All Topics

Hello everyone, I have the SPL below that I am using:

index=abcde*
| eval logtype = if(match(_raw,".*?LTStamp.*?ConnID.*?Exp"),"browser"," ")
| eval logtype = if(match(_raw,".*?MT.*?CTime.*?MBy"),"admin"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Cust.*?SID.*?SessType"),"appconnector"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?Uname.*?SID"),"userstatus"," ")

When I use this in a search the new field "logtype" is created, but the field value is just empty with a count, and it is only taking the first eval statement and omitting the rest. If I use only one eval statement, for example the 3rd one, | eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," "), it gives me the value "useractivity" in the newly created "logtype" field. Now, my question is how I can join all these different eval statements into a single "eval" statement using the condition I have used in the SPL above, [eval logtype = if(match,(regex), "X"," ")]. Note: the regexes (.*?LTStamp.*?ConnID.*?Exp) used in the match condition are hardcoded from the events we received into Splunk. Or can we use any other condition such as CASE, LIKE, etc., so that I can get all these field values (browser, adminlogs, useractivity, appconnector and userstatus) under the "logtype" field like I mentioned below?

logtype        count   %
browser        xx      xx%
adminlogs      xx      xx%
useractivity   xx      xx%
appconnector   xx      xx%
userstatus     xx      xx%

Hope the above question makes sense; any help on this will be much appreciated. Thanks!
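Why the chain of evals collapses to one value, and one way to write the classification as a single assignment. This is an added example, not code from the post or from a reply to it; the regexes are the ones quoted in the question, and the label "admin" follows the eval in the post rather than the "adminlogs" in the desired table.

```spl
index=abcde*
| eval logtype = case(
      match(_raw, "LTStamp.*?ConnID.*?Exp"),              "browser",
      match(_raw, "MT.*?CTime.*?MBy"),                    "admin",
      match(_raw, "LTStamp.*?Customer.*?SID.*?InReason"), "useractivity",
      match(_raw, "LTStamp.*?Cust.*?SID.*?SessType"),     "appconnector",
      match(_raw, "LTStamp.*?Customer.*?Uname.*?SID"),    "userstatus",
      true(),                                             "unclassified")
| top limit=0 showperc=true logtype
```

Each `| eval logtype = if(...)` in the original reassigns the whole field, and the else branch `" "` of every later eval blanks out whatever an earlier one set, so only the last eval's result survives. `case()` returns the value of the first condition that is true and stops, so order the patterns most specific first: two of the patterns above both begin with `LTStamp.*?Customer` and an event that satisfies both will get whichever label is listed first. The `true()` fallback keeps events that match nothing visible as "unclassified" instead of leaving them out of the counts, which is the check you want before trusting the percentages. `match()` is unanchored, so the leading `.*?` of each original regex is not needed, and `top` produces the count and percent columns directly.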
Hello, I'm new to Splunk (internship) and couldn't find an answer. I need a way to filter my search. I'm currently using a ".... | ... | stats count by RequestPath" search. The problem is that the "RequestPath" can contain variable/random data at the end.

Example:
x/y/first
x/y/second/randomText
x/y/second/randomText
x/y/third

There are millions of outputs and I would like to filter them so I only keep:
x/y/first
x/y/second
x/y/third

Thanks
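Normalising the path before counting, as an added example that is not part of the original post. The index and sourcetype are placeholders, and it assumes the stable part of every path is the first three "/"-separated segments, as in the sample paths above.

```spl
index=web sourcetype=access_combined
| eval RequestPath = replace(RequestPath, "^((?:[^/]+/){2}[^/]+).*$", "\1")
| stats count BY RequestPath
```

The regex captures the first three segments and `replace()` discards everything after them, so `x/y/second/randomText` becomes `x/y/second` while `x/y/first` is left unchanged; the two `randomText` rows then merge into a single count. If the prefix depth varies but the literal prefix is fixed, use `"^(x/y/[^/]+).*$"` instead. The rewrite must come before `stats`, since the random suffix is what makes the groups distinct.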
I have a dashboard which receives a token named "time" by drilldown, which stores a specific time in epoch. Now I want the searches in my dashboard to have a time range based on this epoch value. I tried to use this token in "earliest" and "latest", i.e. <earliest>$time$</earliest>. It worked only when I put the token as is, but not with any kind of simple arithmetic like <earliest>$time$ - 100000 </earliest>. How can I use my epoch token to set the time ranges in my panels?
Hello Splunk Community! I have an ec2 instance of Windows Server 2022 with Splunk Enterprise (9.0.4) installed. Within a few minutes of installing, all of the processing queues are 100% blocked and it places all indexers on quarantine. It is currently outputting to 3 different indexers, and the only logs it is supposed to send is internal logs. I am 100% positive the indexers are not the issue. I think the problem is potentially a connection issue to these indexers as I cannot ping these machines. There is no firewall blocking traffic in between them, so thinking it might be an issue with a setting in server 2022 somewhere. I made sure to install through Admin CMD line, and for testing, this ec2 has all outbound connections open. Does anyone have any ideas or have seen this before? I had this happen on another box but messing with CMD line and different install flags it finally started working but it seems like no matter what flags I use it doesn't work.
Hi, can someone help me with an "AAD SSO last reset date" query?
Hi, I am facing an issue while implementing two textboxes in a Splunk dashboard. The requirement is to make the submit button work in three scenarios:
1. Either of the textboxes is empty
2. Both the textboxes are not empty
The submit button is not working as expected. I am attaching the code here. Please have a look and let me know what's going wrong.

<row>
  <panel>
    <title>MAKE THE TEXTBOX WORK</title>
    <input type="text" token="text1" searchWhenChanged="true">
      <label>TEXTBOX1</label>
      <default></default>
      <change>
        <unset token="isLifeCycleSubmit"></unset>
        <set token="submitLifeCycle">true</set>
        <unset token="setSubmitLifeCycle"></unset>
        <unset token="form.setSubmitLifeCycle"></unset>
      </change>
    </input>
    <input type="text" token="text2" searchWhenChanged="true">
      <label>TEXTBOX2</label>
      <default></default>
      <change>
        <unset token="isLifeCycleSubmit"></unset>
        <set token="submitLifeCycle">true</set>
        <unset token="setSubmitLifeCycle"></unset>
        <unset token="form.setSubmitLifeCycle"></unset>
      </change>
    </input>
    <input type="time" token="lifeTime">
      <label>Select Time</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
      <change>
        <unset token="isLifeCycleSubmit"></unset>
        <set token="submitLifeCycle">true</set>
        <unset token="setSubmitLifeCycle"></unset>
        <unset token="form.setSubmitLifeCycle"></unset>
      </change>
    </input>
    <input id="submitLifeCycle" type="link" token="submitLifeCycle" searchWhenChanged="true" depends="$submitLifeCycle$">
      <label></label>
      <choice value="true">Submit</choice>
      <change>
        <set token="isLifeCycleSubmit">true</set>
        <unset token="submitLifeCycle"></unset>
        <unset token="form.submitLifeCycle"></unset>
        <set token="setSubmitLifeCycle">true</set>
      </change>
    </input>
    <input id="setSubmitLifeCycle" type="link" token="setSubmitLifeCycle" searchWhenChanged="true" depends="$setSubmitLifeCycle$">
      <label></label>
      <choice value="true">Submit</choice>
    </input>
  </panel>
</row>
<row>
  <panel>
    <table>
      <title>QUERY</title>
      <search>
        <query>index=abc sourcetype ...|eval isSubmit=$isLifeCycleSubmit$</query>
      </search>
    </table>
  </panel>
</row>
I have HTML sections relying on some custom CSS in a dashboard and I can make them look great in either dark or light mode like so:

<form version="1.1" stylesheet="foobar_light.css" theme="light">

Or:

<form version="1.1" stylesheet="foobar_dark.css" theme="dark">

I would ideally like not to specify in which mode the dashboard should be seen and leave it to whatever the user's preference is. The problem is dark mode with the light CSS looks awful/unreadable and vice-versa. Is there any way I can get Splunk to choose the right CSS depending on the user's theme preference?
After the update to v7.1 of Splunk ES Incident Review channel, when selecting events and choosing Edit Selected, it presents with the popup/overlay window, where we can change the Status (Analyzing, Closed, etc..) and assign ourselves as the Owner. When clicking on Save Changes, the overlay window does not auto-close, and we have to manually click on the Close button. In the previous version this overlay auto-closed and the Incident Review page refreshed after clicking on Save Changes (or Save). Is there some configuration setting that will enable this once again auto-close after making the Status changes?
Hi, I'm wondering if the syslog outputs.conf feature described in the [syslog] stanza supports TLS encryption? I see no mention of it in the docs about this.
I have three fields like:

field1=SGSIFASFFWR035A
field2=AXAZCBDM02
fields3=ESESDFAADFSABBM00002

From the above examples I want to extract field values like these:

field1=FWR035A (any character after FW*, including FW)
field2=BDM02 (any character after BDM*, including BDM)
fields3=BBM00002 (any character after BBM*, including BBM)

Additionally, I want to use a single command to extract all three field values in one go, like "FW*|BDM*|BBM*". I am using the rex command below to extract it, but it is not including the FW keyword in the extracted field:

| rex field=field1 "FW(?<AFTERTHISKEYWORD>\S+)"

If you can provide a workable solution, either using rex and eval or other code, it would be appreciated. Thanks in advance.
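Keeping the keyword in the capture and doing all three fields in one command. This is an added example, not code from the post; it uses the field names exactly as posted (including "fields3") and assumes the identifiers contain only non-space characters after the keyword.

```spl
| rex field=field1 "(?<AFTERTHISKEYWORD>(?:FW|BDM|BBM)\S*)"
| foreach field1 field2 fields3
    [ eval <<FIELD>>_short = replace('<<FIELD>>', "^.*?((?:FW|BDM|BBM)\S*)$", "\1") ]
| table field1 field1_short field2 field2_short fields3 fields3_short
```

The posted rex drops "FW" because the literal sits outside the named group; moving the alternation inside the group keeps it, so the first line alone yields FWR035A. The `foreach` line applies the same pattern to every listed field, producing BDM02 and BBM00002 for the other two samples. Two caveats: the lazy `.*?` means the first occurrence of any keyword wins, so an identifier that happens to contain "FW" before the real prefix would be cut early; and `replace()` returns the input unchanged when nothing matches, so a value without any keyword is copied as-is rather than blanked, which you may want to guard with `match()` first.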
Hi, after configuring some reports in PCI, when I go back to Report I get an error message: "A custom JavaScript error caused an issue loading your dashboard. See the developer console for more detail". How do I fix this error?
Hello Splunkers, help me please. I need a search to generate a daily report looking for users' traffic in internal logs. I get a CSV file generated daily by an external system which contains the username and a start-end time period, like this:

report.csv
user,start_time,end_time
user1,8,16
user2,8,20

I have to insert these three fields per user into my search. I am using inputlookup to catch the "user" field this way:

[base search] | search user=*[|inputlookup "report.csv" |fields user ]* | table x,y,z,user

It works and shows only the user-related logs; there could be one or more users in the CSV. The problem I cannot handle yet is the additional fields. I had an idea to add an extra field with the "eval" command, but it doesn't work. So how can I read the rest of the data from an external CSV file? Thanks
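Pulling the remaining CSV columns onto each event with `lookup ... OUTPUT`. This is an added example, not code from the post or a reply; the index and sourcetype are placeholders for the base search, and it assumes start_time and end_time are hours of the day, as the sample rows (8,16 and 8,20) suggest.

```spl
index=proxy sourcetype=web_traffic
    [ | inputlookup report.csv | fields user ]
| lookup report.csv user OUTPUT start_time end_time
| eval hour = tonumber(strftime(_time, "%H"))
| eval in_window = if(hour >= start_time AND hour < end_time, "yes", "no")
| table _time user x y z start_time end_time in_window
```

The subsearch still restricts the base search to the users in the file (it expands to `user="user1" OR user="user2"`), and the `lookup` line matches each event's user against the same CSV and copies that row's start_time and end_time onto the event, which is what an `eval` cannot do because the values live outside the search results. With the hours available per event you can flag or filter traffic inside or outside each user's window; the `in_window` column is there so you can see both before deciding which way to filter.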
Hello dear Splunk community, how can I set the colors of the bar chart in Splunk Dashboard Studio? Example code:

index=digiks sourcetype=modeas_nexonic earliest="@d+390m-7d" latest="@d+1830m" SUB_DIB="4711" OR SUB_DIB="0815"
| dedup RECV_TIME
| chart count(RECV_TIME) over shift day by SUB_DIB
| rename "4711" AS A_CHART, "0815" AS B_CHART

The bar 4711 should be displayed in red color. The bar 0815 shall be displayed in green color. Thanks in advance!
What kinds of KPIs are supported when KPI Analyzer is enabled?
We have different licenses that expire on different dates. The current sourcetype data comprises both future expiry and past expiry. We don't want licenses that are expired, meaning anything that is before the current day. The "Expire valid To" field will have this date. Please let me know how to achieve this in SPL.
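Filtering on a date field by converting it to epoch first, as an added example that is not part of the original post. The index, sourcetype and the date format "%Y-%m-%d" are assumptions; adjust the strptime format to match the actual values in "Expire valid To".

```spl
index=licensing sourcetype=license_inventory
| rename "Expire valid To" AS expires_on
| eval expiry_epoch = strptime(expires_on, "%Y-%m-%d")
| eval status = case(isnull(expiry_epoch),                         "unparsed",
                     expiry_epoch < relative_time(now(), "@d"),    "expired",
                     true(),                                       "valid")
| where status != "expired"
| eval days_left = if(status == "valid", round((expiry_epoch - now()) / 86400), null())
| table expires_on status days_left
```

Comparing against `relative_time(now(), "@d")` (midnight today) rather than `now()` keeps licenses that expire later today, matching "before the current day". The "unparsed" branch is the check worth keeping: if the format string does not match the data, `strptime()` returns null and a plain `where expiry_epoch >= ...` would silently drop every row, so surfacing unparsed rows tells you the format is wrong instead of reporting an empty, apparently clean, license list.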
Hi Splunk Community, I'm trying to ensure that my cluster master is sending internal logs to the indexer. Which directory in my cluster master should I put outputs.conf in? And are there other conf files that should accompany my outputs.conf file?
I installed the Splunk add-on to push events into ServiceNow and am getting this error: "snsecingestes Unable to forward notable event". Where could I start troubleshooting this issue?
Hello Splunkers, I have two lookups which need to be joined. lookup1.csv contains the rule name and the technique id in its columns, and lookup2.csv contains the technique id and the tactic name in its columns. I have joined the two lookups and got the result. The problem I am facing now is that if the rule has multiple tactic names, the output displays them in the same single field (screenshot attached). But I need the result such that if the rule has two tactic names, it displays the rule name twice with the tactic names individually. The query I used to join the lookups is:

| inputlookup lookup1.csv | lookup lookup2.csv technique_id

Waiting for the response. Thanks in advance
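Splitting the multivalue result into one row per tactic, as an added example that is not part of the original post. The column names rule_name and tactic_name are assumptions (the post names the columns only descriptively); technique_id is the key used in the posted query. The `makemv` line is only needed if a single lookup1 row lists several technique ids separated by commas, which is also an assumption.

```spl
| inputlookup lookup1.csv
| makemv delim="," technique_id
| mvexpand technique_id
| lookup lookup2.csv technique_id OUTPUT tactic_name
| mvexpand tactic_name
| table rule_name technique_id tactic_name
```

When lookup2 has several rows for one technique_id, `lookup` returns tactic_name as a multivalue field on the single matching row, which is the combined cell in the screenshot. `mvexpand tactic_name` copies that row once per value, so a rule with two tactics appears on two rows with the rule name repeated. Expanding technique_id before the lookup matters, because `lookup` matches a multivalue key against each value and would otherwise merge the tactics of all techniques into one field.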
Hi Splunk Community, I need a Splunk query that monitors a password change in the DC log source that was not performed by the user from log source X (DC), but rather performed by an automation of the system itself, log source Y (Automated Password System). I want to trigger the search only in case the password change event was received, and from that point search 10 minutes back to see if the trigger was the system itself or an actual user. Can you please assist?
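Correlating each DC password event with the automation system's own log over a 10-minute lookback, as an added example that is not part of the original post. Windows EventCodes 4723 (password change) and 4724 (password reset) and the fields TargetUserName, SubjectUserName and Computer are standard for Windows Security events; the index and sourcetype names, the automation system's index, sourcetype, action value and target_account field are placeholders for log source Y.

```spl
(index=wineventlog sourcetype="XmlWinEventLog" EventCode IN (4723, 4724))
    OR (index=pwautomation sourcetype="pwautomation:events" action="password_reset")
| eval source_kind = if(index == "wineventlog", "dc", "automation")
| eval user = lower(coalesce(TargetUserName, target_account))
| eval auto_time = if(source_kind == "automation", _time, null())
| sort 0 user _time
| streamstats current=false last(auto_time) AS prev_auto_time BY user
| where source_kind == "dc"
| eval initiated_by = if(isnotnull(prev_auto_time) AND (_time - prev_auto_time) <= 600,
                         "automation", "user")
| table _time user EventCode SubjectUserName Computer initiated_by
```

Both sources are read in one search, events are ordered oldest first per account, and `streamstats` carries the most recent automation timestamp forward onto every later event for that account (`current=false` excludes the event itself, and events with no auto_time do not reset the value). A DC event whose previous automation event is within 600 seconds is labelled "automation"; anything else, including accounts the automation never touched, is "user". Filter `initiated_by="user"` for the alert. Schedule it with a window that extends at least 10 minutes before the DC events it examines (e.g. earliest=-25m), otherwise the automation event falls outside the search and every change looks user-initiated. If the automation acts through a dedicated service account, comparing SubjectUserName against that account is a cheaper first check on the DC side alone.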
Hello, is it possible to calculate the storage that part of a log is taking? I have a log file that contains a message for which I want to calculate the storage it takes. After getting the numbers, is it possible to exclude it from the index? Thanks