Hi, I have the following tables:

asset table: asset_id, solution_id, vulnerability_id
solution table: solution_id, solution summary
vulnerability table: vulnerability_id, title, severity

How do I write a Splunk query to show a table that has the asset_id, solution summary, title, and severity? This would be the SQL query that I use:

SELECT a.asset_id, b.solution_id, b.summary AS solution_summary, c.vulnerability_id, c.title AS vulnerability_title, c.severity
FROM asset a
JOIN solution b USING (solution_id)
JOIN vulnerability c USING (vulnerability_id)
Hello, is anyone still using the Splunk add-on for SharePoint? It looks like it is not available on Splunkbase anymore. If yes, can you please provide the sourcetype config for mssharepoint-uls?

Thanks
Hi, I am working on a multiselect filter where the default "All" option should be removed if the user selects something other than "All". The caveat is that the options for the multiselect are not based on a search; they are manually added. For example:

<choice value="first_choice=&quot;*&quot;">All</choice>
<choice value="second_choice=&quot;Y&quot;">second choice</choice>
<choice value="third_choice=&quot;Y&quot;">third choice</choice>
<choice value="fourth_choice=&quot;Y&quot;">fourth choice</choice>
<choice value="fifth_choice=&quot;Y&quot;">fifth choice</choice>

What I usually do doesn't work:

<change>
<eval token="form.mytoken">if(mvcount('form.mytoken')=0,"*",if(mvcount('form.mytoken')!=1,mvfilter('form.mytoken'!="*"),'form.mytoken'))</eval>
</change>

If anyone has a solution, I would really appreciate it. Thank you!
Currently in my logs I am getting the hostname of the users but not their usernames. I created a lookup table that contains hostnames and usernames. I am trying to match the hostname from the search to the hostname in the lookup file and then print the correlated username in a table format in the search visualization.

