All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Topics

How to extract time from preamble data in csv?

by in Getting Data In
‎01-27-2023 11:50 AM
‎01-27-2023 11:50 AM
Hello, i am using UF to ingest a csv file that has the timestamp in preamble data, i would like to extract the timestamp and to remove the preamble data and then ingest the csv.  the file looks l... See more...
Hello, i am using UF to ingest a csv file that has the timestamp in preamble data, i would like to extract the timestamp and to remove the preamble data and then ingest the csv.  the file looks like the table below: Time stamp 2023-01-26T11:15:00-05:00   info obj   datainfo blahblah   datadata blahblah         field1 field1 field2 value1 1 info1 value2 2 info2 value3 3 info3 value4 4 info4 value5 5 info5 value6 6 info6 value7 7 info7 value8 8 info8 value9 9 info9   my props.conf: DATETIME_CONFIG = TIME_PREFIX=Time\sstamp, MAX_TIMESTAMP_LOOKAHEAD=22 TIME_FORMAT=%Y-%m-%dT%H:%M:%S%z INDEXED_EXTRACTIONS = CSV FIELD_HEADER_REGEX = (field1.*) LINE_BREAKER = ([\r\n]+) SHOULD_LINEMERGE = false NO_BINARY_CHECK = true the issue here is i am able to read the csv and the field names, however the timestamp of the event is the current time and not from the file. how do i fix this?    
Labels

How to compare contents of one lookup to another?

by in Splunk Search
‎01-27-2023 11:41 AM
‎01-27-2023 11:41 AM
Currently I have an inputlookup csv that contains a list of IP addresses and lookup csv that has a list of subnets. I would like to create a query that shows the IPs in the inputlookup table that are... See more...
Currently I have an inputlookup csv that contains a list of IP addresses and lookup csv that has a list of subnets. I would like to create a query that shows the IPs in the inputlookup table that are not part of the subnets specified in the lookup. I am stumped on how to do this any instance would be greatly appreciated. 
Labels

How to display only subsets of data from correlated sendmail log transactions?

by in Splunk Search
‎01-27-2023 11:04 AM
‎01-27-2023 11:04 AM
The sender and recipient information  I need from Unix/Linux "sendmail" logs is contained in separate lines in the sendmail log.  I am able to correlate all the entries for a given email using nested... See more...
The sender and recipient information  I need from Unix/Linux "sendmail" logs is contained in separate lines in the sendmail log.  I am able to correlate all the entries for a given email using nested search, dedup, and transation using the following search:      index="sendmail_logs" host=relay* [search index="sendmail_logs" host=relay* from=\<*@example.com\> | dedup qid | fields qid ] | transaction fields=qid maxspan=1m which produces the following (simplified and obfuscated): 2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=mail, continue 2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=rcpt, continue 2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=data, continue 2023-01-26T23:37:25+00:00 relay1 sendmail[115877]: 30QNbOpD115877: from=<bounce+e1165d.ef30-username=ourdomain.com@example.com>, size=25677, class=0, nrcpts=1, msgid=<20230126233721.b60dfcd8b6c1249b@example.com>, bodytype=8BITMIME, proto=ESMTPS, daemon=MTA, tls_verify=NO, auth=NONE, relay=m194-164.mailgun.net [161.38.194.164] 2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter add: header: X-NUNYA-SPF-Record: v=spf1 include:mailgun.org include:_spf.smtp.com ~all 2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter change: header Subject: from Sample Subject Line to EXTERNAL: Sample Subject Line 2023-01-26T23:37:26+00:00 relay1 sendmail[115877]: 30QNbOpD115877: milter=ourmiltname, action=eoh, continue 2023-01-26T23:37:27+00:00 relay1 sendmail[115887]: 30QNbOpD115877: to=<username@ourdomain.com>, delay=00:00:02, xdelay=00:00:01, mailer=smtp, tls_verify=OK, pri=145677, relay=nexthop.ourdomain.com. [192.168.0.7], dsn=2.0.0, stat=Sent (30QNbQau230876 Message accepted for delivery) 2023-01-26T23:37:27+00:00 relay1 sendmail[115887]: 30QNbOpD115877: done; delay=00:00:02, ntries= Now, what I want to do is reduce the output to only the lines that contain the strings "from=" OR "to=".   I am new to splunk, so i tried adding adding           |  regex _raw="from\=\<|to\=\<" but all the lines are still displayed.   Suggestions on how to correct my query?

How to show related data in other drop down if one is selected?

by in Dashboards & Visualizations
‎01-27-2023 10:57 AM
‎01-27-2023 10:57 AM
I have two drop-down on the dashboard. When I select first dropdown from the list then I need the show the selected (filtered) list based on the first drop down on the second. Pls help.

