Apologies, here are the events:
Event 1: 2024-01-17 09:35:10.3370 [44] INFO[.java..TransLogCallback] Starting Report for client 'OBI96' user 'auto' for transaction '4826143 '' Report ID '222' - Retry #1
Date : 1/17/2024
Time : 9:35:10 AM
Message : Mark transaction results: 1, Query : UPDATE transactions SET queued = 0, processing = 1, serviceip = ? , timestarted = now() WHERE clientcode = ? AND username = ? AND transid = ? (100.00.000.00, OBI96, auto, 4826143 ), port = 2222
-------------------------------------------------------------------
Event 2: 2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024
-----------------------------------------------
I can't speak to an app, but this sounds easy enough to do with the API. You'd need to build a way to loop through containers, pull the relevant date info, then decide which ones to delete. Some useful links:
# See the fields you're able to work with
my_query_url = phantom.build_phantom_rest_url('container', '[id]')
# Fetch the container record as JSON (the URL built above is the one requested)
my_response_json = phantom.requests.get(my_query_url, verify=False).json()
phantom.debug(my_response_json)
I am having this issue with 9.1.1 as well. We upgraded to 9.1.1, just before 9.1.2 came out. Upgraded from 8.2.5. Getting the same message, "Failed to load source for Statistics Table visualization".
If you aren't going to share your events, it is difficult to advise you further than I have already, especially when you appear to be ignoring my suggestions.
This is my first query, which returns a table user_transaction in the order 0BI96-auto-4826143:
index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"
| rex "client\s'(?<client>[^']*)'"
| rex "transaction\s'(?<transaction>[^']*)'"
| rex "user\s'(?<user>[^']*)'"
| table client,transaction,user
| eval user_transaction = client . "-" . user . "-" . transaction
| table user_transaction
2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024
This is my actual data I want to match too.
Unfortunately, according to the documentation, calling a playbook from within a custom function is not supported. What you could do instead is move the custom function into the playbook, then call the playbook anywhere you would have put the custom function. As for calling the playbook once for each deviceID, if you're getting them from an artifact field, you can plug that field in, and SOAR will loop through each value for you.
I suspect you were using the "send email" action. I wasn't able to find a good way to make links work with that. If you use the "send htmlemail" action, this will work. <a href="url">link text</a>
Thanks Ryan for your response. I followed the URL, but the document describes ways to configure Log Analytics. I am curious to know how these logs are stored, in any particular DB? Also, as per the document, I understand we can only ingest 5GB of log data into AppDynamics and it can be retained for up to 8 days. For more than 8 days we need to purchase add-on space. Please correct me if wrong. Also, after 8 days, how are the logs deleted from AppDynamics, is it on a time basis like 24hrs of data or quantity based like 1 GB per day?
I'm not entirely clear what the problem is here since you decide what the outputs are when building an input playbook. Working off your example, I would say it's better to have the input playbook determine whether the user exists, output that result, then make any decisions in the parent playbook.
Again, without seeing your actual data, this may not work:
| rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-auto-" . transaction, user_transaction)
| stats latest(_raw) as _raw by user_transaction
I updated the exact path, the msi is running, and the conf file is copied. Still, we are getting "System error 3 has occurred. The system cannot find the path specified":
C:\Windows\ccmcache\10>msiexec /i "C:\Windows\ccmcache\10\splunkforwarder-9.1.2-xxxx-x64-release.msi" AGREETOLICENSE=Yes /quiet /norestart
C:\Windows\ccmcache\10>net stop SplunkForwarder
The SplunkForwarder Service service is not started.
More help is available by typing NET HELPMSG 3521.
C:\Windows\ccmcache\10>copy deploymentclient.conf "c:\Program Files\splunkuniversalforwarder\etc\system\default\"
1 file(s) copied.
C:\Windows\ccmcache\10>net start SplunkForwarder
System error 3 has occurred.
The system cannot find the path specified.
Oh, I am sorry, my current search returns the sample below:
0BI96-auto-4826143
I need to match this result and correlate whether it matches "0BI96-auto-4826143 Report finished" and return it as a finished column, basically comparing two strings.
Try something like this (although to be fair, you haven't shared any sample events or details of your current searches, so this may not work):
| rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-" . transaction, user_transaction)
| stats latest(_raw) as _raw by user_transaction
Thank you @jkat54 for sharing your inputs. Strangely, it's just that expression that leads to this issue. When I try removing characters from the string one by one, the drilldown works.
There is no easy way of doing it, but check the macros an app uses; in that macro there is normally a search which points to an index. Go to Settings --> Advanced search --> Search macros, and there you can find the index being used by the app.
There is no 100% reliable way. There are some common cases which can be covered, but you can only detect the typical cases where the indexes are specified explicitly. I can think of so many ways of specifying indexes dynamically (even generating index names randomly) that you can't find it automatically. But the question is why you even need that.