Splunk Community: All Posts

Hi @Luis Guillermo.Moreno, Thanks for asking this question on the Community. I did some searching and did not find any mention of Minerva on the community or in our docs. If you don't hear from the community in a few days, you may want to reach out to your AppD Rep, or even try contacting AppD Support. How do I submit a Support ticket? An FAQ
It looks like it might not work with _time fields - try assigning a new field to the formatted value, e.g.

| eval Time=strftime(_time,"%F %T")

Then change the formatting to take this new field into account:

<colorPalette type="expression">if(tonumber(strftime(strptime(value,"%F %T"),"%H")) == 6 OR tonumber(strftime(strptime(value,"%F %T"),"%H")) == 11 OR tonumber(strftime(strptime(value,"%F %T"),"%H")) == 18 OR (tonumber(strftime(strptime(value,"%F %T"),"%H")) == 21 AND tonumber(strftime(strptime(value,"%F %T"),"%M")) < 35), "#A2CC3E", "#F58F39")</colorPalette>
Thanks for the quick reply, much appreciated. But my JSON log input is defined in an app network input, not a file, and it defines the sourcetype, for example sourcetype=app_alert_data. In this case, can I use unarchive_cmd to preprocess app_alert_data? Thanks again.
Did you manage to try version 9.2.2 they provided? They also gave it to me, but in my case it's not working. Now I don't have crashes, but the splunk-winevtlog process keeps moving into a "suspended" state in Task Manager. Actually almost nothing is collected from Forwarded Events... Regards
Hi @danspav , I replied on Friday that the hyperlink is not working by providing the source code and screenshots. Could you please look into it and assist? Thank you.
Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:

`index`
| eval risk=round(Risk_Score,0)
| stats dc(System_Name) AS count by risk
| sort + risk
| join type=left [ search `index` | search System_Name="$system_name$" | eval risk=round(Risk_Score,0) | stats sum(risk) as highlight]
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)
Does anyone know how this will integrate with "Private" channels in Slack? https://splunkbase.splunk.com/app/5846
In that case, you can download the app from Splunkbase, run the python script on a test server, and update the csv file on the production server in the above-mentioned location. Otherwise, as mentioned in the following document, the scan will run only with the packages shipped: https://docs.splunk.com/Documentation/Splunk/9.2.1/UpgradeReadiness/Scan#Disable_app_list_updates Thanks, Tejas.
It's working and giving proper results, only the red color is coming on every time.
Thank you! This was exactly what I was looking for. Much easier than trying to use eventstats.
Yes, it is! Thank you so much! I truly appreciate this! 
I found an answer for this. If you check out openssl.org, the version is not actually EOL for PREMIUM customers, which Splunk is. An annotation in the findings checklist should suffice. Hope that helps.
Thank you for the reply! Unfortunately, the app upgrade did not help and the deployment does not have an internet connection. Is there a way to fabricate the .csv?
Yeah, the scanner is now primarily complaining about OpenSSL 1.0.2 being EOL (OpenSSL SEoL (1.0.2.x)), which also then means there are associated CVEs.

$ /opt/splunk/bin/splunk cmd openssl version
OpenSSL 1.0.2zi-fips 1 Aug 2023

So this is clearly an outdated version of OpenSSL being shipped with Splunk Enterprise 9.2.0.1. So the question is still valid: why ship Splunk with an EOL version of OpenSSL?
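As an added example (not part of the post above and not Splunk's own tooling), the POSIX shell script below reproduces the check the scanner is effectively making: it runs the bundled `openssl version` through `$SPLUNK_HOME/bin/splunk cmd` if an install is present, otherwise falls back to a constructed sample banner matching the one quoted in the post, extracts the release series, and compares it with the public end-of-life dates published on openssl.org (1.0.2 ended 2019-12-31, 1.1.1 ended 2023-09-11, 3.0 is LTS until 2026-09-07). The function names and the date table are the example's own. As the earlier reply about premium support points out, a paid support contract can extend a series past its public EOL; this script only knows the public dates, so an "eol" verdict is a prompt to check the contract and annotate the finding, not a finding by itself.

```sh
#!/bin/sh
# Added example: classify the OpenSSL build bundled with a Splunk install
# against public end-of-life dates. Premium (paid) support is not visible here.

# openssl_series "OpenSSL 1.0.2zi-fips 1 Aug 2023" -> "1.0.2"
# openssl_series "OpenSSL 3.0.13 30 Jan 2024"      -> "3.0"
# 1.x releases are tracked per patch series (1.0.2, 1.1.1); 3.x per minor (3.0, 3.1).
openssl_series() {
    v=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$v" in
        1.*) printf '%s\n' "$v" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/' ;;
        *)   printf '%s\n' "$v" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/' ;;
    esac
}

# public_eol_date SERIES -> ISO date when public support ended/ends, or "" if unknown.
# Dates from openssl.org's release strategy; the table is the example's own.
public_eol_date() {
    case "$1" in
        1.0.2) echo 2019-12-31 ;;
        1.1.0) echo 2019-09-11 ;;
        1.1.1) echo 2023-09-11 ;;
        3.0)   echo 2026-09-07 ;;
        3.1)   echo 2025-03-14 ;;
        3.2)   echo 2025-11-23 ;;
        *)     echo "" ;;
    esac
}

# eol_status SERIES [TODAY] -> "eol", "supported" or "unknown".
# TODAY (YYYY-MM-DD) is injectable so the result is reproducible in tests.
eol_status() {
    eol=$(public_eol_date "$1")
    today=${2:-$(date +%Y-%m-%d)}
    [ -n "$eol" ] || { echo unknown; return 0; }
    # ISO dates compare correctly as integers once the dashes are stripped.
    if [ "$(printf '%s' "$eol" | sed 's/-//g')" -lt "$(printf '%s' "$today" | sed 's/-//g')" ]; then
        echo eol
    else
        echo supported
    fi
}

# check_splunk_openssl [SPLUNK_HOME] -> one-line verdict for the bundled OpenSSL.
# Falls back to a constructed banner (matching the post) when no install is found,
# so the script also runs offline.
check_splunk_openssl() {
    home=${1:-/opt/splunk}
    if [ -x "$home/bin/splunk" ]; then
        banner=$("$home/bin/splunk" cmd openssl version 2>/dev/null)
    else
        banner="OpenSSL 1.0.2zi-fips 1 Aug 2023"   # constructed sample, not a live reading
    fi
    series=$(openssl_series "$banner")
    status=$(eol_status "$series")
    printf '%s -> series %s: %s' "$banner" "$series" "$status"
    [ "$status" = eol ] && printf ' (public support ended %s; check whether a premium-support contract covers it)' "$(public_eol_date "$series")"
    printf '\n'
}

check_splunk_openssl "${SPLUNK_HOME:-/opt/splunk}"
```

Run it on a host as `SPLUNK_HOME=/opt/splunk sh check_openssl.sh`; the release-date suffix in the banner (here "1 Aug 2023") is the build date of the letter release, not the support horizon, which is why the series rather than the full string is what gets compared.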
Your email address is your primary identifier for your splunk.com account, so technically there is no way to change it. That's why - if you have registered with a company address and then change jobs - you have to create a new account and contact Splunk to transfer your certifications between accounts. There might be a possibility of transferring other content between accounts, but it's a relatively unlikely case.
Hi @karthi2809, Yes, you can pass a token to a search based on Data Models or Summary Indexes. Neither of them consumes license. Ciao. Giuseppe
I don't have an account on the partner portal. I will try support@splunk.com again. I will keep this post updated if I hear anything back.
Hi @gcusello Thanks for the reply. Actually, I want to improve my dashboard performance, so I tried to convert it to a report. But as you said, it's static. So if I use a summary index or data model, can we pass a token? Any sample data model? And both will consume license, right?
Hi @whrg , we are a Splunk Partner and I have an account on Partner Portal. Otherwise, you can send an email to support@splunk.com. Ciao. Giuseppe
Hello @gcusello, How exactly did you open this case with Support?