I am dealing with a similar issue
we use an HTTP template that works for the health rule-based events to call Webex and Opsgenie but it won't work for custom events. It is failing with the 400 error.
At this point my theory is that the template variables exposed by the custom event and the health rule-based event are not the same and, as a result, the HTTP template used for the health rule-based event is not working for the custom event.
Any thoughts?
I suppose it's more of a Docker question than a Splunk one. Having said that, I'd expect it to have no "practical" max value. It's probably more of a performance/resources thing (if you set it too high and let it gather those undeliverable messages you could hit OOM-killer and such).
Hi, this is probably a product related question. I have a requirement to monitor EDI files (834 - Enrolment file in Healthcare terms) end to end. I would like to see number of EDI files received, processed and saved, analyse the file processing failures. Which Splunk product(s) best suits my need?
Hi @Josh1890, please try this:
<your_search>
[| inputlookup malware_list.csv | rename malware_signature AS query | fields query ]
In this way you perform a full text search using the malware_signature field. Ciao. Giuseppe
Hello, I need help with the following scenario: Let's say I have a log source with browser traffic data; one of the available fields is malware_signature. I made a lookup table to filter the results by 10 specific malwares I'd like to be alerted on. All 10 entries have wildcards like so, with another field called classification:
malware_signature classification
*mimikatz* high
When I use inputlookup to filter the results it works well, but no matter what I tried I can't get the "classification" field to be added.
Works well for filtering:
[| inputlookup malware_list.csv | fields malware_signature]
classification field won't show:
[| inputlookup malware_list.csv | fields malware_signature classification]
Doesn't work:
[| inputlookup malware_list.csv | fields malware_signature] | lookup malware_list.csv malware_signature OUTPUT classification
Clarification: I use inputlookup for filtering the results to the logs I want to see by the malware_signature. After that I want to enrich the table with the classification field, but using the lookup command it won't catch the malware_signature with the wildcards.
Hello, you should check the DNS records on your server; I'm not sure the internal logs can help.
In the worst case, use this example:
props.conf
[host::<IP address>]
TRANSFORMS-<hostname>=<hostname>_override
transforms.conf
[<hostname>_override]
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::<FQDN>
I believe this article may be of use. "your splunk Id is same which you are using to log into splunk.com e.g. to Download Splunk Enterprise." https://community.splunk.com/t5/Knowledge-Management/Where-Can-I-find-my-Splunk-ID/m-p/516404 If this helped, karma is appreciated.
Hello fellow Splunkers! We want to ingest Oracle Fusion Application (SaaS) audit logs into Splunk on-prem, and the only way to do this is through the REST API GET method. So, now that I cannot find a REST input option in Splunk or any free add-on from Splunk for this task, all I have read over the internet is to develop a script. I need your support to share a sample Python script that should not only pull the logs but also avoid duplicate logs with every pull. Thanks in advance!
Hi @Jamilahmajed,
I’m a Community Moderator in the Splunk Community.
This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
Thank you!
We tried to do a similar thing but we found the data from VulDB lacking in terms of precision. The vulnerability description was free-form text; sometimes the affected versions of software were mentioned, sometimes not...
Hi @PickleRick, we are receiving the messages from VulDB, we form them and we send them to a customer external system. Then we receive assets from their asset management and we compare them with the daily CVEs; there are two fields in the record layout to do this. Ciao. Giuseppe
It would help if you told us where this setting is. You can't expect us to know everything that has the word "splunk" anywhere and be able to administer anything you throw at us. Yes, we're good, but maybe not that good.
At first you got me a bit confused since Splunk has its own internal audit logs... But since you're talking about output from auditd, there are indeed two paths you can go:
1) Limit the source by writing audit rules so that only relevant events are logged (this can also have the nice side effect of lowering load on your audited host slightly and decreasing storage needs).
2) Filter the data on the receiving end by props/transforms. This is a viable solution if you're gathering the audit logs in another place as well and want to limit only what is indexed in Splunk, or if you cannot write audit rules precisely enough.
Of course the general remarks from @gcusello about the "why" side of ingesting those logs are very much relevant.
You can use eventstats as @dtburrows3 already pointed out; just keep in mind that Splunk will put those sums into every single row in your results. It's not Excel, you cannot merge cells here.
@gcusello an off-topic question - were you able to do anything reasonable with the VulDB data? We tested the app for a while with one customer but it turned out the returned data was useless due to a complete lack of any reasonable structure to it.
You can't search data you don't have. So first you have to ask yourself if you have any data regarding your assets in your Splunk and if you do, what kind of information it contains.