I am looking for an alert query for monitoring Windows processes. Below is the scenario:
1. A lookup having fields called host and Process.
2. An index showing events for process monitoring in the "host" and "Name" fields.
The requirement is that the initial line of the search query needs to pick the values from the "host" and "Process" fields from the lookup first and check the index query; if a matching value isn't found, then the results should be displayed in Splunk. Kindly assist.
Hello, I have multiple panels on the same page. When I select any criteria from the dropdown, I want to see only the panels which have values.
Hi, Is there any way to control whether users are using a wireless keyboard or mouse?
Hello, Can anyone assist with the SaaS credential reset? ^ Post edited by @Ryan.Paredez to remove Controller URL. Please do not share Controller URLs on Community posts for security and privacy reasons.
Hello, Has anyone installed Imperva Database Audit Analysis? I can't configure it to show me data. I receive the logs and can see them in the search application. The logs are sent via syslog and are indexed correctly but are not parsed. I followed the configuration instructions up to a point... there it is specified how to configure it if you have syslog on Splunk itself, but I have it on a separate server. Any help will be appreciated, thx.
Hi, Is there a way to search across multiple lookup files to find text within them? I know that you can use | inputlookup to get the contents of a single lookup csv file, but I'm trying to search for any csv files that might have a specific string value.
Hello Splunkers, Here is my use case: I am monitoring Apache logs on 3 different VMs, one VM for each env: dev, uat, prod. I do not see the point of creating a specific index for each env (no security / restrictions needed). But I still want to be able to distinguish the logs by environment. What would be the best practice to do that? Create a tag / event type for each host from where the logs are coming? Regards, GaetanVP
Hi all, I am new to Splunk and have a problem with my search. I have a lookup table, Error.csv:
Filter
*Error1*
*Error2*
*Error3*
...
I want to use this lookup table to filter the raw data from logs. However, the raw data does not exactly match the values from the lookup but rather includes Error1, Error2, ... I am trying to only show the logs that do not include these specific messages from the lookup table. My query:
basesearch | table _raw, host, source [| inputlookup Error.csv ]| fields Filter| where NOT raw=Filter
The query does not show any results and I have been trying to get it to work for hours now, but somehow cannot figure out how.
Hello, when we are trying to push our app bundle, the following error message occurs:
splunk apply shcluster-bundle --answer-yes -target https://HOSTNAME123:8089
Error while deploying apps to first member, aborting apps deployment to all members: Error while updating app=specificappname on target=https://XXXXXXXXX:8089: Non-200/201 status_code=500; {"messages":[{"type":"ERROR","text":"Read Timeout"}]
We checked the folder structure of "specificappname" on the deployer and on the SHC nodes and couldn't find anything unusual. The deployment is automated via a script and was running successfully before. There are also no replication errors on the SHC. Any chance to debug this problem or find out what exactly is failing?
Hi Experts, I'm using Splunk Dashboard Studio. I have multiple tables, and I would like to hide the tables where there are no results. Could you advise a workaround for achieving this using Dashboard Studio? Thanks
Hi Splunkers, I need help in coming up with logic for getting values from two lookups into my current search. I'm working on a search which has a field "customer" and I need to bring their IDs from two different lookups. Basically, I have to check both lookups for their IDs and write them in the field called "ID" in my current search. TIA

