All Posts
Hi Everyone, I need help with the following problem: during the analysis of some logs, we found that for a specific index the sourcetype had the only value "Unknown". The first question we asked ourselves was whether there could have been some app or add-on that probably did not match the data well, but none was present. Subsequently we tried to see if there could be some missing value at the files.conf level, but even in this case we found no problems. So what could be the reason why, for that specific index, the sourcetype only has that value?
I seem to be close on trying to find the statistics to be able to pull unique users per day, but I know I'm missing something.

Goal: Have a stat/chart/search that has the unique user attribute per day for a span of 1 week / 1 month / 1 year search.

Search queries trialed:

    EventCode=4624 user=* stats count by user | stats dc(user)

    EventCode=4624 user=* | timechart span1d count as count_user by user | stats count by user

So the login event 4624 would be a successful log in code, and then I'm trying to get it to give me a stat number of the unique values of user names that get it each day for a time span. Am I close? Any help would be appreciated!
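An added example, not from the post above: the counting has to happen per day bucket, so the distinct count goes inside a `BY _time` after `bin`, rather than after a `stats count by user` (which throws the timestamps away and leaves one number for the whole range). The first lines construct a handful of 4624-style events with `makeresults format=csv` (Splunk 9.0 or later) so the search runs without any real data; the user names, timestamps and the `SRV01$` computer account are invented for illustration. Against a real index, replace the `makeresults`/`eval` lines with the `EventCode=4624 user=*` base search.

```spl
| makeresults format=csv data="ts,EventCode,user
2024-03-25T08:01:00,4624,alice
2024-03-25T09:15:00,4624,bob
2024-03-25T17:40:00,4624,alice
2024-03-25T18:02:00,4624,SRV01$
2024-03-26T08:05:00,4624,alice
2024-03-26T08:06:00,4624,carol
2024-03-26T12:30:00,4625,dave
2024-03-27T07:55:00,4624,bob"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| search EventCode=4624 user=* NOT user="*$"
| bin _time span=1d
| stats dc(user) AS unique_users, values(user) AS users BY _time
```

With the constructed rows this returns 2 unique users for 2024-03-25 (alice, bob), 2 for 2024-03-26 (alice, carol) and 1 for 2024-03-27 (bob); the 4625 failure and the `SRV01$` computer account are excluded. For a chart panel the same thing reads `| timechart span=1d dc(user) AS unique_users`, and `span=1w` or `span=1mon` gives the coarser views. Drop the `values(user)` column on a large estate, since it grows with every account seen that day.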
I'm using the Cisco FireAMP app to return the trajectory of an endpoint, and the data includes a list of all running tasks/files. For my test there are 500 items returned, with 9 marked as 'Malicious'. I'm trying to filter for those and write the details to a note. But the note always contains all 500 items, not just the 9.

My filter block (filter_2) is this:

    if get_device_trajectory_2:action_result.data.*.events.*.file.disposition == Malicious

My format block (format_3) is this:

    %% File Name: {0} - File Path: {1} - Hash: {2} - Category: {4} - Parent: {3} %%

where each of the variables refers to the filter block, e.g.:

    0: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.file_name
    1: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.file_path
    2: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.identity.sha256
    3: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.parent.file_name
    4: filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.detection

Finally, I use a Utility block to add the note. The Utility block contents reference the format block:

    format_3:formatted_data.*

The debugger shows this when running the filter block:

    Mar 25, 13:52:54 : filter_2() called
    Mar 25, 13:52:54 : phantom.condition(): called with 1 condition(s) '[['get_device_trajectory_2:action_result.data.*.events.*.file.disposition', '==', 'Malicious']]', operator : 'or', scope: 'new'
    Mar 25, 13:52:54 : phantom.get_action_results() called for action name: get_device_trajectory_2 action run id: 0 app_run_id: 0
    Mar 25, 13:52:54 : phantom.condition(): condition 1 to evaluate: LHS: get_device_trajectory_2:action_result.data.*.events.*.file.disposition OPERATOR: == RHS: Malicious
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
    Mar 25, 13:52:54 : phantom.condition(): condition loop: condition 1, 'Clean' '==' 'Malicious' => result:False
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Malicious' '==' 'Malicious' => result:True
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'None' '==' 'Malicious' => result:False
    Mar 25, 13:52:55 : phantom.condition(): condition loop: condition 1, 'Unknown' '==' 'Malicious' => result:False

so it looks like it's correctly identifying the malicious files.

The debugger shows this when running the format block:

    Mar 25, 13:52:55 : format_3() called
    Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.file_name'], scope: new and filter_artifacts: []
    Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
    Mar 25, 13:52:55 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
    Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.file_path'], scope: new and filter_artifacts: []
    Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
    Mar 25, 13:52:55 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
    Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.identity.sha256'], scope: new and filter_artifacts: []
    Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
    Mar 25, 13:52:55 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
    Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.file.parent.file_name'], scope: new and filter_artifacts: []
    Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
    Mar 25, 13:52:55 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
    Mar 25, 13:52:55 : phantom.collect2(): called for datapath['filtered-data:filter_2:condition_1:get_device_trajectory_2:action_result.data.*.events.*.detection'], scope: new and filter_artifacts: []
    Mar 25, 13:52:55 : phantom.get_run_data() called for key filtered-data:filter_2:condition_1
    Mar 25, 13:52:56 : phantom.collect2(): Classified datapaths as [<DatapathClassification.NAMED_FILTERED_ACTION_RESULT: 9>]
    Mar 25, 13:52:56 : save_run_data() saving 136.29 KB with key format_3:formatted_data_
    Mar 25, 13:52:56 : save_run_data() saving 140.23 KB with key format_3__as_list:formatted_data_

There are 9 malicious files and it looks like that's what it's saying in the debugger, so again it seems like it's using the filtered data correctly. But my note always has 500 items in it. I'm not sure what I'm doing wrong. Can anyone offer any help, because I'm stuck. Thanks.
so if I do a "join" with your query, the correct index will be associated with the sourcetype?
Ahh my mistake, which makes what I was reading in the documentation make much more sense thank you! I'll also accept this as the solution, apologies for my ignorance! 
Nothing "happens".  It's legitimate for a sourcetype to be present in more than one index.  It may complicate your query, though.
To be pedantic, reports power dashboards rather than the other way around.  What you call a "report" is merely scheduled emailing of a dashboard. Yes, you can modify the dashboard and those edits should be reflected in the email.
This is precisely my problem, I have to start from this command and therefore retrieve the index elsewhere... but then what happens if the indexes have sourcetype names in common?
You can't retrieve the index from the log if it isn't there, which is the case for these events. You'll have to search for the index by sourcetype.

    | tstats count where index=* sourcetype=data_sourcetype | fields - count
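An added example, not part of the answer above, that joins the tstats lookup onto the splunkd.log search from the original question. Because a sourcetype can live in more than one index, the subsearch first collapses the tstats rows to one row per sourcetype with `values(index)`, so the join never multiplies the outer rows; `type=left` keeps sourcetypes for which tstats finds nothing (the data never reached an index, or the user lacks rights to it). The component and log_level lists are the original question's; the `table` at the end is only for readability.

```spl
index=_internal splunk_server=* source=*splunkd.log* sourcetype=splunkd
    (component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose OR component=MetricSchemaProcessor OR component=MetricsProcessor)
    (log_level=WARN OR log_level=ERROR OR log_level=FATAL)
| rex field=event_message "\d*\|(?<st>[\w\d:-]*)\|\d*"
| eval data_sourcetype=coalesce(data_sourcetype, st)
| rename data_sourcetype AS sourcetype
| stats first(event_message) AS event_message BY sourcetype component
| join type=left sourcetype
    [| tstats count WHERE index=* BY index sourcetype
     | stats values(index) AS index BY sourcetype]
| table sourcetype index component event_message
```

Two caveats a practitioner would check before trusting the output: `index=*` does not include the internal indexes, so use `WHERE index=* OR index=_*` if the warnings concern `_internal`/`_audit` data, and the `join` subsearch is subject to the default subsearch limits (50,000 rows, 60 seconds), so on a large estate narrow the tstats `WHERE` clause to the sourcetypes that actually appear in the outer search.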
Hi all, I was wondering if anyone could help with hopefully a simple question. I have a dashboard that is used to power a report that sends a PDF to a number of individuals via email, but we're looking to extract some further data, and I was wondering: if I simply edit the existing dashboard with a few more searches, will that be reflected in the report? Cheers,
Additional: it appears the forwarder manager is servicing clients, but they are not being reflected in the GUI or at the command line:

    [root@splunkdeployer ~]# /opt/splunk/bin/splunk list deploy-clients
    Splunk username: admin
    Password:
    Login successful, running command...
    No deployment clients have contacted this server.

Go figure... More Googling...
Good morning. I hope you can help me. We maintain an infrastructure with Splunk Enterprise and a SIEM, and we must forward the security events to Elastic and Kafka. I would like to know how I could forward the events and whether this will consume license.
Hello Splunk community, I have this query, but I would also like to retrieve the index to which the sourcetype belongs:

    index=_internal splunk_server=* source=*splunkd.log* sourcetype=splunkd (component=AggregatorMiningProcessor OR component=LineBreakingProcessor OR component=DateParserVerbose OR component=MetricSchemaProcessor OR component=MetricsProcessor) (log_level=WARN OR log_level=ERROR OR log_level=FATAL)
    | rex field=event_message "\d*\|(?<st>[\w\d:-]*)\|\d*"
    | eval data_sourcetype=coalesce(data_sourcetype, st)
    | rename data_sourcetype as sourcetype
    | table sourcetype event_message component thread_name _time _raw
    | stats first(event_message) as event_message by sourcetype component

Any ideas? Thanks in advance.
If your JSON was already in a field, you could have used the input parameter to spath (this defaults to _raw) | spath input=<your field> ...
The difference is that with SEDCMD you can "blank" part of a multiline event. If you send to nullQueue, you'll discard whole event.
eval'ed my extracted payload to _raw and voila , it works !!! Thanks a lot for your time and expertise !
Then I propose you use transforms.conf and send those lines to /dev/null. There are quite a few examples on the community site and also in the docs. See e.g. https://community.splunk.com/t5/Getting-Data-In/sending-specific-events-to-nullqueue-using-props-amp-amp/m-p/660688 and just replace the REGEX to match your line or the beginning of your line. Basically SEDCMD does almost the same. It just clears that line but doesn't remove it, so there is still an "empty" line in your log events rather than a removed one.
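An added configuration example, not taken from the linked thread or from the replies above, showing the two mechanisms discussed side by side: a TRANSFORMS stanza that routes whole events to nullQueue, and a SEDCMD that rewrites part of an event but keeps the event. The sourcetype name `app:example`, the class names and the regexes are placeholders; adapt the REGEX to the line you want to drop. Both stanzas belong on the first full Splunk instance that parses the data (indexer or heavy forwarder); a universal forwarder does not apply them.

```ini
# props.conf
[app:example]
# Whole events matching the REGEX in the transform below are discarded
# before indexing, so they do not count against the license.
TRANSFORMS-drop_noise = drop_debug_events
# Rewrites only the matching text inside an event; the event (and the
# line, now holding the placeholder) is still indexed. Use this to mask
# a secret, not to get rid of an event.
SEDCMD-mask_auth = s/Authorization: [^\r\n]+/Authorization: <redacted>/g

# transforms.conf
[drop_debug_events]
# Matched against _raw, so ^ anchors at the start of the event, i.e. its
# first line, unless you prefix the pattern with (?m).
REGEX = ^(DEBUG|TRACE)\b
DEST_KEY = queue
FORMAT = nullQueue
```

After deploying, restart splunkd on the parsing tier and confirm the merged settings with `splunk btool props list app:example --debug` and `splunk btool transforms list drop_debug_events --debug`; the `--debug` output names the file each setting came from, which is the quickest way to spot a stanza shadowed by another app.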
fieldformat is just to keep those values as numbers instead of converting them to strings, as happened with eval.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
That is difficult to determine since you haven't shared your raw event nor how you have extracted the JSON part.