Yeah maybe some others will chime in. The only thing I can think of is that the number of alerts that show up in Triggered Alerts would be different depending on which option ("Once" or "For each") you select. I saw this post which is sort of similar, but no one responded to it.
In addition to what @ITWhisperer says, what is the physical significance of _time currently in your data? Is there any reason why your ingestion should NOT use reported_date instead of whatever is used in current data? That will make your requirement so much simpler to fulfill. (If this is a viable alternative, there could be other benefits, too.)

This said, Splunk can always search records where reported_date falls within the last 15 months. Here, I will illustrate with the following caveat: reported_date is always earlier than or equal to _time. There can be other strategies to search if this condition is not true, but unless that is a problem in your case, the following method is simpler.

```
<your search criteria> earliest=-15mon
| where relative_time(now(), "-15mon") < strptime(reported_date, "%F")
```

`"%F"` -> `"%Y-%m-%d"`
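An added example, not code from the thread or from Splunk: the answer above re-implemented in plain JavaScript over constructed events, so the caveat (reported_date is never later than _time) can be checked directly. It assumes events carry `_time` as a Date and `reported_date` as a "YYYY-MM-DD" string, and `monthsAgo` is only an approximation of `relative_time(now(), "-15mon")`.

```javascript
// Added example, not from the thread: the SPL answer above re-implemented in plain
// JavaScript over constructed events, so the caveat (reported_date <= _time) can be checked.
// Events carry _time (a Date, the indexed timestamp) and reported_date ("YYYY-MM-DD", i.e. "%F").

// Approximation of relative_time(now, "-15mon"): same day-of-month N months earlier,
// clamped to the last day of the target month (assumption, not Splunk's own code).
function monthsAgo(now, months) {
  const d = new Date(now.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() - months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// strptime(reported_date, "%F"): parse "YYYY-MM-DD" as UTC midnight, null if malformed.
function parseReportedDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  return m ? new Date(Date.UTC(+m[1], +m[2] - 1, +m[3])) : null;
}

// earliest=-15mon (filter on _time) followed by the where clause on reported_date.
function searchRecentReports(events, now) {
  const cutoff = monthsAgo(now, 15);
  return events
    .filter((e) => e._time >= cutoff)
    .filter((e) => {
      const rd = parseReportedDate(e.reported_date);
      return rd !== null && cutoff < rd;
    });
}

// Events the where clause alone would keep but the _time pre-filter drops: these exist
// only when the caveat fails, i.e. reported_date is later than _time.
function droppedByTimePrefilter(events, now) {
  const cutoff = monthsAgo(now, 15);
  return events.filter((e) => {
    const rd = parseReportedDate(e.reported_date);
    return rd !== null && cutoff < rd && e._time < cutoff;
  });
}

// Constructed sample events (not real data). NOW is 2024-06-01, so the cutoff is 2023-03-01.
const NOW = new Date(Date.UTC(2024, 5, 1));
const SAMPLE_EVENTS = [
  { id: 1, _time: new Date(Date.UTC(2024, 4, 20)), reported_date: "2024-05-18" }, // kept
  { id: 2, _time: new Date(Date.UTC(2022, 0, 10)), reported_date: "2022-01-09" }, // too old
  { id: 3, _time: new Date(Date.UTC(2023, 6, 1)), reported_date: "2023-06-30" },  // kept
  { id: 4, _time: new Date(Date.UTC(2022, 11, 1)), reported_date: "2023-04-01" }, // caveat broken
  { id: 5, _time: new Date(Date.UTC(2024, 2, 2)), reported_date: "not-a-date" },  // malformed
];
```

Event 4 is the case the caveat guards against: its reported_date is inside the window but its _time is not, so the earliest=-15mon pre-filter drops it before the where clause runs.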
Short answer is no. Events are timestamped by the _time field and earliest and latest applies to this field, not to some other field in the event. You would have to apply a time period (earliest and latest) to your search to cover enough of your events to find events where reported_date is between the times you are interested in.
Hi All; I have a list of events, which includes a field called reported_date, format is yyyy-mm-dd. I'm trying to create a search that looks for reported_date within the last 15 months of the current day. Is it possible to do an earliest and latest search within a specific field? Note: _time does not align with the reported_date. Any assistance would be greatly appreciated! TIA
Hi @mobrien1 , maybe "Once" and "For each result" became from Alerts. I don't find any other answer. Let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking
Giuseppe

P.S.: Karma Points are appreciated
I think I would agree with your first statement. But the reason I posted this question is that the phrase "Notable response actions and risk response actions are always triggered for each result." effectively makes "Once" and "For each result" the same thing (at least in my mind). But they are two distinct options, so I feel like they can't be the same. This makes me think I'm misunderstanding something.
Following advice from the developer, I renamed passwords.conf from another addon, TA-WALLIX_Bastion/default/passwords.conf, and now Configuration is finally opening.
Hi @riyastk , let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking
Giuseppe

P.S.: Karma Points are appreciated
Hi @gcusello thanks for the reply. I checked the events for the "Invalid" matches (the default value in the case block) and I can see there is no "status" field being extracted for those events. So it's evident why those are marked as "Invalid". So the issue must be with the sourcetype, I guess. Sorry if I didn't mention that the data sets are not the same. I just want to show that the later screenshot has matches for count_httpunk and the first one doesn't have.
This is the output I got using the command:

```
/opt/splunk/etc/system/default/server.conf pass4SymmKey_minLength = 12
/opt/splunk/etc/system/default/server.conf pass4SymmKey =
/opt/splunk/etc/system/default/server.conf pass4SymmKey_minLength = 12
/opt/splunk/etc/system/default/server.conf encrypt_fields = "****"
/opt/splunk/etc/system/default/server.conf pass4SymmKey = changeme
/opt/splunk/etc/system/default/server.conf pass4SymmKey_minLength = 12
/opt/splunk/etc/system/default/server.conf pass4SymmKey_minLength = 12
```
I have been experimenting with splunk-ui and created an app to make calls from Splunk Web to the Splunk REST API. However, I keep getting errors like this:

```
The same origin policy prohibits access to external resource at https://localhost:8090/servicesNS/nobody/path_redacted_but_is_valid?output_mode=json. (Reason: CORS-Header 'Access-Control-Allow-Origin' is missing)
```

This is how the call looks:

```javascript
// eventType is a saved event type object loaded earlier (it provides .acl.app, .title and .content.search)
async function updateEventType(eventType) {
  const url = `https://localhost:8090/servicesNS/nobody/${eventType.acl.app}/saved/eventtypes/${eventType.title}?output_mode=json`;
  const response = await fetch(url, {
    credentials: "include",
    method: "POST",
    redirect: "follow",
    body: JSON.stringify({ search: eventType.content.search }),
  });
  return response.json();
}
```

This is my server.conf:

```
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/cert.pem

[httpServer]
crossOriginSharingPolicy = https://localhost:8090
crossOriginSharingHeaders = *
```

I can access https://localhost:8090/servicesNS/* "by itself" in my browser. I am using Firefox 128 and Splunk 9.0.5. I can set crossOriginSharingPolicy to "*" (without quotes), but that will cause the browser to reject any requests that require authentication, so this is no solution.
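An added example, not from the poster and not Splunk's code: a model of the browser-side CORS check that produces the error quoted above, with a simplified server that applies an origin allow-list. It assumes the page issuing the fetch runs on a different origin from the REST port (Splunk Web at https://localhost:8000 is used as a constructed value), and that an allow-listed server echoes the matching origin together with `Access-Control-Allow-Credentials: true`; that server behaviour is an assumption about splunkd, not verified against it.

```javascript
// Added example, not from the thread: models the browser's CORS check for a fetch with
// credentials: "include", and a server that applies an origin allow-list the way
// crossOriginSharingPolicy is assumed to (assumption, not verified against splunkd).

// Returns null when the browser would expose the response, otherwise the reason it blocks it.
// responseHeaders: object keyed by lower-case header name.
function corsBlockReason(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const allowCreds = responseHeaders["access-control-allow-credentials"];
  if (allowOrigin === undefined) {
    return "CORS header 'Access-Control-Allow-Origin' missing";
  }
  if (withCredentials) {
    // With credentials, the wildcard is rejected: the origin must be echoed exactly
    // and Access-Control-Allow-Credentials must be literally "true".
    if (allowOrigin === "*") {
      return "credentialed request but Access-Control-Allow-Origin is '*'";
    }
    if (allowCreds !== "true") {
      return "credentialed request but Access-Control-Allow-Credentials is not 'true'";
    }
  }
  if (allowOrigin !== "*" && allowOrigin !== requestOrigin) {
    return `origin ${requestOrigin} not allowed (server answered ${allowOrigin})`;
  }
  return null;
}

// Simplified server: policy "*" answers with a wildcard; otherwise the request origin is
// echoed only when it appears in the comma-separated allow-list, with credentials enabled.
function serverCorsHeaders(policy, requestOrigin) {
  if (policy === "*") return { "access-control-allow-origin": "*" };
  const allowed = policy.split(",").map((s) => s.trim());
  if (!allowed.includes(requestOrigin)) return {};
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
  };
}

// Constructed origins: the page runs on Splunk Web, the REST API is on port 8090 (from the post).
const PAGE_ORIGIN = "https://localhost:8000";
const API_ORIGIN = "https://localhost:8090";

// Compare the three policies discussed in the post for a credentialed request from the page.
function outcomeForPolicy(policy) {
  return corsBlockReason(PAGE_ORIGIN, true, serverCorsHeaders(policy, PAGE_ORIGIN));
}
```

The allow-list has to name the origin the script runs on (the page), not the origin of the API being called, and the wildcard can never satisfy a request sent with `credentials: "include"`.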
Hello, I am running SPLUNK 9.1.2 on Linux and ever since I installed a new internal certificate, I am not able to run SPLUNK. Below are some of the warnings I was able to find in splunkd.log. Would anyone have any idea of how this can be addressed and fixed? Thank you for any suggestions!

```
WARN SSLCommon [12196 webui] - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.
WARN HttpListener [12196 webui] - Socket error from “…” while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
WARN HttpListener [12196 webui] - Socket error from “…” while idling: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknow protocol
WARN SSLCommon [12196 webui] - Received fatal SSL3 alert. ssl_state='error', alert_description='bad record mac'.
WARN HttpListener [12196 webui] - Socket error from “…” while idling: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
WARN SSLCommon [12196 webui] - Received fatal SSL3 alert. ssl_state='error', alert_description='decrypt error'.
WARN HttpListener [12196 webui] - Socket error from “…” while idling: error:1408C095:SSL routines:ssl3_get_finished:digest check failed
```
@zapping575- This is a little bit complicated topic, as there are many ways to achieve this and also there are many types of REST endpoints. I prefer to learn from example, some prefer to learn from documents. I'm putting both as references here:

- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/
- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customrestscript/
- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customrestmanageaccess/
- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customresteai/
- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/creexamples/
- https://github.com/splunk/splunk-app-examples/tree/master/custom_endpoints/hello-world

I hope this helps!!!
Hi ITWhisperer, they are still the same as the default. Admittedly, I am a bit stumped about the finer details of these properties. At most I could see the entry of

```
# The number of entries per page when paginating Rules Engine searches.
internal_search_page_size = 10000
```

being perhaps the culprit as to why ITSI only indexed around ~10070 events per day. Or do you know which rule might limit the backfill size?