@brandonmurphy I know this is an old post, but for those looking to index External Public Egree IPs (IPv4 and IPv6) from Splunk UFs or Splunk Enterprise, we built this Get Public IP Add-on: https://splunkbase.splunk.com/app/8107 ... View more

Settings on the SH as follows: AUTO_KV_JSON = false KV_MODE = none   Settings on the HF: AUTO_KV_JSON = false INDEXED_EXTRACTIONS = json KV_MODE = none   Values are getting duplicated, do you have anymore suggestions for us ? ... View more

These are two separate mechanisms. Powershell has some features that script input doesn't (most important being the ability to receive powershell objects, not just text). ... View more

https://conf.splunk.com/files/2019/slides/FN1190.pdfFN1190.pdf (splunk.com)  ... View more

Thank you! Worked for me! ... View more

So i figured out a way to retain _time. Whatever you are bringing over into your summary index; source, sourcetype, fields of your choice....Create your own _raw field. In my instance I created _raw as below: | eval _raw= _time. ":" .source | table _raw ALL OTHER FIELDS YOU WANT | collect index=SI This will retain the _time value in your summary index. If this works for you please upvote this response! ... View more

I had a similar issue and this helped me - thanks! 🙏 ... View more

powershell inputs expect the command to return PS Objects and every object will be a separate event. Find a template to convert string output to objects here: https://community.splunk.com/t5/Getting-Data-In/powershell-input-working-example-and-some-pitfalls/m-p/556695#M92128  ... View more

Were you ever able to resolve this? I am having a similar issue. Splunk is reading AWS s3 .gz files as "����" where as if I download the file to my Linux/HW I can use "gzip -d filename.gz" and it works just fine. As others suggested, it is a single file not a directory.  ... View more

Say eg I have Category field with NULL value so simply use below code, Category!=NULL ... View more

Hi, the simple answer is: You cannot configure this add-on through splunk web. It has no views to configure it with. Please start by reading through https://docs.splunk.com/Documentation/AddOns/released/NagiosCore/Installationoverview and follow the steps to install and configure the add-on. ... View more

Hi, when my searches fail or show errors I always open the Job Inspector. In the Inspector popup window, there is another link to the search.log that gives you some very detailed information. Another way to see more info about your errors is to open a plain search window and do a search like:   index=_internal error   Oliver  ... View more

Hi, in the ES app, navigate to Security Intelligence -> Threat Intelligence -> Threat Artifacts  Please note that all Threat Intel is being normalised into a joint intel framework. In the sub-tabs you will find the intel relating to the different security domains. Looking at the intel details you will see some of them are from your TAXII feeds... provided the download was successful. Cheers, Oliver ... View more

Hi, the way I understand your question is that you are looking for the configuration file with the definition of the source and the sourcetype for the events in the notable index of ES. The answer to that question is: There are none. The notable index is being populated through correlation searches that end in a ...| collect ... command that writes the result of the correlation search to the notable index. See this page for more information on how to use collect to write data to an index:  https://docs.splunk.com/Documentation/SplunkCloud/8.1.2008/SearchReference/Collect Cheers Oliver   ... View more

Hi MonkeyK, to my understanding of that datamodel, Authentication is ONLY for the authentication process, not for monitoring the underlying session and thus will only show login events and only has two meaningful action states: "success" and "failure". Check the Network_Session datamodel to track your sessions and use the "start" and "end" tags to mark session login and logoff respectively. Oliver ... View more

Hi ebele, you have epoch timestamps in your sample data. If you want the the timestamps to display as human readable dates, use an   ... | eval human_earliest=strftime(earliest_date,"%c") | ...    If you have a dashboard with a time range picker that populates a token called "time_selection" and would like to  have your search to deliver only the events in the selected time range add the following to your search:   ...| where earliest_date>=$time_selection.earliest$ AND latest_date<$time_selection.latest$ | ...   Last, but not least, if you would like to honor the timestamps in your standard search bar, using the standard time selector on the right of the splunk search field... add the following to your search: ...| addinfo | where earliest_time>=info_min_time AND latest_time<info_max_time | ... I assume that you only want those KPIs that have both, the earliest and the latest time inside the time range. You may need to tweak that to meet your requirements. Hope it helps, Oliver ... View more

Hi RobertRi, from experience I see that the problem you are trying to solve is just a subset of the troubles that you face. Again, depending on where you come from, a lot of things have changed and IMHO there is only one efficient way to find out if your dashboards still work or not. Aside from that, looking for the tag is a way to identify your views that use the deprecated xml. Oliver ... View more

