This is the only error in the logs when I tried to check: javax.xml.stream.XMLStreamException: No element was found to write. It started appearing after I restarted the Splunk service on the heavy forwarder, but after some time the same issue came back. What could be the cause? Thanks, Shilpi
Hi, how will the search head know which index has data? It's an interview question. Kindly help me. Regards, Suman P.
I've been having trouble with my indexers, but everything is fine and up now. However, my RF and SF are still not being met. I tried tweaking it but it's not working. I have added a screenshot if anyone can kindly assist. Thanks
Hello, why doesn't my post-process search work when using the timechart command?

<search id="cap">
  <query>`index_mes` (sourcetype=web_request OR sourcetype=web:request)</query>
  <earliest>$date.earliest$</earliest>
  <latest>$date.latest$</latest>
</search>

<row>
  <panel>
    <chart>
      <search base="cap">
        <query>| timechart span=15m dc(sam) as cap</query>

Thanks
I'm using Splunk to collect data about a collection of logs. A log returned from Splunk might look like:

type: user creation transaction_id:1234 message=process started

Now, I want to count how many times an error has been linked to a transaction for user creation, without knowing the transaction in advance. For example, this error might be a log:

type: error transaction_id:1234 message=process abord

I'm trying to use the rex command to isolate the transaction_id from the first log, then pipe it to find an error with the same transaction_id (to get a count of how many times an error has been associated with the user creation process), but my request seems to consider the first part of my request instead of just using the return to pipe to the second request. Here is what I have so far:

type = "user creation" | rex field= (?<transaction_id>[^-]+)"| search transaction_id=field message="process abord" | stats count as total_error_user_creation

Could anyone suggest some improvements to get the desired result?
Right now I'm using regex to pull data with the phrase "MFA challenge succeeded" using the following regex:

| rex "(?<MFA>[a-z,A-Z,\s,\bcode\b]+)account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+).\s+\w+\s+\w+\s+\w+\s+\w+\s+(?<keycloak_id>[a-z,0-9,-]+)"

from the following field:

message: MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111

However, in the message field the "MFA challenge succeeded" part will often be different, such as: MFA challenge issued, MFA code issued, MFA challenge failed. I need a way to use regex to pull out messages where it says MFA challenge issued, MFA code issued, or MFA challenge failed, and then display them in a table.
I have some Phantom playbooks performing tasks that I want to monitor on a Splunk dashboard: runs/day, distinct tasks processed per run, success/retry/failure, things like that. I can see the revision control check-ins by playbook name, but not the individual playbook runs; those are identified with an integer that corresponds to the playbook ID. The playbook ID changes for each check-in and doesn't appear to be included in the check-in event. Surely someone must have set up a way to track Phantom playbook runs from a Splunk dashboard with a human-readable playbook name. How should I start going about this?
Hi, my JSON logs come in two different patterns: one with a timestamp and host sometimes added, and one without these extra fields. When I don't have the extra timestamp and host, the extractions work better, but for the events with timestamp and host, the events are not breaking properly.

Type 1 Logs:

Component: xxxxx
Data:
Description: xxxx
Message: xxxxx Accessed URL: xxxx
Originator: xxxx
Target: xxxx
appName: xxxxxx
subTarget: XYZ
timeStamp: 1668522719915

Type 2 Logs:

Nov 15 15:31:58 ics021013230.ics-eu-1.asml.com {"appName": "XXXXXXX","Component":"XXXXX","timeStamp":"1668522718900","eventId":"2e0525","Description":"XXXX Gateway: YYYYY ","Originator":"xxxxxx","Target":xxxxx","subTarget":"xxxxx"
Hello, we have been using this query to list hosts that have not been sending logs for the past 24h. It has been working well, and for some unknown reason it has now suddenly stopped working, in the sense that it does not show any results despite there being hosts that meet the condition. Can someone please help figure out why?

| tstats max(_time) as lastSeen_epoch WHERE index=linux [| inputlookup linux_servers | table host ] by host | where lastSeen_epoch<relative_time(now(),"-24H") | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S") | fields host LastSeen

Our lookup file has 700 hosts. Now if I reverse the where condition (just for testing) as shown below,

where lastSeen_epoch > relative_time(now(),"-24H")

it shows 694 results, meaning there are 6 hosts (700-694) that are not logging. So why does the original query not display the 6 hosts? Thanks
Hello all, I am getting a continuous error saying the rule has a malformed related_searches definition. I have checked the lookup file as well and everything looks normal, but I am still getting the error. Is there any inconsistency in the query? The query below is used for alerting.

