I am working on a KPI script and I need to deduplicate lines in the field. It looks like this: Is there an | eval field=substr for the first line of the field, or some regex that can deduplicate my values? Thanks
Hello Team, I have the following problem. Inside my data I have a string like:

Error in Data | 5432323 from endpoint 543336
Error in Data | 1344214 from endpoint 543446
Error in Data | 1323214 from endpoint 545536

The field in Splunk is called error_message. The goal is to filter these events out of the search results with a lookup, so that when I don't want to see these messages in further searches I can adapt the lookup. The idea was something like:

test.csv
check, error_message
true, Error in Data | * from endpoint *

| lookup test.csv error_message output check | search check!=true

I tried the things from https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/94513?_ga=2.154739834.350113351.1675844344-1427000930.1666340646&_gac=1.213658144.1672302784.EAIaIQobChMIrf-SprWe_AIVp49oCR13GwTHEAAYASAAEgKCgvD_BwE&_gl=1*1ufx1dh*_ga*MTQyNzAwMDkzMC4xNjY2MzQwNjQ2*_ga_5EPM2P39FV*MTY3NTg1MDAzMy4xMTAuMS4xNjc1ODUyMzk3LjU0LjAuMA.. but this didn't work for me. Thank you all.
We've integrated the Palo Alto NGFW with our Splunk. The logs are only coming from the log type Threat. We're forwarding other log types as well, like Traffic, URL Filtering, Data Filtering etc. All the integration and configuration is correct. Can someone help me get the logs from the other sources as well, or tell me the reason why logs from the other sources are not coming?
Hello Splunkers, please can someone help me with a Splunk query. I have a list of IPs I imported into a lookup table, and I want to grab the FW traffic where dest_ip in the FW logs matches my lookup list of IPs. I'm confused about which command I should use in the search, "inputlookup" or "lookup". Moreover, I would be grateful if someone could explain to me the difference between inputlookup and lookup with an example. Thank you, Moh
I want to create an alert that will notify if error_count is continuously increasing over time for any of the groups mentioned in the columns of the table. I have used timechart, which gives the sum of error_count values for the different groups over time. I need to compare them. I want a query that will trigger an alert when every row value is greater than its previous row for their respective column; if any column satisfies this condition, an alert should be raised. In simple words: alert when error_count increases with time for any group. My sample query:

<<BASE QUERY>> earliest=-4h@h latest=@h | timechart span=30m sum(error_count) as c by group

The result of this query is in the attached image; consider this table as sample data for the alert query.
Hi Splunk community, I have a chart displaying the number of users in each month. There was no data coming in in October and November, and I want to show the number from September for October and November so the chart has a continuous trend. Here's my query:

<my search> | timechart span=1mon dc(UserID) as "Number of Users"

The current chart looks like this:
I'm having trouble getting a new deployment client to connect to the DS. I can see connectivity is established, but the client keeps logging an error:

DC:DeploymentClient ... channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

Looking at the splunkd_access log on the DS, I can see the handshake message being received with a 401 by the DS:

10.X.X.2 - - ... "POST /services/broker/connect/GUID/CLIENTNAME/guff/linux-x86_64/8089/9.0.2/GUID/universale_forwarder/CLIENTNAME HTTP/1.1" 401

I have plenty of Windows machines in the environment connecting successfully to this DS (also running on Windows). But this server and a few other Linux machines are not connecting. Any advice?
I have gone through a few videos on YouTube and the documentation provided, but I am unable to find a source with the steps to integrate the data into Splunk Observability Cloud. Most of the tutorials available have the integration done pre-recording, and the videos mainly explain the functionality of Splunk APM. May I have a reference on how to set up Splunk APM in Splunk Observability Cloud?
I have a field EXT-ID[48] of 18 bytes, where the first three bytes should contain an identifier as OCT, positions 8-10 will contain the value 000 to 100, and position 11 will contain values 1-3. The SPLUNK log is as follows. For example, I have an identifier received as OCT but positions 8-10 are blank and the 11th position has a value. I need a SPLUNK query where I can check that positions 1-3 have the value OCT and positions 8-10 contain a value 000 to 100; basically, that positions 8-10 have a nonblank value in EXT-ID[48].

