+1 on @isoutamo's question. The underlying problem is what's important. Sometimes you can simply use a subsearch to render it to a set of search conditions, but sometimes that isn't enough, and really the only reliable way to dynamically construct and run a search is the map command. Creating the whole search with a subsearch (especially if you wanted to return multi-stage SPL or a search starting with a command other than search) generally doesn't work.
I am confused. You say that you only want to suppress the alert when count is 1. If count is greater than 1 or if count is 0, you want to send an alert. In your screenshot, you get count 0 - so the alert is valid. No?
Upon further investigation, it seems the _time field needs to be present for Splunk to show the results. Code like this works:

def stream(self, events):
    # _time as epoch seconds (string); without it Splunk does not display the event
    yield {"myfield": "fff", "_time": "1748073052.114"}
You can do something along these lines in a SimpleXML dashboard by creating a search which generates the query you want to run and saves the result to a token, and then having another panel which uses that token as its search query.
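As an added example of the pattern just described (not from the original post), the SimpleXML below uses a hidden base search to build the SPL string, stores the first result row's query field in a token with a done handler, and a second panel runs the token as its query. The makeresults/eval that builds the string is a constructed stand-in for whatever lookup logic generates the real query.

```xml
<form>
  <label>Run a dynamically generated search via a token</label>

  <!-- Hidden search: builds the SPL string. Constructed example: in practice
       this would be an inputlookup or other logic that assembles the query. -->
  <search id="build_query">
    <query>| makeresults
| eval idx="_internal", st="splunkd"
| eval query="search index=" . idx . " sourcetype=" . st . " | stats count by component"</query>
    <!-- $result.query$ is the "query" field of the first result row -->
    <done>
      <set token="dyn_query">$result.query$</set>
    </done>
  </search>

  <row>
    <!-- Panel stays hidden until the token has been set -->
    <panel depends="$dyn_query$">
      <title>Results of the generated search</title>
      <table>
        <search>
          <query>$dyn_query$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```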
Interestingly, I did consider this as I posted it and decided not to use := based on the examples of setting _time from Rich's examples at https://github.com/silkyrich/ingest_eval_examples/blob/master/default/transforms.conf which only use = (but oddly only on _time fields). I wonder why this is the case? I might check, but I thought it wasn't possible to set a multivalue field for _time (and _raw) using ingest eval?
Usually the process is to start looking from right to left and find the first blocked or full queue. Then look at the next processor on the right-hand side. Usually the issue is there.
@gcusello tried this, is it supposed to return the lookup table? And it still alerted.

Only for discussing: what do you want to check?

So the goal here is to check: if there is more than 1 event, alert; if there are 0 events, alert.

Issue currently facing: currently the search is looking at 0 events, so by default it will always alert because there are 0 events. What I am trying to test is the mute in effect. In the lookup table I've added today's date to see if it will take effect, and it looks like I am still being alerted. Looking for answers to fix the alert to MUTE on the dates I've included in the lookup table.
Hi, I'm trying to rewrite a given query and then execute it. I need to do some complex lookups which can't be done with a regular macro, so I thought about having a Python command that will fetch the query and reconstruct it. The issue I'm having is how to execute the new query. I've tried with the SDK, but the run time is much higher and the results return to the statistics page. I've tried to inject the query into a field and then use map, but it also wasn't successful. Any idea that works? Maybe something I didn't try, or whether you know that one of those methods should work. Thanks.
@Ramachandran

1. Create a Correlation Search in Splunk: define the logic to detect specific patterns or threats. Schedule the search to run periodically.
2. Set an Alert Action for the Correlation Search: choose the action Send to Phantom (Splunk SOAR). Ensure proper configuration for communication between Splunk and Phantom.
3. Create a Label in SOAR (Phantom): create a label in SOAR that matches the label used in the Splunk alert. This label helps route and categorize the incoming events properly.
4. Test the Workflow: trigger the correlation search manually or wait for a scheduled run. Verify that the alert is sent to Phantom and is processed with the correct label.

Refer to the docs: https://lantern.splunk.com/Security/Product_Tips/SOAR/Sending_events_from_the_Splunk_platform_to_SOAR
Hi @nagar57, did you manage to find a solution to this issue? We also have many dashboards, and the font size is different in most of the single visualisations.
Hi, we are trying to get some of the pretrained models from the Splunk ESCU app running, but without success so far. When I run any of their searches, it fails due to a missing response. The search job indicates that the connection eventually times out. In our FW logs I can clearly see that the connections are being dropped with a (seemingly odd) info message that says "Invalid TCP packet - source / destination port 0". I verified that message by running a tcpdump on the corresponding search head and re-initiated the apply command. Indeed, it attempts to connect on port 0. I also verified the YAML of the service in the Network section of OpenShift and it rightfully points to api / tcp 5000. I can also connect to the exposed API of the pod via curl. At this point I'm not sure where and what exactly is going wrong. Any hints would be greatly appreciated. KR
I don't have any trouble in the first update event; the trouble is only in the second. In the first, the status can be changed perfectly and the comment is fine too.
Hi @zksvc, whilst the status is displayed as "In Progress" in the UI, I think it could be "in_progress" (or maybe "in-progress") that you need to send in your code as a response. Please try these two and see if this resolves the issue.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.