Hi @Brenny, I encountered the same problem today and found the issue. In my case, the eventhub name wasn't the good one. It should be the one located in the properties' name field under the Event Hub Instance, but I was using the one from the Event Hub namespace properties. Hope that helps!
Hello @gcusello, thank you for your response. So, is everything managed from the Forwarder Management section, including the management of non-clustered IDX and SH?
Hi @BRFZ, you can also use the Deployment Server to manage non-clustered Indexers and non-clustered Search Heads, even if it isn't a best practice. You cannot manage clustered SHs or IDXs. Ciao. Giuseppe
| inputlookup file_intel
| stats count BY threat_key
| eval lookup=1
| append [ | inputlookup ip_intel | stats count BY threat_key | eval lookup=2 | fields threat_key lookup ]
| append [ | inputlookup http_intel | stats count BY threat_key | eval lookup=4 | fields threat_key lookup ]
| stats sum(lookup) AS mask BY threat_key
| search threat_key=*risklist_hrly*
If mask is 7 the key is in all files; if it is 6 it is in ip_intel and http_intel; if it is 5 it is in file_intel and http_intel, etc.
@deepakc and @isoutamo, if this requires installation of JQ, then it would not be possible, because if I want my customer to use the application and the prerequisite is to install the JQ widget, I simply can't force my customer.
It looks like you either have a problem with your data (raw events), your ingest config (e.g. transforms.conf) or your search query. Unfortunately, since you have shared none of these, it is rather difficult to offer anything more constructive.
With some of the events, we are facing an unexpected format of the query results. Actually, in the raw event there is no issue at all, and each field is showing its own value. But when it is queried and displayed in the statistics section as results, the values of a few fields are displayed incorrectly. Usually the search results show key=value pairs. But with some events, the search results are showing as "fieldname1=fieldname1=value" and in some cases "fieldname1=fieldname3=value".
Example 1: Request_id=Request_id=12345 (expected: "Request_id=12345")
Example 2: Parent_id=message_id=456 (expected: "Parent_id=321")
Example 3: Parent_id=category=unknown (expected: "Parent_id=321")
Is this related to the parser or something else? We are unable to find what the issue could be here. Could anyone please help us fix this issue at the earliest?
I am trying to install Splunk with a GPO. Previously, I installed it locally on the machines with a batch file with additional installation parameters. Now I use the same batch file with a GPO and I get system error 1376 "The specified local group does not exist". The same user works when I install locally. When I install locally I use domain\username. The user is used to run the Splunk service.
Hi, how do I write an SPL search query that adds multiple fields in a single search?
Field 1 contains data like authorization "Write or Read".
Field 2 contains user id details like "@abc.com, user1, user2".
Question: how do I write an SPL query such as index=testing ("write" AND "@abc.com"), i.e. an SPL query that adds multiple fields containing "write" AND "@abc.com"? When these conditions are satisfied, an alert has to be sent.
Hello, could someone please help me with this question: should the clients of the deployment server only be forwarders, or can any component of the architecture (indexers, search heads) be a client of the deployment server as well?
I tried to create a new certificate with a password and still have the same error as before:
Error encountered for connection from src=111.111.111.111:44922. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Failing to Build Attack Range 3.0 on Linux Mint 21.2 (Ubuntu codename jammy)
I have been following the installation instructions on https://attack-range.readthedocs.io/en/latest/Attack_Range_Local.html for an Attack Range local install on Linux. Attack Range fails during the build process (python attack_range build):
<--output cut-->
ASK [phantom : Creates directory] *********************************************
changed: [ar-phantom-attack-range-key-pair-ar]
TASK [phantom : Copy Splunk SOAR to server] ************************************
[WARNING]: Error deleting remote temporary files (rc: 1, stderr: Could not chdir to home directory /home/vagrant: Permission denied bash: /home/vagrant/.bashrc: Permission denied })
changed: [ar-phantom-attack-range-key-pair-ar]
TASK [phantom : prepare phantom install script without apps] *******************
fatal: [ar-phantom-attack-range-key-pair-ar]: UNREACHABLE! => {"changed": false, "msg": "Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo /home/vagrant/.ansible/tmp `\"&& mkdir \"` echo /home/vagrant/.ansible/tmp/ansible-tmp-1716446324.3823583-133581-59531706665728 `\" && echo ansible-tmp-1716446324.3823583-133581-59531706665728=\"` echo /home/vagrant/.ansible/tmp/ansible-tmp-1716446324.3823583-133581-59531706665728 `\" ), exited with result 1", "unreachable": true}
PLAY RECAP *********************************************************************
ar-phantom-attack-range-key-pair-ar : ok=2 changed=2 unreachable=1 failed=0 skipped=6 rescued=0 ignored=0
Ansible failed to complete successfully. Any error output should be visible above. Please fix these errors and try again.
2024-05-23 08:38:44,768 - ERROR - attack_range - vagrant failed to build
Hi Team, I need help to create an alert which is raised if the latest hour's count is 10% less than last week's count for the same day and same hour. For example: right now I am able to get the count, but I am not sure how to find a 10% or more difference in order to trigger the alert.
index=ABC sourcetype=XYZ | timechart span=1h count | timewrap d series=short