All Posts
This is my JSON data. How should I write a query syntax to directly traverse to the last parentProcess, and then provide the complete process chain? Like this:

time: 2024-03-07T07:46:27Z
username: randomuser:staff
processInfo: bash
processInfo.pid: 51097
processChain: /bin/bash -c pmset -g batt ← %APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1 /Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched ← %APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2 /Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched ← /sbin/launchd ← /sbin/launchd ← kernel_task ← kernel_task

I don't know how to search... please help me, thank you!! This is my JSON data:

{
  "timestamp": "2024-03-07T07:46:27Z",
  "eventName": "ProcessEvent",
  "computer": { "name": "randomMacBook-Pro.local", "uuid": "9b85f341-3a24-4f70-a371-8863f8a72f1c" },
  "processInfo": {
    "imageName": "bash", "pid": 51097, "systemProcess": false,
    "imagePath": "/bin/bash", "commandLine": "-c pmset -g batt",
    "exeHash": { "sha1": "87FD78930606102F09D607FC7305996CEFA6E028", "sha256": null },
    "sid": "", "username": "randomuser:staff", "sidNameUse": 0,
    "startTime": "2024-03-07T07:46:27Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
    "parentProcess": {
      "imageName": "randomprocess1", "pid": 51097, "systemProcess": false,
      "imagePath": "%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1",
      "commandLine": "/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched",
      "exeHash": { "sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E", "sha256": null },
      "sid": "", "username": "randomuser:staff", "sidNameUse": 0,
      "startTime": "2024-03-07T07:46:27Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
      "parentProcess": {
        "imageName": "randomprocess2", "pid": 603, "systemProcess": false,
        "imagePath": "%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2",
        "commandLine": "/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched",
        "exeHash": { "sha1": "E31C5F2840F47A094D58A181586B802FA8531C7E", "sha256": null },
        "sid": "", "username": "randomuser:staff", "sidNameUse": 0,
        "startTime": "2024-03-01T08:02:32Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
        "parentProcess": {
          "imageName": "launchd", "pid": 603, "systemProcess": false,
          "imagePath": "/sbin/launchd", "commandLine": "",
          "exeHash": { "sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176", "sha256": null },
          "sid": "", "username": "root:wheel", "sidNameUse": 0,
          "startTime": "2024-03-01T08:02:32Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
          "parentProcess": {
            "imageName": "launchd", "pid": 1, "systemProcess": false,
            "imagePath": "/sbin/launchd", "commandLine": "",
            "exeHash": { "sha1": "AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176", "sha256": null },
            "sid": "", "username": "root:wheel", "sidNameUse": 0,
            "startTime": "2024-03-01T07:57:30Z", "currentDirPath": "/", "isCompromised": false, "lnkPath": "",
            "parentProcess": {
              "imageName": "kernel_task", "pid": 1, "systemProcess": true,
              "imagePath": "kernel_task", "commandLine": "",
              "exeHash": { "sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659", "sha256": null },
              "sid": "", "username": "root:wheel", "sidNameUse": 0,
              "startTime": "2024-02-27T10:17:35Z", "currentDirPath": "", "isCompromised": false, "lnkPath": "",
              "parentProcess": {
                "imageName": "kernel_task", "pid": 0, "systemProcess": true,
                "imagePath": "kernel_task", "commandLine": "",
                "exeHash": { "sha1": "24BF148FA83C8A5D908C33954B5CA91A5E4E3659", "sha256": null },
                "sid": "", "username": "root:wheel", "sidNameUse": 0,
                "startTime": "2024-02-27T10:17:35Z", "currentDirPath": "", "isCompromised": false, "lnkPath": ""
              }
            }
          }
        }
      }
    }
  },
  "eventType": "Process/PosixExec"
}
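The traversal the post asks for, written out in Python as an added example (this is not Splunk query syntax and not code from the original post): it follows the nested parentProcess keys from the leaf process up to the root, builds the "←"-separated ancestry string in the format the poster wants, and reports the last parentProcess found. The event below is a constructed, trimmed copy of the posted JSON (only the fields the walk needs, same nesting depth); the depth guard is an assumption added for malformed or self-referencing data, which a detection pipeline should never loop on.

```python
import json

# Constructed sample: the event from the post, trimmed to the fields the walk
# uses, with the same seven-level parentProcess nesting.
SAMPLE_EVENT = json.loads(r'''
{
  "timestamp": "2024-03-07T07:46:27Z",
  "eventName": "ProcessEvent",
  "processInfo": {
    "imageName": "bash", "pid": 51097, "imagePath": "/bin/bash",
    "commandLine": "-c pmset -g batt", "username": "randomuser:staff",
    "parentProcess": {
      "imageName": "randomprocess1", "pid": 51097,
      "imagePath": "%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1",
      "commandLine": "/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched",
      "parentProcess": {
        "imageName": "randomprocess2", "pid": 603,
        "imagePath": "%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2",
        "commandLine": "/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched",
        "parentProcess": {
          "imageName": "launchd", "pid": 603, "imagePath": "/sbin/launchd", "commandLine": "",
          "parentProcess": {
            "imageName": "launchd", "pid": 1, "imagePath": "/sbin/launchd", "commandLine": "",
            "parentProcess": {
              "imageName": "kernel_task", "pid": 1, "imagePath": "kernel_task", "commandLine": "",
              "parentProcess": {
                "imageName": "kernel_task", "pid": 0, "imagePath": "kernel_task", "commandLine": ""
              }
            }
          }
        }
      }
    }
  }
}
''')

MAX_DEPTH = 64  # assumed guard: stop on absurdly deep or self-referencing chains


def walk_parents(proc):
    """Yield each process dict from the leaf up to the root by following parentProcess."""
    depth = 0
    while isinstance(proc, dict):
        yield proc
        depth += 1
        if depth > MAX_DEPTH:
            raise ValueError("parentProcess chain deeper than MAX_DEPTH")
        proc = proc.get("parentProcess")


def describe(proc):
    """One chain element: imagePath, followed by commandLine when there is one."""
    path = proc.get("imagePath") or proc.get("imageName") or "?"
    cmd = (proc.get("commandLine") or "").strip()
    return f"{path} {cmd}" if cmd else path


def process_chain(event):
    """Build the row the poster asked for: time, username, process, pid and the ancestry string."""
    info = event["processInfo"]
    chain = [describe(p) for p in walk_parents(info)]
    return {
        "time": event.get("timestamp"),
        "username": info.get("username"),
        "processInfo": info.get("imageName"),
        "pid": info.get("pid"),
        "processChain": " ← ".join(chain),
        "rootProcess": chain[-1],  # the last parentProcess in the nesting
        "depth": len(chain),
    }


if __name__ == "__main__":
    for key, value in process_chain(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

For the constructed event this yields exactly the processChain string shown in the post, with a depth of 7 and kernel_task as the root. Keeping the full lineage rather than only the immediate parent is what makes a shell launched under an auto-launched application distinguishable from the same shell launched by a user, which is the detection value of this field.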
Hi, I have a Web data model which I recently got mapped with the dest field. The issue is that even though every field has a dest in the index from where I am pulling data into the data model, I still see a lot of fields with the value unknown for dest while running the stats or tstats command. I can see the dest field when I specifically search it within a data model with a src ip. Can anyone help to tell me how I rectify that? Thanks.
Hi @Nawab, sorry! I misunderstood, but anyway, also the Notable name, to my knowledge, cannot be dynamic. Ciao. Giuseppe
Yes, I have configured a drilldown search.
Hi all, I have seen that pass4symmkey is optional when enabling indexer clustering. Some say that if someone knows this value, they can access the entire cluster, and it is necessary to consider a complex value for it. Would it be possible to clarify if this value should be complex and if it is simple it could cause a security breach or not? If someone knows this value, can it be a threat to the cluster and gain access to the cluster or not? Thank you
Not a dynamic rule name but a notable name, where in the alert it will reflect the details on which the alert was triggered:

rule name: test rule
notable name: test rule triggered on $src$ and $dest$
new notable name: test rule triggered on 10.10.1.1 and 10.10.1.2
Hi @Nawab, did you configure a drilldown search for your Correlation Search? It's not automatic. Ciao. Giuseppe
Hi @Nawab, in this way you can display these fields in the Incident Review dashboard; I'm not sure that it's possible to have a dynamic Rule Name! Anyway, why? Having different Rule Names, you cannot have statistics and grouping of Rules. It's instead very important to have the needed information in the Incident Review dashboard. Ciao, Giuseppe
Also, the drilldown search is not available either.
Yes, I have these fields in my correlation search, but when I set the notable name, it only shows the rule name instead of the fields I have added:

test_alert $src$ $dest$ $user$
Hi @Nawab, to display additional fields in the Incident Review dashboard, you have to check if these fields are present in the Correlation Search that creates the Notable. If they are, you can customize your dashboard in [ Configure > Incident Management > Incident Review Settings > Incident Review - Table Attributes ]. Ciao. Giuseppe
Hi @Harish2, it's clear: in your events you don't have the starting hours (12:00). As I described in my first answer, you have to manage hours in a different way (outside the lookup):

| tstats count latest(_time) as _time WHERE index=app-idx host="*abfd*" sourcetype=app-source-logs BY host
| eval date=strftime(_time,"%Y-%m-%d"), day=strftime(_time, "%d"), hour=strftime(_time, "%H")
| search NOT (hour<8 OR hour>11 OR [ | inputlookup calendsr.csv WHERE type="holyday" | fields date ] )
| fields - _time day hour

obviously using the date in the lookup without hours and minutes. Ciao. Giuseppe
Hi @phanikumarcs, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
Hi @Satyapv, let me understand: for each TraceNumber you can have Error="yes" (or something else) or Exception="yes" (or something else) and ReturnCode="yes" (or something else). You want in a table the TraceNumber and, in different columns, Error, Exception and ReturnCode = "YES" if there's something or "NO" if there's nothing, is it correct? In this case, you have to give the values when there's no value, something like this:

index=Application123 TraceNumber=*
| eval Error=if(isnotnull(Error),"YES","NO"), Exception=if(isnotnull(Exception),"YES","NO"), ReturnCode=if(isnotnull(ReturnCode),"YES","NO")
| table TraceNumber Error Exception ReturnCode

It's not clear to me if the Error, Exception and ReturnCode fields are already extracted or not; if not, please share some samples so I can help you with the extraction. Ciao. Giuseppe
When we create a notable, we want to use certain fields such as source IP and destination IP. When I create the rule and add these fields as $src$ and $dest$ in Enterprise Security 7.0.0 it works, but in 7.3.0 it does not show any result.
Hi @richgalloway, how do I consolidate ThousandEyes into Splunk to centralize alerts on the dashboard? Please help me with the above question. Thanks
Hello All, I have an Index = Application123 and it contains a unique ID known as TraceNumber. For each TraceNumber we have Errors, Exceptions and return codes. We have a requirement to summarize in a table like below: if an error is found in the index, the table value should be YES; if not found it should be NO. Same for Exception: if an Exception is found then the table should show YES or else NO. Note: Errors, exceptions and return codes are in the content of the index, in the field Message log.

TraceNumber   Error   Exception   ReturnCode
11111         YES     NO          YES
1234          YES     NO          YES

Any help would be appreciated.
Hi team, I mentioned that the payload field contains the entity-internal-id and lead-id in an array format. I want to print a separate event with one lead and one entity internal id present, and the rest of the values will be printed in the next event, respectively. Kindly suggest here.

correlation_id: ********
custom_attributes: {
  campaign-id: ****
  campaign-name: ******
  country:
  entity-internal-id: [
    12345678
    87654321
  ]
  lead-id: [
    11112222
    33334444
  ]
  marketing-area: *****
  record_count:
  root-entity-id: 2
}
Hello, how do I change the font size of the y-values in a Splunk dashboard bar chart? I tried:

<html>
  <style>
    #rk g[transform] text {
      font-size: 20px !important;
      font-weight: bold !important;
    }
    g.highcharts-axis.highcharts-xaxis text {
      font-size: 20px !important;
    }
    g.highcharts-axis.highcharts-yaxis text {
      font-size: 20px !important;
    }
  </style>
</html>
Our pro license has expired and I wanted to check on the procedure for the upgraded license file.