All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Topics

Prompt as I can make arithmetic comparison of two fields. Comparison: more, less. The first field consists of numbers: field="1", field="2" The second of numbers and letters: field="1.route", field... See more...
Prompt as I can make arithmetic comparison of two fields. Comparison: more, less. The first field consists of numbers: field="1", field="2" The second of numbers and letters: field="1.route", field="2.route"
Hi, I have a python script with json string which is sent to splunk cloud through Universal Forwarder. Since I have ":" character in my json string, the string is not indexed due to missing escape ... See more...
Hi, I have a python script with json string which is sent to splunk cloud through Universal Forwarder. Since I have ":" character in my json string, the string is not indexed due to missing escape character. I tried adding \ manually for escaping, but the indexed data shows the ":" character with "\" as prefix. Please suggest a way to escape : in my python script or a way to eliminate the \ in indexed data.
Hi, How can we calculate milli seconds to seconds for this field -> transactionDuration=20058?
For the search record: I edited an already functional dashboard in the studio, tweaking the layout. Part of that was deleting and relocating the Time Input. Afterwards I was seeing this weirdness o... See more...
For the search record: I edited an already functional dashboard in the studio, tweaking the layout. Part of that was deleting and relocating the Time Input. Afterwards I was seeing this weirdness on all of the charts:   That started a "what does it mean and where is it coming from" search, eventually becoming an expert in the concept of Splunk tokens. The problem was the  re-insertion of the Time Input had it put into the wrong area of the dashboard. The solution was to edit the Source of the dashboard and cut and paste the defaults section out of the visualization section that it had been put into, and back into the top section.           "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } },             Additionally the name of the token had been modded to the intuitive value of tr_txndYpSb  when putting back the Time Input so it needed to be changed back to global_time. Once that was done, the dashboard charts worked again.           "inputs": { "input_inmCH1Lw": { "options": { "defaultValue": "-7d@h,now", "token": "tr_txndYpSb" }, "title": "Time Range Input Title", "type": "input.timerange" } },            
I would like to download Splunk Add-On Builder version 2.2.0 in the hopes that it can import an app create from that version.  How can I get ahold of that specific version of the app?
I'm looking to limit the the maximum results returned for a custom alert action to for example 10.   If a user chooses to trigger the alert action for each result - it should limit to 10 triggers... See more...
I'm looking to limit the the maximum results returned for a custom alert action to for example 10.   If a user chooses to trigger the alert action for each result - it should limit to 10 triggers per result. I have looked into maxresultrows but didn't get anywhere with it as it would have to defined in limits.conf. Is it possible to add  | head 10 to each saved alert in an app or something like that for only alerts that have my custom alert action?   Thanks in advance
I have a log entry with the current format:    field=A_B   (delimited by underscore) How can I extract this data into two different fields so that I can create a table  field1 field2 ... See more...
I have a log entry with the current format:    field=A_B   (delimited by underscore) How can I extract this data into two different fields so that I can create a table  field1 field2 A B
@chrisyounger  Wondering if there is a way to collapse common node names in dendrogram viz. I can understand from a URL or directory standpoint why it works the way it does. I am working with jo... See more...
@chrisyounger  Wondering if there is a way to collapse common node names in dendrogram viz. I can understand from a URL or directory standpoint why it works the way it does. I am working with jobs and dependencies and there may be a common child node below some parent which branches out into a tree from there.  Like in the last attachement from ITSI.  Is there a way to make it behave like ITSI does with a single common dependent node? Is this something straightforward with existing implementation or custom? With Dendrogram Viz  In ITSI In table form...     
Hi, I have a setup page for my custom app which I'm using to store secrets - username/password combination, I'm using javascript for that but I'm not experienced in JS. I would also like to creat... See more...
Hi, I have a setup page for my custom app which I'm using to store secrets - username/password combination, I'm using javascript for that but I'm not experienced in JS. I would also like to create or modify a custom .conf file which would contain some default variables for my alert_action like a couple urls for authentication and submitting events. I wouldn't want to hard-code these values and want to be able to update them with a webpage so all new settings would apply to all the custom alert actions as the default. Are there guides on how to do this or perhaps someone has a working example with both secret creation/storage/updating and variable creation/updating in a custom .conf file? Thanks in advance
To start off, I know that there are threads that already answer this, but those threads existed a long time ago. I have a question with the code that I will provide in the post. For some reason, when... See more...
