This is a pretty big question. I would recommend you start here: https://docs.splunk.com/Documentation/SOARExport/4.3.2/UserGuide/Configureoverview for how to connect Splunk and Splunk SOAR. From there, you'll need to set up the mechanism for sending alerts to SOAR and a playbook within SOAR for processing them the way you need to. What action you want to do on the endpoint will determine how to set that playbook up. If this is leveraging Defender, for example, you can set up an action to call Defender to quarantine an endpoint or something like that. It will vary a lot depending on your exact use case.
Haha yeah I guess so, fwiw I see both on ours... Some processes are suspended when they crash, others just crash and vanish from Task Manager. Truthfully I'm not sure what the difference between those behaviors is.
It appears the problem is still around. I am upgrading to 7.3.1 and still getting the error. I had to use the CLI option to upgrade.
thank you
| tstats count where index=* by index, sourcetype
Hi @whitecat001, you could try: index=* sourcetype=your_sourcetype. In this way you can find out which index it is. Ciao. Giuseppe
What command can I run if I am not sure where the index for data associated with a sourcetype is stored in Splunk?
So basically we moved from crashes (9.1) to process suspended (9.2)... I would prefer the first; at least something was collected. Thanks a lot for the feedback. Regards
@ivan5593 This is certainly possible using an authentication account, which will give you a token to interact with the SOAR API. Then you just need to use the correct API endpoint with the correct payload to send events to SOAR: https://docs.splunk.com/Documentation/SOARonprem/5.3.1/PlatformAPI/Using If you want to initiate a playbook from JIRA, then you need the playbook_run API endpoint with the correct payload. I would also say that the JIRA app has an On Poll action that you can set up with some JQL to only pull in what you want, and it will just create containers for you whenever it polls and finds something new. This would be better if you had playbooks that ran on ingestion into SOAR. -- Hope this helps! If so please mark as a solution for future. Happy SOARing! --
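The token-plus-REST path the answer above describes, written out as an added example (not code from the thread, Splunk or Atlassian): the logic a small receiver sitting in front of SOAR would run when Jira delivers a webhook. It creates a container through POST /rest/container using the ph-auth-token header, then starts a playbook on that container through POST /rest/playbook_run. The host name, the playbook name "local/jira_status_sync", the SOAR responses returned by the fake transport, and the Jira webhook payload are all constructed for the example; the SOAR request and response field names are the documented ones, and the Jira payload is reduced to the key, summary and status fields.

```python
import json
import os
import urllib.request

# Hypothetical SOAR host. The token belongs to an automation user created in SOAR;
# keep it out of the code and read it from the environment.
SOAR_BASE_URL = "https://soar.example.internal"
SOAR_TOKEN = os.environ.get("SOAR_AUTH_TOKEN", "REPLACE_ME")

# Webhook events that should create a container and start the sync playbook; anything else is ignored.
HANDLED_EVENTS = ("jira:issue_created", "jira:issue_updated")


def _soar_post(path, body, transport=None):
    """POST a JSON body to a SOAR REST endpoint, authenticating with the ph-auth-token header.
    `transport(url, headers, body)` replaces the network call for tests and dry runs."""
    url = SOAR_BASE_URL + path
    headers = {"ph-auth-token": SOAR_TOKEN, "Content-Type": "application/json"}
    if transport is not None:
        return transport(url, headers, body)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    # TLS verification stays on: fix the SOAR certificate rather than disabling checks.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def container_from_issue(issue):
    """Shape a SOAR container from the issue object of a Jira webhook payload."""
    fields = issue["fields"]
    return {
        "name": "%s: %s" % (issue["key"], fields["summary"]),
        "label": "events",
        "severity": "medium",
        # Lets a later playbook run locate the container that belongs to a given ticket.
        "source_data_identifier": issue["key"],
        "data": {"jira_status": fields["status"]["name"]},
    }


def create_container(issue, transport=None):
    return _soar_post("/rest/container", container_from_issue(issue), transport)


def run_playbook(container_id, playbook, transport=None):
    """Start `playbook` ("repo/name" or numeric id) against an existing container."""
    body = {"container_id": container_id, "playbook_id": playbook, "scope": "new", "run": True}
    return _soar_post("/rest/playbook_run", body, transport)


def handle_jira_webhook(payload, playbook, transport=None):
    """Receiver-side logic for one Jira webhook delivery: create the container, then run the playbook."""
    if payload.get("webhookEvent") not in HANDLED_EVENTS:
        return None
    created = create_container(payload["issue"], transport)
    if not created.get("success") or "id" not in created:
        raise RuntimeError("container creation failed: %r" % (created,))
    return run_playbook(created["id"], playbook, transport)


# Constructed Jira webhook payload, reduced to the fields used above.
SAMPLE_WEBHOOK = {
    "webhookEvent": "jira:issue_updated",
    "issue": {"key": "SEC-101", "fields": {"summary": "Phishing report from finance",
                                           "status": {"name": "In Progress"}}},
}


def dry_run(payload=SAMPLE_WEBHOOK, playbook="local/jira_status_sync"):
    """Run the handler against a fake transport; returns the (url, body) pairs that would be sent."""
    sent = []

    def fake(url, headers, body):
        sent.append((url, body))
        if url.endswith("/rest/container"):
            return {"id": 42, "success": True}   # constructed SOAR response
        return {"playbook_run_id": 7}             # constructed SOAR response

    handle_jira_webhook(payload, playbook, fake)
    return sent


if __name__ == "__main__":
    for url, body in dry_run():
        print(url, json.dumps(body))
```

Whatever receives the Jira webhook (a small web service, or an On Poll run as the answer suggests) should authenticate the Jira side as well, for example with a shared secret in the webhook URL or a signature header, before anything reaches SOAR; otherwise the endpoint becomes a way for anyone on the network to create containers and trigger playbooks.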
Hello! I'm trying to integrate Splunk SOAR - Splunk - Jira to update the ticket status. The source of truth will be Jira, so any update should be propagated from Jira to the other Splunk products. I was wondering about configuring a webhook in Jira that triggers a playbook in Splunk SOAR and updates the tickets. Is there any way to accept webhooks in Splunk SOAR? Maybe a better way to do this integration? Thanks in advance!
Awesome, Its working! Thank you very much!
Unfortunately, support has been slow to get us a patched version or 9.2.2 ahead of its general release. They said that the 9.2.2 release was being pushed back. I dunno, still in a holding pattern on my end. That's concerning to hear that it didn't work for you... the "suspended" behavior is what I'm seeing on the existing 9.2.1 version.
Hello! I'm trying to resolve issues with splunkd being killed by the OOM reaper, and it would be nice to know which saved search (or ad-hoc search) is consuming too much RAM. In the Linux messages from the search head I have the PIDs of the reaped splunkd processes, and the question is how to get the PID of splunkd for a particular saved search from the _internal index. Scheduler events have a SID field like this: sid="scheduler_aS5zLnNva29sb3Y_czdfc2llbV9uZXR3b3Jr__RMD58313482a27867d57_at_1716903900_27923" Is the last part of the SID (27923) a Linux process ID? Or maybe I can get the PID from some other source?
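One source that does carry the PID next to the search ID is the _introspection index: sourcetype=splunk_resource_usage component=PerProcess events record data.pid, data.mem_used and data.search_props.sid for every search process, so the kernel's OOM-killer PIDs can be joined to a sid without interpreting the sid's trailing number at all. The following is an added example (not code from the thread or from Splunk) that does that join offline. Both the /var/log/messages lines and the introspection events are constructed samples reduced to the fields used; the decoding of the first two scheduler-sid segments as base64 user and app names is an assumption, and the trailing number is carried through untouched rather than treated as a PID.

```python
import base64
import json
import re

# Constructed sample of kernel OOM-killer messages as they appear in /var/log/messages on a search head.
OOM_LOG = """\
May 28 14:25:31 sh01 kernel: Out of memory: Killed process 27923 (splunkd) total-vm:9123456kB, anon-rss:7345678kB, file-rss:0kB, shmem-rss:0kB
May 28 14:26:02 sh01 kernel: Out of memory: Killed process 31010 (splunkd) total-vm:4123456kB, anon-rss:3045678kB, file-rss:0kB, shmem-rss:0kB
May 28 14:26:10 sh01 kernel: Out of memory: Killed process 5150 (java) total-vm:2123456kB, anon-rss:1045678kB, file-rss:0kB, shmem-rss:0kB
"""

# Constructed sample of index=_introspection sourcetype=splunk_resource_usage component=PerProcess
# events, reduced to the fields used here (real events carry many more). mem_used is in MB.
INTROSPECTION = [
    {"component": "PerProcess", "data": {"pid": 27923, "process_type": "search", "mem_used": 5012.0,
     "search_props": {"sid": "scheduler_YWRtaW4_c2VhcmNo__RMD50123456789abcdef_at_1716903900_118",
                      "user": "admin", "app": "search", "mode": "historical"}}},
    {"component": "PerProcess", "data": {"pid": 27923, "process_type": "search", "mem_used": 7170.5,
     "search_props": {"sid": "scheduler_YWRtaW4_c2VhcmNo__RMD50123456789abcdef_at_1716903900_118",
                      "user": "admin", "app": "search", "mode": "historical"}}},
    {"component": "PerProcess", "data": {"pid": 31010, "process_type": "search", "mem_used": 2975.2,
     "search_props": {"sid": "1716903950.12345", "user": "analyst", "app": "search", "mode": "historical"}}},
    {"component": "PerProcess", "data": {"pid": 4242, "process_type": "splunkd_server", "mem_used": 900.0}},
]

OOM_RE = re.compile(r"Out of memory: Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\)")


def reaped_pids(log_text):
    """PIDs of splunkd processes the OOM killer reported killing, in log order."""
    return [int(m.group("pid")) for m in OOM_RE.finditer(log_text) if m.group("comm") == "splunkd"]


def peak_memory_by_pid(events):
    """pid -> (peak mem_used, sid) over PerProcess events for search processes only."""
    peaks = {}
    for ev in events:
        d = ev.get("data", {})
        if ev.get("component") != "PerProcess" or d.get("process_type") != "search":
            continue
        sid = d.get("search_props", {}).get("sid")
        best = peaks.get(d["pid"])
        if best is None or d["mem_used"] > best[0]:
            peaks[d["pid"]] = (d["mem_used"], sid)
    return peaks


# ASSUMPTION: a scheduler sid of the shape seen in this thread is
# scheduler_<b64 user>_<b64 app>__RMD5<hash>_at_<epoch>_<n>. Only the user/app decoding is assumed
# (segments containing '_' would not match), and <n> is reported as-is, not treated as a PID.
SCHED_SID_RE = re.compile(
    r"^scheduler_(?P<user>[A-Za-z0-9-]+)_(?P<app>[A-Za-z0-9-]+)__RMD5(?P<hash>[0-9a-f]+)"
    r"_at_(?P<at>\d+)_(?P<n>\d+)$")


def _b64url(s):
    """Decode unpadded URL-safe base64."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()


def describe_sid(sid):
    if sid is None:
        return {"kind": "unknown"}
    m = SCHED_SID_RE.match(sid)
    if not m:
        return {"kind": "adhoc"}
    return {"kind": "scheduled", "user": _b64url(m["user"]), "app": _b64url(m["app"]),
            "scheduled_at": int(m["at"]), "trailing": int(m["n"])}


def attribute_oom_kills(log_text, events):
    """Join each killed splunkd PID to the search (sid) that owned it and that search's peak memory."""
    peaks = peak_memory_by_pid(events)
    report = []
    for pid in reaped_pids(log_text):
        mem, sid = peaks.get(pid, (None, None))
        report.append({"pid": pid, "sid": sid, "peak_mem_mb": mem, **describe_sid(sid)})
    return report


if __name__ == "__main__":
    for row in attribute_oom_kills(OOM_LOG, INTROSPECTION):
        print(json.dumps(row))
```

The same join done in Splunk itself, once you have a PID from the kernel log: index=_introspection sourcetype=splunk_resource_usage component=PerProcess data.process_type=search data.pid=27923 | stats max(data.mem_used) AS peak_mb BY data.search_props.sid data.search_props.user data.search_props.app. Keep the timestamps in mind: PIDs get reused, so restrict the introspection search to the minutes before the OOM message.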
No, I downgraded my operating system to Server 2019 and everything started working. Ran into a different issue afterwards unfortunately. Too much data was being forwarded and I had to start using a heavy forwarder.
Hi @Luis Guillermo.Moreno, Thanks for asking this question on the Community. I did some searching and did not find any mention of Minerva on the community or in our docs. If you don't hear from the community in a few days, you may want to reach out to your AppD rep, or even try contacting AppD Support. How do I submit a Support ticket? An FAQ
It looks like it might not work with _time fields - try assigning a new field to the formatted value, e.g. | eval Time=strftime(_time,"%F %T") Then change the formatting to take this new field into account: <colorPalette type="expression">if(tonumber(strftime(strptime(value,"%F %T"),"%H")) == 6 OR tonumber(strftime(strptime(value,"%F %T"),"%H")) == 11 OR tonumber(strftime(strptime(value,"%F %T"),"%H")) == 18 OR (tonumber(strftime(strptime(value,"%F %T"),"%H")) == 21 AND tonumber(strftime(strptime(value,"%F %T"),"%M")) < 35), "#A2CC3E", "#F58F39")</colorPalette>
Thanks for the quick reply, much appreciated. But my JSON log input is defined in an app network input, not a file; it defines the sourcetype, for example sourcetype=app_alert_data. In this case, can I use unarchive_cmd to preprocess app_alert_data? Thanks again.
Did you manage to try the version 9.2.2 they provided? They also gave it to me, but in my case it's not working. Now I don't have crashes, but the splunk-winevtlog process keeps moving into the "suspended" state in Task Manager. Actually almost nothing is collected from Forwarded Events... Regards
Hi @danspav , I replied on Friday that the hyperlink is not working by providing the source code and screenshots. Could you please look into it and assist? Thank you.
Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:   `index` | eval risk=round(Risk_Score,0) | stats dc(System_Name) AS count by risk | sort + risk | join type=left [ search `index` | search System_Name="$system_name$" | eval risk=round(Risk_Score,0) | stats sum(risk) as highlight] | eval highlight=if(highlight=risk,highlight,0) | eval highlight=if(highlight=risk,count,0) | eval count=if(highlight=count,0,count)