How to know if the SDK is initialized or not in react native?
Now the Status field is missing.
commonId   Status   Username
xxxxxx              xxxxxxxxxx
Try <query>| loadjob $sid$</query>
OK I was missing some capitalisation
| makeresults format=json data="[{\"attributes\": {\"type\": \"LoginHistory\", \"url\": \"xxxxx\"}, \"ApiType\": \"xxxxx\", \"ApiVersion\": \"xxxxx\", \"Application\": \"xxxxx\", \"Browser\": \"xxxxx\", \"ClientVersion\": \"\", \"Id\": \"xxxxx\", \"LoginTime\": \"xxxxx\", \"LoginType\": \"xxxxx\", \"LoginUrl\": \"xxxxx\", \"LoginGeoId\": \"xxxxx\", \"xxxxx\": {\"attributes\": {\"type\": \"xxxxx\", \"url\": \"xxxxx\"}, \"City\": \"xxxxx\", \"Latitude\": \"xxxxx\", \"Longitude\": \"xxxxx\"}, \"Platform\": \"xxxxx\", \"SourceIp\": \"xxx.xxx.xxx.xxx\", \"Status\": \"xxxxx\", \"UserId\": \"xxxxx\", \"UserAccountId\": \"xxxxx\"},{\"attributes\": {\"type\": \"User\", \"url\": \"xxxxx\"}, \"LastModifiedDate\": \"xxxxx\", \"City\": \"xxxxx\", \"Country\": \"xxxxx\", \"FirstName\": \"xxxxx\", \"Id\": \"xxxxx\", \"IsActive\": \"xxxxx\", \"LastLoginDate\": \"xxxxx\", \"LastName\": \"xxxxx\", \"Latitude\": \"xxxxx\", \"Longitude\": \"xxxxx\", \"MobilePhone\": \"xxxxx\", \"Name\": \"xxxxx\", \"PostalCode\": \"xxxxx\", \"State\": \"xxxxx\", \"Username\": \"xxxxx\", \"UserRoleId\": \"xxxxx\", \"UserType\": \"xxxxx\", \"Email\": \"xxxxx\", \"CompanyName\": \"xxxxx\", \"ProfileId\": \"xxxxx\", \"Profile\": {\"attributes\": {\"type\": \"Profile\", \"url\": \"xxxxx\"}, \"PermissionsApiEnabled\": \"xxxxx\", \"PermissionsModifyAllData\": \"xxxxx\", \"PermissionsViewSetup\": \"xxxxx\"}, \"UserAccountId\": \"xxxxx\"}]"
| streamstats count as sourcetype
| eval sourcetype="sourcetype".sourcetype
| eval commonId = if(sourcetype = "sourcetype1", UserId, Id)
| stats values(Status) as Status values(Username) as Username by commonId
This is not valid JSON - please supply event in valid format
{"attributes": {"type": "User", "url": "xxxxx"}, "LastModifiedDate": "xxxxx", "City": xxxxx, "Country": xxxxx, "FirstName": "xxxxx", "Id": "xxxxx", "IsActive": xxxxx, "LastLoginDate": "xxxxx", "LastName": "xxxxx", "Latitude": xxxxx, "Longitude": xxxxx, "MobilePhone": xxxxx, "Name": "xxxxx", "PostalCode": xxxxx, "State": xxxxx, "Username": "xxxxx", "UserRoleId": xxxxx, "UserType": "xxxxx", "Email": "xxxxx", "CompanyName": xxxxx, "ProfileId": "xxxxx", "Profile": {"attributes": {"type": "Profile", "url": "xxxxx"}, "PermissionsApiEnabled": xxxxx, "PermissionsModifyAllData": xxxxx, "PermissionsViewSetup": xxxxx}, "UserAccountId": "xxxxx"}

{"attributes": {"type": "LoginHistory", "url": "xxxxx"}, "ApiType": xxxxx, "ApiVersion": "xxxxx", "Application": "xxxxx", "Browser": "xxxxx", "ClientVersion": "", "Id": "xxxxx", "LoginTime": "xxxxx", "LoginType": "xxxxx", "LoginUrl": "xxxxx", "LoginGeoId": "xxxxx", "xxxxx": {"attributes": {"type": "xxxxx", "url": "xxxxx"}, "City": "xxxxx", "Latitude": xxxxx, "Longitude": xxxxx}, "Platform": "xxxxx", "SourceIp": "xxx.xxx.xxx.xxx", "Status": "xxxxx", "UserId": "xxxxx", "UserAccountId": "xxxxx"}
<row>
  <panel depends="$tok_tab_1$">
    <table>
      <title>Alerts Fired</title>
      <search>
        <query> index=_audit action=alert_fired | rename ss_name AS Alert | stats latest(_time) AS "Event_Time" sparkline AS "Alerts Per Day" count AS "Times Fired" first(sid) AS sid by Alert | eval Event_Time=strftime(Event_Time,"%m/%d/%y %I:%M:%S %P") | rename Event_Time AS "Last Fired" | sort -"Times Fired" </query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fields>Alert, "Last Fired", "Times Fired", "Alerts Per Day"</fields>
      <option name="count">10</option>
      <option name="dataOverlayMode">heatmap</option>
      <option name="drilldown">cell</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
      <drilldown>
        <set token="sid">$row.sid$</set>
        <unset token="tok_tab_1"></unset>
        <set token="tok_tab_2">active</set>
        <set token="tok_display_dd"></set>
        <set token="Alert">$row.Alert$</set>
        <link target="_blank">search?sid=$row.sid$</link>
      </drilldown>
    </table>
  </panel>
</row>
<row>
  <panel depends="$tok_tab_2$">
    <table>
      <title>$Alert$</title>
      <search>
        <query>| search?sid=$sid$</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>