To start off, I know that there are threads that already answer this, but those threads existed a long time ago. I have a question with the code that I will provide in the post. For some reason, when I try to apply this JS extension to the dashboard I have, it will not always work. If I refresh the page or go into edit mode... the rows don't stay highlighted. I'm wondering what would cause this since I thought the table would pre-render each time the page is refreshed or goes into and out of edit mode. Here's the code for the JS extension...       require([ "underscore", "jquery", "splunkjs/mvc", "splunkjs/mvc/tableview", "splunkjs/mvc/simplexml/ready!", ], function (_, $, mvc, TableView) { // row Coloring by String Comparision of check field and True let CustomRangeRenderer = TableView.BaseCellRenderer.extend({ canRender: function (cell) { // enable this custom cell renderer for check field return _(["check"]).contains(cell.field); }, render: function ($td, cell) { // add a class to the cell based on the returned value var value = cell.value; // apply interpretation for check field if (cell.field === "check") { if (value === "True") { $td.addClass("range-cell").addClass("range-severe"); } } // update the cell content with string value $td.text(value).addClass("string"); }, }); mvc.Components.get("highlight").getVisualization(function (tableView) { tableView.on("rendered", function () { // apply class of the cells to the parent row in order to color the whole row tableView.$el.find("td.range-cell").each(function () { $(this).parents("tr").addClass(this.className); }); }); // add custom cell renderer, the table will re-render automatically. tableView.addCellRenderer(new CustomRangeRenderer()); }); });       The CSS is here...       /* Row Coloring */ #highlight tr.range-severe td { background-color: #D93F3C !important; } #highlight .table td { border-top: 1px solid #fff; } #highlight td.range-severe { font-weight: bold; }       And finally the XML code to create the dashboard to replicate the issue. I should note that I am on Safari.       <dashboard stylesheet="js_functions:table_row_highlight.css" script="js_functions:table_row_highlight.js"> <label>JS Row Highlight test</label> <row> <panel> <table id="highlight"> <search> <query>| makeresults | eval id=1 | eval check="True,False,True,False,False,True,False,True,False,True,False,False,True" | eval check=split(check,",") | mvexpand check | accum id | eval alert_name="Alert ".id</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </dashboard>      
Hello!  I realize that the question is a bit particular, so I will try to explain through an example. I am indexing a json that looks like this with escaped characters and leading/trailing quotes: ... See more...
Hello!  I realize that the question is a bit particular, so I will try to explain through an example. I am indexing a json that looks like this with escaped characters and leading/trailing quotes: "{\"data\": {\"essentials\": {\"monitorCondition\": \"Resolved\",\"firedDateTime\": \"2022-09-26T14:56:41.7862462Z\",\"resolvedDateTime\": \"2022-09-26T15:02:47.9852843Z\"}}}" I need to associated _time to the following statement: If monitorCondition=Fired then parse firedDateTime as _time, otherwise parse resolvedDateTime as _time. Since the json is not understood directly by Splunk due to the escaped quotes I am attempting the following: format the _raw correctly so that it is interpreted correctly by Splunk. calculate the value to use as timestamp associate timestamp to the _time field  This is my props.conf so far: [json_test_st] KV_MODE = json DATETIME_CONFIG =  LINE_BREAKER = ([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD = 500 NO_BINARY_CHECK = true TZ = GMT category = Custom disabled = false pulldown_type = 1 SEDCMD-formatjson = s/\\|^\"|\"$//g  TRANSFORMS = gettime TIMESTAMP_FIELDS = timestamp TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7NZ   This is my transforms.conf   [gettime] INGEST_EVAL = timestamp=if('data.essentials.monitorCondition' = "Fired",'data.essentials.firedDateTime','data.essentials.resolvedDateTime')   The result is that I can get Splunk to parse the json correctly, but it does not extract the timestamp. Could anybody give me a push in the right direction? Thank you and best regards, Andrew
I just set up the UF on my DC (it's a lab environment) and I can confirm that both are connected on the specified ports using netstat but I'm not getting any logs from my DC. I'm also using Splunk a... See more...
