Hello, I have a token "user" representing the name of a user. This name can contain "(" or ")". When I am using this token to execute a LDAP search, I get an error because it cannot contains brackets. The solution is to replace ( by \28 and ) by \29. I tried it without using the token, and it works: | ldapsearch domain=mydoman search="(CN=John Doe \\28test\\29)" Unfortunately, I am using a dashboard to automatically complete this username. I need to replace the brackets by \28 and \29. Is there a quick way to do this? Thank you ... View more

Hello, I was wondering if it is possible to add the result of the iplocation (Country, City, ... fields) command in a data model structure? Thank you ... View more

Hello, I am trying to create a Connection in Splunk DB Connect 2. It is a MS-SQL Database. There is no named instance. The only instance is the default one. The user that I am using has the correct rights. DB Connect contacts the SQL Server because I see the error logs on it. Even though I am changing the "Default Database" field in the Connection form, it seems the DB Connect app is not using it. Indeed, when the database typed is correct, Splunk displays the following error message: External search command 'dbxquery' returned error code 1. Script output = " ERROR "Exception at ""/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbxquery.py"", line 123 : java.sql.SQLException: java.sql.SQLException:java.sql.SQLException: Cannot create PoolableConnectionFactory (Cannot open database ""mssqlserver"" requested by the login. The login failed. But "mssqlserver" is not a database name, but the default instance name. There is no reason DB Connect put this name in the database field because I put something else. When I read the SQL Logs, it is clear that DB Connect is using "mssqlserver" as the database name. Any idea how to make it work? PS: I tried the MS generic driver and the jTDS driver. None of them work. ... View more

Hello, I am trying to set up a connection in the Splunk DB Connect 2 app, but it doesn't find the driver: failed: java.sql.SQLException:,Cannot load JDBC driver class 'com.microsoft.sqlserver.jdbc.SQLServerDriver' I installed JAVA: java version "1.8.0_66" Java(TM) SE Runtime Environment (build 1.8.0_66-b17) Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode) The DB-Connect app find JAVA after I enter the JAVA_HOME variable. I copied the sqljdbc4.jar file from microsoft to /opt/splunk/etc/apps/splunk_app_db_connect/bin/ After restarting Splunk, it still doesn't find the driver. Any ideas ? PS: I tried to set up the CLASSPATH var as this post described : https://answers.splunk.com/answers/235666/splunk-db-connect-2-the-driver-class-commysqljdbcd.html but it doesn't work. ... View more

Hello, I have a search that find all the IPs used by each user. I would like to run this search periodically so that if a new IP is used by a user, I receive an alert. I was think about storing the results in a CSV and comparing the result of the following search with that CSV. But is it efficient ? Also, I am not sure how to save it as a CSV since there can be several IPs for one user: user1, ip1, ip2 user2, ip1 ... Any ideas ? Thanks EDIT: I managed to progress. I used a join with a subsearch: ... distinct_count(src_ip) values(src_ip) AS IP earliest=-1d@d latest=@d by user | rename distinct_count(Web.src) AS count | fields user, count, IP | join user [ ... distinct_count(src_ip) values(src_ip) AS IP_old from earliest=-22d@d latest=-1d@d by user | rename distinct_count(Web.src) AS count_old | fields user, count_old, IP_old] | makemv delim=" " IP_old | where IP!=IP_old But I don't know how to compare the multi-values field "IP" and the multi-values field "IP_old". I would like to keep only the event where IPs in "IP" are new compared to "IP_old". Any ideas ? ... View more

Hello, I am currently setting up some graphs and I was wondering if there is a simple and flexible way to generate an alert when there is a unusual peak in the graph. I know I can set up an alert if X events have been found but this is not flexible. Is there a way that Splunk can learn that, for example, on Mondays, there are more events generated so the alert limit should be higher ? Thank you ! ... View more

Hello, I have logs from Cisco ESA (emails) and some of them are logged in the futur. For example this log is marked "12/16/15 11:20:30.290 PM" by Splunk, but it should be "Dec 16 00:28:26". Dec 16 00:28:26 <internal-IP> logs: Info: MID XXXXX Message-ID '<20151215232030290.BLABLA@XXXX.COM>' As you can see, the email address contains "20:30.290" which makes the timestamp wrong. To block this behavior, I tried to setup MAX_TIMESTAMP_LOOKAHEAD to 16 or 19, but it seems that Splunk keeps reading the whole log because for the above example, I have this field: timeendpos = 82 (it stops after 20151215232030290) My props.conf (on the indexer:) [cisco:esa:legacy] SHOULD_LINEMERGE = false TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 19 NO_BINARY_CHECK=true Any idea ? Thank you ... View more