All Topics
I am using the Webtools add-on to do some work with API endpoints. The curl commands work fantastically. However, when attempting to use the urlencode command, I keep getting errors. I get the following error message:

command="urlencode", '<' not supported between instances of 'OrderedDict' and 'OrderedDict'

I have installed the latest version of TA-webtools, 3.0.2. Splunk version 8.2.7. Please see the attached image. Any help on resolving this issue would be extremely appreciated. Thanks. Regards, TheFrunkster
Hi Guys, I have a UF installed on my Windows machine; last month the logs abruptly stopped. I checked the splunkd log file and saw the error:

TcpOutputFd [800 TcpOutEloop] - Connection to host=xx.xxx.xxx.xxx:9997 failed

Also, after restarting, it resumes sending logs to Splunk for some days, but then it stops again and gives the same error. Not sure how to fix this issue and proceed.
Hoping this is going to be a relatively simple one. Can you nullQueue metrics indexes? For example, if I am using the new *nix TA, all performance monitoring is collected with scheduled scripts and stored in metrics indexes. Can we nullQueue a specific sourcetype at the indexer like we would for an event index? Thanks!
Hello, I noticed that some "Security and Compliance" alerts log usernames and others do not. For instance, the alert named "File Uploaded to Document Library For The First Time" clearly logs the user who performed the action. However, the alert "A Potentially Malicious URL Was Clicked" does not log the user who clicked on it. I tried to extract new fields and again observed that this particular alert does not contain the username. For obvious reasons, I would like to have that information on hand whenever an alert such as this one comes through. I looked in the MS Security Portal, and that does have the username. It just does not get to Splunk, and therefore cannot be a part of the alert. Is there any way to resolve this? To be clear, I would like all of these alerts to have a username associated with each. Thanks.
Fairly new to writing playbooks within Phantom and so far haven't found documentation for this yet: I'm trying to create an email notification (or something along those lines) whenever a playbook fails to complete for whatever reason (the main fail case is if a Splunk search fails or the job dies). Basically almost like a try/except block, but in Phantom. Has anyone found a way to incorporate this in Phantom?
Hello, I would like to know your inputs on the below. I have a request where, on a Splunk dashboard, we need to create a button which should invoke a response play in PagerDuty. We are trying to implement it and are stuck on the approach. Please help me with your thoughts.
Good afternoon, I would like to know if in Dashboard Studio it is also possible to hide the menu and buttons (edit, download), just like in classic mode. I want to hide the top menu, title and buttons, leaving only the time range, as in the image below. In classic mode this is hidden via XML, in the code below:
Splunk Enterprise OnPrem 9.0.1. We are troubleshooting an issue where some alerts are being triggered incorrectly, and found a correlation between these odd triggers and _internal events with sourcetype=splunkd_remote_searches. The events are described as:

01-18-2023 14:03:00.178 -0300 INFO StreamedSearch - Streamed search connection closed: search_id=remote_<node>_subsearch_searchparsetmp_ ...

What does searchparsetmp mean in the context of the subsearch? Also, what is the difference from remote_<node>_subsearch_scheduler_ ..., which also describes similar events in _internal?
I have a field A which has percentage values. Also, I have a field B which has percentage values in it. Both are different values. Now I want to create a new field which adds both the values.

A      B
10%    30%
20%    50%
30%    70%

The query should fetch me the results like below:

C
40%
70%
100%
Is there any chance that someone will update the BlueCat Add-On for Splunk for DHCP logs? When I review the TA, the props/transforms are not aligning with the DHCP log format anymore. Thx
Hi All, I'm pretty new to Splunk so forgive me if this is an easy question. I'm trying to figure out how to a) search for an event and then b) search for different events that happened before/after the event. For example, I want to search failed logins for a certain account, and then try to find other login events for that host 5 mins before and after. I can figure out how to search for the events individually, but don't know how to combine them and then format them into something like a table. So my first search would be:

index="wineventlog" EventCode=4768 Result_Code=0x6

And the second search would be based on the first search, but for a different event code:

search index="wineventlog" EventCode=4624 | "filter by the results of the first search 5 mins before/after each event"

Eventually I'd want to get to a table similar to this:

Time                Event      Supporting Events
Jan 18 @ 10:01am    Event 1    Jan 18 @ 10:03am    Event 1a
                               Jan 18 @ 10:02am    Event 1b
Jan 17 @ 7:33am     Event 2    Jan 17 @ 7:35am     Event 2a
                               Jan 17 @ 7:32am     Event 2b
etc.

