×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sainag_splunk
Splunk Employee
Member since: ‎08-30-2016
3 weeks ago
Community Statistics
Posts 180
Solutions 18
Karma Given 27
Karma Received 74
Member Since ‎08-30-2016
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Securing Authorization and Authentication of ...

by Splunk Employee in Splunk Enterprise
‎10-15-2024 12:24 PM
‎10-15-2024 12:24 PM
Token Authentication: This is definitely your best bet for security. You can create these through Splunk Web or via the API itself.  https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTtoken HTTPS: Always, always use HTTPS for your API calls. It's a must for encryption. RBAC Make sure your API user or token only has the permissions it absolutely needs. Less is more when it comes to security! Create splunk roles and map accordingly. MFA: While Splunk supports MFA for user logins, it's not directly used for API calls. Instead, you'd set up MFA for the user generating the API tokens. https://docs.splunk.com/Documentation/SIM/current/User/SetupMFA SAML: If you're using SAML, you'll still use tokens for API access. SAML is more for the web interface. Tokens are usually the way to go for most scenarios. https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SetupuserauthenticationwithSplunk https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/UseAuthTokens   Hope this helps! ... View more

Re: transform ingested HEC JSON log as regular log

by Splunk Employee in Splunk Enterprise
‎10-15-2024 11:59 AM
‎10-15-2024 11:59 AM
The only way you can do is to use  /services/collector/raw endpoint. I understand the desire to maintain your existing Splunk setup, I would advise against using the raw endpoint (/services/collector/raw) to transform the JSON logs back into regular log format. This approach would unnecessarily increase system load and complexity. Instead, the best practice is to use the existing event endpoint (/services/collector/event) for ingesting data into Splunk. This is optimized for handling structured data like JSON and is more efficient. I recommend adjusting your alerts and dashboards to work with the new JSON structure from logging-operator. While this may require some initial effort, it's a more sustainable approach in the long run: Update your search queries to use JSON-specific commands like spath or KV_MODE=JSON to extract fields. Modify dashboards to reference the new JSON field names. Adjust alerts to use the appropriate JSON fields and structure. ... View more

Re: SAML login with Azure AD failes cause of missi...

by Splunk Employee in Splunk Enterprise
‎10-15-2024 11:40 AM
‎10-15-2024 11:40 AM
I personally follow this doc and never had any issues. Can you please try this from scratch again. https://learn.microsoft.com/en-us/entra/identity/saas-apps/splunkenterpriseandsplunkcloud-tutorial ... View more

Re: Why there are no instances available

by Splunk Employee in Splunk Cloud Platform
‎10-15-2024 11:26 AM
1 Karma
‎10-15-2024 11:26 AM
1 Karma
Typically you will get an email with your splunkcloud trial stack details. Subject: " Weclome to Splunk Cloud!" May be in spam? your url will look like this:  Splunk Cloud URL: https://test-p45.splunkcloud.com I don't think your trial version is synced with your salesforce account.  here is the link: https://docs.splunk.com/Documentation/Splunk/9.3.1/Data/Howdoyouwanttoadddata Hope this helps.    ... View more

Re: SAML login with Azure AD failes cause of missi...

by Splunk Employee in Splunk Enterprise
‎10-14-2024 01:15 PM
‎10-14-2024 01:15 PM
Hello looks like an issue with the certificate. Please check this out :https://community.splunk.com/t5/Deployment-Architecture/Problem-with-SAML-cert-quot-ERROR-UiSAML-Verification-of-SAML/m-p/322376#M12073 If this is a brand new implementation, you can also use Splunk's "ondemand services" for help. The Professional Services ( experts can "shoulder surf" this and help get it resolved.   ... View more

Re: Search head's authentication credentials rejec...

by Splunk Employee in Deployment Architecture
‎10-14-2024 08:02 AM
‎10-14-2024 08:02 AM
Hello @BRFZ when was the last reboot on this search head ? looks like its hung up. I encourage to reach out to support if this not get resolved.        ... View more

Re: SAML login with Azure AD failes cause of missi...

by Splunk Employee in Splunk Enterprise
‎10-14-2024 07:51 AM
‎10-14-2024 07:51 AM
Hello @msteffl . Are you using the scripted authentication? Do you also see any warnings like on the splunkd.log ?     " WARN AuthorizationManager [34567 TcpChannelThread] - Unknown role 'ldap_user"   If you also see the the "unknown role" error message, it might be AD group to Splunk Role mapping is failing on because it can't find a Splunk role definition for "ldap_user". Take a look at the "authorize.conf.   To troubleshoot this issue you will need to turn on debug for SAML on the SH and get the user to try and login again.  Once they have done that you can run the following to see if any roles are being retuned for the user: index=_internal sourcetype=splunkd samlp:response   Docs:  https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/ConfigureSSOinSplunkWeb https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/Mapgroupstoroles https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/ConfigureauthextensionsforSAMLtokens#Configure_authentication_extensions_for_Microsoft_Azure_using_Splunk_Web   Hope this helps.  ... View more

