Hello fellow splunkers, I'm posting here because I would gladly have help with the following query. Let's say I have an XML like this one:

<?xml version='1.0' encoding='UTF-8'?>
<rootElement>
<group>
<groupItemKey>item1</groupItemKey>
<groupItemValue>0</groupItemValue>
</group>
<group>
<groupItemKey>item2</groupItemKey>
<groupItemValue>1</groupItemValue>
</group>
<group>
<groupItemKey>item3</groupItemKey>
<groupItemValue>2</groupItemValue>
</group>
...
<group>
<groupItemKey>itemN</groupItemKey>
<groupItemValue>3</groupItemValue>
</group>
</rootElement>

And I want to extract into a table like this all the possible combinations I have of groupItemKey and groupItemValue:

GroupItemKey   GroupItemValue
item1          0
item2          1
item3          2

I tried with the following query:

| makeresults
| eval _raw="<?xml version='1.0' encoding='UTF-8'?><rootElement><group><groupItemKey>item1</groupItemKey><groupItemValue>0</groupItemValue></group><group><groupItemKey>item2</groupItemKey><groupItemValue>1</groupItemValue></group><group><groupItemKey>item3</groupItemKey><groupItemValue>2</groupItemValue></group><group><groupItemKey>itemN</groupItemKey><groupItemValue>3</groupItemValue></group></rootElement>"
| xmlkv
| table groupItemKey, groupItemValue

But it seems that only the item with groupItemKey "itemN" gets considered when outputting the results in the table; the same goes with regex. Any ideas how to make it work so that Splunk takes all the groupItemKey elements? Thanks a lot!
I've created fields from regex expressions before but never from the source field. This is an example of the value within the source field:

\\host0000\Test\IT Information\ Data Files\Daily Reporting\Business Unit\

I would like to extract the business unit value and call it Business Unit. I have access to create a props.conf file. Can you help?

Kind regards, Vishal
I have this search that is working and returning an average Delay value:

Search Command | eval epoch_timestamp=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3N%:z") | stats range(epoch_timestamp) as Delay by "logId" | stats avg(Delay)

However, I want to display the daily averages in a timechart graph to see the performance evolution by day. I tried the following based on research, but it does not return Statistics or Visualization values (it just returns events):

Search Command | eval epoch_timestamp=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3N%:z") | stats range(epoch_timestamp) as Delay by "logId" | bucket _time span=1d | stats avg(Delay) as Performance by _time
Hi, I have a challenge masking out password data from the ps source/sourcetype events at indexing time. We have made an application with a props.conf file and a transforms.conf file. This application is distributed to all indexers, and when we use btool to list which settings are in use, it all seems OK. The indexers have also been restarted after pushing the bundle to them, although a restart was not necessary according to the validate cluster-bundle command. My regex works fine in regex101, but nevertheless the passwords still remain unmasked after trying to activate it.

From props.conf:

# Remove password from source:ps for wlp-servers
[ps]
TRANSFORMS-anonymize = ps_password-anonymizer

From transforms.conf:

[ps_password-anonymizer]
REGEX = (?m)^(.*?password=|.*?PASSWORD=).*?_(-.*)$
FORMAT = $1XXXX_$2
DEST_KEY = _raw

From btool:

/opt/splunk/etc/peer-apps/nt_anonymizer/default/transforms.conf [ps_password-anonymizer]
/opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True
/opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True
/opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =
/opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/peer-apps/nt_anonymizer/default/transforms.conf DEST_KEY = _raw
/opt/splunk/etc/peer-apps/nt_anonymizer/default/transforms.conf FORMAT = $1XXXX_$2
/opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False
/opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096
/opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/transforms.conf MV_ADD = False
/opt/splunk/etc/peer-apps/nt_anonymizer/default/transforms.conf REGEX = (?m)^(.*?password=|.*?PASSWORD=).*?_(-.*)$
/opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw

Any ideas why this won't work as expected? Isn't it possible to do this on the indexers? Does it have to be done on a HF?
Hello all, I'm looking to create a dashboard for certain accounts. I have a list of 20 accounts that need to be monitored for whether they are logging in or not. I did a stats count and can see all the accounts; however, putting this into a single value visualization shows a count for all the logs, so it's showing millions, as it's counting each log for the accounts. Is there a way to get the number to only count when it sees an account, rather than the account and every log associated with it? I should only have a max of 20. Thank you
Need help with a regex for inputs.conf to change the host to the hostname, and in case the host has an FQDN it should pick up the hostname only. Example:

