I'm not able to figure out how to use submitOnDashboardLoad in a normal XML dashboard. Where shall I put it? I've tried putting it in the form, search, fieldset, and as an option name, but it's not working.
Hi @ All Splunkynators, how do I sample incoming (HEC) data? I want to get statistical data/events to save license volume, dropping e.g. 9 of 10 incoming events... I look forward to your suggestions. Regards - Markus
I need to take a CSV file as input with a list of UF hostnames and check in a dashboard whether they are reporting to the Splunk deployment server.
Hello People, I am trying to run the below Splunk query:

base search | rename msg.message as "message", msg.customer as "customer" | eval Total_Count = 1, Total_Success = if(where isnull( msg.errorCode),"1","0"), Total_Error = if(where isnotnull( msg.errorCode),"1","0") | fields Total_Count,Total_Success,Total_Error,message,customer | stats sum(Total_Count) as Total, sum(Total_Success) as Success, sum(Total_Error) as Error | eval successRate = ((Success/Total)*100)."%" | stats Total, Success, successRate by customer

and I am getting the below error:

Error in 'eval' command: The expression is malformed. Expected IN.

Can anyone please let me know what I am doing wrong here? Thanks!!!
Hi, I want to write a case condition where I can check values from the Range column. For instance:
If the range for both Cost & Product is low, then a new column should show the value low.
If the range for both Cost & Product = severe, then the new column should show severe.
If the range for Cost=severe & Product=low, OR Cost=low & Product=severe, then the new column = elevated.
Please suggest.
Hello, I am facing issues finding a delta. I have:
Lookup table: testaccount_holder.csv, with 2 field names in the lookup: account_no and cell.
index=test, sourcetype=test_account, with 2 field names: account_no and cell.
Now I need to compare the lookup table with the sourcetype using these 2 fields and find all the records/rows which exist in the lookup table but not in the sourcetype. This comparison is based on these 2 fields. Any recommendations will be highly appreciated. Thank you so much.
I have 2 groups of data:
messageId1: ['A', 'B', 'C']
messageId2: ['A', 'E', 'F', 'G', 'T', 'Z']

How do I return the values that are ONLY present in messageId1 and not in messageId2? So the result for this would be: 'B' and 'C'.
Hi all. I have one SHC with 3 search heads. I thought that if I created a HEC using the web GUI on a specific member, the HEC would be replicated to the others, but it is not. What should I do to fix that? My SHC members have replication_port = 9887 in server.conf.
I need to create a single field named MemberOf from the XML snippet below. It should look like this:

memberOf
CN=Buttercup,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com
CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Contractors – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Contractors – US – Buttercup- Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=ButtercupLocation - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Everyone - M to Q - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=O365-Buttercup,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com
CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com

<entry key="memberOf">
  <value>
    <Map>
      <entry key="CN=Buttercup Location - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
      <entry key="CN=Contractors - Group,OU=SharePoint,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
      <entry key="CN=Contractors – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=buttercup,DC=com"/>
      <entry key="CN=Contractors – US – Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Corp-Hypr,OU=Hypr,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Everyone - Group,OU=SharePoint,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Everyone - Buttercup - Group,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=O365-Buttercup2,OU=MIM Created Groups,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Buttercup ,OU=SAP Service Accounts and Groups,OU=Service Accounts,DC=corp,DC=Buttercup,DC=com"/>
      <entry key="CN=Buttercup-MNOPQ,OU=CIT-WS,OU=Groups,DC=corp,DC=Buttercup,DC=com"/>
    </Map>
  </value>
</entry>
I am trying to split the values in both columns and create 5 rows by assigning the respective values. I need an output as below. Can someone suggest how I can achieve this? I tried mvexpand but it does not seem to help. Is there anything else we can try?

field1  | field2
--------|-------
Name 1  | 10
--------|-------
Name 2  | 12
TL;DR: What is wrong with the SPL at the end?

I am trying to list the IIS cs_User_Agent(s) for each test customer. The EventID field found in the SystemLog matches up with the IISEventId field in IIS. That is how they are connected. The inner search (sourcetype="SystemLog*") run alone returns 6,000 events. That is correct. With the join, 160,000 events are returned. Since the subsearch is run first and every EventID is unique, I would expect 6,000 events.

There is only one CustomerName shown in stats and it is the same in each row. The CustomerName is also different on each search. If I add a specific customer to the subsearch, such as CustomerName="Bob's Pizza" or CustomerName="Bolts R Us", the same number of results is returned.

