Looks like a networking issue. Your SOAR instance cannot find a network route to 192.168.208.144. Some things you could try are:
Ping or interact with that IP address via any protocol, to see if it connects outside of SOAR.
Ping or interact with another IP address via any protocol, to see if networking is working on the SOAR machine.
Check that your SOAR instance and 192.168.208.144 are in the same subnet, or have switches that can carry traffic between them.
I also expected the LOG field to be extracted. Were the changes to props/transforms installed on the first full Splunk instance that sees the data? Was that instance restarted? Is the screenshot showing new data (since the restart)?
In SOAR, the webserver is nginx. It has a configuration file at ($SOARDIR$ = your SOAR/Phantom install directory, e.g. /opt/phantom or /data):
$SOARDIR$/usr/nginx/conf/phantom-nginx-server.conf
... which includes the config in conf.d:
$SOARDIR$/usr/nginx/conf/conf.d/phantom-nginx-server.conf
which sets the SSL options:
ssl_certificate /opt/phantom/etc/ssl/certs/httpd_cert.crt;
ssl_certificate_key /opt/phantom/etc/ssl/private/httpd_cert.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers
ssl_session_cache shared:TLS:2m;
ssl_dhparam /opt/phantom/etc/ssl/dhparams.pem;
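The reply above points at the nginx server block that fixes the TLS posture of a SOAR instance. As an added example (not from the thread, not Splunk's code), here is a small Python lint that parses that kind of nginx fragment and flags the settings a reviewer would object to: legacy protocol versions, ssl_prefer_server_ciphers left at the nginx default of off, a missing or alias-based ssl_ciphers list, and DHE suites without a custom ssl_dhparam. The two config fragments are constructed for the demo; only the file paths echo the ones quoted in the reply.

```python
import re
from typing import Dict, List

# Constructed sample fragments (not copied from a real SOAR install).
# WEAK_CONF shows the settings the lint should catch; HARDENED_CONF mirrors
# the directives quoted in the reply plus an explicit ECDHE-only cipher list.
WEAK_CONF = """
server {
    listen 443 ssl;
    # legacy settings kept for an old integration
    ssl_certificate     /opt/phantom/etc/ssl/certs/httpd_cert.crt;
    ssl_certificate_key /opt/phantom/etc/ssl/private/httpd_cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /opt/phantom/etc/ssl/certs/httpd_cert.crt;
    ssl_certificate_key /opt/phantom/etc/ssl/private/httpd_cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:TLS:2m;
    ssl_dhparam /opt/phantom/etc/ssl/dhparams.pem;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list aliases that hide which suites are really enabled.
OPAQUE_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*;\s*$")


def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Return {directive: [values]} for simple 'name value ...;' lines.

    Comments and block delimiters ('server {', '}') are skipped. A directive
    repeated in the same context keeps its last value, which is how nginx
    resolves duplicates; nested contexts are flattened for this simple check.
    """
    out: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = DIRECTIVE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).split()
    return out


def lint_tls_config(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_directives(conf)
    findings: List[str] = []

    for proto in d.get("ssl_protocols", []):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"ssl_protocols: legacy protocol {proto} enabled")

    # nginx defaults ssl_prefer_server_ciphers to off, so absence is also flagged.
    if d.get("ssl_prefer_server_ciphers", ["off"]) != ["on"]:
        findings.append("ssl_prefer_server_ciphers: not 'on' (nginx default is off)")

    ciphers = d.get("ssl_ciphers")
    if not ciphers:
        findings.append("ssl_ciphers: no explicit cipher list (OpenSSL default applies)")
    else:
        tokens = ":".join(ciphers).split(":")
        for tok in tokens:
            # Exclusions (!), removals (-), re-orderings (+) and @SECLEVEL are not suites.
            if tok[:1] in "!-+" or tok.startswith("@"):
                continue
            if tok.upper() in OPAQUE_ALIASES:
                findings.append(f"ssl_ciphers: opaque alias {tok} (non-PFS suites permitted)")
            elif not tok.startswith(("ECDHE-", "DHE-", "TLS_")):
                findings.append(f"ssl_ciphers: suite {tok} lacks ephemeral key exchange")
        if any(t.startswith("DHE-") for t in tokens) and "ssl_dhparam" not in d:
            findings.append("ssl_dhparam: DHE suites enabled without custom dhparams")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_tls_config(conf) or ["ok"])
```

Run it against the real file by reading $SOARDIR$/usr/nginx/conf/conf.d/phantom-nginx-server.conf into `lint_tls_config`; the parser only understands flat `name value;` directives, which is all the TLS block uses.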
Unfortunately, those searches are of different types (one starts with a streaming search command, the other with the report-generating tstats command), which means you can't combine them into one search and process combined results, or use multisearch to run both in parallel. You're limited to either using the join command as you attempted or appending one result set to another and then doing some summarizing stats. Having said that, I don't quite get how you imagine your desired output, since the tstats will split results by three fields whereas your raw index search returns stats split only by host.
Currently, I have a field called pluginText which is the following (italicized words are anonymized to what they represent):
<plugin_output>
The following software are installed on the remote host:
Vendor Software  [version versionnumber] [installed on date]
...
...
...
</plugin_output>
I wish to extract Vendor, Software and versionnumber to separate fields and require a rex to do so. I am unfamiliar with using rex on this type of list, so I was hoping someone could point me in the right direction.
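As an added example (not posted in the thread, not from Splunk), the pattern below does the extraction the question asks for, run with Python's re module so it can be tested offline. The plugin output is a constructed sample in the layout the post describes; the split between Vendor and Software is an assumption (first whitespace-delimited token is the vendor, the rest up to the "[version ...]" bracket is the software name), since the post anonymizes those words. The same regex works in rex with `(?<name>...)` group syntax.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape described in the post; vendors, products and
# versions are made up. Layout assumed: "Vendor Software  [version X]  [installed on D]".
SAMPLE_PLUGIN_TEXT = """<plugin_output>
The following software are installed on the remote host :

Acme Widget Manager  [version 4.2.1]  [installed on 2023/11/02]
Contoso Backup Agent  [version 10.0.3]  [installed on 2024/01/15]
Fabrikam Runtime  [version 2.7]
</plugin_output>"""

# One software entry per line. The lazy (.+?) for Software stops at the first
# whitespace run that is followed by "[version", so trailing padding is not
# captured. The "[installed on ...]" bracket is optional because the sample's
# last line omits it. Splunk rex uses (?<Vendor>...) instead of (?P<Vendor>...).
ENTRY_RE = re.compile(
    r"^(?P<Vendor>\S+)\s+(?P<Software>.+?)\s+\[version (?P<versionnumber>[^\]]+)\]"
    r"(?:\s+\[installed on (?P<installed_on>[^\]]+)\])?",
    re.MULTILINE,
)


def extract_installed_software(plugin_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per software line, keeping each version with its product.

    rex with max_match=0 would instead produce three multivalued fields that
    need mvzip/mvexpand to keep rows aligned; returning rows avoids that.
    """
    body_match = re.search(r"<plugin_output>(.*?)</plugin_output>", plugin_text, re.DOTALL)
    body = body_match.group(1) if body_match else plugin_text
    return [m.groupdict() for m in ENTRY_RE.finditer(body)]


if __name__ == "__main__":
    for row in extract_installed_software(SAMPLE_PLUGIN_TEXT):
        print(row)
```

The header line ("The following software are installed ...") never matches because it has no "[version" bracket, so no filtering step is needed before the regex. In SPL the equivalent is `rex field=pluginText max_match=0` with the same pattern, followed by mvzip/mvexpand if you want one row per product.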
Not only is it possible, it's mandatory.  You don't have to worry about it, though, because Splunk manages it for you.
Not able to get that to work
Even using a field that has defined IP values doesn't work and returned the following error: "Streamed search execute failed because: Error in 'ipdetection' command: External search command exited unexpectedly with non-zero error code 1.." This works, but you can't pass values to it within a query:
| ipqualityscore field="IP Address" value="8.8.8.8"
Are you able to use the join command based on host? <search 1> | join host [<search 2>]
I am trying to join two searches together to table the combined results by host. The first search below is showing the number of events in the last hour by host, index, and sourcetype:
| tstats count where index=* by host, index, sourcetype
| addtotals
| sort -Total
| fields - Total
| rename count as events_latest_hour
The second search is showing the ingest per hour in GB by host:
(index=_internal host=splunk_shc source=*license_usage.log* type=Usage)
| stats sum(b) as Usage by h
| eval Usage=round(Usage/1024/1024/1024,2)
| rename h as host, Usage as usage_lastest_hour
| addtotals
| sort -Total
| fields - Total
Can you please help with how I would join these two searches together to display host, index, sourcetype, events_latest_hour, usage_lastest_hour? Basically I want to table the results of the first search and also include the results "usage_lastest_hour" from the second search in the table.
Hi, regex _raw is the wrong command here (regex - Splunk Documentation), but rex seems wrong too (rex - Splunk Documentation) because it can't do a key-value extraction in search. I found an odd way to handle this:
| spath
| rename _raw AS temp date AS _raw
| extract pairdelim="|" kvdelim="="
| rename _raw as date temp as _raw
Reference: extract - Splunk Documentation. Is this what you are searching for? Kind Regards
Hi All, I have set up the Object and Event input configuration in the Salesforce TA. I am able to see the object logs but unable to see the event logs in Splunk Cloud. Any directions for triaging the issue? Appropriate permissions are provided for the Salesforce user.
I haven't found a definitive answer in any of the docs yet.  Is it possible to utilize Splunk Smartstore when everything is in Splunk Cloud and we do not have an on-prem Enterprise?
The subsearch derived the Member field from TeamMember so it would seem the main search, which uses the same index and sourcetype, would expect a field called "TeamMember" to come from the subsearch.  For a join to work properly, both sides must use the same field name(s).  This can be done using rename in the subsearch. Run the subsearch by itself with | format appended to see what the subsearch turns into.  That resulting string, inserted into the main search, is what produces the final result set.  Adjust the subsearch (or the join command itself) appropriately to get the results you want.
Done
If you edit your earlier answer to correct the syntax, I'll be able to mark it as the solution...
Hi @sajo.sam, I did some digging and found this info. We can see 401 when there is an issue either in the access key or in the account name:
kubectl -n appdynamics create secret generic cluster-agent-secret --from-literal=controller-key="myaccount access key valid"
Can you please check and confirm that the access key you used to create the secret is the same as the access key under Settings#licenses#Account? If not the same, then please pass the same one and repeat the steps of creating the secret and creating the yaml.
Hi @Ryan.Paredez, I tried but I'm stuck with another issue. The logs given below show it faces some errors with "Failed to send agent registration request: Post "accountname.saas.appdynamics.com:8080/sim/v2/agent/clusterRegistration": context deadline exceeded (Client.Timeout exceeded while awaiting headers)":
[ERROR]: 2024-04-09 11:20:38 - secretconfig.go:68 - Problem With Getting /opt/appdynamics/cluster-agent/secret-volume/api-user Secret: open /opt/appdynamics/cluster-agent/secret-volume/api-user: no such file or directory
[INFO]: 2024-04-09 11:20:38 - main.go:78 - Kubernetes version: v1.29.0
[INFO]: 2024-04-09 11:20:38 - main.go:236 - Registering cluster agent with controller host : accountname.saas.appdynamics.com controller port : 8080 account name : accountname
[WARNING]: 2024-04-09 11:20:38 - agentregistrationmodule.go:352 - "default" is not a valid namespace in your kubernetes cluster
[INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:356 - Established connection to Kubernetes API
[INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:68 - Cluster name: fromKube
[INFO]: 2024-04-09 11:20:38 - agentregistrationmodule.go:119 - Initial Agent registration
[ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:131 - Failed to send agent registration request: Post "accountname.saas.appdynamics.com:8080/sim/v2/agent/clusterRegistration": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:132 - clusterId: -1
[ERROR]: 2024-04-09 11:21:08 - agentregistrationmodule.go:134 - Registration properties: {}
[INFO]: 2024-04-09 11:21:38 - agentregistrationmodule.go:119 - Initial Agent registration
^ Post edited by @Ryan.Paredez to remove mentions of and links to the Account name. For security and privacy reasons, please redact the name of your Account in Community posts.
Hi @Sagar.Nalawade, Did you get a chance to review the links I sent above? Did they help out or did you find a solution you can share here?
There are many formats that someone would consider "normal". Almost none of them require rex. Use the strptime and strftime functions to convert one time format to another.
| eval ts = strftime(strptime(ts, "%Y-%m-%dT%H:%M:%S.%9N%Z"), "<<your 'normal' format>>")