All Topics


Hello all, I have been asked to create a sample dashboard with the data present. Hence I have created the following panels with dropdowns available:

Total Traffic vs Attack Traffic:
| stats count as "Total Traffic" count(eval(isnotnull(attack_type))) as "Attack Traffic"

Top 10 Hostnames / FQDN Targeted:
| stats count by fqdn

No of Error logs:
| search severity = Error | stats count

No of Critical logs:
| search severity = Critical | stats count

Attack Classification by % (Num of Attacks):
| top limit=10 attack_type

Top 10 IP Addresses:
| top ip_client limit=10

Daily Attack Trend:
| timechart count(attack_type) as count span=1d

Weekly Attack Trend:
| timechart count(attack_type) as count span=1w

Status Codes Trend:
| stats count by response_code

HTTP Method Used:
| stats count by method

Log Details:
| table _time, ip_client, method, policy_name, response_code, support_id, severity, violations, sub_violations, violation_rating, uri

All searches follow the base search. Please let me know if any panel needs to be modified or made more detailed than these basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well.
I have data that contains the LOGINDate, UserName, and USERID. I need to use the MLTK to detect user behavior individually, not for all users together. The goal is to use Machine Learning to detect the normal behavior of each user based on hours and days. Additionally, I need to detect:
- If the user logs in on off days, to determine whether it's normal behavior.
- If the user logs in at abnormal hours on any day, this should also be detected.
I successfully implemented this using Python, but the customer requires it to be done using Splunk MLTK without any static values.
When I push the configuration bundle through the cluster master, I get the error below. Please suggest on this.
Currently I am using the same deployer for two different search head clusters and would like to remove it from one of the clusters. However, I cannot find any official documentation related to this. Could anyone tell me how to do it? Thank you so much.
Hello, I am currently trying to deploy a single deployer across two different search head clusters but am having trouble finding detailed steps on how to do this. I have used the same cluster label and secret for both clusters. To differentiate the clusters, I attempted to assign different captains as follows:

For Cluster A:
bootstrap shcluster-captain -servers_list "https://cluster_A_IP:8089, https://cluster_A_IP:8089, https://cluster_A_IP:8089"

For Cluster B:
bootstrap shcluster-captain -servers_list "https://cluster_B_IP:8089, https://cluster_B_IP:8089, https://cluster_B_IP:8089"

I am unsure if this setup correctly separates the two clusters while using the same deployer. Could you provide guidance on whether this approach is effective or suggest an alternative method? Thank you so much.
Hi Team, we have a deployment with 3 standalone search heads. One of them has ES running on it. We are planning to introduce a new server as a deployer and make these 3 search heads clustered.
Question:
1. Is it possible to add these existing search heads to a cluster, or should we copy all configs, then create new search heads and copy the configs to all? If this is the only possibility, what are the recommendations and challenges? Can we take a backup of the full /etc/apps and then deploy new search heads -> add to cluster -> replicate /etc/apps? Is this approach correct?
Any heads up will be appreciated.
Is there a way to hide the tooltip when I hover on a pie chart in Splunk Dashboard Studio and customize what shows? For example, when I hover on this chart, I see weighted_sum: 9,946, but I would like to only show the weighted_sum% and not the value.
I have a Splunk Dashboard table with data. This is the JSON below:

{
  "type": "splunk.table",
  "dataSources": {
    "primary": "ds_zn4Nlcdc"
  },
  "title": "Some title",
  "options": {
    "columnFormat": {
      "name": { "width": 109 },
      "team": { "width": 60 }
    },
    "headerVisibility": "fixed"
  },
  "description": "Some description.",
  "eventHandlers": [
    {
      "type": "drilldown.customUrl",
      "options": {
        "url": "$row.url.value$",
        "newTab": true
      }
    }
  ],
  "context": {},
  "containerOptions": {},
  "showProgressBar": false,
  "showLastUpdated": false
}

