Hi @Jasmine, you can assign the field value to a temporary field first, and then use the rex command to extract the value you want:

index="aaa" (source="/test/log/testing.log") host IN (host1) c=*
| eval DB=if(c=="I", 'attr.namespace', 'attr.ns')
| rex field=DB "(?<DB>[^\.]*)"
| table DB
| dedup DB
@Sumi, kindly go through the link below to understand the .pid file. The absence of the splunkd.pid file in the /opt/splunkforwarder/var/run/splunk directory can indeed cause issues with Splunk startup. https://community.splunk.com/t5/Getting-Data-In/Splunk-is-not-starting-due-to-presence-of-PID-file-Why/m-p/152053
The splunkd.pid file is completely missing from the /opt/splunkforwarder/var/run/splunk path; kindly suggest how this can be resolved.
In the query below, if c=I the regular expression is | rex field=attr.namespace "(?<DB>[^\.]*)"; if c is anything other than "I", the rex would be | rex field=attr.ns "(?<DB>[^\.]*)".

index="aaa" (source="/test/log/testing.log") host IN(host1) c=N
| rex field=attr.ns "(?<DB>[^\.]*)"
| table DB
| dedup DB

How can I adjust the query?
Hi @splunky_diamond, good for you, see you next time! Let me know if I can help you more, or please accept one answer (eventually your last) for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
I checked; it does not apply to Security Posture, but I found something: we can add the time range to that dashboard. I just need to figure out how to bind it to my specific dashboard, and it should work!
Hi @splunky_diamond, see [Incident Management > Incident Review Settings]. As I said, in this form you can configure the default Time Picker for the Incident Review dashboard; check (I'm not sure!) whether the same setting is also applied to Security Posture. Ciao. Giuseppe
Hello @bowesmana, thanks for replying to my post. Regarding your last suggestion, if I got it right, I can assign a priority value in the search string itself? So far what I've read is that the identities and assets are added to Splunk via lookups, from which the information about their priority is pulled. So, if I got your suggestion about assigning priorities in the searches themselves right, could you please provide an example? I would really appreciate it! Cheers, Splunky diamond
Hello @gcusello, thanks for replying to my post! I am sorry, but I don't think I quite understand what you are suggesting. Just FYI, here are all the available configurations in [Configure > All configurations]. I checked multiple settings, but I don't think any of them relate to the specific dashboard I am looking to change settings for. Cheers, splunky_diamond.
Hi @Cerum, you didn't mention IP allow list checks, so it might be worth checking your cloud IP allow list config. In the past this has caught me out: all your apps (I'm assuming SaaS types) send to HEC in the cloud, therefore you may need to add them to your IP allow list for the Splunk Cloud feature (HEC access for ingestion). That is, if you are even using IP allow lists; if you aren't, then all the features are accessible and this is not the issue. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Config/ConfigureIPAllowList
Hi @splunky_diamond, did you try going to [Configure > Incident Review]? Surely, in this dashboard it's possible to change the time picker of the Incident Review dashboard; I'm not sure it's the same thing for Security Posture. Ciao. Giuseppe
Try starting with something like this:

| streamstats values(aggregator_status) as previous_aggregator_status by aggregator window=1 current=f global=f
| eval changetime=if((aggregator_status="Up" and previous_aggregator_status="Error") or (aggregator_status="Error" and previous_aggregator_status="Up"),_time,null())
| where isnotnull(changetime)
| streamstats current=t global=f window=2 range(_time) as time_diff2 by aggregator
| where aggregator_status="Error"
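As an added Python illustration (not from the post above and not Splunk code), here is the same state-change logic run outside Splunk over constructed events: per aggregator, compare each event's status with the previous one, keep only the Up/Error flips, and measure how long each Error state lasted before the next flip back to Up. The field names _time, aggregator and aggregator_status are taken from the post; the event data are made up. One caveat a practitioner should keep in mind: Splunk hands streamstats its events newest-first, while this script sorts them oldest-first, so the SPL pairs an Error row with the Up row that follows it in the stream (the chronologically later one), which is the same outage duration read from the other direction.

```python
from typing import Dict, List, Optional

# Constructed sample events (not real data): aggregator agg-a flaps between
# Up and Error, agg-b stays Up. _time is epoch seconds, as Splunk stores it.
SAMPLE_EVENTS: List[Dict] = [
    {"_time": 1700000000, "aggregator": "agg-a", "aggregator_status": "Up"},
    {"_time": 1700000300, "aggregator": "agg-a", "aggregator_status": "Up"},
    {"_time": 1700000600, "aggregator": "agg-a", "aggregator_status": "Error"},
    {"_time": 1700000900, "aggregator": "agg-a", "aggregator_status": "Error"},
    {"_time": 1700001500, "aggregator": "agg-a", "aggregator_status": "Up"},
    {"_time": 1700002100, "aggregator": "agg-a", "aggregator_status": "Error"},
    {"_time": 1700000000, "aggregator": "agg-b", "aggregator_status": "Up"},
    {"_time": 1700000300, "aggregator": "agg-b", "aggregator_status": "Up"},
]


def find_transitions(events: List[Dict]) -> List[Dict]:
    """Return one row per Up<->Error flip, per aggregator, in chronological order.

    This mirrors the first three SPL stages: streamstats carries the previous
    status forward, eval marks a change only when the pair is Up/Error in either
    direction, and the where clause drops everything else. Any other status
    value (e.g. "Degraded") is ignored, exactly as the SPL condition does.
    """
    by_agg: Dict[str, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: (e["aggregator"], e["_time"])):
        by_agg.setdefault(ev["aggregator"], []).append(ev)

    transitions: List[Dict] = []
    for agg, evs in by_agg.items():
        prev: Optional[str] = None
        for ev in evs:
            status = ev["aggregator_status"]
            if prev is not None and {prev, status} == {"Up", "Error"}:
                transitions.append(
                    {"aggregator": agg, "_time": ev["_time"], "aggregator_status": status}
                )
            prev = status
    return transitions


def error_durations(events: List[Dict]) -> List[Dict]:
    """For each transition into Error, seconds until the next transition back to Up.

    duration_s is None when the aggregator is still in Error at the end of the
    data; the SPL's window=2 range(_time) would report 0 for that row instead,
    which is easy to misread as an instant recovery, hence the explicit None.
    """
    rows: List[Dict] = []
    trans = find_transitions(events)
    for i, t in enumerate(trans):
        if t["aggregator_status"] != "Error":
            continue
        nxt = trans[i + 1] if i + 1 < len(trans) else None
        if nxt is not None and nxt["aggregator"] != t["aggregator"]:
            nxt = None  # next flip belongs to a different aggregator
        rows.append(
            {
                "aggregator": t["aggregator"],
                "error_start": t["_time"],
                "duration_s": (nxt["_time"] - t["_time"]) if nxt else None,
            }
        )
    return rows


if __name__ == "__main__":
    for row in error_durations(SAMPLE_EVENTS):
        print(row)
```

Running it prints one row per outage: agg-a's first Error lasted 900 seconds, and its second is still open (duration None); agg-b never flipped, so it produces no rows.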
Hello Splunkers! I want to change the time picker of this dashboard in Enterprise Security to provide the count of notables not over the last 24 hours, but over 12 hours. I tried changing values related to time in the source code via the GUI. It does not work: for some reason, the changes are not being saved, even though I am hitting the save button. Is there a way to add a time picker to this dashboard, so that we can select the time period we are interested in at any time and update the dashboard instantly? Thanks in advance for taking the time to read and reply to my post.
Please share the complete search which is not working. Also, please include some representative anonymised sample events so we can see what you are dealing with.
OK. The easiest thing would indeed be to try to push to the /raw endpoint from your solution to verify whether anything is being sent at all (and to check any available logs on the sender's side if there are problems). Aaaaand did you check for the usual culprit of "missing data": time misconfiguration? It's a fairly common issue that the data is being indexed but at the wrong moment in time, so that you're not finding it properly. (It's more obvious if you index it ahead of time, because then you can find it after some time if your source is constantly sending events; but if it's indexing data "late", you won't find it if you intuitively search for "last 30 minutes" or so.)
This is actually a question for your Windows/AD gurus. Splunk is "just" a data processing platform. Splunk can gather data from external sources, search it, analyze, aggregate, visualize and so on, but interpretation of the data and of Splunk search results is up to you. You must know what the data you push into Splunk is about.
OK. And what is your problem here? You've shown us a data sample (not in its entirety, though; it seems to be cut after a comma, and we can't know whether it's, for example, well-formed XML), but we don't know what you have tried so far and what isn't working the way you'd expect. Do you have problems extracting fields? Or searching for matching data? Aggregating? Visualizing?
And check permissions. The lookup itself might be OK but you might not have permissions to use it.
No, you can't. Search just pulls data from the index. It doesn't do any inter-event comparisons and such so you can't just get latest event. That's what stats is for. Also remember that in a clustered environment the latest event will come from just one of the indexers and the search command is a distributed streaming command so it obviously gets distributed to all search peers and runs independently on each of them. How would you like to get latest event from a particular index not knowing if other peers have a more recent event? And since it's a distributed streaming command subsequent commands which do not move the processing to the SH tier (more distributed searching commands - most notably eval) will also get executed on all indexers taking part in the search. So no, search is for searching, stats is for aggregation (and latest() is a form of aggregation).
Hi @SplunkNinja, search the lookups and the lookup definitions for the automatic lookup named "threatprotect-severity"; probably it's missing, or some fields called by your searches are missing from the lookup definition. Ciao. Giuseppe