1) host=hostname1
2) host = hostname2.yahoo.com
3) host = hostname3.google.com

In all these examples it should pick only hostname1, hostname2, hostname3.
Let's say I have the result below:

index = indextest source=stest bunch of evals = evals sourcetype=sttext | table ID Status Remark Values

ID    Status   Remark      Values
11    PASS     CHECKED     something something hello
371   FAILED   CONFIRMED   someting hello SOME

Let's say I want to input another field from an inputlookup that is correlated with the ID number, e.g.:

| inputlookup test | table ID ActualName

ID    ActualName
11    McDonald
371   BurgerKing

How do I simply input that result into the first query so that I can get a result as below?

ID    ActualValue   Status   Remark      Values
11    McDonald      PASS     CHECKED     something something hello
371   BurgerKing    FAILED   CONFIRMED   someting hello SOME

NOTE: when I try this,

index = indextest source=stest bunch of evals = evals sourcetype=sttext | append [ | inputlookup test ] | stats values("ID") as ID, values("Actual Value") as "Actual Value" ...and so on... by System

the result comes out as

ID        ActualValue            Status         Remark               Values
11, 371   McDonald, BurgerKing   PASS, FAILED   CHECKED, CONFIRMED   something something hello, someting hello SOME

It's not separated. Simply, how do I insert an inputlookup result into a table that shares one common field?
Hi Team, I need a rex command to extract the subject field from the event _raw. Currently I am splitting the fields with a comma (,) and extracting the fields based on index number. This works for 80% of the data, but it fails to extract for the rest because the subject contains a comma within the subject itself, which causes the subject to split into two different fields.
Hello, I need to parse iLO5 logs. I have tried a lot of variants of props.conf, but none of them worked. I need to create a sourcetype for this. Here is an example of the log:

Feb 13 10:14:32 11.34.20.65 1 2022-01-13T07:170:23Z ILOZY556597X4 iLO5 - - - Host REST logout: System Administrator
My regex from the message field looks like this:

| rex field=Message "\W(?<Hostname>\S+)\s\w+\W(?<Build>\S+)\s\w+\W(?<CpuCount>\S+)\s\w+\W(?<CpuTotalMhz>\S+)\s\w+\W(?<CpuUsageMhz>\S+)\s\w+\W(?<MemoryTotalMB>\S+)\s\w+\W(?<MemoryUsageMB>\S+)\s\w+\W(?<Version>\S+)"

For some reason it matches and pulls out all the fields from this entry:

Message=Hostname=esx-pod1-nprd-112.mad.local Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=142 MemoryTotalMB=1048094.5625 MemoryUsageMB=9086 Version=7.0.3

But not from any other entries, which could look like this:

Message=Hostname=10.241.192.46 Build=20842708 CPUCount=96 CpuTotalMhz=287232 CpuUsageMhz=8186 MemoryTotalMB=1048094.55859375 MemoryUsageMB=198624 Version=

or

Message=Hostname=esx-cl6-184.mad.local Build=19195723 CPUCount=20 CpuTotalMhz=49880 CpuUsageMhz=672 MemoryTotalMB=294587.2578125 MemoryUsageMB=52530 Version=
What could be the settings to break the TCP data in Splunk? I need to break after the @ sign into another event.

L2023087102901 some data 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 000000 <@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@L2023087102903 another some data
Hello, I need to add an alert action to many alerts. Is it possible to add the same action to all of the alerts at one time? Thanks
Hello! My objective is to put the license expiry on a dashboard.  I read some older posts that state I can call a REST endpoint, but those seem to be out of date as the functionality is no longer available. What is the recommended way in 2023 to retrieve license expiry information so that it can be displayed on a dashboard?  I don't want to have to revert to storing a fixed value in a lookup... Thank you and best regards, Andrew
Hi All, I am trying to configure REST API endpoints to fetch data from the Office 365 Admin Center. I am trying to do that via the Splunk Add-On for Microsoft Office 365. (Please let me know if I am doing it wrong, because I don't see any Splunk document that says how to configure REST endpoints to fetch Admin Center data.) So far I have got the tenant created and it is able to access the APIs. My question is where do I configure the endpoints, or what input type and content type should I select in the Splunk Add-On for Microsoft Office 365, as I don't see an option to add the endpoints anywhere in the TA? Also, is there any other way to configure this? Thanks in advance for your help and suggestions!! Apologies for not being able to share any screenshots due to security concerns.
Hi *, I am trying to search via tstats and TERM() statements. How can I use TERM() phrases that come from a dashboard input field? For example:

Input field = test1,test2

Output search = | tstats values(PREFIX(test_content=)) as test_content where index=testindex AND (TERM(host=test1) OR TERM(host=test2)) by _time PREFIX(host=)
Hello guys, I have events like this, in raw text:

{"key":"Pending","value":0}
{"key":"NOT processed","value":9}
{"key":"error","value":5}
...

