index=akamai "httpMessage.host"="*" "httpMessage.path"="/auth/realms/user/login-actions/authenticate" "*User-Agent:*" | spath "attackData.clientIP" | rename "attackData.clientIP" as ipAddress, httpMessage.host as Host, httpMessage.path as Path, User-Agent as "User Agent" | where [search index=keycloak type=LOGIN* [ inputlookup fraud_accounts.csv | rename "Account Login" as customerReferenceAccountId, "Input IP" as ipAddress | return 1000 customerReferenceAccountId ] | return 10000 ipAddress ] | table ipAddress, Host, Path, _time, "Account ID", "User Agent"

Hello Splunkees, I have a requirement where I need to calculate the availability or uptime percentage of some Critical APIs. We ingest those API logs in Splunk and it tells us about the throughput, latency and HTTP status codes. Is there a way to calculate the availability of any API using these metrics? I mean something like calculating the success and failure rate and then based on that come up with a number to say how much available my API is. Does anyone have any basic query which can calculate that?  I have created something like below to calculate the success and failure rates -   index=myapp_prod sourcetype="service_log" MyCriticalAPI Status=200 | timechart span=15m count as SuccessRequest | appendcols [ search index=myapp_prod sourcetype="service_log" MyCriticalAPI NOT Status=200 | timechart span=15m count as FailedRequest] | eval Total = SuccessRequest + FailedRequest | eval successRate = round(((SuccessRequest/Total) * 100),2) | eval failureRate = round(((FailedRequest/Total) * 100),2)    

Hello  I find it difficult to stop the search when I got first result in multisearch. I tried |head 1  but it can't be implemented in multisearch  Is there anyway to stop it to enhance my search efficiency? Because I got over 10 indexes which has over 10 million entires in each index to search. |multisearch [index = A |search ....] [index = B |search ....] [index = C |search ....] [index = D |search ....] .... Thank you so much.

Hi Team, we have some questions on uploading data. 1) Can we upload sample json/csv data with CIM compatible, can we see any demo ? 2) how to ingest network / network-traffic related sample data on splunk enterprise ? 3) Similarly looking for some more sample data related to email or mac-addr etc on splunk enterprise (trial account). Regards Anand  

Hello, since some time ago we are experiencing high CPU and/or memory usage related to the splunk_ta_o365 input addon. The processes impacted are the python ones: %CPU PID USER COMMAND 98.9 317938 splunk /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365_graph_api.py 97.7 317203 splunk /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365_graph_api.py 8.8 3058237 splunk splunkd -p 8089 restart   Updating didn't resolved the issue Is anyone else experiencing this? How can we manage it?   Thanks!!

Hello, I have an deployment app that monitor log file from an external server that work fine since last year. But suddenly, since 26/1/2023 untill now, it can't index anything. Nothing changed from the server side or on my side either, the host still produce log file on a daily basis. I also request to check the connection and restart deployment client but no improvement. My input.config is: [monitor:///u01/pv/log-1/data/trafficmanager/enriched/access/*.log] disabled = 0 index = my index sourcetype = my sourcetype The example log file name is: access_worker_6_2023_01_26.log  I like to resolve this problem, even redo every step if I have to because this is urgent. And I like to know how to troubleshoot step by step to know where is the problem, and how to prevent this in the future.  

Hi Splunkers, I was wondering if there is a way to output the contents of a Lookup file but also show the Lookup file name as results so for example | inputlookup append=t <filename1>.csv | inputlookup append=t <filename2>.csv | inputlookup append=t <filename3>.csv   Running the above will show the contents but would like to know which file the contents relates to. Thanks

Hi All,   I am trying our Splunk Enterprise server for MySQL database monitoring. I am using a trial version of Splunk. I have installed the Splunk DB Connect application and have installed the MySQL driver mysql-connector-j-8.0.31.jar. I am able to see that the driver is installed. And I have configured a MySQL DB connection. But when I execute Health Check from the monitoring console for the Splunk DB Connect app, I am getting the error " One or more defined connections require the corresponding JDBC driver." "Driver version is invalid, connection: MySQLDB, connection_type: mysql." MySQL DB version is 8.0.23 and it's an AWS Aurora RDS instance. I did try "Splunk DBX Add-on for MySQL JDBC" to install the driver before and I had the same issue. I saw that the driver that came with this app was of a lower version than what we use in our application to connect to the database, so installed the new driver directly. Also while trying to execute a query I am getting the error "Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1." Please help to resolve this error. Thanks Arun    

splunkd service is trying to start after windows server reboot but it stops suddenly. MS has confirmed that there is no issue from Service Control Manager.  This Splunk service stoppage is found only on the servers after the patching reboot.  