I have event handlers to reroute to the correct URL when drilling down, BUT the hyperlink is applied to the whole row. I want the hyperlink to be applied to only a specific column so I can have multiple hyperlinks for one row. At the moment, I can click any value on the row and I will be routed to $row.url.value$, but I want to click on a specific column and then be routed to the hyperlink specific to that column.
Hello and help. I've downloaded Splunk Enterprise and initially was able to connect to the dashboard, then all of a sudden I started to receive the message "This site can't be reached". I've deleted cache and cookies per support, then was nicely led to community support. Also, I deleted and added inbound rules for Splunk 9997 and Splunk Web. Thanks.
I need help with the structure of this search. I would like to display the username, the group and the connection method:
index=indexname
| stats count by username, group, connection method
| sort -count
So I have an index: Index= xxxxxx "Stopping iteration". I have the rex for getting the unique ID.
Event sample: Stopping iteration - 1900000000: 2000 Files accepted
So my current rex is:
rex "Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+)"
and it extracts the 1900000000. I want to extract the 2000 number and then do a count for 24 hours. Any help would be great.
Team, I have a situation where a user calls service 1 and then service 1 calls service 2 using the same transaction_id. Sometimes it happens that the user calls service 1 but it does not call service 2, and vice versa. I need a query which will show the result in table format and show Yes/No whether service 1/2 was called or not:
transaction_id, service1_status, service2_status
1234, yes, yes
5678, yes, No
Ex:
log of service 1: <timestamp> <transaction_id> <service1 URL>
log of service 2: <timestamp> <transaction_id> <service2 URL>
Hello, I'm trying to add up the MIPS of each of the partitions per minute and then keep only the maximum MIPS per day, but I'd like to display the hour and minute at which this peak arrived. How do I do it? Here's my search. First, I want to add the MIPS for all partitions per minute. Second, I want to keep only the max value per day of the prior addition.
index=myindex
| bin span=1m _time
| stats sum(MIPS) as MIPSParMinute by _time
| timechart span=1d max(MIPSParMinute) as MaxMIPSParMinute
| eval Day=strftime(_time,"%Y/%m/%d")
| eval Hour=strftime(_time,"%H:%M")
| sort 0 - MaxMIPSParMinute Day
| dedup Day
| table Day Hour MaxMIPSParMinute
Unfortunately, in my result I lose the hour and minute of when this peak occurs in the day. Is there a way of keeping the hour and minute value? Thanks!
We are implementing an app to collect a large CSV report via a Python script, but the interval-in-seconds period is not a good solution for us. Is it expected that there will be a cron job option for collection intervals in future versions? Please let me know. Thanks in advance.
Can anyone tell me how to migrate a Microsoft Azure App for Splunk dashboard (security_center_alerts) from the original Classic format to Dashboard Studio? I realize I can clone the dashboard, but am not sure how to have the app recognize the migrated dashboard instead of the original one. Also, is there a way to add a new local dashboard to the app dropdown menus? Thanks in advance! Steve Cook
Hi, struggling to get single values to show with a trendline comparing to the previous month.
| bin span=1mon _time
| chart sum(cost) as monthly_costs over bill_date
Tried different variations. The above will show a single value for each month, but I want to add a trendline to the single value to compare to the previous month. Any ideas? Thanks!
Hi all, does anyone know if there is a built-in visualisation similar to that provided by Graphistry (https://www.splunk.com/en_us/blog/tips-and-tricks/visualising-network-patterns-with-splunk-and-graphistry.html)? Thanks
Hi everyone, I'm a new Splunk Enterprise administrator. I'm about to delete the previous administrator's account and create a new one for myself. However, I have a few questions before I proceed. The previous administrator created numerous saved searches, lookup files, and scheduled tasks. Before deleting the account, I would like to:
- Verify account assets: Is there a way to view all the saved searches, lookup files, dashboards, and other assets owned by the account that I'm about to delete?
- Assign assets: How can I transfer ownership of these assets to my new account or configure my new account to access them?
I'm concerned that deleting the account without taking these precautions might disrupt ongoing scheduled tasks. Any advice or experience you can share would be greatly appreciated. Thank you.
Hello Splunkers, this is after I upgraded to Splunk Enterprise version 9.4: the client names under Forwarder Management on the deployment server are showing up as GUIDs, not the actual hostnames. Prior to version 9.4 I remember it showed the actual hostnames. Not sure if an additional configuration is required here. Has anyone experienced the same and knows what needs to be done? Please advise. Regards,
We have a search head cluster consisting of 3 search heads. Splunk Enterprise Security has a notable index in the Enterprise Security app where all the notable logs are stored. Now the problem is that the notable index data is not replicating to the other 2 search heads.