Hi splunkers,   I have problem about usind maxming geoip datavbses I get 4 databases from maxmind (GeoIP2-City.mmdb; GeoLite2-ASN.mmdb; GeoIP2-Country.mmdb; GeoIP2-Anonymous-IP.mmdb) I need to use these 4 databases Following the html documentation about iplocation (https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Iplocation), I copy the databases I need to use under a specific directory and configure limits.conf to point to this directory for any of the databases I need to use. This database was copied over search Head AND Indexers. Limits.conf : [root@vlpsospk04-sh databases]# more ../local/limits.conf [iplocation] db_path = /data/splunk/etc/apps/cnaf_deploy_maxmind_databases/databases/GeoIP2-City.mmdb db_path = /data/splunk/etc/apps/cnaf_deploy_maxmind_databases/databases/GeoLite2-ASN.mmdb db_path = /data/splunk/etc/apps/cnaf_deploy_maxmind_databases/databases/GeoIP2-Country.mmdb db_path = /data/splunk/etc/apps/cnaf_deploy_maxmind_databases/databases/GeoIP2-Anonymous-IP.mmdb Then, when I m using this file configuration, Then restart splunkd process, I get data about GeoIP2-City.mmdb, but nothing about GeoIP2-Anonymous-IP.mmdb as an exemple. In the documentation about iplocation, only one mmdb file is documented, so is this a specific configuration to use multiple mmd files ?   Does someone get results with sevferal databases ?   Thank you !

Hi Splunkers, I have a request for our environment: I have to send AWS logs to our Splunk, which is a Cloud one. Googling I found some very usefull guides, for different type of logs, such as the ones of a specific EC2 istance, for example all the logs of  /var/logs of a Linux VM. What I was not able to find, is how to send the AWS Hypervisor logs to Splunk; when I say Hypervisor logs I mean all the one related to VM, and so EC2 istances, management. For example, I want to be able to see on Splunk if some admin has created, deleted, stopped or started an EC2 istance, both a new one or an exiting one. Is there some config docs/guides I can use?

Hey Guys, I have the following data in Splunk. Each eventdata has 4 lines (which are seperated through newLines) and every line in a event represent the value of a variable.  My Question: Can I generate a table in which I list every event with the four variables. The table I wont to have should look like the following excel table :   Thanks for your help!

On one of my RHEL 7.9 server, i am seeing splunk service is Active:active(exited). i am using 8.2.2.0. please guide me to fix the issue. [root@srv01 ~]# systemctl -l | grep -i splunk splunk.service loaded active exited SYSV: Splunk indexer service [root@srv01 ~]# systemctl status splunk.service Active: active (exited)

Hi guys, I need to evaluate a disruption.  It can last multiple hours, so I need to use data which is at least 4h old. This query needs to show all disruptions that are longer than 15 minutes with it's starting timestamp and it's last occurring timestamp. To group all logged events, I need a transaction which also contains the field CompleteDescription. If this field contains specific values which can be seen in the query, it is a disruption. The query I've build works so far but is to slow to collect data from multiple hours. Does anyone have an idea how to improve the query for more performance? Thank you!     index=log sourcetype=servlog | transaction ThreadId host maxspan=180s startswith=(LogMessage=start) endswith=(LogMessage=end) | stats earliest(_time) as "first", latest(_time) as "last", count by Type, CompleteDescription | eventstats sum(count) as count_full by Type, CompleteDescription | eventstats sum(count_full) as total by Type | eval percentage = round((count_full/total)*100,0) | eval time_diff = round((last - first)/60, 0) | eval CompleteDescription=upper(CompleteDescription) | search Type!=SSL (CompleteDescription = "MISSING RESPONSE" OR CompleteDescription = "TIMEOUT" OR CompleteDescription = "TECHNICAL ERROR" OR CompleteDescription = "INTERNAL SYSTEM ERROR" OR CompleteDescription = "NO REACHABILITY") total >= 10 percentage >= 50 time_diff >= 30 | convert ctime(first) ctime(last) | table Type, CompleteDescription, count_type, count, percentage | sort - percentage, total      

Hi, guys, me having issue with telegram alerts. 1. There are 3 available apps in splunkbase for sending alerts from splunk using telegram bots. So I've created bot, and added it to a group that will save all alerts. After that, I've configured the telegram app in Splunk, added all configs: chat id, bot id, and proxy settings (it's the only way to access the internet) but it's not working, I mean I'm not receiving any alert. I guess the problem is in proxy.

