Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
01-17-2024
08:06 AM
custom code block? we are talking about an app action it may vary and a custom code block is not suitable here without further interactions -_- also what if there are 10 different paths, filter/decis...
See more...
custom code block? we are talking about an app action it may vary and a custom code block is not suitable here without further interactions -_- also what if there are 10 different paths, filter/decision simply should result in what path was derived from the condition... just like in ansible
01-17-2024
08:02 AM
I understand now. If the only thing you need to do is evaluate whether the user exists or not, and there are no actions you need to take down either branch, I'd say a simple custom code block is the ...
See more...
I understand now. If the only thing you need to do is evaluate whether the user exists or not, and there are no actions you need to take down either branch, I'd say a simple custom code block is the way to go. Filter and decision blocks are more useful for deciding a path for the playbook to continue down. Something along the lines of if user exists:
output_variable = True
else:
output_variable = False
01-17-2024
07:58 AM
2 Karma
If you're using the Box Plot viz at https://splunkbase.splunk.com/app/3157 then it's an archived app that probably is outdated and may have compatibility issues. Consider trying the box plot viz ava...
See more...
If you're using the Box Plot viz at https://splunkbase.splunk.com/app/3157 then it's an archived app that probably is outdated and may have compatibility issues. Consider trying the box plot viz available in https://splunkbase.splunk.com/app/5730. That said, does the time field have values greater than 20? If so, the lack of a default condition will cause the case function will set total_time to null, which might generate the "trace 0" graph points. | eval total_time=case(time<= 8, "8", time<= 9, "8~9", time<= 10, "9~10", time<= 11, "10~11", time<= 15, "11~15", time<= 20, "15~20", 1==1, ">20")
01-17-2024
07:57 AM
1 Karma
So the Report Completed message occurs before the Report Started message? Assuming it is actually the latest (by _time) that you want to keep, try something like this index="index" sourcetype=host=...
See more...
So the Report Completed message occurs before the Report Started message? Assuming it is actually the latest (by _time) that you want to keep, try something like this index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"
| rex "client\s'(?<client>[^']*)'"
| rex "transaction\s'(?<transaction>[^']*)'"
| rex "user\s'(?<user>[^']*)'"
| rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-" . user . "-" . transaction, user_transaction)
| stats latest(_raw) as _raw by user_transaction
01-17-2024
07:49 AM
Hi All, I have particular issue when getting data from kv store is working fine. But saving anything using helper.save_check_point is failling. Also added logs and found that this issue is o...
See more...
Hi All, I have particular issue when getting data from kv store is working fine. But saving anything using helper.save_check_point is failling. Also added logs and found that this issue is only for batch_save post API which splunk uses internaly and error I get is File "/opt/splunk/lib/python3.7/http/client.py", line 1373, in getresponse
response.begin()
File "/opt/splunk/lib/python3.7/http/client.py", line 319, in begin
version, status, reason = self._read_status()
File "/opt/splunk/lib/python3.7/http/client.py", line 288, in _read_status
raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response
01-17-2024
07:40 AM
Apologies here are events Event 1: 2024-01-17 09:35:10.3370 [44] INFO[.java..TransLogCallback] Starting Report for client 'OBI96' user 'auto' for transaction '4826143 '' Report ID '222' - Re...
See more...
Apologies here are events Event 1: 2024-01-17 09:35:10.3370 [44] INFO[.java..TransLogCallback] Starting Report for client 'OBI96' user 'auto' for transaction '4826143 '' Report ID '222' - Retry #1 Date : 1/17/2024 Time : 9:35:10 AM Message : Mark transaction results: 1, Query : UPDATE transactions SET queued = 0, processing = 1, serviceip = ? , timestarted = now() WHERE clientcode = ? AND username = ? AND transid = ? (100.00.000.00, OBI96, auto, 4826143 ), port = 2222^^-------------------------------------------------------------------^^ Event 2: 2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024 ^^-----------------------------------------------
01-17-2024
07:37 AM
I can't speak to an app, but this sounds easy enough to do with the API. You'd need to build a way to loop through containers, pull the relevant date info, then decide which ones to delete. Some usef...
See more...
I can't speak to an app, but this sounds easy enough to do with the API. You'd need to build a way to loop through containers, pull the relevant date info, then decide which ones to delete. Some useful links # See the fields you're able to work with
my_query_url = phantom.build_phantom_rest_url('container','[id]')
my_response_json = phantom.requests.get(my_id_url, verify=False).json()
phantom.debug(my_response_json)
01-17-2024
07:24 AM
the filter/decision blocks doesnt have an output variable that tells you which route it took natively that you can use as a result...
01-17-2024
07:22 AM
I have having this issue with 9.1.1 as well. We upgraded to 9.1.1, just before 9.1.2 came out. Upgraded from 8.2.5. Getting the same message, "Failed to load source for Statistics Table visualizat...
See more...
I have having this issue with 9.1.1 as well. We upgraded to 9.1.1, just before 9.1.2 came out. Upgraded from 8.2.5. Getting the same message, "Failed to load source for Statistics Table visualization".
01-17-2024
07:18 AM
If you aren't going to share your events, it is difficult to advise you further than I have already, especially when you appear to be ignoring my suggestions.
01-17-2024
07:13 AM
This is my first query which returns a table user_transaction in order 0BI96-auto-4826143 index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"| rex "client\s'(?<client>[^']*...
