All Posts

Based on the screenshot the web server is disabled, so there shouldn't be anything listening on port 8000. Unless it's not disabled; then you should find the reason why it's not trying to start from splunkd.log.
If you are sending exactly the same email to all recipients then you probably could use e.g. a *stats command to combine all recipients into an mv-field and then transfer that to the "to" field for a, b, …
Proper Solution: edit your /etc/systemd/system/Splunkd.service and in the [Service] section add the following two lines:

Environment=REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.pem
Environment=SSL_CERT_FILE=/etc/ssl/ca-bundle.pem

Replace /etc/ssl/ca-bundle.pem with the path to your CA bundle containing your own certificate (or keep the path and add your CA certificates to the Linux OS truststore).

Python standard libs (httplib, urllib3) will use the CA trust bundle specified in SSL_CERT_FILE and the requests library will use REQUESTS_CA_BUNDLE.

One problem left: Splunk will often connect by IP address instead of using proper hostnames. For Security Essentials you might have two options (I verified the first):
- include IP 127.0.0.1 in the certificate of the Search Head, or
- in web.conf set mgmtHostPort = <SPLUNK-SEARCH-HEAD-FQDN>:8089 (Security Essentials will read this property in bin/sse_id_enrichment.py and will use it for the connection)
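An added stdlib-only check (not from this thread or from Splunk) for the two points above: which bundle the ssl module and requests would actually resolve from SSL_CERT_FILE / REQUESTS_CA_BUNDLE, and whether the host in mgmtHostPort would pass hostname verification against a certificate's subjectAltName entries. The bundle path and SAN entries are constructed placeholders.

```python
import ipaddress
import os
import ssl
import tempfile


def effective_ca_bundles():
    """Bundle each stack picks up right now. The ssl module resolves
    SSL_CERT_FILE via OpenSSL's default verify paths and yields None when the
    file is missing; requests reads REQUESTS_CA_BUNDLE (or CURL_CA_BUNDLE).
    A None is what a mistyped or unset Environment= line looks like."""
    stdlib_cafile = ssl.get_default_verify_paths().cafile
    req = os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("CURL_CA_BUNDLE")
    if req and not os.path.isfile(req):
        req = None
    return {"ssl": stdlib_cafile, "requests": req}


def with_bundle_env(path):
    """Set both variables as the unit file would, then report the result."""
    os.environ["SSL_CERT_FILE"] = path
    os.environ["REQUESTS_CA_BUNDLE"] = path
    return effective_ca_bundles()


def make_placeholder_bundle():
    """Constructed stand-in for /etc/ssl/ca-bundle.pem (not a real CA file)."""
    f = tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False)
    f.write("# placeholder bundle, constructed for this demo\n")
    f.close()
    return f.name


def target_matches_san(target, san):
    """True if the host part of a mgmtHostPort value would pass hostname
    verification against SAN entries in SSLSocket.getpeercert() layout, e.g.
    (("DNS", "sh.example.internal"), ("IP Address", "127.0.0.1")).
    An IP target only matches an "IP Address" entry, never a DNS name, which
    is why a cert without that SAN fails when Splunk connects to 127.0.0.1."""
    host = target.rsplit(":", 1)[0] if ":" in target else target
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS":
            if value.lower() == host.lower():
                return True
            # a wildcard covers exactly one leftmost label
            if value.startswith("*.") and host.lower().endswith(value[1:].lower()) \
                    and host.count(".") == value.count("."):
                return True
    return False
```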
Please share some anonymised sample data, the search you are using, your current results and your expected results.
Please share the search you are using and the results and explain why this is not what you are expecting
Thanks for sharing this blog!!
Hi @vehuiah, what's the scope of your request? If you pre-process and index logs using Splunk, you pay the license, so why should you pay the license and not use Splunk (the best log search engine) for searching? If you need Splunk logs in other systems, you can export subsets of data for your purposes, but you have Splunk to store, manage, normalize and aggregate data. Ciao. Giuseppe
Hi @fromero, if you open "your_ip_address:8000" can you access the web GUI of your Splunk server? If not, there could be two issues: as @isoutamo said, the web interface could be disabled (if this is your first installation that's very rare), or you didn't disable the local firewall (iptables). In the second case disable iptables and try again. Ciao. Giuseppe
Hi @vihshah, are you able to create the secondary search? Please share it and I'll show you how to use it to filter the results of the main search. Ciao. Giuseppe
Hi @raj98, in the Splunk documentation, in the Splunk YouTube Channel and in Community, you can find much material:
https://www.youtube.com/watch?v=OT9UT5Cidxw
https://www.youtube.com/watch?v=xGiLTayok6c
https://docs.splunk.com/Documentation/SOARonprem/6.2.0/Install/Overview
https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/splunk-soar/user-guide/
Ciao. Giuseppe
Unable to exactly locate and install SOAR on Linux. If possible can you please send the installation process?
@isoutamo Yes sir. If my requirement cannot be met through the sendemail.py script then I have to look for another way, like through some other tools I can handle this. This is my actual requirement. It should be as below:

action.email.to=$result.owner$ - all users from result here
action.email.cc=$admin@foo.bar$

I think then I cannot make this happen through the alert capability in Splunk. Note: gmail.com is just for example purposes here. This will be different in the actual case, aligned with my org. Regards, PNV
@Splunkanator  Can you please share some sample events and expected output? KV
@PickleRick: admin@gmail.com will be mentioned in action.email.Cc="admin@gmail.com".

action.email.to=$result.owner$
action.email.Cc=admin@gmail.com

So, you mean the sendemail.py script does not have the capability to send one email to different users with all of them in the "to" field? We cannot do that? Regards, PNV
Let's say I would like to query for messages that have a URL field with values other than X, Y, Z added as query parameters. How do I go about this? TIA
Hi, you should check if you have disabled the web server. See https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents r. Ismo
When I put in my search like this: | rex field=_raw "duser=(?<User>.*?) dvc" I get a new field called UserNameLabel with the value 'User', not the user field data.
I will look into that. Question on it: will that affect other MySQL/MariaDBs that are newer? I.e., will they still work with an older driver?
I always recommend not to treat structured data such as XML as text. Regex is usually the last route you want to go because it is not as robust as QA-tested Splunk built-in functions such as spath. I suspect the posted data is just a snippet and not the complete event. But the snippet itself looks compliant. If the raw event is compliant XML, Splunk should have given you fields like Event.System.Computer. If you don't have that, try setting KV_MODE=xml. If there are other elements in the raw event that are not part of the XML, e.g., timestamp, log level, etc., you should use rex to extract the compliant XML into a field, say data, then use spath on it.

Here is an emulation based on your mock snippet, assuming you have the XML in data. (Replace with _raw if the entire event is XML.)

| makeresults
| eval data ="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData>"
``` data emulation above ```
| spath input=data
| fields - data _*
| transpose column_name=fieldname
| rename "row 1" as fieldvalue

This gives

fieldname                                fieldvalue
Event.EventData.Data                     157f6670-a34e-4258-8c5a-695a5d47a600
                                         1
                                         1
Event.EventData.Data{@Name}              InstanceId
                                         MaxRunspaces
                                         MinRunspaces
Event.System.Channel                     Microsoft-Windows-PowerShell/Operational
Event.System.Computer                    server.domain
Event.System.Correlation{@ActivityID}    {157f6670-a34e-4258-8c5a-695a5d47a600}
Event.System.EventID                     8194
Event.System.EventRecordID               5161615
Event.System.Execution{@ProcessID}       6056
Event.System.Execution{@ThreadID}        5928
Event.System.Keywords                    0x0
Event.System.Level                       5
Event.System.Opcode                      16
Event.System.Provider{@Guid}             {a0c1853b-5c40-4b15-8766-3cf1c58f985a}
Event.System.Provider{@Name}             Microsoft-Windows-PowerShell
Event.System.Security{@UserID}           S-1-5-21-3521695231-3467208260-910013933-395133
Event.System.Task                        1
Event.System.TimeCreated{@SystemTime}    2024-01-25T22:00:11.2420989Z
Event.System.Version                     1
Event{@xmlns}                            http://schemas.microsoft.com/win/2004/08/events/event

Hope this helps.
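As an added offline illustration (not from the thread and not Splunk's implementation), a Python reproduction of the flattening spath performs on the snippet above: element paths joined with ".", attributes as Path{@attr}, and repeated paths such as the three Data elements collected into multivalue lists. The sample is the thread's own event with the closing </Event> tag added so a strict parser accepts it.

```python
import xml.etree.ElementTree as ET

# The thread's Windows PowerShell 8194 snippet; closing </Event> added.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-PowerShell' "
    "Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/>"
    "<EventID>8194</EventID><Version>1</Version><Level>5</Level>"
    "<Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords>"
    "<TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/>"
    "<EventRecordID>5161615</EventRecordID>"
    "<Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/>"
    "<Execution ProcessID='6056' ThreadID='5928'/>"
    "<Channel>Microsoft-Windows-PowerShell/Operational</Channel>"
    "<Computer>server.domain</Computer>"
    "<Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/>"
    "</System><EventData>"
    "<Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data>"
    "<Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data>"
    "</EventData></Event>"
)


def _split_tag(tag):
    """ElementTree spells a namespaced tag '{ns}Name'; return (Name, ns)."""
    if tag.startswith("{"):
        ns, name = tag[1:].split("}", 1)
        return name, ns
    return tag, None


def spath_flatten(xml_text):
    """Flatten XML into spath-style field names. The default xmlns is
    surfaced as Event{@xmlns} on the root only, where the attribute sits."""
    fields = {}

    def add(key, value):
        fields.setdefault(key, []).append(value)

    def walk(el, parent):
        name, ns = _split_tag(el.tag)
        key = f"{parent}.{name}" if parent else name
        if ns and not parent:
            add(key + "{@xmlns}", ns)
        for attr, val in el.attrib.items():
            add(f"{key}{{@{attr}}}", val)
        text = (el.text or "").strip()
        if text:
            add(key, text)
        for child in el:
            walk(child, key)

    walk(ET.fromstring(xml_text), "")
    # single occurrences become scalars, repeats stay multivalue, as in Splunk
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}
```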