I haven't checked it with the _time field either, to see whether it has some internal limitations for mv fields or not, but for other fields this is needed.
Upon further investigation, it seems the _time field needs to be present for Splunk to show the results. Code like this works:
def stream(self, events):
    yield {"myfield": "fff", "_time": "1748073052.114"}
Thanks! So a dashboard is indeed a good solution. But I'm looking for a solution that will also work in the search itself.
You can do something along these lines in a SimpleXML dashboard by creating a search which generates the query you want to run and saves the result to a token, and then having another panel which uses that token as its search query.
Interestingly, I did consider this as I posted it and decided not to use := based on the examples of setting _time in Rich's examples at https://github.com/silkyrich/ingest_eval_examples/blob/master/default/transforms.conf which only use = (but oddly only on _time fields). I wonder why this is the case? I might check, but I thought it wasn't possible to set a multi-value field for _time (and _raw) using ingest eval?
That option is in the source tab, not visible in the UI tab.
You should use := instead of = ! Otherwise you will get an mv field.
Usually the process is to start looking from right to left and find the first blocked queue / queue which is full. Then look at the next processor on the right-hand side. Usually the issue is there.
@gcusello tried this; is it supposed to return the lookup table? And it still alerted. Only for discussion: what do you want to check? So the goal here is to check if there is more than 1 event; alert if there are 0 events. Issue currently facing: currently the search is looking at 0 events, so by default it will always alert because there are 0 events. What I am trying to test is whether the mute is in effect. In the lookup table I've added today's date to see if it will take effect, and it looks like I am still being alerted. Looking for answers to fix the alert to mute on the dates I've included in the lookup table.
@yuanliu I still get alerted. I added today's date so it should have muted the alert, but it didn't.
Hi, I'm trying to rewrite a given query and then execute it. I need to do some complex lookups which can't be done with a regular macro, so I thought about having a Python command that will fetch the query and reconstruct it. The issue I'm having is how to execute the new query. I've tried with the SDK but the run time is much higher, and the results return to the statistics page. I've tried to inject the query into a field and then use map, but that also wasn't successful. Any idea that works? Maybe something I didn't try, or whether you know that one of those methods should work. Thanks.
I don't see the depends option in the panel.
@Ramachandran
1. Create a Correlation Search in Splunk: define the logic to detect specific patterns or threats, and schedule the search to run periodically.
2. Set an Alert Action for the Correlation Search: choose the action Send to Phantom (Splunk SOAR), and ensure proper configuration for communication between Splunk and Phantom.
3. Create a Label in SOAR (Phantom): create a label in SOAR that matches the label used in the Splunk alert. This label helps route and categorize the incoming events properly.
4. Test the Workflow: trigger the correlation search manually or wait for a scheduled run, and verify that the alert is sent to Phantom and is processed with the correct label.
Refer to the docs: https://lantern.splunk.com/Security/Product_Tips/SOAR/Sending_events_from_the_Splunk_platform_to_SOAR
Hi @nagar57, did you manage to find a solution to this issue? We also have many dashboards, and the font size is different in most of the single visualisations.
Hi, we are trying to get some of the pretrained models from the Splunk ESCU app running, but without success so far. When I run any of their searches, it fails due to a missing response. The search job indicates that the connection eventually times out. In our FW logs I can clearly see that the connections are being dropped with a (seemingly odd) info message that says "Invalid TCP packet - source / destination port 0". I verified that message by running a tcpdump on the corresponding search head and re-initiated the apply command. Indeed, it attempts to connect on port 0. I also verified the YAML of the service in the Network section of OpenShift and it rightfully points to api / tcp 5000. I can also connect to the exposed API of the pod via curl. At this point I'm not sure where and what exactly is going wrong. Any hints would be greatly appreciated. KR
I don't have any trouble with the first update event; the trouble is only with the second. In the first, the status can be changed perfectly and the comment is fine as well.
Hi @zksvc, whilst the status is displayed as "In Progress" in the UI, I think it could be "in_progress" (or maybe "in-progress") that you need to send in your code as a response. Please try these two and see if this resolves the issue.
Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @jagan_jijo, both ES and ITSI have their own use cases and strengths. They can also exist together in the same Splunk deployment, but ultimately ITSI is used for IT Operations Monitoring (e.g. alerting based on availability of services, Key Performance Indicators etc.), whereas ES is all about Security Monitoring. If you're looking at pulling ES incidents then there is an additional set of APIs that you can make use of (see https://docs.splunk.com/Documentation/ES/8.0.40/API/AboutSplunkESAPI). What is the system you are looking to integrate with here? The Better Webhooks is just a free app which can be installed within your Splunk environment, just like a custom webhook app would be; however, there isn't anything stopping you from building your own Splunk alert action custom app to do the same thing if you don't want to use the community-built app. https://dev.splunk.com/enterprise/docs/devtools/customalertactions/ is a good starting point for building a custom alert action, which has a Slack alert example that you might be able to modify. Alternatively you could download the Better Webhook app to see how that is coded and build as required. Just for clarity, the Better Webhook app would be as "native" within Splunk as a custom webhook app would be; both would tie in to the alert action framework, and it isn't something you have to host separately.
Hi @zksvc, further to my other reply, have you been through this process of configuring a service account between UBA/ES? https://docs.splunk.com/Documentation/UBA/5.4.2/Integration/SendIRdatatoES
Hi @zksvc, it might be worth reviewing the _internal logs in Splunk to see which page is throwing the Unauthorized. I would have thought it would be HEC, but you said you have already checked that? It might be worth double checking with a curl command such as:
curl https://<splunkServer>:8088/services/collector/health?token=<tokenFrom_uba-site.properties>
If you run that from your UBA host it would validate that it can reach HEC with the token. You should get:
{"text":"HEC is healthy","code":17}
Does anything appear in _internal?
index=_internal status=401 OR "Unauthorized"