Hi @altink, never modify anything in the default folder! At the first upgrade you'll lose all your changes. Copy the entire file, or only the stanza you need to change, into the local folder and modify the value there. At the end, restart Splunk. Ciao. Giuseppe
Hi @thaghost99, please try this regex: | rex "(?ms)(?<node>node\d+).*?Attack database version:(?<Attack_database_version>\d+).*?Detector version\s*:(?<Detector_version>[^\n]+).*?Policy template version\s*:(?<Policy_template_version>\d+)" which you can test at https://regex101.com/r/R9SWnM/1 Ciao. Giuseppe
Using the SOAR export app in Splunk, we are pulling certain alerts into SOAR. Depending on the IP, the artifacts are grouped into a single container. Now I need to create one ticket for each container using a playbook. But what happens is that if the container has multiple artifacts, it creates one ticket for each artifact. Any idea how to solve this? Phantom, Splunk App for SOAR Export
Hi Folks, I have a quick question. Currently I have a syslog event and I need to see the raw data in Splunk with the information in a different order. Example original syslog: (?<field1>REGEX),(?<field2>REGEX),(?<field3>REGEX), etc. What I want to see indexed in Splunk: (?<field1>REGEX),(?<field3>REGEX),,(?<TIMESTAP>REGEX),(?<field2>REGEX). I tried with the SED command in props.conf; it is really useful to clean the data but not to reorder the info. Thanks in advance, Alex
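An added example, not from the post, of reordering comma-separated fields with a regular-expression substitution. The replacement string refers to the capture groups by number, which is how the swap is expressed; the same s/.../\1,\3,,\4,\2/ expression is the form a SEDCMD setting in props.conf accepts, because SEDCMD supports backreferences in the replacement. The sample line and the four-field layout (field1, field2, field3, timestamp) are constructed for illustration and are assumptions about the real data.

```python
import re

# Constructed sample line (not from the original post): field1,field2,field3,timestamp
SAMPLE_LINE = "web01,alice,login,2024-02-27T14:12:38Z"

# One capture group per comma-separated field, anchored so a partial match
# cannot rewrite a line that has a different shape.
FIELD_RE = re.compile(r"^([^,]*),([^,]*),([^,]*),([^,]*)$")

# Desired order: field1, field3, <empty>, timestamp, field2.
REPLACEMENT = r"\1,\3,,\4,\2"

# The equivalent props.conf setting; the regex and replacement are identical,
# only the s/// wrapper differs. Assumed stanza name.
SEDCMD_EXAMPLE = r"SEDCMD-reorder = s/^([^,]*),([^,]*),([^,]*),([^,]*)$/\1,\3,,\4,\2/"


def reorder(line: str) -> str:
    """Return the line with its fields reordered.

    A line that does not match the expected layout is returned unchanged,
    which is also what sed does when the pattern does not match, so one
    malformed event cannot be mangled into something that looks valid.
    """
    if not FIELD_RE.match(line):
        return line
    return FIELD_RE.sub(REPLACEMENT, line)


def reorder_all(lines):
    """Apply the reorder to a batch of raw lines (e.g. a test file)."""
    return [reorder(l) for l in lines]


if __name__ == "__main__":
    print(reorder(SAMPLE_LINE))
    print(SEDCMD_EXAMPLE)
```

Because SEDCMD rewrites _raw at index time, a wrong expression permanently alters every event it touches; run the substitution against a sample of real lines (a test index works well) before enabling it on the production sourcetype.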
I have a saved search "MySearch" that takes a parameter "INPUT_SessionId", something like this: index=foo | ... some stuff | search $INPUT_SessionId$ | ... more stuff And then "MySearch" is invoked like this: | savedsearch "MySearch" INPUT_SessionId="abc123" My challenge is that sometimes my users and I accidentally invoke it with curly braces around the SessionId (it's a long story), like this: | savedsearch "MySearch" INPUT_SessionId="{abc123}" When invoked this way, the search produces no results, which is confusing for the user until they realize they accidentally included curly braces. I'd like to change things inside "MySearch" so that it strips curly braces from $INPUT_SessionId$ before continuing to use the value. For a typical field value I know how to use trim, like | eval someField=trim(someField, "{}") How do I do something like trim() but on the value of the parameter $INPUT_SessionId$?
Hello @PickleRick. Understood. So, Splunk trimmed the space on purpose. My goal is to move the text to the left like it does in Splunk Dashboard Studio. I applied CSS on the panel using "text-align: left", but it didn't work. Is it possible to align text to the left in a single value panel? Thanks
I have no search to share.
Dear All, Thank you so much for the response. I am extremely sorry, as I made it very difficult by sharing the whole use case. Actually, the requirement here is as follows: 1. If an email comes from a sender that was never seen before, we investigate and, when confirmed that it is legitimate, we should whitelist it. 2. If any email comes from the same domain, then we shouldn't get any alert (depending on the throttling value). 3. If an email comes from a new domain, again one that was not seen previously, then we should get an alert in Splunk. After that, we repeat step 1. Is it possible for you to help me with a query to satisfy this requirement? I tried my level best but it doesn't seem to be working. I would really appreciate all the help and support. Regards, Anoop
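One way to structure the logic in the three steps above, as an added Python example rather than a query from the thread: a set of approved sender domains stands in for the lookup you would maintain in Splunk, a per-domain "last alert" time stands in for the alert's throttle setting (suppressing on the domain field), and approve() is step 1, the analyst confirming a domain after investigation. The sample events, the domain names and the one-hour throttle window are all constructed for illustration and are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample mail events (timestamp, sender); not real log data.
SAMPLE_EVENTS = [
    ("2024-02-27 09:00:00", "alice@partner.example"),    # approved domain: no alert
    ("2024-02-27 09:05:00", "bob@partner.example"),      # approved domain: no alert
    ("2024-02-27 09:20:00", "eve@unknown.example"),      # never seen: alert
    ("2024-02-27 09:25:00", "mallory@unknown.example"),  # same domain inside window: throttled
    ("2024-02-27 11:30:00", "eve@unknown.example"),      # window expired, still not approved: alert again
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address; the whole string if there is no '@'."""
    return address.rsplit("@", 1)[-1].strip().lower()


class FirstSeenDomainMonitor:
    """Alert once per unapproved domain per throttle window (steps 2 and 3)."""

    def __init__(self, approved, throttle=timedelta(hours=1)):
        self.approved = {d.lower() for d in approved}  # stands in for the whitelist lookup
        self.throttle = throttle                        # stands in for the alert throttle value
        self.last_alert = {}                            # domain -> datetime of last alert

    def process(self, ts: datetime, sender: str):
        """Return the domain to alert on, or None when the event is suppressed."""
        domain = sender_domain(sender)
        if domain in self.approved:
            return None
        last = self.last_alert.get(domain)
        if last is not None and ts - last < self.throttle:
            return None  # same unapproved domain, still inside the throttle window
        self.last_alert[domain] = ts
        return domain

    def approve(self, domain: str) -> None:
        """Step 1: analyst confirmed the domain is legitimate; stop alerting on it."""
        d = domain.lower()
        self.approved.add(d)
        self.last_alert.pop(d, None)


def run(events, approved, throttle=timedelta(hours=1)):
    """Replay events in order and return [(timestamp, domain)] for every alert raised."""
    monitor = FirstSeenDomainMonitor(approved, throttle)
    alerts = []
    for ts_str, sender in events:
        domain = monitor.process(datetime.strptime(ts_str, TIME_FMT), sender)
        if domain is not None:
            alerts.append((ts_str, domain))
    return alerts


if __name__ == "__main__":
    for ts, domain in run(SAMPLE_EVENTS, approved=["partner.example"]):
        print(f"{ts} new sender domain: {domain}")
```

The behaviour worth noticing is the last sample event: an unapproved domain keeps alerting after each throttle window until someone approves it, which is what the requirement asks for, but it also means an investigation that is never closed produces a recurring alert rather than a one-off.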
Hi Giuseppe, Greetings from another Joseph. We have a distributed environment with multiple SHs, 8 I think, in 2 different groups. For that reason any app/TA that has API calls or binaries goes onto an HF that we use for this purpose. We actually don't care about the UI for the app since all we want to do is pull in the events using the binaries. I tried splitting the app into an input piece and a search piece but that didn't work. We have suggested to Bloodhound that they do this. For now the app runs on the HF, which is where the kvstores are created. The teams use the SHs to look at the events in the Search app. I've had a request to copy the kvstores to one of the SH groups so they can be examined instead of using the alerts that get created from the kvstores. Regards, Joe
@n3wbi3 The error message you mentioned, "Data Durability Root Cause(s): Replication Factor is not met," indicates that the replication factor for some buckets is not being fulfilled. Check if any peers are offline or experiencing connectivity problems. An offline peer can prevent the replication factor from being met: https://docs.splunk.com/Documentation/Splunk/9.2.0/DMC/Usefeaturemonitoring The message "All data is not searchable" suggests that some buckets are not fully searchable. Ensure that all buckets have primary copies. If a bucket lacks a primary copy, it can impact searchability. Resync the state of the affected bucket copies on the manager: https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Anomalousbuckets (Anomalous bucket issues - Splunk Documentation)
@richgalloway, can you please share a possible search from your side, if possible?
@nmboner Can you check this: Deleting the Unsupported Splunk Windows Universal Forwarder (TekStream Solutions)
@jdhart1312  Check for Errors: Search the _internal index for any email-related errors or warnings. Use the following search query: index=_* AND (SMTP OR sendemail OR email) AND (FAIL* OR ERR* OR TIMEOUT OR CANNOT OR REFUSED OR REJECTED)
@jdhart1312 It seems like you're experiencing an issue with email alert notifications in Splunk. First, ensure that the user account associated with the alerts has the necessary permissions to send emails. Sometimes issues arise due to permission restrictions. Verify that the user has the appropriate access. Test with the | sendemail command: run an ad-hoc test using the | sendemail command in your search query. This will help verify whether emails are being sent correctly. If you receive the expected results via email, it indicates that the email functionality is working and the issue might be specific to your alerts. Ensure that the dimensions of any attachments (such as PDFs) do not exceed the email attachment size limit. Large attachments may cause email delivery problems. Email notification action - Splunk Documentation
Is it a problem if I modify it directly under the default folder? Is a restart needed after? Best regards, Altin
Here is the current data:

Feb 27 14:12:38 node0:
--------------------------------------------------------------------------
Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC)
Detector version :12.2.140230313
Policy template version :3535
node1:
--------------------------------------------------------------------------
Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC)
Detector version :12.2.140230313
Policy template version :3535
{primary:node0}

I need help extracting the values for attack database version (just the digits), detector version and policy template version, by node (i.e. node0 and node1). The output should look something like this:

Node     Attack database version     Detector version     Policy template version
node0    3670                        12.2.140230313       3535
node1    3670                        12.2.140230313       3535

Please and thank you; I am only able to get node0 but not node1.
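Checking the suggested regex against the event above, as an added example that is not part of either post. Python's re module uses the same named-group syntax spelt (?P<name>...), and re.DOTALL plays the role of the (?ms) prefix. The point it makes is that a single search() returns only the node0 block, which is exactly what rex does by default (max_match defaults to 1, so the "only node0" symptom is expected), while finditer() returns both nodes, the equivalent of | rex max_match=0 "..." followed by mvzip/mvexpand to turn the resulting multivalue fields into one row per node. The sample event is a copy of the data in the post with its line breaks restored.

```python
import re

# Copy of the event posted in the thread (constructed here as a literal).
SAMPLE_EVENT = """Feb 27 14:12:38 node0:
--------------------------------------------------------------------------
Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC)
Detector version :12.2.140230313
Policy template version :3535
node1:
--------------------------------------------------------------------------
Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC)
Detector version :12.2.140230313
Policy template version :3535
{primary:node0}
"""

# Same pattern as the suggested rex, in Python's named-group spelling.
# re.DOTALL lets .*? cross line boundaries, as (?ms) does in Splunk.
NODE_BLOCK = re.compile(
    r"(?P<node>node\d+).*?"
    r"Attack database version:(?P<Attack_database_version>\d+).*?"
    r"Detector version\s*:(?P<Detector_version>[^\n]+).*?"
    r"Policy template version\s*:(?P<Policy_template_version>\d+)",
    re.DOTALL,
)

COLUMNS = ("node", "Attack_database_version", "Detector_version", "Policy_template_version")


def extract_first(event: str):
    """What rex does by default (max_match=1): only the first node block."""
    m = NODE_BLOCK.search(event)
    return m.groupdict() if m else None


def extract_all(event: str):
    """What rex max_match=0 yields: every node block, in order of appearance.

    The trailing "{primary:node0}" line also contains "node0", but no version
    fields follow it, so it correctly produces no extra row.
    """
    return [m.groupdict() for m in NODE_BLOCK.finditer(event)]


def as_table(event: str):
    """One tuple per node in the column order the poster asked for."""
    return [tuple(row[c] for c in COLUMNS) for row in extract_all(event)]


if __name__ == "__main__":
    print("  ".join(COLUMNS))
    for row in as_table(SAMPLE_EVENT):
        print("  ".join(row))
```

In SPL the same distinction is rex's max_match argument: without it only node0 is extracted, with max_match=0 each field becomes a multivalue field holding one entry per node, and mvzip plus mvexpand (or a split on the node marker before rex) turns them into one row per node.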
Hi all, I have a dashboard that monitors deploys, and a table that tracks all info related to any given deploy. I have a column labeled "pull request urls" that populates with the GitHub link related to the deploy, and I made it clickable with a drilldown. However, for local deploys with no link, it populates "N/A", and I would like to exclude that text from the drilldown. Is there any way to exclude certain strings from drilldowns? The drilldown is copied below.

<option name="drilldown">cell</option>
<drilldown>
  <condition field="PULL_REQUEST_URL">
    <!-- this condition field can be modified based on column header -->
    <link target="_blank">$click.value2|n$</link>
  </condition>
  <condition>
    <!-- keep this blank -->
  </condition>
</drilldown>
Is the GUI running on a Windows machine? If not, then I believe you will get an error like that, since there are no local Windows performance inputs. Instead, you'll need Remote Performance Monitoring.
I'm not familiar enough with Windows to discuss lateral movement on that platform. I believe, however, the first step should be filtering out known-good events. Also, Splunk's User Behavior Analytics (UBA) product may be useful for this.
No. You should _not_ tag people when asking questions. This is a community-driven forum where people voluntarily help others in their own time. Tagging people when asking a question can be perceived as demanding an answer from that person. You can demand... well, if you buy a paid consultancy service, quite frankly. This is a place for sharing ideas and experiences; it's not meant as a replacement for support or as free labor.