All Posts

Basic search for doing this is index... | eval isInWindow = if (_time > relative_time(now(),"-241m@m") AND _time < relative_time(now(),"-1m@m"),1,0) | stats sum(isInWindow) as A which sets isInWindow to be 1 or 0 depending on whether it's in or out then just summing the field. As for calculating sliding windows, streamstats is a way to do that, but you could also just do maths to set various counters using the same relative_time logic and then sum those counters. There are other ways, but it depends on what you want to do with that
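As an added example (not code from either post), one way to get the rolling 4-hour counts the question asks about with streamstats, assuming the same index, sourcetype and search string the question uses; timechart fills empty hours with a count of 0 so the window always covers exactly four buckets, and the last step drops the leading partial windows:

```spl
index=anIndex sourcetype=aSourceType aString earliest=-481m latest=-1m
| timechart span=1h count AS events_per_hour
| streamstats window=4 sum(events_per_hour) AS events_last_4h count AS buckets_in_window
| where buckets_in_window = 4
| eval window_start = strftime(relative_time(_time, "-3h"), "%Y-%m-%d %H:%M"),
       window_end   = strftime(relative_time(_time, "+1h"), "%Y-%m-%d %H:%M")
| table window_start window_end events_per_hour events_last_4h
```

The buckets here are aligned to whole hours rather than to "-1m@m", so the windows are offset slightly from the -241m/-1m and -300m/-60m boundaries in the question.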
I would consult the Nessus forums. 
I think what I am trying to do is relatively easy? I want to query looking back -8 hours then count the # of events that are in a specific 4 hour window. index=anIndex sourcetype=aSourceType aString earliest=-481m latest=-1m | eval aTime2 = _time | eval A = if (aTime2 > relative_time(now(),"-241m@m") AND aTime2 < relative_time(now(),"-1m@m"),(A+1),A) | table A, aTime2 I would also want a count for the next sliding 4 hr window (-300m to -60m); there are a few more, but I'm just trying to figure out the first one for now. I was expecting my variable "A" to show how many of my matched events occur within the first 4 hr period, but it's empty? Am I going about this incorrectly, not seeding "A" with a 0 start value? What am I missing?
I had a quick question about the resources on my indexer. I have a dev environment with a forwarder, indexer, and SH. On all of the servers, I have an IO Wait error. Investigating, I could turn that alert off, or I could look at the actual resources available on the machine. Looking through it, it looks as if I may need more resources. Looks like I only have 2 cores? and about 7 GB of RAM. Min specs recommended by Splunk are: An x86 64-bit chip architecture. 12 physical CPU cores, or 24 vCPU at 2 GHz or greater per core. 12 GB RAM. This is what I have: Would this explain these errors:
System iowait reached red threshold of 3
Maximum per-cpu iowait reached red threshold of 10
Sum of 3 highest per-cpu iowaits reached red threshold of 15
Before I started trying to redo our Dev env from the ground up, we were receiving these errors and they haven't gone away. Thanks for any help
Hi All, I'm working on a project to create some dashboards that display a lot of information, and one of the questions that I'm facing is how to know if Nessus scans are credentialed. I looked at some events, and it indicates the check type: local. Does this mean the scan is credentialed? I also tried to look into the events to see if there is anything that indicates that the scan is authenticated. Thanks in advance for any information that may help.
HFs process data transparently so there's no way to track the flow of events.  Many customers work around that by having the HF add a field to every event where the value of the field is the HF's name.
Are you using the F5 BIG-IP platform? If so, the Splunk Add-on for F5 BIG-IP seems like the right direction. https://splunkbase.splunk.com/app/2680 Documentation, including installation and data forwarding instructions, can be found here: https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/About
Does it appear when you change the search results to the "visualization" tab, then switch the visualization to "Line Chart"? Alternatively could you try: <your search that extracts the fields> | timechart mode(target) as target mode(state) as state mode(cavity) as cavity
There is a minimum basic instance specification for a production-grade Splunk Enterprise deployment in this page: https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Referencehardware E.g. An x86 64-bit chip architecture 12 physical CPU cores, or 24 vCPU at 2 GHz or greater speed per core. 12 GB RAM. A 1 Gb Ethernet NIC, optional second NIC for a management network. A 64-bit Linux or Windows distribution. See Supported Operating Systems in the Installation Manual. If you are just doing testing and can tolerate a lower performance, you can use lower specs. For estimating storage requirements, it would depend on how many days of retention you would keep for your <100MB/day, and how compressible your log data is. You could throw a couple tens of gigabytes into it and see how the disk space taken by data grows.
I have accomplished the rex using the field extractor, but as for plotting the values this is not of much help. I'd like to plot the values found with the associated timestamp of the event into a line chart.
Hello, hope this message finds you all well. I have moved to the role of Splunk admin recently and I need to install the Splunk Enterprise package (single instance) for lab purposes. Further, Splunk Enterprise Security and the Splunk SOAR app will be installed on the same server as well. The lab is just for demo and some R&D purposes and the daily ingestion will be less than 100 MB. I have the license and the Enterprise Security package from my previous lab setup. I need some suggestions on what vCPU, storage and RAM I should proceed with. Thanks in advance
| rex "target: Temp\((?<target>\d+)\), state: Temp\((?<state>\d+)\), cavity: (?<cavity>\d+)"
I would like to extract the Message, Timestamp, and serial fields. Then I would like to plot target: Temp(315600), state: Temp(315600), cavity: 178900, each on individual plots based on the time series. I take it I will have to use a rex command to extract the bolded values from the message field. How would I go about this? {"bootcount":10,"device_id":"71ff6686fa5347828e3668e59249d0be","environment":"prod_walker", "event_source":"appliance","event_type":"GENERIC","location": {"city":"","country":"XXX","latitude":XXX,"longitude":XXX,"state":""}, "log_level":"info","message":"hardware_controller: TestState { target: Temp(315600), state: Temp(315600), cavity: 178900, fuel: None, shutdown: None, errors: test() }", "model_number":"XXXX","sequence":1411,"serial":"XXXX","software_version":"2.2.2.7641","ticks":158236,"timestamp":1717972790}
Hello, I hope all is well. Need your help to monitor the F5 Interface utilization throughput (performance Monitor). Any Idea! @community  #performanceMonitor
Hello, a question: I'd like to ask if it is possible to convert an Elasticsearch machine learning anomaly detector model to a Splunk Machine Learning Toolkit model?
Hi, I am running Splunk 9.0.9 with Splunk Add-on for Sysmon 4.0.1 and Sysmon Security Monitoring App for Splunk 4.0.13. I configured the alerts to be sent by email and I am receiving many of them (false positives, thank God). At this point I have two issues: - The field "Body" is always empty. Reviewing the macros included in the app, they seem to be created for the non-XML sysmon events. I changed the inputs.conf from the TA-Windows-Sysmon addon without success. The events continue flowing in in XML format.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 0
source = WinEventLog:Microsoft-Windows-Sysmon/Operational
Did anyone face the same issue? How did you solve it? - I also would like to add an exception list of processes to reduce the amount of alerts, whitelisting some well known Windows executables or tools. Has anyone done that? Could you tell me the approach you took? Thanks a lot. I am checking other alternatives like Cyences https://splunkbase.splunk.com/app/5351. Any opinion?
where the last 4 digits contain any number from 0 to 9
Thanks for the reply. I actually need a 7 digit format like "555-XXXX".
Hi @Scott.Lucier, I spoke with a PMM on my team and this is what they shared with me. In my opinion, the better way is to create an action suppression. You would need three: one for 5 PM to midnight M-F, one from 21:00 AM to 6 AM M-F, and a third for all day Sat-Sunday. Action suppression is a feature that is meant for this purpose, and can be used globally for an application or environment, for all HRs, so you do not have to re-create each HR.
The random function only returns an integer and there is no way to force it to include hyphens in the output. Since the function may return an integer too small for a phone number, I suggest using multiple calls to build it. Here's an example using the North American Numbering Plan.
| eval PhoneNumber = (random() % 1000)."-".(random() % 1000)."-".(random() % 10000)
Additional massaging may be needed if you want more realistic phone numbers (no "001" for an area code, for example).