Hi thaara, my suggestion still works, just omit the part with the health score, leave the individual paths in, do the stats ... by _time, host, Mon and in your visualisation select "trellis" with split by host ... View more

It doesn't work may be because sorry I think i didn't put question in Splunk language there are not files but source of date , changed details below as per splunk names : I have data from 2 diff source with same fields as shown below : index=* sourcetype=* source= test.txt device_name="alpha" pool_name="a" device_name="beta" pool_name="b" device_name="gamma" pool_name="c" index=* sourcetype=* source=test1.txt device_name="alpha" pool_name="a" device_name="beta" pool_name="b" device_name="gamma" pool_name="z" eval actual_pools = toString(device_name) + ";" + toString(pool_name) I am looking for field actual_pools using raw data which i created above which exist in source=test1.txt but not in source=test.txt . Thanks for help . ... View more

Hi Manoshanni, I solved you initial question, telling you why the error occurred. I gave you a regex that works like a charm on the data that you have provided and your comment PC, JP makes no sense to me. If you would like to ignore the "iron" and just return the "pc", "jp" ... you should have only had those in bold. | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/iron(?<app>\w+)/" ... View more

I found an alternative solution by extracting at index time: Transforms.conf [csv_pair] REGEX = -\d+\,\d+\,\d+\,\w+\,(\w+)\,(\S+) FORMAT = $1::$2 REPEAT_MATCH = true WRITE_META = true props.conf [csv] TRANSFORMS-csv = csv_pair ... View more

Hi, I've implemented your dashboard, changed some and for me it works out of the box, without js. Try this and let me know, if it helps: <form> <label>bytesgroup</label> <fieldset submitButton="false"> <input type="dropdown" token="sourcetype" searchWhenChanged="true"> <label>sourcetype</label> <fieldForLabel>sourcetype</fieldForLabel> <fieldForValue>sourcetype</fieldForValue> <search> <query>index=_internal|stats count by sourcetype</query> <earliest>$time_slice.earliest$</earliest> <latest>$time_slice.latest$</latest> </search> </input> <input type="multiselect" token="Group" searchWhenChanged="true" id="grp"> <label>select group</label> <fieldForLabel>Group</fieldForLabel> <fieldForValue>Group</fieldForValue> <search> <query>|inputlookup group.csv where sourcetype="$sourcetype$" |stats count by Group</query> <earliest>$time_slice.earliest$</earliest> <latest>$time_slice.latest$</latest> </search> <delimiter>|</delimiter> <choice value=".*">All Groups</choice> </input> <input type="multiselect" token="field1" id="idSelectIndex"> <label>pre-selected bytes</label> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>bytes="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>bytes</fieldForLabel> <fieldForValue>bytes</fieldForValue> <search id="idSearchSelectIndex"> <query>|inputlookup group.csv where sourcetype="$sourcetype$" | where match(Group,"$Group$") | fields bytes | dedup bytes</query> <earliest>$time_slice.earliest$</earliest> <latest>$time_slice.latest$</latest> </search> <choice value="*">All</choice> </input> <input type="multiselect" token="selected_bytes"> <label>Select bytes</label> <delimiter> </delimiter> <fieldForLabel>bytes</fieldForLabel> <fieldForValue>bytes</fieldForValue> <search> <query>index="_internal" sourcetype="$sourcetype$"|stats count by bytes sourcetype</query> <earliest>$time_slice.earliest$</earliest> <latest>$time_slice.latest$</latest> </search> </input> <input type="time" token="time_slice"> <label>time</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <table> <search> <query>index=_internal sourcetype=splunkd_access $field1$|stats count by bytes</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">5</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form> Oliver ... View more

Hi poddraj, when I don't get the expected result, I copy the whole query to a scratchpad and execute it step by step, adding one | at a time until I see the step that delivers unexpected results. Just executing the gentimes, rename and fields gives you exactly the expected time intervals. The lookup seems wrong, because what you ask Splunk to do is: Take the lookup by the name ftthresholdlkp and match on the field FT. You don't have a field FT to match on, the only field you have at that point is _time. Create your lookup table like this: "devicetype","FT" "FT","DeviceA" "FT","DeviceB" ... "FT","DeviceX" Do your lookup like this: | eval devicetype="FT" | lookup ftthresholdlkp devicetype OUTPUT FT HiH Oliver ... View more

Hi, you need to find the root cause for the error. On the splunk UI, dropdown "Job" and select "Inspect Job" to open the job inspector of a failed query. In the Job inspector window, look for the "search.log" link and click it. In the log, search for the words "WARN" or "ERROR" Once you know the root cause for the problem, we could probably help you to avoid it in the future. Hope it helps, Oliver ... View more