In the code above, the line below works correctly, opening a new search tab with the Alert search query:

<link target="_blank">search?sid=$row.sid$</link>

I would like to know how to have this same functionality, but within a token so I can keep it on the same page within another table.
Please share the raw source (not formatted) version of your events
Returns empty username field
commonId    Status    Username
xxxxxxxxx   Success
Assuming these fields have already been extracted, try something like this
| eval commonId = if(sourcetype = "sourcetype1", UserId, id)
| stats values(Status) as Status values(Username) as Username by commonId
sourcetype1: { [-]
  ApiType: xxxxx
  ApiVersion: xxxxx
  Application: xxxxx
  Browser: xxxxx
  ClientVersion: xxxxx
  Id: xxxxx
  LoginGeo: { [+] }
  LoginGeoId: xxxxx
  LoginTime: xxxx-xx-xx xx:xx:xx
  LoginType: xxxxx
  LoginUrl: xxxxx
  Platform: xxxxx
  SourceIp: xxxxx
  Status: xxxxx
  UserAccountId: xxxxx
  UserId: xxxxx
  attributes: { [+] }
}
sourcetype2: { [-]
  City: xxxxx
  CompanyName: xxxxx
  Country: xxxxx
  Email: xxxxx
  FirstName: xxxxx
  Id: xxxxx
  IsActive: xxxxx
  LastLoginDate: xxxx-xx-xx xx:xx:xx
  LastModifiedDate: xxxx-xx-xx xx:xx:xx
  LastName: xxxxx
  Latitude: xxxxx
  Longitude: xxxxx
  MobilePhone: xxxxx
  Name: xxxxx
  PostalCode: xxxxx
  Profile: { [+] }
  ProfileId: xxxxx
  State: xxxxx
  UserAccountId: xxxxx
  UserRoleId: xxxxx
  UserType: xxxxx
  Username: xxxxx
  attributes: { [+] }
}
Please provide sample (anonymised) events for your two sourcetypes, preferably in a code block </>
Hi @richgalloway, good day!! How to fix the vulnerabilities in Splunk? Please guide me with some examples. Thanks
Thanks @richgalloway, with that change around 5 million logs were ingested in a couple of mins.
I'm hoping the community can help you out here because I'm having the same issue.
Hello, Looking for some real guidance here. We just implemented Splunk with an Implementation team. We are pulling out Notables to send to our case management product and then closing the notable (this way we are only searching for open notables to send, and if for some reason it doesn't send it doesn't close, so it can attempt again).

We are having to add a | head 1 to this search in order for the update Notable command to know which notable to update and set to close (not having the head command caused issues updating the notable to closed... seeing, say, 5 notables and then trying to update became too confusing for Splunk). This has caused us to make this search a real-time search (we get 10 Notables at the same time; we don't want to wait 10 minutes for that event to get over to us). I am going to provide some of the SPL and see if anyone knows a better way... we have been waiting for 4 months from Splunk on this.

`notable`
| where (status==1 AND notable_xref_id!="")
Some eval commands and table
| head 1
| sendalert XXXX param.X_instance_id=X param.alert_mode="X" param.unique_id_field="" param.case_template="X" param.type="alert" param.source="splunk" param.timestamp_field="" param.title=X param.description=X param.tags="X" param.scope=0 param.severity=X param.tlp=X param.pap=X
| table status event_id
| eval status=5
| updatenotable

Has anyone attempted to search in the notable index and pull multiple events and tried to update the notable in that search and had successful results for multiple entries?
I have two sourcetypes containing login information and user information.
Sourcetype1: Login information (useful parameters: UserId, status). Sourcetype1: Id = accountId
Sourcetype2: User information (useful parameters: username, Id). Sourcetype2: Id = userId
Both sourcetypes contain the parameter Id, but it refers to different information. I want to get a list/table with the number of logins and the result for each user. Mapping login data with user data: UserId (Sourcetype1) = Id (Sourcetype2)
Example:
username     status      count
aa@aa.aa     success     3
Make sure you have this in limits.conf on the UF
[thruput]
maxKBps = 0
Is there any tooling (btool perhaps) that would tell me what props/transforms are being applied to my sourcetype? Even if I drop the sourcetype from my inputs.conf the issue persists.
ITWhisperer - thanks for your answer - fits perfectly! Is creating your own source-type difficult - any hints or tutorials about it? KP