I just set up the UF on my DC (it's a lab environment) and I can confirm that both are connected on the specified ports using netstat but I'm not getting any logs from my DC. I'm also using Splunk add-on for windows and enabled logs for sysmon and AD only. This is my inputs  file for the add on. And I keep getting  these errors in my Splunk instance  here's also the log file for splunkd  
Hi, We've been trying to use "for loop" logic within playbook app actions. Although, there seems to be no way to achieve this out of the box. Example, we use the action "get file" - this action onl... See more...
Hi, We've been trying to use "for loop" logic within playbook app actions. Although, there seems to be no way to achieve this out of the box. Example, we use the action "get file" - this action only accepts one machine id at a time . We want to get multiple files via this action (for each item, send to "get file"), therafter send each file through a sub playbook and then return all outputs to a prompt in the main playbook with enrichment.
I know this has been already asked in the past, but it still not completely clear to me: https://community.splunk.com/t5/Alerting/Can-someone-explain-when-I-would-use-quot-Once-quot-versus-quot/m-p... See more...
I know this has been already asked in the past, but it still not completely clear to me: https://community.splunk.com/t5/Alerting/Can-someone-explain-when-I-would-use-quot-Once-quot-versus-quot/m-p/279202 https://docs.splunk.com/Documentation/Splunk/latest/Alert/AlertTriggerConditions For testing purpose to understand the topic, I have set-up the following Correlation Search that triggers a Notable Event in Splunk Enterprise Security. The same can be done also as an Alert in Splunk Enterprise:     | makeresults count=3 | streamstats count | eval value=case(count=1,"test01",count=2,"test02",count=3,"test03") | eval alert=case(count=1,"KO",count=2,"OK",count=3,"KO") | search alert="KO" |`get_event_id`|eval orig_index=index|eval orig_indexer_guid=indexer_guid|eval orig_event_hash=event_hash|eval orig_cd=_cd|eval orig_raw=_raw     The above search run every 5 minutes and generates 2 events.  I tried to change between "Once" and "For each result" but nothing change, they are always generated 2 Notable events. I was expecting: "Once": generate only 1 Notable event "For each result": generate 2 Notable events   So the question is which is the difference between "Once" and "For each result" and why there is no effect changing it in my test? Thanks a lot, Edoardo
I have the following log:      Requests over Threshold found: {"kv":{"top_requests":[{"operation_name":"get","last_dispatch_duration_us":136231,"last_remote_socket":"xx","last_local_id":"67B57F730... See more...
I have the following log:      Requests over Threshold found: {"kv":{"top_requests":[{"operation_name":"get","last_dispatch_duration_us":136231,"last_remote_socket":"xx","last_local_id":"67B57F7300000001/00000000C1E2DBA3","last_local_socket":"xxx:37894","total_dispatch_duration_us":136231,"total_server_duration_us":3,"operation_id":"0x127f1","timeout_ms":250,"last_server_duration_us":3,"total_duration_us":136516},{"operation_name":"get","last_dispatch_duration_us":135914,"last_remote_socket":"xxx","last_local_id":"67B57F7300000001/00000000C1E2DBA3","last_local_socket":"xxx:37894","total_dispatch_duration_us":135914,"total_server_duration_us":15,"operation_id":"0x127e9","timeout_ms":250,"last_server_duration_us":15,"total_duration_us":135985},{"operation_name":"get","last_dispatch_duration_us":135827,"last_remote_socket":"xxx.xxx:11210","last_local_id":"67B57F7300000001/000000006A92D90B","last_local_socket":"xxx:59306","total_dispatch_duration_us":135827,"total_server_duration_us":15,"operation_id":"0x127e7","timeout_ms":250,"last_server_duration_us":15,"total_duration_us":135946}],"total_count":3}}     How can I parse this? 
Hi,   | tstats earliest(_time) as Earliest latest(_time) as Latest where index=_internal by _time, index, sourcetype, host span=1d | eval Earliest=strftime(Earliest,"%Y-%m-%dT%H:%M:%S.%Q") | eval... See more...
