All Posts
@PickleRick I think the point is that @cs308 wants to be able to determine if an IP address is private or not. Yes, the regex may not be pretty, but it is doable (about 135 characters for a version that detects private IP addresses, and about 150 characters for a version that detects non-private IP addresses). As I said, this depends on what the definition of private is and how robust the expression needs to be.
1. Don't think about it like that. If a field in your data is - let's say - the source of the connection, it is that source regardless of whether it is a public IP or a private one. You can filter on that field later.
2. Even if you tried doing that, it will not be pretty using regex alone.
  To get here I click apps > addon builder > add on list > data inputs.  Then the list of scripts that I built are listed. If I hit edit, it goes through the entire configuration again, if I click on code, it goes to the script. All scripts run when I hit test and can be found via a search.  
Please share what you have tried so far and some anonymised sample events that you are working with. Also, is this IPv4 only? In general, IPv4 private addresses fall into distinct groups; is it that you want to use these groups to determine which sort of address it is? If so, which groups do you want to treat as private? For example: 127.x.x.x, 192.168.x.x, etc.?
I have trouble with getting public and private IP address fields separately. How can I extract private and public IP address fields separately using regex? Because, when I extract the IP field from the failed ssh login log, I get both public and private addresses in the same field, therefore I want to extract them into different fields.
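As an added illustration for the private/public IP question in this thread (not code posted by any participant), the Python below extracts IPv4 addresses from constructed sshd failure lines, splits them using an explicit definition of "private" (RFC 1918 plus loopback, which is one of the choices the answers say you must make), and cross-checks a regex-only test of the kind discussed above against a network-list check from the standard library.

```python
import ipaddress
import re

# Constructed sample events shaped like sshd "Failed password" messages.
SAMPLE_EVENTS = [
    "Failed password for root from 192.168.1.25 port 51234 ssh2",
    "Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2",
    "Failed password for deploy from 10.20.30.40 port 33333 ssh2",
    "Failed password for root from 172.31.255.254 port 2222 ssh2",
    "Failed password for root from 172.32.0.1 port 2223 ssh2",
    "Failed password for ops from 127.0.0.1 port 5555 ssh2",
    "Failed password for root from 999.1.1.1 port 1 ssh2",  # malformed on purpose
]

# Loose extractor: grabs dotted quads, including ones that are not valid IPs.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The definition of "private" used here: RFC 1918 plus loopback. Anything
# else (link-local, documentation ranges, ...) is treated as public.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# The same definition as one anchored regex. The 172 branch is what makes a
# regex-only test awkward: 172.16 through 172.31 are private, 172.32 is not.
PRIVATE_RE = re.compile(
    r"^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3})$"
)

def is_private_regex(ip: str) -> bool:
    """Regex-only decision; assumes ip is already a valid dotted quad."""
    return PRIVATE_RE.match(ip) is not None

def is_private_network(ip: str) -> bool:
    """Reference decision: membership in the explicit network list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETWORKS)

def split_ips(events):
    """Return (private_ips, public_ips) found in the events, in order."""
    private, public = [], []
    for line in events:
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(ip)  # drops octets > 255 such as 999.1.1.1
            except ValueError:
                continue
            (private if is_private_network(ip) else public).append(ip)
    return private, public

def regex_agrees_with_networks(events) -> bool:
    """Cross-check: both methods must classify every extracted IP alike."""
    private, public = split_ips(events)
    return all(is_private_regex(ip) == is_private_network(ip) for ip in private + public)
```

In SPL the same decision is normally made with cidrmatch() in an eval rather than with a regex; the regex form is shown because that is what the question asks for.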
If you prefer, you could use an SVG instead of emoji using this:

<form version="1.1" theme="dark">
  <label>Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <html>
      <div class="dashboard-row">
        <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%; box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1); border-radius: 6px;">
          <h3 class="text-warning" style="display: flex; align-items: center; margin-bottom: 8px; color:#f57c00;">
            <span style="font-size: 32px; margin-right: 12px;"><svg focusable="false" height="1.3em" width="1em" viewBox="0 0 1500 1313" aria-hidden="false" preserveAspectRatio="xMidYMid" xmlns="http://www.w3.org/2000/svg" data-test-name="warning-icon" class="warningIcon"><title>Warning</title><path style="fill:currentColor;" d="M.956 1196.326l668.58-1144.89C689.395 17.736 718.71 0 749.916 0c31.207 0 59.577 15.963 80.382 51.436l668.58 1144.89c7.565 12.416-23.642 116.174-77.544 116.174H85.474c-53.902 0-92.083-102.872-84.518-116.174zm643.333-684.743l32.146 257.167c4.908 39.264 34.086 74.685 69.815 91.187 36.612-16.018 64.87-50.826 69.914-91.187l32.146-257.167C855.18 456.623 815.582 411 759.7 411h-26.8c-55.908 0-95.555 45.033-88.61 100.583zm101.294 644.209c63.283 0 114.584-51.301 114.584-114.584 0-63.282-51.301-114.583-114.584-114.583-63.282 0-114.583 51.3-114.583 114.583s51.3 114.584 114.583 114.584z"></path></svg></span>
            Important Notice
          </h3>
          <p class="text-muted">
            Avoid long date ranges like <strong>Last 30 days</strong> to avoid performance bottlenecks.
          </p>
          <p class="text-muted">
            Please ensure an <strong>Index</strong> is selected before running this dashboard.
          </p>
        </div>
      </div>
    </html>
    <input type="dropdown" token="field1">
      <label>Index</label>
      <choice value="_internal">_internal</choice>
    </input>
    <input type="dropdown" token="field2">
      <label>Something else</label>
      <choice value="*">*</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|tstats count where index=_internal by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@livehybrid wrote:

Hi @splunklearner

I've adjusted the styling now so it's based on the Splunk theme colouring and adjusts for both:

Regarding the emoji and dark-mode, it seems to work okay for me. Occasionally when switching between light/dark mode I needed to do a hard refresh but it certainly looks to be working as per the above screenshot. Below is the XML code for the example dashboard:

<form version="1.1" theme="dark">
  <label>Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <html>
      <div class="dashboard-row">
        <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%; box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1); border-radius: 6px;">
          <h3 class="text-warning" style="display: flex; align-items: center; margin-bottom: 8px; color:#f57c00;">
            <span style="font-size: 32px; margin-right: 12px;">⚠️</span>
            Important Notice
          </h3>
          <p class="text-muted">
            Avoid long date ranges like <strong>Last 30 days</strong> to avoid performance bottlenecks.
          </p>
          <p class="text-muted">
            Please ensure an <strong>Index</strong> is selected before running this dashboard.
          </p>
        </div>
      </div>
    </html>
    <input type="dropdown" token="field1">
      <label>Index</label>
      <choice value="_internal">_internal</choice>
    </input>
    <input type="dropdown" token="field2">
      <label>Something else</label>
      <choice value="*">*</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|tstats count where index=_internal by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Hi @splunklearner

This thread is getting hard to follow so I've edited this to include two variants. I've adjusted the styling now so it's based on the Splunk theme colouring and adjusts for both. Below is the XML code for the example dashboard:

<form version="1.1" theme="dark">
  <label>Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <html>
      <div class="dashboard-row">
        <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%">
          <h3 class="text-warning" style="display: flex; align-items: center; margin-bottom: 8px; color:#f57c00;">
            <span style="font-size: 32px; margin-right: 12px;">⚠️</span>
            Important Notice
          </h3>
          <p class="text-muted">
            Avoid long date ranges like <strong>Last 30 days</strong> to avoid performance bottlenecks.
          </p>
          <p class="text-muted">
            Please ensure an <strong>Index</strong> is selected before running this dashboard.
          </p>
        </div>
      </div>
    </html>
    <input type="dropdown" token="field1">
      <label>Index</label>
      <choice value="_internal">_internal</choice>
    </input>
    <input type="dropdown" token="field2">
      <label>Something else</label>
      <choice value="*">*</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|tstats count where index=_internal by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Regarding the emoji and dark-mode, it seems to work okay for me. Occasionally when switching between light/dark mode I needed to do a hard refresh but it certainly looks to be working as per the above screenshot.

*HOWEVER* below is a version which uses an embedded SVG image instead:

The code for that is:

<form version="1.1" theme="dark">
  <label>Dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <html>
      <div class="dashboard-row">
        <div class="dashboard-panel" style="border-left: 6px solid #f57c00; padding:10px; width:90%; box-shadow: 0 2px 6px rgba(255, 255, 255, 0.1); border-radius: 6px;">
          <h3 class="text-warning" style="display: flex; align-items: center; margin-bottom: 8px; color:#f57c00;">
            <span style="font-size: 32px; margin-right: 12px;"><svg focusable="false" height="1.3em" width="1em" viewBox="0 0 1500 1313" aria-hidden="false" preserveAspectRatio="xMidYMid" xmlns="http://www.w3.org/2000/svg" data-test-name="warning-icon" class="warningIcon"><title>Warning</title><path style="fill:currentColor;" d="M.956 1196.326l668.58-1144.89C689.395 17.736 718.71 0 749.916 0c31.207 0 59.577 15.963 80.382 51.436l668.58 1144.89c7.565 12.416-23.642 116.174-77.544 116.174H85.474c-53.902 0-92.083-102.872-84.518-116.174zm643.333-684.743l32.146 257.167c4.908 39.264 34.086 74.685 69.815 91.187 36.612-16.018 64.87-50.826 69.914-91.187l32.146-257.167C855.18 456.623 815.582 411 759.7 411h-26.8c-55.908 0-95.555 45.033-88.61 100.583zm101.294 644.209c63.283 0 114.584-51.301 114.584-114.584 0-63.282-51.301-114.583-114.584-114.583-63.282 0-114.583 51.3-114.583 114.583s51.3 114.584 114.583 114.584z"></path></svg></span>
            Important Notice
          </h3>
          <p class="text-muted">
            Avoid long date ranges like <strong>Last 30 days</strong> to avoid performance bottlenecks.
          </p>
          <p class="text-muted">
            Please ensure an <strong>Index</strong> is selected before running this dashboard.
          </p>
        </div>
      </div>
    </html>
    <input type="dropdown" token="field1">
      <label>Index</label>
      <choice value="_internal">_internal</choice>
    </input>
    <input type="dropdown" token="field2">
      <label>Something else</label>
      <choice value="*">*</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|tstats count where index=_internal by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please let me know how you get on and if you need any other changes.
thanks you @richgalloway 
Your query shows the correct result but the fields are not in the order I want to display. The easiest way to get the display order you wanted is to use the table command, like | table _time API Total AvgDur TXN_1000 1sec-2sec 2sec-5sec 5sec+  @ITWhisperer already pointed out the mistake in your data emulation that is fixed by strptime. The two methods give exactly the same result. The only difference is in field names, which can easily be coordinated.
We're experiencing the same issue.  Were you able to resolve this?
We're trying to customize the Mean Time to Triage and Mean Time to Resolution queries in the ES Executive Summary dashboard to filter for specific urgency or rule names. We previously were using the stand-alone Mission Control app before it was integrated into Enterprise Security. Reviewing the incident_updates_lookup table, it seemed to have stopped updating both "urgency" and "rule_name" around the time we migrated into Enterprise Security's Mission Control. We can see old entries prior to that, but more recent ones are very infrequent. Anyone know how to resolve this or know of another way to filter?
Hey @spamarea1, So, where do you see 0 events? On the sourcetype-extraction page of the Add-on Builder? Can you please share a screenshot of it? I assume it is because of the nature of the data flow set up. Your Add-on Builder would be present on one of the Enterprise servers and the data would be ingested into a different server on which the Indexer is residing. So, whenever the input runs, it collects the data and sends it to the indexer server. If the indexing happens locally, you would be able to see the events on the Add-on Builder page. Let me know if what I'm understanding is incorrect; a screenshot would be better to troubleshoot further. Thanks, Tejas. --- If the above solution helps, an upvote is appreciated..!!
I did the save and finish buttons. I get output when I hit the test and I see it when I search using the index and sourcetype. The data is even put into the dashboard. I just have to run this manually.
Hello @spamarea1, Did you run the test button before saving? If the output shows a blank white screen, it'll not ingest any data. Also, try to add more loggers to isolate the problem. Also, for once, add an info log of the response.txt itself, so that you can understand what the output should look like. Thanks, Tejas.
@tej57 Here is the code; I reused the template that the addon builder app started. The data input is also set up, it was built by the app, I have to give it a name and put the interval to 30 seconds. Formatting here is not good....

# encoding = utf-8
import os
import sys
import time
import datetime

'''
IMPORTANT
Edit only the validate_input and collect_events functions.
Do not edit any other part in this file.
This file is generated only once when creating the modular input.
'''

'''
# For advanced users, if you want to create single instance mod input, uncomment this method.
def use_single_instance_mode():
    return True
'''

def validate_input(helper, definition):
    """Implement your own validation logic to validate the input stanza configurations"""
    # This example accesses the modular input variable
    # password = definition.parameters.get('password', None)
    # username = definition.parameters.get('username', None)
    # finesse_ip = definition.parameters.get('finesse_ip', None)
    pass

def collect_events(helper, ew):
    import requests
    from requests.auth import HTTPBasicAuth

    # Input parameters configured in the Add-on Builder data input
    finesse_ip = helper.get_arg('finesse_ip')
    username = helper.get_arg('username')
    password = helper.get_arg('password')
    url = f"https://{finesse_ip}/finesse/api/SystemInfo"

    try:
        # verify=False disables TLS certificate verification for this request
        response = requests.get(url, auth=HTTPBasicAuth(username, password), verify=False)
        if response.status_code == 200:
            helper.log_info(f"Successfully retrieved data from {url}")
        else:
            helper.log_error(f"Request failed. Status: {response.status_code}, Body: {response.text}")
        # The response body is written as an event regardless of the status code
        event = helper.new_event(
            data=response.text,
            source=helper.get_input_type(),
            index=helper.get_output_index(),
            host="finesse1a",
            sourcetype=helper.get_sourcetype()
        )
        ew.write_event(event)
    except Exception as e:
        helper.log_error(f"Error during request to {url}: {str(e)}")
Hello @spamarea1, Would you be able to share the python code to check further why it is not ingesting events? And can you also confirm if ew.write_event(event) has been set properly? Did you also check on the Add-on Builder UI if it is ingesting events when you run the Test button? Thanks, Tejas. 
Hello @sl, You can alternatively use this wonderful tool developed by Ryan Adler - https://github.com/ryanadler/downloadSplunk I found this one in one of the previous answers on Community. Running the bash script will help you download whatever version you wish if Splunk Support doesn't help you better. Thanks, Tejas.
Hi @Narendra_Rao, for upgrading to KV store 7.x, first the KV store needs to be on 4.2.x. Looking at your KV store version, it's on 4.1.7; this is the reason the upgrade is failing. You need to upgrade to 4.2.x, then go for 7.x.
Upgrade document to 4.2.x: https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.3/administer-the-app-key-value-store/migrate-the-kv-store-storage-engine
Then upgrade document to 7.x: https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/MigrateKVstore#Prepare_for_the_upgrade
This worked perfectly! thank you so much!!!      Diana