Thanks!
Hi, I am very new to Splunk and need help with the below situation. I have two columns as below:

Row    Column 1                  Column2
1.     Value:dataclass           Internal
       Value:url                 http://****.com/****
       Value:application-name    ABC
       Value:daily-backup        Y
2.     Value:dataclass           Internal
       Value:url                 http://*n**.com/****
       Value:application-name    XPZ
       Value:daily-backup        N

Now I need to convert these row values of Column1 into columns, and the Column2 values into their row values, like below:

Dataclass    URL                     Application-Name    Daily-Backup
Internal     http://****.com/****    ABC                 Y
Internal     http://*n**.com/****    XPZ                 N

Thanks in advance.

SVM
I have a report:

index IN (proxy) src_ip=* | eventstats sum(sbimb) as Totalsbimb, sum(sbomb) as Totalsbomb by src_ip | search (sbimb > 300) OR (sbomb > 20) OR (Totalsbimb > 500) OR (Totalsbomb > 10) | sort -sbomb

Tried top but can only get one or the other, and I need to pass dest, totalsbomb and totalsbimb with the top event. I keep finding ways to get one but not the other. I am trying to get a table with src_ip, dest, sbimb (for dest), sbomb (for dest), totalsbomb and totalsbimb for src_ip. The query takes too long to run twice with append.
I'm creating a dashboard that lets users input a comma-delimited list of CVEs to search for. I'm trying to display a table that shows the number of times each CVE was found. I know how to display the number if the CVE was in the data, but I'm struggling to find out how to display 0 for CVEs that aren't in the data. I have a base query that uses tstats (since it runs against a data model) and I can run any additional SPL off the base query in the table panel. The base query looks like this:

<form>
  <label>Vulnerability Distribution</label>
  <init>
    <set token="tok_query">base</set>
  </init>
  <search>
    <query>
      | makeresults count=1
      | eval Vulnerabilities.cve=if("$cves$"=="*",null(),split($cves|s$,","))
      | format
      | eval search=if(search=="NOT ()","","AND ".search)
    </query>
    <done>
      <set token="tok_query">$result.search$</set>
    </done>
  </search>
  <search id="base">
    <query>
      | tstats latest(Vulnerabilities.cve) as cves latest(Vulnerabilities.Vuln_Mgmt.vulnerability_name) as vulnerability_name max(Vulnerabilities.Vuln_Mgmt.age) as age `vm_datamodel_default_filter` $tok_query$ by Vulnerabilities.Vuln_Mgmt.dest_ip,Vulnerabilities.Vuln_Mgmt.vulnerability_id
      | rename Vulnerabilities.Vuln_Mgmt.* as *
    </query>
  </search>

The vm_datamodel_default_filter macro just has our normal filters (i.e. WHERE severity > 3 AND status=open...). The panel query that shows the count for CVEs it found looks like this:

  <panel>
    <title>Vulnerability Distribution</title>
    <table>
      <search base="base">
        <query>| stats latest(cves) as cves dc(dest_ip) as vulnerable_assets by vulnerability_id</query>
      </search>
    </table>
  </panel>

I just can't figure out how to get the table to include 0 for CVEs not found. Any help would be greatly appreciated.
Recently we needed to update the Client Secret for one of our tenants, and I wanted to ask what is the most efficient way of tracking what the token expiry date is and of creating an alert in Splunk? I had a look at the logs and couldn't find anything to indicate when the access token is about to expire.
Hello all, when Splunk is set up in Azure, does Azure charge for the alerts and notifications? Or how do the alert charges work when Splunk is set up in Azure?
Hi all, I am using a search on the internal index, but I want to add field values which are in another index, wineventlog. Below is what I am using from the internal index; in the search I want to add a field to the table.
Hello Team, I need to send an alert on all working days at 8:00 AM with a time range of 24 hrs, except on Monday with a time range of 3 days. Will this be possible in our alert settings for the same SPL query but with a different time range, or should we add it in the SPL query?
I've been struggling for a while and hopefully someone here can help me. I need to figure out if a user has an active session based on session ID and user name. An active session is defined as: only event 21 received, OR event 25 received has a newer timestamp than event 24 received. A not-active session is defined as: only event 21 AND event 24 received, OR event 24 received has a newer timestamp than event 25 received. The search starts something like this:

index=main source=events EventCode IN (21,24,25) | fields _time, User, EventCode, Session_ID, host

Thanks in advance
Hi, I am new to Splunk and will be needing assistance with the health status of Splunk. How do I debug the below errors in red?