Hi , how to do i display number of blocked and allowed threats with different severities in a timeframe(e.g monthly). Something like this output,   Month                    action               critical            high                medium               low 2022-11              allowed               9                        22                  45                        100                                  blocked                20                     400           44345                   23423   2022-10              allowed               39                        22                  4                        100                                  blocked                20                     500           4445                   23423   I can get to either of below output but not able to get as above,, ---- index=palo-network threat sourcetype="pan:threat" severity!=informational| bucket _time span=1month | eval Date=strftime('_time',"%Y-%m")| stats values(severity) count by _time,action ---- index=palo-network threat sourcetype="pan:threat" severity!=informational | bucket _time span=1month | eval Date=strftime('_time',"%Y-%m") | chart count over action by severity   Thank you.

  I am trying to execute this search but 90% of the times this search does not complete and returns incomplete results. The count is different for example this search will return 4,63,000 events, 4,20,000 or 3,60,000 etc results. I believe that my search is a bit heavy. Can anyone please help me to optimize this search.

Has anyone encountered this error when sending logs to 3rd party syslog destination using Splunk App for CEF I'm getting the following error. 11-03-2022 11:23:25.904 ERROR ChunkedExternProcessor [32136 ChunkedExternProcessorStderrLogger] - stderr: splunk.SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /services/data/inputs/all: The read operation timed out',) 11-03-2022 11:23:25.904 ERROR ChunkedExternProcessor [15688 searchOrchestrator] - Error in 'cefout' command: Splunkd daemon is not responding: ('Error connecting to /services/data/inputs/all: The read operation timed out',) 11-03-2022 11:23:25.911 ERROR SearchPhaseGenerator [15688 searchOrchestrator] - Fallback to two phase search failed:Error in 'cefout' command: Splunkd daemon is not responding: ('Error connecting to /services/data/inputs/all: The read operation timed out',) 11-03-2022 11:23:25.913 ERROR SearchStatusEnforcer [15688 searchOrchestrator] - sid:scheduler__userid_c3BsdW5rX2FwcF9jZWY__RMD53bb25367b408a898_at_1667434800_56257_BED74D95-D037-415C-8C9C-81F3D2FEEBAB Error in 'cefout' command: Splunkd daemon is not responding: ('Error connecting to /services/data/inputs/all: The read operation timed out',) 11-03-2022 11:23:25.913 INFO SearchStatusEnforcer [15688 searchOrchestrator] - State changed to FAILED due to: Error in 'cefout' command: Splunkd daemon is not responding: ('Error connecting to /services/data/inputs/all: The read operation timed out',)

Hello, we have a system that receives data from multiple sources each of these sources identifies the data being sent by a 25digit number, this number can be broken down by a combination of the positions, the number comes in the following format: TTWWWWWSSSYYMMDDCCCCCPL What I am trying to do is extract the CCCC portion of the number (Positions 19-23) and compare this with a lookup table to identify the sender of the information and then sort the associated data by the sender

I'm trying to exclude a specific file called catalina.out in /var/log/tomcat9/ from being processed by Splunk.  The file is being sent to my heavy forwarder and I have the following in inputs.conf  [monitor:///var/log/tomcat9] blacklist=(catalina\.out) disabled = 0 The data continues to be processed.  What am I missing?

I'm trying the below query, index=XXXXXXXXX   | eval space="cf_space_name=production" | search "space"  YYYYYYYYYYYY | stats count =================================================================== I want to filter the results based on the evaluated field. | search "space"    XXXXXXXXXXXXX    => is not returning correct values |  search "cf_space_name=production"    XXXXXXXXXXXXX    =>  but If I use the value like this its working. how to fix this? Thanks for the help.  

Hello,  I'm trying to filter my events/results after evalulating the field name and value dynamically using eval.    index=XXXX  YYYYYYY  | eval field_name=PPPP | eval field_value=KKKK | search field_name=field_value   I tried  below options, but none worked. index=XXXX   [|gentimes start=-1 | eval space="Test"| table space] index=XXXX   [|gentimes start=-1 | eval space="Test"| fields space]

I currently have v8.5 of the Splunk_TA_Windows app, and the following stanza in inputs:   [WinEventLog://AD FS/Admin] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 renderXml=false    And it seems not to be working. I am also monitoring the Application, Security, and System logs, and they are showing up. I don't see anything in the logs. What am I doing wrong?

Hello!  I am pulling in logs from a server, there are about 500 logs in the directory.  We want to bring in all 498 of them with a generic sourcetype and two need a specific log type.  Is it as easy as this:   [monitor://C:\Program Files\Logs\*] blacklist = log1:log2 disable=false index=logs sourcetype=logs   [monitor://C:\Program Files\Logs\*] whitelist = log1:log2 disable=false index=logs sourcetype=specific:logs

I'm trying to get auditd events into Splunk using the rlog.sh script from the Splunk Add-on for Unix and Linux. It isn't working. The audit logs are not being ingested. No errors are appearing in index=_internal for the host. It is successfully scheduled through the ExecProcessor component: 0400 INFO ExecProcessor [1975905 ExecProcessor] - New scheduled exec process: /opt/splunkforwarder/etc/apps/Splunk_TA_nix_l1_inputs/bin/rlog.sh To attempt to address the problem I have done the following: Had the host owner ensure dependent utilities are installed (listed in https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Requirements#Dependencies). Had the host owner change the log_group from root to splunk in /etc/audit/auditd.conf (suggested in https://community.splunk.com/t5/All-Apps-and-Add-ons/Can-t-get-rlog-sh-to-run/m-p/76143). When executing rlog in debug mode (./rlog.sh --debug) we get the following output: As splunk user: Blank output As root user: Expected output Additional details: This host was recently rebuilt. Before the rebuild the audit logs on this host were ingesting successfully through the Add-On. Other scripts through the Add-On are working on this host. This problem has not materialized on any of our other hosts utilizing the Add-On. Thanks in advance for your input!

Received error this morning on one of our non-distributed search head: The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch. Nothing works, cannot search, dashboards are non-functional.   Searching produces this error: Search not executed: The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch. user=admin., concurrency_category="historical", concurrency_context="user_instance-wide", current_concurrency=0, concurrency_limit=5000   I did quite a bit of digging in the community and found the following on my instances, non-distributed:   Dispatch Tried the clean-dispatch command on our bloated 8873 count in /opt/splunk/var/run/splunk/dispatch Shut down splunk even run in sudo, results in error of Permission denied Ran command:  ./splunk cmd splunkd clean-dispatch /temp -1day     bundle files distsearches.conf  has no maxbundlesize addressing the large .bundle files in /opt/splunk/var/run If I delete out the bundle files above, I can search for alittle bit on the search head, but then it craps out.   Now, I am at a loss after reading so many articles, how-tos and docs. I'm not a splunk guy, but I am trying to get this stable.

I need to compare two fields "Name" and "StudentName" and I am having problems with this, the values in the field "Name" do not contain accents but the values in "StudentName" contain accents in the names like 'Róbert' or 'Czuukó' and also names like 'Mary-Ann' so when I try to compare it will give me several matches because most of the names don't have accents but the ones that contain an accent in"Name" won't show up as matching with "StudentName"