Hi, I am new to Splunk and will be needing assistance with the health status of Splunk. How do I debug the below errors in red?
Hello, On a specific service, I want to define my workflow names based on the URL path in order to follow key business actions on a web app. My wish:
- Remove the domain name
- Use the first 3 segments of the URL path as the workflow name, for example: /api/v1/products, /api/v1/partners, /api/v1/users
And also I want to mask or replace all IDs in the URL with a regex pattern. Do you have an idea how to do that in Splunk APM? Thank you. Regards, Aurélien.
    | rex field=_raw "measResults\W(?<avgCpuUtilization>\d{0,3})\s(?<maxCpuUtilization>\d{0,3})"
    | rex field=_raw "PLMN-PLMN\W\w+-\d\W\w\w\w-\d{0,3}.\d{0,3}.\d{0,3}.\d{0,3}@(?<RB_OR_LVS_DC>\w+-\w+)"
    | eventstats avg(avgCpuUtilization) as AvgCPU max(maxCpuUtilization) as MaxCPU count by UK_OR_USA_DC
    | stats count by month,RB_OR_LVS_DC,month_name,monthyear,AvgCPU,MaxCPU
    | table month_name,AvgCPU,MaxCPU,UK_OR_USA_DC

UK_OR_USA_DC contains 2 values, UK_DC and USA_DC. I want to calculate avgCpuUtilization and maxCpuUtilization for both UK_DC and USA_DC, so there will be 4 values: avgCpuUtilization_UK_DC, maxCpuUtilization_UK_DC, avgCpuUtilization_USA_DC, maxCpuUtilization_USA_DC. I am unable to fetch this. How can I combine avgCpuUtilization and maxCpuUtilization with UK_DC? Request your help on this.
Hi, I tried creating a network diagram viz and the nodes do not stop moving and spin around each other. Obviously, it makes the dashboard impossible to use. When I disable physics or enable hierarchy it stops moving, but loses the topology view that I need. What can be done?
I would like to be able to configure the Splunk Add-on for Sysmon to ingest logs from a file instead of the Windows Event Log directly. The default input.conf in the Splunk Add-on for Sysmon App contains the following:

    [WinEventLog://WEC-Sysmon]
    disabled = true
    renderXml = 1
    source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype = XmlWinEventLog:WEC-Sysmon
    host = WinEventLogForwardHost

I tried to override the input like so:

    [monitor:///path/to/my_file/filename.log]
    disabled = false
    renderXml = 1
    source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype = XmlWinEventLog:WEC-Sysmon
    host = WinEventLogForwardHost

Unfortunately, it doesn't work and no logs appear to be sent by the Heavy Forwarder to my Indexer. The file I am using contains Windows logs in the standard Windows Event Log XML format (1 per line). I want to be CIM compliant with my Sysmon logs but I cannot use a WinEventLog:// input; I have to use a file input.
Hi, I want to change the date format from 7/30/2023 12:00:00 AM to 2023-07-30. I am using the following command but it seems to have no luck:

    eval DesiredDate = strftime(strptime(DesiredDate,"%m/%d/%YT%H:%M:%S.%QZ"),"%m-%d-%Y")
Regarding Federated search: Is the only authentication option username and password? We use SSO on the remote search head (LDAP/Reverse Proxy), which would be preferable. Why do you need to explicitly define each remote index on the FSH? Why doesn't Splunk allow you to enable all indexes and save the effort of having to maintain the list?
My data looks like the following:

    student_id  browser_id  guid  datetime        x_id
    12_a        Chrome_2    1122  1/9/23 14:45    788a
    13_a        Chrome_4    1213  1/12/23 19:13   33b
    14_a        Chrome_3    1422  1/13/23 1:42    24c
    15_b        FireFox_1   1289  1/16/23 15:46   12d
    12_a        Chrome_2    1132  1/11/23 21:50   788a

Ideally, we shouldn't have different guids given the same student_id, browser_id and x_id. I am trying to find all those student_ids who violate this rule, aka student_ids with the same browser_id and x_id but a different guid. So for the above, I'd like to see something like:

    12_a  Chrome_2  1122  1/9/23 14:45   788a
    12_a  Chrome_2  1132  1/11/23 21:50  788a

I am trying:

    index="main_idx" app="student_svc"
    | stats count by student_id browser_id guid datetime x_id
    | where count > 1
    | stats list(count) by student_id

But it doesn't seem to be yielding the result. What should be the fix? Thanks
Hi, I am trying to use the Splunk Add-on for Microsoft Cloud Services on the Splunk Enterprise platform. I have followed all the steps mentioned in the Splunk doc "Configure a Storage Account in Microsoft Cloud Services - Splunk Documentation", but data is not getting indexed in Splunk unless I select the highlighted one in the below pic in the Azure storage account. Due to company policy I cannot set it to "Enabled from all networks". I have tried raising a Microsoft support request but didn't get the solution. I am able to fetch the data from the storage account directly into a Virtual Machine using the azcopy command, but using the add-on I am not able to index/fetch the data into Splunk. Any help on troubleshooting this issue will be of great help.
I need a link to download the latest HP-UX Splunk universal forwarder 
This is a single server Splunk deployment. I am indexing Duo MFA logs using the official Splunk app. In the "Searching and reporting" app, when I use the table command to view that data, each field is a multivalue field with the value duplicated. When I try the same search using the Duo app instead of "Searching and reporting", the fields are extracted only once as expected, not duplicated. For example, when I use the table command on this data in "Searching and reporting":

    email
    user@example.com
    user@example.com

When I use the table command on this data in the "Duo" app:

    email
    user@example.com

So this problem appears to be limited to the "Searching and reporting" app. But I'm not finding any configuration specific to "Searching and reporting" related to this app/source. For example, there is nothing in SPLUNK/etc/apps/search/local/props.conf or transforms.conf that would affect this source. The current configuration according to btool is coming from SPLUNK/etc/apps/duo_splunkapp/default/props.conf and is:

    [source::duo]
    INDEXED_EXTRACTIONS = json
    KV_MODE = none

I also tried changing the config to this:

    INDEXED_EXTRACTIONS = none
    AUTO_KV_JSON = true
    KV_MODE = json

but that just resulted in neither the "Searching and reporting" app nor the "Duo" app having extractions for this data. How do I fix this so the "Searching and reporting" app has a single set of extractions and not duplicates?
I am new to Splunk and would really appreciate some guidance or advice on how to do the following: We got different DLP alerts in different consoles, each console with different API capabilities. The alerts are logged in Microsoft Purview (a.k.a. the Compliance Center), in Microsoft Defender for Cloud Apps, Microsoft 365 Defender and Splunk. My problem is how do we get the necessary data out of any of these consoles? I'd like to know if Splunk has something tying them all together. I wish to build a search/report that correlates them, linking together certain fields of each source type to create a report and to generate an email that includes alert details and a copy of the content that created the detection. Please help
I have a few orphaned searches, which I need to reassign or disable or delete. I am not able to do any of these.
1. The orphaned searches which I can see in splunk/app/search/orphaned_scheduled_searches.............. here the sharing is at user level, but I am not able to see the same in Settings > All configurations > Reassign Knowledge Objects. When I search the alert name by selecting the orphaned ones, I am not getting any results.
2. When I checked the owner name in the internal index it is showing that the user has been disabled.
Now how can I reassign or disable or delete these searches? Is there any chance to do it via CLI? Please help on this.
All, I am looking at GitHub Enterprise logs as captured by my Syslog-ng server on prem. The logs being sent are JSON ...mostly, but we have some values in the JSON key-value pairs that are breaking characters. The app is not escaping these characters. SEDCMDing all these events at the indexer was just overwhelming and I don't think this is the correct approach. I am looking at the Splunk Add-on for GitHub and I am seeing it wants the Splunk for Syslog Connect container deployed. Before I go and deploy that and learn how it works and whatnot, how can I check that Splunk has already solved this problem? I just don't want to build that sort of lab out and find out there isn't already some sort of workaround in this tool for escaping JSON chars. Thanks -Daniel
The event is JSON:

    {message:AZK} x 10
    {message:BCK} x 5
    {message:C} x 3

What I'm trying to get is a table that counts message by values with a modified text:

    Message AZK - 10
    Message BCK - 5
    C - 3

I use this:

    | eval extended_message= case( match(_raw,"AZK"),"Message AZK", match(_raw,"BCK"),"Message BCK", 1=1, message)
    | stats count as nombre by extended_message
    | sort nombre desc
    | table extended_message, nombre

I can't get the "C" in the list to be counted; the message from the JSON event is not interpreted (I don't know). Thanks for your help
Dear All. When searching some database log as index=my_db .... I have a field named "statement" with content as in the example below:

    The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 192.20.21.22]

I need to create a new field, named IP2, with the IP address as above. In general, the rex command must look for the text between "[CLIENT: " and "]". Your help is appreciated. Best regards, Altin
Hi, Splunkers, I have a timechart in a dashboard:

    | timechart span=1h count by VQ

then timechart returns a graph with VQ_A, VQ_B, VQ_C with their values. I want to click these VQ_XXX as input to reopen the dashboard. How do I pass these "count by" results as input to my dashboard? Actually, in my timechart (| timechart span=1h count by VQ), this VQ comes from a token. There is a chart option below:

    <option name="charting.drilldown">$t_countby$</option>

If I put token t_countby here, then when I click VQ_A, VQ_B or VQ_C in my timechart, the value passed as input is VQ, which I selected from the dropdown list with token t_countby, not VQ_A, VQ_B or VQ_C, which I expected to pass as input. Thanks in advance. Kevin
I currently have a query that returns what I need for a single day.

    (index=microsoftcloud sourcetype="ms:azure:accounts" source="rest*group*") OR (index=microsoftcloud sourcetype="ms:azure:accounts" source="rest*User*")
    | where match(userPrincipalName,"domain name") or match(userPrincipalName,"domain name")
    | eventstats count by id
    | eventstats count(eval((source="rest://MSGraph Group1 Members" OR (source="rest://MSGraph Group 2 Members") or (source="rest://MSGraph Group 3 Members") ))) as total
    | eventstats count(eval(source="rest://MSGraph CL Users" AND count>1)) as current
    | dedup total, current
    | eval perc=round(current*100/total,1)."%"
    | eval missing=total-current
    | rename total as "In Scope Users"
    | rename current as "Current Users"
    | rename perc as "Percent Compliant"
    | rename missing as "Missing"
    | table "In Scope Users", "Current Users", "Missing", "Percent Compliant"

I am trying to make this show me a chart over the previous month that shows me the daily result of the posted query. I have tried many "solutions" from the web, but nothing has worked. Any help is appreciated
Just started to get logs for our 2019 Exchange environment. I'm not a Splunk admin and have been advised to use these commands to search all logs in Exchange send/receive, but I'm seeing what other search queries I can build/use to search by subject, user, sender etc.

    index=msexchange sourcetype=msexchange:protocollog:smtpsend
    index=msexchange sourcetype=msexchange:protocollog:smtpreceive
Hello, I have a log that looks like this. Here each field has its own field name, and "viewed patient data in registration(XXTEST, ORANGE CRUSH)" is event_name (captured group to be used).

    0000|2019-01-07T14:20:12.000000Z|patientid|lastname, firstname|personlastname|M|middelname||PIEIGHT||MRN||Viewed|viewed patient data in registration(XXTEST, ORANGE CRUSH)|00000||

The one in red should be removed as it is sensitive patient data; for example, (XXTEST, ORANGE CRUSH) should be removed. In transforms.conf I have:

    [removedata]
    REGEX = ^(?:[^\|\n]|){13}(?P<event_name>[^\|]+)([^)])

In my props.conf I have:

    REPORT-removedata = removedata

But it is still not working. Do I need to use the field name, or change my regex? Am I applying the proper use of transforms? Thank you,