Search:
customer    ID
a
b
c
d
e

lookup 1:
customer    ids
a           1
b           2
c           3

lookup 2:
customer    ids
d           4
e           5
a           1
I have 2 events having fields: 1. id_cse_event: sqsmessageid, timestamp 2. Scim: sqs_message_id, timestamp. I want to search all the messages published by id_cse_events in scim using messageid, then find the difference between the timestamps. This is the query I have written:
sourcetype=id-cse-events | where isnotnull(sqsMessageId) | eval sqsmsgid=sqsMessageId | eval id_cse_time=timeStamp | table sqsmsgid, id_cse_time | map [search sourcetype=scim |fields line.message.sqs_message_id, line.timestamp|search line.message.sqs_message_id="$sqsmsgid$" | eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line.timestamp,"%Y-%m-%dT%H:%M:%S") ]maxsearches=9999 | table line.message.sqs_message_id,time_diff_in_seconds
id_cse_time = 2023-01-27T09:55:45.970831Z
scim timestamp = 2023-01-27T08:24:28.601+0000
The events are getting matched, but I don't see any table with messageid and timediff. Can anyone help?
How can I achieve a query for retrieving data for a particular time range over the last 6 days? Suppose I want to get the data for the last 6 days from 12.00 A.M. to 4.00 P.M. Please help on the same.
Hi, Unless I am mistaken, Splunk ES contains a collection of add-ons. In combination, these add-ons provide the dashboards, searches, and tools that summarize the security posture of the enterprise, allowing users to monitor and act on security incidents and intelligence. Does it mean that Splunk ES works without any forwarder? How is the correlation done between these add-ons and the enterprise infrastructure? Is it automatic? Is the data sent to the indexers like with Splunk Enterprise, or just to a search head? Sorry for these questions, but I am a rookie in Splunk ES and I need to understand how the security events are ingested. Thanks
Hey community, I'm a new member, and I'm sending you greetings. I hope we can learn good stuff from each other.
Hi, I want to ask about the SLA which I refer to from the following URL: https://www.splunk.com/ja_jp/legal/splunk-cloud-service-level-schedule.html My questions are:
1. Service credit billing is a customer's confidential information, but it is stated that the customer should contact Splunk. Is the customer in this statement an end-user who should contact Splunk directly?
2. Credits will be returned in time (up to 1 month) according to the availability % per quarter, but will the contract period be extended?
3. It states that a complete description is required when making a service credit claim. Is there any sample report content or regulatory form for it?
Thanks, Emmy
I have a sample.csv file with about 30000 rows with the following columns (sample data):
data          value1    value2
5600012345    abc       xxx
7890012345    fsfs      rwrr
I have the below query:
index="b2c" |rex field=path1.path2.details "code=\'(?<data>[^\n\r\']{10})"
I can see the extracted 'data' field in the fields list. I want to query the 'data' column values in the csv file and return a table with the data and other fields from the event and csv file. How do I use the inputlookup or lookup command to search the extracted field? Thanks for the help in advance
Hi Community! Actually, I'm doing the Okta-Splunk Enterprise integration. I've studied the documentation about this, but I have a question about the creation of a certificate to encrypt the communication between Okta and Splunk: is that possible? Which certificate type is needed for this? Thanks!
Greetings. My Splunk instance parses messages which have a JSON array type:
```
{ tags: ["info", "foo", "bar"] }
```
Let's say I want to search for events where precisely the second index of the tags field has the value "foo". Having consulted the Splunk docs, I found Array and object expressions. I tried using Array and object expressions, and all of my queries ended poorly. Eventually I was pointed to MultivalueEvalFunctions, which worked. Using multivalue functions left me with many questions:
- Why is my JSON array parsed as a multivalue? Why is it not an array?
- If I execute `typeof('tags')`, I get "Invalid". Why? Shouldn't it be Array or Multivalue?
- If I execute `typeof('tags{}')`, I get "Multivalue". Why? What did that operator do, and why was it required?
More or less, as a polyglot programmer with a decade of experience, I found Splunk operations on collections to be not just unintuitive, but counterintuitive. Beyond my explicit three question categories above, if compelled, let me know other best-known practices around searching with array-ish fields.
Hi All, I'm trying to make my dashboard dynamic. For example, if the search query responds with 5 values, I want 5 rows and panels to be created dynamically in the dashboard. Likewise, will it be possible to have the panels created based on the query output? Please assist me with this ask; I can add more details if needed.