Consider using a lookup table that maps the first two octets to a location. If the lookup returns the same fields as the iplocation command then you could use the geostats command to display the data on a map. You probably would need to create a lookup definition and use the Advanced settings to define CIDR match on the address field. The lookup might look something like this:
addr            City  Country        Region      lat  lon
192.168.0.0/16  foo   United States  Texas       xxx  yyy
172.168.0.0/16  bar   United States  California  aaa  bbb
Hello, I need your help for something. I want to get a dropdown using a result from a search, using JS. I want the dropdown to take the search result:
index=_internal |stats count by source |table source
Thank you so much.
Hello All, I am installing Alert Manager Enterprise on a standalone on-prem server. Can I have it indexed in an existing index, or should I be using another new index for config? Also, what would be the HEC host field: will it be my URL for the Splunk instance, and what would be the HEC port as well? My understanding is that Alert Manager takes Splunk alerts and displays them; I'm not sure why HEC is even used when setting this up. Thank you for all the help!
Thank you everyone for commenting. I have pre-defined locations already based on the first two octets of the IP address schema. I thought there would be a way to identify location in that manner. Example:
Log in attempt from user1 from 192.168.x.x means they are coming from Texas.
Log in attempt from user2 from 172.168.x.x means they are coming from California.
Remember these are examples, and I totally understand their local IP and geo tagging might not be possible since they're internal IPs. In this example we know the first two octets indicate California or Texas. The idea is to have a dashboard for Linux users that shows a map of user authentication taking place based on IP address. There are only two IP address schemes we are dealing with and only two locations in this example, each corresponding to the location in the example: 192.168.x.x is Texas and 172.16.x.x is California. Hope this helps :) Something like the below image:
OK. Show us one of your 4624 events found in verbose mode (blur sensitive data if needed). BTW, looking at my 4624 events I don't see anything that should yield action=success extraction.
Ahhhh. yes. The usual confusion between Deployer and Deployment Server (I read "deploy server" as Deployer, you read it - probably good - as DS). This naming is confusing, especially for newbies.
The iplocation command doesn't work with internal IP addresses (192.128.x.x, 10.x.x.x, etc.). That's because many companies use the same IP address space so a lookup by IP alone is not meaningful. Your company would have to create and install their own .mmdb file with the appropriate information.
I have a Linux environment and SSH is a thing here. I need to show SSH logins with location. I got the map to work, but now I need to figure out how to show the IPs based on two locations, based on the first two octets of the IP address schema. Example:
Texas: 192.168.x.x
California: 172.16.x.x
index=Exampe_index "ssh" sourcetype="Example_audit" "res"=success type=USER_LOGIN hostname=*| iplocation addr | geostats latfield=lat longfield=lon count
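As an added illustration of the CIDR-match lookup suggested earlier in this thread (a table mapping the first two octets to a location) applied to the SSH login search in this post: this Python script is not from the thread or from Splunk. The lookup rows, the coordinates and the audit events are constructed, and the 172.16.0.0/16 range follows this post rather than the 172.168.0.0/16 in the earlier suggestion.

```python
import ipaddress
from collections import Counter

# Constructed lookup table in the shape described in the thread
# (addr, City, Country, Region, lat, lon). Coordinates are placeholders, not real geodata.
IP_LOCATION_LOOKUP = [
    {"addr": "192.168.0.0/16", "City": "foo", "Country": "United States",
     "Region": "Texas", "lat": 31.0, "lon": -100.0},
    {"addr": "172.16.0.0/16", "City": "bar", "Country": "United States",
     "Region": "California", "lat": 37.0, "lon": -120.0},
]

# Constructed key=value audit-style events; real logs will differ.
SAMPLE_EVENTS = [
    "type=USER_LOGIN hostname=srv1 addr=192.168.10.5 res=success",
    "type=USER_LOGIN hostname=srv2 addr=172.16.4.9 res=success",
    "type=USER_LOGIN hostname=srv1 addr=192.168.200.1 res=failed",
    "type=USER_LOGIN hostname=srv3 addr=10.0.0.7 res=success",
]


def cidr_lookup(addr, table=IP_LOCATION_LOOKUP):
    """Return the row whose CIDR contains addr (longest prefix wins), else None.

    Mirrors a lookup definition with CIDR matching on addr: addresses outside every
    listed range get no location, like iplocation leaves private addresses blank.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    rows = sorted(table, key=lambda r: ipaddress.ip_network(r["addr"]).prefixlen, reverse=True)
    for row in rows:
        if ip in ipaddress.ip_network(row["addr"]):
            return row
    return None


def parse_event(line):
    """Split a key=value audit line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def geostats_count(events, table=IP_LOCATION_LOOKUP):
    """Count successful logins per (Region, lat, lon), like geostats count does."""
    counts = Counter()
    for line in events:
        ev = parse_event(line)
        if ev.get("type") != "USER_LOGIN" or ev.get("res") != "success":
            continue
        row = cidr_lookup(ev.get("addr", ""), table)
        if row is not None:  # events with no coordinates are dropped, as geostats does
            counts[(row["Region"], row["lat"], row["lon"])] += 1
    return dict(counts)
```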
I am getting this error below regarding pass4SymmKey:
WARN HTTPAuthManager [1045 MainThread] - pass4SymmKey length is too short. See pass4SymmKey_minLength under the clustering stanza in server.conf
INFO ServerRoles [1045 MainThread] - Declared role=cluster_master.
INFO ServerRoles [1045 MainThread] - Declared role=cluster_manager.
ERROR ClusteringMgr [1045 MainThread] - pass4SymmKey setting in the clustering or general stanza of server.conf is set to empty or the default value. You must change it to a different value.
ERROR loader [1045 MainThread] - clustering initialization failed; won't start splunkd
What exactly is the problem? I have defined the exact proper length of pass4SymmKey, but still it is not working. Below is the server.conf file. The server.conf file for the updated version will look like below:
[general]
serverName = ***
pass4SymmKey = generated_pass4SymmKey_value
[sslConfig]
sslPassword = ***
description = ABCDEFGH
peers = *
quota = MAX
stack_id = ***
description = ABCDEFGH
peers = *
quota = MAX
stack_id = forwarder
[***:ABCDEFGH]
description = ABCDEFGH
peers = *
quota = MAX
stack_id = free
[indexer_discovery]
[clustering]
cluster_label = ***
mode = manager
replication_factor = 3
search_factor = 2
pass4SymmKey_minLength = 32
What am I missing?
Hi @mendi , ok, it's a different condition: <your_search>
| eval key=if(Status="DONE",Reference,NewReference)
| fields Name Reference Status Date Creator NewReference Type
| stats
dc(Status) AS Status_count
count(Status) AS Status
values(*) AS *
BY key
| where Status_count=1 AND Status="DONE"
| table Name Reference Status Date Creator NewReference Type
Ciao. Giuseppe
Hi @Chiranjeev, what's the format of your logs? Is it the standard Windows one or a different one? I experienced many issues using a concentrator for Windows logs. If the format is different, you should reparse them. Ciao. Giuseppe
I have added a new SAML group and assigned a role which was created before with limited privileges/capabilities and access to only 2 indexes. However, users in that group have reported being unable to access the resources (indexes). Upon verifying in the Users section of Splunk Cloud settings, I noticed that the specific users within that AD group were not assigned their roles. Is there a troubleshooting step I should take? I noticed an option in the SAML settings to reload the SAML configuration, but I am worried about clicking it.
Another easy way is to use the foreach command; below is the example.
|makeresults | eval mv=mvappend("5", "15"), total = 0, count = 0 | foreach mode=multivalue mv [eval total = total + <<ITEM>>, count = count + 1]
I have added a new SAML group from our organisation's Azure AD and assigned a role which was created before with limited privileges/capabilities and access to only 2 indexes. However, users in that group have reported being unable to access the resources. Upon verifying in the Users section of Splunk Cloud settings, I noticed that the specific users involved in that group were not assigned their roles. Is there a troubleshooting step I should take? I noticed an option in the SAML settings to reload the SAML configuration, but I am hesitant to click on it.
"Approved", "Declined" etc are not series, they are values on the x-axis. You need to refactor your search to create series. If you need help doing that, please share your data source code.
It looks like your data values are strings but you are trying to add totals, i.e. treating them as numerics. Try removing the commas (as well as the $ signs) and converting the bracketed number to negative, e.g. change the "(" to "-" and remove the ")".
We have a centralized collector via WEF for our Windows logs, where a UF with the Windows add-on is sending logs to Splunk Cloud, where we also have a TA add-on.