Based on the value from one dropdown list I am hiding the other dropdown list (based on a condition, I unset the token of the 2nd ddl). Although the dropdown list gets hidden, its value is still passed if we already chose some value. The initial value is set to 'All'.
Friends, I have extracted the field "ussdcode" from XML using "xmlkv" and renamed it to "UssdCode". Now I want to pass a value to "UssdCode" using a dropdown list. I have also created "UssdCode_Token" in the dropdown and have provided the static value "ALL =* " in the dropdown. Can someone please help me with filtering the data using the dropdown?

index=masapi sourcetype = myaccountservices-api_reporting_log ussdcode AND StatusCode=$StatusCode_token$ |eval temp=split(_raw,":") |eval trx_id=mvindex(temp,3) |dedup trx_id |xmlkv |rename ussdcode as UssdCode |stats Count by UssdCode,StatusCode | addcoltotals Count labelfield="StatusCode"
I have two data sources:
1. Discovered data. Can be either a lookup file or a DB table. Let's assume a DB table. I'm pulling data from the table using the Splunk app for DB Connect.
2. A lookup file.

Scenario: I will have two columns, OS_name and OS_Version, coming from the discovery_data DB table. I will also have an os_latest_release.csv lookup file which will have three columns: OperatingSystem, Existing_OSType, Latest_Available_Version.

OperatingSystem | ExistingOSType | Latest_Available_Version
AIX | any | 7.3
HP-UX | any | 11i v3
Linux | any | RHEL 9.1
Linux | SuSE Enterprise Server 11 (3.0.101-108.2 | SUSE Linux Enterprise Server 15
Linux | ubuntu_12_04 | Ubuntu 22.10
Linux | Oracle Linux Server 7.9 | Oracle Linux 9.1
Linux Debian | any | Debian version 11
Linux Lincase | any | LINUX Lincase SL 7.9
Other | other | TBC
Solaris | any | Solaris 11.4
SunOS/Solaris | any | Solaris 11.4
VMware | any | vSphere ESXi 8.0
Windows | Windows 10 | Windows 11 version 22H2
Win2012R2 6.3.9600 | any | Windows Server 2022
Windows | any | Windows Server 2022

For every OS_name and OS_version there will be a matching combination/entry in the lookup file. The ExistingOSType column in the lookup file will either have version details similar to the discovered data (not necessarily the same; strings may not match as-is) or will have 'any' as the field value (i.e., no matter which discovered version or OS type it is, the latest version will be the same for the given OS_name).

Now I have to come up with the latest Latest_Available_Version column for each row of data coming from the DB table. Conditions to be considered:
1. If db.OS_name=L.OperatingSystem and db.OS_version=L.Existing_OSType then Latest_Available_Version. If there's no match, then
2. set db.Latest_Available_Version = l.Latest_Available_Version where db.OS_name=L.OperatingSystem and L.Existing_OSType=any

Any help, please?
Hi, can you advise on my query? Splunk Universal Forwarder is installed on client machines, which are generating log files every 2 hrs. Is there any way we can control the log generation time? Can we set anything in the UF to generate log files every 30 mins and push them to the indexer?
Hi Splunkers, has anyone tried to integrate Kaspersky Security Center v13/14? There are so many API references here https://support.kaspersky.com/help/KSC/14/KSCAPI/index.html and I tried to create it following the tutorial from https://avleonov.com/2019/07/17/kaspersky-security-center-11-api-getting-information-about-hosts-and-installed-products/ but I can't add an action to cover all the params. Maybe someone has experience to share? Thanks in advance.
Hello, I've an index where all my data is stored and I want to create 2 saved searches:
- one with all the data (I have to create this one because there are other sourcetypes that I don't want the user to access).
- one with less data.
I have an issue when I create my saved search with |table myfield1,myfield2 : I can see myfield3 in the events tab from the search result. In fact, I want to see myfield3 from the events tab only with my saved search with all the data, but not in the other one.
The following procedures are used to build the system. https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector I am trying the following command listed under Raw event parsing, but it returns "curl: (3) URL using bad/illegal format or missing URL". In the "http-inputs-<customer>" section I have put "http-inputs-localhost:8088"; is this wrong? I know this is a rudimentary question, but please help.