Hi,   | tstats earliest(_time) as Earliest latest(_time) as Latest where index=_internal by _time, index, sourcetype, host span=1d | eval Earliest=strftime(Earliest,"%Y-%m-%dT%H:%M:%S.%Q") | eval Latest=strftime(Latest,"%Y-%m-%dT%H:%M:%S.%Q") | appendcols [tstats count where index=_internal by _time] I would like to generate the dashboard for host,sourcetype, latest event received,Total Eventcount and sparkline for count of 1month As per the above query i am getting result like this Is there any other alternative for this please suggest?  
Hello, I have an API call that is bringing in json data to my Splunk environment. When I do a basic query of the index, I can see that every event is properly parsed in the 'list view':     d... See more...
Hello, I have an API call that is bringing in json data to my Splunk environment. When I do a basic query of the index, I can see that every event is properly parsed in the 'list view':     definition: { [-] knowledgeBases: [ [+] ] name: xxxxx published: xxxxx threatIndicators: Privilege_Escalation uniqueId: xxxx } firstFound: xxxxx lastFound: xxxxx status: Active target: { [+] } RiskRating: Medium RiskScore: 4.58 Solution: Service teams should upgrade the impacted package }     This data is then being utilized in an accelerated datamodel for a few dashboards. However, I noticed when using tstats in the queries, a lot of the results were missing.  I then tried troubleshooting the data within the index using 'table' and realized i need to use |spath to get the fields to display correctly in my table. Does anyone have any insight into this, or how to possibly use spath within a tstats query?
Hello We are getting M2crypto blocker during scan (platform readiness app) for migrate to 8.2.8 . (current - 8.1.7) This block coming for few instances (HFs only) but for IDX,SHs all passed . Que... See more...
Hello We are getting M2crypto blocker during scan (platform readiness app) for migrate to 8.2.8 . (current - 8.1.7) This block coming for few instances (HFs only) but for IDX,SHs all passed . Question is  -  1. Is that a road blocker for upgrade ? 2. Can you suggest the workaround /resolve this block    
Hi everybody, I am creating a Dashboard using Splunk and I'm searching for a solution. I have a list machine according to the type from an Excel file. I have a dbxquery to get data of each mach... See more...
Hi everybody, I am creating a Dashboard using Splunk and I'm searching for a solution. I have a list machine according to the type from an Excel file. I have a dbxquery to get data of each machine from DB  then using lookup, I now can get the count of event by each type. What I want to do next, is add drilldowns in the dashboard, to distinguish the type, base on the number of machine, for ex: if there is < 50 machines, the type will list in the drilldown 1, if > 50, types will be listed in the drilldown 2.  The reason to seperate into 2 group because I want to set the timechart span differently, span =1h for drilldown 1 and span =2h for drill down 2 Here is my script: |dbxquery connection="server" query="SELECT * FROM table " |lookup lookup.csv numero OUTPUT type |eval _time=strptime(time_receive,"%Y-%m-%dT%H:%M:%S.%N") |timechart span=2h count by type | untable _time type count_event | makecontinuous | fillnull value=0 | where count_event = 0 | sort - _time Can I do something in the search, like: If I click on the drilldown 1, I'll run the search with span =1h, when I choose from drilldown 2, I'll run the search with span =2h? I also want to have option ALL in each drilldown Do you have any idea? Thanks, Julia  
I like to use savedsearches with token inside  a classic xml dashboards e.g.  <form> ... <search> <query>| savedsearch "my_savedsearch " tok_token1="$form.tok_token1$" tok_token2="$form.tok_tok... See more...
I like to use savedsearches with token inside  a classic xml dashboards e.g.  <form> ... <search> <query>| savedsearch "my_savedsearch " tok_token1="$form.tok_token1$" tok_token2="$form.tok_token2$" ..." </query> </search> ... </form> But when I want to edit the savedsearch later in the search app/dashboard, the tokens are not set, e.g. > index=xyz field1=$tok_token1$  AND field2=$tok_token2$ The only way to run and edit the query  I know is to replace temporary the token to constant values, because something like  > | eval tok_token1=value  before does not work. Is there a better way to temporary set the tokens in a  dynamic search for enhancing a query afterwards ?