Hi, hope you are doing good. I want to build one query where I will get each user with the associated event code or IP. For example, if I use stats count by user, event code, I will get:

    User  event code
    Abc   1
    Abc   2

But I want output like:

    User  event code
    Abc   1, 2

I.e. the user name should not be repeated for different event codes. Can you please guide me here? Thanks
I need a way to stop users with access to a Studio dashboard from being able to clone it. From the clone they are able to edit this new dashboard, giving these particular users too much access. These users have a minimal set of role capabilities: search and list all objects. So I'm unable to give them any fewer capabilities (not that any seem to relate to this). Any help or ideas would be greatly appreciated. Thanks
Hi All. What would you say is the recommended method for handling CSV files: ingesting them into an index or using them as a lookup table? TLDR: the server team keeps the server master list as a CSV. I want to bring it into Splunk as the reference (baseline) which all other tools report against (AD, CS, R7 etc.). Should I ingest that CSV into an index or keep it as a CSV and use it as a lookup table? Thanks in advance!
I'm using a distributed Splunk Enterprise environment with over 15 peers at the indexer tier. I have some JSON data in a small file of less than 500KB, and I'm confident that the JSON is well formed; this has been verified in Python with a simple check script. Issued command:

    ./splunk add oneshot "/tmp/<file.json>" -sourcetype xxxx:xxxx -index <index>

The command completes and the data is ingested. However, it has been parsed as an event per line and not as JSON. Obviously in props.conf the default is not set to 'KV_MODE = json'. There is no option in the CLI when using oneshot to set the input as JSON. Any thoughts or guidance please. I am a certified Splunk PS consultant, but every day brings something new for all of us, right?
I'm trying to blacklist the below event codes since we don't have any use for them, but somehow it is not working. I made the below change and deployed it to all UFs via the DS. Any idea why it is not working?

    [WinEventLog://Security]
    disabled = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    blacklist = 1003,501,510,7036,1066,17137,8003,403,404,410,900-902,4690,4099
    index = winlog
    renderXml=false
Hello Splunk Community, I am trying to add the following command to the props.conf file to make the following search permanent:

I am still very new to the Splunk world and therefore I have no experience with the props.conf file. I made a copy of the props.conf file in the folder /opt/splunk/etc/system/local and put the command in there (see below).

However, when starting Splunk now, the following message appears:

I suspect I phrased the command wrong or wrote it into the wrong section in props.conf. Also, it would be interesting to know if the part of the command that brings the events into table form can also be written into the props.conf file and, if so, into which section of the file? Many thanks and greetings
Why is it showing blank lines in logs? What is the reason callsock is sending blank lines? https://drive.google.com/file/d/19XH55gFxpuIwZbklD8Lgf4tIVSY3DKbn/view?usp=sharing
Hey All, I have 3 types of events coming from the same source (see below) with different codes, TS01, US03 and VS05 respectively:

    1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com.......
    2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com
    3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

So, in event (1) I want to rename src_user as dest_user and shost as dhost without touching the same fields in the other 2 types of events. In props.conf I can add the below:

    FIELDALIAS-src_host = src_host AS dest_host
    FIELDALIAS-shost = shost AS dhost

But the issue is that if I use the above in props.conf the changes will get applied across all the event codes. So my question is whether there is a way to achieve this for only the specific code, let's say "TS01". Any help on this will be much appreciated. Thanks.
How do I replace the hyphen with a dot? For example, I have a field called IP and the value is 10-20-11-120, but I want to convert this to 10.20.11.120. I have tried | rex mode=sed but it's only replacing the first hyphen with a dot. Please refer to my SPL below:

    | makeresults
    | eval IP="10-20-11-120"
    | rex mode=sed field=IP "s/-/./"
Hi there, kindly help me with a search to trigger an alert by scanning the logs for a scheduled job and checking the elapsed time (threshold time) for each job execution instance, alerting if the elapsed time exceeds the specified threshold for ALL three executions. Thanks in advance. Regards, Theja
Hello, I need your help to find a way to achieve the following use case. In the main search I have two categories, Windows and NIX. Both categories have ip and hostname fields:

    category    ip         hostname
    windows     x.x.x.x    a
    nix         y.y.y.y    b

Now my requirement is to join the above result set with another result set based on the following business rules:
- for windows, I want to join based on the hostname only.
- for nix, I want to join based on both ip and hostname.

Thanks in advance for the help.
Hi all, how to monitor a Windows service, send an alert and restart the service? What is the required configuration?
Hi All, before posting here I tried everything under https://community.splunk.com/t5/Splunk-Search/How-to-join-2-indexes/m-p/560334 but couldn't figure out my search.

Index01 contains the fields of interest: host, hostname, agent_version, agent_date. The difference between the host and hostname fields is that host contains the name of the HF server (which I don't want to correlate) while hostname contains the list of device names (which I want to correlate with Index02).

In Index02, the fields of interest are: host (default field), _time (default field).

To summarize, the field hostname from Index01 matches the values of the field host from Index02, so this is the common denominator. The requirement is, for all the devices from Index01, to find out the latest timestamp (as in when the device last logged) from Index02.

