All Posts
@zeinstein were you able to find any good solution for this
@kamlesh_vaghela, can you help me please?
No, that's not it. I want my dropdown to be powered by a search, but one that is defined in JS. Something like this?
After further digging I have found the following:

2024-07-09 08:31:23,330 log_level=ERROR pid=972253 tid=MainThread file="ModularInput.py" function="print_error" line_number="675" version="sentinelone_app_for_splunk.5.2.2b20240416" host=<redacted> sourcetype=sentinelone_app_for_splunk:error source=sentinelone:input:782b6c37-3fdb-3385-b3d5-272bf1df0837 error_message="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_type="<class 'requests.exceptions.RetryError'>" error_arguments="HTTPSConnectionPool(host='<redacted>', port=443): Max retries exceeded with url: /web/api/v2.1/application-management/risks?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 (Caused by ResponseError('too many 500 error responses'))" error_filename="s1_client.py" error_line_number="365" input_guid="782b6c37-3fdb-3385-b3d5-272bf1df0837" input_name="cves"
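The error line above is in the key=value layout the SentinelOne app writes, with the interesting detail buried inside the quoted error_message. The following is an added example (not code from the post or from the SentinelOne app) that parses such a line into fields and then breaks the urllib3 "Max retries exceeded" message into host, endpoint, query parameters and the HTTP status that exhausted the retries. The sample lines are constructed for the example: the first reproduces the values quoted in the post (hosts redacted as there), the second is made up to show a line that is not a retry error.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the key=value layout of the app's error log.
# The first copies the values quoted in the post; the second is made up.
RETRY_ERROR_LINE = (
    "2024-07-09 08:31:23,330 log_level=ERROR pid=972253 tid=MainThread "
    'file="ModularInput.py" function="print_error" line_number="675" '
    'version="sentinelone_app_for_splunk.5.2.2b20240416" host=<redacted> '
    "sourcetype=sentinelone_app_for_splunk:error "
    "source=sentinelone:input:782b6c37-3fdb-3385-b3d5-272bf1df0837 "
    "error_message=\"HTTPSConnectionPool(host='<redacted>', port=443): "
    "Max retries exceeded with url: /web/api/v2.1/application-management/risks"
    "?riskUpdatedDate__gte=1719909012000&includeRemovals=True&limit=1000 "
    "(Caused by ResponseError('too many 500 error responses'))\" "
    "error_type=\"<class 'requests.exceptions.RetryError'>\" "
    'error_filename="s1_client.py" error_line_number="365" '
    'input_guid="782b6c37-3fdb-3385-b3d5-272bf1df0837" input_name="cves"'
)
OTHER_ERROR_LINE = (
    "2024-07-09 08:32:00,001 log_level=ERROR pid=972253 tid=MainThread "
    'error_message="Invalid API token" error_type="<class \'ValueError\'>" '
    'input_name="cves"'
)

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+")
# key=bare_value or key="quoted value" (quoted values may contain spaces and single quotes)
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
# Shape of urllib3's message as seen in the post; the cause is the inner exception.
RETRY_RE = re.compile(
    r"HTTPSConnectionPool\(host='(?P<host>[^']*)', port=(?P<port>\d+)\): "
    r"Max retries exceeded with url: (?P<url>\S+) "
    r"\(Caused by (?P<cause>\w+)\('(?P<reason>[^']*)'\)\)"
)
STATUS_RE = re.compile(r"too many (\d{3}) error responses")


def parse_kv_line(line):
    """Return (timestamp, fields) for a 'ts key=value key="quoted" ...' log line."""
    m = TS_RE.match(line)
    if m is None:
        raise ValueError("line does not start with a 'YYYY-MM-DD HH:MM:SS,mmm' timestamp")
    fields = {}
    for key, quoted, bare in KV_RE.findall(line[m.end():]):
        fields[key] = quoted if quoted else bare
    return m.group(1), fields


def summarize_retry_error(fields):
    """Split a urllib3 'Max retries exceeded' error_message into its parts.

    Returns None when the line is some other error, so callers can route it elsewhere.
    """
    m = RETRY_RE.search(fields.get("error_message", ""))
    if m is None:
        return None
    url = urlsplit(m.group("url"))
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    status = STATUS_RE.search(m.group("reason"))
    code = int(status.group(1)) if status else None
    since = None
    if "riskUpdatedDate__gte" in query:  # epoch milliseconds in the API query string
        since = datetime.fromtimestamp(
            int(query["riskUpdatedDate__gte"]) / 1000, tz=timezone.utc
        ).isoformat()
    return {
        "input_name": fields.get("input_name"),
        "input_guid": fields.get("input_guid"),
        "host": m.group("host"),
        "port": int(m.group("port")),
        "endpoint": url.path,
        "query": query,
        "cause": m.group("cause"),
        "reason": m.group("reason"),
        "status": code,
        "server_side": code is not None and 500 <= code < 600,
        "since": since,
    }


if __name__ == "__main__":
    for line in (RETRY_ERROR_LINE, OTHER_ERROR_LINE):
        ts, fields = parse_kv_line(line)
        print(ts, fields.get("input_name"), summarize_retry_error(fields))
```

The summary makes two things visible that the raw line hides: the failing responses are 500s from the SentinelOne API host, not from the Splunk side, and the query window (riskUpdatedDate__gte) starts a week before the log time, which is the parameter to look at when the API keeps failing on that input.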
I want to extract the field below into two fields, Name and version. Can someone help me with this?
Hi @Siddharthnegi, there are two solutions:

splunk cmd btool --debug savedsearches list | egrep "\["

or

| rest /servicesNS/-/-/saved/searches | table title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

I prefer the second. Ciao. Giuseppe
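The REST option above needs a live Splunk instance, but the btool option can be worked offline. The following is an added example (not code from the answer or from Splunk) that parses the output of `splunk cmd btool savedsearches list --debug`, where every line is prefixed with the .conf file it came from, into a map of saved-search name to its search string and other settings, and then searches that map by search text. That last function is for the case asked about further down this page, where the search is known but its name is not. The sample output, file paths and searches are constructed for the example; the assumed line layout is "path stanza-or-key=value".

```python
import re

# Constructed sample of `splunk cmd btool savedsearches list --debug` output.
# Assumed layout: each line starts with the conf file the setting came from.
# Paths, stanza names and searches are made up for this example.
SAMPLE_BTOOL = """\
/opt/splunk/etc/apps/search/default/savedsearches.conf [default]
/opt/splunk/etc/apps/search/default/savedsearches.conf dispatch.earliest_time = -24h
/opt/splunk/etc/apps/search/local/savedsearches.conf [Failed logins by source]
/opt/splunk/etc/apps/search/local/savedsearches.conf search = index=auth action=failure | stats count by src
/opt/splunk/etc/apps/search/local/savedsearches.conf cron_schedule = */15 * * * *
/opt/splunk/etc/apps/search/local/savedsearches.conf enableSched = 1
/opt/splunk/etc/users/admin/search/local/savedsearches.conf action.email.to = soc@example.com
/opt/splunk/etc/apps/my_app/default/savedsearches.conf [Internal errors]
/opt/splunk/etc/apps/my_app/default/savedsearches.conf search = index=_internal log_level=ERROR | stats count by component
"""

STANZA_RE = re.compile(r"^\[(.*)\]$")


def parse_btool_debug(text):
    """Map stanza name -> {'settings': {key: value}, 'files': [conf files that contributed]}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(None, 1)  # "<conf path> <rest of line>"
        if len(parts) != 2:
            continue  # malformed line; skip rather than guess
        path, rest = parts
        m = STANZA_RE.match(rest.strip())
        if m:
            current = m.group(1)
            entry = stanzas.setdefault(current, {"settings": {}, "files": []})
            if path not in entry["files"]:
                entry["files"].append(path)
            continue
        if current is None or "=" not in rest:
            continue
        # split on the first '=' only: the search string itself contains '='
        key, value = (s.strip() for s in rest.split("=", 1))
        entry = stanzas[current]
        entry["settings"][key] = value
        if path not in entry["files"]:
            entry["files"].append(path)
    return stanzas


def list_saved_searches(stanzas):
    """(name, search) pairs, excluding the [default] stanza, which is not a saved search."""
    return [
        (name, entry["settings"].get("search"))
        for name, entry in stanzas.items()
        if name != "default"
    ]


def find_by_search_text(stanzas, needle):
    """Names of saved searches whose search string contains needle (case-insensitive)."""
    needle = needle.lower()
    return [
        name
        for name, entry in stanzas.items()
        if name != "default" and needle in entry["settings"].get("search", "").lower()
    ]


if __name__ == "__main__":
    stanzas = parse_btool_debug(SAMPLE_BTOOL)
    for name, search in list_saved_searches(stanzas):
        print(f"{name}: {search}")
    print("searches over _internal:", find_by_search_text(stanzas, "index=_internal"))
```

To run this against a real instance, pipe the btool output into the parser instead of the constructed sample; the files list then tells you which app or user directory each setting was picked up from, which is the part the plain `egrep "\["` listing drops.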
How to get all saved searches with their names and their respective search
I have integrated the VirusTotal app with Splunk SIEM through an API key, but the app is not showing any results.
Try something like this TIME_FORMAT = [%s]
https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTsearch#saved.2Fsearches  
Hi @jcorcorans, as @marnall said, your events should take the timestamp from the epoch time in square brackets and assign it to the _time field: it will be readable during the event display. If not, you can extract this epoch time using a regex and then convert it using an eval; regex cannot be used for conversion:

<your_search> | rex "\[(?<epoch_timestamp>\d+)\]" | eval timestamp=strftime(epoch_timestamp, "%Y-%m-%d %H:%M:%S")

Ciao. Giuseppe
could  you tell how
Try using ReST to retrieve the saved searches and look for the search you are interested in
Okay I only know the index("_internal")
How would you identify it if you found it? Do you know if it has been executed and if so when? Do you know which index(es) are searched? Do you know who wrote it?
I have a saved search, but I don't know the name of that saved search. How do I get it?
Hi,

Thank you so much for your inputs. Sorry, I didn't convey my question properly.

Query 1: For example, we have fieldname1, fieldname2 and fieldname3, all of which are long texts. We want to use the reveal token and drilldown option for all 3 fieldnames. When I click fieldname1, it should expand fieldname1 only, instead of expanding fieldname1, fieldname2 and fieldname3. Similarly, when I click fieldname2, it should expand fieldname2 but not all three fieldnames. Only if I click on all 3 fieldnames should it expand all 3; otherwise it should expand based on the selected fieldname.

Query 2: If it is possible to have the additional feature below, it would be very helpful. For example, all 3 fieldnames are column names in a table, and the table has more than 10 rows with longer text. Is it possible to expand a single row and a single column name/fieldname based on the selection?

Thanks,
Srinivasulu S
Is this what you're looking for? https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/secretstorage/
You possibly want this:

... | chart count max(_time) as MaxTime over aRange by aType | eval aRange = aRange+1 | rename "count: 0" AS A, "count: 1" AS B | eval aPercentage = round((A / B) * 100)

and then you will also have two columns, MaxTime: 0 and MaxTime: 1, and then you can do

| eval MaxTime=max('MaxTime: 0', 'MaxTime: 1')