All Topics
Is there a way to achieve this? I have a lookup table with 2 columns, alert_type and short_description.

alert_type | short_description
cpu | "The Host".host."cpu utilization is high".cpu_perc."%"
mem | "The memory in the host ".host."is high with a percentage of ".mem_perc."%"

When the alert type matches, it should return short_description, and the fields in the short description should be replaced with the field values (host, cpu_perc and mem_perc).

Example: The Host abcd.com cpu utilization is high 90 % instead of the string "The Host".host."cpu utilization is high".cpu_perc."%"
Hello, I have questions about my Fire Brigade installation, but I noticed the last questions on Fire Brigade are from 2016, and it shows as not supported on Splunkbase. Is Fire Brigade dead? If so, what replaced it? --jason
Below is the value of a field. What I would like to do is a regex that would output node# + temperature.

Example output:

Node0_temperature=26 degrees C / 78 degrees F
Node1_temperature=29 degrees C / 84 degrees F

Thanks,

node0:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                 Master
    Election priority             Master (default)
    Temperature                   26 degrees C / 78 degrees F
    CPU temperature               41 degrees C / 105 degrees F
    DRAM                          98254 MB (98304 MB installed)
    Memory utilization            4 percent
    5 sec CPU utilization:
      User                        0 percent
      Background                  0 percent
      Kernel                      4 percent
      Interrupt                   1 percent
      Idle                        95 percent
node1:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                 Master
    Election priority             Master (default)
    Temperature                   29 degrees C / 84 degrees F
    CPU temperature               41 degrees C / 105 degrees F
    DRAM                          98254 MB (98304 MB installed)
    Memory utilization            4 percent
    5 sec CPU utilization:
      User                        0 percent
      Background                  0 percent
      Kernel                      2 percent
      Interrupt                   0 percent
      Idle                        98 percent
Is it possible to create a tableview without a manager, but passing the data via a JavaScript object?

Object example: let x = [{'col1':'val1'},{'col1':'val2'},{'col1':'val3'},{'col1':'val4'}]

And after that the table will be able to create itself.
Hi, I have a local minikube Kubernetes cluster set up. Furthermore, I want to set up the Splunk App for Data Science and Deep Learning to be able to interact with my local Kubernetes cluster. On the setup page, I provide the information in the input fields as shown in the screenshot below. For the Cluster CA, Cluster Certificate and Client key, I am using the contents of the files in ~/.minikube/certs. When I click the "Test & Save" button, I receive the following error message:

Exception: Could not connect to Kubernetes. HTTPConnectionPool(host='10.96.143.124', port=80): Max retries exceeded with url: //version/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f391087acd0>: Failed to establish a new connection: [Errno 110] Connection timed out'))

I know that this means Splunk is having trouble connecting to my local cluster. But unfortunately I feel I have reached a dead end, and I am not sure how I can fix this issue. Any help on this would be greatly appreciated!

PS: Here is a screenshot of the error message:
Hello, we have installed the add-on "Monitoring of Java Virtual Machines with JMX" on the forwarder level. It was forwarding data correctly when the forwarder was on version 8.1.3. However, after upgrading the forwarder to 9.0.1, it stopped working. We updated the /etc/hosts file with 127.0.0.1 <hostname> and restarted Splunk, and the add-on was sending data after that. Once the app server was restarted, it stopped sending data again and we got the below error:

systemErrorMessage="Failed to retrieve RMIServer stub: javax.naming.NameNotFoundException: jmxrmi"

If I comment out the line added in /etc/hosts, I get the below error:

2022-11-15 21:55:57 ERROR Logger=ModularInput Probing socket connection to SplunkD failed.Either SplunkD has exited ,or if not, check that your DNS configuration is resolving your system's hostname (<hostname>) correctly : Connection refused (Connection refused)
2022-11-15 21:55:57 ERROR Logger=ModularInput Determined that Splunk has probably exited, HARI KARI.

server.xml has the below Listener:

<Listener accessFile="${catalina.base}/conf/jmxremote.access" address="${base.jmx.bind}" authenticate="true" className="com.springsource.tcserver.serviceability.rmi.JmxSocketListener" passwordFile="${catalina.base}/conf/jmxremote.password" port="${base.jmx.port}" useSSL="false"/>

The bind has the below parameters in catalina.properties:

base.jmx.port=<port>
base.jmx.bind=<IP>

config.xml:

<jmxserver host="<IP>" jvmDescription="<hostname>" jmxport="<port>" jmxuser="admin" jmxpass="<jmx password>">

@Damien_Dallimor @PickleRick @gcusello @isoutamo
Hi, is there any way to dynamically fill in the part in red? Assuming the alert is running from the Searched. The idea is that if you re-install on a new Splunk install, you don't want to have to find and replace all the
We need to collect VMware Carbon Black Cloud events into Splunk (Cloud). We use this app https://splunkbase.splunk.com/app/5332 on a heavy forwarder to configure inputs. If we have a distributed environment, is this app (5332) also needed on the indexers?

