Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hey Splunkers!! SPL-210107: Set Up Primary Data Source missing from data configuration side panel for Choropleth USA and Choropleth World. Workaround: Add the data source via source code. Is this issue fixed in the 9.0.* versions? This issue is listed in the Splunk 8.2.7 known issues document. I can't verify whether it is fixed in version 9.0.*; I checked the fixed issues document of the 9.0.* versions and there is no sign of whether it is fixed or not. So how could I verify whether this issue is fixed in the 9.0.* versions? And if possible, could you briefly describe this issue with a sample SPL query and the workaround for it?
------------------------------------
RestinLinux

I was installing the Linux AuditD app and the TA on my Splunk instance and my forwarders installed on RHEL 7 systems when I noticed that there's no inputs.conf file in either the app or the TA. How are my indexers supposed to get and use any data from the systems without the forwarders sending the data over? Am I just supposed to make one myself? I had a look at the video guide for version v2 (something like 6 years ago), and that one seems to have an inputs.conf file, unlike the current version v3.
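The kind of inputs.conf stanza the TA leaves for you to write, added here as an example; it is not taken from the Linux AuditD app or TA. The index name and the sourcetype value are assumptions: the sourcetype must match the stanza the TA's props.conf defines, so check that file before deploying.

```ini
# inputs.conf - deploy to the universal forwarders (for example in the TA's local/
# directory pushed by the deployment server), not to the indexers.
# Assumed values: index "linux_audit" and sourcetype "linux:audit"; replace the
# sourcetype with whatever stanza name the TA's props.conf actually defines.
[monitor:///var/log/audit/audit.log]
disabled = false
index = linux_audit
sourcetype = linux:audit
```

Two checks before trusting the feed: /var/log/audit/audit.log is root-only by default, so the user splunkd runs as on the forwarder needs read access (auditd's log_group setting in /etc/audit/auditd.conf is the usual way; verify the resulting file mode on the host), and `splunk list inputstatus` on the forwarder should show the file as being read rather than "permission denied".
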
I want to exclude duration results if greater than 7 days. So I used search NOT, but it is not working. Can someone help here? Query:
index=sentinelone
| eval duration=tostring(now()-strptime(installedAt,"%Y-%m-%dT%H:%M:%S.%6N"),"duration")
| table _time installedAt agentDomain duration
| search installedAt!="Null"

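The comparison has to be made on the numeric seconds before they are turned into a display string: tostring(x, "duration") yields text such as "7+03:12:09", and NOT / != on that text compares strings, not time. The search below is an added example, not the poster's query; it assumes the field names from the post and that installedAt always carries that timestamp format.

```spl
index=sentinelone
| eval installed_epoch=strptime(installedAt, "%Y-%m-%dT%H:%M:%S.%6N")
| eval age_sec=now()-installed_epoch
| where isnotnull(age_sec) AND age_sec <= 7*86400
| eval duration=tostring(age_sec, "duration")
| table _time installedAt agentDomain duration
```

The isnotnull() test also drops events whose installedAt did not parse (strptime returns null for "Null" or a differently formatted value), which is what the original `installedAt!="Null"` filter was trying to do; if you want to review those unparsable agents separately, replace the where clause with `| where isnull(age_sec)`.
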
I'm looking for a way to set a token when the column exists (regardless of value). Tried these with no luck.
<eval token=if(isnotnull($row.MyCol$),useValue=$row.MyCol$,null())>
<eval token=case($row.MyCol$ != "" , useValue=$row.MyCol$)
Thoughts?

I have a query which results in a table:
"some words" | stats dc(host) as host_count by zone, region
My end goal is to be able to create an alert if "host_count < 2" in any row. I will achieve that by adding " | where host_count < 2" to the query and alerting if the search is non-empty. The issue is that in some cases, when there are no lines matching the "some words" criteria, I will have no row for that zone/region combination in my table (i.e. I will never have a row where host_count is 0). This will result in a false negative for the alert. I had the thought that I could possibly merge the search result with a lookup table which provides the 0 value lines, but had no success. How can I achieve this?

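One way to get the missing zero rows from a lookup, added here as an example and not taken from the post. It assumes a lookup file expected_zone_region.csv with columns zone and region listing every combination that should be reporting; the name and columns are assumptions.

```spl
"some words"
| stats dc(host) AS host_count BY zone, region
| append
    [| inputlookup expected_zone_region.csv
     | fields zone, region
     | eval host_count=0 ]
| stats max(host_count) AS host_count BY zone, region
| where host_count < 2
```

The second stats collapses each zone/region pair to a single row: a pair that produced events keeps its real count (max of the real count and 0), a pair that produced none keeps the 0 from the lookup and therefore trips the alert. Pairs that appear in events but are missing from the lookup still pass through, so the lookup only needs to be complete for the silence you want to catch. The append subsearch is subject to the usual subsearch row limit, which is not a concern for a lookup of a few hundred rows.
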
Hello dear Splunk experts! I'm stuck with one search and can't figure out how to do this. Did a lot of searching here on this friendly community but couldn't find the answer, despite seeing a lot of similar tasks with solutions. I have a dataset like this:

sg1     sg1_approval   sg2     sg2_approval   sg3     sg3_approval
value1  approved       value2  not approved   value3  delayed

And I want to get something like this:

sg    sg_value   sg_approval
sg1   value1     approved
sg2   value2     not approved
sg3   value3     delayed

What is the best way to achieve this? I've found some examples around transpose, eval or stats functions but these didn't solve my task completely. And to add a bit of complexity to this task: how to calculate the sum of particular cells in rows with particular values of columns. I have this dataset:

sg1     sg1_approval   sg1_now   sg2     sg2_approval   sg2_now   sg3     sg3_now   sg3_approval
value1  approved       4         value2  not approved   2         value3  5         delayed
value2  not approved   3         value3  approved       5         value4  1         approved

And want to extract it as:

sg_approval    sg_now
approved       10
not approved   5
delayed        5

So that the sg_now column contains the sum of all values in sg1_now, sg2_now and sg3_now sorted by sg1_approval, sg2_approval and sg3_approval. Thank you very much in advance! Regards

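An added example (not the poster's search) that unpivots the sgN/sgN_approval/sgN_now column groups into one row per slot and then sums sg_now per approval value. The two input rows are constructed with makeresults to match the second dataset in the post; in a real search replace those first three lines with your own base search. Everything else uses only the field names the post shows.

```spl
| makeresults count=2
| streamstats count AS row
| eval sg1=if(row=1,"value1","value2"), sg1_approval=if(row=1,"approved","not approved"), sg1_now=if(row=1,4,3),
       sg2=if(row=1,"value2","value3"), sg2_approval=if(row=1,"not approved","approved"), sg2_now=if(row=1,2,5),
       sg3=if(row=1,"value3","value4"), sg3_now=if(row=1,5,1), sg3_approval=if(row=1,"delayed","approved")
| fields - _time
| eval slot=mvappend("sg1|".coalesce(sg1,"")."|".coalesce(sg1_approval,"")."|".coalesce(sg1_now,""),
                     "sg2|".coalesce(sg2,"")."|".coalesce(sg2_approval,"")."|".coalesce(sg2_now,""),
                     "sg3|".coalesce(sg3,"")."|".coalesce(sg3_approval,"")."|".coalesce(sg3_now,""))
| mvexpand slot
| rex field=slot "^(?<sg>[^|]+)\|(?<sg_value>[^|]*)\|(?<sg_approval>[^|]*)\|(?<sg_now>[^|]*)$"
| fields row sg sg_value sg_approval sg_now
| stats sum(sg_now) AS sg_now BY sg_approval
```

Stop before the final stats to get the first table in the post (sg, sg_value, sg_approval, plus the source row number). The coalesce() calls matter: concatenating a null field with "." produces null, and mvappend() silently drops null members, so a row with an empty sg3 group would otherwise lose that slot instead of showing it as empty. The result of the full search on the constructed rows is approved 10, not approved 5, delayed 5.
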
Dear Splunkers, I'm really sorry for my question; I do feel the reply would be on another thread (I couldn't find it), but I'm trying to forward custom application access logs to Splunk, giving a specific tag name to each column (say, I would define it by regular expression) and sending only "matching" data. I've already set inputs.conf with the file path, index and sourcetype, and I successfully see the full logs in Splunk search, but all of the info is in the event data. I'm still not sure where to set the appropriate configuration (props.conf, transforms.conf, ?) for getting only Invoked Service, Caller IP and Response Code, say, since we are referring to access logs.

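One way to wire this up, as an added example and not configuration from the post. Index-time filtering is done with two queue-routing transforms (send everything to nullQueue, then pull matching lines back into indexQueue; the order in TRANSFORMS matters), and the named fields come from a search-time EXTRACT in props.conf. The sourcetype name app:access and the line layout "<caller ip> <invoked service> <response code>" are assumptions; adjust the regexes to the real log format. These stanzas must live on the heavy forwarder or indexer that parses the data first; a universal forwarder does not run them.

```ini
# props.conf (heavy forwarder or indexer). Stanza name = the sourcetype set in
# inputs.conf; "app:access" is assumed here.
[app:access]
# Index-time routing: drop everything, then re-route lines matching the access
# log shape back into the index queue. Listed order is the execution order.
TRANSFORMS-filter = access_drop_all, access_keep_matching
# Search-time extraction of just the three fields wanted; the layout
# "10.0.0.5 /api/orders 200" is a constructed assumption.
EXTRACT-access_fields = ^(?<caller_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?<invoked_service>\S+)\s+(?<response_code>\d{3})\b

# transforms.conf
[access_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[access_keep_matching]
REGEX = ^\d{1,3}(?:\.\d{1,3}){3}\s+\S+\s+\d{3}\b
DEST_KEY = queue
FORMAT = indexQueue
```

Lines sent to nullQueue are gone for good, so test the keep regex against a sample of the file before enabling the filter; a quick check after a restart is `index=<your index> sourcetype=app:access | stats count BY response_code`, which should return only numeric codes. The EXTRACT runs at search time, so it can be changed later without reindexing.
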
I want no results of a search to display until the search has completed. The search I am running displays any users which do NOT have any logs found in the search. I also have an alert that triggers when this search displays any results. The issue I am running into is that sometimes, with long running queries, the results can briefly show a user that has not yet been found in the search and thus trigger an alert before the search finishes. The search finishes with the correct results, but the damage is done and the alert is already triggered. I do not have the ability to modify the alert, just the search query. The simplified search query:
search string
| eval tracked_users=split("userA,userB,userC",",")
| stats values(user) as user by tracked_users
| where NOT match(user,tracked_users)
| table tracked_users
| rename tracked_users as "Users not found"
Is there a way to hide the table until the search is complete? Or is there a better way to structure the query such that no results are displayed until the search is complete?

Hello. Do field values have to be consistent for ES, or doesn't it matter? So in the wineventlog, if src is sometimes the IP and other times the FQDN, does ES care? Same with the user field: if sometimes the field value is bob@domain or domain-bob or bob$, does it matter? Thanks, R00ster

Hi All, I have a large number of Windows logs in a directory. How can I automatically delete them from disk after Splunk has ingested them and the folder size grows beyond 5 gigabytes? Where can I write such a configuration? Thanks in advance!

Hi Team, I am getting a 2 hr time span only, even if I specify a 1, 3 or 4 hour span, in the line chart visualization. Running the command below gives the correct 1 hr span, but in the visualization I am facing the issue (reference attached).
index="xx" * "*"
| eval Day=case(like(Date,"%22-AUg-22"),"work",like(Date,"%23-AUg-22"),"work",like(Date,"%24-AUg-22"),"week",like(Date,"%25-AUg-22"),"week",1=1,Day)
| timechart span=1h max(YYY) by Day
Thanks in advance.

Hi, I would like to create a dropdown menu with two goals in mind:
1) Adjust the button width to the size of the selected text so that the whole selected text can be read
2) In the dropdown list (when choosing a new item), many strings are too large to fit in one line. I want to increase the list box width to the size of the largest selectable text item
I managed to fix issue 1) with the grateful help of https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-the-dropdown-input-width-not-increasing/m-p/416340 by adding
<html>
<style>
#Selection_DropDown div[data-component="splunk-core:/splunkjs/mvc/components/Dropdown"] {display: inline-block !important; width: auto !important }
</style>
</html>
I'm struggling though to find an easy SimpleXML/CSS solution to issue 2). Is it possible to complete both of these requirements? Cheers

Greetings, I have been creating a search that collects all the sourcetypes that have not collected any information during the last 4 hours (which I was able to accomplish). The thing is that I need to know which indexes these sourcetypes belong to in this same search. Any idea? This is the search:
| metadata type=sourcetypes index=*
| search sourcetype=*
| where lastTime<now()-14400
| eval ageInSeconds = (now()- firstTime)
| search ageInSeconds > 86400
| convert ctime(lastTime) ctime(recentTime) ctime(firstTime)
| table sourcetype, lastTime

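A way to get the index alongside each silent sourcetype, added here as an example rather than taken from the post. The metadata command aggregates a sourcetype across all the indexes it appears in, while tstats keeps index as a split-by field and reads the same bucket metadata, so it answers the question in one search. The 30-day lookback is an assumption; a sourcetype whose last event is older than the window does not show up at all, so widen it if you need to catch long-dead sources.

```spl
| tstats max(_time) AS lastTime min(_time) AS firstTime
    WHERE index=* earliest=-30d
    BY index, sourcetype
| where lastTime < relative_time(now(), "-4h")
      AND firstTime < relative_time(now(), "-1d")
| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S"),
       firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")
| sort index, sourcetype
| table index, sourcetype, firstTime, lastTime
```

The second where condition reproduces the post's "older than a day" filter so brand-new sourcetypes are not reported as silent. Run it with a role that can search every index you care about; tstats only sees indexes the role is allowed to search, and a sourcetype that falls out of the list for that reason looks exactly like one that went quiet.
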
I am trying the helloworld app from BlogProjects/splunk-custom-search-command-python/hello_world at master · CptOfEvilMinions/BlogProjects · GitHub. Compressed and installed it from file (hello_world.spl). Then restarted Splunk... But when trying "index="zeek" sourcetype="bro:conn:json" | helloworld" I am getting Unknown search command 'helloworld'.
# ls -l /opt/splunk/etc/apps/hello_world/
total 4
drwxr-xr-x 2 splunk splunk  28 Sep 21 06:44 bin
drwxr-xr-x 2 splunk splunk  43 Sep 21 06:44 default
drwxr-xr-x 7 splunk splunk 140 Sep 21 06:44 lib
drwxr-xr-x 2 splunk splunk   6 Sep 21 06:44 local
drwx------ 2 splunk splunk  24 Sep 21 06:44 metadata
-rw-r--r-- 1 splunk splunk  46 Sep 21 06:44 README.md
# ls -l /opt/splunk/etc/apps/hello_world/bin
total 4
-rwxr-xr-x 1 splunk splunk 491 Sep 21 06:44 hello_world.py
# cat /opt/splunk/etc/apps/hello_world/default/commands.conf
[helloworld]
python.version = python3
chunked = true

I am trying to create an alert to record failed logins for the Splunk servers, however not all of them show up in my current alert.   I can get the Search Heads and one of my Heavy Forwarders but my Indexers, Deployment/License server and Cluster Master/Monitoring Console server are not reporting.  Is there something that needs to be added or enabled to these servers?
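An added example, not configuration from the post: the documented way to make the _audit events of the non-indexing instances (cluster manager, deployment server, license manager, monitoring console, search heads) searchable from one place is to forward their internal indexes to the indexers. Indexer hostnames and the receiving port are assumptions.

```ini
# outputs.conf on each non-indexer Splunk instance. Assumes the indexers already
# listen on 9997 (inputs.conf [splunktcp://9997]) and that the hostnames are yours.
[indexAndForward]
# Do not keep a local copy; the indexers become the only place these events live.
index = false

[tcpout]
defaultGroup = primary_indexers
# Internal indexes (_audit, _internal, ...) are excluded from forwarding by
# default; this switches that filter off so the login audit trail goes too.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```

After a restart, `index=_audit action="login attempt" info=failed | stats count BY host, user` run from a search head should list every forwarding instance under host. The indexers' own _audit index is already local to them and reachable through distributed search, so if those are the ones missing, check the search head's list of search peers and the role's allowed indexes rather than outputs.conf.
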
Hello, I would like to display dates in a Dashboard Studio table; I want the format to be "%Y-%m-%d" but it is not displayed as such. Here is the SPL excerpt:
| eval vuln_publication_date_string = strftime(normalized_publication_time,"%Y-%m-%d")
Here is the result of the search associated with the table. The type of the field is a string. And here is the table itself. I guess it is due to the format, but I cannot change it. Does anybody have an idea how to force the format in the table? Thank you

Hello fellow Splunkers. I am trying to set the sourcetype name using a part of the source path. I've read the answers to the same question on the community, but I just can't get it working, so I'll give it a shot and ask here.
The goal: set the sourcetype name from the third folder in the source path. For example, automatically set sourcetype to "foobar" for logs collected from source C:\data\Logs\foobar\logfile.log
What I have tried:
(on the universal forwarder) inputs.conf:
[monitor://C:\data\Logs\...\*]
index = main
(on the indexer receiving from the universal forwarder) props.conf:
[source::C:\data\Logs\*]
TRANSFORMS-changesourcetype = changesourcetype
transforms.conf:
[changesourcetype]
SOURCE_KEY = MetaData:Source
REGEX = C:\\data\\[^\\]+\\([^\\]+)\\
#REGEX = C:\\data\\Logs\\(\w+)\\ (Commented out: for debugging purposes)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
I've also tried (for debugging reasons) solving it differently, by tagging a temporary sourcetype at the UFW:
inputs.conf:
[monitor://C:\data\Logs\...\*]
index = main
sourcetype = changemeplease
props.conf:
[changemeplease]
TRANSFORMS-changesourcetype = changesourcetype
transforms.conf:
[changesourcetype]
SOURCE_KEY = MetaData:Source
REGEX = C:\\data\\[^\\]+\\([^\\]+)\\
#REGEX = C:\\data\\Logs\\(\w+)\\ (Commented out: for debugging purposes)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
The data gets forwarded and indexed, but the transforms seem to not hit whatsoever. Any suggestions on what I am doing wrong here?

I have to ingest some data, so I've created a field called customer data and the regex works fine: ^[0-9]{16}.{249}(?<customer_information>.{174}). As it contains PII data I need to mask it but keep the format of that event, so the 174 characters within the customer_information field need to show as ####. I've created this within the props.conf file but I can't get the data to be shown as ###. Can you help?
[mask_customer_data]
DEST_KEY = _raw
REGEX = ^[0-9]{16}.{249}(?<customer_information>.{174})
FORMAT = $1CI##############################################################################################################################################################################

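An added example of index-time masking for this record layout; it is not the poster's configuration. Two things it does differently: the REGEX/FORMAT/DEST_KEY stanza belongs in transforms.conf and is wired in from a props.conf stanza for the sourcetype, and FORMAT rebuilds the whole event from capture groups, so the part to keep has to be captured ($1) and the part to mask left uncaptured. The sourcetype name customer_feed is an assumption.

```ini
# props.conf - on the indexer or heavy forwarder that parses this feed first
# (a universal forwarder never runs these, so the raw PII would reach the
# indexers unmasked if this were placed only on the UF).
# The sourcetype name "customer_feed" is assumed; use the one set on the input.
[customer_feed]
TRANSFORMS-mask_customer = mask_customer_data

# transforms.conf
[mask_customer_data]
# $1 keeps the 16-digit id plus the 249 characters after it, $2 keeps whatever
# follows the 174-character customer_information field; the field itself is
# replaced by exactly 174 '#' so the fixed-width layout of the record survives.
REGEX = ^([0-9]{16}.{249}).{174}(.*)$
FORMAT = $1##############################################################################################################################################################################$2
DEST_KEY = _raw
```

Because the replacement happens before the event is written to disk, restart the parsing tier and confirm on fresh data only; events indexed earlier keep their original _raw and have to be deleted and re-ingested. A check after the change is `index=<your index> sourcetype=customer_feed | regex _raw="^[0-9]{16}.{249}#{174}" | stats count`, which should equal the total event count for the same window. If records can contain line breaks, prefix the REGEX with (?s) so `.` matches across them; otherwise the transform silently does not match and the PII is indexed as-is.
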
Hi Splunkers, I work with Splunk Enterprise and wonder if I can modify content in the share folder. I would like to change the fonts of the web GUI to our corporate fonts and found the fonts used by Splunk in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/fonts and the CSS for that in ../exposed/build/css/bootstrap-enterprise.css (searched for proxima in the CSS). Will it have any impact on Splunk version updates or Splunk support if I change the fonts to corporate fonts? Thanks in advance for your answers

I wonder if someone can help. We are getting the following error when trying to send data into Splunk; this previously worked but now we can't seem to get it working at all. I have tried to curl the event manually and it succeeds, which is even stranger. The error message is
token name=xxxx, channel=********* source_IP=******, reply=6, events_processed=0, http_input_body_size=101493, parsing_err="While expecting event object to start: Unexpected character while looking for value: 'E', totalRequestSize=101493"
The event we are trying to send looks like this:
{
    "time": 1663679182,
    "host": "test-sandbox",
    "source": "aws/lambda",
    "sourcetype": "aws:lambda",
    "index": "xxx-xxx",
    "event": {
        "message": "2022/09/20 14:06:22 node=test-sandbox Starting to move cantabm_testfile-9.zip from c21-metadata-dropzone-sandbox to c21-metadata-dest-sandbox/Metadata/cantabm_testfile-9.zip\n",
        "account": "11111111111"
    }
}