EXT-ID[48] FLD[Additional Data, Priva..] FRMT[LVAR-Bin] LL[1] LEN[11] DATA[OCT 1]

I have tried this query but it's not working:

index=au_axs_common_log source=*Visa* "EXT-ID[48] FLD[Additional Data, Priva..]" | rex field=_raw "(?s)(.*?FLD\[Additional Data, Priva.*?DATA\[(?<F48>[^\]]*).*)" | search F48="OCT%"

@SPL
We have an issue where earlier someone created an input on the HF and did the data onboarding, but now data has stopped coming into Splunk. We are unable to find out which HF was used earlier to create the input. Is there any way to find out which HF was in use to send the data to the Splunk SH?
I have sample data in my Redis database as below. I have created an input there as abc_test and the index is abc_test. I observed that no data has been returned from the search query. May I get your assistance on "How to test Redis Enterprise Add-On for Splunk", please. Thank you.
Hello. About this post, https://community.splunk.com/t5/Building-for-the-Splunk-Platform/Impact-of-increasing-the-queue-size/m-p/630016#M10927 : what are the best practices for managing queue sizes? Let's talk about servers running only splunkd (indexers and HFs) with 16GB of total physical memory. Thanks.
Hi all. Through my work I'm building a little distributed test environment. To make it extra hard on me, they have set up the search head, indexer and forwarder on different vNets. Also, only the search head has a public IP. My question then is: how do I connect the indexer to the search head when the indexer does not have a public-facing IP? Hope the question makes sense. Jacob
Can Splunk Observability be used on a non-cloud application?
I want to add a dropdown menu to a table value. Each value in a row should be a collapsible dropdown giving the description of the value. For example, if my column entry has the value R_5 and I click on it, it should expand and show me radius=5. I am able to use a tooltip for this but want a dropdown instead.
Hi Community! I'm hoping someone can set my head straight. I have two app inputs: one that I push to all *NIX servers (Splunk_TA_nix), and one additional app that I want to push to one specific server, serverXX (Splunk_TA_nix_serverXX_inputs). For serverXX, I want it to have an additional blacklist entry to exclude all files named /var/log/syslog/XYZ.*

Splunk_TA_nix/local/inputs.conf (other stanzas exist but have been removed for this example):

[monitor:///var/log]
whitelist = kern*|syslog$
blacklist=(lastlog|cron|FILES.*$)
disabled = 0
index = nix
sourcetype = syslog

Splunk_TA_nix_serverXX_inputs/local/inputs.conf (the app just contains this stanza):

[monitor:///var/log]
whitelist = kern*|syslog$
blacklist=(lastlog|cron|FILES.*$|XYZ\.)
disabled = 0
index = nix
sourcetype = syslog

I tried this method of pushing the 2 apps to serverXX, and btool is showing that it's picking up the blacklist from Splunk_TA_nix (not the one with the XYZ), so I guess I'm doing this all wrong! What should be the correct way to exclude XYZ files for only serverXX while deploying to all *NIX hosts?
Hi there, so we have one of our event logs set to archive. But there were some files that were already there before we started ingesting this log. So if I want to bring these logs into Splunk, how do you do it? I understand in this case UF and WI are the only options. So I did deploy the below with the deployment server and restarted deploy-server. But this log did not make it to Splunk. Any ideas what could be the problem? Or is there any other way I can bring exported/archived event logs into Splunk?

[monitor://C:\windows\system32\winent\logs\Archive_log.evtx]
disabled = 0
index=idx
Average response time with 10% additional buffer (single number)
I have a simple lookup table that contains a list of IPs. I'd like to take this list and search across all of my indexes, which don't all use the same fields for source/destination IPs. What would be the best/most efficient way to search all of these indexes for IP matches?
Hi, I'm having trouble seeing the "Advanced Hunting Results" dashboard section of the "Microsoft 365 App for Splunk" app. I have the add-on "Splunk Add-on for Microsoft Security" installed, but I can't get the sourcetype m365:defender:incident:advanced_hunting. I already validated the permissions within the application in AAD and whether they are granted. Any ideas?