Z",
I would like to set the color of the field to green if it is younger than 1 week. The time format is like this ('2023-04-19 08:57:10'); yes, the format is with the apostrophes. First I tried just a range color definition in the UI, but it doesn't work; I think it's because of the apostrophes.
Is it possible to use AWS SSM in a way to generate a HEC token on one heavy forwarder and pass it along (copy it to other heavy forwarders directly) using SSM? The heavy forwarders are managed instances in SSM.
Hi, We have configured custom threat intel feeds with Splunk. The connection is successful and the status of the file shows "file downloaded". I have checked the threat intel audit logs and found this: | status="No observables or indicators found in file" stanza="custom feeds" It is a CSV file and we have checked the output by running the curl command, and we got the response as the IOCs listed in the Excel file. But we found this issue: | status="No observables or indicators found in file" stanza="custom feeds" Can you help me fix this issue?
Hi, I have a Zscaler NSS connected to Splunk. I've been running some tests to see how Splunk reacts to a change in DNS entries. It seems that the hostname isn't changed in Splunk. Can anyone help me on this? nssem1.clab.group is the old name. Thanks!