In your example, G01462 doesn't (completely) match any entry in either Resource or environment. Lookup requires an exact match (unless you define it as a wildcard lookup or CIDR). In the case of G01462-mgmt-foo, would you want the lookup to find either G01462 - QA or G01462 - SIT or both?
Did you find a solution? I also seem to be experiencing the same problem. In my case the username and password are the ones I used when installing Splunk Enterprise after accepting the licence agreement. Anyone?
Try something like this

(?m)^.*field1 \=\s*(?<log1>\S*?)\s*\n
(?m)^.*field2 \=\s*(?<log2>\S*?)\s*\n
(?m)^.*field3 \=\s*(?<log3>\S*?)\s*\n
Done thank you @ITWhisperer 
Hi @ITWhisperer @gcusello @ITWhisperer please help. This is the other issue, which is related to the csv dataset and the lookup dataset.

From this SPL:

source="cmkcsv.csv" host="DESKTOP" index="cmk" sourcetype="cmkcsv"

I get the output below:

Subscription | Resource        | Key Vault              | Secret             | Expiration Date | Months
BoB-foo      | Dicore-automat  | Dicore-automat-keycore | Di core-tuubsp1sct | 2022-07-28      | -21
BoB-foo      | Dicore-automat  | Dicore-automat-keycore | Dicore-stor1scrt   | 2022-07-28      | -21
BoB-foo      | G01462-mgmt-foo | G86413-vaultcore       | G86413-secret-foo  |                 |

From this lookup:

| inputlookup cmklookup.csv

I get the output below:

Application | environment  | appOwner
Caliber     | Dicore - TCG | foo@gmail.com
Keygroup    | G01462 - QA  | goo@gmail.com
Keygroup    | G01462 - SIT | boo@gmail.com

Combine the two queries into one, where the output will only display results where the 'environment' and 'Resource' fields match. For instance, if 'G01462' matches in both fields across both datasets, it should be included in the output. How can I do this? Could anyone help here to write the SPL? I wrote some SPLs but they are not working for me.

source="cmkcsv.csv" host="DESKTOP" index="cmk" sourcetype="cmkcsv" | join type=inner [ | inputlookup cmklookup.csv environment ]

source="cmkcsv.csv" host="DESKTOP" index="cmk" sourcetype="cmkcsv" | lookup cmklookup.csv environment AS "Resource" OUTPUT "environment"
If it is a new / different issue, please raise it as a new question, that way the solved one can stay solved and people can look to help with the unsolved one.
Or is there an option to tell Splunk to insert a separator between the events and not write them directly together?
Hi, We've just upgraded to 9.2.0, which comes with a UI overhaul as detailed here. We previously had a default home dashboard set as a welcome/landing page for new users. With this new UI the 'Quick Links' appear by default and you need to click on 'Dashboard' at the top to view the default dashboard. This isn't ideal, as we want all users to see the default dashboard on login. Does anyone know any way we can change this? I don't want to set a different default app, as having the apps list on the side bar is key. Thanks
Hello everyone,

I want to calculate the network address from an IP and a mask:

IP = 192.168.1.10
Mask = 255.255.255.0
Desired result = 192.168.1.0

Unfortunately I can't find a function or method to do this. I looked for the 'cidrmatch' function but it only seems to return a boolean. Is there another way? Thanks for your help!
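The thread above does not contain an answer. As an added example (not from the original post or from Splunk), the calculation is a bitwise AND of the address with the mask; the Python below shows that arithmetic, accepts either a dotted-quad mask or a prefix length, rejects a non-contiguous mask such as 255.255.0.255 (a check worth having when the mask comes from log data rather than from configuration), and cross-checks the result against the standard library. Function names and the sample addresses are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_to_int(mask: str) -> int:
    """Accept a dotted-quad netmask or a prefix length; reject non-contiguous masks."""
    if mask.isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return (ALL_ONES << (32 - prefix)) & ALL_ONES
    value = int(ipaddress.IPv4Address(mask))
    # A real netmask is a run of 1-bits followed by 0-bits. Its complement is
    # a run of 0-bits then 1-bits, i.e. 2^k - 1, the only shape for which
    # x & (x + 1) == 0. 255.255.0.255 fails this test, 255.255.240.0 passes.
    inverted = ~value & ALL_ONES
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return value


def is_valid_netmask(mask: str) -> bool:
    """True if mask_to_int accepts the mask (AddressValueError is a ValueError)."""
    try:
        mask_to_int(mask)
        return True
    except ValueError:
        return False


def network_address(ip: str, mask: str) -> str:
    """Network address = IP AND mask, e.g. 192.168.1.10 / 255.255.255.0 -> 192.168.1.0."""
    host = int(ipaddress.IPv4Address(ip))
    return str(ipaddress.IPv4Address(host & mask_to_int(mask)))


def network_cidr(ip: str, mask: str) -> str:
    """Same result via the standard library, in CIDR form, as a cross-check.

    strict=False lets ip_network accept an address with host bits set.
    """
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


if __name__ == "__main__":
    # Values from the question plus a constructed /20 case.
    for ip, mask in (("192.168.1.10", "255.255.255.0"), ("10.20.35.7", "255.255.240.0")):
        print(ip, mask, "->", network_address(ip, mask), network_cidr(ip, mask))
```

The explicit version and the `ip_network` version must agree; if they ever disagree on real data, the mask is the thing to inspect first.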
The "ingest" can be listed. But can't find it in the application dashboard.
Hi @ITWhisperer yes that is resolved. No worries.

@gcusello @ITWhisperer please help. This is the other issue, which is related to the csv dataset and the lookup dataset.

From this SPL:

source="cmkcsv.csv" host="DESKTOP" index="cmk" sourcetype="cmkcsv"

I get the output below:

Subscription | Resource        | Key Vault              | Secret             | Expiration Date | Months
BoB-foo      | Dicore-automat  | Dicore-automat-keycore | Di core-tuubsp1sct | 2022-07-28      | -21
BoB-foo      | Dicore-automat  | Dicore-automat-keycore | Dicore-stor1scrt   | 2022-07-28      | -21
BoB-foo      | G01462-mgmt-foo | G86413-vaultcore       | G86413-secret-foo  |                 |

From this lookup:

| inputlookup cmklookup.csv

I get the output below:

Application | environment  | appOwner
Caliber     | Dicore - TCG | foo@gmail.com
Keygroup    | G01462 - QA  | goo@gmail.com
Keygroup    | G01462 - SIT | boo@gmail.com

Combine the two queries into one, where the output will only display results where the 'environment' and 'Resource' fields match. For instance, if 'G01462' matches in both fields across both datasets, it should be included in the output. How can I do this? Could anyone help here to write the SPL? I wrote some SPLs but they are not working for me.

source="cmkcsv.csv" host="DESKTOP" index="cmk" sourcetype="cmkcsv" | join type=inner [ | inputlookup cmklookup.csv environment ]

source="cmkcsv.csv" host="DESKTOP" index="cmk" sourcetype="cmkcsv" | lookup cmklookup.csv environment AS "Resource" OUTPUT "environment"
Hi all,

I am ingesting data and I have a problem. Event example:

field1 = /var/log/asas/log1.log
field2 = /var/log/as/as/log2.log
field3 = /var/log/as/as/log3.log

In the sourcetype (props.conf) I do it like this:

^.*field1 \=\s*(?<log1>.*?)\s*\n
^.*field2 \=\s*(?<log2>.*?)\s*\n
^.*field3 \=\s*(?<log3>.*?)\s*\n

The problem is when the value of some field appears empty. In that case it captures the following line, like this:

source:
field1 = /var/log/as/as/log1.log
field2 =
field3 = /var/log/log/as/log3.log

result:
log2= field3 = /var/log/logs/log3.log

I'm sure there is a way to fix it and make the field appear empty, but I can't find it. Does anyone know how to do it?

BR
JAR
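Why the question's regexes capture the next line, and why the `\S*?` version from the reply to this thread does not: the `\s*` right after `\=` also matches the newline, so on an empty value the lazy `.*?` is forced to start on the following line and runs until the next `\s*\n` it can satisfy. The Python below is an added example, not code from the thread or from Splunk: it applies both sets of patterns to a constructed event (assumption: every line, including the last, ends with "\n" and the empty field keeps a trailing space after "="), translating the PCRE `(?<name>...)` group syntax to Python's `(?P<name>...)`. The third, stricter pattern set is my own variant that limits the whitespace around "=" to spaces and tabs so it can never swallow the line break.

```python
import re

# Constructed sample event mirroring the post; the trailing newline on the
# last line matters, because it is what the runaway capture stops at.
SAMPLE_EVENT = (
    "field1 = /var/log/as/as/log1.log\n"
    "field2 = \n"
    "field3 = /var/log/log/as/log3.log\n"
)


def build_patterns(value_re: str) -> dict:
    """One pattern per field, in the shape used in the thread.

    Splunk/PCRE write named groups as (?<name>...); Python's re needs (?P<name>...).
    """
    return {
        f"log{i}": rf"(?m)^.*field{i} \=\s*(?P<log{i}>{value_re})\s*\n"
        for i in (1, 2, 3)
    }


# As posted in the question: the value may be any characters, so an empty
# value lets the capture continue on the next line.
ORIGINAL_PATTERNS = build_patterns(r".*?")

# As posted in the reply: the value may not contain whitespace, so the capture
# can never span the newline that the preceding \s* consumed.
FIXED_PATTERNS = build_patterns(r"\S*?")

# Stricter variant (my assumption, not from the thread): only spaces/tabs are
# allowed around "=", and the value is anchored to the end of its own line.
STRICT_PATTERNS = {
    f"log{i}": rf"(?m)^.*field{i} =[ \t]*(?P<log{i}>\S*)[ \t]*$"
    for i in (1, 2, 3)
}


def extract(event: str, patterns: dict) -> dict:
    """Apply each pattern independently, like separate EXTRACT-* entries in props.conf."""
    found = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, event)
        found[name] = m.group(name) if m else None
    return found


if __name__ == "__main__":
    for label, pats in (("original", ORIGINAL_PATTERNS),
                        ("fixed", FIXED_PATTERNS),
                        ("strict", STRICT_PATTERNS)):
        print(label, extract(SAMPLE_EVENT, pats))
```

With the original patterns `log2` comes back as the whole `field3 = ...` line; with either of the other two it comes back empty while `log1` and `log3` are unchanged. If a value may legitimately contain spaces, the `\S*?` fix truncates it at the first space, and the stricter per-line anchoring is the safer choice.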
I can't see any sourcetype parsing issues.  I only see old bugs from testing the app. But these should not be necessary for us.
Hi @gcusello I checked the macros again and they contain the same values you listed earlier. Unless we've missed something very basic, they look in order. I've attached the screenshots of the macro configs. I believe they are correct? They were all self-populated when the App was installed. There are no details about special settings for the index, which I created via the WebUI with the suggested default index name. Thanks again
Instead of dealing with the messiness of a natural language, it might be better to use the standard notation of duration, like

| fieldformat max(event.Properties.duration) = tostring('max(event.Properties.duration)', "duration")

Instead of 40 mins, 30 mins or 1 hrs, you get 00:40:00, 00:30:00, 01:00:00, and so on.
Hi @slider8p2023,

did you customize the three macros that are present in this app to populate the lookups? They are:

`data_model_wrangler_index`
Index to which summary data will be sent
Default: data_model_wrangler

`datamodel_wrangler_data_model_list`
Comma separated list of data models to monitor
Default: Authentication, Change, Change_Analysis, DLP, Databases, Email, Endpoint, Intrusion_Detection, Malware, Network_Resolution, Network_Sessions, Network_Traffic, Web

`data_model_wrangler_health_review_lookup`
The name of the lookup containing review information
Default: data_model_wrangler_health_review.csv

Pay attention especially to the first one, which contains the list of indexers to check.

Ciao.
Giuseppe
Hi @CarolinaHB,

there are two solutions that depend on the location of the monitoring perimeter.

If you have a lookup containing the list of each app that should be present on each host (called e.g. app_perimeter.csv and containing at least two fields: host and application), you could run something like this:

<your_search>
| stats count BY host application
| append [ | inputlookup app_perimeter.csv | eval count=0 | fields host application count ]
| stats sum(count) AS total BY host application
| eval status=if(total=0,"Missing","Present")
| table host application status

If instead you don't have this lookup and you want to compare results e.g. of the last 24 hours with the results of the last 30 days, you could run something like this:

<your_search> earliest=-30d latest=now
| eval period=if(_time>now()-86400,"Last day","Previous days")
| stats dc(period) AS period_count values(period) AS period BY host application
| eval status=if(period_count=1 AND period="Previous days","Missing","Present")
| table host application status

Ciao.
Giuseppe
Thank you for the insights @hrawat. I believe this should be part of Monitoring Console as well, to identify the queue behavior.

Thanks,
Tejas.
Good morning,

I'm working on a query to see which application is missing on each host. Can you help me, please?

For example:

Host     application
         Guardicore
Host1    cortex
         Tenable
         Trend Micro
Host2    cortex
         Tenable

I need it to show me what is missing. In this example, Guardicore and Tenable.

Regards
Got it to work - thank you