Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi Splunk Community,

I wondered if there was any way to match a keyword against a string in a lookup. For example, I have a lookup containing a field with a string:

items                   description
"orange apple banana"   fruit

I have this field in my search results: item "apple"

| makeresults | eval item="apple"

Is there any way I can look up the lookup above to match "apple" against "orange apple banana" and output "fruit" from the description field? I can achieve the reverse of this with wildcard matching (e.g. "orange apple banana" > *apple*), but haven't been able to find a way to match against a string. Does anyone know if this is possible? Thanks
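One way to do the lookup in the direction asked for (keyword in the event, multi-word string in the lookup), as an added example rather than anything from the post: split the multi-word lookup value into one row per word inside a subsearch, then join on the single word. The lookup file name fruits.csv is an assumption; the field names items and description are taken from the post's illustration.

```spl
| makeresults
| eval item="apple"
| join type=left item
    [ | inputlookup fruits.csv
      | eval item=split(items, " ")
      | mvexpand item
      | fields item description ]
| table item description
```

The subsearch turns the row "orange apple banana" into three rows (orange, apple, banana), each carrying description=fruit, so the join matches on exact, case-sensitive equality of the word; lower-casing item on both sides makes it case-insensitive. Because join runs the subsearch every time and is bounded by the join subsearch row limit, a large lookup is better tokenised once, written back out with outputlookup, and then used with the lookup command instead of join.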
In indexer discovery method, Heavy forwarder clear text password not being encrypted after restart. Please help
Hello, I have created and imported a lookup file, e.g. "hashes.csv", and I have pasted there a list of 500+ hashes. I want to search with index=* to see if I find any of these hashes in the _raw field of any type of log. Thank you in advance.
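An added example of hunting a lookup full of hash IOCs across raw events (not code from the post): the subsearch pushes every hash into the base search as a literal term, so the indexer does the matching against its term index instead of scanning all of _raw; the rex and lookup afterwards only identify which hash hit. The assumptions are that hashes.csv has a header column named hash holding lowercase hex, and that a 30-day window is acceptable.

```spl
index=* earliest=-30d
    [ | inputlookup hashes.csv
      | fields hash
      | rename hash AS search
      | format ]
| rex max_match=0 "(?i)(?<observed_hash>\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b)"
| mvexpand observed_hash
| eval observed_hash=lower(observed_hash)
| lookup hashes.csv hash AS observed_hash OUTPUT hash AS ioc_hit
| where isnotnull(ioc_hit)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen values(index) AS indexes values(sourcetype) AS sourcetypes BY ioc_hit
```

Renaming the field to search makes the subsearch return bare terms rather than hash="..." pairs, which is what lets the OR-list match inside any field or in unparsed _raw. A few hundred hashes sit well inside the default subsearch limits; the lookup command matches case-sensitively by default, which is why both the extracted value and (by assumption) the CSV are lowercase. index=* with no time bound is the expensive part of the original question, so keep the earliest= or run it as a scheduled search over a rolling window.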
Up until a month ago it was working perfectly, but for the past 2-3 weeks Splunk dashboards are not showing any data and the mails we get as alerts are blank; they have no report in them. What is the possible cause? How do I resolve this?
Hi all, I want to extract the following word with a rex expression:

ABC\qq1234

Expected result: qq1234

Please note that the substring needed will always come after ABC\. Any help will be appreciated!
Hi guys. I was asking why my reports, using license_usage.log from the LicenseMaster, for "LicenseUsage" sometimes do not log the "h" or "s" field (alias for host or for source). Because of this, I can have a full report for indexer or sourcetype usage, but not for host or source.

INFO LicenseUsage - type=Usage s="" st="MY_ST" h="" o="" idx="MY_IDX" i="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" pool="auto_generated_pool_enterprise" b=51331 poolsz=214748364800

Might it be the origin forwarder version? I have forwarders from version 6.x.x to 8.x.x running. Any clue? Thanks.
Happy New Year to all of you.

So I have syslog in which we have details of the devices and switches. The requirement is to find the old and new IP address for the NetworkName which was recently added to a group. To get this I have to follow the steps below.

1. Get the NetworkName which has been recently added to the group.
2. Then get the latest CallingStation for the NetworkName.

# search for steps 1 & 2
index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName=USAZSLKRR01FIF0001
| stats latest(CallingStation) as CallingStation by NetworkName

3. Search in the index with the CallingStation to get the IPAddress (it has to be run for the last 24 hours).

index=na3rc Calling_Station_ID=B0-22-7A-32-32-26
| bin span=1d _time
| stats latest(IPAddress) as IPAddress by _time CallingStation
| eval IP=if(_time<relative_time(now(),"@d"),"Old","New")

The problem here is that the IPAddress field has both the old and the new IPAddress. I tried join, but it is showing no results as it is maxing out, and when I try to use it in the same search it is only showing the new IPAddress. Thanks in advance.

index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName=USAZSLKRR01FIF0001
| stats latest(CallingStation) as CallingStation by NetworkName
| join CallingStation type=left
    [ search index=xyz
      | bin span=1d _time
      | stats latest(IPAddress) as IPAddress by _time CallingStation
      | eval IP=if(_time<relative_time(now(),"@d"),"Old","New") ]
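An added example (not from the post) of the same three steps written without join: the step 1-2 search becomes a subsearch that returns a single row, so it cannot hit the join row limit, and its one field is renamed to the outer search's field name so Splunk injects it as Calling_Station_ID="<mac>". It assumes, following step 3 of the post, that the MAC lives in the Calling_Station_ID field of index=na3rc and that yesterday plus today is the window wanted for the Old/New split.

```spl
index=na3rc earliest=-1d@d
    [ search index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" Diag_Message="Authentication succeeded" NetworkName=USAZSLKRR01FIF0001
      | stats latest(CallingStation) AS Calling_Station_ID
      | fields Calling_Station_ID ]
| bin span=1d _time
| stats latest(IPAddress) AS IPAddress BY _time Calling_Station_ID
| eval IP=if(_time<relative_time(now(),"@d"), "Old", "New")
```

The subsearch inherits the outer earliest=-1d@d; if the device's latest successful authentication may be older than that, give the subsearch its own earliest= so it still finds a CallingStation. Two rows come back, one per day bucket, each with that day's latest IPAddress and the Old/New label, which is the old-versus-new comparison the post is after.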
Hi Experts,

I would like to compare values in the same field (vlan_ids) for equality based on a machine serial (hyp_serial). I would like to validate whether the VLAN IDs configured on both VMs under the same hyp_serial are the same or not equal. There will be 2 VMs under the same serial. Could you please help me with my requirement?

index=lab source=unix_hyp
| spath path=hyp_info{}{} output=LIST
| mvexpand LIST
| spath input=LIST
| where category == "hyp_vlan"
| table hyp_name hyp_serial vlan_ids

Table output:
------------------
hyp_name   hyp_serial   vlan_ids
hyp_vm1    AE12893X     5_767_285_2010
hyp_vm2    AE12893X     5_356_375_2010
hyp_vm3    ZX87627J     9_49_43_44_3120
hyp_vm4    ZX87627J     9_49_43_44_3120
hyp_vm5    YG92412K     5_767_285_2010
hyp_vm6    YG92412K     5_767

Expected output:
-----------------
hyp_name   hyp_serial   vlan_ids          VLAN CHECK
hyp_vm1    AE12893X     5_767_285_2010    OK
hyp_vm2    AE12893X     5_356_375_2010    OK
hyp_vm3    ZX87627J     9_49_43_44_3120   OK
hyp_vm4    ZX87627J     9_49_43_44_3120   OK
hyp_vm5    YG92412K     5_767_285_2010    MISMATCH
hyp_vm6    YG92412K     5_767             MISMATCH
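An added example (not the post's own search) of the per-serial consistency check: eventstats counts how many distinct vlan_ids strings each hyp_serial has while keeping every row, so the verdict can be written back next to each VM. A missing vlan_ids is replaced by a sentinel first, because dc() ignores nulls and would otherwise report a VM with no VLANs as matching its sibling; the vm_count condition also flags a serial that does not have exactly two VMs.

```spl
index=lab source=unix_hyp
| spath path=hyp_info{}{} output=LIST
| mvexpand LIST
| spath input=LIST
| where category=="hyp_vlan"
| eval vlan_ids=coalesce(vlan_ids, "NONE")
| eventstats count AS vm_count dc(vlan_ids) AS distinct_vlan_sets BY hyp_serial
| eval VLAN_CHECK=if(vm_count==2 AND distinct_vlan_sets==1, "OK", "MISMATCH")
| table hyp_name hyp_serial vlan_ids VLAN_CHECK
```

This is a strict string comparison: ZX87627J and YG92412K come out as the expected table shows, while the AE12893X pair, whose two strings differ, would be marked MISMATCH rather than the OK in the post's expected output. If the VLAN list should compare order-independently, normalise before the eventstats, for example eval vlan_key=mvjoin(mvsort(split(vlan_ids, "_")), "_") and take dc(vlan_key) instead.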
I installed UF 8.2.4 for Windows and, using the default pem and CA certificate, tried to connect the UF to the indexer. However, the event log information cannot be sent to the indexer, with the error:

ERROR TcpInputProc - Error encountered for connection from src=192.168.xx.xxx:65251. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

I searched through /opt/splunk/var/log/splunk/splunkd.log and not much information can be found. How can I get more detailed info to troubleshoot the problem?
I am using Splunk 8.2.1 with DB Connect 3.5.1 and OpenJDK 1.8.0.332 on Linux (RHEL). This is an air-gapped system so I cannot paste the logs. After installing DB Connect and restarting Splunk, DB Connect fails to start on both dbxquery.sh and server.sh. In both scripts, after

TrustManagerUtil - action=load_key_manager_succeed

it throws an ExceptionInitializerError for SplunkServiceBuilder.<clinit>(SplunkServiceBuilder.java:19) complaining about:

Error setting up SSL socket factory: java.security.NoSuchAlgorithmException: SSL SSLContext not available

In my java.security I have:

jdk.disabled.namedCurves = secp256k1

I have commented out (for testing) jdk.certpath.disabledAlgorithms, jdk.jar.disabledAlgorithms and jdk.tls.disabledAlgorithms; however, I still get this error.

It's the first time I'm seeing this, so I'm looking for guidance. Thanks
I'd like to merge two regex strings into a single one; any suggestions would be greatly appreciated. Reference search query:

index=* sourcetype=XYZ "<ABC2>" "<ABC1>" | regex _raw="<ABC1>[^\x00-\x7F]" | regex _raw="<ABC2>[^\x00-\x7F]"

Thanks in advance.
There is a lookup table with a row called 'ip' containing multiple IP address values which I would like to correlate with firewall traffic in the 'netfw' index, 'src_ip' and 'dest_ip' fields.
I am trying to list existing HEC tokens with a curl command as below:

curl -k -u admin:<admin_password> http://<splunk_enterprise_instance_ip>:8089/servicesNS/admin/splunk_httpinput/data/inputs/http -v

It returned as below:

* Trying 192.168.30.128...
* TCP_NODELAY set
* Connected to 192.168.30.128 (192.168.30.128) port 8089 (#0)
* Server auth using Basic with user 'admin'
> GET /servicesNS/admin/splunk_httpinput/data/inputs/http HTTP/1.1
> Host: <splunk_enterprise_instance_ip>:8089
> Authorization: Basic YWRtaW46UGFzc3dvcmQwMTIzIQ==
> User-Agent: curl/7.61.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

From splunkd.log:

01-09-2023 11:42:33.082 +0800 WARN HttpListener [3447 HttpDedicatedIoThread-0] - Socket error from <splunk_enterprise_instance_ip>:38846 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

It seems this is owing to SSL. However, I have disabled SSL in both the Splunk Enterprise instance and HEC; from inputs.conf:

[dujas@centos8-1 local]$ cat /home/dujas/splunk/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0
enableSSL = 0

May I know how I could make the http work? Thanks.
Good evening,

With a Java Spring Boot application, I use the library provided by Splunk to send the logs to Splunk using com.splunk.logging.HttpEventCollectorLogbackAppender. By default, when I do a search in Splunk, the event appears like this (see image below). But I'd rather have the search return results in this form by default. Is it possible to configure Splunk (source types, etc.) to display only the message field and not the entire event with all the fields?
Hi, I am trying to extract a new field to spot unauthorised certificate usage on a server. Under event ID 4768, there is a "Certificate Information" heading followed by Certificate Issuer Name, Certificate Serial Number, and Certificate Thumbprint. Ideally, I want to extract the Certificate Thumbprint field so I can create an alert. But because the logs I have so far have empty Certificate Information fields, it's making it difficult to create an expression. Does anyone have ideas how to extract the Certificate Thumbprint field? Regards, Mark
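An added example (not from the post) of the extraction plus the alert logic on top of it. In a 4768 event the Certificate Information block is only populated when the ticket request was pre-authenticated with a certificate (smart card / PKINIT); otherwise the "Certificate Thumbprint:" label is followed by nothing but whitespace and a newline. The regex therefore allows only horizontal whitespace after the label and demands the full 40-hex-digit SHA-1 thumbprint, so empty events simply yield no field, and the isnotnull check doubles as the "a certificate was used" filter. The index name, the allow-list lookup authorized_cert_thumbprints.csv (column thumbprint, uppercase hex), and the Account_Name / Client_Address field names (as the Splunk Add-on for Windows extracts them from classic-format events) are assumptions.

```spl
index=wineventlog EventCode=4768
| rex "Certificate Thumbprint:[ \t]*(?<cert_thumbprint>[0-9A-Fa-f]{40})"
| where isnotnull(cert_thumbprint)
| eval cert_thumbprint=upper(cert_thumbprint)
| lookup authorized_cert_thumbprints.csv thumbprint AS cert_thumbprint OUTPUT thumbprint AS authorized
| where isnull(authorized)
| table _time host Account_Name Client_Address cert_thumbprint
```

Saved as an alert that triggers on any result, this fires once for every certificate-based ticket request whose thumbprint is not on the allow-list; drop the last two where/lookup lines to see every certificate logon while building the list. If the events arrive in XML format, the label and field names differ, so check one populated event before relying on the regex.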
Hello, I have an all-in-one instance and I want to add a search head to be used by a team to only access specific data. Is that possible without making a kind of distributed deployment, or should I make the all-in-one instance the deployment server and then add the search head? Excuse my question if it seems basic; I'm a newbie here. Thanks
Hi,

I have an alert that is supposed to trigger an email each subsequent day when there are 0 logs in the last 24 hours against a particular search. However, when there ARE 0 logs in the past 24 hours, my alert does not get triggered for some reason. My alert is as follows:

Can you please help, as I do not understand why this alert is not working as expected? Many thanks!
Hi Team,

Greetings! I have set up a Splunk on-prem cluster, and data is fed via HEC endpoints. Here is my HEC token config from inputs.conf:

```
[http://IntegrationAckDisabledToken]
disabled = 0
index = integrationindex
indexes =
token = 7XXXX31-58b6-4cf1-XXXXX62d04f
useACK = 0
sourcetype = json_no_timestamp
```

And then I send some data with a channel in the header via /services/collector/raw. When I tried to get the ack using /services/collector/ack as below:

curl -X POST "https://mysplunkindexersembhost.com:443/services/collector/ack" \
  -H "Authorization: Splunk 7XXXX31-58b6-4cf1-XXXXX62d04f" \
  -H "X-Splunk-Request-Channel: 145f3699-fd99-42d0-8de9-28b06d937020" \
  -H 'Cookie: AWSELB=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/,AWSELBCORS=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/' \
  -H "Content-Length: 12" \
  -H "Connection: Keep-Alive" \
  -d '{"acks":[1]}' -k

I expected HTTP 400 {"text":"ACK is disabled","code":14} but received HTTP 200 {"acks":{"1":true}}. I'm wondering why?

One side note: I initially created the HEC token with useACK=1 via the CLI, and later disabled the ACK via the UI.

Have any gurus in this community seen such behavior?

Thanks,
CG
I recently started collecting data from my servers with the Add-on for Unix and Linux. I made a dashboard with panels like CPU, RAM, storage usage by mount point, services and their status... Now I want to create a dashboard that will collect all the warnings from the panels and show them in a nice table. For example, if the file system usage is above 90 percent, show it in the dashboard, and if someone cleans it up it will automatically disappear from the panel. I find it hard to collect all warnings in one panel because my data comes from different sourcetypes. Can you please help me? I don't have a clue where to start or what SPL queries to write. Thank you
Hello, how would we send data to a third-party server (non-Splunk server) using the REST API? They basically send requests from the third-party server via the REST API to pull the data from Splunk. What should we tell them to send with their API requests, and how do we need to configure our Splunk server to serve their API requests? Your guidance would be highly appreciated. Thank you in advance for your support in these efforts.