Lookup file:
hostname username
host1 user1
host2 user2
host3 user3
host4 user4

search:
index=windows sourcetype=eventlogs [|inputlookup users.csv | fields hostname username | rename hostname as users]
~~~print username correlated to "users" in the above string.~~~
Hello, we're running localhost HTTP Event Collectors on a UF for Docker containers on the same host. However, I'm unable to override the hostname of these events. Unfortunately there is no flag to do so in the Docker daemon. Therefore I've tried to do it on the forwarder as well as on the indexer, both unsuccessfully.

On the forwarder:

/opt/splunkforwarder/etc/apps/splunk_httpinput/default/inputs.conf
[http]
host = wantedHostName
disabled=0
port = 8088
enableSSL=0
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0

/opt/splunkforwarder/etc/apps/splunk_httpinput/local/inputs.conf
[http://localhost]
host = wantedHostName
description = <desc>
disabled = 0
index = main
token = <token>
useACK = false

On the indexer:

/opt/splunk/etc/system/local/props.conf
[host::badHostName]
TRANSFORMS-badhost = badHostName

/opt/splunk/etc/system/local/transforms.conf
[badHostName]
DEST_KEY = MetaData:Host
REGEX = *
FORMAT = host::wantedHostName

None of these work. Can someone please help us out? Cheers!
Good morning, I am having an issue onboarding our main Event Hub into the Splunk Add-on for Cloud Services (latest version). I have set up the inputs just like my other Event Hub but it is not sending data. Below is the setup:

This is the error I find in the logs:

logger=azure.eventhub._eventprocessor.event_processor pos=event_processor.py:_load_balancing:286 | EventProcessor instance '#####' of eventhub '#######' consumer group '$Default'. An error occurred while load-balancing and claiming ownership. The exception is AssertionError(). Retrying after 60s

I have a case open with MS and Splunk but no help so far.

Oliver
Hello, in order to monitor a file via the UF, those files should grant read-only permissions to the user and group splunk:splunk on Linux servers. I have a doubt about Windows servers: is the user and group (splunk:splunk) an Active Directory service account and group?

Thanks
Hello Splunkers,

I'm here to ask you for a bit of your wisdom. Context: this has been happening since the upgrade from 8.2.x to 9.0.3. The issue does not impact the platform (which is a dev platform). For a few weeks, I have been receiving some errors in my internal logs that are really bizarre:

03-02-2023 17:25:30.518 +0100 ERROR CMRepJob [49280 CMExecutorWorker-1] - job=CMSyncP2PJob bid=firewall_juniper~219~91483FBC-75D0-4410-9205-DE9DB070C3F3 my_guid=B3309FA8-4903-40B3-9E5D-B7BD712F6F70 my_rawport=xxxx my_usessl=1 ot_guid=91483FBC-75D0-4410-9205-DE9DB070C3F3 ot_hp=xxx.xxx.xxx.xxx :xxxx ot_rawport=xxxx ot_usessl=1 relative_path= custact=p2p_syncup getHttpReply failed; err: Connect Timeout

I thought it was a problem with a few buckets that had been replicated wrongly or not at all. But, first, I don't have any warning on the Replication Factor / Search Factor and, second, it is always the same 17 bids. So I guess it is not what I thought. I don't have any other logs like this; every event that gets in is correctly indexed / replicated.

Have you any idea of what's happening here? And if it might be a problem, have you any idea of how I can fix that? Thanks for your time. Best regards!
Let's say I have a query like "index=myindex honor | stats count by mydata,mydata2". I want to add the results of this query as a note in my SOAR system. My problem starts exactly at this point. If the result of my query is 1 row, there is no problem, but when more than one row is returned, I can only add the first row as a note. I am sending the data in the form of "$result.mydata$" and "$result.mydata2$" to the SOAR system. I want to print all the lines, not a single line; that is, as a result, I want to take all the rows in the incoming table and add them to the note. Thanks
Hello! Does anyone know how to update the whois lookup builder to be able to update with new domains every 3 months for current info in the DomainTools app for ES?
Conditions to create the query:
1) The query should not contain any EventCode
2) The query must be built from the DNS data model
Hi all, I am trying to add a webhook for a Splunk Cloud instance, but it throws the error {"text":"Query string authorization is not enabled","code":16}. I checked, and the option to enable Query String Authentication is not available in Splunk Cloud. Please provide your valuable suggestions to get it working.

Thanks in advance,
Hello again.

I am testing a "light" version of an index completely compatible with the tstats + PREFIX() method (selecting only the fields I work with and removing all major breakers of field values from the _raw) as an alternative to data models, since it's waaaay faster.

My first test has been computing the distinct count value of a field (sessionid) with extremely high cardinality but without major breakers (so prefix compatible), both in the original index and in my summary index for a given hour.

ORIGINAL INDEX: 48.692.463 distinct session ids
SUMMARY INDEX: 6.016.022 distinct session ids

However, if I do the alternative way of computing DC (count by sessionid, so for each different sessionid it generates a row, and then I count all the rows), it gives me the correct result.

SUMMARY INDEX with count-of-counts method: 48.692.463 distinct session ids

So the problem is in the DC function. It seems the issue occurs when Splunk gathers the DC chunks to generate the final result, but tuning the chunk_size parameter has no effect whatsoever. When I do the same test with smaller time ranges, so distinct sessions >1.000.000, both the original index and summary index DCs give me the same result.

How can I solve the problem? Is this a Splunk bug?
Hi All, I'm searching 2 different logs, which contain "Severity" as a common field. I want to extract: if log1 has severity = 6, then what is the severity in log2 at the given point in time? Severity values will be 1-6 only.

Ex:
           Log1   Log2
Severity   6      3

Kindly help on the same... Thank you
Splunk search results are fetched from different locations in the app based on Id. I have added a dropdown list for the value Table1, and the search string is as below:

Based on the above query, all the Table1 values got populated in the dropdown list, and it displays all the values in a single row (Id, Table1, Time1, Table2, Time2, PayLoad). But on change of the dropdown list, the values of Table2 (Table2, Time2, salary1, PayLoad) are getting hidden; I can see only Table1, Time1 (it shows the values from one page only, not grouping from other pages). Can you please help me?
Since the first of April we started receiving HTTP 401 Client Error in the modular input logs from the Splunk Add-on for Microsoft Office 365 Reporting Web Service (TA-MS_O365_Reporting version 2.0.1). We tried both OAuth authentication and basic authentication, but we still receive the same error. I was able to replicate the same issue in another Splunk environment against another M365 tenant. We also configured the add-on Splunk Add-on for Microsoft Office 365 (splunk_ta_o365 version 4.2.1) to fetch these logs, but we still receive the HTTP 401. We are pretty confident that the app registrations and permissions are set up correctly. Both apps connect to the API endpoint https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace. Does anyone know of any changes made to this endpoint by Microsoft?

Cheers, Rolf
What is the Splunk Add-on for Microsoft Office 365 Reporting Web Service? Is it not compatible with Microsoft's authentication library, the Microsoft Authentication Library (MSAL)? The latest version of the add-on still uses the Azure AD Authentication Library (ADAL).
Hi there, I am using a Technology Add-on with Splunk which uses the data input feature to ingest data into Splunk. I came across one issue where, when I disabled the data input from Splunk, the PID with which it was running was still present in the /proc directory of the Linux environment where Splunk is set up. Due to the non-removal of the PID, when I re-enable the data input, the process is not able to start, as it gets the impression that this job is already running with the older existing PID. To overcome this I have to manually kill the older running PID, which should be removed on disabling the data input.

Can someone please help me understand the root cause of why that PID is not getting removed or terminated when I disable the data input from Splunk itself? Why is it still present in the /proc directory, due to which the new PID for the data ingestion job is not getting initiated? It would be really helpful to get some information on the root cause, as I am continuously facing this issue. Thanks in Advance!!
Hi all, I am trying to group events using transaction. Since there are multiple endswith conditions, I tried the following to match any one of the 3 string patterns, but it is unable to match:

... | transaction client endswith=eval(match(_raw, "string1|string2|string3"))

Would anyone please help? Thanks a lot. Best Rgds