Search: The names have been changed to protect the innocent. Any spelling errors or missing quotes are just a failure in my typing ability. I have switched the two searches in the join and also switched the rename order and had the same problem. If the subsearch is run first and the join uses the renamed field from the subsearch for the outer search, this seems correct to me.

index=myIndex sourcetype=IIS
| join IISEventID [ search index=myIndex sourcetype="SystemLog*" IsTestCustomer="True"
  | rename EventID as IISEventID
  | fields CustomerName ]
| stats count by CustomerName cs_User_Agent

This is a sample of the output. I know that Bob's Burgers does not use PRTG. If I run it again the CustomerName may be "The Three Broomsticks" or any other customer.

CustomerName   cs_User_Agent                 count
Bob's Burgers  Rebex+HTTPS                   2150
Bob's Burgers  Mozilla/4.0+                  934
Bob's Burgers  Mozilla/5.0                   611
Bob's Burgers  Amazon-Route53-Health-Check   464
Bob's Burgers  PRTG/Go+Health+Check          124

Thanks for any help.
I installed an SH, and before I added it to the SH cluster search worked; after I added it I got the following. So what's going on? Why does Splunk do this as I gain momentum?
Hi all,

How do you collect your macOS security logs and index them into your Splunk Cloud/Enterprise instance?

I already have a deployment server, so it would be great to just install the UFs with some parameters to connect to the DS, and from there on install the app and make the UF send what the app tells it to send.

Is the best way to do it using the Splunk UF?

Apple changed to the Unified Log Database format, so how do you do it? My manager suggested SC4S, but is it necessary? Can SC4S even ingest macOS data? We want the SC4S server to remain internal since all of us are WFH. SC4S is not recommended for use with wireless networks, firewalls, or IDSs, which we all have, so I don't think that's possible. I would greatly appreciate your help.
I am trying to create a search to generate an alert if I find a host that has more than 1000 events for two consecutive 10 minute periods. The first search would look for a particular string to see if there are more than 1000 occurrences (by host) from 20 minutes ago to 10 minutes ago. Then I want to see if that same host has more than 1000 events from 10 minutes ago to now. Would I use two different searches with the same search (index=anIndex source=aSource "aString") with just different lookbacks, (earliest=-20m latest=-10m) and (earliest=-10m latest=now), and then appendcols? Where this stumps me is how I would make sure that it's the same host from the first search that is also found in the second search. Or is there a different/better approach for this type of comparison search?
Here's my query:

index=comp_logs "processed=" | eval name=consumerGroupId | timechart span=1h sum(processed) as processed by name

It gives me this result: For each column, I'd like to get the top 10 values in descending order (we can remove the _time column). Is this possible with timechart? Thank you!
Has anybody managed to integrate a dashboard with FIRST's cvsscalc31.js? We would like to get the cyber data scored using this script - Common Vulnerability Scoring System v3.1: Calculator Use & Design.
I'm trying to alert on/query any host that has not had an update in more than, say, 30 days.

Here is the search in Splunk:

index=endpoint_mcs_server sourcetype="Windows:UpdateList"

Which gives me this data:

PSComputerName="host" description="Update" hotfixid="KB5022503" installedby="NT AUTHORITY\SYSTEM" Installedon="02/23/2023"

So it gives me a date, "InstalledOn", so I just need to edit the search to only show systems that have not had an update ("InstalledOn") in the last 30 days.

Thanks for the help.
Hello, I'm having issues with line breaking for some reason. I'm looking to break an event every 6 lines. Any suggestions?

Log example:

Total Operations Currents/sec:Max/sec:Success:Failed
2 144 184469195 201
Key Generate Current/sec:max/sec:Success:Failed
0 0 0 0
Key Version Generate Currect/sec:Max/sec:Success:Failed
0 0 0 0
Key Version Generate Currect/sec:Max/sec:Success:Failed
0 0 0 0
After updating my add-on to 4.1.2 I am getting this error during certification:

check_python_sdk_version Detected an outdated version of the Splunk SDK for Python (1.6.6). Please upgrade to version 1.6.16 or later. File: bin/add-on/aob_py3/solnlib/packages/splunklib/binding.py
I want to add a new row to my search result using values from the previous result. Basically I am counting a few strings and I want to display the percentage of each matched string in a new row using some mathematical operators or functions. Below is what I have done. My first query works fine, but the second query in append is giving an error. The error is:

Error in 'eval' command: The expression is malformed. Expected AND.

index="12345" "Kubernetes.namespace"="testnamespace"
| bin _time
| stats count(eval(searchmatch("String1"))) AS Success count(eval(searchmatch("string2"))) AS Sent count(eval(searchmatch("string3"))) AS Failed
| append [ stats eval Success_percent= Success/(Success+Sent +Failed) AS Success eval Sent_Percent= Sent/(Success+Sent +Failed) AS Sent eval Failed_percent= Failed/(Success+Sent +Failed) AS Failed ]
| transpose 0 column_name="Status"
| rename "row 1" as Count
| rename "row 2" as "Percent"