All Topics

Hello all, I have the problem that I can read the data only from "Error:" of the line to the first character "{". The error can always be different. Example of my log file:

2022/12/30 13:09:38.584 ERROR: Failed to manipulate address {F1909AddressManipulation.run[179]} Thread-5618073
... 36 lines omitted ...
    at glf1900.glf1909.core.validation.F1909AddressManipulation.run(F1909AddressManipulation.java:103) [GLF1909-V235_27_0003.jar:?]
    at glf1900.glf1909.core.F1909ValidateShipment.run(F1909ValidateShipment.java:561) [GLF1909-V235_27_0003.jar:?]
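An added example, not part of the post above: a small Python extractor for the "text between ERROR: and the first {" requirement, run against the posted log line plus two constructed lines (one ERROR line without any "{", one non-error line). The SPL equivalent is in the comment. The character class deliberately excludes the newline, because a multi-line Splunk event whose ERROR line has no "{" would otherwise capture the whole stack trace.

```python
import re

# Constructed sample: the posted ERROR line and one trace line, plus an assumed
# ERROR line without "{" and an INFO line to show what is ignored.
SAMPLE_LOG = """2022/12/30 13:09:38.584 ERROR: Failed to manipulate address {F1909AddressManipulation.run[179]} Thread-5618073
    at glf1900.glf1909.core.validation.F1909AddressManipulation.run(F1909AddressManipulation.java:103) [GLF1909-V235_27_0003.jar:?]
2022/12/30 13:10:02.001 ERROR: Shipment validation timed out
2022/12/30 13:10:05.442 INFO: Worker idle
"""

# Everything after "ERROR:" up to (not including) the first "{" or the end of the line.
# SPL equivalent:  | rex "ERROR:\s*(?<error>[^{\n]+)" | eval error=trim(error)
# Without the \n in the class, a multi-line event with no "{" would swallow the
# whole stack trace into the error field.
ERROR_RE = re.compile(r"ERROR:\s*(?P<error>[^{\n]+)")

def extract_error(line: str):
    """Return the free-text error message from one log line, or None if it is not an ERROR line."""
    m = ERROR_RE.search(line)
    return m.group("error").strip() if m else None

def extract_errors(text: str):
    """Return (timestamp, error) for every ERROR line in a multi-line log."""
    found = []
    for line in text.splitlines():
        msg = extract_error(line)
        if msg is not None:
            found.append((line[:23], msg))   # "YYYY/MM/DD HH:MM:SS.mmm" is 23 chars
    return found

if __name__ == "__main__":
    for ts, msg in extract_errors(SAMPLE_LOG):
        print(ts, "->", msg)
```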
Hi, I got this query:

| tstats summariesonly=t allow_old_summaries=t dc(All_Traffic.dest_port) as num_dest_port dc(All_Traffic.dest_ip) as num_dest_ip from datamodel=Network_Traffic by All_Traffic.src_ip, All_Traffic.action
| rename "All_Traffic.*" as "*"
| where num_dest_port > 100 OR num_dest_ip > 100 AND num_dest_port > num_dest_ip
| eval desv=num_dest_port / num_dest_ip
| where desv > 1 AND action!="blocked"

And the result is: My solution is halfway done because it deletes most of them but not the ones where the src_ip is duplicated and the desv is different from one another (I don't know why). What I need is that all duplicates with the same IP are deleted. This is what I have:

| dedup src_ip
| where desv > 1 AND action!="blocked" AND action!="teardown"

Thanks!
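An added example (not the poster's search) that reproduces the logic of the tstats search above in Python over constructed traffic records, so the two things the post is about can be seen directly: grouping by src_ip and action yields several rows per source, and dedup keeps the first row it meets, so the rows are sorted first to decide which one survives. The boolean filter is written with explicit parentheses instead of relying on how OR and AND bind in the posted where clause. The record set, the 100 threshold and the extra action value "delivered" are all assumptions for the demonstration.

```python
from collections import defaultdict

def make_records():
    """Constructed traffic records shaped like the data-model fields the posted search uses."""
    recs = []
    # 10.0.0.5 probes 180 ports on one host; every third probe is blocked
    for p in range(1, 181):
        recs.append({"src_ip": "10.0.0.5", "dest_ip": "10.0.1.10", "dest_port": p,
                     "action": "blocked" if p % 3 == 0 else "allowed"})
    # same source, a second (assumed) action value on another host: after grouping
    # by action this gives two rows for one src_ip, which is the dedup case
    for p in range(200, 311):
        recs.append({"src_ip": "10.0.0.5", "dest_ip": "10.0.1.11", "dest_port": p,
                     "action": "delivered"})
    # 10.0.0.6 reaches 120 hosts on port 443 only (fan-out, not a port sweep)
    for i in range(1, 121):
        recs.append({"src_ip": "10.0.0.6", "dest_ip": f"10.0.2.{i}", "dest_port": 443,
                     "action": "allowed"})
    # 10.0.0.7 behaves like an ordinary client
    for p in (80, 443, 8089):
        recs.append({"src_ip": "10.0.0.7", "dest_ip": "10.0.1.10", "dest_port": p,
                     "action": "allowed"})
    return recs

def aggregate(records):
    """dc(dest_port), dc(dest_ip) by src_ip, action: the tstats part of the search."""
    ports, ips = defaultdict(set), defaultdict(set)
    for r in records:
        key = (r["src_ip"], r["action"])
        ports[key].add(r["dest_port"])
        ips[key].add(r["dest_ip"])
    return [{"src_ip": s, "action": a,
             "num_dest_port": len(ports[(s, a)]), "num_dest_ip": len(ips[(s, a)])}
            for (s, a) in ports]

def detect_scanners(records, threshold=100, ignore_actions=("blocked", "teardown")):
    """Rows that look like port sweeps, one per src_ip, worst desv ratio kept."""
    flagged = []
    for row in aggregate(records):
        if row["action"] in ignore_actions:
            continue
        many_ports = row["num_dest_port"] > threshold
        many_ips = row["num_dest_ip"] > threshold
        # explicit grouping; the posted "A OR B AND C" leaves this to precedence rules
        if not (many_ports or (many_ips and row["num_dest_port"] > row["num_dest_ip"])):
            continue
        row["desv"] = row["num_dest_port"] / row["num_dest_ip"]
        if row["desv"] > 1:
            flagged.append(row)
    # dedup keeps the first row per key, so sort first (SPL: | sort -desv | dedup src_ip)
    flagged.sort(key=lambda r: (r["src_ip"], -r["desv"]))
    seen, out = set(), []
    for r in flagged:
        if r["src_ip"] not in seen:
            seen.add(r["src_ip"])
            out.append(r)
    return out

if __name__ == "__main__":
    for r in detect_scanners(make_records()):
        print(r)
```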
Hello!! I want to read index=test line by line and then analyze the log with my log_dict and parse_log functions. Is it possible?? I am very desperate to solve this problem. Please help me.. ㅠ.ㅠ

    import sys
    from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration

    @Configuration()
    class GenerateTESTCommand(GeneratingCommand):
        def generate(self):
            # read_event_log, log_dict and parse_log are the poster's own helpers (not shown)
            for event_log in self.read_event_log("test"):
                log = self.log_dict(event_log)
                if not log:
                    continue
                try:
                    yield self.parse_log(log)
                except Exception as ex:
                    # print() would corrupt the command's output stream; log instead
                    self.logger.error("%s: %s", log, ex)

    dispatch(GenerateTESTCommand, sys.argv, sys.stdin, sys.stdout, __name__)
Here is an example of SPL I am trying to run.

| makeresults
| eval ProxyUser="User1,User2,User3"
| makemv delim="," ProxyUser
| mvexpand ProxyUser
| map maxsearches=0 search="search index=edrlogs* SubjectName=*$ProxyUser$ earliest=-24h | eval ProxyUser1=$ProxyUser$"
| fillnull value="N/A"
| table _time SubjectName EndpointName IPAddress ProxyUser1

I am getting results, however the ProxyUser1 field is empty. The initially searched value of ProxyUser has been eval'd to a new field named ProxyUser1 within the map command. I have read some other posts where the eval command after the map search should do the trick, but I believe I am doing something wrong here. Any leads would be much appreciated.
Hi all, I would like to display panels only if they are selected in a multi-select dropdown. So I use <condition match=....> to compare the input string. Because users may enter more than one keyword for panels, I want to make the condition allow multiple input values, e.g. if users select Panel A and Panel B, then both panels should be shown, and panel C is hidden. But my code doesn't work as I expected. No matter whether I choose Panel A or Panel B from the dropdown, none of the panels are displayed. Could anyone help to check which part of the code I wrote is wrong?

    <choice value="panelA">Panel A</choice>
    <choice value="panelB">Panel B</choice>
    <choice value="panelC">Panel C</choice>
    <change>
      <condition match="match('value',&quot;panelA&quot;)">
        <set token="tokenA">true</set>
        <unset token="tokenB" />
        <unset token="tokenC" />
        <set token="tokenA_B">true</set>
      </condition>
      <condition match="match('value',&quot;panelB&quot;)">
        <set token="tokenB">true</set>
        <unset token="tokenA" />
        <unset token="tokenB" />
        <set token="tokenA_B">true</set>
      </condition>
      <condition match="match('value',&quot;panelC&quot;)">
        <set token="tokenC">true</set>
        <unset token="tokenA" />
        <unset token="tokenB" />
        <unset token="tokenA_B" />
      </condition>
    ...
    <row>
      <panel depends="$tokenA$, $tokenA_B$,">
        <title>Table 1</title>
        ......

Thank you.
I am trying to make a custom function for Cybereason. However, as I am not so familiar with Python, I was wondering if there is a way to pull the credentials from the existing app so that I do not have to type in the username and password as clear text in my custom function.
Hi all, in Splunk Add-on for Microsoft Office 365 (4.2.1) on Splunk Enterprise 9, we got a problem when configuring it on a Splunk instance with IPv6 enabled:

2022-12-29 16:04:38,155 level=ERROR pid=2704844 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:72 | datainput=b'Staff_Management_Activity_AzureAD' start_time=1672301078 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/requests/models.py", line 434, in prepare_url
    scheme, auth, host, port, path, query, fragment = parse_url(url)
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/urllib3/util/url.py", line 397, in parse_url
    return six.raise_from(LocationParseError(source_url), None)
  File "<string>", line 3, in raise_from
urllib3.exceptions.LocationParseError: Failed to parse: https://::1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-inputs/splunk_ta_o365_management_activity%3A%2F%2FStaff_Management_Activity_AzureAD

It seems localhost resolves to ::1 instead of [::1]. There is no problem if the host doesn't have IPv6 enabled. Would anyone please help? Thanks and Regards
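An added example, not code from the add-on: the URL in the traceback fails because an IPv6 literal in the authority part of a URL has to be bracketed (https://[::1]:8089/...), otherwise the colons of the address cannot be told apart from the port separator. The helper below (host_for_url is a hypothetical name, not an add-on function) shows the bracketing that is missing, and parse_ok shows the check with Python's own URL parser, which like urllib3 cannot recover a hostname or port from the unbracketed form. How the add-on derives the host string is not visible in the post and is not assumed here.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

def host_for_url(host: str) -> str:
    """Return host as a URL authority needs it: IPv6 literals get brackets, others pass through."""
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):
        return h                      # already bracketed
    try:
        if ipaddress.ip_address(h).version == 6:
            return f"[{h}]"
    except ValueError:
        pass                          # hostname or IPv4 literal: unchanged
    return h

def build_url(scheme: str, host: str, port: int, path: str = "/") -> str:
    """Assemble scheme://host:port/path with the host normalised by host_for_url."""
    return urlunsplit((scheme, f"{host_for_url(host)}:{port}", path, "", ""))

def parse_ok(url: str) -> bool:
    """True when the standard-library parser can recover both hostname and port."""
    try:
        parts = urlsplit(url)
        return parts.hostname is not None and parts.port is not None
    except ValueError:
        return False

if __name__ == "__main__":
    bad = "https://::1:8089/servicesNS/nobody/splunk_ta_o365/configs/conf-inputs"
    good = build_url("https", "::1", 8089, "/servicesNS/nobody/splunk_ta_o365/configs/conf-inputs")
    print(bad, parse_ok(bad))
    print(good, parse_ok(good))
```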
Hi, recently we installed the ABLR on our production system. We were told that we need to bounce the database in order for the agent to start the monitoring. Is this a requirement? This is an Oracle 19c database. Thanks & Regards
I have reset the admin password on many Splunk instances, but this one is hung up for some reason. Please see the screenshot: the Set password box never goes away, and this is preventing me from adding this instance to the Distributed Search list on another machine:

Encountered the following error while trying to save: Status 401 while sending public key to search peer https://legspkds01:8089: Remote login has been disabled for 'admin' with the default password. Either set the password, or override by changing the 'allowRemoteLogin' setting in your server.conf file.
Hi, I am new to Splunk and I'm trying to figure out how it works. I downloaded the splunk-sdk-java project from git and I have a free trial as well. I am trying to do the logging test in order to see if I am able to connect, but I am getting this error:

Exception in thread "main" java.lang.NoClassDefFoundError: com/splunk/ServiceArgs
    at login.main(login.java:23)
Caused by: java.lang.ClassNotFoundException: com.splunk.ServiceArgs
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:606)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:168)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)

Can someone guide me to solve this, please?
Hi, Happy Holidays to everyone. I am trying to get a user report. The system is Linux. The report must or should have the following included in the .png file. Can Splunk do all that? I know it's capable of some, but that seems excessive. Is there an SPL query that can achieve this? Thanks
Hi, I have uploaded a lookup file with application, host and host IP details in Splunk. I am not sure where to add this inputlookup file so that when I run this query I get the application details. When I run this query I am getting only _time, ClientName and responsetime data; I need the application details as well. My query:

index=app_cust_ctl sourcetype=applicationdata
| bin _time span=1s
| rex "\d{2}:\d{2}:\d{2}:\d{3} (?<responsetime>\d+) ms"
| stats count(eval(Status="success")) as successapp, count(eval(Status="error")) as errorapp, avg(responsetime) as appresponsetime, max(responsetime) as maxresponsetime by _time application ClientName
| eval record="location"
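An added example, not the poster's search or data, that walks the same pipeline in Python to show where the enrichment has to sit: the host-to-application mapping must be applied to each event before the aggregation, because the aggregation only keeps the fields it groups on or computes (in SPL: | lookup ... host OUTPUT application goes before | stats). The lookup column names (host, hostip, application), the lookup name and the event lines are constructed for the demonstration. The fourth event uses a host that is not in the lookup on purpose; in SPL, stats drops events whose by-field is null, so a | fillnull value=unknown application before the stats keeps them visible.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed lookup table (column names assumed)
HOST_LOOKUP_CSV = """host,hostip,application
app01,10.1.0.11,ordering
app02,10.1.0.12,billing
"""

# Constructed events; "HH:MM:SS:mmm <n> ms" matches the rex in the posted search
RAW_EVENTS = [
    "2022/12/30 13:09:38:584 42 ms host=app01 ClientName=acme Status=success",
    "2022/12/30 13:09:38:901 88 ms host=app01 ClientName=acme Status=error",
    "2022/12/30 13:09:38:950 31 ms host=app02 ClientName=acme Status=success",
    "2022/12/30 13:09:39:120 57 ms host=app03 ClientName=globex Status=success",  # app03 not in lookup
]

RESP_RE = re.compile(r"\d{2}:\d{2}:\d{2}:\d{3} (?P<responsetime>\d+) ms")
KV_RE = re.compile(r"(\w+)=(\S+)")

def load_lookup(csv_text: str) -> dict:
    """host -> application, the mapping the uploaded lookup file provides."""
    return {row["host"]: row["application"] for row in csv.DictReader(io.StringIO(csv_text))}

def parse_event(raw: str) -> dict:
    """Field extraction plus the rex for responsetime; _time truncated to the second (bin span=1s)."""
    ev = dict(KV_RE.findall(raw))
    ev["_time"] = raw[:19]
    m = RESP_RE.search(raw)
    ev["responsetime"] = int(m.group("responsetime")) if m else None
    return ev

def enrich(events: list, lookup: dict) -> list:
    """The lookup step. It must run before aggregate(), which discards other fields."""
    for ev in events:
        ev["application"] = lookup.get(ev.get("host"))   # None when the host is unknown
    return events

def aggregate(events: list) -> list:
    """stats count(success), count(error), avg, max by _time application ClientName."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["_time"], ev["application"], ev["ClientName"])].append(ev)
    rows = []
    for (t, app, client), evs in sorted(groups.items(), key=lambda kv: (kv[0][0], str(kv[0][1]), kv[0][2])):
        rts = [e["responsetime"] for e in evs if e["responsetime"] is not None]
        rows.append({"_time": t, "application": app, "ClientName": client,
                     "successapp": sum(e["Status"] == "success" for e in evs),
                     "errorapp": sum(e["Status"] == "error" for e in evs),
                     "appresponsetime": sum(rts) / len(rts) if rts else None,
                     "maxresponsetime": max(rts) if rts else None,
                     "record": "location"})
    return rows

def run(raw_events=RAW_EVENTS, lookup_csv=HOST_LOOKUP_CSV) -> list:
    events = enrich([parse_event(r) for r in raw_events], load_lookup(lookup_csv))
    return aggregate(events)

if __name__ == "__main__":
    for row in run():
        print(row)
```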
Hello, what are the recommended thresholds on the Splunk Cloud SH Health Report Manager?
Search Lag -
Searches Delayed -
Searches Skipped In -
Thanks
Hello! I am having trouble finding a way to provide panels for a user-input percentage on raw events. The user can input 90, 75, 50, 25, or any value to represent percentage 90, percentage 75, percentage 50, percentage 25, and so on. The corresponding events should be displayed in separate panels. The number of panels displayed depends on how many values the user entered. Does anyone have ideas on how to implement this? Thank you so much.
Hello, can someone help me figure out how to create a drilldown by clicking on a marker in a Dashboard Studio map? Additionally, I need to be able to either customize the mouseover tooltip or at least add another field, rather than it just displaying the Lat/Lon. Thanks, David
For an index, the jobs are getting queued whenever the users run searches. Please let me know where to increase/tweak the quota.
On a Windows server, when I go to Settings \ Monitoring Console and launch it, there is a menu item called "Forwarders: Instance" which appears not to be configured, and when I try to run setup I get this warning about it affecting performance. So my question is, are any of you running this feature?

Forwarder Monitoring Setup
Forwarder monitoring dashboards provide information on forwarder activity and throughput. If you turn on forwarder monitoring, Splunk Enterprise enables a scheduled search named "DMC Forwarder - Build Asset Table" that relies on internal network input metrics that your indexers record. If you have many forwarders, this search can significantly affect the search workload of the indexers. To mitigate the cost of this search, increase the data collection interval so that the search runs less frequently.

Forwarders: Instance
Forwarder Monitoring is disabled. Please go to the setup page to enable it.
Hello, I have an indexer server that crashes from time to time. What is the best way to investigate what caused the problem? How can I see the logs through index=_internal and splunkd.log?
Hello!! If a new event log is generated in the index, is it possible for a Python script to read the event log and generate a new log? I want to analyze the event log with a Python script and draw a graph on a dashboard from the analyzed new log.
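An added example for this post and for the earlier one about reading index=test with a custom command (it is not the poster's code). A generating command produces events from an outside source rather than reading back an index; the usual way to run Python on every new event that matches a search is a scheduled search with a custom alert action. Splunk invokes the action script with --execute and writes a JSON payload to its stdin whose "result" key holds the fields of a matching event. The script below parses such a payload, applies an analysis rule and appends one JSON line to an output file, which a monitor input can then index and a dashboard can chart. The payload below is constructed with only the keys the script uses, the fields user/src/count and the >= 5 rule are assumed, and the output file name is read from the action's configuration with a default of analysed.log.

```python
import json
import sys
import time

# Constructed payload in the shape Splunk passes to a custom alert action's stdin
# with --execute; only the keys used below are filled in.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "test index: failed logins",
    "sid": "scheduler__admin__search__example_at_1672301078_1",
    "result": {"_time": "1672301078", "user": "svc_backup", "src": "10.0.0.5", "count": "7"},
    "configuration": {"output_file": "analysed.log"},
})

def analyse(result: dict) -> dict:
    """Stand-in for the poster's parse_log: assumed rule, >= 5 failures from one source is high."""
    count = int(result.get("count", 0))
    return {
        "user": result.get("user"),
        "src": result.get("src"),
        "failures": count,
        "severity": "high" if count >= 5 else "low",
        "analysed_at": int(time.time()),
    }

def handle_payload(payload_text: str) -> dict:
    """Parse one alert payload and build the record that becomes the new log line."""
    payload = json.loads(payload_text)
    record = analyse(payload["result"])
    record["search_name"] = payload.get("search_name")
    record["sid"] = payload.get("sid")
    return record

def write_record(record: dict, path: str) -> None:
    """Append one JSON line; a [monitor://...] input on this file makes it searchable."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")

def main(argv, stdin) -> dict:
    if len(argv) > 1 and argv[1] == "--execute":
        payload_text = stdin.read()      # real invocation by Splunk
    else:
        payload_text = SAMPLE_PAYLOAD    # offline run with the constructed sample
    record = handle_payload(payload_text)
    out = json.loads(payload_text).get("configuration", {}).get("output_file", "analysed.log")
    write_record(record, out)
    return record

if __name__ == "__main__":
    print(main(sys.argv, sys.stdin))
```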
Hi all, how do I resolve high memory usage on the Splunk universal forwarder, and how do I check which files are causing the issue? Any steps to troubleshoot memory issues?