Yes, this is a Heavy Forwarder (to be specific, 2 Heavy Forwarders). Juniper device events logs are sent directly to these Heavy Forwarders. According to our inputs.conf file the sourcetype for these events is: juniper
Hello, I am trying to change the span in timechart from within the search itself. So if the hour is say greater than 7 and less than 19 make the span=10m else 1hr, example:
| eval hour=strftime(_time,"%H")
| eval span=if(hour>=7 AND hour<19,"10m","1h")
| timechart span=span count(field1), count(field2) by field3
@livehybrid The issue is that in my query I am fetching data for the last 6 months, so if someone runs the query till date it will give results from December till now, and also there is a 0 count for some months, so it will look blank. Something like this if I hardcode the months:
Hi @mchoudhary
The easiest way might be to add a table on the end, something like this:
| table Source Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec *
Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
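Putting the table command from this answer together with the xyseries search quoted in the question further down the page, as an added example that is neither the answerer's nor the asker's own search; the data model, field names and time window are taken from that question, and the month list from this answer:

```spl
| tstats summariesonly=false dc(Message_Log.msg.header.message-id) as Blocked from datamodel=pps_ondemand
    where (Message_Log.filter.routeDirection="inbound")
      AND (Message_Log.filter.disposition="discard" OR Message_Log.filter.disposition="reject" OR Message_Log.filter.quarantine.folder="Spam*")
    earliest=-6mon@mon latest=now by _time
| eval Source="Email"
| eval Month=strftime(_time, "%b")
| stats sum(Blocked) as Blocked by Source Month
| eventstats sum(Blocked) as Total by Source
| appendpipe [ stats values(Total) as Blocked by Source | eval Month="Total" ]
| xyseries Source Month Blocked
| fillnull value=0
| table Source Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec *
```

After xyseries, each Month value has become a column, and table emits the listed columns in the order given; month names that do not occur in the window are simply absent, and the trailing `*` appends any column not already named, which is where the Total column lands. Note that this is calendar order rather than strictly chronological order: for a six-month window that starts in December, the Dec column is placed after Jun.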
Hi Everyone! I wrote a search query to get the blocked count of emails for the last 6 months, and below is my query:
| tstats summariesonly=false dc(Message_Log.msg.header.message-id) as Blocked from datamodel=pps_ondemand where (Message_Log.filter.routeDirection="inbound") AND (Message_Log.filter.disposition="discard" OR Message_Log.filter.disposition="reject" OR Message_Log.filter.quarantine.folder="Spam*") earliest=-6mon@mon latest=now by _time
| eval Source="Email"
| eval Month=strftime(_time, "%b")
| stats sum(Blocked) as Blocked by Source Month
| eventstats sum(Blocked) as Total by Source
| appendpipe [ stats values(Total) as Blocked by Source | eval Month="Total" ]
| xyseries Source Month Blocked
| fillnull value=0
Its output looks something like this. The only issue is that in the output the Month field is not chronologically sorted; instead it is alphabetical. I intend to sort it chronologically. I tried the below query as well to achieve the desired output, but no go:
| eval MonthNum=strftime(_time, "%Y-%m"), MonthName=strftime(_time, "%b")
| stats sum(Blocked) as Blocked by Source MonthNum MonthName
| eventstats sum(Blocked) as Total by Source
| appendpipe [ stats values(Total) as Blocked by Source | eval MonthNum="9999-99", MonthName="Total" ]
| sort MonthNum
| eval Month=MonthName
| table Source Month Blocked
Could someone please help here! Thanks in advance
Hi @ralphsteen
There is some free Veteran training over at https://workplus.splunk.com/veterans as part of the WorkPlus+ scheme, so you may be able to use this to get onto the Enterprise Security (ES) training. However, if it's specifically for CompTIA Security+ then you might need to contact them through their site to see if they can determine why there is a cost showing against the training.
Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Is there a Special Log In for the Veterans Workforce Program? Am I currently signed in as a regular user? I signed up for the Veteran's Workforce Program a while back and thought I got a confirmation, but now I can't find it. Under that program, is there a free course for Splunk Enterprise Security? When I find it under this login there is a price for that course. That course is pre-approved by CompTIA for PDUs to renew my Security X, so that's why I want to take it. Any help would be appreciated.
Ralph P Steen Jr
Hi @berrybob
When testing with Curl, were you using the same Pod address as used in DSDL, or directly on the Pod IP? Are you able to hit port 5000 on the container host and reach the API within the Pod?
Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
[yourSourceType]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\S\s\n]+"predictions":\s\[\s*)|}(\s*\,\s*){|([\s\n\r]*\][\s\n\r]*}[\s\n\r]*)
NO_BINARY_CHECK=true
TIME_PREFIX="ds":\s"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=20
Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Okay @Praz_123, let's try again!
[yourSourceType]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\S\s\n]+"predictions":\s\[\s*)|}(\s*\,\s*){|([\s\n\r]*\][\s\n\r]*}[\s\n\r]*)
NO_BINARY_CHECK=true
TIME_PREFIX="ds":\s"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=20
Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
When importing playbooks from the Splunk Research repository https://research.splunk.com/playbooks/ the imported playbooks appear with "Input" status and cannot be activated through the standard interface. Additionally, attempts to delete these inactive playbooks result in errors or incomplete deletion processes. My questions are:
1. Is there a best way to import and activate it? (However, it still needs configuration like an API.)
2. Why can't I delete this from the playbook list even though I have logged in with an admin privilege account?