Help understanding eventtype search
I have the Splunk Windows Infrastructure app installed and when I run this search below: eventtype=msad-failed-user-logons host="*" I get this returned below, but I'm not understanding how the search...
View ArticleJson file getting truncated
Below is my i/p file { "Count": 2, "Items": [ { "total_time": { "S": "0.000s" }, "start_date_time": { "S": "2017-09-19 05:00:43" }, "bad_records": { "N": "0" }, "successful_records": { "N": "0" },...
View ArticleSplunk counting duplicate events for failed logon
When the below search is ran, it'll count duplicate failed logons for all users. How do I exclude duplicates in a count?> eventtype=msad-failed-user-logons> (host="*")|fields>...
View ArticleGet single value panel to display a "date"
Hi I have search for a dashboard which produces a graph and does predictions, I want to display the date when we expect a certain threshold to be crossed. I have added some smarts to the search so it...
View ArticlerangeColors showing wrong color for rangeValues
I am working on a single value dashboard panel where I am showing results in percentage. I am want show different range in different colors. So, I have defined the below range: min to 30.99 -> green...
View ArticlenumberPrecision for single value dashboard
I am working on a single value dashboard panel where I am showing output in percentage with precision up to 2 decimal points (e.g. 60.25%). However, I want shows 0 and 100 as a whole number (NO decimal...
View ArticleMatch Lookup Table to Summary Index
Hi, I wonder whether someone could help me please. I'm using the following query to to interrogate a summary index, matching this to a lookup table. index=summary_dg_nmo report=ddcops3148V5 | lookup...
View ArticleHas anyone successfully configured Bro logs from Security Onion to be...
I have managed to get Bro logs into Splunk, but even with the App/TA the data is still clunked together and not very searchable. Ive seen a few props.conf files here and there but has anyone had...
View ArticleDoes the auto_high_volume setting recommandations apply for a single indexer?
Hi, We typically say that if we index more than 10GB per day per index, we should put **maxDataSize = auto_high_volume** But does that apply to one indexer or the whole cluster? In other words, if I...
View ArticleJIRA index
To access JIRA from Splunk, does indexing is necessary? Or we can fetch the necessary details from JIRA only with the help of JQL. If indexing is necessary, can I know the procedure of configuring the...
View ArticleSplunk search for keyword match
Hi, Fellow Splunkers, Noob question. I would like to seek for help in my search, this is the case: The client gave csv for keywords, the search should be filtered based on the keyword matched, for...
View ArticleRegex Help
I am trying to do a field extract but running into problems Here is an example event. I am trying to build a regex to extract the signatures field (IP Fragmentation, DNS Amplification). The signature...
View ArticleUnable to send same source data to two different logical indexes and two...
Hi All, Facing few challlenges, mine is playing around with the same transforms. I'm trying to achieve the same source data to forward to two different logical indexes and two different indexers...
View Articlenull events while using spath
JSON: "mainArray": [ {"name":"MS","value":20}, {"name":"MC","value":20}, {"name":"CF","value":20}, {"name":"ST"}, {"name":"CMR","value":20} ] -- i am currently using the search as " | spath output=code...
View ArticleHow to include additional field from inputlookup in results?
Hi, I have a lookup table errors.csv ,which contains Error and Source columns.I have a query the returns log entries containing Error column values : [|inputlookup errors.csv | rename Error AS query |...
View ArticleEvicted transaction duration and strptime() unable to process token of form...
I'm building a form with a time picker, and the output should go to a timerange visualizer based on events grouped into transactions. I'm trying to include transactions on the chart which are evicted (...
View ArticleHow to display time, host, source type in a splunk when the statement is as...
I have a stack trace for one particular error like this, [9/20/17 5:40:13:428 EDT] 000000e0 SystemOut O 20 Sep 2017 05:40:13:428 [INFO] [DMAXP01_MIF2] [] BMXAA6372I - Host name: 139.46.95.92. Server...
View ArticleToken for a field containing spaces and special characters
How do i return the value of a feild which contains spaces and special characters using a Token . The feild name is License quota used (%) I tried the following combinations, however none appear to...
View ArticleExternal search head performs searches on seperate cluster?
Is it possible to have a cluster (1 maaster, 2 indexers, 1 search head, 1 deployer) and have an external search head connect to the indexer cluster and perform searches on them? And is it possible to...
View ArticleI want to see who has disabled and enabled the default demo lookup files...
I want to see who has disabled and enabled the default demo lookup files under Splunk ES->Data Enrichment->Identity Management, is there any Search Query which can help me ?
View Article