Check the roles assigned to the user in question. ... View more

Just place a text input in the dashboard and use normal dashboard tokens. Then you can make your search something like this: | mycustomcommand path=$path_token$   ... View more

How are you indexing the data? UF with a monitor stanza in the syslog server? If that's te case the logs would be there. If not, do you have some rules that might change or discard the logs you are looking for? If, as I believe given the %Port_Security, you are running cisco devices use this: https://splunkbase.splunk.com/app/1467 The final source type should not be syslog but something like cisco:ios. Avoid using syslog as a final source type since the logs will be different fro device to device and it will make a mess to build proper extractions since they will apply to everything with math source type. ... View more

It seems that you might have some hidden characters in your original data. Open the file with e.g. VS Code and enable the the render control characters in the settings to check if there are hidden characters there. ... View more

Check the splunk dev portal. Its has some examples on custom commands. https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/ Also Splunk's git has some other examples for custom commands here: https://github.com/splunk/splunk-app-examples/blob/master/custom_search_commands/python/generatingsearchcommands_app/bin/generatingcsc.py In this example you can replace the count with a path to do something along the lines of: | mycustomcommand path="D:/Temp/temp.txt" ... View more

Hi Matheo  Can you post the mongod.log and splunkd.log? As a side note, you should read the docs before upgrading Splunk. https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/HowtoupgradeSplunk v8.0.x should be upgraded to v8.1.x or V8.2.x before going to v9.0.x   ... View more

Have you tried to index the xml version of those event? ... View more

Depending what you are trying to see I would say you could use either a sankey or a parallel coordinates custom viz. Sankey https://splunkbase.splunk.com/app/3112 Parallel Coordinates https://splunkbase.splunk.com/app/3137 ... View more

There are no issues with either approaches. Depending on what data you are indexing you would probably need to have UFs/HFs on-prem to collect and forward data to you azure instances. Either way, since you are moving splunk to a new platform I would suggest you to take a look at Splunk's validated architectures for the best architecture that fists your org needs. With just 1 indexer you run the risk of having downtime on search and indexing in case of maintenance.  https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf ... View more

You use an account that has admin privileges. Usually you create one during the installation. Older versions used to have a default account (user:admin and pass:changeme) nowadays you just create one. If you forgot you can use these solutions to reset the password: https://community.splunk.com/t5/Security/How-to-Reset-the-Admin-password/m-p/10622 ... View more

Congrats everyone! I’m really grateful to be part of this amazing group of people. Hope to see you all in .conf ... View more

The following docs page has a list of the default hex codes for charts, although I believe that they are not update, at least not in the v9.x docs. https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/ChartConfigurationReference   *Default value for charting.seriesColors: [0x1e93c6, 0xf2b827, 0xd6563c, 0x6a5c9e, 0x31a35f, 0xed8440, 0x3863a0, 0xa2cc3e, 0xcc5068, 0x73427f, 0x11a88b, 0xea9600, 0x0e776d, 0xffb380, 0xaa3977, 0x91af27, 0x4453aa, 0x99712b, 0x553577, 0x97bc71, 0xd35c2d, 0x314d5b, 0x99962b, 0x844539, 0x00b290, 0xe2c188, 0xa34a41, 0x44416d, 0xe29847, 0x8c8910, 0x0b416d, 0x774772, 0x3d9988, 0xbdbd5e, 0x5f7396, 0x844539] ... View more

Use | rex with SED mode   | makeresults | eval error_msg = "Required Parameters Longitude and Latitude are missing or invalid" | rex field=error_msg mode=sed "s/(Required Parameters) .* (missing) .*/\1 \2/g"       ... View more

You can use | rex to achieve that: |rex field=sourcePort "(?<src_port>\d{1,5})" |eval sourcePort=if(group=one,src_port,sourcePort)   ... View more

If you're looking just at Splunk Enterprise (the core product), you can create an index per customer and have a role per customer to give permissions to their indexes on top of roles to give users capabilities. Then you most likely need to rework the apps dashboards to include those indexes. My suggestion would be to e.g. name the indexes something like windows_customer1, windows_customer2 and change the searches in dashboards to look for index=windows_* or create a macro that hold this and use that macro instead in the searches where you'd filter the index (this way if the indexes changes you can just change the macro instead of reworking all the searches again). If the roles are properly set you should see just the data concerning your company based on your role when opening the dashboards.  If, on. the other hand, you are talking about the premium app Splunk Enterprise Security, as Giuseppe stated, it does not easily support multi tenancy and would likely need some Splunk PS to implement ... View more

If you use the pivot interface and select the VPN child do you get results? Can you try this? | tstats prestats=true summariesonly=false allow_old_summaries=true values(sourcetype) as sourcetype FROM datamodel=Authentication WHERE nodename=Authentication.VPN  | stats dedup_splitvals=t values(sourcetype) ... View more

I've seen that happening in some of my on-prem customers. Still no idea why that happens but just refreshing the page fixes it. ... View more

Same logic as the previous one |timechart values(count) by Pstatus ... View more

Just add a timechart command | timechart values("avg(prtime)") by Pght ... View more

What are you trying to accomplish? ... View more