All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi all, here's an interesting use case; I wonder if SOAR can handle it. You send a user an email from SOAR after running a playbook. In the email you ask them a question with a Yes / No response. The user can click "Yes" or "No" hyperlinks in the email; both are URLs linking back to SOAR. SOAR records when the URL is accessed and notes it down in the related event (e.g. user clicked "No"). Is there any possible way of doing something like that?
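An added example, not from the post and not SOAR's own code, of how the two links in such an email should be built and checked. The point a security engineer would insist on: each link carries an HMAC over the container id, the answer, a per-email nonce and an issue time, so a recipient (or anyone who sees the mail) cannot turn a "No" link into a "Yes", replay it against another event, or answer twice. The endpoint URL, the secret handling and the TTL are assumptions for the example; recording the answer in the SOAR container (a note, a custom field) is whatever your playbook already does and is not shown.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SOAR_BASE_URL = "https://soar.example.internal/rest/answer"  # hypothetical callback endpoint
SECRET_KEY = secrets.token_bytes(32)  # in practice: loaded from the SOAR vault/asset, never a literal
LINK_TTL_SECONDS = 24 * 3600


def _mac(container_id, answer, nonce, issued_at) -> str:
    """HMAC-SHA256 over every field the click handler will trust."""
    payload = f"{container_id}|{answer}|{nonce}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_links(container_id: int, issued_at: Optional[int] = None) -> Dict[str, str]:
    """Return {'yes': url, 'no': url} for one email. Both links share a nonce, so the
    first click consumes the pair and the second answer cannot overwrite it."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    nonce = secrets.token_urlsafe(16)
    links = {}
    for answer in ("yes", "no"):
        params = {"c": container_id, "a": answer, "n": nonce, "t": issued_at,
                  "sig": _mac(container_id, answer, nonce, issued_at)}
        links[answer] = f"{SOAR_BASE_URL}?{urlencode(params)}"
    return links


def verify_click(url: str, used_nonces: Set[str], now: Optional[int] = None) -> Tuple[int, str]:
    """Validate a clicked link and return (container_id, answer); raise ValueError otherwise.
    Order matters: signature first, so nothing below runs on attacker-chosen values."""
    q = parse_qs(urlparse(url).query)
    try:
        c, a, n, t, sig = (q[k][0] for k in ("c", "a", "n", "t", "sig"))
    except KeyError:
        raise ValueError("missing parameter")
    if a not in ("yes", "no"):
        raise ValueError("bad answer")
    if not hmac.compare_digest(sig.encode(), _mac(c, a, n, t).encode()):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if now - int(t) > LINK_TTL_SECONDS:
        raise ValueError("link expired")
    if n in used_nonces:
        raise ValueError("already answered")
    used_nonces.add(n)
    return int(c), a


if __name__ == "__main__":
    spent: Set[str] = set()
    links = make_links(42)
    print(verify_click(links["no"], spent))  # (42, 'no')
```

One caveat for the GET-only design the post describes: mail security gateways and link-preview features fetch URLs before the human ever sees the mail, which would register a bogus "first click". Treat a bare GET as a tentative answer and confirm it with a second step (a POST from a landing page, or a login to SOAR) before the playbook acts on it.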
I want to disable the "Save As" feature: users should be able to search, but not save a search as a dashboard, report, or any other knowledge object.
I have a horizontal bar chart using the following post-processing search:

| stats count by urgency | eval urgency = if(urgency=="-", "unknown", 'urgency')

The values of the urgency field are: "1 - High", "2 - Medium", "3 - Low", "unknown". I would like the horizontal bar color to change for each value:
"1 - High" would be Red
"2 - Medium" would be Orange
"3 - Low" would be Yellow
"unknown" would remain blue
I have seen code for working with value ranges, but I am looking for code that works only with the value. Any suggestions are greatly appreciated.
I am trying to determine the average time for a set of issues to get resolved. I already created a field named "Duration" that extracts the time periods; the issue is that they're labeled in different time formats, with some combination of Day Hour Minute (e.g. 4d 7h 20m, 1d 13m, 7h 43m, 5h, 25m). Duration is a rex-created field which pulls the info from a string that looks something like this:

issue="D830 System Down - 1930E 13 Jan - 2240 14 Jan (1d 3h 10m) - MU3892"

Here is part of the search:

index=main ...................
. .
| rex field=issue ".*\((?P<Duration>\d[^\)]+)"
| rex field=Duration "((?P<Days>\d{0,2})d\s)?((?P<Hours>\d{0,2})h\s)?(?P<Mins>\d{0,2})m"
| eval Days=tonumber(Days)
| eval Hours=tonumber(Hours)
| eval Mins=tonumber(Mins)
| eval MTTR=((Days*1440)+(Hours*60)+(Mins))/60
| table Duration Days Hours Mins MTTR

Two combinations work successfully: 1d 12m and 43m. Anything that includes the Hours field breaks the rex:
- 1d 10h 20m and 20h 10m only pull Mins
- 5h doesn't work at all
I ran it in regex101 and it should work for all. What is wrong with my "rex field=Duration" line?
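An added example, not from the post, of a duration pattern that does not have the structural weakness visible in the one above: there every unit except minutes is optional, so a value such as "5h" can never match, and a partial match is accepted silently. Below each unit is independently optional and the whole string must be consumed, so "5h" parses and a stray token is rejected rather than mis-read. Python's re engine is used here to test the pattern; the same pattern structure carries over to rex, with the caveat that in SPL a missing group is null and null arithmetic yields null, so wrap each part in coalesce(tonumber(Days),0) before computing MTTR. The issue strings are constructed from the shape shown in the post.

```python
import re
from typing import List, Optional

# Each unit independently optional; anchored at both ends so nothing is skipped silently.
DURATION_RE = re.compile(
    r"""
    ^\s*
    (?:(?P<days>\d+)d)?\s*
    (?:(?P<hours>\d+)h)?\s*
    (?:(?P<mins>\d+)m)?
    \s*$
    """,
    re.VERBOSE,
)

# The parenthesised duration inside the issue string, as in the post's first rex.
ISSUE_RE = re.compile(r"\((?P<duration>\d[^)]*)\)")


def duration_to_minutes(text: str) -> Optional[int]:
    """'4d 7h 20m' -> 6200, '5h' -> 300; None if the text is not a recognisable duration."""
    m = DURATION_RE.match(text)
    if not m or not any(m.group(g) for g in ("days", "hours", "mins")):
        return None
    days = int(m.group("days") or 0)
    hours = int(m.group("hours") or 0)
    mins = int(m.group("mins") or 0)
    return days * 1440 + hours * 60 + mins


def mttr_hours(issue: str) -> Optional[float]:
    """Pull '(1d 3h 10m)' out of an issue string and convert it to hours."""
    m = ISSUE_RE.search(issue)
    if not m:
        return None
    minutes = duration_to_minutes(m.group("duration"))
    return None if minutes is None else minutes / 60


def mean_mttr_hours(issues: List[str]) -> Optional[float]:
    """Average over the issues that parse; unparseable ones are skipped, not counted as zero."""
    values = [v for v in (mttr_hours(i) for i in issues) if v is not None]
    return sum(values) / len(values) if values else None


# Constructed sample issues following the format quoted in the post.
SAMPLE_ISSUES = [
    'issue="D830 System Down - 1930E 13 Jan - 2240 14 Jan (1d 3h 10m) - MU3892"',
    'issue="D831 Link Flap - 0900 15 Jan - 1400 15 Jan (5h) - MU3893"',
    'issue="D832 No duration recorded - MU3894"',
]

if __name__ == "__main__":
    for text in ("4d 7h 20m", "1d 13m", "7h 43m", "5h", "25m", "5x"):
        print(text, "->", duration_to_minutes(text))
    print("mean MTTR (h):", mean_mttr_hours(SAMPLE_ISSUES))
```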
Hello, I need a search query to detect HTTP outboun irect traffic. Thank you.
Hello, I have 2 lookups. The first one will be getting inputs from a dashboard and getting saved to the lookup (for example, a column called <username>). The second lookup has the same data as the first lookup with additional information (for example, columns called <username>, <usercity>, <userstate>, <usercountry>). I'm trying to take the inputs from the first lookup, use information from the second lookup, and map it out using a cluster map. Can someone help me with the SPL?
I'm doing a search for server names and will eventually export to a CSV. However, each result comes out as one of the following:
servername.domain: servername.domain
servername: servername.domain
servername: servername
How can I change the results in that particular field to be just servername? I feel like this is where regular expressions may come into play.
Hey, is there a way to retrieve the raw object of an app action in phantom.collect? I have an app which returns the following values: data, message, status, parameter. Normally that works fine; I can call each of these in turn like this:

data_result = phantom.collect(container=container, datapath=["my_app_action:action_result.data"])
message_result = phantom.collect(container=container, datapath=["my_app_action:action_result.message"])

etc. But how do I retrieve the full object? E.g. something like this:

all_result = phantom.collect(container=container, datapath=["my_app_action:action_result.*"])
all_result = phantom.collect(container=container, datapath=["my_app_action:*"])

Hope that makes sense.
I have a simple question for documentation purposes. What are the default ports, and the services using them, on the Splunk heavy forwarder and Splunk ES?
Hi, I have a CSV that is imported to Splunk, and one of its fields has a space as the thousands separator and ends with ",00". I need it to be an integer with only numbers. I can solve this with 2 lines:
| eval test=replace(field1,",00","")
| eval test=replace(test," ","")
But I want to create a new field with Calculated Fields. How can I do that in one line of code?
Hi All, when using stats to display values() of fields, how can we have the values align between the field names? For example, my data set:

Severity  Status      Count
P1        New         1
P1        Open        2
P1        Unassigned  3
P1        Closed      5

When using

| stats values(status) as status, values(Count) as Count by severity

this is what I get. Notice the count values are not as per the data set.

Severity  Status                      Count
P1        New Open Unassigned Closed  1 5 3 2

I'd like the results of Count to align with their Status field. Expected result:

Severity  Status                      Count
P1        New Open Unassigned Closed  1 2 3 5
Hello, I work for a company with at most 12 workstations to monitor, and we only want to log critical logs from these stations. Is Splunk Free a good option?
Hi All, we want to upgrade a Splunk Enterprise clustered environment from version 8.2.2 to 8.2.6, and I have this question running in my mind: what Splunk precedence rules should be followed to upgrade a Splunk clustered environment? Can anyone guide me on what order we need to upgrade the Splunk instances in?

Sequence of order:
1) Cluster Master
2) Indexer Peers
3) Search head captain
4) Search peers
5) Deployer
6) Deployment Server
7) Heavy Forwarders, UF
Back up SPLUNK_HOME/etc.
We use the Splunk search endpoint to get notable events:

services/search/jobs
search=search `notable`
earliest_time=(currentTime - 2min)
latest_time=(currentTime)
adhoc_search_level=smart

When the search is completed (services/search/jobs/<sid> dispatchState = DONE) we get the results from services/search/jobs/<sid>/results. We don't get all the results. But when we make the same search with the same time ranges around 10 to 15 minutes later, we get the results which we missed in the real-time search. Why do we get the issue and how do we resolve it?
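The post does not say what is behind the gap, but the symptom (the same _time window is complete a quarter of an hour later) is what you see when notables land in the index after the window has already been polled, whether through forwarding backlog or because the correlation search that writes them runs on its own schedule. An added example, not from the post and not Splunk code, showing the two polling strategies side by side on constructed notables: the post's approach selects on _time and can only ever return what is indexed at the moment it runs, whereas polling on _indextime with a checkpoint, a small overlap and event_id dedup picks up late arrivals exactly once. The `notable` macro is the one from the post; _index_earliest and _index_latest are standard Splunk search-time modifiers; the timestamps and ids are invented.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Notable:
    event_id: str
    time: int       # stands in for _time
    indextime: int  # stands in for _indextime: when the notable was actually written


# Constructed notables. n2 belongs to the same activity window as n1 but is written ~11 min late.
SAMPLE = [
    Notable("n1", time=1000, indextime=1005),
    Notable("n2", time=1050, indextime=1700),
]


def build_query(index_earliest: int, index_latest: int) -> str:
    """SPL for one poll: select notables by when they were written, not by _time."""
    return f"search `notable` _index_earliest={index_earliest} _index_latest={index_latest}"


def poll_by_event_time(events: List[Notable], now: int, window: int = 120) -> List[Notable]:
    """What the post's search does: a 2-minute _time window, which can only return
    what is already indexed when the search runs."""
    return [e for e in events if now - window <= e.time <= now and e.indextime <= now]


def poll_by_index_time(events: List[Notable], checkpoint: int, now: int,
                       seen: Set[str], overlap: int = 60) -> Tuple[List[Notable], int]:
    """Index-time poll: everything indexed since the last checkpoint (minus an overlap
    for clock skew), deduplicated on event_id so the overlap never re-emits a notable.
    Returns the new notables and the next checkpoint."""
    earliest = max(0, checkpoint - overlap)
    fresh = [e for e in events
             if earliest <= e.indextime <= now and e.event_id not in seen]
    seen.update(e.event_id for e in fresh)
    return sorted(fresh, key=lambda e: e.indextime), now


def compare(events: List[Notable] = SAMPLE) -> Tuple[List[str], List[str]]:
    """Run both pollers at t=1100 and t=1800; return the event_ids each one delivered."""
    by_time = poll_by_event_time(events, now=1100) + poll_by_event_time(events, now=1800)
    seen: Set[str] = set()
    first, cp = poll_by_index_time(events, checkpoint=900, now=1100, seen=seen)
    second, cp = poll_by_index_time(events, checkpoint=cp, now=1800, seen=seen)
    return [e.event_id for e in by_time], [e.event_id for e in first + second]


if __name__ == "__main__":
    print(build_query(1100, 1800))
    print(compare())  # (['n1'], ['n1', 'n2'])
```

The _time poll never sees n2: at t=1100 it is not indexed yet, and at t=1800 its _time is outside the window. Persist the checkpoint (and, for the overlap period, the seen ids) across runs, and keep the overlap at least as large as the clock skew between search head and indexers.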
Hello Splunkers, I am currently using an F5 load balancer in front of two HFs that are used as intermediate forwarders and also do the parsing for incoming data. I would like to create (at index time) a new field for all logs passing through my HFs that indicates which HF has done the job. In other words, I want to keep a trace of which HF was chosen for each log. I suppose I need to use a props.conf file, but I do not know where to place it, and I do not know how to dynamically set a field = hostname of my machine. I am using a DS to deploy apps on my HFs, by the way, and I would like to avoid any custom / manual config on each HF. Thanks a lot, GaetanVP
I have 2 indexes, abc and bcz. Index abc data is in raw format like below:

<random ip address>|-NA\CAPITA|5xxhxh545|jljdjhsdhj78987|hkjhkdjfkjfd5672v2hg7|87675678vf6x_ <random date time> "GET http:\\at-abc.com http/1.1" 500 <random values>

I want to pull 87675678vf6x_ as field1, at-abc.com as field2 and 500 as field3. Index bcz has formatted data. I now want to compare both indexes, field1 of index abc with another field7 in bcz where bcz field5="name", and return field1, field2 and field3. It looks simple but is not working.
So after searching here it seems like a lot of people have trouble parsing/handling WinEventLogs. I want to ask if there is no better way than custom transforms and props? That might be a debatable question to some, so I'll be more targeted. I'm trying to extract parts of the Message field; here's a sanitized example:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{xxxxx-xxxx-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-01-25T22:35:16.209857600Z'/><EventRecordID>840762295</EventRecordID><Correlation ActivityID='{D610E4E9-2C97-0000-12E5-10D6972CD901}'/><Execution ProcessID='704' ThreadID='2404'/><Channel>Security</Channel><Computer>dc01.domain.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>DOMAIN\okta_service</Data><Data Name='SubjectUserName'>okta_service</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x31198f</Data><Data Name='TargetUserSid'>DOMAIN\Bob.Saget</Data><Data Name='TargetUserName'>bob.saget</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetLogonId'>0x1578a0a1</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>DC01</Data><Data Name='LogonGuid'>{xxxxx-xx-D725-309C-788D104F655D}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x1658</Data><Data Name='ProcessName'>C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentService.exe</Data><Data Name='IpAddress'>1.2.3.4</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

Namely, at the bottom:

<Data Name='IpAddress'>1.2.3.4</Data>

Now I'm still using renderXml = true because when you look at the raw type, that Message field is just so huge and practically impossible for me to define a field from. Unless I'm wrong? Also, as per my inputs file, the sourcetype for this is 'generic_single_line'. Now I've tried Regex and Delimiters and both give me errors about either selecting too many fields, or, in the case of Delimiters (when I attempt to specify "other" and '<>'), an entirely unholy wall of text with this tiny blurb at the end:

has exceeded the configured depth_limit, consider raising the value in limits.conf.

Or am I going about this all wrong and raw is the easiest to deal with? Any help would be greatly appreciated!
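An added example, not from the post and not Splunk's own extraction, of the structural approach that sidesteps the regex and delimiter trouble described above: the renderXml event is a well-formed XML document, so an XML parser can lift every <Data Name='...'> pair into a flat dict in one pass, with no per-field regex and no depth_limit to hit. The sample below is a shortened copy of the sanitized 4624 event in the post. For events from sources you do not control, parse with defusedxml rather than the standard library parser; the standard parser is fine for this local sample.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a shortened copy of the sanitized 4624 event quoted in the post.
SAMPLE_4624 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID><Version>2</Version><Level>0</Level>"
    "<TimeCreated SystemTime='2023-01-25T22:35:16.209857600Z'/>"
    "<EventRecordID>840762295</EventRecordID><Channel>Security</Channel>"
    "<Computer>dc01.domain.net</Computer><Security/></System>"
    "<EventData><Data Name='SubjectUserName'>okta_service</Data>"
    "<Data Name='TargetUserName'>bob.saget</Data>"
    "<Data Name='TargetDomainName'>DOMAIN</Data>"
    "<Data Name='LogonType'>3</Data>"
    "<Data Name='LogonProcessName'>Advapi </Data>"
    "<Data Name='AuthenticationPackageName'>Negotiate</Data>"
    "<Data Name='WorkstationName'>DC01</Data>"
    "<Data Name='ProcessName'>C:\\Program Files (x86)\\Okta\\Okta AD Agent\\OktaAgentService.exe</Data>"
    "<Data Name='IpAddress'>1.2.3.4</Data><Data Name='IpPort'>-</Data>"
    "<Data Name='ImpersonationLevel'>%%1833</Data>"
    "</EventData></Event>"
)


def parse_win_event(xml_text: str) -> Dict[str, object]:
    """Flatten a renderXml Windows event into one dict: a few <System> fields plus every
    <EventData><Data Name=...> pair. Windows writes '-' for 'no value'; that becomes None
    so it cannot be mistaken for a real IP, port or user name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:  # an Element with no children is falsy, so test for None explicitly
        raise ValueError("no <System> element; not a Windows event")
    ev: Dict[str, object] = {
        "EventID": int(system.findtext("e:EventID", default="0", namespaces=NS)),
        "Channel": system.findtext("e:Channel", default="", namespaces=NS),
        "Computer": system.findtext("e:Computer", default="", namespaces=NS),
    }
    created = system.find("e:TimeCreated", NS)
    ev["TimeCreated"] = created.get("SystemTime") if created is not None else None
    for data in root.findall("e:EventData/e:Data", NS):
        name = data.get("Name")
        if not name:
            continue
        value = (data.text or "").strip()  # 'Advapi ' carries a trailing space in the source
        ev[name] = None if value == "-" else value
    return ev


def logon_summary(ev: Dict[str, object]) -> Optional[Dict[str, object]]:
    """The handful of 4624 fields triage usually starts from; None for other event IDs."""
    if ev.get("EventID") != 4624:
        return None
    return {
        "user": f"{ev.get('TargetDomainName')}\\{ev.get('TargetUserName')}",
        "logon_type": ev.get("LogonType"),
        "source_ip": ev.get("IpAddress"),
        "process": ev.get("ProcessName"),
        "computer": ev.get("Computer"),
    }


if __name__ == "__main__":
    print(logon_summary(parse_win_event(SAMPLE_4624)))
```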
Currently running Splunk Universal Forwarder version 9.0.3. Looking to ignore Windows event logs (EventCode = 4103) using a "blacklist" approach as part of my overall inputs.conf configuration. While splunkd.log is not throwing any errors with my current attempts, it is also not ignoring logs containing the string:

String to ignore: C:\WINDOWS\CCM\SystemTemp

Note: I am choosing to filter on the string above as other aspects can vary and this is the common string that is included in the events I want to ignore. Below is an example of such a log. Please advise.

My attempt at this is:

blacklist1 = EventCode="4103" Message="(?:Host Application =)\s+(?:.*WINDOWS\\CCM\\SystemTemp\\+.*)"

User=SYSTEM
Sid=S-1-5-18
SidType=1
SourceName=Microsoft-Windows-PowerShell
Type=Information
RecordNumber=10132121
Keywords=None
TaskCategory=Executing Pipeline
OpCode=To be used when operation is just executing a method
Message=CommandInvocation(Out-Default): "Out-Default"
Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2364
Host ID = 5009593d-812d-49fc-a794-4633cf58cd5c
Host Application = C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass & 'C:\WINDOWS\CCM\SystemTemp\7f1a326f-19f5-4480-9414-46ffe015e730.ps1'
Engine Version = 5.1.19041.2364
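An added example, not from the post and not Splunk code: a small harness for testing a blacklist regex against sample messages before it goes into inputs.conf, with a negative case included. It shows two things about the pattern above. First, it does match the sample message (for the constructs used, Python's re and Splunk's PCRE agree), so if the forwarder still ships the event the cause is in how the stanza is loaded or how the Message field is presented to the filter, which this harness cannot see. Second, the leading .* means the pattern also matches a script under any path that merely contains WINDOWS\CCM\SystemTemp, so a PowerShell 4103 event for a script in a user-writable lookalike directory would be dropped too; the tighter pattern anchors the exact SCCM host application and the full system path. Both messages are constructed from the event in the post.

```python
import re
from typing import List, Tuple

# Constructed 4103 Message text, cut down from the event quoted in the post.
SCCM_MESSAGE = r"""CommandInvocation(Out-Default): "Out-Default"
Context:
    Severity = Informational
    Host Name = ConsoleHost
    Host Version = 5.1.19041.2364
    Host Application = C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass & 'C:\WINDOWS\CCM\SystemTemp\7f1a326f-19f5-4480-9414-46ffe015e730.ps1'
    Engine Version = 5.1.19041.2364"""

# Constructed lookalike: same command line, but the script lives under a user-writable
# directory whose name merely contains the string the blacklist keys on.
LOOKALIKE_MESSAGE = SCCM_MESSAGE.replace(
    r"C:\WINDOWS\CCM\SystemTemp", r"C:\Users\Public\WINDOWS\CCM\SystemTemp")

# The regex from the post, as written in the Message="..." value.
POSTED = r"(?:Host Application =)\s+(?:.*WINDOWS\\CCM\\SystemTemp\\+.*)"

# Tighter alternative: the exact SCCM host application, no '&' allowed before the
# script path, and the script must be a GUID-named .ps1 directly under the system path.
TIGHTER = (
    r"Host Application = C:\\WINDOWS\\system32\\WindowsPowerShell\\v1\.0\\PowerShell\.exe "
    r"[^&]*& 'C:\\WINDOWS\\CCM\\SystemTemp\\"
    r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.ps1'"
)

# (label, message, should this event be dropped?)
CASES: List[Tuple[str, str, bool]] = [
    ("sccm", SCCM_MESSAGE, True),
    ("lookalike", LOOKALIKE_MESSAGE, False),
]


def would_drop(pattern: str, message: str) -> bool:
    """True if the blacklist regex matches the Message text."""
    return re.search(pattern, message) is not None


def audit(pattern: str, cases: List[Tuple[str, str, bool]]) -> List[str]:
    """Labels of the cases where the pattern's verdict differs from the expected one."""
    return [label for label, message, expected in cases
            if would_drop(pattern, message) != expected]


if __name__ == "__main__":
    print("posted pattern disagrees on:", audit(POSTED, CASES))    # ['lookalike']
    print("tighter pattern disagrees on:", audit(TIGHTER, CASES))  # []
```

Keep the negative cases around and re-run the harness whenever the blacklist changes: a 4103 blacklist is a blind spot by design, and the harness is what keeps the blind spot the size you intended.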
I'm having an issue where DB Connect is reading the whole database every hour and also logging duplicate events instead of reading new events. So yes, I have up to 10-20 copies of the same event logging into Splunk. Would adjusting the execution frequency solve this issue?
Query:

index=apl-app-grap sourcetype=grap:apps source=*applications* host=xxxxxx
| rex field=_raw "\|rank\:(?<Report>.*?)\|"
| eval Pass=if(Report="0", "Pass", null())
| stats count(Pass) as Passed_Count

Output:
Passed_Count
700

But I need the output per day: if I select 7 days I should get 7 rows (showing each day's count), like shown below:
Passed_Count
100
100
100
100
100
100
100