https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ When I give this command, Operation!="Disable Strong Authentication.", I am getting the MFA-enabled users' details. But when the query below is executed, I am not getting any output. Can someone help me by sharing some docs?
`o365_management_activity` Operation="Disable Strong Authentication."
| stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation UserId ResultStatus object
| rename UserType AS user_type, Operation AS action, UserId AS src_user, object AS user, ResultStatus AS result
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_disable_mfa_filter`
as per the
Hi, I have created a tag for the field "counter" called "a". But when I run a search with tag=a or with tag::counter="a", there are no results. What is the problem, please?
Hi @jeradb, as @richgalloway said, you should add a new calculated field to your Data Model using your eval. Remember that you have to rebuild the Data Model; otherwise the new calculated field will be available only from the time when you added it. Ciao. Giuseppe
Hi @Kat456, I suppose that you ingested this data from the CSV file into Splunk. When you have it in Splunk, you can have it in the order you like:
index=your_index
| table firstname lastname
Ciao. Giuseppe
Hi @edalbanese, I still haven't used it, but I saw a colleague who used the OB OpenAI ChatGPT App at https://splunkbase.splunk.com/app/6957 . About images, to my knowledge, at the moment Splunk stores and searches only text files. Ciao. Giuseppe
Hi @Muthu_Vinith, you can use the Splunk Lookup Editor App ( https://splunkbase.splunk.com/app/1724 ) to create the lookup. To create the Lookup Definition, you can use the second item of the dashboard that you shared. Ciao. Giuseppe
Could I create my own certificate for the SAML configuration if the IDP certificate setup isn't working as expected? If so, how can I do this?
Hi, you can enable debug mode for the splunkd.log file before taking a diag.
Enable debug logging on all of splunkd.log: Splunk software has a debugging parameter (--debug) that you can use when you start Splunk software from the CLI in *nix. This command outputs logs to the $SPLUNK_HOME/var/log/splunk/splunkd.log file. This option is not available on Windows. To enable debugging on Splunk software running on Windows, enable debugging on a specific processor. See Enable debug logging in Splunk Web or Enable debug logging using log.cfg.
Navigate to $SPLUNK_HOME/bin.
Stop the Splunk platform instance, if it is running.
Save your existing splunkd.log file by renaming it, like splunkd.log.old.
Restart the instance in debug mode with splunk start --debug.
When you notice the problem, stop the instance.
Move the new splunkd.log file elsewhere and restore the old file.
Stop or restart the instance normally (without the --debug flag) to disable debug logging.
Not all messages marked WARN or ERROR indicate actual problems with Splunk software; some indicate that a feature is not being used.
For splunk diag, run the following command:
*nix example: ./splunk diag
Windows example: splunk diag
@raghunandan1
Hi @raghunandan1, you can try the below:
index=mssql sourcetype="mssql:database" OR sourcetype="mssql:databases" state_desc!="ONLINE"
| eval assignment_group = case(host=="sitpdb0033","Sql_Production Support", like(source,"%mssql_mfg%"),"Winows_Support - Operations",1=1, "Sql_Production Support")
Hi @aniketsamudra, you should use a case statement like the below:
| eval Test=case(like('thrown.extendedStackTrace',"%403%"),"403", like('thrown.extendedStackTrace',"%404%"),"404",1=1,"###ERROR####")
Hello, the only count I need in my report is client_ip counts. I don't understand how you can count matching events, but if you can modify my last query (and replace join with something more efficient) that would be a great help. Thanks
Use the /services/search/jobs REST API. When you set up an alert, you must have a saved search. Assuming that you give it the name "My alarming alert: Everybody panic!", the following search will tell you when the last alert happened and when the first clear occurred. (It will display the time of the latest clean search if the last alert has already expired.)
| rest /services/search/jobs
| where isDone = 1 AND label == "My alarming alert: Everybody panic!"
| fields updated resultCount label
| eval _time = strptime(updated, "%FT%T.%3N%z")
| transaction startswith="resultCount>0" endswith="resultCount=0" keeporphans=1
| fields - _*
| where closed_txn == 1 OR resultCount == 0
| eval last_alert_count = max(resultCount)
| eval last_alert_time = min(updated)
| fields label last_alert_time last_alert_count
We are rolling out a customer service chatbot. Has anyone needed to collect data such as input/output and logs between a chatbot and OpenAI to monitor it in Splunk? If so, what did you use to GDI? One other note: there is the possibility for customers to share images or video with the chatbot; I'm wondering if anyone has tried to collect this type of data in Splunk?
I have a search from which I produce a trellis of the sum of various error codes from multiple machines. I would like to enhance the charts with a short description text. I could add the text to the code value, create a new value name, and do the split on the new "codetext". But then I can't use the drill-down feature. Is there another way to add some text to the individual graphs?
Hi Team, we have DB alerts for server sitpdb0033 being assigned to the Windows support team first; they need to be assigned to the SQL team. How do we change the assignment group from the Windows support team to the SQL team? In index=mssql there are 30+ hosts configured. We want to change the group only for this server, sitpdb0033. We are using this SPL query:
index=mssql sourcetype="mssql:database" OR sourcetype="mssql:databases" state_desc!="ONLINE"
| eval assignment_group = case(like(source,"%mssql_mfg%"),"Winows_Support - Operations",1=1, "Sql_Production Support")
Can you please help with this requirement. Thank you, Nandan
I get this error whether I use <<FIELD>> or <<ITEM>>. Error in 'EvalCommand': The arguments to the 'mvappend' function are invalid.
| eval type=mvappend(if(isnotnull('<<ITEM>>'), '<<ITEM>>', type)) ]
Splunk Docs is your friend. See foreach. <<FIELD>> is a symbol in SPL's foreach command, not to be replaced by the user. SPL will iterate this symbol over the field names following the command name.