All Posts

Custom code block? We are talking about an app action; it may vary, and a custom code block is not suitable here without further interactions -_- Also, what if there are 10 different paths? Filter/decision should simply result in what path was derived from the condition... just like in Ansible.
I understand now. If the only thing you need to do is evaluate whether the user exists or not, and there are no actions you need to take down either branch, I'd say a simple custom code block is the way to go. Filter and decision blocks are more useful for deciding a path for the playbook to continue down. Something along the lines of:

    if user exists:
        output_variable = True
    else:
        output_variable = False
If you're using the Box Plot viz at https://splunkbase.splunk.com/app/3157 then it's an archived app that probably is outdated and may have compatibility issues. Consider trying the box plot viz available in https://splunkbase.splunk.com/app/5730. That said, does the time field have values greater than 20? If so, the lack of a default condition will cause the case function to set total_time to null, which might generate the "trace 0" graph points.

    | eval total_time=case(time<= 8, "8", time<= 9, "8~9", time<= 10, "9~10", time<= 11, "10~11", time<= 15, "11~15", time<= 20, "15~20", 1==1, ">20")
So the Report Completed message occurs before the Report Started message? Assuming it is actually the latest (by _time) that you want to keep, try something like this:

    index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"
    | rex "client\s'(?<client>[^']*)'"
    | rex "transaction\s'(?<transaction>[^']*)'"
    | rex "user\s'(?<user>[^']*)'"
    | rex "(?<user_transaction>\S+)\sReport Finished successfully"
    | eval user_transaction = if(isnull(user_transaction), client . "-" . user . "-" . transaction, user_transaction)
    | stats latest(_raw) as _raw by user_transaction
Hi All,

I have a particular issue: getting data from the KV store is working fine, but saving anything using helper.save_check_point is failing. I also added logs and found that this issue is only for the batch_save POST API which Splunk uses internally, and the error I get is:

    File "/opt/splunk/lib/python3.7/http/client.py", line 1373, in getresponse
      response.begin()
    File "/opt/splunk/lib/python3.7/http/client.py", line 319, in begin
      version, status, reason = self._read_status()
    File "/opt/splunk/lib/python3.7/http/client.py", line 288, in _read_status
      raise RemoteDisconnected("Remote end closed connection without"
    http.client.RemoteDisconnected: Remote end closed connection without response
Apologies, here are the events.

Event 1:

    2024-01-17 09:35:10.3370 [44] INFO[.java..TransLogCallback] Starting Report for client 'OBI96' user 'auto' for transaction '4826143 '' Report ID '222' - Retry #1 Date : 1/17/2024 Time : 9:35:10 AM Message : Mark transaction results: 1, Query : UPDATE transactions SET queued = 0, processing = 1, serviceip = ? , timestarted = now() WHERE clientcode = ? AND username = ? AND transid = ? (100.00.000.00, OBI96, auto, 4826143 ), port = 2222^^-------------------------------------------------------------------^^

Event 2:

    2024-01-17 08:41:35.9174 [94] INFO  [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024 ^^-----------------------------------------------
I can't speak to an app, but this sounds easy enough to do with the API. You'd need to build a way to loop through containers, pull the relevant date info, then decide which ones to delete. Some useful links:

    # See the fields you're able to work with
    my_query_url = phantom.build_phantom_rest_url('container', '[id]')
    # Request the container record and decode the JSON body
    my_response_json = phantom.requests.get(my_query_url, verify=False).json()
    phantom.debug(my_response_json)
The filter/decision blocks don't natively have an output variable that tells you which route was taken that you can use as a result...
I am having this issue with 9.1.1 as well. We upgraded to 9.1.1, just before 9.1.2 came out. Upgraded from 8.2.5. Getting the same message, "Failed to load source for Statistics Table visualization".
If you aren't going to share your events, it is difficult to advise you further than I have already, especially when you appear to be ignoring my suggestions.
This is my first query, which returns a table user_transaction in the form 0BI96-auto-4826143:

    index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"
    | rex "client\s'(?<client>[^']*)'"
    | rex "transaction\s'(?<transaction>[^']*)'"
    | rex "user\s'(?<user>[^']*)'"
    | table client,transaction,user
    | eval user_transaction = client . "-" . user . "-" . transaction
    | table user_transaction

This is my actual data I want to match too:

    2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024
Unfortunately, according to the documentation, calling a playbook from within a custom function is not supported. What you could do instead is move the custom function into the playbook, then call the playbook anywhere you would have put the custom function. As for calling the playbook once for each deviceID, if you're getting them from an artifact field, you can plug that field in, and SOAR will loop through each value for you.
I suspect you were using the "send email" action. I wasn't able to find a good way to make links work with that. If you use the "send htmlemail" action, this will work:

    <a href="url">link text</a>
Thanks Ryan for your response. I followed the URL, but the document describes ways to configure Log Analytics. I am curious to know how these logs are stored, in any particular DB? Also, as per the document, I understand we can only ingest 5GB of log data into AppDynamics and it can be retained for up to 8 days. For more than 8 days we need to purchase add-on space. Please correct me if wrong. Also, after 8 days, how are the logs deleted from AppDynamics: is it on a time basis, like 24 hours of data, or quantity based, like 1 GB per day?
I'm not entirely clear what the problem is here since you decide what the outputs are when building an input playbook. Working off your example, I would say it's better to have the input playbook determine whether the user exists, output that result, then make any decisions in the parent playbook.
Again, without seeing your actual data, this may not work:

    | rex "(?<user_transaction>\S+)\sReport Finished successfully"
    | eval user_transaction = if(isnull(user_transaction), client . "-auto-" . transaction, user_transaction)
    | stats latest(_raw) as _raw by user_transaction
I updated the exact path, the msi is running and the conf file is copied. Still, we are getting "System error 3 has occurred. The system cannot find the path specified":

    C:\Windows\ccmcache\10>msiexec /i "C:\Windows\ccmcache\10\splunkforwarder-9.1.2-xxxx-x64-release.msi" AGREETOLICENSE=Yes /quiet /norestart

    C:\Windows\ccmcache\10>net stop SplunkForwarder
    The SplunkForwarder Service service is not started.

    More help is available by typing NET HELPMSG 3521.

    C:\Windows\ccmcache\10>copy deploymentclient.conf "c:\Program Files\splunkuniversalforwarder\etc\system\default\"
            1 file(s) copied.

    C:\Windows\ccmcache\10>net start SplunkForwarder
    System error 3 has occurred.

    The system cannot find the path specified.
Oh, I am sorry, my current search returns the sample below:

    0BI96-auto-4826143

I need to match this result and correlate whether it matches "0BI96-auto-4826143 Report finished" and return it as a finished column, basically comparing two strings.
Try something like this (although to be fair, you haven't shared any sample events or details of your current searches, so this may not work):

    | rex "(?<user_transaction>\S+)\sReport Finished successfully"
    | eval user_transaction = if(isnull(user_transaction), client . "-" . transaction, user_transaction)
    | stats latest(_raw) as _raw by user_transaction