Re: Index Volume Location On Search Heads

by Splunk Employee in Deployment Architecture
‎10-10-2024 04:32 PM
1 Karma
‎10-10-2024 04:32 PM
1 Karma
Yes, It is the best practice  to have consistent index configurations & definitions throughout the cluster. Thanks @gcusello @PickleRick  for the good points. To further elaborate on this topic and provide more details, I'd like to add the following: EDIT: I'd like to expand on my previous answer with some additional best practices: 1. Separate Index Definition from Storage Definition: - It's typically best practice to keep these configurations separate. - In a production environment, use a legitimate app for your main indexes.conf file, not the system/local directory . - This ensures better manageability, version control, and consistency across your Splunk deployment. 2. Use Separate Apps for Configurations: - Implement a base config methodology with different apps for different aspects. - Create apps like: a) org_all_indexes: For consistent index definitions across the deployment. b) org_idxer_volume_indexes: For indexer-specific configurations. c) org_srch_volume_indexes: For search head-specific configurations. 3. Flexibility and Scalability: - This approach allows different storage tiers for indexers and search heads as needed. - It maintains a consistent view of available indexes across the deployment while allowing for component-specific optimizations. These practices will help create a more robust, manageable, and scalable Splunk infrastructure. ... View more

Re: convert to datetime datatype and derive day,we...

by Splunk Employee in Splunk Enterprise
‎10-10-2024 07:43 AM
‎10-10-2024 07:43 AM
Based on what I can understand, you can try using something like this and tweak it as needed. | makeresults | eval datetime_str="Thu 10 Oct 2024 08:48:12:574 EDT" | eval datetime=strptime(datetime_str, "%a %d %b %Y %H:%M:%S:%3N %Z") | eval day_name=strftime(datetime, "%A"), day_of_month=strftime(datetime, "%d"), month=strftime(datetime, "%b"), year=strftime(datetime, "%Y"), week_number=strftime(datetime, "%U"), time_part=strftime(datetime, "%H:%M:%S") | fields datetime_str, datetime, day_name, day_of_month, month, year, week_number, time_part | eval hour=substr(time_part, 1, 2), minute=substr(time_part, 4, 2), second=substr(time_part, 7, 2)     ... View more

Re: AggregatorMiningProcessor - Breaking event bec...

by Splunk Employee in Getting Data In
‎10-10-2024 07:29 AM
‎10-10-2024 07:29 AM
The reason for your error is "Poorly formatted data" . Regarding INDEXED_EXTRACTIONS=JSON, here is the good article on when/where it can be used. Can you please run this search and show me the output for your sourcetype? index=_internal source=*splunkd.log* AggregatorMiningProcessor OR LineBreakingProcessor OR DateParserVerbose WARN data_sourcetype="my_json" | rex "(?<type>(Failed to parse timestamp|suspiciously far away|outside of the acceptable time window|too far away from the previous|Accepted time format has changed|Breaking event because limit of \d+|Truncating line because limit of \d+))" | eval type=if(isnull(type),"unknown",type) | rex "source::(?<eventsource>[^\|]*)\|host::(?<eventhost>[^\|]*)\|(?<eventsourcetype>[^\|]*)\|(?<eventport>[^\s]*)" | eval eventsourcetype=if(isnull(eventsourcetype),data_sourcetype,eventsourcetype) | stats count dc(eventhost) values(eventsource) dc(eventsource) values(type) values(index) by component eventsourcetype | sort -count   ... View more

Re: please excuse... as it is very basic... AND in...

by Splunk Employee in Splunk Search
‎10-09-2024 02:30 PM
‎10-09-2024 02:30 PM
Hey @PickleRick , thanks for calling that out. You're absolutely right, and I totally dropped the ball on some of those details. My bad. I was trying to keep things simple  but I guess I oversimplified a bit too much while typing. You nailed it with the AND being an operator, not a command. That's a rookie mistake on my part. About the performance thing - yeah, I should've been clearer. For simple stuff, it might not make a huge difference, but you're spot on that it can matter a lot with complex searches or big data sets. ... View more

Re: please excuse... as it is very basic... AND in...

