All Posts

That app is not Splunk Cloud supported, hence you can't install it. It might be worth contacting the developers of this app (not Splunk-developed) and seeing what options they offer you.
You will need to use the Splunk DB Connect application. It mentions that MongoDB Atlas is supported; you will need to install the drivers etc. https://docs.splunk.com/Documentation/DBX/3.17.1/DeployDBX/AboutSplunkDBConnect There are many steps, so work through them slowly and do not miss any. This is a good link to get an overview of DB Connect, but you will have to set up for MongoDB as you go along: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Extending_the_Platform/Configuring_Splunk_DB_Connect
My Splunk instance (Splunk Enterprise Server 9.0.8) is a standalone for demo purposes, hence it has only demo data. It should only show data for 'All time', as all the data are from 2022-2023. I saved the time input with 'All time' as the default, but on page load it is not showing any data in the whole dashboard. Next I select any other time option, and then on selecting 'All time' again the whole dashboard starts showing all the expected data. Please help me.
Why do I keep getting this error on ACS?
information on securing this, see https://docs.ansible.com/ansible-core/2.11/user_guide/become.html#risks-of-becoming-an-unprivileged-user
FAILED - RETRYING: Restart the splunkd service - Via CLI (60 retries left).
FAILED - RETRYING: Restart the splunkd service - Via CLI (59 retries left).
FAILED - RETRYING: Restart the splunkd service - Via CLI (58 retries left).
FAILED - RETRYING: Restart the splunkd service - Via CLI (57 retries left).
FAILED - RETRYING: Restart the splunkd service - Via CLI (56 retries left).
FAILED - RETRYING: Restart the splunkd service - Via CLI (55 retries left).
FAILED - RETRYING: Restart the splunkd service - Via CLI (54 retries left).
FAILED - RETRYING: Restart the splunkd service - Via CLI (53 retries left).
FAILED - RETRYING: Restart the splunkd service - Via CLI (52 retries left).
Hi, for a personal project I am using MongoDB Atlas and Splunk. I would like to ingest my logs from MongoDB Atlas into Splunk. Is there any documentation or method to achieve this? Thank you!
Hello, how can I get all the pod names with a query where the value is between 1.5 and 2.5? I can share a sample SignalFx query for better understanding. How can I write an equivalent Splunk query for this?
Can anyone suggest use cases for the Admin role?
I use Splunk Cloud version 9.1.2312.103
Doesn't look like what I need, it's just a dashboard. I need this: https://docs.splunk.com/Documentation/ES/7.1.0/RBA/ViewMitreMatrixforRiskNotable#View_the_MITRE_ATT.26CK_posture_for_a_risk_notable The problem is that the event doesn't have this (MITRE ATT&CK Posture for this Notable) information in the notable... how do I add it?
Hello, I need to install REST API Modular Input but I get this error:
Hi @dtburrows3 , Thank you for your prompt response and it worked. Really appreciate your assistance.
Hi @user487596, as I said, I always use the MITRE ATT&CK app, but if you want to use only the Security Essentials, see this: https://docs.splunk.com/Documentation/SSE/3.8.0/User/MITREFramework Ciao. Giuseppe
That's correct, the behaviour of Splunk is that any configuration (props/transforms) in local will override the app default settings. As long as you use the same sourcetype name that's in the Windows TA and use that in your custom TA, they can live side by side and the local will override. Note: the other Windows TA settings will still kick in, but yours will override.
Hi All, hopefully someone can help with this. We have logs that contain JSON where one of the fields can have multiple groups/entries. I would like to unwind/expand the groups to have a separate output per line. I think I have to use the mvzip command but I'm having issues with syntax. Example data/query below...
    | makeresults format=json Data="[ { \"event\": \"AGREEMENT_ACTION_COMPLETED\", \"participantUserEmail\": \"123456789@test.com\", \"agreement\": { \"id\": \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\", \"status\": \"OUT_FOR_SIGNATURE\", \"participantSetsInfo\": { \"participantSets\": [ { \"memberInfos\": [ { \"id\": \"abcdefg\", \"email\": \"abcdefg@test.com\", \"company\": null, \"name\": \"test o'test\", \"privateMessage\": null, \"status\": \"ACTIVE\" } ], \"order\": \"1\", \"role\": \"SIGNER\", \"status\": \"WAITING_FOR_OTHERS\", \"id\": \"abcdefg1234\", \"name\": null, \"privateMessage\": null }, { \"memberInfos\": [ { \"id\": \"hijklmno\", \"email\": \"hijklmno@test.com\", \"company\": null, \"name\": null, \"privateMessage\": null, \"status\": \"ACTIVE\" } ], \"order\": \"1\", \"role\": \"SIGNER\", \"status\": \"WAITING_FOR_MY_SIGNATURE\", \"id\": \"hijklmno1234\", \"name\": null, \"privateMessage\": null } ] }, \"documentsInfo\": null, \"agreementViewRequest\": null } }]"
    | spath output=eventType path=event
    | spath output=agreementId path=agreement.id
    | spath output=agreementStatus path=agreement.status
    | spath output=participantUserEmail path=participantUserEmail
    | rename participantSets{}.membersInfos{}.email as memberEmail, participantSets{}.status as memberStatus
    | table _time, agreementId, eventType, agreementStatus, participantUserEmail, memberEmail, memberStatus
I still see only one line of output, and the 'memberEmail' and 'memberStatus' fields are showing as blank, whereas I want to see one line of output to match every entry under the 'participantSets' field. Any help appreciated.
@gcusello, the application is cool, but I would like to understand the built-in capabilities. Is there any documentation or tips on how to set up visualization without third-party applications?
Hi @user487596 , yes, in Security Essentials App you have also a MITRE visualization, but I'm hinting to use the above MITRE ATT&CK app. Ciao. Giuseppe
Hi @sswigart, as @dtburrows3 also said, SEDCMD removes a part of the event, not the entire event. If you want to remove the full event before indexing, see https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Ciao. Giuseppe
Ah! I think I get it now. So basically we leave Splunk_Windows_TA alone and then simply create a new TA with a /local/props.conf and transforms.conf that override that sourcetype. Is this understanding correct?
@gcusello, what about the MITRE ATT&CK Framework in Splunk Security Essentials, which, as I understand it, is already built in? Is it impossible to work with it, or is it easier with your application?
Hi @user487596, install it from Splunkbase. I always use it: you'll find useful use cases for ES inside it. Ciao. Giuseppe