Hi, can someone tell me how we can use a CSV file via a lookup and extract the details from the file into a field which we can use for further calculations?

Example: A CSV file (dummy.csv) with the below details is saved in Splunk, and we need to extract the details present in the file after the date into a new field in Splunk and use the new field for further calculations.

Data in the dummy.csv file:

"Monday,01/07/2024",T2S Live Timing,"[OTHER] BILL invoice for CSDs Billing period 10-30 June ",,,,,,
"Tuesday,02/07/2024",, ,,,,,,
"Wednesday,03/07/2024",,"[OTHER] BILL invoice for NCBs Billing period 10-30 June",,,,,,
"Thursday,04/07/2024",, ,[OTHER] DKK Service window between 19.35 - 23.59 ,,,,,
"Friday,05/07/2024",T2S Synchronised Release day,,,,,,,
"Saturday,06/07/2024",,[4CB] T2-T2S Site Recovery (internal technical test) ,[4CB] T2-T2S Site Recovery (internal technical test) ,,,,,
"Sunday,07/07/2024",,[4CB] T2-T2S Site Recovery (internal technical test) ,[4CB] T2-T2S Site Recovery (internal technical test) ,,,,,
"Monday,08/07/2024",T2S Live Timing, ,,,,,,

How can we use the lookup and eval commands to find the data present in the above file after the date?

Example:
Date = 01/07/2024  Output = T2S Live Timing
Date = 02/07/2024  Output = Blank Space
Date = 03/07/2024  Output = Blank Space
Date = 04/07/2024  Output = Blank Space
Date = 05/07/2024  Output = T2S Synchronised Release day
A search can be longer than the URI allows for opening in a new tab, which causes the 414 Request-URI Too Long error.

There are multiple workarounds:

1. Refactor the search and/or move long portions of the query into an inputlookup command or search macro.
2. Edit the URL to remove the query and only use the SID (as long as the search ID hasn't expired).

For the second option, you can make a "Bookmarklet" that removes all of the URL parameters except the SID:

javascript: window.location.href = window.location.href.replace(/\?.*?(\bsid=[^&]+).*/, '?$1')

Note: Khoros is breaking the bookmarklet; replace : with :

If you click on that bookmarklet when you get the error, it will open the search.
Hi @tuts , in my opinion, only the knowledge of a security analyst can help you in the search. You could install some app for the technologies you have but, I think that only a deep knowledge of attack methods and techniques can support you. Ciao. Giuseppe
Hi @kgiri253 , good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Thanks @gcusello, the documentation that you shared helped to resolve this issue. By default the above mentioned limit is 500 and the reports are listed in lexicographical order. Our report was starting from "S" which was going over and above 500. We have increased the limit now to 1000 which worked for us. Thanks again for the prompt reply.
That's sad. Are there other tools that help me with analysis? And what do you advise
Hi @elend , there's no utility to pass a token to a report because a report is useful if there are no parameters. If you have parameters (tokens) you can use a dashboard as a report, so you can pass the token from a dashboard to another dashboard, as also described by @bowesmana . Ciao. giuseppe
I dont want to change the time range.
And what is the fix for that? Because this annoying error is messing up with ansible variables. I had to use Splunk UF version 8.x - it works fine. I had other issues on Splunk Enterprise version 9.x - disappointing
This annoying 'non-impacting' known issue is messing up with my ansible variables under facts.d and eventually all my ansible roles, user creations including splunk user, ldap, etc etc end up in an 'impacting issue' and fatal errors situation. I tested it by using Splunk UF version 8.x in my ansible playbooks - everything is working seamlessly and fine. What is the fix for this IMPACTING known issue?
Hi @tuts , I performed a similar search in the past: there's no automatic analysis that you can perform, you can search for the inbound accesses and outbound transactions, you can only search, with a security specialist, to identify some possible threat or compromise. Ciao. Giuseppe
Scenario: The device has been compromised, and we want to understand how the breach occurred. We have extracted data from the device from the Setup, Security, and Application logs in CSV format and uploaded it to Splunk. Question: What is the best way to automatically analyze this data in Splunk and identify any suspicious information?
Okay, I think it's done for it. Then another issue I want to ask about is still related to this tokenization: is it possible to pass a token from a dashboard to a Report?
Hi @kgiri253 , surely the match that you indicated isn't correct, check it. I usually prefer to indicate every report in a line:

<saved name="<your_report>" />

You can find more information at https://dev.splunk.com/enterprise/docs/developapps/createapps/addnavsplunkapp/ Ciao. Giuseppe
Good to hear you're back up and running! It sure does feel like a breaking change/incompatibility between Alert Manager and Splunk 9.3. Maybe we'll hold off on updating until 9.3.1. All the best
We restored a backup. Splunk is back at version 9.2.2 and everything is working like before. I've checked the Alert Manager before upgrading and it should be compatible with 9.3.0. We will give it another try in a few weeks. Once again, thanks for your help. Much appreciated.
Hi @elend , you can add the Time tokens that you passed to the earliest and latest fields: in the secondary dashboard, if the Time tokens are called $earliest$ and $latest$:

index=your_index earliest=$earliest$ latest=$latest$ | ...

Ciao. Giuseppe
Hi @sarlacc , good for you, see next time! Please accept your last message to help other people of Community to find the right solution. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @nabeel652 , for my knowledge, you can change the colour of the background or of the text based on the value of the field, but I don't think that's possible to change both of them. Ciao. Giuseppe