Hey all, wondering if anyone has solved this problem before. Looking at the potential for taking a Splunk Cloud alert and using it to connect to Ansible Automation Platform to launch a template. Have looked into the webhooks; however, AAP is only configured to allow GitHub and GitLab webhooks on templates, it seems, and when attempting to post to the API endpoint to launch the template it would sit there and eventually time out. Wondering if anyone has explored this space before and if there are any suggestions on how to get this connection working.
There are no logs coming in from a VMgmt tool; I'm simply being handed a Critical CVE and being told to search for any assets that match. Right now, I'm just performing a very taxing search like "index=* sourcetype=* [insert something that might relate to the asset]".
This is the real answer. Still valid as of 2024 for the VMware TA add-on. The GUI did not work for installation. Had to copy the tgz into the directory and extract it. Restarted Splunk and it works.
Once you configure your Azure Event Hub inputs, this should sourcetype as mscs:azure:eventhub. Once the data comes in, the Splunk TA will map it to other sourcetypes (see below); these will then create the various CIM fields that can be mapped to the Alerts data model. (That's why you're not seeing it as CIM compliant in the document list: it's a parent sourcetype.)

Note: Often Splunk TAs perform a lot of props/transforms/regex work behind the scenes for CIM compliance.

The mscs:azure:eventhub sourcetype will point to the below sourcetypes, and these are mapped to the Alerts data model. Whether they contain the actual data you want is another matter: is the field you're interested in mapped to an Alerts data model CIM field?

mscs:azure:security:alert (CIM mapped to Alerts data model)
mscs:azure:security:recommendation (CIM mapped to Alerts data model)

The below sourcetype has many other data types, so various elements will map to the different data models.

azure:monitor:aad (maps to Alerts/Authentication/Change)

So, in your case the Alerts data model is most likely the main use case. It's best to get the data into a test index first, tune the Alerts data model to point to the test index with the tag alert (this will kick off the searches for the Alerts data model), and then do some analysis on the CIM fields to see what you're getting. If you're not seeing the fields you want, then your option is to use the raw data for your searches, or you can create your own data model and accelerate the data so it's faster. But this is not CIM compliance in the true ES sense; it's just making it faster through the use of data models, which is fine, but maybe overkill.
The general idea is to map as much as you can for CIM compliance, or the ones recommended on the CIM compliance page; you never get it 100%.

Here are some links for you to look at:

Alerts data model - look at your data and see whether you can map it to a field or the recommended ones. The TA should do most of this for you as it's CIM compliant.
https://docs.splunk.com/Documentation/CIM/5.0.2/User/Alerts

CIM validation - you can use this for analysis work
https://splunkbase.splunk.com/app/2968

MS Cloud TA - info
https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/
What's your end goal with this? That would affect how I'd approach the problem. Do you want a playbook to take action based on this info, or is it some kind of audit?
Splunk has finally added the issue to their known issues page:
https://docs.splunk.com/Documentation/Splunk/9.2.0/ReleaseNotes/KnownIssues
https://docs.splunk.com/Documentation/Splunk/9.2.1/ReleaseNotes/KnownIssues
#machinelearning Hello, I am using dist=auto in my DensityFunction and I am getting negative Beta results. I feel like this is wrong, but keep me honest; I would like to understand how the Beta distribution is captured and why the mean is a negative result if I am using a 0 to 100% success rate. With other distributions I am happy (e.g. Gaussian KDE and Normal).

| fit DensityFunction MyModelSuccessRate by "HourOfDay,Object" into MyModel2 dist="auto"

Thanks, Joseph
@verothor Have you tried something like this?

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc/simplexml/ready!'
], function (_, $, mvc, SearchManager) {
    // Search is created with autostart off so it only runs when startSearch() is called
    let mySearch = new SearchManager({
        id: "mysearch",
        autostart: "false",
        search: '| makeresults | eval test = "This is test" ',
        preview: false
    }, {
        tokens: true,
        tokenNamespace: "submitted"
    });

    // Subscribe to the results and log each batch of rows as it arrives
    let mySearchResults = mySearch.data("results");
    mySearchResults.on("data", function () {
        let resultArray = mySearchResults.data().rows;
        console.log("My Data", resultArray);
    });

    // Re-run the search every 3 seconds
    $(document).ready(function () {
        setInterval(function () {
            mySearch.startSearch();
        }, 3000);
    });
});

Note: This is a sample JS. Just modify as per your requirement.

KV
Hi @Ram2, host and sourcetype are index-time fields that you associate to your data source; site should be an extracted field. Do you have this field when running only the search without stats? If not (as is probable), you have to extract it. Ciao. Giuseppe
@gcusello, what's the Mode you're using? you must use Verbose.
-- running in verbose mode.
if the site field isn't extracted, you cannot use it; did you extract the site field?
-- The site field is a default field like host and sourcetype.
@mipa04 I assume the tlogParameters field is getting extracted properly. Can you please try the below search?

YOUR_SEARCH
| eval tlogParameters = replace(tlogParameters, "'", "\"")
| eval _raw = tlogParameters
| spath
| rename {}.* as *

My sample search:

| makeresults
| eval tlogParameters="[{'triggeredEventName': 'CustomerLoggedIn', 'owner': 'communicationcenter', 'channel': 'SiteMessage', 'sentOrNotSent': 'Sent', 'reasonNotSent':null}]"
| append [| makeresults | eval tlogParameters="[{'triggeredEventName': 'CustomerLoggedIn', 'owner': 'communicationcenter', 'channel': 'SiteMessage', 'sentOrNotSent': 'Sent', 'reasonNotSent':null}]"]
| rename comment as "upto now is sample data only"
| eval tlogParameters = replace(tlogParameters, "'", "\"")
| eval _raw = tlogParameters
| spath
| rename {}.* as *

I hope this will help you. Thanks, KV. If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
Sorry, I made edits to it. Now it must work.
Hi @Ram2, what's the Mode you're using? You must use Verbose. If the site field isn't extracted, you cannot use it; did you extract the site field? Ciao. Giuseppe
Hi @gcusello, probably you ran the search on the SHC outside the app where the site field is extracted.
-- No, I am running the same query under the Search and Reporting app in the SHC and Deployer.
do you have the site field in the events?
-- No, these are default values for a host coming from the universal forwarder, what they set from the application side.
Hello @marysan, the query is the same.
This led to a solution for me. I had our user change the time format at the beginning of their logs.
Hi @Ram2, probably you ran the search on the SHC outside the app where the site field is extracted. Do you have the site field in the events? Ciao. Giuseppe
@humanBeing  If your problem is resolved, then please click one of the "Accept as Solution" buttons to help future readers.
@DanAlexander1  If your problem is resolved, then please click one of the "Accept as Solution" buttons to help future readers.
I think this query will work for you:

| tstats summariesonly=true fillnull_value="N/D" dc(All_Email.internal_message_id) as total_emails from datamodel=Email
    where (All_Email.action="quarantined" OR All_Email.action="delivered") AND NOT [| `email_whitelist_generic`]
    by All_Email.src_user, All_Email.subject, All_Email.action
| `drop_dm_object_name("All_Email")`
| eventstats sum(eval(if(action="quarantined", 1, 0))) as quarantined_count_peruser,
    sum(eval(if(action="delivered", 1, 0))) as delivered_count_peruser by src_user, subject
| where total_emails > 50 AND quarantined_count_peruser > 10 AND delivered_count_peruser > 0