All Posts

Good day @Venkata.Vadlamani, hope you are well. Did you ever manage to get the monitoring right with Fargate? I need to install the same on containers and also have Java and .NET agents. Please advise? Regards, Shane.
Hi, our company is using Splunk Enterprise with 600GB/day for our SOC, and now we would like to use this license to extend for our new Private Cloud Managed SOC. Is it possible and legal under the Splunk license terms?
Try something along these lines:

1. Have the "button" set a token, e.g. "add_comment".
2. Have a (hidden) search which is dependent on the token, e.g. | eval _active="$add_comment$"
3. Update the lookup in the (hidden) search (using the text box token).
4. In the <done> handler of the search, unset the "add_comment" token.

The idea is that the (hidden) search is executed whenever the add_comment token is not null, and it resets the token to null when the search is complete (ready for the next time).
Hi @hohyuon, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @P47R14RCH, even I'm facing the same issue, did you find any solution?
Hi all, I am trying to add a text box and a button to a visualisation as a way of adding a 'commentary' on the chart. For example, if the chart shows something unusual, I'd like to be able to enter a reason in the text box, e.g. 'Some figures for this month are missing', then click the button and the current date and that comment from the box would be added to the lookup. I do currently have a solution of sorts but it's very clunky, as it involves setting a token in a text box and then an HTML button which opens a URL, but the URL is actually the search (search?q=%7Cmakresults%0A%7Ceval%20Date%3D...). This results in a new tab being opened and the
What is it you are trying to do? What is the "' or 1=1; --" supposed to be doing? Please share some anonymised representative events so we can see what you are dealing with (amazingly, we don't have access to your systems or your data!)
OK That's funny! ChatGPT! No wonder you still have issues! 
Do you mean something like this:

<row>
  <panel depends="$stayhidden$">
    <html>
      <style>
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) {
          display: flex !important;
        }
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) .multivalue-subcell {
          padding-left: 4px;
          padding-right: 4px;
          margin-left: 4px;
          margin-right: 4px;
          border: 2px solid white !important;
          border-radius: 8px !important;
          color: white !important;
          box-shadow: inset 0 0 3px 0 rgba(0,0,0,.4), inset 0 0 3px 5px rgba(0,0,0,.05), inset 2px 3px 4px 0 rgba(255,255,255,.6), 2px 2px 4px 0 rgba(0,0,0,.25) !important;
        }
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) .multivalue-subcell:hover {
          box-shadow: inset 0 0 3px 0 rgba(0,0,0,.4), inset 0 0 3px 5px rgba(0,0,0,.05), inset 2px 3px 4px 0 rgba(255,255,255,.6), 0 12px 16px 0 rgba(0,0,0,0.24), 0 17px 50px 0 rgba(0,0,0,0.19) !important;
          transform: translateY(-1px) !important;
        }
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) .multivalue-subcell:active {
          box-shadow: inset 0 0 3px 0 rgba(0,0,0,.4), inset 0 0 3px 5px rgba(0,0,0,.05), inset 2px 3px 4px 0 rgba(255,255,255,.6), 0 8px 16px 0 rgba(0,0,0,0.24), 0 13px 50px 0 rgba(0,0,0,0.19) !important;
          transform: translateY(2px) !important;
        }
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) .multivalue-subcell {
          background-color: yellow !important;
          color: black !important;
        }
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) .multivalue-subcell[data-mv-index="0"] {
          display: none !important;
        }
      </style>
    </html>
  </panel>
  <panel>
    <table id="states">
      <title>States $state$</title>
      <search>
        <query>| makeresults count=10 | eval event=random() % 3 | eval state=mvindex(split("ACTIVE,SLEEP,DEAD",","),random() % 3) | stats values(state) as state by event | eval state=mvappend("extra",state)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">row</option>
      <drilldown>
        <eval token="state">$click.value2$</eval>
      </drilldown>
    </table>
  </panel>
</row>
Hi @Ahmed_340 , see in the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435 ) you can find your Use Case and also test data. Ciao. Giuseppe
Hello, I am a newbie. Where can I get the demo data to practice different attack detection in Splunk Enterprise?
Here is the fresh code:

index="dvwa_logs" host="DESKTOP-OKV6K44" sourcetype="access_combined" (" ' or 1=1; -- " OR " admin' OR '1'='1 ") | stats count by source_ip, uri, _time

Still not working. I have injected ' or 1=1; -- in the input field.
I am a newbie, please help me to correct my code. Tried to correct that with ChatGPT; it said the code is OK.
Does anybody know, when I click a value in a table cell, how I can render an input button?
I have one more question. Can I use one Heavy Forwarder for all apps with script inputs, or would it be better to deploy a separate instance for every app? Thanks for your help!
Hello @rrovers, you can update the truncate limit on the first Splunk Enterprise instance that the data encounters. If your data flow is UF -> IUF -> Indexers or UF -> Indexers, you need to place the following sourcetype configuration on the indexers. If your data flow is UF -> IHF -> Indexers, you'll need to place the sourcetype configuration on the IHF. Here, IUF and IHF refer to Intermediate Universal Forwarder and Intermediate Heavy Forwarder respectively.

[<<sourcetype>>]
TRUNCATE = <<max_length_of_event>>

Also, you can set TRUNCATE to any value you wish.
---
Thanks, Tejas.
The search you have posted is not valid - please share the actual search with minimal anonymisation. Please share in a code block </> to preserve spacing etc.
Your subject is very broad - how would anyone know what this was specifically about, especially given that it is already in a Dashboards & Visualizations section! Having said that, you then restrict your required solution to not include HTML - as @gcusello says, with these restrictions, it isn't possible (with current standard visualization options). However, if you would be prepared to expand your outlook, you could do something along these lines:

<row>
  <panel depends="$stayhidden$">
    <html>
      <style>
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) {
          display: flex !important;
        }
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) .multivalue-subcell {
          border: 2px solid black !important;
          padding-left: 4px;
          padding-right: 4px;
          margin-left: 4px;
          margin-right: 4px;
          border-radius: 8px !important;
        }
      </style>
    </html>
  </panel>
  <panel>
    <table id="states">
      <title>States</title>
      <search>
        <query>| makeresults count=10 | eval event=random() % 3 | eval state=mvindex(split("ACTIVE,SLEEP,DEAD",","),random() % 3) | stats values(state) as state by event</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>

Note that this doesn't work if there is only one value in the multivalue field (however, with a bit of extra work, this can be gotten around by inserting an additional value to the field and then hiding this value).
Thank you. I solved it.
I have installed DVWA over XAMPP and done some cross-site scripting. Now I want to detect that malicious activity in my Splunk Enterprise. I put the following command:

index="dvwa_logs" host="DESKTOP-OKV6K44" sourcetype="access_combined" ("' or 1=1; --" OR "admin' OR '1'='1") | stats count by source_ip, uri, _time

but I am not getting any result.