How can I create alerts based on this app's data received using the API? How does this app https://splunkbase.splunk.com/app/6960 alert if my data matches the intel feeds? Cyble Threat Intel
The calculation is correct for what it is. However, all this is, is the difference between the time the event was indexed by Splunk and the timestamp Splunk has assigned to the event. This is usually based on the data in the event. Whether this represents "latency" is a matter of opinion, and whether this is acceptable is also a matter of opinion. It very much depends on the route your data is taking and what the data represents. All of this is not something we can answer for you.
Hi Rich, thank you for your info. I'll check this and I'll be back to you.
I have a problem with the data itself. I have 2 RF, 2 SF and they work fine. I tried to roll buckets multiple times; it works for a short time and then goes back to the problem again. Anyone have an idea how I can solve this issue? Thanks
Hi Team, I'm seeing the following 22.77 as avg latency for the last 24 hours for one of the sourcetypes. What is the normal avg latency that can be accepted, since the logs are coming through syslog -> Heavy Forwarder -> Indexers and ingesting into Splunk? Please let us know if there is any other alternative approach we can use to calculate the latency if the below is incorrect. Any help would be highly appreciated. Regards, VK
You are right, but there are logs which have the instanceid field.
Hello, I am implementing some actions in the S1 app for Splunk SOAR. All actions function independently, such as 'run action', and some work within a playbook. However, one action, when attempted within a playbook, displays the following error: phantom.act(): action 'get endpoint info by computer name' not supported by any enabled apps
Hello, we are interested in capturing Microsoft Teams PSTN call records. There is a Microsoft Graph API with specific methods to capture this information: https://learn.microsoft.com/en-us/graph/api/callrecords-callrecord-getpstncalls?view=graph-rest-1.0&tabs=http This app in Splunkbase looks like it can capture what we want (https://splunkbase.splunk.com/app/1546). The Microsoft Teams add-on for Splunk is not capturing the PSTN call records and only seems to be capturing Teams-to-Teams calling. Any other ideas? Thanks.
Hi @mustapha_arakji, I created my custom add-on: eventtypes, tags, field extractions and calculated fields. I did it using the SA-CIM Vladiator app (https://splunkbase.splunk.com/app/2968). Ciao. Giuseppe
I have a multiselect input like this:

<input type="multiselect" token="year">
  <label>Year</label>
  <choice value="*">All</choice>
  <delimiter> OR year=</delimiter>
  <fieldForLabel>year</fieldForLabel>
  <fieldForValue>year</fieldForValue>
  <search>
    <query>| inputlookup supported_years.csv | dedup year | table year</query>
  </search>
  <default>2023</default>
  <initialValue>2023</initialValue>
</input>

I want to set the time range token to the result of the input selection above. If 2023 was chosen, the token value for $timeRangeEarliest$ should be 2023/01/01 and the token value for $timeRangeLastet$ should be 2023/12/31. If 2021 and 2023 were chosen, the token value for $timeRangeEarliest$ should be 2021/01/01 and the token value for $timeRangeLastet$ should be 2023/12/31. Etc. I want to use these two tokens for the time range in a search. I don't know how to do it. Please help. Many thanks.
BTW, where can I find web.conf in Windows? Because I can't find the right one to edit this file.
Okay then, I will try to do it with this method. Thanks for the response.
Hello, I have installed the Splunk Add-on for AWS on our on-prem Splunk instance. Using an IAM User is not allowed in our company due to security policy. We can only use an IAM role to access the resources. In the Splunk AWS add-on page, under the Configuration tab, adding an AWS account in Splunk requires a Key ID/secret key which I cannot create due to my company policy. Is there a way to connect to the AWS account using an IAM role that has the Splunk inline policy attached to it? Thanks in advance. Siva
@gcusello, did you get a chance to find an answer for this one? Or did you end up creating your own?
Yes, finally, by getting my hands dirty on RHEL8 I was able to install SOAR. I hope Splunk takes measures, because next year RHEL8 reaches EOL and that will become an issue for taking the certification as well. I read on Reddit about people who modified the SOAR files to install it on CentOS-like systems, but it takes a lot of time. Having said that, I hope they take action, because such a situation is not acceptable. I hope this post will be read by people who have had the same problem as me, so I can help them, or write to me on this post. Greetings, Andrew
It appears that this privilege is relegated to the "admin" and "power" roles, rather than a single Capability. I've tested this by making a test role inherit from the "power" role, then it let me upload an image. But when the test role is assigned all the same capabilities as the power role, it does not allow for uploading of images. Thus you will need to either inherit from the power or admin roles, or request someone with that inheritance or role assignment to upload the image for you. P.S. ChatGPT is off the mark. There is no "edit_visualizations" capability in Splunk.
Indeed, SOAR on-prem is in an awkward situation for OS support. SOAR on-prem only supports Amazon Linux 2, RHEL, or the end-of-support CentOS. The SOAR automation broker runs on Debian, but that only helps you if you are using the Cloud version of SOAR. I believe there was some chatter in the #SOAR usergroup about adding support for 2 other CentOS-related Linux distros, but it's not there yet. You probably could get SOAR running on a distro similar to CentOS, but you'd have to spend more time tinkering to get it working.
I see a few issues, but don't know that fixing them will solve the problem.
1. All of the sed commands are malformed. There should be a single "s/" at the beginning and only 2 slashes before the final 'g'.
2. I'm not sure quotation marks are allowed in a stanza name.
3. "WinEventLog://" is a prefix for inputs.conf stanzas, not for props.conf.
4. Have you tried using a sourcetype name in the props.conf stanza rather than a source name?
It would help to see some sample events and to know which parts of the events you wish to remove. If you want someone to confirm the inputs.conf stanza then you'll need to show the inputs.conf stanza.
Dears, the EUM service and its DB don't start automatically after a restart on the RHEL Linux server. After every reboot I need to start EUM and its DB manually. Is there any solution to automatically start the EUM service and its DB when there is a server reboot? Thank you.
Try something like this:
| where 'delta(avg(requestSize))' > 0 OR 'delta(avg(responseSize))' > 0