How to do a stats count by on only some array elements?

by in Splunk Enterprise
‎01-27-2023 10:07 AM
‎01-27-2023 10:07 AM
Hey everyone. I am trying to do a stats count by items{}.description, items{}.price but I'd like to filter out some of the items. In this example, I'd like to include "description one" and "descripti... See more...
Hey everyone. I am trying to do a stats count by items{}.description, items{}.price but I'd like to filter out some of the items. In this example, I'd like to include "description one" and "description two", but not "description three".  In the real situation there is many more that I'd like to include and to exclude. Is this possible?       "time": "01:01:01", "items": [ { "description": "description one", "price": "$220" }, { "description": "description two", "price": "$10" }, { "description": "description three", "price": "$50" } ]        
Labels

.Net Application -> OpenTelemetry Collector -> AppDynamics

by in Splunk AppDynamics
‎01-27-2023 09:55 AM
‎01-27-2023 09:55 AM
Hi all, I'm developing a POC using otel collector (running on docker) to collect logs, traces, and metrics from a dotnet application and then send the observability data to AppDynamics. I'm followin... See more...
Hi all, I'm developing a POC using otel collector (running on docker) to collect logs, traces, and metrics from a dotnet application and then send the observability data to AppDynamics. I'm following this section of the documentation: https://docs.appdynamics.com/appd/22.x/22.6/en/application-monitoring/appdynamics-for-opentelemetry Currently I only see traces in the example configuration. Does anyone know if logs and metrics are also supported? And do I need to install dotnet agent to do this (given that I just want to see data successfully received in AppDynamics)? Thank you for the help! Regards,
Labels

Log output obfuscates our logs related to Splunk plugin

by in Getting Data In
‎01-27-2023 09:11 AM
‎01-27-2023 09:11 AM
We have been having a constant stream of log output related to the tier 3 "splunk" plugin, looking to see how to remove this as it is making our bundles difficult to analize and solve issues. The... See more...
We have been having a constant stream of log output related to the tier 3 "splunk" plugin, looking to see how to remove this as it is making our bundles difficult to analize and solve issues. There is a constant stream of jenkins_console comming from most of our backend microservices, is there anyway to remove this from our logs? Thanks! Fernando Devops SquareTrade
Labels

How to filter for total number of users on an appliance?

by in Splunk Search
‎01-27-2023 08:51 AM
‎01-27-2023 08:51 AM
For Cisco I used the filter below, I will need to add filters for whatever view I am looking for. I want to look up the total number of users for a specific day of the month on a host. @ What d... See more...
For Cisco I used the filter below, I will need to add filters for whatever view I am looking for. I want to look up the total number of users for a specific day of the month on a host. @ What do I need to add to my filter?   index="its_sslvpn" host=*SIRA* user=*@*   Thank you.  Anthony  
Labels

What is best practice when utilizing a search from the below apps?

by in Knowledge Management
‎01-27-2023 08:05 AM
‎01-27-2023 08:05 AM
What is best practice when utilizing a search from the below apps? What pros/cons should I consider from each? I appreciate any guidance here.  1) Enable the search stored in the app? 2) Clone th... See more...
What is best practice when utilizing a search from the below apps? What pros/cons should I consider from each? I appreciate any guidance here.  1) Enable the search stored in the app? 2) Clone the search and store in a custom company-specific app, and enable there?  DA-ESS-MitreContent DA-ESS-ContentUpdate

How to add value in two fields based on their name?

by in Splunk Search
‎01-27-2023 07:48 AM
‎01-27-2023 07:48 AM
Hi, I would like to add value in two fields based on their name.  I want the output as sum of traffic_in#fw1+traffic_out#fw1 and so on by _time.  
Labels

How to filter events with regex?

by in Splunk Search
‎01-27-2023 07:46 AM
‎01-27-2023 07:46 AM
I'm trying to filter out events like the ones below using the regex expression regex _raw!="^[A-Za-z0-9]{4}:.*$"   but its not working.  Can someone help me with this?   Events 0000: 00 0... See more...
I'm trying to filter out events like the ones below using the regex expression regex _raw!="^[A-Za-z0-9]{4}:.*$"   but its not working.  Can someone help me with this?   Events 0000: 00 025e 28:0a000c5f call 0a000c5f 0000: 04 025d 14 ldnull 007a: 00 021d de:2a leave.s :0000=>01 0249 11:07 ldloc.s 07
Labels

How can a non admin user create a maintenance window?

by in Knowledge Management
‎01-27-2023 06:46 AM
‎01-27-2023 06:46 AM
In ITSI, How can a non-admin user create a maintenance window? As we observe only itoa admin and itoa team admin having capabilities to create maintenance window. However, I am trying to make non-adm... See more...
In ITSI, How can a non-admin user create a maintenance window? As we observe only itoa admin and itoa team admin having capabilities to create maintenance window. However, I am trying to make non-admin user do the same. Please suggest and help.
Labels

