I'm trying to run personal scripts in Splunk from a dashboard. I want the dashboard to call a script based on user input and then output the script's result to a table. I'm testing the ability with a Python script that calls a PowerShell script, returns the data to the Python script, and then returns the data to the Splunk dashboard. This is what I have so far:

Test_PowerShell.py Python script:

    import os
    import subprocess
    import sys

    import splunk.Intersplunk

    # Read the incoming results; a streaming command has to consume its input
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()

    # Resolve Test.ps1 next to this script instead of relying on the working directory
    ps_script_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "Test.ps1")

    # Argument passed from the search; avoid an IndexError when none is given
    argument = sys.argv[1] if len(sys.argv) > 1 else ""

    # Execute the PowerShell script with the argument (argv list, no shell)
    proc = subprocess.run(['powershell.exe', '-File', ps_script_path, argument],
                          capture_output=True, text=True)

    if proc.returncode != 0:
        # Report the PowerShell failure in the search UI instead of exiting with code 1
        results = splunk.Intersplunk.generateErrorResults(
            "PowerShell exited with code %d: %s" % (proc.returncode, proc.stderr.strip()))
    else:
        # outputResults() expects a list of dicts (one per row), not the CompletedProcess object
        results = [{"field1": line} for line in proc.stdout.splitlines()]

    splunk.Intersplunk.outputResults(results)

Page XML:

    <form version="1.1" theme="dark">
      <label>Compliance TEST</label>
      <description>TESTING</description>
      <fieldset submitButton="false" autoRun="false"></fieldset>
      <row>
        <panel>
          <title>Input Panel</title>
          <input type="text" token="user_input">
            <label>User Input:</label>
            <default>*</default>
          </input>
        </panel>
      </row>
      <row>
        <panel>
          <title>Script Output</title>
          <table>
            <search>
              <query>| script python testps $user_input$ | table field1</query>
              <earliest>$earliest$</earliest>
              <latest>$latest$</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>

Test.ps1 PowerShell script:

    # Echo the first argument back to the caller on stdout
    Write-Host $args[0]

commands.conf:

    [testps]
    filename = Test_PowerShell.py
    streaming = true
    python.version = python3

default.meta:

    [commands/testps]
    access = read : [ * ], write : [ admin ]
    export = system

    [scripts/Test_PowerShell.py]
    access = read : [ * ], write : [ admin ]
    export = system

The error I'm getting is the following: External search command 'testps' returned error code 1.
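The post above hands a dashboard token straight to powershell.exe and then passes the CompletedProcess object to outputResults(), which is the usual cause of "returned error code 1". The following is an added example (not the poster's code and not part of Splunk) that isolates the two things worth getting right in such a command: an allowlist on the argument before anything is executed, and converting process output into the list-of-dicts shape Intersplunk expects. The allowlist pattern, the FakeProcess class and the fake_powershell runner are assumptions made here so the logic runs and can be tested on a machine without PowerShell; in the real command, `runner` is left as subprocess.run and the returned rows or error string are fed to outputResults() / generateErrorResults().

```python
"""Hardening for a dashboard-driven external search command (added example).

validate_argument / build_command / stdout_to_rows / run_script are the
reusable pieces; FakeProcess and fake_powershell are constructed stand-ins
so the example runs without powershell.exe.
"""
import re
import subprocess

# Assumed policy for this example: the dashboard value must look like a
# host name, file name or wildcard. Anything else is rejected before execution.
_ARG_RE = re.compile(r"^[A-Za-z0-9._\-*]{1,64}$")


def validate_argument(arg):
    """Return arg unchanged if it matches the allowlist, else raise ValueError."""
    if not isinstance(arg, str) or not _ARG_RE.match(arg):
        raise ValueError("argument rejected by allowlist: %r" % (arg,))
    return arg


def build_command(ps_script_path, arg):
    """argv list for powershell.exe. Using a list (never shell=True) keeps the
    argument a single literal token; -NoProfile/-NonInteractive stop profile
    scripts and prompts from interfering with a headless run."""
    return ["powershell.exe", "-NoProfile", "-NonInteractive",
            "-File", ps_script_path, validate_argument(arg)]


def stdout_to_rows(stdout, field="field1"):
    """One result row per non-empty output line: the list-of-dicts shape that
    splunk.Intersplunk.outputResults() requires."""
    return [{field: line} for line in stdout.splitlines() if line.strip()]


def run_script(ps_script_path, arg, runner=subprocess.run):
    """Run the script and return (rows, error_message_or_None).

    `runner` is injectable so the logic can be exercised without PowerShell;
    in production leave it as subprocess.run."""
    try:
        cmd = build_command(ps_script_path, arg)
    except ValueError as exc:
        return [], str(exc)
    proc = runner(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return [], "PowerShell exited with code %d: %s" % (proc.returncode, proc.stderr.strip())
    return stdout_to_rows(proc.stdout), None


class FakeProcess(object):
    """Constructed stand-in for subprocess.CompletedProcess (assumption for tests)."""

    def __init__(self, returncode, stdout="", stderr=""):
        self.returncode, self.stdout, self.stderr = returncode, stdout, stderr


def fake_powershell(cmd, **kwargs):
    """Constructed runner: echoes the argument after -File <script>, which is
    what a 'Write-Host $args[0]' script would print."""
    script_arg = cmd[cmd.index("-File") + 2]
    return FakeProcess(0, stdout=script_arg + "\n")


if __name__ == "__main__":
    print(run_script("Test.ps1", "host01", runner=fake_powershell))
    print(run_script("Test.ps1", "host01; Remove-Item C:\\*", runner=fake_powershell))
```

With `-File`, PowerShell passes the remaining tokens to the script as literal strings, so the exposure is less about shell metacharacters and more about what the script does with `$args[0]` (for example, feeding it to Invoke-Expression) and about who can trigger the command at all: with `access = read : [ * ]` in default.meta, any user who can open the dashboard can run the script with a value of their choosing, which is why the allowlist sits in front of the subprocess call.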
Hello, I have the same problem. Can we do a rollback installation? Any other idea?
Is this the actual WARN log message you found? If yes, what was the reason for the back-pressure?
Please share the inputs.conf and props.conf stanzas related to the input. Have you searched the last-chance index (usually 'main')? Have you searched all time, including the future, in case the timestamps are not interpreted correctly?
Yes, it is possible. If the VM or identity provider logs failed logins to Splunk, then you can search those events for multiple attempts within a given timeframe.
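The answer above (to the question further down about failed logins on a VMware-hosted VM) describes the detection in one sentence: count failures per account and source inside a time window. As an added example that is not part of the thread, here is that logic written out in Python over constructed sample events, so the windowing behaviour is visible: five failures within 90 seconds fire, five failures spread eleven minutes apart do not. The event format (`host= EventCode= user= src=`) and the sample lines are constructed for this example; a real deployment would run the equivalent search over the index that receives the VM's Windows Security 4625 events or Linux sshd "Failed password" lines.

```python
"""Sliding-window failed-login burst detection (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. EventCode 4625 = failed logon, 4624 = success
# (Windows Security log semantics); the key=value layout is an assumption.
SAMPLE_EVENTS = """\
2024-05-20T04:00:01Z host=vm01 EventCode=4625 user=alice src=10.0.0.5
2024-05-20T04:00:20Z host=vm01 EventCode=4625 user=alice src=10.0.0.5
2024-05-20T04:00:41Z host=vm01 EventCode=4625 user=alice src=10.0.0.5
2024-05-20T04:01:02Z host=vm01 EventCode=4624 user=alice src=10.0.0.5
2024-05-20T04:01:15Z host=vm01 EventCode=4625 user=alice src=10.0.0.5
2024-05-20T04:01:30Z host=vm01 EventCode=4625 user=alice src=10.0.0.5
2024-05-20T04:09:00Z host=vm01 EventCode=4625 user=bob src=10.0.0.7
2024-05-20T04:20:00Z host=vm01 EventCode=4625 user=bob src=10.0.0.7
2024-05-20T04:31:00Z host=vm01 EventCode=4625 user=bob src=10.0.0.7
2024-05-20T04:42:00Z host=vm01 EventCode=4625 user=bob src=10.0.0.7
2024-05-20T04:53:00Z host=vm01 EventCode=4625 user=bob src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=(?P<code>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAILED_LOGON = 4625


def parse_event(line):
    """Parse one constructed-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["code"] = int(ev["code"])
    return ev


def find_bursts(lines, threshold=5, window_seconds=300):
    """Return (host, user, src, count, fired_at) for every (host, user, src)
    whose failed logons reach `threshold` inside any span of `window_seconds`.

    Events are sorted by time first, so input order does not matter. An alert
    fires when the per-key window first holds exactly `threshold` failures;
    further failures in the same window do not re-fire."""
    window = timedelta(seconds=window_seconds)
    failures = sorted(
        (ev for ev in map(parse_event, lines) if ev and ev["code"] == FAILED_LOGON),
        key=lambda ev: ev["ts"],
    )
    recent = defaultdict(deque)   # key -> timestamps of failures still inside the window
    alerts = []
    for ev in failures:
        key = (ev["host"], ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append(key + (len(q), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS.splitlines()):
        print("burst: host=%s user=%s src=%s count=%d at=%s" % alert)
```

Keying on (host, user, src) is a choice: a password-spray that rotates users from one source would need a second pass keyed on src alone, and a distributed attack against one account needs a pass keyed on user alone. In Splunk the same window logic is typically expressed with streamstats over a time window (for example `streamstats time_window=5m count by user src | where count>=5`) or with a bucketed `stats count by _time user src`.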
We can't have more than one email action, and it has nothing to do with sendemail.py. Splunk does not allow more than one config file stanza with the same name. If it finds more than one, they are merged into a single stanza.
That's great feedback. We will add output group.
Hello, thanks for answering. There are no errors; the time formatting is just not taken into account. Here is my query:

    <query>index="xxx" earliest=$timerange.earliest$ latest=$timerange.latest$
    | table guid, "parameter", "value"
    | xyseries "guid", "parameter", "value"
    | fields "guid" "type" "Start Time" "End Time" "Duration"
    | sort 0 - "Start Time"
    | eval "Start Time" = strftime(strptime('Start Time', "%Y-%m-%dT%H:%M:%S.%3NZ"), "%d/%m/%y %H:%M:%S")</query>

As I explained, start time is not reformatted as expected; it's in the original format:

    guid                      type         start time                 end time                   duration
    2024-05-20T04:00:53.536Z  incremental  2024-05-20T04:00:53.847Z   2024-05-20T04:01:05.815Z   00:00:12

Thanks,
Laurent
@phanTom My requirement is to get a notification about ingestion. Example: if a notable is created in Splunk ES but that notable is not created in Splunk Phantom, then it should notify us. Please help me with your suggestion on this.

Regards,
Harisha
Hi @Kaushaas, I'm not sure that a specific role is required to see the Permissions for your own objects. Which is your role? Do you have the same issue also on fields or eventtypes, or when using a different user or role?

Ciao.
Giuseppe
Hi @gcusello, I am unable to see it; I'm not sure whether I need any particular permissions or roles for the same.
Hello, I wanted to ask if there is a way in Splunk to collect failed login data from users on a virtual machine hosted with VMware, so that I can see if a user tried to log in, say, 5 times and failed the login on the VM 5 times. It would be nice to use it for finding out if there is some kind of brute-force attack or something else going on.
Hi @Yashvik, your data seems to be JSON, which usually has duplicated field values. Anyway, could you share a sample of your data (please not a screenshot)? About the behaviour in a particular app, maybe there are some calculated fields that elaborate your values.

Ciao.
Giuseppe
Hi @Abdulkareem, nobody will ever enable all the available CS, because you have to enable only the ones that have data to run; there's no sense in enabling all the CS you have! Then, among the ones with data, you have to choose the ones to enable based on your infrastructure. Remember that every search in Splunk takes a CPU and releases it when it finishes, so you have to analyze your data, define the CS to enable and then design the infrastructure to run your searches. Splunk ES requires at least 16 CPUs and 64 GB RAM, but the resources depend on the number of users and the number of CSs. A second approach is to start with a standard configuration (16/32 CPUs and 64/128 GB RAM), enable all the searches for your data and see whether the resources are sufficient or not.

Ciao.
Giuseppe
I actually installed this app, but nothing changed. I also tried this other syntax.
Hi @Kaushaas, go into the dashboard form and click on "Edit"; you should see the "Edit Permissions" choice.

Ciao.
Giuseppe
I cannot see the option to edit permissions
Hello Team, we are getting the below error while deploying the Java agent. For a few minutes it comes up, and after some time the agent crashes along with the application. It seems to be some issue while instrumenting the class. Below are the logs for your reference.

    [main] 17 May 2024 11:25:46,397 WARN LightweightThrowable - java.lang.NoSuchMethodException: java.lang.Throwable.getStackTraceElement(int) caught trying to reflect Throwable methods
    [AD Thread Pool-Global0] 17 May 2024 11:25:48,998 INFO ErrorProcessor - Sending ADDs to register [ApplicationDiagnosticData{key='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:', name=SQLSyntaxErrorException : OracleDatabaseException, diagnosticType=ERROR, configEntities=null, summary='java.sql.SQLSyntaxErrorException caused by oracle.jdbc.OracleDatabaseException'}]
    [AD Thread Pool-Global0] 17 May 2024 11:25:48,998 INFO ErrorProcessor - To enable reverse proxy, use the node property or set env/system variables
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,094 INFO ErrorProcessor - Setting AgentClassLoader as Context ClassLoader
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,194 INFO ErrorProcessor - Restoring Context ClassLoader to com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader@14bf9759
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,194 INFO ErrorProcessor - Error Objects registered with controller :{java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:=1873198}
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,194 INFO ErrorProcessor - Adding entry to errorKeyToUniqueKeyMap [1873198], ErrorKey[cause=[java.sql.SQLSyntaxErrorException, oracle.jdbc.OracleDatabaseException]], java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,294 INFO ErrorProcessor - Sending ADDs to register [ApplicationDiagnosticData{key='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1465592621', name=java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:, diagnosticType=STACK_TRACE, configEntities=[Type:ERROR, id:1873198], summary='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:'}]
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,294 INFO ErrorProcessor - To enable reverse proxy, use the node property or set env/system variables
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,336 INFO ErrorProcessor - Setting AgentClassLoader as Context ClassLoader
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,396 INFO ErrorProcessor - Restoring Context ClassLoader to com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader@14bf9759
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,396 INFO ErrorProcessor - Error Objects registered with controller :{java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1465592621=2272870}
    [AD Thread Pool-Global0] 17 May 2024 11:25:49,396 INFO ErrorProcessor - Adding entry to errorKeyToUniqueKeyMap [2272870], StackTraceErrorKey{hashCode=-1465592621}, java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1465592621
    [AD Thread Pool-Global0] 17 May 2024 11:25:56,893 INFO DynamicRulesManager - The config directory /opt/appdyn/javaagent/23.12.0.35361/ver23.12.0.35361/conf/namicggtd52d-onboarding-25-ll7bx--1 is not initialized, not writing /opt/appdyn/javaagent/23.12.0.35361/ver23.12.0.35361/conf/namicggtd52d-onboarding-25-ll7bx--1/bcirules.xml
    [AD Thread-Metric Reporter0] 17 May 2024 11:26:07,293 INFO MetricSender - To enable reverse proxy, use the node property or set env/system variables
    [AD Thread Pool-Global1] 17 May 2024 11:26:38,997 INFO ErrorProcessor - Sending ADDs to register [ApplicationDiagnosticData{key='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1702013436', name=java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:, diagnosticType=STACK_TRACE, configEntities=[Type:ERROR, id:1873198], summary='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:'}]
    [AD Thread Pool-Global1] 17 May 2024 11:26:38,997 INFO ErrorProcessor - To enable reverse proxy, use the node property or set env/system variables
    [AD Thread Pool-Global1] 17 May 2024 11:26:39,093 INFO ErrorProcessor - Setting AgentClassLoader as Context ClassLoader
    [AD Thread Pool-Global1] 17 May 2024 11:26:39,094 INFO ErrorProcessor - Restoring Context ClassLoader to com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader@14bf9759
    [AD Thread Pool-Global1] 17 May 2024 11:26:39,094 INFO ErrorProcessor - Error Objects registered with controller :{java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1702013436=2272876}
    [AD Thread Pool-Global1] 17 May 2024 11:26:39,094 INFO ErrorProcessor - Adding entry to errorKeyToUniqueKeyMap [2272876], StackTraceErrorKey{hashCode=-1702013436}, java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1702013436

Kindly assist.

Regards,
Amit Singh Bisht
Thanks for your fast responses. Some more context:

For incident response, we want to generate a text block with all notables one below the other, where a security analyst can write his conclusion below every notable, like this:

    * Short-lived group membership
    ID: F3y4IS
    Time: 05/14/2024 11:12:28
    Destination: xyz
    Source User: abc
    User / Group: def
    Destination Group: ghi
    -->

    * Usage of Default Account "administrator"
    ID: L32op/, WTBxMy
    Date: 05/17/2024 20:39:04
    Destination: xyz
    Source User: abc
    User / Group: def
    Destination Group: ghi
    -->

    * Malware detected
    ...

For this, I already wrote the following query to get the current notables to analyse:

    `notable`
    | search urgency IN ("high", "critical") status_label IN ("Unassigned", "New", "In Progress") NOT `suppression`
    | lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
    | table search_name ID _time `text_block_fields_default`

If I transpose this, I get the first table I posted. In the macro `text_block_fields_default` are the interesting fields to include in the report, like "action, app, dest, src, etc.", so the solution shouldn't depend on column names. I already have this query, which generates the text block for one specific notable:

    `notable`
    | search event_id="BAAAD325-8391-4075-81A2-AB145A1FA2FB@@notable@@80497c055c45b92d73bd74e700c1b6f9"
    | lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
    | table search_name ID _time `text_block_fields_default`
    | `ctime(_time)`
    | rename _time as time
    | transpose include_empty=False column_name=text_block
    | eval "row 1"=mvjoin('row 1', ",")
    | eval text_block=if(text_block="search_name", "* ", text_block.": "), text_block=replace(text_block, "(.{21}).*", "\1")
    | eval text_block=text_block . 'row 1'
    | append [| makeresults | eval text_block="--> "]
    | table text_block

Thanks in advance for your help!
@PaulPanther, thanks for your response. Yes, I want to embed a Splunk dashboard in an external site (my website) using the Splunk UI tool, not through any Splunkbase app. My objective is to provide a service where I can display their Splunk dashboard data in visualization form on an external website for public users. I have successfully accessed the dashboard definition of the Splunk dashboard by following this guideline: data/UI/views/{name}. I am trying to use the Splunk UI tool to render the dashboard definition and visualize the Splunk dashboard data on an external website.