index=wineventlog source="*WinEventLog:Security" EventCode=4688 [ | inputlookup tools.csv WHERE discovery_or_attack=attack | stats values(filename) as search ] | transaction host maxpause=5m | where eventcount>=4 | fields _raw closed_txn field_match_sum linecount
Hi, I don't want to display the weekend in my chart. For example, if I use a time picker range of 7 days, I just want to display Monday to Friday. I have to filter the events with time_wd like this, but it does not really work because, as you can see, I have no results for Saturday but I do have results for Sunday!

| search (time_h > 6 AND time_h <20) AND NOT (time_wd=6 OR time_wd=7)

Could you help please?
Hi, I have recently created a Splunk Cloud free trial. I then wanted to create a HEC collector. I went to https://prd-p-aaaaa.splunkcloud.com/en-US/manager/launcher/http-eventcollector and added one (my id is different). I received a token aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa. I then followed the documentation here: https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/UsetheHTTPEventCollector to create the URL for the HEC collector. It says to use:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

so from my understanding it should become:

https://http-inputs-prd-p-aaaaa.splunkcloud.com:8088/services/collector/raw

since I want to provide logs over JSON. However, if I try to curl that URL, I get

curl: (6) Could not resolve host: THE_CONFIGURED_HOST

So, what I'm asking is: what is the correct URL to use towards the free-trial HEC collector? BR perl
I am creating a table using a search query. I want to show the details of a column value using a dropdown or a tooltip (when hovering) over it. For example, suppose the table has a column Test with a value PT. When I click on PT it should expand and display Physical Training, or when I hover over it, it should show the complete name. Is it possible to do this?
[WinEventLog:Security]
disabled = 0
index= win*
blacklist1=EventCode="4662" Message=”Accesses:\t\t+(?!Create\sChild)”

Is this the correct way to filter out events which only have "Create Child" as the field value under Accesses? Please let me know if there is any syntax error or any other solution that I can try.
I have a dashboard with different panels that I would like to convert to a saved search. This accomplishes two things: better performance (the search can run every 5 minutes, with the panels refreshing every minute), and everyone looks at the same data (it sometimes happens that one person sees red while it is green again). How can I do that?
Hi Team, I am planning to integrate FireEye HX and Splunk, and for this I have installed the app from Splunkbase, "FireEye App for Splunk Enterprise v3 | Splunkbase", on the Heavy Forwarder and Search Head. As mentioned in the document, I also performed the steps below.

The HX appliance logging cannot be set from the GUI as of right now, please use the CLI:

hostname # logging <remote-IP-address> trap none
hostname # logging <remote-IP-address> trap override class cef priority info
hostname # write mem

In the internal index I can see the error below, and logs are not reflecting in Splunk:

ERROR SearchOperator:kv [17796 TcpChannelThread] - Cannot compile RE \"<malware\sname=\"(?<malware_name>[\w-\.]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?\" for transform 'EXTRACT-malware-info_for_fireeye': Regex: invalid range in character class.

Any assistance with this issue will be much appreciated.
Hi Team, thanks in advance. I need quick help with a regex query.

Input values:

KUL6LJBJ62YD
BLR6LC7BLNJR
HRI6M5G6KKPH
KUL6LJ3N0F6J
HRI6LBJKRHHR
HRI6LB65G6NF

Expected output: the first 3 characters of each phrase.

Current regex: (?<SITE_NAME>[^\W]{3}) << but I am not getting the proper output >>

Expected output of | table SITE_NAME:

KUL
BLR
HRI
KUL
HRI
HRI

Thanks, Jerin V
I have enabled several correlation searches in ES. Those searches run normally and return results as expected if I run them manually. However, those searches are not running as scheduled and never show up if I search using "index=_internal sourcetype=scheduler". Also, their statistics on the "Content Management" page suggest that they have never been triggered. Do you have any suggestions on this issue?
Hi, I'm getting an error when trying to send email:

command="sendemail", [Errno -2] Name or service not known while sending mail to: user@domain.com

Please suggest how to resolve this.
Dears, we need your support to convert the search below to a tstats search.

(index=os_windows OR index=workstation*) tag=authentication user!=*$ action=success EventCode=4624 Logon_Type=10 OR Logon_Type=2 user=admin OR user=administrator OR user=Paradmin OR user=symadmin | table _time index user Source_Network_Address Workstation_Name action Logon_Type | dedup user Workstation_Name

Please support. Best Regards,