Hello, thanks for answering. There are no errors; the time formatting is simply not taken into account. Here is my query:

<query>index="xxx" earliest=$timerange.earliest$ latest=$timerange.latest$
| table guid, "parameter", "value"
| xyseries "guid", "parameter", "value"
| fields "guid" "type" "Start Time" "End Time" "Duration"
| eval fields "Start Time" = strftime("Start Time", "%d/%m/%y %H:%M:%S")
| sort 0 - "Start Time" </query>

As I explained, start time is not reformatted as expected; it is still in the original format!

guid | type | start time | end time | duration
2024-05-20T04:00:53.536Z | incremental | 2024-05-20T04:00:53.847Z | 2024-05-20T04:01:05.815Z | 00:00:12

Thanks, Laurent
@phanTom My requirement is to get a notification about ingestion. Example: if a notable is created in Splunk ES but that notable is not created in Splunk Phantom, then it should notify us. Please help me with your suggestion on this. Regards, Harisha
Hi @Kaushaas, I'm not sure that a specific role is required to see the Permissions for your own objects. Which is your role? Do you have the same issue also on fields or eventtypes, or using a different user or role? Ciao. Giuseppe
Hi @gcusello, I am unable to see it; I'm not sure whether I need any particular permissions or roles for the same.
Hello, I wanted to ask if there is a way in Splunk to collect failed login data from users on a virtual machine hosted with VMware, so that I can see if a user tried to log in, say, 5 times and failed the login on the VM 5 times. It would be nice to use it for finding out if there is some kind of brute-force attack or something else going on.
Hi @Yashvik, your data seems to be JSON, which usually has duplicated field values. Anyway, could you share a sample of your data (please not a screenshot)? About the behaviour in a particular app, maybe there are some calculated fields that elaborate your values. Ciao. Giuseppe
Hi @Abdulkareem, nobody will ever enable all the available CS, because you have to enable only the ones that have data to run; there's no sense in enabling all the CS you have! Then, among the ones with data, you have to choose the ones to enable based on your infrastructure. Remember that every search in Splunk takes a CPU and releases it when it finishes, so you have to analyze your data, define the CS to enable and then design the infrastructure to run your searches. Splunk ES requires at least 16 CPUs and 64 GB RAM, but the resources depend on the number of users and the number of CSs. The second approach is to start with a standard configuration (16/32 CPUs and 64/128 GB RAM), enable all the searches for your data and see if the resources are sufficient or not. Ciao. Giuseppe
I actually installed this app, but nothing changed. I also tried this other syntax.
Hi @Kaushaas, go to the dashboard form and click on "Edit"; you should see the "Edit Permissions" choice. Ciao. Giuseppe
I cannot see the option to edit permissions
Hello Team, we are getting the below error while deploying the Java agent. For a few minutes it comes up, and after some time the agent crashes along with the application. It seems to be some issue while instrumenting the class. Below are the logs for your reference.

[main] 17 May 2024 11:25:46,397 WARN LightweightThrowable - java.lang.NoSuchMethodException: java.lang.Throwable.getStackTraceElement(int) caught trying to reflect Throwable methods
[AD Thread Pool-Global0] 17 May 2024 11:25:48,998 INFO ErrorProcessor - Sending ADDs to register [ApplicationDiagnosticData{key='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:', name=SQLSyntaxErrorException : OracleDatabaseException, diagnosticType=ERROR, configEntities=null, summary='java.sql.SQLSyntaxErrorException caused by oracle.jdbc.OracleDatabaseException'}]
[AD Thread Pool-Global0] 17 May 2024 11:25:48,998 INFO ErrorProcessor - To enable reverse proxy, use the node property or set env/system variables
[AD Thread Pool-Global0] 17 May 2024 11:25:49,094 INFO ErrorProcessor - Setting AgentClassLoader as Context ClassLoader
[AD Thread Pool-Global0] 17 May 2024 11:25:49,194 INFO ErrorProcessor - Restoring Context ClassLoader to com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader@14bf9759
[AD Thread Pool-Global0] 17 May 2024 11:25:49,194 INFO ErrorProcessor - Error Objects registered with controller :{java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:=1873198}
[AD Thread Pool-Global0] 17 May 2024 11:25:49,194 INFO ErrorProcessor - Adding entry to errorKeyToUniqueKeyMap [1873198], ErrorKey[cause=[java.sql.SQLSyntaxErrorException, oracle.jdbc.OracleDatabaseException]], java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:
[AD Thread Pool-Global0] 17 May 2024 11:25:49,294 INFO ErrorProcessor - Sending ADDs to register [ApplicationDiagnosticData{key='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1465592621', name=java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:, diagnosticType=STACK_TRACE, configEntities=[Type:ERROR, id:1873198], summary='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:'}]
[AD Thread Pool-Global0] 17 May 2024 11:25:49,294 INFO ErrorProcessor - To enable reverse proxy, use the node property or set env/system variables
[AD Thread Pool-Global0] 17 May 2024 11:25:49,336 INFO ErrorProcessor - Setting AgentClassLoader as Context ClassLoader
[AD Thread Pool-Global0] 17 May 2024 11:25:49,396 INFO ErrorProcessor - Restoring Context ClassLoader to com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader@14bf9759
[AD Thread Pool-Global0] 17 May 2024 11:25:49,396 INFO ErrorProcessor - Error Objects registered with controller :{java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1465592621=2272870}
[AD Thread Pool-Global0] 17 May 2024 11:25:49,396 INFO ErrorProcessor - Adding entry to errorKeyToUniqueKeyMap [2272870], StackTraceErrorKey{hashCode=-1465592621}, java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1465592621
[AD Thread Pool-Global0] 17 May 2024 11:25:56,893 INFO DynamicRulesManager - The config directory /opt/appdyn/javaagent/23.12.0.35361/ver23.12.0.35361/conf/namicggtd52d-onboarding-25-ll7bx--1 is not initialized, not writing /opt/appdyn/javaagent/23.12.0.35361/ver23.12.0.35361/conf/namicggtd52d-onboarding-25-ll7bx--1/bcirules.xml
[AD Thread-Metric Reporter0] 17 May 2024 11:26:07,293 INFO MetricSender - To enable reverse proxy, use the node property or set env/system variables
[AD Thread Pool-Global1] 17 May 2024 11:26:38,997 INFO ErrorProcessor - Sending ADDs to register [ApplicationDiagnosticData{key='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1702013436', name=java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:, diagnosticType=STACK_TRACE, configEntities=[Type:ERROR, id:1873198], summary='java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:'}]
[AD Thread Pool-Global1] 17 May 2024 11:26:38,997 INFO ErrorProcessor - To enable reverse proxy, use the node property or set env/system variables
[AD Thread Pool-Global1] 17 May 2024 11:26:39,093 INFO ErrorProcessor - Setting AgentClassLoader as Context ClassLoader
[AD Thread Pool-Global1] 17 May 2024 11:26:39,094 INFO ErrorProcessor - Restoring Context ClassLoader to com.singularity.ee.agent.appagent.kernel.classloader.Post19AgentClassLoader@14bf9759
[AD Thread Pool-Global1] 17 May 2024 11:26:39,094 INFO ErrorProcessor - Error Objects registered with controller :{java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1702013436=2272876}
[AD Thread Pool-Global1] 17 May 2024 11:26:39,094 INFO ErrorProcessor - Adding entry to errorKeyToUniqueKeyMap [2272876], StackTraceErrorKey{hashCode=-1702013436}, java.sql.SQLSyntaxErrorException:oracle.jdbc.OracleDatabaseException:-1702013436

Kindly assist. Regards, Amit Singh Bisht
Thanks for your fast responses. Some more context: for incident response, we want to generate a text block with all notables listed one below the other, where a security analyst can write his conclusion below every notable, like this:

* Short-lived group membership
ID: F3y4IS
Time: 05/14/2024 11:12:28
Destination: xyz
Source User: abc
User / Group: def
Destination Group: ghi
-->

* Usage of Default Account "administrator"
ID: L32op/, WTBxMy
Date: 05/17/2024 20:39:04
Destination: xyz
Source User: abc
User / Group: def
Destination Group: ghi
-->

* Malware detected
...

For this, I already wrote the following query to get the current notables to analyse:

`notable`
| search urgency IN ("high", "critical") status_label IN ("Unassigned", "New", "In Progress") NOT `suppression`
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
| table search_name ID _time `text_block_fields_default`

If I transpose this, I get the first table I posted. The macro `text_block_fields_default` contains the fields that are interesting to include in the report, like action, app, dest, src, etc., so the solution shouldn't depend on column names. I already have this query, which generates the text block for one specific notable:

`notable`
| search event_id="BAAAD325-8391-4075-81A2-AB145A1FA2FB@@notable@@80497c055c45b92d73bd74e700c1b6f9"
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
| table search_name ID _time `text_block_fields_default`
| `ctime(_time)`
| rename _time as time
| transpose include_empty=False column_name=text_block
| eval "row 1"=mvjoin('row 1',",")
| eval text_block=if(text_block="search_name","* ",text_block.": "),text_block=replace(text_block,"(.{21}).*","\1")
| eval text_block=text_block . 'row 1'
| append [| makeresults | eval text_block="--> " ]
| table text_block

Thanks in advance for your help!
@PaulPanther, thanks for your response. Yes, I want to embed a Splunk dashboard in an external site (my website) using the SplunkUI tool, not any Splunkbase app. My objective is this: I want to provide a service where I can display their Splunk dashboard data as visualizations on an external website for public users. I have successfully accessed the dashboard definition of the Splunk dashboard by following this guideline: data/UI/views/{name}. I am now trying to use the SplunkUI tool to render the dashboard definition and visualize the Splunk dashboard data on an external website.
Has anyone attempted to enable all the correlation searches in the "Use Case Library" for enterprise security? There are over 1,000 correlation searches. Will this impact the performance of the Search Head (SH) and indexer? If I have 1,000 EPS, what hardware resources would be required? Alternatively, what minimum hardware resources are needed to enable all the correlation searches in the use case library? Thank you.
Hi, we recently changed the tsidxWritingLevel from 1 to 4 for performance and space-saving. Is there any way to check whether the above modification has improved the performance and space usage in our environment? Thanks
Hello @gcusello, but the source doesn't contain any duplicate fields when sending to Splunk, and they appear only if we search within a particular app. As said earlier, if I run the same query outside the app, I don't see these duplicate field values. My users don't have permissions to run the searches outside their app, so they see duplicate entries every time.
As richgalloway wrote, there should be one License Manager, and all servers that need a license should talk to that server on port 8089 (can be changed). Servers running full Splunk, like Search Heads, Heavy Forwarders, Indexers, HEC etc., need to be able to talk to the LM server.
I tried using the 'isnull' and 'isnotnull' functions, but received the same 'false' result for both.
@harishlnu if you have one of the more recent versions of SOAR, then it now has a forwarder on it with the ability to send a lot of different logs to Splunk via the UF embedded in the platform. There is a huge amount of data in these logs that could be teased out into SPL alerts. Are you able to advise what kind of things you are looking to monitor? OS health can be done using the *nix Splunk Add-on; playbook/action failure is in the logs, as is access data via the wsgi.log file. Daemon logs, such as decided/ingestd/etc., can also provide data about functionality, and these are also able to be sent to Splunk via the Forwarder Settings in Administration in SOAR. -- Hope this helps! Happy SOARing --
Hi @Yashvik, as I said, these are your logs and we cannot change them; you can only display them one time to avoid useless duplications. In addition, this is very frequent with JSON logs. For this reason, I suggest using stats to display your logs in Statistics (and dashboard panels), even if in the raw logs you have duplicated values in some fields. You shouldn't modify your logs; they are as they are, and you use them by displaying what you need. Ciao. Giuseppe