Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I inherited a Splunk environment. I was informed the other day that a computers.csv lookup is not generating any results. Is there a way to find out what should be populating that file, which is currently empty? I did find the app which houses the lookup CSV.
Good afternoon. I'm having trouble changing the color of the indices (numbers) that appear on top of the bars. I need to change the current color (black) to white. Can someone help me? Panel code:

{
  "type": "viz.column",
  "title": "",
  "dataSources": { "primary": "ds_7YQhhskC" },
  "options": {
    "foregroundColor": "#FFFFFF",
    "fontColor": "#FFFFFF",
    "fieldColors": { "Sum of amount": "#A870EF" },
    "legend.placement": "top",
    "axisTitleX.text": "Days of the week",
    "axisTitleY.text": "Amount of transactions",
    "chart.showDataLabels": "all",
    "legend.labelStyle.overflowMode": "ellipsisNone",
    "yAxisVisibility": "show",
    "xAxisVisibility": "show",
    "backgroundColor": "transparent"
  },
  "showProgressBar": false,
  "showLastUpdated": false,
  "context": {}
}
Hi, I want to add a new Search Head to my existing 3-node SHC. My question is regarding the initialization step.

splunk init shcluster-config -auth <username>:<password> -mgmt_uri <URI>:<management_port> -replication_port <replication_port> -replication_factor <n> -conf_deploy_fetch_url <URL>:<management_port> -secret <security_key> -shcluster_label <label>

If I look in the server.conf on an existing SHC member, you can find the pass4SymmKey:

[shclustering]
pass4SymmKey = $9$dkjajkldjaj--

But I have the original secret that was used to create the pass4SymmKey, e.g. password1234. Which do I use? And when I add the IDX cluster to the new SHC node, do I use the pass4SymmKey or the original secret? Thank you!
I am trialing splunk and have installed the splunk otel collector but nothing is appearing in the console, the access token shows 0 hosts tied to it.
Good day all! UF version 8.2.9 on a series of Linux machines. I have an application containing local/server.conf deploying to a series of Linux machines. The machines have a mixed configuration of short and FQDN as the hostname. For consistency, I want to use the short name. Each instance environment contains a variable called HOST_EXTERNAL which is the short name. The documentation states:

* Can contain environment variables.
* After any environment variables are expanded, the server name (if not an IPv6 address) can only contain letters, numbers, underscores, dots, and dashes. The server name must start with a letter, number, or an underscore.

ERROR: serverName must start with a letter, number, or underscore. You have: $HOST_EXTERNAL

serverName is only set in apps/app-name/local and system/default/server.conf:

system/default/server.conf:serverName=$HOSTNAME
app-name/local/server.conf:serverName = $HOST_EXTERNAL

Googling doesn't produce any examples of using an environment variable other than $HOSTNAME. What am I missing when attempting to use $HOST_EXTERNAL as serverName in server.conf? Thoughts?
I have an OpenCanary which is using a webhook to deliver data into my Splunk instance. It works really well, but my regex is a bit rubbish and the field extraction is not going well. The wizard is getting me a reasonable way, but OpenCanary moves the log items around in the rows and this foxes the wizard, which seems to see the repetition and resists my attempts to defeat it when I try to take the text after some labels (namely Port, which works as it's in the same location per line, Username, Password and src_host). Two lines which should help with the understanding of my challenge:

message="{\"dst_host\": \"10.0.0.117\", \"dst_port\": 23, \"local_time\": \"2023-02-08 16:20:12.113362\", \"local_time_adjusted\": \"2023-02-08 17:20:12.113390\", \"logdata\": {\"PASSWORD\": \"admin\", \"USERNAME\": \"Administrator\"}, \"logtype\": 6001, \"node_id\": \"hostname.domain\", \"src_host\": \"114.216.162.49\", \"src_port\": 47106, \"utc_time\": \"2023-02-08 16:20:12.113383\"}" path=/opencanary/APIKEY_SECRET full_path=/opencanary/APIKEY_SECRET query="" command=POST client_address=100.86.224.114 client_port=54770

message="{\"dst_host\": \"10.0.0.117\", \"dst_port\": 22, \"local_time\": \"2023-02-08 16:20:11.922514\", \"local_time_adjusted\": \"2023-02-08 17:20:11.922544\", \"logdata\": {\"LOCALVERSION\": \"SSH-2.0-OpenSSH_5.1p1 Debian-4\", \"PASSWORD\": \"abc123!\", \"REMOTEVERSION\": \"SSH-2.0-PUTTY\", \"USERNAME\": \"root\"}, \"logtype\": 4002, \"node_id\": \"hostname.domain\", \"src_host\": \"61.177.172.124\", \"src_port\": 17802, \"utc_time\": \"2023-02-08 16:20:11.922536\"}" path=/opencanary/APIKEY_SECRET full_path=/opencanary/APIKEY_SECRET query="" command=POST client_address=100.86.224.114 client_port=54768

Any regex experts who can help me build out pivots and reporting for my OpenCanary, which gets around 200,000 connection attempts every 7 days?
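The reason the wizard struggles is that the interesting fields live inside a JSON document that is escaped into the message="..." value, and OpenCanary serialises the logdata keys in alphabetical order, so their position shifts with the protocol. The following is an added example (not code from the post or from OpenCanary) that takes the two events quoted above, decodes the embedded JSON so key order no longer matters, and also shows order-independent regexes of the kind you can paste into a rex command. The only assumption is the webhook line format shown in the post: space-separated key=value pairs with the JSON payload quote-escaped inside message.

```python
import json
import re
from collections import Counter

# The two raw events quoted in the post (IPs, node_id and the APIKEY_SECRET
# path are exactly as the poster pasted them).
SAMPLE_EVENTS = [
    r'message="{\"dst_host\": \"10.0.0.117\", \"dst_port\": 23, \"local_time\": \"2023-02-08 16:20:12.113362\", \"local_time_adjusted\": \"2023-02-08 17:20:12.113390\", \"logdata\": {\"PASSWORD\": \"admin\", \"USERNAME\": \"Administrator\"}, \"logtype\": 6001, \"node_id\": \"hostname.domain\", \"src_host\": \"114.216.162.49\", \"src_port\": 47106, \"utc_time\": \"2023-02-08 16:20:12.113383\"}" path=/opencanary/APIKEY_SECRET full_path=/opencanary/APIKEY_SECRET query="" command=POST client_address=100.86.224.114 client_port=54770',
    r'message="{\"dst_host\": \"10.0.0.117\", \"dst_port\": 22, \"local_time\": \"2023-02-08 16:20:11.922514\", \"local_time_adjusted\": \"2023-02-08 17:20:11.922544\", \"logdata\": {\"LOCALVERSION\": \"SSH-2.0-OpenSSH_5.1p1 Debian-4\", \"PASSWORD\": \"abc123!\", \"REMOTEVERSION\": \"SSH-2.0-PUTTY\", \"USERNAME\": \"root\"}, \"logtype\": 4002, \"node_id\": \"hostname.domain\", \"src_host\": \"61.177.172.124\", \"src_port\": 17802, \"utc_time\": \"2023-02-08 16:20:11.922536\"}" path=/opencanary/APIKEY_SECRET full_path=/opencanary/APIKEY_SECRET query="" command=POST client_address=100.86.224.114 client_port=54768',
]

# Outer key=value pairs. A quoted value may contain backslash-escaped quotes,
# which is how the webhook embeds the JSON payload inside message="...".
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_event(raw):
    """Return the fields a report needs, independent of where OpenCanary puts them."""
    fields = {}
    for m in KV_RE.finditer(raw):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    # The message value is an escaped string literal: decoding it as one yields
    # the inner JSON text, which a second json.loads turns into a dict.
    payload = json.loads(json.loads('"' + fields["message"] + '"'))
    logdata = payload.get("logdata", {})
    return {
        "src_host": payload.get("src_host"),
        "dst_port": payload.get("dst_port"),
        "logtype": payload.get("logtype"),
        "username": logdata.get("USERNAME"),
        "password": logdata.get("PASSWORD"),
        "client_address": fields.get("client_address"),
    }


# Regex-only extraction, one pattern per field, each anchored on the key name
# so it matches wherever the key appears in the line. Splunk's rex (PCRE)
# spells a named group (?<name>...); Python needs (?P<name>...).
REX_PATTERNS = {
    "src_host": re.compile(r'\\"src_host\\": \\"(?P<v>[^"\\]*)'),
    "dst_port": re.compile(r'\\"dst_port\\": (?P<v>\d+)'),
    "USERNAME": re.compile(r'\\"USERNAME\\": \\"(?P<v>[^"\\]*)'),
    "PASSWORD": re.compile(r'\\"PASSWORD\\": \\"(?P<v>[^"\\]*)'),
}


def rex_extract(raw):
    """Order-independent extraction with the patterns above (all values are strings)."""
    out = {}
    for name, rx in REX_PATTERNS.items():
        m = rx.search(raw)
        out[name] = m.group("v") if m else None
    return out


def top_credentials(raws, n=5):
    """Count (username, password) pairs: the first pivot to build for a honeypot."""
    counts = Counter()
    for raw in raws:
        ev = parse_event(raw)
        counts[(ev["username"], ev["password"])] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(parse_event(raw))
        print(rex_extract(raw))
    print(top_credentials(SAMPLE_EVENTS))
```

Of the two approaches, decoding the JSON is the robust one: a rex pattern such as `\\"USERNAME\\": \\"(?<USERNAME>[^"\\]*)` works for the SSH and Telnet events shown, but a password containing a quote or backslash would be JSON-escaped and cut the capture short, whereas the decoded payload returns it intact.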
Hi! I'm trying to export the CMC health overview dashboard as a PDF and, hopefully, set it to send as an email attachment on a regular schedule. I have seen this answer: https://community.splunk.com/t5/Dashboards-Visualizations/Can-you-copy-a-dashboard-into-a-report/m-p/375881 and this doc https://docs.splunk.com/Documentation/Splunk/9.0.3/Report/GeneratePDFsofyourreportsanddashboards#:~:text=To%20schedule%20dashboard%20PDF%20emails,in%20the%20Data%20Visualizations%20Manual. on how to accomplish that. But the export options are not visible within the CMC app. Is this possible within the CMC app?
Because of a typo we had the following in our query:

earliest=-1@d

Since the Splunk query actually ran, I assumed that some kind of default value had been used. I could not find such details in the docs.
We're in the middle of a micro-segmentation project and we're cataloging our Splunk resources. This is for an on-prem deployment. Splunk has a handy chart for ports, but this chart does not contain the Monitoring Console: https://docs.splunk.com/Documentation/Splunk/9.0.3/InheritedDeployment/Ports Does anyone know what ports are needed for the Monitoring Console? 8089 bi-directionally to all the Splunk servers + 9997 to the indexers + the web port is what I was thinking, but I couldn't find documentation to support that. Thanks, any help is appreciated.
Hi, I am looking for a way when a notification is triggered in Splunk to mention an employee or a group (@...) in the message in Microsoft Teams so they can get feedback. I already have the notifications set up so that via the webhook the notifications end up in the correct Teams channels. Thanks in advance!      
Here is the query I have, and I need to extract the "sts:ExternalId":

requestParameters: {
  policyDocument: {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAssumeRoleForAnotherAccount",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::384280045676:role/jenkins-node-custom-efep"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "efep"
          }
        }
      }
    ]
  }
I want to see the 500 error count for each customer over time (Today/Yesterday/LastWeekOfDay), so 3 days in total. The screenshot below is a Kibana chart. How can we create the same kind of chart in Splunk? I have tried the timechart query below, but the x axis has time first instead of customerId.

index="services" statusCode="500" | timechart span=1d count by customerId

I have also tried the query below, but I feel the count in the response is not correct.

index="services" statusCode="500" | bucket _time span=day | chart count by customerId,_time | head 10

Is there a better way to do it?
Hello everyone, I have a column which contains week1, week2, week3, week4, week5 and I want an input to the chart to show me the data from week1 to week3, for example, or week2 to week5. How could I do that?
Hi, I have the following joined Splunk query:

index="myIndex" source="mySource1" | fields _time, _raw | rex "Naam van gebruiker: (?<USER>.+) -" | dedup USER | table USER | sort USER | join type=left [ search index="myIndex" source="mySource2" "User:myUserID The user is authenticated and logged in." | stats latest(_raw) ]

The results look like this: Green is myUserID. Red is some other person's user ID. Because I am using my hardcoded user ID, every person gets the "latest(_raw)" record corresponding to my user ID. I want each user to get their own event. I believe this can be done if I use the USER field in the second search, but I don't know the syntax to get it to work. I tried:

"User:'USER' The user is authenticated and logged in."

and also

"User:\USER\ The user is authenticated and logged in."

But these don't work. What is the correct syntax?
I am working on a KPI script and I need to deduplicate lines in the field. Looks like this: Is there an | eval field=substr for the first line of the field, or some regex that can deduplicate my values? Thanks
Hello Team, I have the following problem. Inside my data I have a string like:

Error in Data | 5432323 from endpoint 543336
Error in Data | 1344214 from endpoint 543446
Error in Data | 1323214 from endpoint 545536

The field in Splunk is called error_message. The goal is to filter these events out of the search results with a lookup, so that when I don't want to see these messages in further searches I can adapt the lookup. The idea was something like test.csv:

check,error_message
true,Error in Data | * from endpoint *

| lookup test.csv error_message output check | search check!=true

I tried the things from https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/94513 but this didn't work for me. Thank you all.
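A wildcard lookup only works if the lookup definition tells Splunk to treat the field as a wildcard pattern (in transforms.conf, `match_type = WILDCARD(error_message)` on the lookup stanza); with the default exact match the `*` in the CSV is just a literal asterisk and nothing matches. The following is an added example, not code from the post or from Splunk, that reproduces the poster's test.csv and the three error messages, applies WILDCARD semantics (only `*` is special; `|`, `.` and everything else are literal, and the whole value must match) and then filters the way the posted pipeline intends. The fourth event is constructed so there is something left over after filtering.

```python
import csv
import io
import re

# The poster's lookup, as CSV text: header row plus one wildcard row.
LOOKUP_CSV = """check,error_message
true,Error in Data | * from endpoint *
"""

# Sample events: the three error_message values from the post plus one
# constructed message that must survive the filter.
EVENTS = [
    {"error_message": "Error in Data | 5432323 from endpoint 543336"},
    {"error_message": "Error in Data | 1344214 from endpoint 543446"},
    {"error_message": "Error in Data | 1323214 from endpoint 545536"},
    {"error_message": "Timeout from endpoint 543336"},  # constructed, not in the post
]


def wildcard_to_regex(pattern):
    """Splunk WILDCARD match semantics: '*' matches any run of characters,
    every other character (including '|' and '.') is literal, and the pattern
    must cover the whole value."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def load_lookup(csv_text):
    """Compile each lookup row into (regex, check) so patterns are built once."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(wildcard_to_regex(r["error_message"]), r["check"]) for r in rows]


def lookup_check(value, table):
    """Return the check value of the first matching row, or None when no row matches
    (a Splunk lookup likewise adds no output field for an unmatched event)."""
    for rx, check in table:
        if rx.match(value):
            return check
    return None


def filter_events(events, table):
    """Keep events whose lookup result is not 'true'; unmatched events are kept."""
    kept = []
    for ev in events:
        check = lookup_check(ev["error_message"], table)
        if check != "true":
            kept.append(dict(ev, check=check))
    return kept


if __name__ == "__main__":
    for ev in filter_events(EVENTS, load_lookup(LOOKUP_CSV)):
        print(ev)
```

One SPL caveat that the Python hides: `| search check!=true` only returns events that actually have a check field, and an unmatched event has none, so once the wildcard match works that line drops everything else too. Use `| search NOT check=true` (which also admits events without the field), or give the lookup a default output value, so that the unmatched events survive.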
We've integrated the Palo Alto NGFW with our Splunk. The logs are only coming from the Threat log type. We're forwarding other log types as well, like Traffic, URL Filtering, Data Filtering etc. All the integration and configuration is correct. Can someone help me to get the logs from the other sources as well, or tell me the reason why the logs from the other sources are not coming?
Hello Splunkers, please, if someone can help me with a Splunk query: I have a list of IPs I imported into a lookup table, and I want to grab the FW traffic where dest_ip in the FW logs matches my lookup list of IPs. I'm confused about which command I should use in the search, "inputlookup" or "lookup". Moreover, I would be grateful if someone could explain to me the difference between inputlookup and lookup with an example. Thank you, Moh
I want to create an alert that will notify if error_count is continuously increasing over time for any of the groups mentioned in the columns. In the table I have used timechart, which gives the sum of error_count values for different groups over time. I need to compare. I want a query that will trigger an alert when every row value is greater than its previous row for their respective column. If any column satisfies this condition, an alert should be raised. In simple words: alert when error_count increases with time for any group. My sample query:

<<BASE QUERY>> earliest=-4h@h latest=@h | timechart span=30m sum(error_count) as c by group

The result of this query is in the image attached; consider this table as sample data for the alert query.
Hi Splunk community, I have a chart displaying the number of users in each month. There was no data coming in in October and November, and I want to show the September number for October and November so the chart has a continuous trend. Here's my query:

<my search> | timechart span=1mon dc(UserID) as "Number of Users"

The current chart looks like this: