I mean the content I have mapped in my MITRE ATT&CK in the last 7 days.
What is bookmarked data? Please share some anonymised, representative sample events showing the event data you are working with, and a representation of your expected results.
Hello, can you help me create a dashboard that contains the following charts/data?

Bookmarked content: a chart (of tstats counts) of the content that was bookmarked for the past 7 days, and a chart with the names of the alerts/detections that were bookmarked for the past 30 days.

And also, in this situation, how do I find the field name in my Splunk: bookmarked, bookmark? I use both of them in my query but it still is not working, or should we use "active"? Please propose a query. Help me find the exact field name in order to create the exact query. Thank you.
The print server OS is Windows Server 2019. I would like to get the PrintService-Admin log to Splunk. I tried the following in the input.conf of the Universal Forwarder on the print server:

[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0
index = winps

This is found in https://community.splunk.com/t5/Getting-Data-In/Microsoft-Windows-PrintService-Operational-Logs/m-p/77633, but I cannot find any events in the index. The log is enabled on the server, under Applications and Services Logs > Microsoft > Windows > PrintService.

I also tried to set up the data input from the web console to monitor the log files in the folder C:\Windows\System32\winevt\Logs with the regex Microsoft\-Windows\-PrintService.+\.evtx, so I can get Microsoft-Windows-PrintService%4Admin.evtx and Microsoft-Windows-PrintService%4Operational.evtx. But again, no event is shown for the index. Hope somebody can help with this. Thanks.
Hi, I hope all is well. I have struggled with the Data Model concept, as I seek to know why and when we use a data model and how it increases performance. I am fine with it being structured data that has three types of data sets, and I am also able to create one following the how-to. But why use it? When to use it? What is the main idea behind it?
It's working with your solution. @ITWhisperer Thanks for your help.
Two thoughts. In classic, you can probably use JavaScript to implement mouse-over or similar. (You can produce a "hidden" column named as an internal field, e.g., _fieldname.) Another method could be to produce the column with an ellipsis, then use a drilldown to display the full text. Here is an example of the latter:

<dashboard version="1.1" theme="light">
  <label>Very long text</label>
  <description>https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-dashboards/m-p/692394#M56730</description>
  <init>
    <set token="reveal_tok">init</set>
  </init>
  <search>
    <query>
      | makeresults format=csv data="reveal short"
    </query>
  </search>
  <row>
    <panel>
      <title>reveal = $reveal_tok$</title>
      <table>
        <search>
          <query>| makeresults format=csv data="fieldname not as long very very very very very very very very very very loooooooooooooooooooooog"
| rename fieldname as _fieldname
| eval fieldname = if(len(_fieldname) &gt; 50 AND len("$reveal_tok$") &lt; 51, substr(_fieldname, 0, 50) . " ... " , _fieldname)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="reveal_tok">$row._fieldname$</set>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

When the dashboard loads, the initial value of $reveal_tok$ is set to "init". If you click that ellipsis, the token's value becomes that of _fieldname (which is very long on this row). The drilldown therefore reveals the full string. If you click on that short string, $reveal_tok$ becomes the shorter string, so the drilldown changes the display back to an ellipsis for very long strings. There are other ways to do this, depending on your visualization needs and coding style.
That is not possible. What problem are you trying to solve?
The Kerio Control Admin Guide tells how to send syslog from Kerio Control.  Set-up and configuration of a syslog server is entirely separate and the details depend on which syslog server you choose.  I recommend Splunk Connect for Syslog (SC4S) because it's easy to set up and configure.  See https://splunk.github.io/splunk-connect-for-syslog/main/
Thanks so much. This 10 year old post helped me resolve my issue!
Is it possible to reconfigure Splunk to use _indextime instead of _time for data retention policy?
Why do the Approval settings work in some actions and not in others?
There are a number of ways to do this. To find which sourcetypes have zero events, create an event for each sourcetype with a zero count and add it to the count for the sourcetype; where the count is still zero, there were no events for that sourcetype.

| stats count by sourcetype
| append [| makeresults format=csv data="sourcetype,count
A,0
B,0
C,0
D,0
E,0
F,0"
| table sourcetype count]
| stats sum(count) as count by sourcetype
| where count=0
| eval count="No events found"
That worked!! One last thing: how do I display only specific sourcetypes out of (A B C D E) where the events for all the days = 0? reword this statement
https://conf.splunk.com/files/2020/slides/TRU1761C.pdf Here I found a good PDF... in fact starcher found it and I found his post.
When I try to install splunklib I am getting an error because of pycrypto, so I couldn't follow that.
Wow, the first link is a good source of knowledge, thanks a lot. There is one more SQL query I need to implement in Splunk but it is not present there. Maybe you could help. The most efficient way to inner join is something like:

index=db OR index=app
| eval join=if(index="db",processId,pid)
| stats sum(rows) sum(cputime) by join

But how to join two tables with a multicolumn key?

SELECT *
FROM mytable1
INNER JOIN mytable2
  ON (mytable1.mycolumn = mytable2.mycolumn AND mytable1.mycolumn2 = mytable2.mycolumn2)
@nguyens Thanks, it worked...
I have the same issue and believe it is caused by the last cloud update. I have not reported this as a bug yet.
Try implementing it using the class model.