We are already ingesting Salesforce data via the Salesforce for Splunk Add-on. I have a requirement to monitor when an admin permission set has been assigned to a user and what changes that user makes. Has anyone fulfilled a similar requirement? So far I have found a list of the following objects that could provide the information I need to see when a permission set is assigned to a user (https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionsetassignment.htm) but I am not sure how to track what changes that admin user makes. Can you help?
It depends on the format of phone number that you want and any range constraints on the number. Essentially, random() returns a "random" potentially large integer. This is usually reduced in range by using a modulus operation, e.g.

| eval number=random() % 1000000

This will give you an integer below a million. Alternatively, you could randomise parts of the number, e.g.

| eval number = "1-".printf("%0.3d", random() % 1000)."-".printf("%04d", random() % 10000)
In a fully managed Splunk Cloud context, we don't have access to the file system, so we can't readily edit the custom.dat file. This is a plea to the developers: could you please update this app to address this need? Thanks!
How do I format a returned int into a phone number with the hyphen using the eval random function? What I have so far:

| eval PhoneNumber = (random() )
Guys, thanks for the valuable hints and posts. This time I managed to do it by myself. Here is my new, working query:

index="odp" OR index="oap" txt2="ibum_p"
| eval c_e = mvindex(split(c_e,","),0)
| eval c_e=coalesce(c_e,e)
| stats values(*) by c_e

So critical in my case was renaming the field. Instead of rename I use coalesce and it helped. Stats now returns values from both indexes. K.
Any details on adding the use of AWS IAM Roles Anywhere with the Splunk Add-on for AWS?
Apologies, but I would really appreciate a more detailed set of instructions - I can't get my head round how adding a checkbox helps with the encryption and how to actually achieve this. Many thanks!
Thanks for the response - I expect about 5 results for each reference result, so I set maxsearches=5. However, nothing I have tried produces any results. Boss? You mean team SME? Don't actually have one of those; we are in a help-yourself environment. Everything I've done with the above query results in a msg that says "unable to run query", specifying the query after the map.
You are parsing HdtIn and HdtOut twice with strptime using different formats. Only one of the formats is working. Use that to parse the times into epoch format and find the difference between these times.
Not able to extract the difference. Query:

(index="events_prod_gmh_gateway_esa") SPNLDSCR*
| spath Y_CONV
| search Y_CONV=CACAFORM
| spath ID_FAMILLE
| search ID_FAMILLE=CAFORM
| eval Time_in = "20" + substr(sRefInt, 9, 15)
| eval Processing_Start_Time = strptime(HdtIn,"%Y%m%d%H%M%S.%q"), Processing_End_Time = strptime(HdtOut,"%Y%m%d%H%M%S.%q"), Reception_Time = strptime(Time_in,"%Y%m%d%H%M%S.%q")
| eval Processing_Start_Time_1 = strptime(HdtIn,"%m/%d/%Y %H:%M:%S.%6N"), Processing_End_Time_1 = strptime(HdtOut,"%m/%d/%Y %H:%M:%S.%6N"), Reception_Time_1 = strptime(Time_in,"%Y%m%d%H%M%S.%q"), diff = Processing_End_Time_1 - Reception_Time_1
| convert ctime(Processing_Start_Time), ctime(Processing_End_Time), ctime(Reception_Time)
| table _time, ID_FAMILLE, MSG_TYP_CONV, MSG_TYP_ORIG, sRefInt, Reception_Time, Processing_Start_Time, Processing_End_Time, Processing_Start_Time_1, Processing_End_Time_1, Reception_Time_1, diff
Hi all, I'm working on a project to create some dashboards that display a lot of information, and one of the questions that I'm facing is how to know if Nessus scans are credentialed. I looked at some events, and they indicate the check type: local. Does this mean it is credentialed? Thanks in advance for any information that may help.
Have you tried | fields *Read*  ?
You have the right idea, but the strptime format strings don't match the example data. Then simply subtract one from the other to get the difference. Try this:

| eval Processing_Start_Time = strptime(HdtIn,"%m/%d/%Y %H:%M:%S.%6N"), Processing_End_Time = strptime(HdtOut,"%m/%d/%Y %H:%M:%S.%6N"), Reception_Time = strptime(Time_in,"%Y%m%d%H%M%S.%q"), diff = Processing_End_Time - Reception_Time
How do I do a for loop one-liner in a Splunk SOAR playbook? The assignments below used == (a comparison), which does not store anything; = is the assignment operator:

for i in code_1__output1:
    code_1__output5 = i.split(":")[0]
    if code_1__output5 == "ipaddress":
        code_1__output4 = str(code_1__output5)
Hello! I have the following search:

| mstats avg(*) as * WHERE index=indexhere host=hosthere span=1 by host
| timechart span=1m latest(*) as *

What I am trying to do is only show the fields that contain the word "read" somewhere in the field name. Each field name is different and doesn't have "read" in the same place or before/after the same special characters either. I have tried fixing this with different commands but can't seem to find a good solution. Thanks in advance
@kp_pl wrote:

index="odp" OR index="oap" txt2="ibum_p"
| rename e as c_e
| eval c_e = mvindex(split(c_e, ","), 0)
| stats values(*) by c_e

line 1 - two indexes joined and one of them filtered (to create OneToOne relation).

To clarify, line 1 does *not* join the indexes nor does it create a one-to-one relation. The OR operator tells the search peers to select all events from the odp index and the events in the oap index where the txt2 field has the specified value. No relationship between the two indexes is made or implied and none should be inferred. To create a relationship, use the join (not preferred), transaction (also not preferred), or stats (preferred) command to associate the events by common fields, as in line 4.
Hi, can you please let me know how we can find the difference in time between 2 timestamp fields. For example, the 2 timestamp fields are in the below format:

Reception_Time = 06/21/2024 08:58:00.000000
Processing_End_Time = 06/21/2024 09:52:55.000000

Query:

(index="events_prod_gmh_gateway_esa") SPNLDSCR2406210858000001000
| spath Y_CONV
| search Y_CONV=CACAFORM
| spath ID_FAMILLE
| search ID_FAMILLE=CAFORM
| eval Time_in = "20" + substr(sRefInt, 9, 15)
| eval Processing_Start_Time = strptime(HdtIn,"%Y%m%d%H%M%S.%q"), Processing_End_Time = strptime(HdtOut,"%Y%m%d%H%M%S.%q"), Reception_Time = strptime(Time_in,"%Y%m%d%H%M%S.%q")
| convert ctime(Processing_Start_Time), ctime(Processing_End_Time), ctime(Reception_Time)
| table _time, ID_FAMILLE, MSG_TYP_CONV, MSG_TYP_ORIG, sRefInt, Reception_Time, Processing_Start_Time, Processing_End_Time
Based on the data, I expect 2-4 rows per single REFERENCE_VAL.
Sorry for the delay on this; no, I don't really have an answer to that one. You might open a support ticket for advice there. In my instances, I generally tried to minimize the amount of events it was being sent.
Please post some anonymised sample events from both indexes, a description of what it is you are trying to achieve, and some expected output.