Hi @splunky_diamond, probably this isn't the issue, but why do you use quotes?

index=fudo_index completed_action="deleted session."
| stats
values(node_address) AS address
values(user) AS user
values(fudo_session) AS session
values(completed_action) AS "completed action"
count(completed_action) AS counter
| where counter>0

Quotes are mandatory when you have spaces or special chars in the field names. Then, why don't you use an aggregation key (the BY clause)? I'd try with something like this:

index=fudo_index completed_action="deleted session."
| stats
values(user) AS user
values(fudo_session) AS session
values(completed_action) AS "completed action"
count(completed_action) AS counter
BY node_address
| where counter>0
| rename node_address AS address

Ciao. Giuseppe
@gcusello, I tried your suggestion, it worked for the "fudo_session" field, thank you! However, I tried the same on the "dvc" field and it does not work for some reason... I tried extracting a new field called "node_address" and added it to my search in the following way:

index=fudo_index completed_action="deleted session." | stats values("node_address") as address values("user") as user values("fudo_session") as session values("completed_action") as "completed action" count("completed_action") as counter | where 'counter'>0

And in the title of the notable I have the following: Deleted recorded session $session$ detected on $address$

Also I added both fields in the incident review settings as you said. Here is the result:

The value that should appear instead of "$address$" is the IPv4 address. When I was extracting the field node_address, I did it in the Enterprise Security app in the search. For the permissions I made it global, with everyone being able to read and only admin with write permissions (just like the fudo_session field). If both of them are completely identical, why isn't this field getting evaluated like fudo_session? Could you please help with troubleshooting this?
Hi all, I am ingesting k8s data with OpenTelemetry in my enterprise environment. I would like to know if there is a list of available metrics and their description, or if there is any example dashboard that can help me to visualize the states and behaviors of clusters, pods, containers. I need to put it in order to show it to the different teams. Thanks and cheers, JAR
Hi @LearningGuy, you can save your static data in a csv lookup, in a kv-store lookup, or in an Index if you need time updates on your data. The more frequent approach is to use a csv lookup. Ciao. Giuseppe
Hi @jacknguyen, yes, if you're speaking of frozen buckets, you don't need to save buckets from both the Indexers, but only one. Pay attention to one thing: in an Indexer cluster, buckets are present in two parts: the part indexed by the same Indexer and the part indexed by the other Indexer and replicated on the first. You have to back up both of them. Ciao. Giuseppe
Hi @splunky_diamond, I suppose that you are confusing passing some Correlation Search fields in the title of the CS itself (using a token) with the fields to display in an Incident Review. The example you gave is of the first type, but, if I correctly understand, you want to display other fields in the Notable information. To do this you must add these fields to the Correlation Search results (e.g. as values in the stats command), so that they are written in the Notable event, and then go to [Configure > Incident Review > Incident Settings] and add these fields to those displayed (if they were not already present). Ciao. Giuseppe
@VijaySrrie - I cannot tell by the name of the App who the creator of the App is, but you need to reach out to the developer of that App and raise a support case there.
@venkatramana - You can use the Splunk SDK for Java. Below are references:
https://dev.splunk.com/enterprise/docs/devtools/java/sdk-java
https://github.com/splunk/splunk-sdk-java
https://dev.splunk.com/enterprise/docs/devtools/java/sdk-java/gettingstartedsdkjava/installsdkjava/
I hope this helps!!! If it does kindly upvote!!!
@Roy_9 - Yes, you need to set the Lookup file and Lookup definition permission to "Global" instead of Private or App. You can do that from the UI on their respective page under Settings on Splunk. I hope this helps!!! Kindly upvote if it does!!!
Hello Splunkers! I have built my own correlation search: From which I am generating a notable. In that notable I want to pass some fields using the $ I saw this trick of passing the fields like $this$ in some other pre-configured correlation searches in Enterprise Security, but in my own correlation search it does not work for some reason: Can someone please tell me how can I make it work? Let me know if you want me to share some other configurations that I did, that might be relevant to this issue. Thanks for taking your time reading and replying to my post
Hi @VatsalJagani
1. Checkpoint file is not getting updated
2. It happens only in DC1
3. modinput_tyk_analytics_mongodb is the app having the python script
4. Whenever we see the error in splunk internal logs, duplicate logs are seen
You mean I can use 2 folders for two Indexers on a disk? I want to ask: if I just use one folder and save only Indexer 1's frozen data, which can be used as backup data for the whole Indexer Cluster (both Indexer 1 and 2), is that ok? It's very hard for me to find documentation that says this clearly. My customer wants to know about that. Do you know any documents where Splunk talks about this situation?
Hi All, I set up splunk and am trying to capture security logs from the client machine. My VM is set up as server / client with an active directory group setting. But I am getting a disk space error: "The diskspace remaining =9620 has breached the yellow threshold for filesystems=C:\Program Files\splunk\var\lib\splunk\_metrics\colddb". But I have free space on the C drive. Please clarify
Hi, we're measuring with a code snippet like the one below: the time before we called the logger subtracted from the time the logger completed.

// take a timestamp before the log call, log, then take a second timestamp
Long start1 = System.currentTimeMillis();
log.info("Test logging");
Long start2 = System.currentTimeMillis();
// elapsed time spent in the log.info() call, in milliseconds
log.info("logTime={}", start2 - start1);

We have not used tcpdump yet as this is running in a container. We are not able to use batch either, since we needed type=raw, which doesn't support batch configs from my understanding. Is there a way to work with the Raw type and send as batch? Thanks.
So there's a bug with installing Splunk Enterprise 9.2.x and the universal forwarder on the same server, something that should work. I have opened a case with Splunk and requested them to document the issue in the known issues. They have not done that yet.
Ah, then I guess we have different understandings of what "download a dashboard" means. The software you want is Splunk Enterprise Security. It's a premium product, meaning it is available for download only by customers who have paid for it. Contact your Splunk account team for more information.