Have a nice day! I have several Splunk instances and often see the message below: WorkloadsHandler [111560 TcpChannelThread] - Workload mgmt is not supported on this system. I know that the workload feature is not supported on Windows systems, and it is obviously disabled. How can I get rid of this annoying message in splunkd.log?
Below are the CIM macros I am using; different indexes are mapped in the individual macros. I want to get the list of all indexes mapped in all the CIM macros. Hence I set up a scheduled search which runs and checks all the macros. But it is utilizing a lot of memory and even searches are failing. Please help me with a better way to get the list of all indexes mapped in the CIM macros. cim_Authentication_indexes
cim_Alerts_indexes
cim_Change_indexes
cim_Endpoint_indexes
cim_Intrusion_Detection_indexes
cim_Malware_indexes
cim_Network_Resolution_indexes
cim_Network_Sessions_indexes
cim_Network_Traffic_indexes
cim_Vulnerabilities_indexes
cim_Web_indexes
and what can be the problem when the difference is 4-5 min between the indexing time and the _time, and the alert runs every 15 min and looks at the last 15 min.
Yes, you understand correctly. I have two different log types, ABC and EFG, in the same index, but the sourcetype is different in both logs. So the condition is: when there is an error it will be calculated from the ABC log, but the details it contains are in the EFG log, which is in the other sourcetype, and I will also fetch the details of that log. What I want is, when the total error count in ABC is 5, then when I search ABC and EFG together it should show me only the 5 errors related to the correlationid. I hope you understand my query from this.
Thanks, I've tried that but still didn't get the "null" values. I do get an error which says: "The specified span would result in too many (>175000) rows." I get this error a lot during this search, but I don't understand why only the null values would be missing. Additionally, does this error necessarily mean that the search has failed or stopped at the limit?
As per my investigation, in the minute that was alerted on there are "svc_radius_probe_ctx" events. What type of changes should I make to resolve it? Should I increase the time? Or is there anything that needs to be done from the RSA console?
Are you saying that you are getting false alerts i.e. when you look back at the minute that was alerted on, there are "svc_radius_probe_ctx" events? If so, this could be that they have not been indexed by the time the alert report is executed, i.e. you have not left enough time between the event happening, and it being sent to Splunk, and it being indexed. There is (nearly) always a lag between the event time (_time) and the index time (_indextime), and your alert report schedule and time period should take this into account.
@Vasulaxnik Can you please share your sample code and JS? Or let's follow the community best practice: create new questions and tag me for new comments and conversations :). KV
Hi @KingUs80, see the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435), or, if you already have it, the Enterprise Security Premium App. The feature in ES is Threat Intelligence: you must have an internal list of malicious sites or a list downloaded from free or paid services. Other apps that you could use are MISP42 (https://splunkbase.splunk.com/app/4335) or https://splunkbase.splunk.com/apps?keyword=threat+intelligence Ciao. Giuseppe
Hi @phanikumarcs, as I supposed, Splunk doesn't find the timestamp so it doesn't break the events. Remove the timestamp option and keep the linebreaker:
[cmkcsv]
DATETIME_CONFIG=CURRENT
INDEXED_EXTRACTIONS=csv
KV_MODE=none
LINE_BREAKER=\r\n
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
TRUNCATE=200
category=Structured
description=Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled=false
pulldown_type=true
Ciao. Giuseppe
How to resolve the repetitive alert RSA_Probe_Alert_RSA_SECUREID_null? Splunk will check every minute for events with the keyword "svc_radius_probe_ctx", and when no events with the keyword are found for that minute the alert will be triggered. All the VMs and servers are working fine. Every week at least once I get this alert.
Hi all, I'm monitoring compliance data for the past 7 days using timechart. My current query displays the count of "comply" and "not comply" events for each day. index= indexA | timechart span=1d count by audit However, I'd like to visualize this data as percentages instead. Is it possible to modify the search to display the percentage of compliant and non-compliant events on top of each bar? Thanks in advance for your help!
To lock a single dashboard down, you would want to create a new custom user that does not inherit the user permission. Then you would grant that user read permissions to that single dashboard. Then the user can get to it via the link, but not even going to the app to browse for it. If they can view ES, they can view all the dashboards (by default). You could go dashboard by dashboard, and change the custom nav to reflect it. But if you want the user to only see that one part of ES, I'd recommend the method I laid out up top.