All Posts


I am looking into developing a custom splunk app that lets us manage our knowledge objects in bulk. The idea is to create custom REST endpoints and call them from a splunk-ui based app in splunk web. Looking into the documentation of custom REST endpoints (https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customrestscript), it strikes me that the sample code imports a splunk module that I can find no documentation for. Am I missing out on something here? Am I just supposed to use splunklib? I would greatly appreciate feedback regarding the plan to use custom REST endpoints with a splunk web based UI.
I was able to do it by some other way but your solution is cleaner and elegant. Thanks for the help 
I think the time format is more likely to be TIME_FORMAT=%m%d%Y%H%M%S
Yes, both the general and clustering stanzas were updated with pass4key and min length as well, but still the same issue.
That is a shame that after 5 years and several versions we still cannot disable a user. By the way, you cannot leave a user without a role. You need to create a role with no authorizations and give them that.
Hi there,

We are currently ingesting Palo Alto threat logs into Splunk, although we are missing the 'URL' log_subtype. Current subtypes being ingested for PA threat logs include the spyware, vulnerability and file subtypes. Can anyone please tell me what changes need to be made on the Palo Alto and/or Splunk side to ingest log_subtype=URL threat logs?

Regards, CW
Hi @splukiee, have you changed the pass4SymmKey value under the general stanza? It seems you updated pass4SymmKey for the clustering stanza. IMO, the log message is triggering for pass4SymmKey under general. Also, as suggested by @PickleRick, can you please run btool for pass4SymmKey to check the different locations of pass4SymmKey present on the server:

/opt/splunk/bin/splunk btool server list --debug | grep -i pass4SymmKey
Hi @the_sigma, Try these configs:

[psv]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=PSV
SHOULD_LINEMERGE=false
category=Structured
description=Pipe-separated value format.
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=14
TIME_FORMAT=%d%m%Y%H%M%S
Hi @SplunkExplorer, for your question regarding sudoers: I don't think the Splunk user you created is, by default, part of any sudoers list; it will be in a group the same as the splunk user. For running Splunk on Linux you don't need to be part of any sudoers. Splunk performs its core functions as normal.
Hi there, I got an issue when setting up the Splunk connector in OpenCTI. When I check the logs, it says terminated. I followed the guide from this man here https://the-stuke.github.io/posts/opencti/#connectors: already opened a token, created the API livestream at OpenCTI, and also already created collections.conf and added [opencti] at $SPLUNK_HOME/etc/apps/appname/default/. Btw, I'm using the search app, so I created collections.conf at $SPLUNK_HOME/etc/apps/appname/default/. Because I don't know the value of the fields from OpenCTI to send, I didn't create any field list in [opencti].

My connection settings are like this:

connector-splunk:
  image: opencti/connector-splunk:6.2.4
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN} # Splunk OpenCTI User Token
    - CONNECTOR_ID=MYSECRETUUID4 # Unique UUIDv4
    - CONNECTOR_LIVE_STREAM_ID=MYSECRETLIVESTREAMID # ID of the live stream created in the OpenCTI UI
    - CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
    - CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true
    - "CONNECTOR_NAME=OpenCTI Splunk Connector"
    - CONNECTOR_SCOPE=splunk
    - CONNECTOR_CONFIDENCE_LEVEL=80 # From 0 (Unknown) to 100 (Fully trusted)
    - CONNECTOR_LOG_LEVEL=error
    - SPLUNK_URL=http://10.20.30.40:8000
    - SPLUNK_TOKEN=MYSECRETTOKEN
    - SPLUNK_OWNER=zake # Owner of the KV Store
    - SPLUNK_SSL_VERIFY=true # Disable if using self signed cert for Splunk
    - SPLUNK_APP=search # App where the KV Store is located
    - SPLUNK_KV_STORE_NAME=opencti # Name of created KV Store
    - SPLUNK_IGNORE_TYPES="attack-pattern,campaign,course-of-action,data-component,data-source,external-reference,identity,intrusion-set,kill-chain-phase,label,location,malware,marking-definition,relationship,threat-actor,tool,vocabulary,vulnerability"
  restart: always
  depends_on:
    - opencti

Hope my information is enough to get this solved.
The match function uses regex so the wildcards are different - try this

| eval priority = if(match(kubernetes.container_name, "^service1-v.*|^service2-v.*|^service3.*"), "2", "Not set")
@ITWhisperer and @PickleRick thank you both very much! Technically PickleRick's mimics the precise result better, but takes c.13K steps, while ITWhisperer's answer takes just 332 steps and leaves a leading hyphen (which is easy enough to strip out). I'm going to accept ITWhisperer's as the solution for its efficiency, but wanted to call out that PickleRick's result, as a pure regex solution, is technically better. Thank you both!
@marnall thanks. Did that, and also made sure that the pass4SymmKey & pass4SymmKey_minLength are unique across all locations, but still the same issue.
Hi Guys, we have a doubt regarding the user that executes Splunk on a Linux environment. Until now, we have always avoided use of the root user; instead, we have always installed and configured Splunk on Linux in the following way:

1. Create a dedicated user, e.g. "splunkuser"
2. Change ownership of the Splunk installation folder to that user
3. Configure Splunk for boot autorun with the dedicated user

What is not clear for us, and we didn't find in the docs, is: suppose this user belongs to the sudoers group. Here two questions arise:

1. Can it be removed from sudoers, or does some Splunk-related process require it to belong to that group?
2. If it cannot be totally removed from sudoers, which process requires it to maintain such kind of privileges?
The search log
I am trying to write a search query as part of our alerting. The intention is that if search results come from a certain container (kubernetes.container_name), e.g. service1, service2 or service3, then I should set a priority of 2. The problem is that the service names have a version number appended to them, e.g. service1-v1-0 or service3-v3-0b, to give two such examples. My intention was to use a combination of 'if' and 'match' with a wildcard to achieve this, but it doesn't seem to work. The reason for me using this was that the start of the container_name would remain the same, and as the version numbers change the search that I'm attempting to write should be future proofed.

| eval priority = if(match(kubernetes.container_name, "^service1-v*|^service2-v*|^service3*"), "2", "Not set")

However, these are returning "Not set" even when the expected kubernetes.container_name is used. Can someone help me understand why this isn't working, how to fix it, and whether there might be a better way of doing this? Thanks!
Reading https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/DashStudio/contExport#Schedule_an_email_export, it seems like it's available on this version, although we are on version 9.1 on Splunk Cloud.
Thanks very much. It is solved now.
Hi @mobrien1, I suppose that the meaning of the statement is that, e.g., the risk score is counted for each value you can find in the results of your Correlation Search, so if you have more hosts in the results, the Risk Score is counted for all of them. But why did you post this question?

Ciao.
Giuseppe