Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
01-18-2024
03:55 PM
Hey Guys, I am trying to write a SPL in splunk where I have a lookup file with 10 values and I want to search each value against a search and return results if found Eg: LookupFile : Column n...
See more...
Hey Guys, I am trying to write a SPL in splunk where I have a lookup file with 10 values and I want to search each value against a search and return results if found Eg: LookupFile : Column name is States and the values are as below: Alaska Arizona Arkansas California Colorado Now I want to search each of the states one after the other in a search and display the results with the column (States, IP, Country, user, workstation) . Pls help. Thank you
Labels
- Labels:
-
subsearch
01-18-2024
03:44 PM
Another solution that I would do to solve the problem would be with an executed actions in this case a code within a flow make the request through python code where the same url enter the token like ...
See more...
Another solution that I would do to solve the problem would be with an executed actions in this case a code within a flow make the request through python code where the same url enter the token like this example import requests url = 'https://api.amp.cisco.com/v3/organizations?size=10' headers = { 'Authorization': 'Bearer eyJhbGciOiJ.....' # Asegúrate de reemplazar esto con tu token real } # Realizar la petición GET response = requests.get(url, headers=headers) # Verificar si la petición fue exitosa (código de estado 200) if response.status_code == 200: # Imprimir la respuesta JSON print(response.json()) else: # Imprimir el código de estado y el mensaje de error en caso de falla print(f'Error: {response.status_code} - {response.text}')
01-18-2024
03:40 PM
Hello, apparently in SOAR the token section is optional, an idea would be that you do not enter anything in the token but you do enter the necessary credentials to carry out your request, in this...
See more...
Hello, apparently in SOAR the token section is optional, an idea would be that you do not enter anything in the token but you do enter the necessary credentials to carry out your request, in this case your username and password
01-18-2024
03:36 PM
1 Karma
Here I show you the example of where to put the name of your label
01-18-2024
03:33 PM
Hello, to be able to use a specific label, when creating your flow you have to click on the automation option, within the environment to create the flow you have to click on settings and in the opera...
See more...
Hello, to be able to use a specific label, when creating your flow you have to click on the automation option, within the environment to create the flow you have to click on settings and in the operates on section enter the label name, like this flow when active will only be executed with alerts that have this label
01-18-2024
03:27 PM
Because each of those 2 fields has 3 values, you are effectively doing a 3x3 matrics stats, hence the results. You will need to do something like this to join each of the policy bits of info togethe...
See more...
Because each of those 2 fields has 3 values, you are effectively doing a 3x3 matrics stats, hence the results. You will need to do something like this to join each of the policy bits of info together | eval Policy=mvzip('Policies{}.displayName','Policies{}.result', "##")
| stats count by Policy and then finish it with | eval Policy=split(Policy, "##")
| eval displayName=mvindex(Policy, 0), result=mvindex(Policy, 1)
| table displayName result count
01-18-2024
03:08 PM
Ah, ok - hence my confusion - I had to test whether that uses the definition or the csv and it appears to use the definition. I've always used the abstraction to hide the underlying name of the CSV,...
See more...
Ah, ok - hence my confusion - I had to test whether that uses the definition or the csv and it appears to use the definition. I've always used the abstraction to hide the underlying name of the CSV, as that can sometimes change or be substituted.
01-18-2024
02:27 PM
Hi You mean it excluded that traffic? Because I expect it to exclude the traffic from my results. version 9.0
01-18-2024
02:22 PM
Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. Ther...
See more...
Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. There are only three possible result values for any given policy (success, failure, or notApplied). In essence, I need this table to find out how which policies are not being used by looking at the number of times it was not applied. i.e.: Input: Desired Output: displayName result count Policy1 success 1 Policy2 failure 1 Policy3 notApplied 1 However, the query I currently have is returning a sum that isn't possible because the sum is exceeding the number of sign-in events. What is wrong with my query? <my_search> | stats count by Policies{}.displayName, ConditionalAccessPolicies{}.result
01-18-2024
02:14 PM
Looking to create a dashboard in Dashboard Studio that drills down on an Event Messages column in in a table. According to this blog post, a "Link to search" option was added a few months ago, but ...
See more...
Looking to create a dashboard in Dashboard Studio that drills down on an Event Messages column in in a table. According to this blog post, a "Link to search" option was added a few months ago, but I don't see the option in my editor in Splunk 9.1.2: I've also tried adding the JSON directly: "eventHandlers": [
{
"type": "drilldown.linkToSearch",
"options": {
"type": "auto",
"newTab": true
}
}
] and that didn't work either. Any help is appreciated.
Labels
- Labels:
-
Dashboard Studio
-
drilldown
-
table
01-18-2024
02:13 PM
1 Karma
Hello all, is there a way to automate playbook to work only on events with specific tag? I saw in playbook settings an option to choose tag but it stills run on every event thank you in advance ...
See more...
Hello all, is there a way to automate playbook to work only on events with specific tag? I saw in playbook settings an option to choose tag but it stills run on every event thank you in advance @phanTom @SOARt_of_Lost
Labels
- Labels:
-
using SOAR ⁄ Phantom
01-18-2024
02:04 PM
Hi @jholman2000, I don't think there's a way to set two token values from the one dropdown like you can with simpleXML dashboards, but here's a workaround - You can create a simple search that w...
See more...
