All Posts

I don't want a PDF. I want a piece of software running in my Splunk Enterprise. Thanks
Thank you so much, one of our stanzas looks like the following:

[script://./bin/ulimit.sh]
interval = 27 5 * * *
source = scripted_input
sourcetype = virtualization:sanity:ulimit
index = os
disabled = false

Based on the link you provided, a reload should be fine. How would we run a "reload"?

inputs.conf http reload
inputs.conf script reload
inputs.conf monitor reload
inputs.conf <modular_input> reload
inputs.conf batch reload
Hey, how did you solve it then? I am having the same issue. Is there a way to switch to 32? I am very, very new in this.
Have you tried printing the dashboard to a PDF?
I would like to download the Security Posture Dashboard. The document "Security Posture dashboard" does not include a download link: https://docs.splunk.com/Documentation/ES/7.3.1/User/SecurityPosturedashboard
What are some good dashboards for displaying data ingested from AWS CloudWatch/CloudTrail?   thanks in advance 
I fixed the error of "Can't read key file" by putting the contents of my server private key into the pem file. Using these two commands can properly show information now:

openssl rsa -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text
openssl x509 -in /opt/splunk/etc/auth/mycerts/myServerCertificate.pem -text -noout

openssl rsa is properly showing the RSA private key (modulus, primes, etc.) now. openssl x509 works fine as I mentioned before. However, splunkd.log still shows sslv3 alert certificate unknown. Thanks.
| rest /servicesNS/-/-/data/ui/views splunk_server=local ``` Produces all views that are present in local searchhead ```
| table id, updated, eai:acl.removable, eai:acl.app ``` eai:acl.removable tells whether the dashboard can be deleted or not. removable=1 means can be deleted. removable=0 means could be system dashboard ```
| rename eai:acl.* as *
| rex field=id ".*\/(?<dashboard>.*)$"
| table app dashboard updated removable
| join type=left dashboard app
    [ search index=_audit ``` earliest=<setasperyourneeds> host=<yoursearchhead> ``` action=search provenance="UI:Dashboard:*" sourcetype=audittrail savedsearch_name!=""
    | stats earliest(_time) as earliest_time latest(_time) as latest_time by app provenance
    | convert ctime(*_time)
    | rex field=provenance ".*\:(?<dashboard>.*)$"
    | table earliest_time latest_time app dashboard ``` produces dashboards that are used in timerange given in earliest/global time range ``` ]
| where isnull(earliest_time) AND removable=1 ``` condition to return only dashboards that are not viewed ```
| stats values(dashboard) as dashboard by app
Hi @splunky_diamond , it's always a pleasure! Ciao. Giuseppe
Thank you very much @gcusello! You never fail to deliver the best solutions for Splunk newbies like me.
Hi @splunky_diamond, the best guide in add-on creation is the Splunk Add-On Builder app (https://splunkbase.splunk.com/app/2962). It guides you in the creation and in the normalization of your data to have a CIM-compliant data flow that you can also use in ES or ITSI. Ciao. Giuseppe
Hello Splunkers! I am collecting logs from Fudo PAM, for which I haven't found any suitable existing add-on on the Splunkbase website. The logs are being collected over syslog, yet the regular "syslog" sourcetype doesn't suit the events coming from my source. I was searching the web for some tutorials on how to create your own add-on in Splunk in order to parse unusual logs like in my case, but I haven't found any. Could someone please help me with that? Does anyone have any tutorial or guide on how to create your own parser, or can maybe explain what is needed for that, in case it's not a difficult task? If someone decides to provide the answer themselves, by explaining how to create your own add-on, I would really appreciate a detailed description that includes such notes as: required skills, difficulty, how long it will take, and whether it's the best practice in such situations or there are more efficient ways. Again, the main goal for me is to get my logs from Fudo PAM (coming over syslog) parsed properly. Thank you for taking your time reading my post and replying to it.
1. My task is to calculate number of events with "FAILED" value in "RESULT" key, it looks like this and it works (thanks to you guys!) -

index="myIndex" sourcetype="mySourceType"
| foreach "*DEV*" "UAT*" [| eval keep=if(isnotnull('<<FIELD>>'), 1, keep)]
| where keep==1
| stats count(eval('RESULT'=="FAILED")) as FAILS
| stats values(FAILS)

This gets even more confusing. 'number of events with "FAILED" value in "RESULT" key' implies that you already have a field (key) named "RESULT" that may have a value of "FAILED". If this is correct, shouldn't your search begin with

index="myIndex" sourcetype="mySourceType" RESULT=FAILED

?

| stats count(eval('RESULT'=="FAILED")) as FAILS gives one single numeric value. What is the purpose of cascading | stats values(FAILS) after this?

| stats count(eval('RESULT'=="FAILED")) as FAILS
| stats values(FAILS)

gives the exact same single value.

Most importantly still, as @PickleRick and I repeatedly point out, Splunk (and most programming languages) do not perform sophisticated calculations in name space, mostly because there is rarely a need to do so. When there is a serious need for manipulating the variable name space, it is usually because the upstream programmer made a poor design. In Splunk's case, it is super flexible in handling data without preconceived field names. As @bowesmana suggested, if you can demonstrate your raw data containing those special keys, it is probably much easier (and more performant) to simply use a TERM() filter to limit raw events rather than trying to apply semantics in extracted field names. (TERM is case insensitive by default.) If you find TERM() too limiting, you can also use Splunk's super flexible field extraction to extract environment groups "Prod" and "Dev" using regex.

This way, all you need to do is

index="myIndex" sourcetype="mySourceType" RESULT=FAILED environment=Dev
| stats count

You can even do something like

index="myIndex" sourcetype="mySourceType" RESULT=FAILED
| stats count by environment

Any of these alternatives is better in clarity and efficiency.
This is a Splunk forum, not a security analyst forum. No one knows what data is in your sources. Very few have expertise in the exact domain you work in. If you know what data will get the answer you are asked for but have difficulty getting the result you want, illustrate the data and desired results, then explain the logic between the two without SPL. Volunteers can help you from there.
SOLVED: the install.sh script was ignoring the call for the proxy script, so by running runSDKproxy.sh the problem was resolved (even though in appdynamics-agent.conf the parameter to automatically start the proxy is ON). Creating a service for the proxy resolved this second point.
Hi @dgiberson, look at the macro:

[cisco_ios_index]
definition = (index=*)
Hi @gcusello, thanks. Just confirmed then that we don't need to go specifically to the MC server to see this kind of warning/error.
Hi, we are testing manual JavaScript injection in an Oracle APEX application; however, the Dev teams tell us that only the "ords/r" page is showing in the list of pages in AppDynamics, not all the "internal" pages that run underneath. Does anyone have experience in configuring the EUM/JavaScript agent for APEX, to give us a hint on how to improve the default configuration to detect all pages used within the application? Thanks, Roberto
Hi @splunkreal, it's normal that all warning or error messages are displayed for admins on the servers that are usually accessed: SHs and MC. What's your doubt? If you think that these messages shouldn't be displayed, add it in Splunk Ideas (ideas.splunk.com). Ciao. Giuseppe
Hello, I'm wondering if warnings like "Local KV Store has replication issues" are shown to any admin user on any Splunk Web (DMC server and any SHC member)? Thanks.