The release notes mention this app https://splunkbase.splunk.com/app/5334 for the indexers, but its own details point back to the 5332 app. So, could someone please tell me which one is needed where? Thank you,
Hi all, we have noticed on our EDR some noise coming from the script "C:\Program Files\Splunk\bin\runScript.py", which seems to be starting a number of btool processes.

Could someone tell me what the usage of this is and why it's happening? I have tried googling to find more information but no luck.

Appreciate it!
Hello, where can I view notable alert suppression entries in ES? I'm looking for a way to not only audit these entries but also remove them.
Hi, so, we have a large number of domain controllers which have the Splunk Universal Forwarder installed AND Microsoft Defender for Identity. Defender has switched to using Npcap (MS agreed some kind of OEM license with them), but I am told we need to keep Splunk and WinPcap for DNS traffic capture. The issue is, on startup and occasionally every few days, I get spammed by Defender complaining that it's using WinPcap instead of Npcap drivers. I.e. it seems to be dumb and, when it sees both, uses WinPcap first and not Npcap first. If I go to Defender for Identity I don't see any issues with the sensor. The entire AD team gets over 100 messages every few days with this. A ticket open with MS has so far yielded nothing. Surely we can't be the only people with this problem? Is there a way to rename the WinPcap driver and tell Splunk to go look for the renamed driver, for instance? I don't know. There must be a fix. It's driving us nuts. Thanks!
Hi, has anyone done anything with Azure scale sets? I guess I will need to correlate across a number of logs to deal with the lack of persistence of the devices if I want to use the UF, or just use the inbuilt logging provided by Microsoft?
Hello Team, I need to set the SVC baseline in our environment. Please help me with how to start setting up the SVC baseline. I mean, what are the parameters I need to check? E.g.: skipped searches, expensive searches, orphaned searches. Like: where I am now before setting up the SVC baseline, and where we will be after setting up the SVC.
Hi, I am using Splunk version 8.2.8. When I try to open the setup page of the Splunk Add-on: ServiceNow Security Operations Integration, I get the below error on the console.

Can anyone please help with this? The above error does not occur in Splunk version 9.0.2; the add-on works fine with that version.
I want to implement this correlation search:

`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `access_lsass_memory_for_dump_creation_filter`

I do not have the required fields in my Sysmon log data. I have fields like Image, ParentImage and ProcessId, but I do not have TargetImage, TargetProcessId, SourceImage or SourceProcessId. How do I build the above query using the fields I have?
Hey, I have a big query and I need to have a command in the query that would filter all Asset_State!="Development" OR Asset_State!="Pre-Production", but ONLY for Asset_Environment!="PKI  AND Offline" Status="2". I tried the following command:

| if( Asset_Environment!="PKI  AND Offline" Status="2".,search NOT (Asset_State!="Development" OR Asset_State!="Pre-Production"))

I know the syntax is wrong, can you help? Many thanks
Hi Team, I just need to send logs from a Linux client machine (SUSE Linux) to the Splunk server hosted in a remote datacenter. I would like to ask how to configure the Linux machine to send the logs to the server and what steps are to be followed. Please share the method so that I can try to embed the steps in automation. Ideally, as the client machines are very high in number and they all need to send logs to the Splunk server, which is the recommended method (push based or pull based)? Thanks for your help with the answer.
Hi All, we have a requirement to configure the Cisco ACI app with our Splunk environment (not cloud, it is on prem). We wanted to see the dashboard data that is available in the app. But when I look at the add-on configuration (default-->eventtypes.conf), I don't see any events for any of the eventtypes that I search for. I do find the configuration with cisco:apic:cloud, but here we have the Cisco app on prem.
Windows Event ID (Code) logs are delayed for days. Latency varies; the delay at times reaches weeks or months. It is confirmed that none of the pipeline queues are blocked. Note that the Event IDs arrive in real time in the Event Viewer.
I have the below result. How can I do a regex to extract the fields, the first being DateTime, then username, Action, Entity?

2022-11-21 15:44:13,ea186520,CREATED,USERSESSIONLOG