@bgresty I strongly agree with what @livehybrid says. Your 14-character highlight points towards a configuration that's unintentionally filtering or misinterpreting data based on this field's length, which should be in your props/transforms conf.
@drodman29 As mentioned by everyone, the action.email.domain_allowlist setting in alert_actions.conf performs a strict, literal string match against the domain part of the email address. It does not natively support wildcards like *.mydomain.com. So, when you set action.email.domain_allowlist = *.mydomain.com, Splunk is literally looking for an email address like user@*.mydomain.com, which is not a valid email domain format and thus won't match a@temp.mydomain.com or b@perm.mydomain.com.

So I believe a possible workaround you can do is the Scripted Alert Action option. Instead of using the built-in sendemail alert action directly from the Splunk UI for these specific alerts, you configure the alert to trigger a custom script.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
@livehybrid @Kim Yes, you are right, streamfwd.conf natively only takes a list of indexers and HEC directly. The scenario I tested was using indexer discovery on the HF itself; Streamfwd can dynamically take the list of indexers from the outputs.conf. It worked without any issues. The key is that the streamfwd process, after parsing network data, will then attempt to forward it. If its own streamfwd.conf doesn't specify a direct S2S or HEC target, it will fall back to using the Splunk forwarding mechanism configured in outputs.conf.
A bit nerdy here, but @PickleRick if you know in advance what you want to do and can figure out the maths, then you can do others, e.g. post aggregation of average is simply sum/count:

index=_audit
| eval r=random() % 100
| timechart span=10m avg(r) as avg_r sum(r) as s_r count
| eval h=strftime(_time, "%H"), d=strftime(_time, "%d"), m=strftime(_time, "%M")
| eventstats sum(count) as count_1_hour sum(s_r) as sum_r_1_hour by d h
| where (h>=7 AND h<19 OR m=0)
| eval avg_r = if(h<7 OR h>=19, sum_r_1_hour / count_1_hour, avg_r)
| fields - d h m sum_r_1_hour count_1_hour s_r

Percentiles on the other hand are a little more complicated. I suspect using the sitimechart function will do a lot of the work for the first pass and then it's a bit of post-processing of the psrsvd_rd* variables. I'm not totally sure how the si_* values are aggregated for percentiles; I did play around with it some years ago and got lost in the weeds, but it was a somewhat interesting exercise.
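To show what the sum/count re-aggregation in that search actually buys you, here is an added Python example (not from the post above and not Splunk code) that runs the same roll-up over a constructed set of 10-minute bins: hours inside the 07:00 to 19:00 window keep every 10-minute row, all other hours collapse to a single hourly row whose average is recomputed as hourly sum / hourly count, and the result is contrasted with the naive mean of the 10-minute averages. The bin values, the window boundaries and the function names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of what "timechart span=10m avg(r) sum(r) count" emits:
# (_time, sum, count). Bin counts differ on purpose so that averaging the
# 10-minute averages gives a different number from the true hourly average.
SAMPLE_BINS = [
    (datetime(2024, 1, 1, 20, 0), 120.0, 4),   # night hour: will be collapsed
    (datetime(2024, 1, 1, 20, 10), 30.0, 1),
    (datetime(2024, 1, 1, 20, 20), 500.0, 10),
    (datetime(2024, 1, 1, 8, 0), 90.0, 3),     # day hour: kept at 10m granularity
    (datetime(2024, 1, 1, 8, 10), 10.0, 1),
]


def timechart_rows(bins):
    """Shape each bin like the timechart output in the post: avg_r, s_r, count."""
    return [{"_time": t, "avg_r": s / c, "s_r": s, "count": c} for t, s, c in bins]


def rollup(rows, day_start=7, day_end=19):
    """Replicates the eventstats / where / eval chain from the post:
    hours in [day_start, day_end) keep every 10-minute row; all other hours
    keep only the m=0 row, and its avg_r is recomputed as hourly sum / hourly
    count rather than as a mean of the 10-minute averages."""
    hourly = defaultdict(lambda: {"sum": 0.0, "count": 0})
    for r in rows:  # eventstats sum(count) sum(s_r) by d h
        key = (r["_time"].day, r["_time"].hour)
        hourly[key]["sum"] += r["s_r"]
        hourly[key]["count"] += r["count"]

    out = []
    for r in rows:  # where (day window OR m=0) | eval avg_r = if(night, sum/count, avg_r)
        h, m = r["_time"].hour, r["_time"].minute
        if day_start <= h < day_end:
            out.append({"_time": r["_time"], "avg_r": r["avg_r"], "count": r["count"]})
        elif m == 0:
            agg = hourly[(r["_time"].day, h)]
            out.append({"_time": r["_time"], "avg_r": agg["sum"] / agg["count"], "count": agg["count"]})
    return out


def mean_of_bin_averages(rows):
    """The naive (wrong) roll-up: averaging the already-averaged bins."""
    return sum(r["avg_r"] for r in rows) / len(rows)


if __name__ == "__main__":
    rows = timechart_rows(SAMPLE_BINS)
    for r in rollup(rows):
        print(r["_time"].strftime("%H:%M"), round(r["avg_r"], 3), r["count"])
    night = [r for r in rows if r["_time"].hour == 20]
    print("mean of 10m averages for 20:00:", round(mean_of_bin_averages(night), 3))
```

With these bins the 20:00 hour rolls up to 650/15 = 43.33, while the mean of the three 10-minute averages is 36.67; the gap is exactly why the post carries sum and count through to the second pass instead of re-averaging avg_r.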
Hi @shaunm001 Edit - you beat me to it. Seems you've got it sorted anyway. You need to use $click.value2$ instead. I've included an example below to test this. It doesn't seem well documented but a few of the docs do reference click.value2 - it seems to suggest click.value sets the "X-axis value" which it presumably infers as _time.

<form version="1.1" theme="dark">
  <label>Search and Filter Dashboard (Makeresults Base)</label>
  <description>A dashboard to search and filter generated logs with drilldown capabilities.</description>
  <!-- Define default token values -->
  <!-- Define the base search using makeresults -->
  <search id="baseSearch">
    <query>
| makeresults count=15
| eval _time = now() - round(random() * 86400)
| streamstats count as rec_num
| eval UserId = case(rec_num % 3 == 0, "user_A", rec_num % 3 == 1, "user_B", rec_num % 3 == 2, "user_C")
| eval subject = case(rec_num % 5 == 0, "Email sent successfully", rec_num % 5 == 1, "Login attempt failed", rec_num % 5 == 2, "Report generated", rec_num % 5 == 3, "File upload complete", rec_num % 5 == 4, "System error detected")
| eval Operation = case(rec_num % 4 == 0, "LOGIN", rec_num % 4 == 1, "EMAIL", rec_num % 4 == 2, "UPLOAD", rec_num % 4 == 3, "REPORT")
| eval messageId = "msg-" . rec_num . "-" . substr(md5(_time), 1, 8)
| eval ClientInfoString = "{\"os\":\"Windows\",\"browser\":\"Chrome\",\"ipAddress\":\"192.168.1.10" . (rec_num % 5) . "\"}"
| eval _raw = json("{\"os\":\"Windows\",\"browser\":\"Chrome\",\"ipAddress\":\"192.168.1.10" . (rec_num % 5) . "\"}")
| spath
| fields _time, UserId, subject, Operation, messageId, ClientInfoString, ipAddress
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="true">
    <input type="text" token="messageIdTok">
      <label>Message ID:</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="userIdTok">
      <label>User ID:</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="subjectTok">
      <label>Subject Contains:</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="ipAddressTok">
      <label>IP Address:</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>messageIdTok=$messageIdTok$ userIdTok=$userIdTok$ subjectTok=$subjectTok$ ipAddressTok=$ipAddressTok$</title>
        <search base="baseSearch">
          <query>| search subject="*$subjectTok$*" UserId="$userIdTok$" ipAddress="$ipAddressTok$" messageId="$messageIdTok$"</query>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <condition field="subject">
            <set token="subjectTok">$row.subject$</set>
            <set token="messageIdTok">*</set>
            <set token="userIdTok">*</set>
            <set token="ipAddressTok">*</set>
          </condition>
          <condition field="messageId">
            <set token="messageIdTok">$click.value2$</set>
            <set token="subjectTok">*</set>
            <set token="userIdTok">*</set>
            <set token="ipAddressTok">*</set>
          </condition>
          <condition field="UserId">
            <set token="messageIdTok">*</set>
            <set token="subjectTok">*</set>
            <set token="userIdTok">$row.UserId$</set>
            <set token="ipAddressTok">*</set>
          </condition>
          <condition field="ipAddress">
            <set token="messageIdTok">*</set>
            <set token="subjectTok">*</set>
            <set token="userIdTok">*</set>
            <set token="ipAddressTok">$row.ipAddress$</set>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Never mind... looks like using $click.value2$ solves the problem.
I have the following dashboard table:

<table>
  <title>messageIdTok=$messageIdTok$ userIdTok=$userIdTok$ subjectTok=$subjectTok$</title>
  <search base="baseSearch">
    <query>| search subject="*$subjectTok$*" UserId="$userIdTok$" ipAddress="$ipAddressTok$" messageId="$messageIdTok$" | table _time,UserId,subject,Operation,messageId,ClientInfoString,ipAddress</query>
  </search>
  <option name="count">10</option>
  <option name="dataOverlayMode">none</option>
  <option name="drilldown">cell</option>
  <option name="percentagesRow">false</option>
  <option name="rowNumbers">false</option>
  <option name="totalsRow">false</option>
  <option name="wrap">true</option>
  <drilldown>
    <condition field="subject">
      <set token="subjectTok">$row.subject$</set>
      <set token="messageIdTok">*</set>
      <set token="userIdTok">*</set>
      <set token="ipAddressTok">*</set>
    </condition>
    <condition field="messageId">
      <set token="messageIdTok">$click.value$</set>
      <set token="subjectTok">*</set>
      <set token="userIdTok">*</set>
      <set token="ipAddressTok">*</set>
    </condition>
    <condition field="UserId">
      <set token="messageIdTok">*</set>
      <set token="subjectTok">*</set>
      <set token="userIdTok">$row.UserId$</set>
      <set token="ipAddressTok">*</set>
    </condition>
  </drilldown>
</table>

In the "messageId" drilldown condition, I'm using $click.value$. But when I do this, clicking the cell always sets the messageIdTok to the value in the first column (_time in this case). I also notice that when I have the table option "drilldown" set to "cell", moving the mouse over the table always highlights the cell I'm hovering over as well as the first cell of that row (video here). Any suggestions on how to correct this behavior?
I understand this better now. Using the search you provided will search for anyone who did delete a record. I can then go into Splunk and search the timeframe for who actually performed the delete.

index=_audit action=delete_by_keyword info=granted

I can set up an alert using this search for any failed attempts to delete a record.

index=_audit action=search info=failed
| regex search="\\|(\\s|\\n|\\r|([\\s\\S]*))*delete"
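As an added example, not from the thread, the following Python runs the two checks from those searches over constructed _audit-style lines: a granted delete_by_keyword, and a failed search whose text pipes into delete. The regex is the post's pattern reduced to the equivalent \|[\s\S]*delete (the starred alternation in the original matches exactly the same strings, but without nested-quantifier backtracking); the line format and user names are constructed. The last sample line, a delete hidden behind a macro, is included to show that this text match does not see it.

```python
import re

# Equivalent of the post's regex "\|(\s|\n|\r|([\s\S]*))*delete" once SPL has
# unescaped the doubled backslashes: a pipe, then anything (newlines included),
# then "delete". The alternation inside the starred group collapses to [\s\S]*,
# so this matches exactly the same strings without nested-quantifier backtracking.
PIPE_DELETE = re.compile(r"\|[\s\S]*delete")

# key=value pairs in a constructed _audit-style line; values are either
# single-quoted (as the search string is) or run up to the next comma/bracket.
FIELD = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\]]+)")

# Constructed sample lines in the shape of index=_audit events; not real logs.
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-01-2024 09:00:00.000, user=alice, action=search, info=failed, search='index=main error | delete']",
    "Audit:[timestamp=01-01-2024 09:05:00.000, user=bob, action=delete_by_keyword, info=granted, search='index=main host=web1 | delete']",
    "Audit:[timestamp=01-01-2024 09:10:00.000, user=carol, action=search, info=granted, search='index=main | stats count by host']",
    "Audit:[timestamp=01-01-2024 09:15:00.000, user=dave, action=search, info=failed, search='index=main | `purge_old_events`']",
]


def parse_audit(line):
    """Return the key=value fields of one audit line, quotes stripped."""
    fields = {}
    for key, value in FIELD.findall(line):
        if value.startswith("'") and value.endswith("'"):
            value = value[1:-1]
        fields[key] = value.strip()
    return fields


def classify(fields):
    """Map one parsed line to the two cases in the post's searches:
    a granted delete (action=delete_by_keyword info=granted) or a failed
    search whose text pipes into delete. Anything else is not flagged."""
    action, info = fields.get("action"), fields.get("info")
    if action == "delete_by_keyword" and info == "granted":
        return "delete_granted"
    if action == "search" and info == "failed" and PIPE_DELETE.search(fields.get("search", "")):
        return "delete_attempt_failed"
    return None


def scan(lines):
    """(user, verdict) for every line that is flagged, in input order."""
    hits = []
    for line in lines:
        fields = parse_audit(line)
        verdict = classify(fields)
        if verdict:
            hits.append((fields.get("user"), verdict))
    return hits


if __name__ == "__main__":
    for user, verdict in scan(SAMPLE_AUDIT):
        print(user, verdict)
```

Only alice (failed attempt) and bob (granted delete) are reported; dave's search, where the delete would sit inside a macro definition rather than in the search text, passes through unflagged, which is the blind spot of any check that inspects the search string alone.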
What do you mean by "how to set that up"?
Could you tell me how to set that up?  Or, can you point me to a location on how to do it?
Hi @drodman29 Unfortunately it isn't possible to use wildcards in the allowedDomainList for emails, check out the following snippet of code where the checks are made:

    domains.extend(sec.EMAIL_DELIM.split(ssContent['action.email.allowedDomainList']))
    domains = [d.strip() for d in domains]
    domains = [d.lower() for d in domains]
    recipients = [r.lower() for r in recipients]
    for recipient in recipients:
        dom = recipient.partition("@")[2]
        if not dom in domains:
            logger.error("For subject=%s, email recipient=%s is not among the allowedDomainList=%s" % (ssContent.get('action.email.subject'), recipient, ssContent.get('action.email.allowedDomainList')))
        else:
            validRecipients.append(recipient)

This takes the value of allowedDomainList, splits it and converts to lowercase then checks if the second half (the domain) is in the list of domains. There is no regex matching etc so wildcarding isn't possible.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
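To make the difference between the literal check above and the wildcard people expect concrete (this applies equally to the action.email.domain_allowlist discussion earlier in this feed), here is an added Python example, not Splunk's code and not part of either post. literal_allowed reproduces the snippet's logic on its own, so it can be run against any list and recipient set; suffix_allowed is what a custom scripted alert action would have to implement itself to treat *.mydomain.com as a subdomain match. The EMAIL_DELIM pattern is an assumption about Splunk's delimiter, and the recipient addresses are constructed.

```python
import re

# Assumption: Splunk's sec.EMAIL_DELIM splits the list on commas and/or
# whitespace; the exact pattern is not on the page, so a comparable one is used.
EMAIL_DELIM = re.compile(r"[,\s]+")


def split_domains(allowed_domain_list):
    """Split, strip and lowercase the configured list, as the snippet does."""
    return [d.strip().lower() for d in EMAIL_DELIM.split(allowed_domain_list) if d.strip()]


def literal_allowed(recipients, allowed_domain_list):
    """Same logic as the sendemail.py snippet above: the part after '@' must be
    exactly one of the listed entries (case-insensitive). An entry such as
    '*.mydomain.com' is compared as the literal string '*.mydomain.com'."""
    domains = split_domains(allowed_domain_list)
    valid, rejected = [], []
    for recipient in (r.lower() for r in recipients):
        dom = recipient.partition("@")[2]
        (valid if dom in domains else rejected).append(recipient)
    return valid, rejected


def suffix_allowed(recipients, allowed_domain_list):
    """What a scripted alert action would have to implement itself to honour
    '*.mydomain.com': any subdomain of mydomain.com. The bare domain is NOT
    implied by the wildcard entry and must be listed on its own, and the
    comparison is on a '.'-anchored suffix so 'evilmydomain.com' cannot match."""
    exact, suffixes = set(), []
    for d in split_domains(allowed_domain_list):
        if d.startswith("*."):
            suffixes.append("." + d[2:])
        else:
            exact.add(d)

    def permitted(dom):
        return dom in exact or any(dom.endswith(s) for s in suffixes)

    valid, rejected = [], []
    for recipient in (r.lower() for r in recipients):
        dom = recipient.partition("@")[2]
        (valid if permitted(dom) else rejected).append(recipient)
    return valid, rejected


if __name__ == "__main__":
    rcpts = ["a@temp.mydomain.com", "b@perm.mydomain.com", "c@mydomain.com", "x@evilmydomain.com"]
    print("literal :", literal_allowed(rcpts, "*.mydomain.com"))
    print("suffix  :", suffix_allowed(rcpts, "*.mydomain.com, mydomain.com"))
```

The literal check rejects every recipient when the list is *.mydomain.com, which is the behaviour asked about; the suffix variant accepts the two subdomain addresses and still rejects the look-alike domain, because the comparison includes the leading dot.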
Are you sure you're adding the same Splunk version and kvstore version (and engine) instance as the rest of the SHC?
As usual with similar "monitoring" searches - this will not find searches when delete isn't invoked directly. The obvious way to do so would be with a macro.
@rahulkumar Since the client is pushing Sentinel logs to your Splunk HEC endpoint, you can filter out unwanted events within Splunk to reduce the indexed data volume, using a null queue to discard events before they're indexed. Configure Splunk's props.conf and transforms.conf on your heavy forwarder to route unwanted events to a null queue, preventing them from consuming your Splunk license.

https://docs.splunk.com/Documentation/Splunk/9.4.2/Forwarding/Routeandfilterdatad
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues
Thanks @kiran_panchavat, it helped a lot, I can look into this. But if the client denies the Azure credentials, which has a high chance of happening, is there any other way to do this?
@rahulkumar  If the client is willing to set up the Azure AD application and provide you with the necessary credentials (Client ID, Client Secret, Tenant ID, Workspace ID, etc.), you can configure the Splunk Add-on to pull logs from the Log Analytics workspace, Event Hub, or Blob Storage without needing direct Azure access.
Hi @kiran_panchavat, thanks for replying. The concern is that using the Splunk Add-on for Microsoft Cloud Services in Splunk Enterprise needs Azure-side configuration as well, I think, and I will have no access to it as it's client-side and they will just provide us with the data only. Is it possible you can clear my doubt about the add-on's use of the Azure configuration as well?
Does not answer the question. I know how to set this. I don't want to explicitly list every possible domain. I want a wildcard for the sake of maintenance. 
@rahulkumar Instead of HEC, the Azure team can configure Sentinel to stream logs to an Azure Event Hub, which Splunk can then pull using the Splunk Add-on for Microsoft Cloud Services or a custom Azure Function.

https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub_data
https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html
https://splunkbase.splunk.com/app/3110
Hello, I just want to know: if I have Sentinel logs forwarded to Splunk via HEC directly, is there any other way to get these logs? I am given the Sentinel logs directly in Splunk and have no access to Azure. I do not want to use HEC because of the huge amount of unfiltered data. Is there any way to resolve this issue, or can I ask the Azure team to do something that gives me filtered data, even if I have to use HEC in the end?