How to create Windows process monitoring alert?

by in Alerting
‎01-27-2023 06:43 AM
‎01-27-2023 06:43 AM
I am looking for a Alert query for monitoring the windows process below is the scenario 1. Lookup having fields called host and Process 2. index showing events for process monitoring in "host" ... See more...
I am looking for a Alert query for monitoring the windows process below is the scenario 1. Lookup having fields called host and Process 2. index showing events for process monitoring in "host" and "Name" field Requirement is, initial line of the search, query needs to pick the values from "host" and "Process" field from the lookup first and check the index query, if the matching value isn't found, then results should be displayed in the Splunk Kindly assist.
Labels

How do I hide panel when "no results found" after selecting from drop-down list?

by in Dashboards & Visualizations
‎01-27-2023 06:23 AM
‎01-27-2023 06:23 AM
Hello, I have multiple panels in same page. When I select any criteria from the dropdown, then I want to see only the panels which have the values. 

How can I monitor if someone is using wireless keyboard or mouse ?

by in Monitoring Splunk
‎01-27-2023 06:16 AM
‎01-27-2023 06:16 AM
Hi,   Is there any way to control if users are using wireless keyboard or mouse ?     
Labels

Controller password reset

by in Splunk AppDynamics
‎01-27-2023 06:02 AM
‎01-27-2023 06:02 AM
Hello, Can anyone assist with the saas credential reset? ^ Post edited by @Ryan.Paredez to remove Controller URL. Please do not share Controller URLs on Community posts for security and privacy r... See more...
Hello, Can anyone assist with the saas credential reset? ^ Post edited by @Ryan.Paredez to remove Controller URL. Please do not share Controller URLs on Community posts for security and privacy reasons.

Has anyone installed Imperva Database Audit Analysis?

by in Dashboards & Visualizations
‎01-27-2023 05:46 AM
‎01-27-2023 05:46 AM
hello, Has anyone installed Imperva Database Audit Analysis? I can't configure it to show me data. I receive the logs and can see them in the search application. the logs are sent via syslog and a... See more...
hello, Has anyone installed Imperva Database Audit Analysis? I can't configure it to show me data. I receive the logs and can see them in the search application. the logs are sent via syslog and are indexed correctly but are not parsed. I followed the configuration instructions up to a point... there it is specified how to configure if you have syslog on splunk itself, but I have it on a separate server. any help will be appreciated thx
Labels

Is there a way to search across multiple lookup files to find text within them?

by in Splunk Search
‎01-27-2023 05:26 AM
‎01-27-2023 05:26 AM
Hi Is there a way to search across multiple Lookup files to find text within them ?  I know that you can use | inputlookup to get the contents of a single lookup csv file but I'm trying to search f... See more...
Hi Is there a way to search across multiple Lookup files to find text within them ?  I know that you can use | inputlookup to get the contents of a single lookup csv file but I'm trying to search for any csv files that might have a specific string value.
Labels

How to distinguish applications log by environment?

by in Deployment Architecture
‎01-27-2023 05:25 AM
‎01-27-2023 05:25 AM
Hello Splunkers, Here is my use-case : I am monitoring apache logs on 3 different VMs, one VM for each env : dev, uat, prod I do not see the point to create a specific index for each env (no secu... See more...
Hello Splunkers, Here is my use-case : I am monitoring apache logs on 3 different VMs, one VM for each env : dev, uat, prod I do not see the point to create a specific index for each env (no security / restrictions needed). But I still want to be able to distinguish the logs by environment.  What would be the best practice to do that ? Create a tag / event type ? for each host from where the logs are coming ? Regards, GaetanVP
Labels

How to use a lookup to filter raw data from a log?

by in Splunk Search
‎01-27-2023 05:24 AM
‎01-27-2023 05:24 AM
Hi all, I am new to Spluntk and have problem with my search. I have a Lookup table: Error.csv Filter *Error1* *Error2* *Error3* ... I want to use this Lookup table to filter the raw data ... See more...
Hi all, I am new to Spluntk and have problem with my search. I have a Lookup table: Error.csv Filter *Error1* *Error2* *Error3* ... I want to use this Lookup table to filter the raw data from logs.  However the raw data does not exactly match the values from the Lookup but rather includes Error1, Error2 ... I am trying to only show the logs that do not include these specific messages from the Lookup table. My query: basesearch | table _raw, host, source [| inputlookup Error.csv ]| fields Filter| where NOT raw=Filter The query does not show any results and i have been trying to get it to work for hours now, but somehow can not figure out how.
Labels