Hello, how can I get all the pod names with a query where the value will be in between 1.5 - 2.5? I can share a sample signalfx query for better understanding. How can I write an equivalent Splunk query for this?
Can anyone suggest use cases for the Admin Role?
I use Splunk cloud version 9.1.2312.103  
Doesn't look like what I need, it's just a dashboard. I need this: https://docs.splunk.com/Documentation/ES/7.1.0/RBA/ViewMitreMatrixforRiskNotable#View_the_MITRE_ATT.26CK_posture_for_a_risk_notable The problem is that the event doesn't have this (MITRE ATT&CK Posture for this Notable) information in the notable... how to add it?
Hello, I need to install REST API Modular Input but I get this error:
Hi @dtburrows3 , Thank you for your prompt response and it worked. Really appreciate your assistance.
Hi @user487596, as I said, I always use the MITRE ATT&CK app, but if you want to use only the Security Essentials, see this: https://docs.splunk.com/Documentation/SSE/3.8.0/User/MITREFramework Ciao. Giuseppe
That's correct, the behaviour of Splunk is that any code (props/trans) in local will override the app default settings. As long as you use the same sourcetype name that's in the Windows TA and use that in your custom TA, they live side by side and the local will override. Note: the other Windows TA settings will still kick in, but yours will override.
Hi All, hopefully someone can help with this. We have logs that contain JSON where one of the fields can have multiple groups/entries. I would like to unwind/expand the groups to have a separate output per line. I think I have to use the mvzip command but I'm having issues with syntax. Example data/query below:

| makeresults format=json Data="[ { \"event\": \"AGREEMENT_ACTION_COMPLETED\", \"participantUserEmail\": \"123456789@test.com\", \"agreement\": { \"id\": \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\", \"status\": \"OUT_FOR_SIGNATURE\", \"participantSetsInfo\": { \"participantSets\": [ { \"memberInfos\": [ { \"id\": \"abcdefg\", \"email\": \"abcdefg@test.com\", \"company\": null, \"name\": \"test o'test\", \"privateMessage\": null, \"status\": \"ACTIVE\" } ], \"order\": \"1\", \"role\": \"SIGNER\", \"status\": \"WAITING_FOR_OTHERS\", \"id\": \"abcdefg1234\", \"name\": null, \"privateMessage\": null }, { \"memberInfos\": [ { \"id\": \"hijklmno\", \"email\": \"hijklmno@test.com\", \"company\": null, \"name\": null, \"privateMessage\": null, \"status\": \"ACTIVE\" } ], \"order\": \"1\", \"role\": \"SIGNER\", \"status\": \"WAITING_FOR_MY_SIGNATURE\", \"id\": \"hijklmno1234\", \"name\": null, \"privateMessage\": null } ] }, \"documentsInfo\": null, \"agreementViewRequest\": null } }]"
| spath output=eventType path=event
| spath output=agreementId path=agreement.id
| spath output=agreementStatus path=agreement.status
| spath output=participantUserEmail path=participantUserEmail
| rename participantSets{}.membersInfos{}.email as memberEmail, participantSets{}.status as memberStatus
| table _time, agreementId, eventType, agreementStatus, participantUserEmail, memberEmail, memberStatus

I still see only one line of output, and the 'memberEmail' and 'memberStatus' fields are showing as blank, whereas I want to see one output line to match every entry under the 'participantSets' field. Any help appreciated.
@gcusello , The application is cool, but I would like to understand the built-in capabilities. Is there any documentation or tips on how to set up visualization without third-party applications?
Hi @user487596, yes, in the Security Essentials App you also have a MITRE visualization, but I'm suggesting you use the above MITRE ATT&CK app. Ciao. Giuseppe
Hi @sswigart, as @dtburrows3 also said, SEDCMD removes a part of the event, not the entire event. If you want to remove the full event before indexing, see https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Ciao. Giuseppe
Ah! I think I get it now. So basically we leave Splunk_Windows_TA alone and then simply create a new TA with a /local/props.conf and transforms.conf that override that sourcetype. Is this understanding correct?
@gcusello, what about the MITRE ATT&CK Framework in Splunk Security Essentials, which, as I understand it, is already built in? Is it impossible to work with it, or is it easier with your application?
Hi @user487596, install it from Splunkbase. I always use it: you'll find inside it useful Use Cases for ES. Ciao. Giuseppe
Thanks, saved me loads of redundant coding! i.e. elegant new solution setting dashboard tokens:

| sort 0 area -error_rate
| dedup area
| eval x=area+"_service_id"
| eval {x} = service_id
| fields - x service_id
| eval x=area+"_service"
| eval {x} = service
| fields - x service
| eval x=area+"_value"
| eval {x} = error_rate
| fields - x error_rate
| eval x=area+"_color"
| eval {x} = color
| fields - x color
| fields - area _time
| stats values(*) as *
Hi @andgarciaa, you can find more info at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Propsconf and, answering your question:

TRUNCATE = <non-negative integer>
* The default maximum line length, in bytes.
* Although this is in bytes, line length is rounded down when this would otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of garbage data).
* Default: 10000

There isn't a general guideline: usually the TRUNCATE value is defined by the specific Add-On you're using and it's related to the technology you're using. If you are ingesting a custom log, you have to choose the correct one by yourself. Ciao. Giuseppe
Hi @gcusello, I don't see "MITRE ATTACK App for Splunk" in apps; yes, I'm working inside Enterprise Security.
Hi, I am running a search to get a count of IPs from yesterday & last month.

index=<> source="/****" IP!="10.*" [| inputlookup ip_tracking.csv | rename MIDS AS MID | format ] earliest=-30d@d latest=now
| eval ReportKey="Last30Day"
| append [search index=<> source="/****" IP!="10.*" [| inputlookup ip_tracking.csv | rename MIDS AS MID | format ] earliest=-1d@d latest=@d | eval ReportKey="yesterday"]
| eval Day=if(_time<=relative_time(now(),"-30d@d"),"yesterday","Last30Day")
| stats count(eval(Day="yesterday")) AS yesterday count(eval(Day="Last30Day")) AS Last30Day BY IP

This search is giving me all results in Month but not in yesterday. Can you help me in correcting the query?
Hi @user487596, to help you I need some additional information: what's your issue? Did you install the Splunk MITRE ATT&CK app (https://splunkbase.splunk.com/app/4617)? Are you working inside Enterprise Security or not? Ciao. Giuseppe