I'm trying to parse saved searches that contain a bunch of eval statements that do this sort of logic   | eval var=case( a,b, c,d, e,f) | eval var2=case( match(x, "z|y|z"), 1, match(x, "a|b|c"), 2) | eval...    I have the search string from the rest api response and am trying to extract all the LHS=RHS statements with   | rex field=search max_match=0 "(?s)\|\s*eval (?<field>\w+)=(?<data>.*?)"   The captures all the fields in <field> nicely, i.e. var and var2 (in this example because of the non-greedy ?), but I am struggling with capturing <data> in that the data is multi-line and if I don't use non-greedy(?) then I only get ONE field returned and data is the remainder of the search string, i.e. greedy (.*) I can't use [^|]* (effectively much the same) as the eval statements may contain pipes | so I want to extract up to the next \n|\s?eval I've been banging around with regex101 but just can't figure out the syntax to get this to work. Any ideas?

Hi experts there, Trying to extract multivalue output from a multiline json field through props and transforms. How best can I achieve for the below sample data (for my_mvdata field) ? I can write a regex in pros.conf with \\t delimiter. But only getting the first line. How to use multi add and do it through transforms?            { something: false somethingelse: true blah: blah: my_mvdata: server1 count1 country1 code1 message1 server2 count1 country1 code1 message2 server3 count1 country1 code1 message3 server4 count1 country1 code1 message4 blah: blah: }            

My search:     | makeresults earliest=-2h | timechart count as aantal span=1m     returns a list of zero's but for the last/current minute it returns "1". I only want zero's back to combine this search with a timechart. After combining these searches (makeresults and timechart) there should be no message "no values found" anymore. What do I have to change to have only zero's as a result of my makeresults search?

the first parameter is expectedBw and the other one is observedBw the expectedBw remains constant we have to show by line graph that how the expectedBw is being achieved with respect to observedBw. There need to be 2 lines one for expectedBw one for observedBw. the x axis should have time and y axis should have bandwidth means at different time how is the observedBw going forward or behind the expectedBw

Hi, I am using the REST API to pull data from splunk, using the output_mode=json. The data that is returned is a mix of strings and JSON (objects) and I am trying to work out a way for the API to return the entire data set as JSON. For Example: Curl Command: curl -k -u 'user1'' https://splunk-server:8089/servicesNS/admin/search/search/jobs/export -d 'preview=false' -d 'output_mode=json' -d 'search=|savedsearch syslog_stats latest="-2d@d" earliest="-3d@d" span=1' | jq . Results: Note how the result is in JSON, but devices is an array of strings not json. {   "preview": false,   "offset": 0,   "lastrow": true,   "result": {     "MsgType": "LINK-3-UPDOWN",     "devices": [       "{\"device\":\"1.1.1.1\",\"events\":12,\"deviceId\":null}",       "{\"device\":\"2.2.2.2\",\"events\":128,\"deviceId\":1}",       "{\"device\":\"3.3.3.3\",\"events\":217,\"deviceId\":2}"     ],     "total": "357",   } } Query: | tstats count as events where index=X-syslog Severity<=4 earliest=-3d@d latest=-2d@d by _time, Severity, MsgType Device span=1d | search MsgType="LINK-3-UPDOWN" | eval devices=json_object("device", Device, "events", events, "deviceId", deviceId ) | fields - Device events _time Filter UUID Regex deviceId addressDeviceId | table MsgType devices Query Result in UI: MsgType devices total LINK-3-UPDOWN {"device":"1.1.1.1","events":12,"deviceId":null} {"device":"2.2.2.2","events":128,"deviceId":null} {"device":"3.3.3.3","events":217,"deviceId":null} 357   As can be seen from the UI the device is in JSON format (using json_object), but from the curl result it is a string in json format - is there a way for the query to return the whole result as a json object, not a mix of json and strings ? I have also tried tojson in a number of differnt ways, but no success. Desired Result: where devices is a json object and not treated a string as above. {   "preview": false,   "offset": 0,   "lastrow": true,   "result": {     "MsgType": "LINK-3-UPDOWN",     "devices": [       {"device":"1.1.1.1","events":12,"deviceId":null}",       {"device":"2.2.2.2","events":128,"deviceId":1}",       {"device":"3.3.3.3","events":217,"deviceId":2}"     ],     "total": "357",   } } I can post process the strings into JSON, but I would rather get JSON from SPlunk directly. Thanks !