by Splunk Employee in Splunk Search
‎10-09-2024 09:58 AM
‎10-09-2024 09:58 AM
Hi @Raj_Splunk_Ing No need to apologize - we all start somewhere, and asking questions is how we learn! Let's break down your question about using AND ... IN (...) versus WHERE ... IN (...) in Splunk searches. Both of your examples will work, but there are some slight differences:   AND ... IN (...): index=ADFS_AWS AND clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")   This is part of the main search string and is evaluated early in the search process.   Using WHERE:   index=ADFS_AWS | WHERE clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc") The WHERE command is a separate search command that filters results after the initial search. In terms of efficiency: For most cases, they'll perform similarly. The AND version might be slightly faster as it's applied earlier in the search process. The WHERE version is more flexible if you need to do more complex filtering. Remember, the best approach often depends on your specific data and use case. Don't hesitate to test both and see which works better for you! Splunk Search Manual: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearch Search Processing Language (SPL) Reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual WHERE command documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where Comparison of search commands (including AND and WHERE): https://docs.splunk.com/Documentation/Splunk/latest/Search/Comparesearchcommands Best practices for searching: https://docs.splunk.com/Documentation/Splunk/latest/Search/Bestpracticesforsearching Using the IN operator: https://docs.splunk.com/Documentation/Splunk/latest/Search/Usetheinoperator Splunk Search Tutorials: https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial Hope this helps.     ... View more

Re: Time extraction using props.conf

by Splunk Employee in Getting Data In
‎10-09-2024 07:30 AM
1 Karma
‎10-09-2024 07:30 AM
1 Karma
Please try to remove the " (double quotes) from the TIME_FORMAT. TIME_FORMAT=%d/%m/%Y %H:%M:%S   If this isn't working checkout the btool on this source/host/sourcetype for any DATETIME_CONFIG setting on your props.conf. Hope this helps. ... View more

Re: Why am I unable to use the Splunk App and Add-...

by Splunk Employee in All Apps and Add-ons
‎10-08-2024 03:44 PM
‎10-08-2024 03:44 PM
The "use existing data input" feature allows you to reuse the checkpoint for any other input or the same input where you want to start/resume from the last stored checkpoint. ... View more

Re: Error in Splunk GitHub Content

by Splunk Employee in All Apps and Add-ons
‎10-08-2024 01:28 PM
‎10-08-2024 01:28 PM
can you try adding this below line to the end of your search? and give it a try? | noop search_optimization.predicate_push=f https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Noop#Managing_specific_search_optimizations_with_the_noop_command Hope this Helps. Karma would be appreciated.  ... View more

Re: Why am I unable to use the Splunk App and Add-...

by Splunk Employee in All Apps and Add-ons
‎10-08-2024 01:17 PM
1 Karma
‎10-08-2024 01:17 PM
1 Karma
Hello @Cheng2Ready Are you on classic stack or Victoria stack? If you are on classic stack, we need to configure this inputs on the idm.  ... View more

Re: Dashboard Studio working with Reports and Time...

by Splunk Employee in Dashboards & Visualizations
‎10-08-2024 09:26 AM
‎10-08-2024 09:26 AM
Multiple questions on the same post might be misleading to others in future. Please ask as new question. For granting third-party access to Splunk dashboards, here are some options and best practices: Embedded reports: You can use Splunk's embed functionality to share specific reports or dashboards. This method allows you to control exactly what data is shared. Reference: https://docs.splunk.com/Documentation/Splunk/latest/Report/Embedscheduledreports Summary indexing and role-based access: Collect relevant data in a summary index with a specific source. Create a dedicated Splunk role for the third party. Map this role to their AD/LDAP group. Set search restrictions for this role to only access the required source/sourcetype, so you don't give access to the entire iindex. Hope this helps. Karma would be appreciated.  ... View more

Re: how to create a dashboard with avg AUTHZ usag...

by Splunk Employee in Dashboards & Visualizations
‎10-08-2024 09:10 AM
1 Karma
‎10-08-2024 09:10 AM
1 Karma
Some sample searches to start with as requested. You can adjust the time spans and thresholds as needed. These queries should provide a foundation for your AUTHZ usage dashboard, balancing detail with performance. Total AUTHZ attempts:   index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") | stats count as Total Successful vs. failed authorizations:   ``` index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") | stats count(eval(INFO="success" OR match(ERROR,"user failure"))) as Success, count as Total | eval Failed = Total - Success | eval Success_Rate = round((Success/Total)*100,2) | table Success, Failed, Total, Success_Rate ```   Authorization attempts by host:   ``` index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") | stats count as Attempts by host | sort -Attempts | head 10 ```   Peak authorization times and average response time:   ``` index=yourindexname tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") | timechart span=15min count as Attempts avg(duration) as avg_duration perc95(duration) as p95_duration | eval avg_duration=round(avg_duration/1000,2) | eval p95_duration=round(p95_duration/1000,2) ``` ... View more

