Not sure if https://splunkbase.splunk.com/app/1761 helps?
Hello @yuvaraj_m91  Can you please elaborate the question a bit?
Hello @heskez Yes it's possible. You can have a custom lookup popped-up and integrate the same local intel - https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Addlocalthreatintel   Please hit Karma, if this helps!
The first error could appear if you're trying to install a RHEL8 version of SOAR on CentOS 7. Regarding CentOS 8, it's not officially supported, but you can download a CentOS/RHEL8 version... https://docs.splunk.com/Documentation/SOARonprem/6.2.2/Install/Requirements
I want to get the below search executed and display the results in a table for all comma-separated values that get passed from the dropdown.
index="xxx" source = "yyyyzzz" AND $DropdownValue$ AND Input| eventstats max(_time) as maxTimestamp by desc| head 1 | dedup _time | eval lastTriggered = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")| stats values(lastTriggered) as lastTriggeredTime| appendcols [search index="xxx" source = "yyyyzzz" sourcetype = "mule:rtf:per:logs" AND $DropdownValue$ AND Output| eventstats max(_time) as maxTimestamp by desc| head 1 | dedup _time | eval lastProcessed = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")| stats values(lastProcessed) as lastProcessedTime] | appendcols [search index="xxx" source = "yyyyzzz" sourcetype = "mule:rtf:per:logs" AND $DropdownValue$ AND Error| eventstats max(_time) as maxTimestamp by desc| head 1 | dedup _time | eval lastErrored = strftime(_time, "%d/%m/%Y %H:%M:%S %Z")]|eval "COMPONENT ID"="$DropdownValue$"|eval "Last Triggered Time"=lastTriggeredTime |eval "Last Processed Time"=lastProcessedTime| eval "Last Errored Time"=lastErrored | table "COMPONENT ID", "Last Triggered Time", "Last Processed Time","Last Errored Time" | fillnull value="NOT IN LAST 12 HOURS" "COMPONENT ID","Last Triggered Time", "Last Processed Time","Last Errored Time"
For example, if $dropdownValue$ contains ABC,DEV, then the entire above-mentioned search should get executed twice and 2 rows of data should be displayed in the table. Can someone guide me on how this can be achieved?
I am getting this error "Login failed due to client tls version being less than minimal tls version allowed by the server" when editing the connection. From the Splunk community, I have already added some solutions to my configuration, using the DB Connect setup page to set the TLS version with the parameter:
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
Also, adding sslVersions = tls1.2 under [sslconfig].
None of the above worked! Kindly suggest whether there is anything I need to check from my end, or give any solution for this error. Splunk DB Connect #tlsversion
Try looking in inputs.conf
Hi, I wanted to know the exact path where I can see the mentioned sourcetypes, so that I can check under which category the 2 different sourcetypes are defined and, if possible, make them a single sourcetype since both have the same name.
Perhaps your example is not large enough, but from the subject, perhaps you could try this | stats count as count_B by "Field A" "Field B" | eventstats count as count_A by "Field A" | where count_A = 1
It is not clear to me what exactly you want to check. Please can you clarify?
Hi, here is the props.conf for the CSV file:
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = This sourcetype stores all the DB connect information
disabled = false
pulldown_type = true
I don't have anything displayed under the label... Can anybody help? Here is what I see
I have inserted the raw log in the XML code editor. The one without new lines in it is extracting fine, but the ones with new lines or tabs are not, even though I am using (?s)
Hi @Mario.Morelli, Are you able to jump back in here and help out @Maximiliano.Salibe?
Hi All, It would be a great help if anyone could help me figure this out. An app is deployed on the UFs to receive such logs in Splunk under the index wineventlog. I can see 2 different sourcetypes (xmlwineventlog, XmlWinEventLog) under the wineventlog index:
sourcetype : XmlWinEventLog (source : "XmlWinEventLog:Application", "XmlWinEventLog:Security", "XmlWinEventLog:System")
sourcetype : xmlwineventlog (source : "WinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Microsoft-Windows-Windows Defender/Operational")
Please help me with where I should check for the exact difference between these two distinct case-sensitive sourcetypes. Thanks
Hi @Vivin.D, Can you share what the error is? 
| makeresults | eval field2count = split("n,y,n,n,y,n,n,y,n,n,n,y",",") | mvexpand field2count | stats count(eval(field2count="n")) as n count(eval(field2count="y")) as y count(field2count) as total | eval n = round(n/total,3) *100, y = round(y/total,3) *100 | fields - total | transpose | rename column as field2count, "row 1" as total
If there is another key, serial_number, how could I add this to the chart? rex field=message "ErrorCode\((?<error_code>[^\)]+)"| search error_code=*| chart values(error_code), values(serial_number) by _time I would like to show the error code, the time, and the serial number associated with the error code.
Hello everyone, My problem is as follows: I need to install Splunk SOAR in my home laboratory. Now, seeing that the versions are compatible with CentOS 7/8, which are deprecated, the moment I launch soar-installer or the soar-prepare-installer file, problems arise. I have searched the community and the web, but with no luck. Is there a possibility to install SOAR on Ubuntu? Also, it is true that Amazon Linux 2 and RHEL are recommended, but is it possible that there is no way to install SOAR on another Linux distribution? Thank you, biwanari