All Topics

Does anybody know if it is possible to add a Dashboard Studio dashboard to the navigation in an app? When adding a Dashboard Studio dashboard to the navigation menu, the dashboard does not display.
We currently have a report every morning that shows which users have been removed from a particular AD group the previous day. The report sometimes shows too many events. I want to modify it such that if a user has been removed from an AD group and added back within one hour, it would be ignored. Here are examples below. EventCode 4729 is a user getting removed and 4728 is a user getting added.

_time                MemberSid  AD_Group    EventCode
2022-12-21 14:48:22  bob        Executives  4728
2022-12-21 12:48:22  bob        Executives  4729

This would show up in the morning report: bob was removed from the Executives group at 12:48, since it's been over an hour since they were added back in.

_time                MemberSid  AD_Group    EventCode
2022-12-21 14:38:22  janice     Executives  4728
2022-12-21 13:00:22  bob        Executives  4728
2022-12-21 12:55:22  dylan      Executives  4729
2022-12-21 12:50:22  janice     Executives  4729
2022-12-21 12:48:22  bob        Executives  4729

Janice and Dylan would show up in the morning report in this case, since it's been over an hour before Janice was added back in, and Dylan was never added back at all.

I'm not good with SPL and am having trouble with what command(s) to use to achieve the above. Below is the search I currently have. The comment indicates what I'm trying to do.

index=oswinsec sourcetype="XmlWinEventLog" EventCode IN (4728,4729) Group_Name="Executives"
| rename Group_Name as AD_Group
| table _time, MemberSid, AD_Group, EventCode
| sort MemberSid ``` WHERE for a user, if there is EventCode 4729 and no EventCode 4728 following, or EventCode 4728 over an hour later, then keep those events/results. In other words, ignore users with EventCode 4729 and EventCode 4728 within an hour of each other. ```
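The pairing logic described in the post, as an added example in Python that is not part of the post or of Splunk: it drops a 4729 removal that is undone by a 4728 for the same member and group within the window, and also runs the mirror check (an add that is undone within the same window, i.e. a short-lived membership), which is the case a security reviewer usually wants reported rather than suppressed. The rows are constructed from the post's second table plus one extra pair (mallory) for that mirror check.

```python
"""Pair AD group removals (EventCode 4729) with re-adds (4728) inside a time window.

Added example, not from the original post. It models in Python the filter the post
asks for (drop a removal that is undone within an hour) over events shaped like the
post's tables, and also reports adds that are undone within the same window.
"""
from datetime import datetime, timedelta

REMOVED = 4729  # member removed from a security-enabled global group
ADDED = 4728    # member added to a security-enabled global group
WINDOW = timedelta(hours=1)
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed rows in the post's column order: _time, MemberSid, AD_Group, EventCode.
# The post's second table, plus a constructed 20-minute membership for "mallory".
SAMPLE_EVENTS = [
    ("2022-12-21 14:38:22", "janice",  "Executives", ADDED),
    ("2022-12-21 13:00:22", "bob",     "Executives", ADDED),
    ("2022-12-21 12:55:22", "dylan",   "Executives", REMOVED),
    ("2022-12-21 12:50:22", "janice",  "Executives", REMOVED),
    ("2022-12-21 12:48:22", "bob",     "Executives", REMOVED),
    ("2022-12-21 09:20:00", "mallory", "Executives", REMOVED),
    ("2022-12-21 09:00:00", "mallory", "Executives", ADDED),
]


def _parse(events):
    """Turn the string rows into (datetime, sid, group, code), oldest first."""
    rows = [(datetime.strptime(t, TS_FMT), sid, grp, code) for t, sid, grp, code in events]
    return sorted(rows)


def _split_by_undo(events, code, undo_code, window):
    """Split events with `code` into (kept, undone): an event is "undone" when an
    `undo_code` event for the same (MemberSid, AD_Group) follows it within `window`."""
    rows = _parse(events)
    undo_times = {}
    for t, sid, grp, c in rows:
        if c == undo_code:
            undo_times.setdefault((sid, grp), []).append(t)
    kept, undone = [], []
    for t, sid, grp, c in rows:
        if c != code:
            continue
        hit = any(t < u <= t + window for u in undo_times.get((sid, grp), []))
        (undone if hit else kept).append((t.strftime(TS_FMT), sid, grp))
    return kept, undone


def reportable_removals(events, window=WINDOW):
    """Removals that were NOT reversed by a re-add within `window` (the morning report)."""
    kept, _ = _split_by_undo(events, REMOVED, ADDED, window)
    return kept


def transient_adds(events, window=WINDOW):
    """Adds that were reversed by a removal within `window` (short-lived memberships)."""
    _, undone = _split_by_undo(events, ADDED, REMOVED, window)
    return undone


if __name__ == "__main__":
    for row in reportable_removals(SAMPLE_EVENTS):
        print("removed, not re-added within 1h:", row)
    for row in transient_adds(SAMPLE_EVENTS):
        print("added and removed within 1h:   ", row)
```

With the constructed rows, bob's 12:48 removal is suppressed (re-added at 13:00), janice and dylan are reported as the post expects, and mallory shows up in both lists: the 09:20 removal was never reversed, and the 09:00 add lasted twenty minutes. In SPL the same pairing per MemberSid and AD_Group is normally written with streamstats or transaction; whichever way it is written, a membership that only exists for a few minutes is itself worth a report.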
Hello Splunkers,

I think I could be overthinking the search below. I am working on adding an earliest and latest time to the search, but I need to ensure that there are no duplicates being stored in the lookup table. Anybody have any recommendations?

My first impression is that we could have a lookup table that could become very large over time if we do not run the search over all time, which we are trying not to do.

index=salesforce eventtype=sfdc_object sourcetype="sfdc:account"
| eval object_type="Account"
| rename Name AS object_name
| sort 0 - _time
| dedup Id
| eval object_id=substr(Id, 1, len(Id)-3)
| table LastModifiedDate, LastModifiedById, Id, object_id, object_name, object_type, AccountNumber
| outputlookup lookup_sfdc_accounts.csv
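The incremental refresh the post is working towards, as an added example in Python that is not part of the post or of Splunk: merge the rows a time-bounded search returns into the existing lookup, keep the newest row per Id, and write the result back, so the lookup never accumulates duplicates and the search does not have to run over all time. The CSV contents, the incoming rows and the Ids are constructed; the three-character strip mirrors the post's substr() and assumes 18-character Salesforce Ids, whose last three characters are the case-safety suffix.

```python
"""Incrementally maintain a de-duplicated lookup of Salesforce accounts.

Added example, not from the original post. It models in Python what an
"inputlookup append=true ... | sort - LastModifiedDate | dedup Id | outputlookup"
pattern does in SPL. All data below is constructed.
"""
import csv
import io

FIELDS = ["LastModifiedDate", "LastModifiedById", "Id", "object_id",
          "object_name", "object_type", "AccountNumber"]

# Constructed current contents of lookup_sfdc_accounts.csv.
EXISTING_CSV = """LastModifiedDate,LastModifiedById,Id,object_id,object_name,object_type,AccountNumber
2022-12-01T10:00:00.000Z,005000000000001AAA,001000000000001AAA,001000000000001,Acme Corp,Account,A-100
2022-12-02T09:30:00.000Z,005000000000002AAA,001000000000002AAA,001000000000002,Globex,Account,A-101
"""

# Constructed rows a "last 24 hours" search returned: one update, one new account.
INCOMING = [
    {"LastModifiedDate": "2022-12-21T08:15:00.000Z", "LastModifiedById": "005000000000003AAA",
     "Id": "001000000000001AAA", "object_name": "Acme Corporation", "AccountNumber": "A-100"},
    {"LastModifiedDate": "2022-12-21T11:45:00.000Z", "LastModifiedById": "005000000000001AAA",
     "Id": "001000000000003AAA", "object_name": "Initech", "AccountNumber": "A-102"},
]


def base_id(sf_id):
    """18-char Salesforce Ids carry a 3-char case-safety suffix; strip it (the post's substr())."""
    return sf_id[:-3] if len(sf_id) == 18 else sf_id


def merge_rows(existing, incoming):
    """One row per Id, newest LastModifiedDate wins. ISO-8601 UTC timestamps of the same
    shape compare correctly as strings, so no parsing is needed."""
    best = {}
    for row in list(existing) + list(incoming):
        row = dict(row)
        row["object_id"] = base_id(row["Id"])
        row.setdefault("object_type", "Account")
        current = best.get(row["Id"])
        if current is None or row["LastModifiedDate"] > current["LastModifiedDate"]:
            best[row["Id"]] = row
    return sorted(best.values(), key=lambda r: r["LastModifiedDate"], reverse=True)


def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def write_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def refreshed_lookup():
    """The rows that would be written back by outputlookup after this run."""
    return merge_rows(read_csv(EXISTING_CSV), INCOMING)


if __name__ == "__main__":
    print(write_csv(refreshed_lookup()))
```

Running it yields three rows: Initech (new), Acme Corporation (the updated name replaces Acme Corp, with the newer LastModifiedById) and Globex (unchanged). Note that without an append step, outputlookup replaces the whole file with only what the time-bounded search returned, which is the opposite problem from duplicates.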
Hello, I am trying to extract the 201 text (highlighted in red below) as one separate field from two separate events. How may I do this? I attempted the field extraction feature in Splunk but had no luck. Any assistance is appreciated!

Event 1:
106.51.86.25 [22/Dec/2022:07:48:10 -0500] POST /services/public/v1/signup HTTP/1.1 201 5 539

Event 2:
23.197.194.86 - - [22/Dec/2022:07:48:09 -0500] "POST /services/public/v1/signup HTTP/1.1" 201 -
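One expression that pulls the status code out of both event shapes, as an added example in Python that is not part of the post or of Splunk. The two lines are the ones from the post; the layout assumed for the full-line parse (an optional ident/authuser pair and optional quotes around the request) and the group names are my assumptions. Both patterns anchor on the protocol token rather than on the URI, since the URI is client-controlled and a bare "\d{3}" search would happily match a number inside it.

```python
"""Extract the HTTP status code from two differently shaped access-log lines.

Added example, not from the original post. Event 1 has no ident/authuser ("- -")
columns and no quotes around the request; event 2 is standard Common Log Format.
"""
import re
from collections import Counter

EVENTS = [  # the two lines from the post
    '106.51.86.25 [22/Dec/2022:07:48:10 -0500] POST /services/public/v1/signup HTTP/1.1 201 5 539',
    '23.197.194.86 - - [22/Dec/2022:07:48:09 -0500] "POST /services/public/v1/signup HTTP/1.1" 201 -',
]

# Cheap extraction: the protocol token, an optional closing quote, then the 3-digit status.
# The same PCRE works in Splunk:  | rex "HTTP/\d\.\d\"?\s+(?<status>\d{3})\b"
STATUS_RE = re.compile(r'\bHTTP/\d\.\d"?\s+(?P<status>\d{3})\b')

# Full parse of the line; the "- -" columns and the request quotes are both optional.
LINE_RE = re.compile(
    r'^(?P<src_ip>\S+)\s+'
    r'(?:\S+\s+\S+\s+)?'                      # ident and authuser, absent in event 1
    r'\[(?P<ts>[^\]]+)\]\s+'
    r'"?(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/(?P<version>\d\.\d)"?\s+'
    r'(?P<status>\d{3})\b\s*(?P<rest>.*)$'     # whatever trails the status (sizes, "-")
)


def extract_status(line):
    """Status code as int, or None when the line does not carry a request line."""
    m = STATUS_RE.search(line)
    return int(m["status"]) if m else None


def parse_line(line):
    """All fields as a dict, or None when the line does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def status_counts(lines):
    """Per-status totals over a batch of lines, skipping lines that do not parse."""
    return Counter(s for s in map(extract_status, lines) if s is not None)


if __name__ == "__main__":
    for line in EVENTS:
        print(extract_status(line), parse_line(line))
    print(status_counts(EVENTS))
```

The short pattern is what the post asks for; the full parse is there because a status field is rarely useful on its own, and the same optional groups let one extraction serve both log shapes instead of one per source.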
Hello, I'm new to using Splunk across a domain and I am attempting to get a query that details any domain user account changes. I want to pull the change type, who changed the account, and the date/time from the /var/log/dirsrv logs. Any suggestions?
Splunk Enterprise 9.0.1 on premise, clustered search heads and indexers. DB Connect 3.7.0.

We found out that every time the indexer cluster is restarted, some events are duplicated in the indexes around the time of the restart. There are some older threads discussing similar issues, but they are using much older versions of the software. Any ideas on how to troubleshoot/debug/work around this issue?
Hi Splunkers, I have a problem with the "Splunk Security Essentials" application. Currently, I have 34 activated correlation searches that I would like to map onto the MITRE framework. Viewing the "sse_content_exported_lookup" file, the MITRE information does not match the information reported in each correlation rule. Also, there are correlation searches in the "sse_content_exported_lookup" file that have MITRE information but do not appear in the MITRE Map. However, all 34 correlation searches show up in the bookmarks. Could you suggest a solution? Is there any procedure I can follow to make sure that all active correlation searches appear in the MITRE map? Thank you.
Explanation of various http(s) related timeouts and impact.
Hey all, trying this as a hail mary, as I opened a support case last week and have had no response on it. We are trying to use the SOAR ThreatConnect app to send intel (domains, URLs) to ThreatConnect via a playbook. From the documentation, there is a function called POST DATA, which allows us to send the data to ThreatConnect. Right now if I send a piece of intel, it gets added under the API key account. But I need to be able to change the Owner. I can do this in a Python script easily, but can't figure it out in this app. The documentation has "attribute_name" and "attribute_value", which I've tried setting to "owner" and the required owner respectively. But this doesn't work; the app tells me it cannot find the attribute "owner". The documentation is very lacking here. I can't seem to figure it out. Any ideas on how I achieve this?

Edit: error message: "Indicator created/updated, but failed to update the attribute specified. Please ensure the attribute_name is valid, is applicable to the indicator type and attribute_value is valid". I've tried several: "Owner", "owner", "owner_name", "ownerName", etc.
I have some logs, and I want to get the top 20 with 2 conditions. I use: index="fortinet" | top srcip srcname but the chart doesn't show srcname. Please help me.

Dec 22 18:55:00 192.168.100.99 date=2022-12-22 time=18:54:56 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710096306112037 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.114 srcname="DESKTOP-KOTPUP7" srcport=50113 srcintf="LAN2-6" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23640983 proto=17 action="accept" policyid=12 policytype="policy" poluuid="0edafcf4-6f37-51eb-c7b5-87e7b9759041" policyname="ChoPhepTruycapInternetWAN1" service="DNS" trandisp="snat" transip=117.2.159.103 transport=50113 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="default" duration=180 sentbyte=76 rcvdbyte=141 sentpkt=1 rcvdpkt=1 shapingpolicyid=1 shapingpolicyname="TangTocDoTaiVPN" shapersentname="high-priority" shaperdropsentbyte=0 shaperrcvdname="high-priority" shaperdroprcvdbyte=0 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:71:41:ee" srcmac="00:0c:29:71:41:ee" srcserver=0
Dec 22 18:54:59 192.168.100.99 date=2022-12-22 time=18:54:55 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710095776077392 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" srcport=49177 srcintf="lan" srcintfrole="lan" dstip=172.64.138.25 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23641377 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=49177 duration=101 sentbyte=1295 rcvdbyte=2390 sentpkt=8 rcvdpkt=7 appcat="unscanned" wanin=2098 wanout=871 lanin=871 lanout=871 utmaction="allow" countweb=1 srchwvendor="Samsung" devtype="Phone" srcfamily="Nexus" osname="Android" srchwversion="5X" srcswversion="6.0.1" mastersrcmac="00:0c:29:a6:9b:18" srcmac="00:0c:29:a6:9b:18" srcserver=0
Dec 22 18:54:58 192.168.100.99 date=2022-12-22 time=18:54:54 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710094938835145 tz="+0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.110 srcname="DESKTOP-ANV" srcport=60294 srcintf="LAN2-6" srcintfrole="lan" dstip=20.198.119.143 dstport=443 dstintf="wan1" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="India" sessionid=22992698 proto=6 action="accept" policyid=12 policytype="policy" poluuid="0edafcf4-6f37-51eb-c7b5-87e7b9759041" policyname="ChoPhepTruycapInternetWAN1" service="HTTPS" trandisp="snat" transip=117.2.159.103 transport=60294 appcat="unknown" applist="default" duration=100324 sentbyte=309709 rcvdbyte=429373 sentpkt=3357 rcvdpkt=3357 shapingpolicyid=1 shapingpolicyname="TangTocDoTaiVPN" shapersentname="high-priority" shaperdropsentbyte=0 shaperrcvdname="high-priority" shaperdroprcvdbyte=0 sentdelta=370 rcvddelta=510 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:1e:9b:90" srcmac="00:0c:29:1e:9b:90" srcserver=0
Dec 22 18:54:56 192.168.100.99 date=2022-12-22 time=18:54:52 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710092246081148 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" srcport=49182 srcintf="lan" srcintfrole="lan" dstip=117.18.232.240 dstport=80 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23641463 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTP" trandisp="snat" transip=14.167.188.236 transport=49182 duration=77 sentbyte=659 rcvdbyte=462 sentpkt=7 rcvdpkt=4 appcat="unscanned" wanin=290 wanout=287 lanin=287 lanout=287 utmaction="allow" countweb=1 srchwvendor="Samsung" devtype="Phone" srcfamily="Nexus" osname="Android" srchwversion="5X" srcswversion="6.0.1" mastersrcmac="00:0c:29:a6:9b:18" srcmac="00:0c:29:a6:9b:18" srcserver=0
Dec 22 18:54:49 192.168.100.99 date=2022-12-22 time=18:54:45 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710085749980099 tz="+0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" srcport=49835 srcintf="lan" srcintfrole="lan" dstip=40.83.240.146 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23151816 proto=6 action="accept" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=49835 duration=69719 sentbyte=19123 rcvdbyte=27448 sentpkt=189 rcvdpkt=189 appcat="unscanned" sentdelta=180 rcvddelta=251 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:e8:c3:e9" srcmac="00:0c:29:e8:c3:e9" srcserver=0
Dec 22 18:54:44 192.168.100.99 date=2022-12-22 time=18:54:40 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710080306081096 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" srcport=61196 srcintf="lan" srcintfrole="lan" dstip=13.35.166.100 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="Taiwan" sessionid=23641845 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=61196 duration=1 sentbyte=1244 rcvdbyte=6581 sentpkt=11 rcvdpkt=11 appcat="unscanned" wanin=6129 wanout=664 lanin=664 lanout=664 utmaction="allow" countweb=1 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:e8:c3:e9" srcmac="00:0c:29:e8:c3:e9" srcserver=0
Dec 22 18:54:37 192.168.100.99 date=2022-12-22 time=18:54:33 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710072616128264 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.19 srcname="DQ" srcport=59337 srcintf="lan" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23640850 proto=17 action="accept" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="DNS" trandisp="snat" transip=14.167.188.236 transport=59337 duration=180 sentbyte=73 rcvdbyte=175 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="VMware" srcfamily="Virtual Machine" osname="Windows" srchwversion="Workstation pro" srcswversion="10" mastersrcmac="00:0c:29:5f:d9:52" srcmac="00:0c:29:5f:d9:52" srcserver=0
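What "top srcip srcname" computes, worked through as an added example in Python that is not part of the post or of Splunk: parse the FortiGate key=value body, count events per (srcip, srcname) pair and rank the pairs with count and percent, which is the table top produces. The sample lines are trimmed copies of the events in the post (constructed here with most fields dropped); the parser keeps quoted values that contain spaces ("Virtual Machine", "Workstation pro") intact, which a naive split on whitespace and "=" gets wrong.

```python
"""Parse FortiGate key=value traffic logs and rank sources by (srcip, srcname).

Added example, not from the original post. SAMPLE_LOG holds trimmed versions of the
post's seven events, constructed here for brevity; the syslog prefix and the
key=value body are the real format.
"""
import re
from collections import Counter

# value is either "quoted (may contain spaces)" or a bare token up to the next space
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SYSLOG_PREFIX_RE = re.compile(
    r'^(?P<syslog_ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<relay>\S+)\s+(?P<body>.*)$'
)

SAMPLE_LOG = """\
Dec 22 18:55:00 192.168.100.99 date=2022-12-22 time=18:54:56 devname="Fortigate-AMM" type="traffic" srcip=192.168.101.114 srcname="DESKTOP-KOTPUP7" dstip=8.8.8.8 dstport=53 action="accept" service="DNS"
Dec 22 18:54:59 192.168.100.99 date=2022-12-22 time=18:54:55 devname="Fortigate-AMM" type="traffic" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" dstip=172.64.138.25 dstport=443 action="close" service="HTTPS"
Dec 22 18:54:58 192.168.100.99 date=2022-12-22 time=18:54:54 devname="Fortigate-AMM" type="traffic" srcip=192.168.101.110 srcname="DESKTOP-ANV" dstip=20.198.119.143 dstport=443 action="accept" service="HTTPS"
Dec 22 18:54:56 192.168.100.99 date=2022-12-22 time=18:54:52 devname="Fortigate-AMM" type="traffic" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" dstip=117.18.232.240 dstport=80 action="close" service="HTTP"
Dec 22 18:54:49 192.168.100.99 date=2022-12-22 time=18:54:45 devname="Fortigate-AMM" type="traffic" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" dstip=40.83.240.146 dstport=443 action="accept" service="HTTPS"
Dec 22 18:54:44 192.168.100.99 date=2022-12-22 time=18:54:40 devname="Fortigate-AMM" type="traffic" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" dstip=13.35.166.100 dstport=443 action="close" service="HTTPS"
Dec 22 18:54:37 192.168.100.99 date=2022-12-22 time=18:54:33 devname="Fortigate-AMM" type="traffic" srcip=192.168.100.19 srcname="DQ" dstip=8.8.8.8 dstport=53 action="accept" service="DNS" srcfamily="Virtual Machine" srchwversion="Workstation pro"
"""


def parse_fortigate(line):
    """Return every key=value pair of one event as a dict, plus the syslog prefix."""
    m = SYSLOG_PREFIX_RE.match(line)
    body = m.group("body") if m else line
    fields = {}
    for key, quoted, bare in KV_RE.findall(body):
        fields[key] = bare if bare else quoted   # an empty quoted value stays ""
    if m:
        fields["syslog_ts"] = m.group("syslog_ts")
        fields["relay"] = m.group("relay")
    return fields


def top_sources(log_text, fields=("srcip", "srcname"), n=20):
    """Rank distinct (srcip, srcname) pairs like "top srcip srcname limit=n":
    rows of (srcip, srcname, count, percent), highest count first."""
    events = [parse_fortigate(l) for l in log_text.splitlines() if l.strip()]
    counts = Counter(tuple(e.get(f, "") for f in fields) for e in events)
    total = sum(counts.values())
    return [(*key, c, round(100.0 * c / total, 2)) for key, c in counts.most_common(n)]


if __name__ == "__main__":
    for row in top_sources(SAMPLE_LOG):
        print(row)
```

On the seven sample events the two hosts with two sessions each (192.168.100.12 / DESKTOP-NTNP36A and 192.168.100.30 / DESKTOP-K5QNCSB) come first at 28.57% each, then the four single-session hosts. The pair is counted as a unit: a host whose name changes between events shows up as separate rows, which is also how Splunk's top behaves.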
mainsearch | stats count(_raw) as Cou by hour | join hour [ subsearch | head -$Cou$ ]

The above command is not working, as main search values can be used as values in a subsearch but cannot be used under a command. Any suggestions?
Hi Team, I noticed that for some hosts a search returns an incorrect dc count.

1) The query to dc count ids when status is failed:
index=".." exec_mode="..." host_name="test_host" status="failed" | stats dc(id) AS failed BY host_name | table host_name failed
(returns 1)

2) The query to dc count ids when status is skipped or passed:
index="..." exec_mode="..." host_name="test_host" (status="skipped" OR status="passed") | stats dc(id) AS pass_skip BY host_name | table host_name pass_skip
(returns 234)

3) The query to dc count every id:
index="..." exec_mode="..." host_name="test_host" | stats dc(id) AS executed BY host_name | table host_name executed
(returns 234)

But I expect that query #3 returns the sum of queries 1 (failed) and 2 (skipped and passed): 1 + 234 = 235.

Then I tried to play with statuses in the query to get the total ids dc count:

4) index="..." exec_mode="..." host_name="test_host" (status="failed" OR status!="failed") | stats dc(id) AS failed BY host_name | table host_name failed
(it also returns 234)

Only 10% of hosts have such odd search behavior; for the other 90%, total = failed + passed/skipped.

Thank you in advance!
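The arithmetic behind the three numbers, as an added example in Python that is not part of the post or of Splunk. dc() counts distinct values, so an id that has both a failed and a passed event (a retried test, for instance) is inside both per-status counts but only once in the total; the per-status counts only add up when no id appears under more than one status. The events below are constructed to show exactly that shape, and the function also returns the ids responsible for the gap.

```python
"""Why dc(id) over all statuses is not the sum of dc(id) per status.

Added example, not from the original post. Events are constructed to resemble the
post's test-run records (host_name, id, status); id "t-2" appears once as failed and
once as passed, as happens when a test is retried.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    {"host_name": "test_host", "id": "t-1", "status": "passed"},
    {"host_name": "test_host", "id": "t-2", "status": "failed"},
    {"host_name": "test_host", "id": "t-2", "status": "passed"},   # retry of t-2
    {"host_name": "test_host", "id": "t-3", "status": "skipped"},
    {"host_name": "test_host", "id": "t-4", "status": "passed"},
    {"host_name": "other",     "id": "t-9", "status": "failed"},   # filtered out by host
]


def distinct_counts(events, host="test_host"):
    """Mirror the post's searches 1 to 3 for one host and expose the overlap."""
    ids_by_status = defaultdict(set)
    all_ids = set()
    for e in events:
        if e.get("host_name") != host:
            continue
        all_ids.add(e["id"])
        ids_by_status[e.get("status", "")].add(e["id"])
    failed = ids_by_status["failed"]
    pass_skip = ids_by_status["passed"] | ids_by_status["skipped"]
    return {
        "failed": len(failed),                      # search 1
        "pass_skip": len(pass_skip),                # search 2
        "executed": len(all_ids),                   # search 3: size of the union
        "sum_of_parts": len(failed) + len(pass_skip),
        "counted_twice": sorted(failed & pass_skip),  # ids present in both subsets
    }


if __name__ == "__main__":
    print(distinct_counts(SAMPLE_EVENTS))
```

With these events the result is failed=1, pass_skip=4, executed=4 and sum_of_parts=5: the same shape as the post's 1 / 234 / 234. In SPL the overlapping ids can be listed directly with `... | stats dc(status) AS n values(status) AS statuses BY id | where n > 1`.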
Hi team, can you please help me with this error?
Hi guys, we need to get events generated from AWS EventBridge into Splunk. So we tried integrating EventBridge with the Splunk API provided by Splunk to send events from EventBridge to Splunk HEC on port 8088. But we are not able to see any logs in Splunk. Can anyone help us debug what is causing the issue?
Every week the Upgrade Readiness Scan says that Splunk Essentials for Cloud and Enterprise 9.0 is incompatible with jQuery 3.5. When I go on Splunkbase to see if it has an update, I see no mention of Splunk Essentials for Cloud and Enterprise 9.0 at all. Should I just delete the app?
Having some issues with extraction.

source:
SESSION: Session closed
Client address: 123.CCCCCCC
Client name: CC222C22[123.123.12.123]
User interface: CCCCCCC

https://regex101.com/ shows that ^[^\.\n]*SESSION:(?P<Session>.*) will work. Splunk, when trying this, returns almost the complete message, almost like it does not see the new line.

Basically I want from SESSION: to the end of the line, and if Splunk cannot do that, to Client.
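The two behaviours side by side, as an added example in Python that is not part of the post or of Splunk. The event text is the one from the post; EVENT_FLAT is a constructed variant with the newlines collapsed to spaces, an assumption used to show what happens to the posted expression when the event no longer carries real line breaks, and a second expression that stops at the next label ("Client address:") or the end of the event instead of relying on the newline. Splunk's rex is PCRE-based, so the same pattern applies there.

```python
"""Capture the text after "SESSION:" up to the end of that line, with or without
real line breaks in the event.

Added example, not from the original post. EVENT is the post's source text;
EVENT_FLAT is a constructed copy with "\n" replaced by spaces.
"""
import re

EVENT = (
    "SESSION: Session closed\n"
    "Client address: 123.CCCCCCC\n"
    "Client name: CC222C22[123.123.12.123]\n"
    "User interface: CCCCCCC"
)
EVENT_FLAT = EVENT.replace("\n", " ")  # constructed: what the event looks like with newlines lost

# The expression from the post. Without DOTALL, "." stops at "\n", so it works as
# long as the newline is really present in the indexed event.
POSTED_RE = re.compile(r"^[^\.\n]*SESSION:(?P<Session>.*)")

# Stop at the next known label, or at the end of the event, instead of at "\n".
# Same pattern for Splunk:  | rex "SESSION:\s*(?<Session>.*?)\s*(?=Client address:|$)"
ROBUST_RE = re.compile(r"SESSION:\s*(?P<Session>.*?)\s*(?=Client address:|$)", re.DOTALL)


def extract(regex, text):
    """The Session group, whitespace-trimmed, or None if the pattern does not match."""
    m = regex.search(text)
    return m.group("Session").strip() if m else None


def compare(text):
    """Run both expressions over one event so the difference is visible side by side."""
    return {"posted": extract(POSTED_RE, text), "robust": extract(ROBUST_RE, text)}


if __name__ == "__main__":
    print("with newlines:   ", compare(EVENT))
    print("newlines flattened:", compare(EVENT_FLAT))
```

With real newlines both expressions return "Session closed". On the flattened copy the posted expression returns everything from "Session closed" to the end of the message, which is the symptom described in the post, while the label-anchored one still returns "Session closed". If the flattened case is what the indexed events look like, check the source's line-breaking and line-merging settings at ingest as well as the regex.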
Hi, I have the following problem: is there any way to remove these garbage sources? After one wrong log push, I had a lot of these garbage sources.
I'm trying to implement a search query in Splunk to get anomalous values around a particular field in the service events. Essentially the query looks something like this:

index="abc" source=*servicename* response_time | anomalousvalue action=summary pthresh=0.1 | search isNum=YES fieldname=response_time

And this gives me a table containing fields like catAnoFreq%, numAnoFreq%, stdev, etc. I looked at the documentation https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue but didn't understand how exactly it works. So for my query, if the response_time field has a standard range of values across events, and if my pthresh=0.1, does that mean that values which occur with a probability of just 10% will fall into the anomalous category? And if I wanted to set an alert on one of the fields in the table to detect an anomaly, which would be recommended? I want to set the alert for any event where the response_time num field is not considered within the normal range.
My task is to format the field "app" with the relative field name. How can I use the format command to format it as in this example: (app=*app1* OR app=*app2* OR *app3* OR ...)? Please help me, thanks.
I need a query for a basic malware outbreak. I need a query with server IP and server name from these raw logs.