See more...
This is my first query which returns a table user_transaction in order 0BI96-auto-4826143 index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"| rex "client\s'(?<client>[^']*)'" | rex "transaction\s'(?<transaction>[^']*)'" | rex "user\s'(?<user>[^']*)'" | table client,transaction,user | eval user_transaction = client . "-" . user . "-" . transaction | table user_transaction 2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024 this is my actual data i want to match too
01-17-2024
07:00 AM
This is my first query which returns a table user_transaction in order 0BI96-auto-4826143 index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"| rex "client\s'(?<client>[^']*...
See more...
This is my first query which returns a table user_transaction in order 0BI96-auto-4826143 index="index" sourcetype=host=hq " Mark transaction results" "port = 2022"| rex "client\s'(?<client>[^']*)'" | rex "transaction\s'(?<transaction>[^']*)'" | rex "user\s'(?<user>[^']*)'" | table client,transaction,user | eval user_transaction = client . "-" . user . "-" . transaction | table user_transaction 2024-01-17 08:41:35.9174 [94] INFO [.java..TransLogCallback] OBI96-auto-4826143 Report Finished successfully at 8:41:35 AM on 1/17/2024 this is my actual data i want to match too
01-17-2024
06:58 AM
Unfortunately, according to the documentation, calling a playbook from within a custom function is not supported. What you could do instead is move the custom function into the playbook, then call th...
See more...
Unfortunately, according to the documentation, calling a playbook from within a custom function is not supported. What you could do instead is move the custom function into the playbook, then call the playbook anywhere you would have put the custom function. As for calling the playbook once for each deviceID, if you're getting them from an artifact field, you can plug that field in, and SOAR will loop through each value for you.
01-17-2024
06:46 AM
I suspect you were using the "send email" action. I wasn't able to find a good way to make links work with that. If you use the "send htmlemail" action, this will work. <a href="url">link text</a> ...
See more...
I suspect you were using the "send email" action. I wasn't able to find a good way to make links work with that. If you use the "send htmlemail" action, this will work. <a href="url">link text</a>
01-17-2024
06:41 AM
Thank Ryan for your response. I followed the URL but the document says ways to configure Log Analytics. I am curious to know how are these Logs stored, in any particular DB? Also, as per the documen...
See more...
Thank Ryan for your response. I followed the URL but the document says ways to configure Log Analytics. I am curious to know how are these Logs stored, in any particular DB? Also, as per the document, I understand we can only ingest 5GB of log data into AppDynamics and it can be retained for upto 8 days. For more than 8 days we need to purchase add on space. Please correct me if wrong. Also after 8 days, how are the logs deleted from AppDynamics, is it on time basis like 24hrs of data or quantity based like 1 GB per day?
01-17-2024
06:33 AM
I'm not entirely clear what the problem is here since you decide what the outputs are when building an input playbook. Working off your example, I would say it's better to have the input playbook det...
See more...
I'm not entirely clear what the problem is here since you decide what the outputs are when building an input playbook. Working off your example, I would say it's better to have the input playbook determine whether the user exists, output that result, then make any decisions in the parent playbook.
01-17-2024
06:31 AM
Again, without seeing your actual data, this may not work | rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-auto-" . tr...
See more...
Again, without seeing your actual data, this may not work | rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-auto-" . transaction, user_transaction)
| stats latest(_raw) as _raw by user_transaction
01-17-2024
06:26 AM
I updated the exact path, the msi running & conf file is copied. Still, we are getting the "System error 3 has occurred. The system cannot find the path specified" C:\Windows\ccmcache\10>msiexec...
See more...
I updated the exact path, the msi running & conf file is copied. Still, we are getting the "System error 3 has occurred. The system cannot find the path specified" C:\Windows\ccmcache\10>msiexec /i "C:\Windows\ccmcache\10\splunkforwarder-9.1.2-xxxx-x64-release.msi" AGREETOLICENSE=Yes /quiet /norestart C:\Windows\ccmcache\10>net stop SplunkForwarder The SplunkForwarder Service service is not started. More help is available by typing NET HELPMSG 3521. C:\Windows\ccmcache\10>copy deploymentclient.conf "c:\Program Files\splunkuniversalforwarder\etc\system\default\" 1 file(s) copied. C:\Windows\ccmcache\10>net start SplunkForwarder System error 3 has occurred. The system cannot find the path specified.
01-17-2024
06:20 AM
oh i am sorry my current search returns below sample 0BI96-auto-4826143 I need to match this result and correlate if its matching 0BI96-auto-4826143 Report finished and return as finished column,...
See more...
oh i am sorry my current search returns below sample 0BI96-auto-4826143 I need to match this result and correlate if its matching 0BI96-auto-4826143 Report finished and return as finished column, basically comparing two strings
01-17-2024
05:38 AM
Try something like this (although to be fair, you haven't shared any sample events or details of your current searches, so this may not work) | rex "(?<user_transaction>\S+)\sReport Finished success...
See more...
Try something like this (although to be fair, you haven't shared any sample events or details of your current searches, so this may not work) | rex "(?<user_transaction>\S+)\sReport Finished successfully"
| eval user_transaction = if(isnull(user_transaction), client . "-" . transaction, user_transaction)
| stats latest(_raw) as _raw by user_transaction