And so on; every row is an event. I want to build a chart with the latest value of "Pending", "NOT processed", "error". I cannot understand how to do it. Please help
Hey All, Been banging my head for a few days with this one and will appreciate any feedback on the topic. The scenario is the following:
- LDAP data is polled via ldapsearch and written to a csv lookup table - ldap_users
- The use case is to return all subordinates under a specific person in the company

Here's an example of the end goal. Consider the following 5 lines in the csv lookup:

cn      displayName       mail                     dn                        manager
dm123   Dean, Martin      dean.martin@test.eu      CN=dm123,OU=T,OU=E,OU=S   -
ep123   Elvis, Presley    elvis.presley@test.eu    CN=ep123,OU=T,OU=E,OU=S   dm123
mj123   Michael, Jordan   michael.jordan@test.eu   CN=mj123,OU=T,OU=E,OU=S   ep123
bc123   Bill, Clinton     bill.clinton@test.eu     CN=bc123,OU=T,OU=E,OU=S   mj123
ba123   Buzz, Aldrin      buzz.aldrin@test.eu      CN=ba123,OU=T,OU=E,OU=S   mj123

In this case, dm123 is the CEO of the company and is the direct manager of ep123. ep123 manages 1 person, mj123, who then manages two people - bc123 and ba123. What is needed: if I run a query for the user dm123, to receive everybody under them in the company structure, so in this case all other 4 users. So far I'm swinging at using foreach to iterate over the LDAP tree, but I can't figure out how to do multiple iterations. Here's my search so far:

| inputlookup ldap_users WHERE ( ( manager="CN=dm123,OU=T,OU=E,OU=S" ) )
| search cn!="x*" cn!="y*" cn!="z*"
| table cn, displayName, mail, dn
| rex field=dn "CN\=(?P<dn>[^\,]+)\,"
| foreach dn [| lookup ldap_users manager as dn OUTPUTNEW mail as mail_employee]
| mvexpand mail_employee
| search mail_employee!="-"

In manager= in the above, you would enter the person from whom the iteration should begin. In this case, the CEO. The output returned is the cn, displayName, mail, dn for all their direct subordinates - ep123. I then take the dn for them (ep123) and do a foreach, looking for any users who have a manager that's equal to the dn - this would be mj123. This provides me with the following output:

cn      displayName      mail                    dn                        mail_employee
ep123   Elvis, Presley   elvis.presley@test.eu   CN=ep123,OU=T,OU=E,OU=S   michael.jordan@test.eu

This is good, but now I have two roadblocks:
- How to use mj123 (any piece of information - mail/dn/cn, doesn't matter which we choose for the example) to iterate once more and return bc123 and ba123.

Any help will be extremely appreciated!
I have an Azure function app with .NET 6 and Windows OS. I have written Azure functions using v4. I also installed the extension on my function app. Still, it is not monitoring my functions. This is the reference link I followed: https://docs.appdynamics.com/appd/4.5.x/en/application-monitoring/install-app-server-agents/deploy-appdynamics-for-azure/instrument-the-net-agent-with-azure-functions
Hello - I am looking to match an uploaded lookup table in csv format to the indexes we have. I am running into problems since the column I want to match in the index is not parsed. I have two questions:
1. Can we parse in Splunk to extract the numbers and words we need? If so, what is the resource I need, or how do I parse correctly?
2. I am looking to match a column in my lookup table to the parsed data in the index. We have different indexes and we need to look all of them up with the same lookup table csv. What I have so far is this; do we need the eval command?

index=guardduty | [ |inputlookup CostCentersandAWSAccounts.csv | search AccountId=Title | fields Business ]
chrome.exe and acrobat.exe are very noisy in our environment. I don't want to just exclude the process name, because the actual process could be malicious. I was just wondering what best practice would be to make it less noisy. I was thinking of excluding the process name only if it matches the correct SHA256, or is there a better way?