Below is what I need to achieve:

    hostname (Index01)  agent_date (Index01)  agent_version (Index01)  LastSeen (Index02)
    xxx                 xxx                   xxx                      xxxx

I have tried the below 2 queries but no luck. They show 0 results found, but if I run the searches individually they show data.

    index=index01
    | rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)."
    | dedup hostname
        [ search index=Index02
          | stats latest(_time) as lastSeen_epoch BY host
          | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S")
          | fields host LastSeen ]
    | table hostname agent_date agent_version LastSeen

OR

    index=index01
        [ search index=Index02
          | stats latest(_time) as lastSeen_epoch BY host
          | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S")
          | fields host LastSeen ]
    | rex field=dns "(?P<hostname>[a-zA-Z0-9-]+)."
    | dedup hostname
    | table hostname agent_date agent_version LastSeen
Hi, I have an inputlookup with wSender, wSubject and wRecipient. I want to whitelist some of the emails sent by a user to a specific recipient that have a specific subject. How can I whitelist based on these 3 conditions (Sender=X, Subject=Y, Recipient=Z)? I've tried:

    where Sender!=wSender AND Subject!=wSubject AND Recipient!=wRecipient

but in this case all the emails sent by wSender are whitelisted. I also tried:

    index=xxx AND NOT [| inputlookup whitelist.csv | fields wSender, wSubject, wRecipient]

but with the same result: the user from wSender is getting whitelisted for all the emails he sent, not just the ones with wSubject.
I've done a simple search like this:

    index=fw_cisco | stats dc(dest_ip) as NrDestIp by src_ip

I have defined a lookup file (ip_lookup) which has two columns: IPHost and DNShost. How do I replace the values of src_ip with the corresponding values of the lookup table? I tried this:

    index=fw_cisco
    | lookup ip_lookup IPHost as src_ip OUTPUT DNSHost as resolved_src
    | stats dc(dest_ip) as NrDestIp by src_ip, resolved_src

But it creates two columns, and also misses the values of src_ip that don't have a matching IPHost in the lookup table.
Let me be more clear: I have defined a lookup file (ip_lookup) which has two columns: IPHost and DNShost. Now I have a search which has two fields, src_ip and dest_ip. I successfully created a new field by using lookup like this:

    index=fw_cisco | lookup ip_lookup IPHost as src_ip OUTPUT DNShost as resolved_source_ip

But I want to do the same for the field dest_ip too. Doing the lookup like this:

    | lookup ip_lookup IPHost as src_ip, dest_ip ...

throws an error. How do I create two new fields that match the src_ip and dest_ip of my events from the same lookup command?
I am trying to figure out a way to calculate a field in a set of data. My search returns events from a long list of computers. For lack of a better explanation, I have events that each computer will throw once a day, at the same time every day. The logs have the fields ComputerName and ComputerValue. Every day the ComputerValue will be a different numeric value. I need to create a new field in each log that will be the difference in the ComputerValue field. So if on day 1 Computer1 gives ComputerValue 10, and on day 2 Computer1 gives ComputerValue 12, I need to add, at search time, a field to Computer1 that would be the day 2 value minus the day 1 value, positive or negative. So day 2 will also have a ComputerDifference value of 2. And if on day 3 ComputerValue is 8, it would be the ComputerValue of day 3 minus day 2, and ComputerDifference would be -4. It's something I could easily do in Excel but I can't figure out a way to do it here. Any suggestions?
Hello, from the GUI (DB Input), it seems that Splunk is unable to detect any rising column due to our sub query:

    SELECT event_time
    FROM sys.fn_get_audit_file (
        (SELECT TOP(1) e.audit_file_path
         FROM [sys.dm_server_audit_status] e
         WHERE e.name = 'Audit-select-statement'),
        default, default)
    WHERE event_time > ?
    ORDER BY event_time ASC

Unfortunately, Splunk DB Connect is unable to detect any rising column. If I remove the SELECT TOP(1), the rising column appears again. The goal is to query the audit table with the current filename. I saw another discussion (https://community.splunk.com/t5/Splunk-Search/DB-Connect-rising-column-combination-of-two-columns/m-p/121434) but it seems the enhancement request (DBX-564) is still not ready. Would anyone happen to have the same issue? Kind regards,
Hi all, I am trying to use the screenshot machine API to get an image, but the image is not displayed properly. We have confirmed that the API is working properly, and the execution history shows the file size and the path to the vault file, so we believe that the screenshot was taken successfully. Does anyone know the cause?

Japanese translation: Thank you for your help. Even when I retrieve an image using the screenshot machine API, it is not displayed properly. The API test succeeded, and when I check the action details, the file size and the path to the vault file are visible, so the screenshot capture appears to have succeeded. Does anyone know the cause?
Hello all, I have been using Splunk's classic dashboards for a while now and I switched to Dashboard Studio. One thing I can't seem to figure out is how to have the label values differ from the value actually used by the token. Say the data source of a dropdown is an SQL query with 2 columns, one I want to use as the label (i.e. the value displayed to the user), the other as the token's actual value; is that possible? If it helps, in classic dashboards it is done via:

    <fieldForLabel>name</fieldForLabel>
    <fieldForValue>age</fieldForValue>

Any ideas? Thank you very much!