Hey Splunk Community, I'm having an issue with the $SPLUNK/var/lib/splunk/kvstore/mongo directory. I have a tonne of files present in this directory dated from several months ago at around the 512MB size range ending in ".ns" and ".0".  If we remove these files over say an age of 30 days would this have any impact on the SIEM or if this action safe?

Hi, I have a python script with json string which is sent to splunk cloud through Universal Forwarder. Since I have ":" character in my json string, the string is not indexed due to missing escape character. I tried adding \ manually for escaping, but the indexed data shows the ":" character with "\" as prefix. Please suggest a way to escape : in my python script or a way to eliminate the \ in indexed data.

For the search record: I edited an already functional dashboard in the studio, tweaking the layout. Part of that was deleting and relocating the Time Input. Afterwards I was seeing this weirdness on all of the charts:   That started a "what does it mean and where is it coming from" search, eventually becoming an expert in the concept of Splunk tokens. The problem was the  re-insertion of the Time Input had it put into the wrong area of the dashboard. The solution was to edit the Source of the dashboard and cut and paste the defaults section out of the visualization section that it had been put into, and back into the top section.           "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } },             Additionally the name of the token had been modded to the intuitive value of tr_txndYpSb  when putting back the Time Input so it needed to be changed back to global_time. Once that was done, the dashboard charts worked again.           "inputs": { "input_inmCH1Lw": { "options": { "defaultValue": "-7d@h,now", "token": "tr_txndYpSb" }, "title": "Time Range Input Title", "type": "input.timerange" } },            

I'm looking to limit the the maximum results returned for a custom alert action to for example 10.   If a user chooses to trigger the alert action for each result - it should limit to 10 triggers per result. I have looked into maxresultrows but didn't get anywhere with it as it would have to defined in limits.conf. Is it possible to add  | head 10 to each saved alert in an app or something like that for only alerts that have my custom alert action?   Thanks in advance

To start off, I know that there are threads that already answer this, but those threads existed a long time ago. I have a question with the code that I will provide in the post. For some reason, when I try to apply this JS extension to the dashboard I have, it will not always work. If I refresh the page or go into edit mode... the rows don't stay highlighted. I'm wondering what would cause this since I thought the table would pre-render each time the page is refreshed or goes into and out of edit mode. Here's the code for the JS extension...       require([ "underscore", "jquery", "splunkjs/mvc", "splunkjs/mvc/tableview", "splunkjs/mvc/simplexml/ready!", ], function (_, $, mvc, TableView) { // row Coloring by String Comparision of check field and True let CustomRangeRenderer = TableView.BaseCellRenderer.extend({ canRender: function (cell) { // enable this custom cell renderer for check field return _(["check"]).contains(cell.field); }, render: function ($td, cell) { // add a class to the cell based on the returned value var value = cell.value; // apply interpretation for check field if (cell.field === "check") { if (value === "True") { $td.addClass("range-cell").addClass("range-severe"); } } // update the cell content with string value $td.text(value).addClass("string"); }, }); mvc.Components.get("highlight").getVisualization(function (tableView) { tableView.on("rendered", function () { // apply class of the cells to the parent row in order to color the whole row tableView.$el.find("td.range-cell").each(function () { $(this).parents("tr").addClass(this.className); }); }); // add custom cell renderer, the table will re-render automatically. tableView.addCellRenderer(new CustomRangeRenderer()); }); });       The CSS is here...       /* Row Coloring */ #highlight tr.range-severe td { background-color: #D93F3C !important; } #highlight .table td { border-top: 1px solid #fff; } #highlight td.range-severe { font-weight: bold; }       And finally the XML code to create the dashboard to replicate the issue. I should note that I am on Safari.       <dashboard stylesheet="js_functions:table_row_highlight.css" script="js_functions:table_row_highlight.js"> <label>JS Row Highlight test</label> <row> <panel> <table id="highlight"> <search> <query>| makeresults | eval id=1 | eval check="True,False,True,False,False,True,False,True,False,True,False,False,True" | eval check=split(check,",") | mvexpand check | accum id | eval alert_name="Alert ".id</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </dashboard>