Hi @tuts, I'm a Community Moderator in the Splunk Community. This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
I want to link OpenCTI with Splunk ES to be on top of the threats
Good morning, I recently created a tag for a set of hosts. For example, CA for all California hosts. Does this take time to populate or show up within my Data Models? I am running a search similar to this:
| tstats count FROM datamodel=<data_model>.<root_event> WHERE tag=CA BY _time, host, etc....
I have also tried this:
| datamodel <data_model> <root_event> search | search tag=CA | table _time, host, etc....
Perhaps if you read my suggestion more carefully you would have noticed that I suggested you evaluate a new token and then use that token in the link!
Please I need the method if it is done with you
Ah, very good. Thank you!
Hello Team, we tried to integrate our Splunk Enterprise LB URL using SAML authentication. We gave details such as Entity ID, LB URL, and Reply URL, and they generated metadata (XML), which we then uploaded to Splunk. After configuration, we received the following error. Please find the below SS of the error FYR. Could you please assist us with the mentioned integration part? Please let us know if you need any other information. Regards, Siva.
You have several options:
1) The delta command to calculate the difference
2) The autoregress command to copy over the value from the previous result row and calculate the difference manually
3) The streamstats command to do the same as 2) but in a more complicated way
Hello everyone, can anyone help me with how I can get the difference to the previous value from a device that sends me the total kWh number, in order to be able to calculate a consumption per specified time in the Splunk dashboard? Currently, I am only shown an ever-increasing value. Thank you very much!
Hi @ITWhisperer, this is my code in the XML dashboard. In my dashboard some link should be present, but if I click on the link it shows null. So I used the below code. Still I am getting a null value.
<condition field="Link">
<eval token="link">if(isnull($row.URL$),"","https://$row.URL|n$")</eval>
<link target="_blank">$row.URL|n$</link>
</condition>
@michaeler26 - If whatever you are looking for is listed here - https://conf.splunk.com/global-broadcast-details.html?locale=global-broadcast-details.html - then you should be able to view it live during conf24. If it is not listed on this page, you will not be able to see it virtually during the conf. I hope this helps!!!
Sorry, I have not done any formal cyber-security courses myself.
Hi, for a couple of days I have been getting these errors from one of my search heads: "06-05-2024 14:33:35.300 +0200 WARN LineBreakingProcessor [3959599 parsing] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 11513 - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="XXX", data_sourcetype="splunk_audit"" As far as I understood, I can set the truncate value within props.conf to a higher value. I just want to understand why internal logs exceed the line length. Can someone point me in the right direction as to why the audit logs exceed this limit? Thanks.
Hello, I have a problem: I'm not receiving data in some of my indexes when it is related to monitoring. For the monitor I created an app on the server I pull the data from; it worked for a while and now it has stopped. The stanza of the inputs.conf looks like this:
[monitor://\\<my_server_ip>\<folder>\*.csv]
index=<my_index>
disabled = 0
ignoreOlderThan = 2d
sourcetype = csv
source=<source_name>
It happens in 2 of my indexes that have the same stanza structure. I checked the connection from my server to the monitor path and it was OK. I checked the _internal index for errors with no results. I opened Wireshark to look for connection errors, but I didn't find any. Any ideas?
Generally speaking, yes, you can use a single HF for all of your input scripts.  If you will be processing a lot of data then you may need an additional HF.
If you know when you injected it, can you find the raw event in the logs that Splunk has to see how it has been logged (then you'll know what to search for)?
Hi @R4M4L3, if you're speaking of a lab or a stand-alone installation, you can use the same Splunk Enterprise IP address or hostname. If you have to manage more than 50 clients, you must use a dedicated server for this role. For more info see https://docs.splunk.com/Documentation/Splunk/9.2.1/Updating/Aboutdeploymentserver Ciao. Giuseppe
Hello. I want to deploy Splunk Enterprise on my machine, and I am installing the Universal Forwarder and I can't figure out what the Deployment Server IP could be. Should I make it the IP address of the host machine? Need help!
The following code, 1' OR '1'='1'#, is malicious code to get admin data and passwords. I want to find the anomaly that it causes in the log through a Splunk search (sample attack).