All Topics
This query shows all employees in the company:

```
index=EmployeeData AND sourcetype=Directory* earliest=@d
| search NOT Hire_Date IN ("2021-11-11","2021-05-22","2022-08-02", "2021-11-11")
| search Worker !="Level05" Termination_Date="" Training_Performed=""
| table First, Last, primaryWorkEmail, Training_Performed
```

I need to compare this with a CSV that shows all of the people who did their training; this CSV contains the field Submitted. How would you structure the join to check whether employee xyz is in the CSV of people who completed their training?
Hi all, I have just started using Splunk dashboards to visualise my data, sorry for asking such a simple question. I have added a single value panel on my dashboard which shows the verdict of the test performed. I am using the following source code:

```
<row>
  <panel>
    <single>
      <title>Verdict</title>
      <search>
        <query>index=test_index | search splunk_id="$splunk_id$" | table verdict </query>
      </search>
      <option name="colorMode">block</option>
      <option name="drilldown">none</option>
      <option name="height">60</option>
      <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
      <option name="useColors">1</option>
    </single>
  </panel>
</row>
```

It creates a panel with a black background colour and white text at the centre. The verdict will give only 2 values ('Pass' or 'Fail'). What I want is for the panel to have a green background colour if verdict is 'Pass' and a red background colour if verdict is 'Fail'. Along with this I would like to have 'Pass' and 'Fail' written in black rather than white. I am not the admin of the Splunk server, so I can't add any JavaScript file or CSS file to the source code. Any help would be hugely appreciated. Thanks! @bowesmana can you help me out here if you can? Thanks!
I have log messages in the format below. At the end I want to group the messages by BID.

```
{ "details" : [ { "BID" : "123" }, { "BID" : "456" } ] }
```

These BIDs correspond to some static fields which describe what the BID is, e.g. BID 123 corresponds to Apple. This detail/description is however not present in the events or search results. The mappings are present in the lookup.csv file, with BID and description as 2 columns, which I am using for the lookup. But the description field is getting displayed at the end rather than before/after the BID. I want to show the expected output below, but it is showing the actual output below.

Expected Output

| Description | BID | Count |
|---|---|---|
| Apple | 123 | 4 |
| Orange | 456 | 3 |

Actual Output

| BID | Count | Description |
|---|---|---|
| 123 | 4 | Apple |
| 456 | 3 | Orange |

I am using the query below. Is there any way to achieve the expected output?

```
MY_SEARCH | spath | rename "details{}.BID" as BID | stats count as Count by BID | lookup lookup.csv BID as BID OUTPUT description as description
```
I'm going to implement AppDynamics in a .NET Core 6 REST API, and I can't get a successful connection. I followed the steps from the link below: https://docs.appdynamics.com/appd/22.x/latest/en/application-monitoring/install-app-ser[…]agent/install-the-net-core-microservices-agent-for-windows

What I notice is a single line in the profiler log and nothing else:

```
2022-10-10 15:55:33.258255[0x00001b94]<info>:Use CoreCLR profiler
```

With that type of log, I can't even infer if it's a connection issue or an implementation issue. Is there a demo project for Visual Studio, a sample to base on?
I have a lookup table named ics_special_domains that contains this:

```
domain_name,type
microsoft.com,microsoft
*.microsoft.com,microsoft
google.com,google
*.google.com,google
nwngms.com,ot
*.nwngms.com,ot
gasco.com,it
*.gasco.com,it
```

I'm trying to use this in a search to filter on specific types, but I'm trying a basic search first. This is the most basic search I'm trying:

```
index=ics_dns ( query_type="A" OR query_type="AAAA" ) | lookup ics_special_domains domain_name as query{} outputnew type as domain_type | where domain_type="microsoft"
```

It returns this error:

```
basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)
```

I'd appreciate any help figuring this out.
I'm trying to get both JSON and syslog information from our firewall into Splunk Cloud using the universal forwarder. So far I've gotten the JSON in by getting Splunk to listen on port 514, forwarding that to the index, and then adding it using:

```
splunk add udp 514 -sourcetype JSON
```

However, now I want to add the syslog information as well, which comes over the same port. When I attempt to add that I get an error:

```
splunk add udp 514 -sourcetype syslog
Parameter name: UDP port 514 is not available.
```

How do I get the Splunk index to read both from the same port?
I'm trying to create a timechart at intervals of one month; however, the code below produces the sum for the entire month. I want the value on the 1st of each month. Please let me know any solutions to get the value, or any alternative to span, to get intervals such as 2022-10-01, 2022-09-01, 2022-08-01.

```
source=all_month.csv place=*alaska* mag>=3.5 | timechart span=mon@mon1 count BY mag
```

```
(index="sales") | fillnull value="undefined"| bucket _time span=mon@mon1 | chart count by _time stock
```
Hi all, I would like to create a table with details from two different indexes. I'm facing difficulty combining the data from the two indexes, which have common columns but a different event structure. How do I start a query to merge/combine fields from different indexes? As mentioned, both indexes contain one similar field, which is user=john. Here are the details:

IndexA
- fieldA1=user (john)
- fieldA2=description

IndexB
- fieldB1=user (john)
- fieldB2=Workstation
- fieldB3=EventCode

Expected result:

| user | EventCode | description | Workstation |
|---|---|---|---|
| john | 4740 | locked out | Lenovo.. |

Could someone point me in the right direction on how to start a Splunk Cloud query to merge these into one table? Many thanks.
I have the following search that shows the top 10 hosts by count of vulnerability categories:

```
index=foo
| stats count as Count by security_group_name, severity
| chart useother=true first(Count) over security_group_name by severity
| eval total=case(critical>0 AND high>0,critical+high,critical>0,critical,high>0,high,1==1,0)
| eval subTotal=case(medium>0 AND low>0,medium+low,medium>0,medium,low>0,low,1==1,0)
| sort 10 - subTotal,subSubTotal,total
| fields - subTotal,subSubTotal,total
| table "security_group_name",critical,high,medium,low
```

The issue with my chart is that the results are not sorted by the overall total, so I see the following results: How do I modify my search to sort by overall count/total? Thx
How to calculate the number of times the same event has occurred in an index
Hello fellow Splunkers, I'm looking to update all the Splunk icons within the user interface with custom icons. So far I have successfully updated the one on the login screen. However, I cannot update the icon in the top left (which also acts as the home button). Alternatively, I'm looking to hide the status bar on the (which has the above-mentioned icon) for a subset of users. Any hints on how to achieve this? Thank you!
Hi, I'm pretty new to Splunk and I have a question. I am trying to send information from one index to another with the "collect" command. The problem is that when I send the events to the new index, the field and value do not appear as in the old index (they disappear). I am using this statement:

```
index = legacy sourcetype = old_legacy | collect index= mew_legacy
```

But in the new index I'm not receiving the FIELD->VALUE.
Please help with reading the credentials from password.conf in a Python script.
Guys, it's my first time here. I need to read the logs from my pfSense and get alerts based on the logs. Any help on how I can achieve this? Welcome and thanks in advance.
Hi all, can you suggest whether there is any way to ingest Bloomberg application data into Splunk?
Hello, please can someone assist with creating syntax to:

1. Know the numbers of desktops, laptops, servers and network devices that I have onboarded into Splunk Cloud?
2. Create an alert if a new device is onboarded?
3. Count the numbers of the different types of devices that have been onboarded.
4. Create a table for the above.

Thanks
I have events for a port listening on 443. How can I create a search and alert if the port was down or not listening? Below are sample events:

```
10/10/22 10:35:40.312 AM
2022-10-10 11:35:40.312 transport=TCP dest_ip=[::] dest_port=443 pid=4 appname=System
host = GBLONICORE01V   source = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_850\bin\win_listening_ports.bat   sourcetype = Script:ListeningPorts

10/10/22 10:35:40.312 AM
2022-10-10 11:35:40.312 transport=TCP dest_ip=0.0.0.0 dest_port=443 pid=4 appname=System
host = GBLONICORE01V   source = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_850\bin\win_listening_ports.bat   sourcetype = Script:ListeningPorts

10/10/22 9:35:40.006 AM
2022-10-10 10:35:40.006 transport=TCP dest_ip=[::] dest_port=443 pid=4 appname=System
host = GBLONICORE01V   source = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_850\bin\win_listening_ports.bat   sourcetype = Script:ListeningPorts

10/10/22 9:35:40.006 AM
2022-10-10 10:35:40.006 transport=TCP dest_ip=0.0.0.0 dest_port=443 pid=4 appname=System
host = GBLONICORE01V   source = C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_850\bin\win_listening_ports.bat   sourcetype = Script:ListeningPorts
```
Hi... how do I integrate Splunk with Windows (which uses the universal forwarder agent) so that it appears in the apps section of Splunk Enterprise Security? So far I can only integrate Splunk with Windows without involving the Splunk Enterprise Security app, so I want to do the Splunk Enterprise Security integration with Windows, and I will do a brute-force test on those Windows machines. Thank you
Hello All, we are currently getting data from an application into these 5 indexes (index1, index2, index3, index4, index5...) from different locations around the world. I want to try to create a new index called "index_global" and point all these 5 indexes to this global index so that all the data can be available under a single index. Hope this makes sense. I would really like to understand how I can achieve this. Any help on this would be really appreciated. Thanks and cheers.
Hi All, this is more of a general inquiry. I noticed that the _audit index collects a lot of activity, but it doesn't really tell in detail what has actually been done (if anything at all): edit user / edit role / edit index / remove ... What would be the recommended log levels for the different audit log channels? If I would like to see in detail what has been changed for a certain index, what log channel(s) and what log level(s) would result in showing that information? Note that in our environment any changes to indexes are done on the (Linux) server directly, not using the UI. Thanks in advance! Edwin