I recently installed the Splunk Add-on Builder on my local environment (not in the cloud) and developed an add-on using Python and a REST API. Things worked well; I created 2 data collections and data comes in. I decided to remove the REST API data collection, and right after that the Inputs page failed to load. I used to get the generic status code 500, but now it is "Request failed with status code 404". I went through all of the discussions in the community and none of the answers helped me.

Internal logs search: index=_internal "error"

Result:

message from "/Applications/Splunk/bin/python3.7 /Applications/Splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" RuntimeError: assist binary not found, path=/Applications/Splunk/etc/apps/splunk_assist/bin/darwin_x86_64/assistsup
message from "/Applications/Splunk/bin/python3.7 /Applications/Splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" raise RuntimeError(f'assist binary not found, path={full_path}')

Thanks in advance,
Aviv.
Hello,

I'm not a JavaScript expert, but I have found useful examples to build setup pages for apps and add-ons: https://github.com/splunk/splunk-app-examples

These examples show forms with input "text". I see that "textarea" works too. But I can't build other input types, such as "select". How can I add "select" here? For instance,

e("label", null, [
  "My label ",
  e("input", {
    type: "select",
    name: "mytype",
    options: [
      { label: "File", value: "file" },
      { label: "Folder", value: "folder" },
    ],
    onChange: this.handleChange
  }),
]),

doesn't work.

Thank you very much
Kind Regards
Marco
Hi Team,

I am a newbie to Splunk. I have installed Splunk Enterprise on a server and I have installed some forwarders on other machines, and I'm taking in the application, security, system and setup logs. But now I want to monitor the websites the user visited and the Outlook application, whether it is a separate application or running in a browser. I want to monitor them in order to detect phishing attacks. There are no web proxy servers or IIS servers. Can anyone suggest some ideas to complete this use case (on detecting phishing attacks)?
So I currently have a stats sum of donuts for the last 90 days and I am getting results like below:

sum(donuts)
54000

But I need a line chart to show the total number of donuts (the sum(donuts) field) for the last 90 days, but just on a 4-week interval. So I should have something like below. I have a field for the lastEaten date, but that shows how many were eaten on that specific date.
I am building a search head cluster. But when I initiate clustering I get the error below. I am using the syntax below for cluster initiation. Please note I have checked my server.conf file in the local directory and added entries of false for cliVerifyServerName and sslVerifyServerName. Also, enableSplunkWebSSL = false is already there in web.conf.

./splunk init shcluster-config -auth <username>:<password> -mgmt_uri <uri>:<managementport> -replication_port <replication port> -replication_factor <n> -conf_deploy_fetch_url <url>:<managementport> -secret <security_key> -shcluster_label <label>

WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Login failed

I am not looking to set up any third-party or self-signed certificate as this is just for self-learning. I would request your support.
I am running a search like

index="main" app="student-api" "path"="/v1/enroll"

And in the events (when I select Raw) I see this type of output:

{
  "application": "student-api",
  "environment": "prod",
  "timestamp": "2023-02-23T08:24:23.163Z",
  "traceId": "2a2e3980-e61b-4927-b270-1785569d5af8",
  "response": {
    "statusCode": "200"
  },
  "request": {
    "protocol": "HTTP/1.1",
    "method": "POST",
    "path": "/v1/enroll",
    "headers": {
      "Accept-Encoding": ["gzip"],
      "Accept-Language": ["en_US"],
      "Content-Type": ["application/json; charset=UTF-8"],
      "Experiments": ["{\"n\":\"first_enroll\",\"p\":\"BACKEND_SERVICE\",\"v\":\"FIRST\"},{\"n\":\"ttl_ios\",\"p\":\"BACKEND_SERVICE\",\"v\":\"default\"}]}"],
      "TraceId": ["2a2e3980-e61b-4927-b270-1785569d5af8"]
    },
    "cookies": "",
    "body": ""
  },
  "duration": 115
}

Now, I am trying to generate a count based on how many of the ttl_ios have value = default ({\"n\":\"ttl_ios\",\"p\":\"BACKEND_SERVICE\",\"v\":\"default\"}] is where it is default) vs non-default, so the result should look like, say:

variant        count
default        10
non-default    3

(default and non-default are the only 2 values it can have.)

Appreciate your help on this. Thanks
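One way to do the classification the post above asks about, as an added Python example that is not part of the post and not Splunk's own code: it takes a handful of constructed events in the shape shown, pulls the ttl_ios experiment out of the Experiments header with a regex (the header value is a JSON fragment, not a valid JSON document, so json.loads cannot be used on it), and counts default vs non-default. Events that lack the experiment, or that cannot be parsed at all, are kept in their own buckets rather than silently folded into non-default. The helper names and the sample values are assumptions; in SPL the same pattern is what a rex over the extracted header field would apply before a stats count by the captured value.

```python
import json
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample events in the shape shown in the post (not real data).
def _event(experiments_header: Optional[str]) -> str:
    headers = {"Content-Type": ["application/json; charset=UTF-8"]}
    if experiments_header is not None:
        headers["Experiments"] = [experiments_header]
    return json.dumps({
        "application": "student-api",
        "request": {"method": "POST", "path": "/v1/enroll", "headers": headers},
        "response": {"statusCode": "200"},
    })

SAMPLE_EVENTS = [
    _event('{"n":"first_enroll","p":"BACKEND_SERVICE","v":"FIRST"},'
           '{"n":"ttl_ios","p":"BACKEND_SERVICE","v":"default"}]}'),
    _event('{"n":"ttl_ios","p":"BACKEND_SERVICE","v":"default"}]}'),
    _event('{"v":"30d","n":"ttl_ios","p":"BACKEND_SERVICE"}]}'),        # non-default, keys reordered
    _event('{"n":"first_enroll","p":"BACKEND_SERVICE","v":"FIRST"}]}'),  # no ttl_ios experiment at all
    _event(None),                                                        # Experiments header absent
    '{"application":"student-api","request":',                           # truncated, not valid JSON
]

# The header is a flat list of {...} objects that never nest, so [^{}] is enough
# to isolate one object at a time without a real JSON parser.
OBJECT_RE = re.compile(r"\{[^{}]*\}")

def _string_field(obj: str, key: str) -> Optional[str]:
    """Pull a string-valued key out of one experiment object regardless of key order."""
    m = re.search(r'"%s"\s*:\s*"([^"]*)"' % re.escape(key), obj)
    return m.group(1) if m else None

def experiment_value(raw_event: str, name: str) -> Optional[str]:
    """Return the 'v' of the named experiment from the Experiments header, or None."""
    event = json.loads(raw_event)
    header_values = event.get("request", {}).get("headers", {}).get("Experiments", [])
    for header in header_values:
        for obj in OBJECT_RE.findall(header):
            if _string_field(obj, "n") == name:
                return _string_field(obj, "v")
    return None

def variant_counts(raw_events: Iterable[str], name: str = "ttl_ios") -> dict:
    """Count events by whether the named experiment is 'default' or not.

    Events without the experiment and events that are not valid JSON are
    counted under 'missing' and 'unparseable' so they cannot inflate either
    of the two buckets the post cares about."""
    counts = Counter()
    for raw in raw_events:
        try:
            value = experiment_value(raw, name)
        except (json.JSONDecodeError, AttributeError, TypeError):
            counts["unparseable"] += 1
            continue
        if value is None:
            counts["missing"] += 1
        elif value == "default":
            counts["default"] += 1
        else:
            counts["non-default"] += 1
    return dict(counts)

if __name__ == "__main__":
    for variant, count in sorted(variant_counts(SAMPLE_EVENTS).items()):
        print(f"{variant:<12}{count}")
```

Run it as a script to print the per-variant table; the 'missing' and 'unparseable' rows are the ones to watch in production, since a change in how the header is emitted would show up there first rather than as a quiet shift in the default/non-default ratio.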
Hello,

I have results like below:

Host   Type          Type Duplicate Field
ABCD   Coca Cola     Coca Cola
EFGH   7up - Sprite  7up - Sprite

But I want my search, for the Type Duplicate Field, to remove anything after the first space, so my table should look like below:

Host   Type          Type Duplicate Field
ABCD   Coca Cola     Coca
EFGH   7up - Sprite  7up

Any help would be greatly appreciated.
Hi,

There is a need to send an automated summary of daily emails that are stopped by the anti-spam filter. In Splunk we have act=quarantined and we can see all stopped emails, but how do we create "one alert or report" for specific users where they get on email only the results where their email is matched?

Example. If I do something like this:

index="email" act="QUARANTINED"
| lookup email_notify_quarantine email AS orig_recipient OUTPUTNEW notify AS notify
| where notify="true"
...

I'll get results for quarantined messages for all users that need to get that report, and now if I create a scheduled report or alert I am afraid that each user will get the whole list of quarantined messages, not only theirs.
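The failure mode the post above is worried about, as an added Python example that is not part of the post and not Splunk code: a single scheduled search returns every opted-in user's quarantined mail in one result set, so whatever sends the email must partition the results by recipient before anything goes out, or every user sees everyone else's quarantined senders and subjects. The function below does that partition over constructed events and a constructed stand-in for the notify lookup, and the renderer only ever receives one recipient's slice. Field names follow the post's search (act, orig_recipient, notify); the sender and subject fields, the addresses and the lookup values are assumptions, as is the case-insensitive address comparison.

```python
from collections import defaultdict

# Constructed events in the shape the post's search works with (not real data).
QUARANTINE_EVENTS = [
    {"act": "QUARANTINED", "orig_recipient": "alice@example.com", "sender": "billing@evil.test",  "subject": "Invoice 4471 overdue"},
    {"act": "QUARANTINED", "orig_recipient": "bob@example.com",   "sender": "helpdesk@evil.test", "subject": "Password expires today"},
    {"act": "QUARANTINED", "orig_recipient": "Alice@Example.com", "sender": "docs@evil.test",     "subject": "Shared document"},
    {"act": "DELIVERED",   "orig_recipient": "alice@example.com", "sender": "carol@example.com",  "subject": "Lunch?"},
    {"act": "QUARANTINED", "orig_recipient": "dave@example.com",  "sender": "ceo@evil.test",      "subject": "Urgent wire transfer"},
    {"act": "QUARANTINED", "orig_recipient": "erin@example.com",  "sender": "hr@evil.test",       "subject": "Benefits update"},
]

# Constructed stand-in for the email_notify_quarantine lookup: address -> notify flag.
NOTIFY_LOOKUP = {
    "alice@example.com": "true",
    "bob@example.com": "true",
    "dave@example.com": "false",   # opted out: must receive nothing
    # erin@example.com has no lookup row and is treated as opted out
}

def _normalize(address):
    # Assumption: addresses are compared case-insensitively, as most mail systems do.
    return (address or "").strip().lower()

def build_digests(events, notify_lookup):
    """Partition quarantined events into one list per opted-in recipient.

    The returned dict is the only thing a per-user send step should consume:
    a recipient's list never contains another recipient's messages, and
    recipients without notify=true get no entry at all."""
    digests = defaultdict(list)
    for ev in events:
        if (ev.get("act") or "").upper() != "QUARANTINED":
            continue
        rcpt = _normalize(ev.get("orig_recipient"))
        if not rcpt or (notify_lookup.get(rcpt) or "false").lower() != "true":
            continue
        digests[rcpt].append(ev)
    return dict(digests)

def render_digest(recipient, events):
    """Plain-text body for one recipient's digest."""
    lines = [f"{len(events)} message(s) quarantined for {recipient} today:"]
    for ev in events:
        lines.append(f"  - from {ev['sender']}: {ev['subject']}")
    return "\n".join(lines)

def leaked_recipients(digests):
    """Check before sending: list digests that contain someone else's mail."""
    return [
        rcpt for rcpt, evs in digests.items()
        if any(_normalize(ev.get("orig_recipient")) != rcpt for ev in evs)
    ]

if __name__ == "__main__":
    digests = build_digests(QUARANTINE_EVENTS, NOTIFY_LOOKUP)
    assert not leaked_recipients(digests)
    for rcpt, evs in digests.items():
        print(render_digest(rcpt, evs))
        print()
```

The leaked_recipients check is cheap and worth keeping in front of any send step: the cost of the bug the post describes is a daily mail to every employee listing which of their colleagues received a "Password expires today" lure.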
I want to colour the column on the basis of other values which I am reading in Splunk related to that field, not on the basis of the range or the data of that field.
I've got the following to calculate our quota:

index=summary source="splunk-storage-summary" | stats latest(activeStorageLicenseGB)

and the following to give a list of how much is in each of our indexes:

index=summary source="splunk-storage-detail" | stats latest(rawSizeGBCustomer) as "size" by idxName | sort -size | fields idxName size

What I'd like to do is display 'size' in the second query as a percentage of our quota using the result of the first query. I can do it if I use a join and then eval, but is there a way to store the result of that first query in a variable I can then use in the second query?
I want to use join. However, the fields to be compared are fields called _time and b. When join _time, b [subsearch] is performed, the date is output for only one day. What should I do?
| chart values(Date_Policy) BY Volume,WeekRange

In the above command I wanted to add host as well in the BY section, but I am not getting a result for it. Can anyone help to fix this?

| chart values(Date_Policy) BY Volume,WeekRange, host
Thanks in advance. We have a scenario where we need to send alerts multiple times.

1. Lagging

E.g. let's put the threshold time at 1 hour.

20/02 10:00 AM NZT: Lagging encountered after the 1-hour threshold -> Alert #1 via email with subject: Total lag time
20/02 11:00 AM NZT: Lagging still occurring -> Alert #2 via email with subject: Total lag time 2 hours (accumulated lagging hours) + create incident in ServiceNow
20/02 13:00 PM NZT: Lagging encountered after the 1-hour threshold -> Alert #3 via email with subject: Total lag time
20/02 14:00 PM NZT: Lagging encountered after the 1-hour threshold -> Alert #4 via email with subject: Total lag time --- Got fixed
I am seeking a Sr. Splunk Engineer for an onsite role based in Tempe, Arizona. The potential candidate will be part of the Monitoring Team. Please see the job posting below.

https://foxcareers.com/Search/JobDetail/R50021610/senior-splunk-engineer-fox-corporation

I manage the monitoring team and Splunk is a key part of the monitoring framework. I am looking for an energetic person who is a true team player. We are a team with high velocity and ever-changing priorities. Freedom to be creative and voice the individual's point of view is guaranteed.
I have the Jira Issue Collector app in Splunk and the inputs are also added; we can see logs as well. Here it was with only one project, with index=jirarequest. Now I modified the JQL query in the inputs to get data from 2 projects; the JQL query I used is:

project%20in(MMAAS%2CBBAT)%20AND%20updated%3E-2h

But now, after updating the JQL query with 2 projects, I am not able to see the data from the second project, i.e. CBBAT. Do I need to modify or update anywhere else? I am not sure.
Hi,

I have installed Splunk Universal Forwarder for Windows 9.0.4 to work with Splunk Cloud. I downloaded the credentials package and saw logs in Splunk Cloud. We need to send these logs to an index other than main. Do you know how I can do this? Also, which files would need to be edited if we want to add/remove a log source (right now we only have Windows Security logs, but maybe we want to add Windows Application logs also)? Can the installation of the UF and these files be done via Microsoft SCCM when we need to do a mass deployment (instead of using a deployment server)?

Thanks,

Krunal Dave
On page 12 of 122 of the documentation for "Splunk Security Analyst Workflows 7.1.0" it says, and I quote: "If you added notable events to investigations, or generated short IDs for notable events to share them with other analysts, you can filter by the Associations filter to quickly view the notable events associated with a specific investigation or the notable event represented by a short identifier. However, the short ID filter dropdown lists all short IDs, including notable events that are suppressed."

I am confused by the statement "If the notable event is suppressed, you will not be able to see it on the Incident Review page when filtering on short ID." when just before it, it says: "However, the short ID filter dropdown lists all short IDs, including notable events that are suppressed."

Which one is true or correct? Does filtering using short IDs show the suppressed notable events on the Incident Review page, or does it not?

Thank You
Kind Regards,
I have 20+ data sources on a server and each data source is over 500 MB, so Splunk is not indexing all the data sources. Please advise what config I should add to parse all the 20+ data sources on the server.

[monitor:///var/opt/*/logs/*/mlogging/*/*/*/*/ProxyLog/Proxy.log]
sourcetype = middlewarelog
index = prd
initCrcLength = 512
ignoreOlderThan = 7d
_TCP_ROUTING=if
disabled = false

The above input is not parsing all the data sources; it is parsing only one data source and skipping all the others on the server. Thanks.
Hi All,

Has anyone integrated CyberArk Alero with a Splunk Cloud instance? If yes, can you please recommend the best way. Thanks
Hi All,

Has anyone integrated AppSense logs into a Splunk Cloud instance? If yes, what is the best way to perform the action? Any idea or help would be appreciated.

Thank you