All Posts

Hello, could someone please help me with this question: should the clients of the deployment server only be forwarders, or can any component of the architecture (indexers, search heads) be a client of the deployment server as well?
@gcusello Thanks for your response, but this doesn't work. It's making all the counts 0 when we add | eval count=0
I tried to create a new certificate with a password and still have the same error as before: Error encountered for connection from src=111.111.111.111:44922. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
| eval change=100*(s0-s7)/s7
Failing to Build Attack Range 3.0 on Linux Mint 21.2 (Ubuntu codename jammy)

I have been following the installation instructions on https://attack-range.readthedocs.io/en/latest/Attack_Range_Local.html for an Attack Range local install on Linux. Attack Range fails during the build process (python attack_range build):

<--output cut-->
ASK [phantom : Creates directory] *********************************************
changed: [ar-phantom-attack-range-key-pair-ar]
TASK [phantom : Copy Splunk SOAR to server] ************************************
[WARNING]: Error deleting remote temporary files (rc: 1, stderr: Could not chdir to home directory /home/vagrant: Permission denied bash: /home/vagrant/.bashrc: Permission denied })
changed: [ar-phantom-attack-range-key-pair-ar]
TASK [phantom : prepare phantom install script without apps] *******************
fatal: [ar-phantom-attack-range-key-pair-ar]: UNREACHABLE! => {"changed": false, "msg": "Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo /home/vagrant/.ansible/tmp `\"&& mkdir \"` echo /home/vagrant/.ansible/tmp/ansible-tmp-1716446324.3823583-133581-59531706665728 `\" && echo ansible-tmp-1716446324.3823583-133581-59531706665728=\"` echo /home/vagrant/.ansible/tmp/ansible-tmp-1716446324.3823583-133581-59531706665728 `\" ), exited with result 1", "unreachable": true}
PLAY RECAP *********************************************************************
ar-phantom-attack-range-key-pair-ar : ok=2 changed=2 unreachable=1 failed=0 skipped=6 rescued=0 ignored=0
Ansible failed to complete successfully. Any error output should be visible above. Please fix these errors and try again.
2024-05-23 08:38:44,768 - ERROR - attack_range - vagrant failed to build
Hi Team, I need help to create an alert which is raised if the latest hour's count is 10% less than the count for the same day and same hour last week. For example: right now I am able to get the count, but I am not sure how to find a 10% or more difference to raise the alert. index=ABC sourcetype=XYZ | timechart span=1h count | timewrap d series=short
Hello, I am getting the following error while trying to enable SAML for my deployment server: Verification of SAML assertion using the IDP certificate provided failed. Unknown signer of SAML response. Kindly provide any valuable suggestions.
Hi @yuvaraj_m91, you already have this search in the License Consumption Report; the problem is that usually you don't maintain six months of internal logs. You could run a search every day saving the results in a summary index, so you'll have a very performant search and all the data, also beyond the retention. You could also run a search summing the length of each event of each index, but it will be a very, very slow search. Ciao. Giuseppe
Looking for an SPL query to get the index-wise log consumption for each month, split up for the last 6 months.
Hi @Siddharthnegi, add the correct timezone to your user, and you'll see your timestamps. Ciao. Giuseppe
Hi @Richard_400, you have to use a function (e.g. count or sum or avg) before the eval in the stats command:

(index=interface_count devicename IN ($select_device$) INTinfo1=Gi0/1 OR Gi0/2 data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter) | timechart span=5m max(eval(Rx/1E5)) as Rx_count by INTinfo1

Ciao. Giuseppe
Hi @pm2012, in the square brackets put the sourcetype you want to add to your data flow. Put the props.conf file on the Search Heads and on the Forwarders the data is coming from, and (if present) on the intermediate Heavy Forwarders. Ciao. Giuseppe
Hi @splunky_diamond, yes, it's the latest! Open a case with Splunk Support; as I said, this is an old resolved bug. Ciao. Giuseppe
Hi @Kaushaas, usually all roles can see and edit Permissions on their own dashboards; ask your administrators to enable this feature for your role. Ciao. Giuseppe
Hi @karthi2809, you could add a fixed field using eval, keeping the link in the search (otherwise you cannot pass it to the drilldown) but not displaying the Link itself in the panel (using the <fields></fields> tag). Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated ;.)
Hi @KendallW, I have added fields - _time as the last SPL command to remove the _time field. Unfortunately, it still doesn't show the annotation in the line graph.
Hi @gcusello, got it, thanks. I didn't define it in the lookup definition. Now it's mapping. One more thing: I just want to add the table name as a URL so that it shows "Click here". Inside that I need to map the URL.
Hi @karthi2809, check if in the Lookup definition you set the case-sensitivity flag; if so, unset it. See you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
When checking the URL categorization for a URL, it appears that the URL has been classified under two categories, for example, Business/Economy and File Storage/Sharing. However, we can only see one category in the Splunk field (field name: filter_category). Is this something to do with the data collection in Splunk? Any details are appreciated. Check the current WebPulse categorization for any URL: https://sitereview.bluecoat.com/#/
I want a chart as follows. I could show each count value (cannot Calc field):

(index=interface_count devicename IN ($select_device$) INTinfo1=Gi0/1 OR Gi0/2 data_field_name=Rx_counter) OR (index=interface_count devicename IN ($select_device2$) description IN ($select_device$) data_field_name=Rx_counter) | timechart span=5m eval(round(max(eval(Rx/1E5)),1)) as Rx_count by INTinfo1

_time   Device_A Gi0/1 (a)   Device_A Gi0/2 (b)   Device_B Gi0/8 (c)   Calc A+B-C
10:00   100                  200                  50                   250
10:05   100                  300                  80                   320
10:10   150                  250                  100                  300