All Posts

Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi @ITWhisperer, my requirement is to fetch the value from the latest event (even if I restrict the search to 30 mins).

Example query:
index = events_prod_tio_omnibus_esa ( "SESE023" ) sourcetype=Log_mvs | rex field=msg "(ADV|ALERT REACH)\s* (?<Nb_msg>[^\s]+)" | rex field=msg "NB\s* (?<Msg_typ>[^\s]+)" | table Nb_msg

Result:

I want to display the value "Nb_msg" in the result if there is any event in the last 15 mins. If there is no event in the last 15 mins, then display the value "0" in the result. Currently, with the query (attached above), I am getting the value "Nb_msg" from all the events generated in the last 15 mins.
Hi @LearningGuy, sorry, there was a misunderstanding: it isn't possible to update an index. It's possible to display the index data enriched with the phone by a lookup. Otherwise, it's possible to save the events of the old index in a new one, also enriched with the phone number. Ciao. Giuseppe
Hi @LearningGuy, the only way to restrict access to any object is roles. Ciao. Giuseppe
Hi @gcusello, if I am not an admin, is it possible to do the following? (Refer to my main question.) I want to allow ONLY my team within "App1" to have read and write access to the "Test" dashboard. Thanks
Hi @Roy_9, you can create a custom input, and you have to find the parsing rules. Ciao. Giuseppe
Hi @gcusello, there are logs for the Windows OneSettings service: "This service offers to report telemetry data back to MS about OS health, build info, etc. in order to keep the computer 'healthy'." We came across this setting recently. The logs are written to "Microsoft\Windows\Privacy-Auditing\" and they are in the Windows Event Log. I am not sure whether these events can be tracked using the Splunk Add-on for Windows. Any thoughts on this? Thanks
Hi @gcusello, when you said it's possible to add a new field into past data in a summary index, is it a new entry/insert or an update?

In my example, is it possible to update (not insert) the "Phone" field in "test_1" past data (_time/timestamp is in the past)? Do I need to have permission to perform an update to an index? I think I can only perform an insert, but not a delete or an update. Your sample query is moving new data to the new index "test_2", not to the same "test_1" past data.

"if you have this information in a lookup, why do you need to save it in the index?"

The main_index has a large set of data, and it's very slow doing a lookup in a dashboard; that's why I filtered the necessary data and moved it to a summary index.

Past: index=main_index + csv data ===> index=summary report="test1"
Now: I updated the csv data with a phone field: index=main_index + csv data ===> index=summary report="test2"

Can I update (not insert) only the "phone" field from "test2" to "test1" with the past timestamp? OR can I update (not insert) only the "phone" field from "main index + CSV" to "test1" with the past timestamp?

index=main_index + csv data (NEW) ===> index=summary report="test1" (PAST timestamp)

Thank you
Hi @Dayalss, yes, there are seven apps for Qualys; two of them seem to be related to vulnerabilities. I'm not a Qualys expert, so I don't know which app is the one for your requirements. Ciao. Giuseppe
Hi, you mean another app?
If I understand correctly, then yes; you could use a single to display a number, you just need a search to calculate the number for you. The stats command can easily count the number of events returned by the search.
Hi @Dayalss, check other dashboards; I'm almost sure that you'll find what you're searching for. Ciao. Giuseppe
Hi @gcusello, I have installed the Qualys Vulnerabilities app, but it does not fulfil our requirement. We need to build custom dashboards, but there is a data mismatch. Need to fix it. Regards, Dayal
The inputs.conf stanza tells Splunk to run your script.  What the script does depends on how it is written.  It may want to get the files it should read from a script-specific configuration file.
Hi @anooshac, if you look in the Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603), there's also exactly this example. Ciao. Giuseppe
Sure, you have a couple of options there. You can either add adaptive response actions to your Splunk ES correlation searches (if you're using those) or you can set up a saved search to export exactly the results you want. When I last worked on this (it's been about a year), I found that the saved search method was more reliable. I used a search similar to the Incident Response view search ("Incident Review - Main" in SA-ThreatIntelligence), as my use case was to forward notable events to the SOAR platform.
Thanks @ITWhisperer for the update. If I have to create a dashboard which will only display the number of records (example: 2) if it is within 15 mins and 0 if the latest event is less than 15 mins, is it possible to create such a dashboard?
It looks like your event time is already in the _time field, i.e. your timestamp parsing appears to be correct; therefore, if you restrict your search to the last 15 minutes, you won't get any events prior to that.
The problem with tables is that the browser(?) tries to adjust the table after the CSS, which usually overrides whatever width you have tried to set.
"What is the relationship between ID and Event, because you don't appear to be doing anything with ID in your current search. Does Event exist in your second dataset (ERROR API [ID])?"

ID is the common field in both the data sets, while Event is only present in the 1st data set, i.e. ("API : access : * : process : Payload:").
Hi All, I am trying to reduce the width of the 2nd and 3rd columns of a table, since some of the cells have big sentences and occupy too much space. I tried referring to an example like the one below.

<row>
  <panel>
    <html depends="$alwaysHideCSSPanel$">
      <style>
        #tableColumWidth table thead tr th:nth-child(2),
        #tableColumWidth table thead tr th:nth-child(3) {
          width: 10% !important;
          overflow-wrap: anywhere !important;
        }
      </style>
    </html>
    <table id="tableColumWidth">

But I am not able to change the width using this. Are any corrections needed in the above HTML?