Hi @jholman2000, I don't think there's a way to set two token values from the one dropdown like you can with simpleXML dashboards, but here's a workaround - You can create a simple search that will use the environment token and produce the appropriate index name, which can then be used in your main search. {
"type": "ds.search",
"options": {"query": "| makeresults\n| eval index=if(\"$api_env$\"=\"prod\",\"wf_wb_cbs\",\"wf_wb_cbs_np\")\n| table index",
"enableSmartSources": true
},
"name": "IndexName"
} The search will be pretty quick, and will only run on the search head. It just looks at the environment token and sets the index to prod or nonprod as appropriate. The key part is the "enableSmartSources" which you get when checking the "Access search results or metadata" checkbox. Now you can refer to the index name: $IndexName:result.index$ So your final search will be: index=$IndexName:result.index$ CA03430 sourcetype="cf:logmessage" cf_app_name="CA03430-cmsviewapi-$api_env$" | spath "msg.customerIdType" | eval eventHour = strftime(_time,"%H") | where eventHour >= "07" and eventHour < "20" | stats count by "msg.customerIdType" Hope that helps you out. Cheers, Daniel
01-18-2024
01:45 PM
While it's possible to change the color of a single value icon based on a result, is it possible display an entirely different icon for different results or ranges? Not readily seeing an option in th...
See more...
While it's possible to change the color of a single value icon based on a result, is it possible display an entirely different icon for different results or ranges? Not readily seeing an option in the Dashboard Studio. https://docs.splunk.com/Documentation/Splunk/9.0.2/DashStudio/chartsSV#Single_value_icon
Labels
- Labels:
-
Dashboard Studio
01-18-2024
01:20 PM
You probably already figured it out by now but you will can use the ACS CLI or Terraform splunk/scp provider to manage indexes in Splunk Cloud. Splunk ACS API REST reference: https://docs.splunk.co...
See more...
You probably already figured it out by now but you will can use the ACS CLI or Terraform splunk/scp provider to manage indexes in Splunk Cloud. Splunk ACS API REST reference: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Config/ACSREF#Manage_indexes Creating a new index in Splunk Cloud example: curl -X POST 'https://admin.splunk.com/{stack}/adminconfig/v2/indexes'
--header 'Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0Iiwi…' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "testindex"
}' ACS CLI: https://docs.splunk.com/Documentation/SplunkCloud/latest/Config/ACSCLI Splunk Splunk Cloud Platform Terraform provider: https://github.com/splunk/terraform-provider-scp
01-18-2024
12:36 PM
Have you checked the _audit logs to confirm user and roles values?
01-18-2024
11:56 AM
@richgalloway I think HF/UF doesn't have any role here; main use case: we have a server need to write data from that server to AWS S3 Bucket; do we have any TA?
- Tags:
- ta
01-18-2024
11:46 AM
Unfortunately it doesn't work, I configured the same rules in a working instance and it works.
01-18-2024
11:42 AM
1 Karma
Please tell us more about the environment. Can the server relay data to Splunk via an intermediate forwarder? Why is an HF installed instead of a Universal Forwarder (UF)? UFs have a much smaller ...
See more...
Please tell us more about the environment. Can the server relay data to Splunk via an intermediate forwarder? Why is an HF installed instead of a Universal Forwarder (UF)? UFs have a much smaller footprint and attack surface.
01-18-2024
11:29 AM
Hi guys, So heres what im trying to do. I have a lookup csv with 3 columns. I have data with string values that might contain a value in my lookup. I have the basic setup working but i want to popul...
See more...
Hi guys, So heres what im trying to do. I have a lookup csv with 3 columns. I have data with string values that might contain a value in my lookup. I have the basic setup working but i want to populate additional fields in my data set. Here is a very stripped down version of what i am doing. First I have a basic lookup csv. It has 3 columns:
active flagtype colorkey yes sticker blue yes tape red no tape pink
then my search which creates a couple test records looks like this:
| makeresults count=4
| streamstats count
| eval number = case(count=1, 25, count=2, 39, count=3, 31, count=4, null())
| eval string1 = case(count=1, "I like blue berries", count=3, "The sea is blue", count=2, "black is all colors", count=4, "Theredsunisredhot")
| table flagtype, flag, string1, ck
|search [ inputlookup templookup.csv
| eval string1 = "string1=" + "\"" + "*" + colorkey + "*" + "\""
| return 500 $string1
]
| eval flag = "KEYWORD FLAG"
| table flagtype, flag, string1, colorkey
my 4 column output results are:
flagtype flag string1 colorkey empty KEYWORD FLAG I like blue berries empty empty KEYWORD FLAG The sea is blue empty empty KEYWORD FLAG Theredsunisredhot empty
How do I populate the two empty columns using other columns in the lookup table.
Thanks in advance for any help I can get.
Labels
- Labels:
-
field extraction
01-18-2024
11:26 AM
Hello, I'm writing some field extractions for a Tomcat access log. The logging format is "%{E M/d/y @ hh:mm:ss.S a z}t %h (%{X-Forwarded-For}i) > %A:%p "%r" %{requestBodyLength}r %D %s %B...
See more...
Hello, I'm writing some field extractions for a Tomcat access log. The logging format is "%{E M/d/y @ hh:mm:ss.S a z}t %h (%{X-Forwarded-For}i) > %A:%p "%r" %{requestBodyLength}r %D %s %B %I "%{Referer}i" "%{User-Agent}i" %u %S %{username}s %{sessionTracker}s" The X-Forwarded Field has multiple headers, so multiple X-Forwarded-For IP's are being logged for a small, but important, percentage of these events. An example log is Thu 1/18/2024 @ 06:52:30.918 PM UTC 00.000.00.000 (00.000.000.000, 00.000.00.00, 00.000.00.00) > 00.000.00.0:0000 "PUT /uri/query/here HTTP/1.1" - 1270 200 3466 https-openssl-nio-00.000.00.0-000-exec-15 "hxxps://url.splunk.com/" "user_agent" - - - - How can I perform a multivalue field extraction to grab 0, 1, 2 or 3 x-forwarded-for IP's?
Labels