curl https://http-inputs-<customer>.splunkcloud.com/services/collector/raw -H "X-Splunk-Request-Channel: FE0ECFAD-13D5-401B-847D-77833BD77131" -H "Authorization: Splunk BD274822-96AA-4DA6-90EC-18940FB2414C" -d '<raw data string>' -v
How do I compare the last value with the second-to-last value? Say I have a column with N records in it: 88 22 67 --> 44 55 12 44 75 80 --> I want to compare the last record, 80, with 67 (the previous last value) and want to write whether the value was 'greater' or 'smaller' in the output. In the above case 55 was greater, so my output should say GREATER. Do we have any command to accomplish this?
As stated by the title, we have a test env for learning, but at some point it will be a larger production deployment. With that said, we have a clustered env on a vSphere server, and one of the boxes is a Win2019 server with EPO/Trellix on it. So I would really like to know the best-practice steps for sending that data over from the EPO server to Splunk, whether that be to an indexer or to a heavy forwarder. Do I need to put up some kind of syslog server somewhere, or, since it's a Windows server, should I just put a forwarder on it and use that to send data?
Hi, I am trying to sort out which Splunk add-on for ServiceNow to use: 4412, 3921, or 1928. I want to have Splunk alerts generate tickets in ServiceNow, ingest Splunk alerts and convert them into SR or SIR depending on the type of alert, and let SOC analysts also manually forward selected events on demand from the Splunk console.
Hi, I've created the correlation search for problem notifications and defined/enabled the entities in the search; I also defined the entities in the service. The search is generating notable events. However, the impacted entities are not showing up. Please advise on the next steps and what to verify/check to see this in the Episode Review.
Is there a way to build a UI to prompt the user for extra input at the time of clicking a workflow action, so that they can input additional information (which is not present in the event fields) that could be used in an HTTP request? Ideally, the user would open the event, click the custom workflow action, see a small dialogue with a form for input(s), and then click 'submit' to call the action. Also, is there a way to have the user authenticate to an external service, using either a service account they already saved in Splunk, or a redirect to enter credentials?
I have been trying to export results of the built-in Risk Analysis dashboard for a quarterly report. Other dashboards in ES have the "Export" button in the upper right of the screen. The Risk Analysis and Sequence Analysis dashboards do not seem to have a way to export or schedule running them. Anyone know of a way? Thanks.
Hi Team, I have a custom app which is integrated with SNOW. Our Upgrade Readiness app shows it needs an update: "Issue: File path contains an outdated Python SDK. Update to the latest Python SDK." Can someone help with how I can update the custom app's Python SDK?
Hi, hypothetically speaking, if I have the following event:

q[pworei[qpweori[pqwoeirp[qowier[powierw"NAME":"BOB";POQIWERUPQOWIEUPROIQWEURPOWIERPOWQIUR"NAME":"SAM";qpweoirpwoierupwoiproiqproiw"NAME":"COLT";

I want to have a table with a column titled Name, and then have all names included in that row, preferably in this format: BOB, SAM, COLT. Is this possible? The problem I run into is that when I do:

| rex field=_raw \"NAME\"\:\"(?<Name>\W+)\"

it only captures the first Name. Is there anything I can do so that it captures all of the names?
Hi everyone, I am currently trying to create a table that shows the count of activity by user as well as the sourcetype in which it occurred. What I am trying to achieve:

Users | Sourcetype | Count
User 1 | source 1 | 20
User 2 | source 2 | 30

Here is my base search at the moment:

index=index* "user"="user1*" OR "user"="user2*" | stats count by user | eval input_type="Count"| xyseries input_type count

Right now, it does show me the count of the user activity, but I'm not sure how to add the sourcetype to the search to create a table view.
I need to set the GMT+1 timezone for the logs. Please let me know what value to set in TZ=? in props.conf.
How to add HTML/CSS and JavaScript code to a Splunk dashboard
How to load drop down list based on time selector token
I'm using the Python SDK to search and retrieve results in JSON output_mode. The data I'm searching for was loaded into Splunk as a CSV file with the first row as the header. Currently I'm getting these keys in the output:

"_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server"

The _raw field has a string of comma-separated values (the actual data). I'm not able to get the header for these values. The rest of the fields are just metadata. How do I get the CSV header in the JSON output of the search? I even tried the CSV 'output_mode'. No luck.