Thanks Giuseppe for your quick reply. It doesn't seem to work. So e.g. there are 6 records:
Name;Reference,Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD
Test;Abc2;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc2;UPD
Test;Abc3;DONE;2022-09-09;Me;Null;INS
Hello;Abc5;OPEN;2022-09-09;Me;Abc4;UPD
So in the above example, I would like to find records where a Reference with status DONE is not found in any other record under the field NewReference with status OPEN. In the above example, Abc1 and Abc2 find a matched record but Abc3 & Abc5 don't. Many thanks
Hi, thanks for your inputs, it's working but not fulfilling the requirements. Can you share more insights on the drilldown option? Example: when we have 2 or more column names with longer text and want to expand the field values for the one column name which we have selected (specific), but not to expand all the columns where this drilldown is used.
Hi @mendi, let me understand: do you have Reference and NewReference in each event? If yes, you have to create a search using the field to compare as keys, something like this:

<your_search>
    [ search <your_search> | rename Reference AS NewReference | fields NewReference ]
| fields Name Reference Status Date Creator NewReference Type
| stats
    dc(Status) AS Status_count
    values(*) AS *
    BY Reference
| where Status_count=2
| table Name Reference Status Date Creator NewReference Type

If you have more conditions, you can add them to the where. Ciao. Giuseppe
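The correlation mendi is asking for (a DONE record's Reference looked up in other records' NewReference with status OPEN), written as an added Python example rather than SPL; it is not code from the thread. The records are the six lines posted above, embedded as a constructed sample.

```python
# Constructed sample: the six records posted in the thread, with the
# header made consistently ';'-separated (the post had one stray comma).
RAW_RECORDS = """Name;Reference;Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD
Test;Abc2;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc2;UPD
Test;Abc3;DONE;2022-09-09;Me;Null;INS
Hello;Abc5;OPEN;2022-09-09;Me;Abc4;UPD"""


def parse_records(text):
    """Parse the ';'-separated dump into dicts; the literal 'Null' becomes None."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(";")
    rows = []
    for line in lines[1:]:
        values = [None if v == "Null" else v for v in line.split(";")]
        rows.append(dict(zip(header, values)))
    return rows


def correlate_done(rows):
    """Split DONE references into (matched, unmatched), where matched means
    some OPEN record carries that value in NewReference. This is the same
    idea as keying both sides of the SPL search on one field value."""
    open_targets = {r["NewReference"] for r in rows
                    if r["Status"] == "OPEN" and r["NewReference"]}
    matched, unmatched = [], []
    for r in rows:
        if r["Status"] != "DONE" or not r["Reference"]:
            continue
        (matched if r["Reference"] in open_targets else unmatched).append(r["Reference"])
    return matched, unmatched


def dangling_open(rows):
    """The reverse check: OPEN records whose NewReference points at no DONE
    Reference, returned as (Reference, NewReference) pairs."""
    done_refs = {r["Reference"] for r in rows if r["Status"] == "DONE" and r["Reference"]}
    return [(r["Reference"], r["NewReference"]) for r in rows
            if r["Status"] == "OPEN" and r["NewReference"] not in done_refs]


if __name__ == "__main__":
    records = parse_records(RAW_RECORDS)
    print("matched / unmatched DONE:", correlate_done(records))
    print("dangling OPEN:", dangling_open(records))
```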
I have thousands of records (events). I would like to search field a if it exists in field b of another event (record). E.g.:
Name;Reference,Status;Date;Creator;NewReference;Type
Test;Abc1;DONE;2022-09-09;Me;Null;INS
Hello;Null;OPEN;2022-09-09;Me;Abc1;UPD
So I would like to find records where Reference (Abc1) with status (DONE) is present in another record whose NewReference is equal to the Reference of the earlier record (Abc1) and status is OPEN. The logs will have thousands of records. Thanks
Hi @Haleb, as @PickleRick said, it's hard to help you without any information about your architecture. Anyway, how are you sending logs? Are you using one or two receivers? How many inputs did you enable? Are you using a Load Balancer? Ciao. Giuseppe
Hi @dataisbeautiful, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors
Hi @kobi, as @PickleRick said, you cannot use a Deployment Server to push apps to a Search Head Cluster, you must use a SHC-Deployer. You could eventually push the apps from the DS to the SHC-Deployer, and after that it deploys the apps to the Cluster. Ciao. Giuseppe
There is something wrong. But seriously - you haven't shown us anything regarding your data and your configuration. You haven't told us what your architecture is and where this addon is installed. My glass orb is undergoing annual maintenance...
Try using this URI: https://<host>:<mPort>/services/search/v2/jobs/ The API URI that you are using is deprecated. To my knowledge, it deletes the "|" at the beginning of the SPL query, that's why you got the error "Error in 'makeresults' command: This command must be the first command of a search.". What Splunk receives from your query "search | makeresults | eval nombre=\"denis\"" with the API call is this: makeresults | eval nombre="denis" AND NOT | makeresults | eval nombre="denis" https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTsearch#search.2Fv2.2Fjobs.2F.7Bsearch_id.7D.2Fresults
Hi @isoutamo @gcusello, I've actually found a different fix to this. Place a transparent rectangle over the top and have the interaction properties set on that. The pop-up menu doesn't show and I can still use the single value to adjust the text shown underneath. Thanks all for your suggestions!
It's hard to be sure not knowing your config and data but the typical case is that you're using both indexed fields as well as search-time json extractions.
As I wrote before - there's a good chance that your HFs don't use AD for authentication and authorization. In typical scenarios it's not needed. You might check /opt/splunk/bin/splunk btool authentication list authentication to see which authentication mechanism your HF is using.
Hi, I created a custom input using HEC in a distributed environment. When searching, I see that the values for the fields are duplicated, that is, for one event I have two values. Any ideas why this might be happening?
We recently configured the new sentinelone:channel:application_management:risks sourcetype and after the initial bulk ingest of historic events and a smaller and steadier number of events over subsequent days the risk channel has stopped pulling in any new events. It's been 8 days since any new events have come in from this channel. I've deleted and recreated the input a couple of times, adjusted the cron to every 5 minutes from every 12 hours and still nothing new is coming in. I suspect there's an issue with the checkpoint, but have not found anything conclusive, and as we are a Splunk Cloud customer my ability to dig beyond the logs is limited. See screenshot below for most recent logs from the risk channel.
| inputlookup regexes.csv | stats values(regex) as regex | eval regex="\"(".mvjoin(regex, "|").")\"" Apologies if I am misinterpreting, the above portion combines my regular expressions into a single value? I tried to do a "where match(field_value, regex)", but got a "regular expression is too large" error
Why is it that every time I set the event under (Security Domain=NETWORK) from the Content Management page, the value (Security Domain=Threat) appears on the Incident Review page even though I set it as NETWORK?
Most of the indexes we have right now are used for the same purpose of creating a report. It would have been ideal for me if they can use the Search menu (out-of-the-box UI) so it would save me the hassle of creating a custom UI to point datetime filtering to the correct field. However, I would say your recommendations do make sense. Thanks for the inputs!
Yes, this is the long term solution, I reckon. But it appears the AD team doesn't seem to know what's going on when I first escalated this to them. I'm fairly new to the team so I might need to investigate further. But as of now, I have been able to log in with the help of isoutamo's answer (see accepted solution). It turns out all the user accounts had been wiped out by the previous admins when I checked the list of active users. All good now. Thanks!!!