Finding events immediately following/preceding another event
tldr: I have an event of interest, and I want to find the next qualified event after it, but without specifically using a time qualifier since it is oftentimes unpredictable. Think "grep -A1" but the...
Splunk shcluster configuration on master not updating config
I am trying to configure a master node in a splunk cluster to be an indexer master and shc deployer. I install Splunk Enterprise (7.3.1) and then execute commands to configure it: splunk edit...
Populate statistics that satisfy 2 multi value from a field
Sample set of logs with fieldnames (time, name, and status) from one index=test 1. name=X1 status=FAIL time=7am 2. name=X1 status=FAIL time=7:01am 3. name=X1 status=SUCCESS time=7:02am 4. name=X2...
Customize map with states Mexico
Hi, I want to customize the map visualization with states Mexico divided in zones. For example: CDMX - Centre Tlaxcala - Centre Chiapas - South Oaxaca - South Sinaloa - North Others. Is it possible?...
For my particular configuration, where and how do I delete all traces of all...
I have a 4-server Splunk scenario: deployment server index server search head server A deployment client server (w/ a Splunk Universal Forwarder) I used the deployment server web interface to create a...
Use GCE service account
I am running Splunk on top of GCE instances, and I'd like to use a GCE service account for the pubsub subscription instead of providing a JSON file. Is that possible? What would be the effort to...
Keep track of max count.
Mysearch | stats avg(time) as "median", max(time) as MaxMedian, max(time99) as "Max99th", max(time999) as Max999th by host I have something like this, I also want a count of max(99th) by host in past...
Getting info from Splunkbase
Is there a way I can retrieve the leads list for all the apps I published without having to download it from each one? Say using an API of sorts.
How can we set time filter on click from table view?
Is there a way we can pass epoch time from click of the table cell and set it to time filter of Splunk?
Discarding source type data from _raw event after per-event source type...
**Disclaimer:** This is a "self-answering" question: I'm already doing what the question asks. I'm "asking" this question because I think the answer might be useful to other users. I also welcome...
How to resolve 'Unexpected DTD declaration' error when logging on using the...
I copied the C# Logon code from the example and tried to log on to my Splunk service (http://10.134.21.107:8000). When running the C# code, I got the 'Unexpected DTD declaration' error. This error is the...
How to rename extracted values
I have the following data: Code Area 1234.1234 ABC 9933.9933 DEF 6611.6611 GHI 8910.8910 ABC 8910.1111 ABC Search looks like the following: | inputlookup combined.csv | search Code=* | eval...
How to extract an IP address across different pattern of events?
I'm trying to extract IP (v4) addresses from different events. For instance, for an event such as: [...] sent ping to 1.1.1.1:514 [...] this rex command works just fine: | rex field=_raw "...
Map events using lat long
Below is my sample event- 29-09-2019 8:00:00 Pullout longitude latitude 29-09-2019 8:02:10 loss longitude latitude 29-09-2019 8:02:55 restore longitude latitude 29-09-2019 8:09:00 loss longitude...
pantag: Palo Alto Networks Add-on (PanXapiError)
Hi, We are getting the below error while trying to use pantag command, ***External search command 'pantag' returned error code 2. Script output = "ERROR 'PanXapiError' object has no attribute 'msg'...
How to exclude/ignore writing an error to splunkd.log
Hi, Is there a way to tell Splunk not to write a particular error message to splunkd.log? I am getting hit by the below error continuously and I can't fix the JSON inputs, which are coming from an external source....
What is the purpose of Report "Audit - Index Readiness" under SA-Utils apps?
This Report "Audit - Index Readiness" under SA-Utils apps runs every 30 minutes over the last 24 hours time range and is getting skipped on the search head. Just wanted to know what is the purpose of...
Windows Defender ATP
I have followed the various sets of instructions for sending Microsoft Defender ATP logs to Splunk, however I am getting the following errors:> 2019-09-30 15:56:57,263 INFO pid=29578>...
Can we send an image (not attachment, but showing image) in body of email using...
We have a requirement of sending an image and showing it in the body of the email for the users; is there a way of doing that? We don't need to send it as an attachment. Can we do that using sendemail...
logs/csv InfoSec for Practice
Hi Splunkers. I'm wondering if you know any websites/repositories from which I can download some infosec data for practice. I know that given their sensitive information, it's not easy to find no more...