I'm more familiar with the ServiceNow side of things, but in the alert action, there's a Custom Fields section. You can add additional fields there, e.g. description=[whatever info you want to pass from Splunk]. On the ServiceNow side, you'll have to tweak the Transform Map to map the Description field over from the import set table that incidents are originally created on, to the actual Incident table in ServiceNow. I don't know why description isn't included OOTB; seems like a pretty useful field to populate...
Hi @pm2012, the LINE_BREAKING isn't correct. Download a sample of your data in a text file and use it in the guided procedure [Settings > Add data]. This way, you can find the correct sourcetype definitions to use to parse your data. Ciao. Giuseppe
Hi @gcusello, I am sharing the below config present for this log source:
We apparently have the StreamWeaver integration in place, but we are not sure how it was implemented, as the folks who did it are no longer around. How is it done usually? Is it a REST API integration, as I see at Connect: Splunk Enterprise?
We have this stood up and working...sort of. Splunk Admins can configure alerts to add the "ServiceNow Incident Integration" action, and we can create Incidents in Splunk. The problem is, we have a lot of development teams that create/maintain their own alerts in Splunk. When they go to add this action, they're not able to select the account to use when configuring the action...because they don't have read permission to the account. Even if an Admin goes in and configures the action, it won't work at run-time, because the alert runs under the owner's permissions...which can't read the credentials used to call ServiceNow. Has anyone else run into this issue? How can this be set up to allow non-Admins to maintain alerts?
Hi @ViniciusMariano , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @karthi2809, check the values of payLoadInterface from the search, because they must match the related values in the lookup; that way you can join them and have the Link. About the Status condition, remove it because you don't have the Status field in the stats command. Ciao. Giuseppe
I was afraid of that. It's no big deal, I can hand-jam in the hex code for each system. Thanks for the response!
As a ServiceNow Admin, this is DEFINITELY a problem on the ServiceNow side.  Accounts calling the ServiceNow REST API need to be configured as web service only accounts, and have the correct roles applied based on what you're trying to read.
Sadly, no, that didn't work. No biggie, I can hand-jam in the hex code for each system, I was just hoping to get a little too fancy. Thanks, though!
Hi @gcusello
1. Still I am not able to get Link values in the table.
2. "Then the condition Status LIKE (,"%") is wrong, what do you want to check?" ---> checking for Status as *
Hi @pm2012, what's the sourcetype definition for this data flow? It seems that the LINE_BREAKING isn't configured. Ciao. Giuseppe
Yes, it is good practice to create a service account. As you said, people leave and KOs become orphaned. So, if you have a service account for, say, a business critical app, you get the users/developers to create various private KOs for this app, then move/clone them to the main app and assign the KOs to the service account user. I don't know if having multiple service accounts is needed, but perhaps having one account per business critical app. The service account will need to have sufficient capabilities and resources based on its Splunk role, and optionally you could look at workload management rules for the different roles for different workloads, so the important service account that belongs to a role gets better performance than others.
Hi SMEs, while checking the log from one of the log sources I could see logs are not ending properly and getting clubbed all together. Putting the snap below and seeking your best advice to fix it.
Hi @493600, please try this:

| inputlookup file_intel
| stats count BY threat_key
| eval count=0
| append [ | inputlookup ip_intel | eval count=0 | fields threat_key count ]
| append [ | inputlookup http_intel | eval count=0 | fields threat_key count ]
| stats sum(count) AS total BY threat_key
| search threat_key=*risklist_hrly*

This works if in all lookups there's a field called "threat_key". Ciao. Giuseppe
Use the below options:

<option name="link.exportResults.visible">0</option>
<option name="link.inspectSearch.visible">0</option>
<option name="link.openPivot.visible">0</option>
<option name="link.openSearch.visible">0</option>
<option name="link.visible">0</option>
<option name="refresh.link.visible">0</option>
So we did manage to get this working with help from the guy who built the addon. I'll give you an example of a Splunk query that helped me:

index="example" #This is our authentication index
| table username
| eval username_email=if(match(username,"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}"),username,null())
| where isnotnull(username_email)
| table username_email
| emailvalidation field="username_email"
The above response works for me. We can get our base search job id into the "sid" token. Then we can use the "| loadjob <sid of search>" Splunk command to run our panel without making it a base search.

<search id="basesearch">
  <query>| makeresults count=1 | streamstats count</query>
  <done>
    <set token="sid">$job.sid$</set>
  </done>
</search>

<panel>
  <title>Dashboard panel without use of basesearch</title>
  <table>
    <title>Can export</title>
    <search>
      <!-- Remove base="<BaseSearch>" from here -->
      <query>| loadjob $sid$ | search "user your query here.."</query>
    </search>
    <option name="drilldown">none</option>
  </table>
</panel>
I have three lookup files and I am trying to find out which one has a zero count. Below is the query I am using.

| inputlookup file_intel
| inputlookup append=true ip_intel
| inputlookup append=true http_intel
| search threat_key=*risklist_hrly*
| stats count by threat_key

I want to know which threat_key has a zero count for threat_key=*risklist_hrly*. I have tried fillnull; it's not working. I can only see the one that has a count. I want to get the one that has zero count.
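An added SPL example for the zero-count question above and for the answer from @gcusello earlier on this page; it is not part of either post. It tags each row with the lookup it came from, so the result is one row per lookup rather than per threat_key, and it goes one step further than the thread by also reporting lookups that return no matching rows at all (a stale or empty threat-intel feed is the case a defender usually wants to catch). It assumes the three lookup names from the thread (file_intel, ip_intel, http_intel) and, as the answer states, that each has a threat_key field; the field name lookup_name is an assumption introduced here.

```spl
| inputlookup file_intel
| eval lookup_name="file_intel"
| append [ | inputlookup ip_intel | eval lookup_name="ip_intel" ]
| append [ | inputlookup http_intel | eval lookup_name="http_intel" ]
| search threat_key="*risklist_hrly*"
| stats count BY lookup_name
``` a lookup with no matching rows disappears from stats, so add a zero row for every lookup we expect ```
| append [
    | makeresults count=3
    | streamstats count AS n
    | eval lookup_name=case(n=1, "file_intel", n=2, "ip_intel", n=3, "http_intel"), count=0
    | fields lookup_name count
  ]
``` max() keeps the real count where there is one and the 0 where there is none ```
| stats max(count) AS count BY lookup_name
| where count=0
```

Drop the final `| where count=0` to see the per-lookup counts for all three; keep it to get only the lookups with nothing matching *risklist_hrly*, which is the form you would schedule as an alert on feed health.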