Hi @isoutamo @gcusello  I've actually found a different fix to this. Place a transparent rectangle over the top and have the interaction properties set on that. The pop-up menu doesn't show and I can still use the single value to adjust the text shown underneath. Thanks all for your suggestions!
It's hard to be sure not knowing your config and data, but the typical case is that you're using both indexed fields as well as search-time JSON extractions.
As I wrote before - there's a good chance that your HFs don't use AD for authentication and authorization. In typical scenarios it's not needed. You might check /opt/splunk/bin/splunk btool authentication list authentication to see what authentication mechanism your HF is using.
Hi, I created a custom input using HEC in a distributed environment. When searching, I see that the values for the fields are duplicated, that is, for one event I have two values. Any ideas why this might be happening?
We recently configured the new sentinelone:channel:application_management:risks sourcetype and after the initial bulk ingest of historic events and a smaller and steadier number of events over subsequent days the risk channel has stopped pulling in any new events. It's been 8 days since any new events have come in from this channel. I've deleted and recreated the input a couple of times, adjusted the cron to every 5 minutes from every 12 hours and still nothing new is coming in. I suspect there's an issue with the checkpoint, but have not found anything conclusive, and as we are a Splunk Cloud customer my ability to dig beyond the logs is limited. See screenshot below for most recent logs from the risk channel.
| inputlookup regexes.csv | stats values(regex) as regex | eval regex="\"(".mvjoin(regex, "|").")\""   Apologies if I am misinterpreting, the above portion combines my regular expressions into a single value? I tried to do a "where match(field_value, regex)", but got a "regular expression is too large" error.
Why is it that every time I set the event under (Security Domain=NETWORK) from the Content Management page, the value (Security Domain=Threat) appears on the Incident Review page even though I set it as NETWORK?  
Most of the indexes we have right now are used for the same purpose of creating a report. It would have been ideal for me if they can use the Search menu (out-of-the-box UI) so it would save me the hassle of creating a custom UI to point datetime filtering to the correct field. However, I would say your recommendations do make sense. Thanks for the inputs!  
Yes, this is the long term solution, I reckon. But it appears the AD team doesn't seem to know what's going on when I first escalated this to them. I'm fairly new to the team so I might need to investigate further. But as of now, I have been able to log in through the help of isoutamo's answer (see accepted solution). It turns out all the user accounts have all been wiped out by the previous admins when I checked on the list of active users. All good now. Thanks!!!
I am having issues with action extraction on my Windows add-on. For example, the eventcode 4624 should have an action value of success, but nothing is being extracted, and this eventcode constitutes the majority of the data. The status is being extracted correctly as success. Does anyone know how action is being extracted for this eventcode?
Hey there, Results of the | fit command are affected by the time range picker. Once you set the time range to all time, _time is displayed normally.

Edit: I looked into the interaction between inputlookup + fit + time range picker. As documented here, the results of the fit command are appended to the initial dataset. In this case, the expected outcome would be that the resulting table includes only rows that are covered by the time range picker. However, the following happens:

Time range picker: All time
Resulting table: Initial dataset + output of fit command
Result: OK, expected result

Time range picker: Some time before the first observation - now
Resulting table: Initial dataset + output of fit command
Result: OK, expected result (Warning: The specified span would result in too many (>50000) rows.)

Time range picker: About halfway through the dataset timestamps - now
Resulting table: Initial dataset + output of fit command
Result: OK, unexpected result (Warning: The specified span would result in too many (>50000) rows.)

Time range picker: After some time of the last observation - now
Resulting table: Initial dataset + output of fit command
Result: OK, unexpected result (Warning: The specified span would result in too many (>50000) rows.)

Time range picker: Some time before the first observation - some time stamp after the last observation
Resulting table: output of fit command
Result: NOT OK, unexpected result

I checked the sources that were available to me (search.log, .py files) but sadly this did not suffice to reverse engineer how the initial dataset and the output of the fit command are merged and filtered. It seems that earliest has no effect, but once latest is set to a timestamp, the behavior becomes unexpected.
Hi all, is there a way to use one deploy server to push apps to 2 different search head clusters? For example, I have a search head cluster named site1 and I want to install a new search head cluster named site2, then push some apps to site1 and different apps to site2, so I can control which app will be pushed to each site.
Thanks for the answer, but unfortunately that doesn't solve the issue. And I'm puzzled how a platform like SOAR doesn't provide granular user & role permissions. We should be able to define that a user can only assign containers/tasks to other users within its role, instead of everybody (or similar)... Because the default settings allow a given user to assign a container to whichever user or role he wishes... Does anyone know if there is a way using the REST API or playbooks?
Hi @isoutamo, thank you for your support. It was a mistyping; the issue was that the searchmatch() function doesn't run in INGEST_EVAL. Using the match() function, my INGEST_EVAL is working. Thank you again for your support. Ciao. Giuseppe
I could see we need to use the splunklib library in custom command creation, but when I try to install the library I am getting an exception due to its dependency download, which is pycrypto, which I understood is not supported in Splunk version 9.x. Is there an alternate way to do it?
Hi @ques_splunk, good for you, see next time! Let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hello everyone, I have a problem with protocol detection in Splunk logs! I see BitTorrent everywhere in my logs and the traffic is not BitTorrent! But I tracked the traffic and it's between a network device and a monitoring tool. I have DPI (deep packet inspection) installed as an Aux, but it seems to be a wrong app detection in Splunk. What should I do? Is there any help with that? #SPLUNK
What difference are you expecting? Are you trying to say that in your example kb is 1000-based and you want to convert to 1024-based? That is not what memk does. In this case just do | eval KB=round(kb/1.024,3) If they are both 1024-based, then they are the same number, so memk will not do anything.
Apart from what @richgalloway already pointed out, the question is what are you trying to do. If you're trying to spawn a subsearch for each event from the base search... that doesn't work this way. You could use map to spawn a separate search for each result row, but that's a highly ineffective method. You're probably better off appending two separate result sets and doing some magic on that compound data to get your results.