Re: Searches not working across apps

by Splunk Employee in Splunk Enterprise
‎10-08-2024 08:12 AM
‎10-08-2024 08:12 AM
The only reason I can think of for this issue is a permission conflict problem. Did you look at the search.log as mentioned? Try comparing the search.log files for the working and non-working instances. Without knowing the full search details, it's hard to validate exactly what's going on. There must be settings defined for this sourcetype. Try running the btool command and see if you can find anything relevant there.   splunk btool props list sourcetype --debug     Hope this helps ... View more

Re: Searches not working across apps

by Splunk Employee in Splunk Enterprise
‎10-07-2024 03:26 PM
1 Karma
‎10-07-2024 03:26 PM
1 Karma
I believe the issue might be related to field extractions. There's likely a field called delta_time or delete/create in the Search app that isn't set to global for all apps. To troubleshoot: Inspect the search.log file. Look for entries containing "lispy". Examine the search TERMS in these entries. See if you can find anything related to the fields mentioned above. This approach might help you identify why the search isn't working as expected for users without direct index access. If you find that certain fields aren't available globally, you may need to adjust their extraction settings. ... View more

Re: License Expired message while talking to licen...

by Splunk Employee in Splunk Enterprise
‎10-07-2024 01:41 PM
‎10-07-2024 01:41 PM
Typically this is how we set up the license slaves. I recommend try the below.  By the use the CLI commmand on the bin directory on the indexer: ./splunk edit licenser-localslave -master_uri https://licensemaster:8089 Or you can update the server.conf file with: [license] master_uri = https://mylicensemasterserver:8089   Refer: https://docs.splunk.com/Documentation/Splunk/9.3.1/Admin/LicenserCLIcommands I would recommend opening a support case if you are stuck even after this.   Hope this helps ... View more

Re: Dashboard Studio working with Reports and Time...

by Splunk Employee in Dashboards & Visualizations
‎10-07-2024 12:56 PM
1 Karma
‎10-07-2024 12:56 PM
1 Karma
To solve your problem with third-party users and time range flexibility, try this: Make a new, summary index just for this data. Set up an automatic search that puts the data required in this new index regularly. Change your dashboard to use this new index. Give the third-party users access to only this new index. Now you can add a time range picker to your dashboard. Hope this helps. Karma would be appreciated.  ... View more

Re: how to create a dashboard with avg AUTHZ usag...

by Splunk Employee in Dashboards & Visualizations
‎10-07-2024 12:51 PM
1 Karma
‎10-07-2024 12:51 PM
1 Karma
       1. You can start with your base search.  Add a time range and average calculation: index=* tag=name NOT "health-*" (words="Authentication words" OR MESSAGE_TEXT="Authentication word") | bucket _time span=1d | stats count as daily_count by host, _time | stats avg(daily_count) as avg_daily_count by host           3. Create a dashboard and add a table panel using this search.         4. Add visualizations like bar charts to represent the data graphically Key Metrics to Track: Total AUTHZ attempts Successful vs. failed authorizations logins Authorization attempts by host Authorization attempts by user Peak authorization times Unusual patterns or anomalies Dashboard Components: Summary statistics panel Time series graph of authorization attempts Top hosts by authorization usage (table or bar chart) Top users by authorization attempts (table or bar chart) Geographical map of authorization attempts (if applicable) Failed authorization attempts breakdown      Below Links should help you out. Refer: https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchTutorial/Createnewdashboard https://www.splunk.com/en_us/resources/videos/create-dashboard-in-splunk-enterprise.html https://splunkbase.splunk.com/app/1603 Hope this helps   ... View more

Re: Does Splunk support CrowdStrike OAuth API?

by Splunk Employee in Splunk SOAR
‎10-07-2024 09:26 AM
‎10-07-2024 09:26 AM
 It is a Splunk supported SOAR connector.  https://github.com/splunk-soar-connectors/crowdstrikeoauth ... View more

Re: License Expired message while talking to licen...

by Splunk Employee in Splunk Enterprise
‎10-07-2024 09:05 AM
‎10-07-2024 09:05 AM
Can you please provide your  high level Splunk topology? How many components do you have ? is this clustered etc. Did you try restarting Splunk from the backend?  Lookout the license files in $SPLUNK_HOME/etc/licenses ... View more
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma from
Karma given to