Dears, I need assistance with a Splunk query to retrieve data from two sources: source X and source Y. I want to match records where child_file_id in source Y matches file_id in source X and retrieve the combined data. How can I achieve this?

So, in my source X, specifically Stealer_*, there are records, each of which includes a file_id, which is illustrated as 3382 in my example.

So, when I search for file_id, I find 6 events, all structured similarly but with different values, all sharing the same file_id. In another source, I have data related to source X. To establish connections between them, I use child_file_id as a relational identifier, similar to a database key. As depicted in the screenshot below, you can see that the child_file_id corresponds to the same file_id in the first source.

How can I construct a Splunk query to achieve this? Specifically, I want to retrieve the entire result set in a single query and table. In this query, the data from source 2 (child_file_id) should be duplicated in each event from the first source, creating a unified result.

Final output something like this:
source_field1, source_field1, source_field1, source_field1, source_field1, source_field2, source_field2

BR.
Hi @tscroggins, thanks for the hint. Yes, confirmed: the appLogo.png (appLogo_2x.png), which is allowed to be a bit larger (wider) in size than appIcon*.png, automatically "disables" displaying of the label. And this is kind of "ok". So this is also my (ugly) workaround now: I created appLogo(_2x).png files which have an "embedded" textual element that is the label (or app name) that I want to have visible for users in the upper right corner. But when I remove the "appLogo*.png" files from the "static/" folder, why is the label from app.conf THEN not displayed?? It should be, right? Along with the small appIcon. I would really prefer to display the text label instead of the cumbersome appLogo.png containing text on it.
Hello, I need your help. I started a 14-day free trial of Splunk about an hour ago. When I want to access the instance, it isn't even accessible, it is in a kind of grey mode. Should I just wait, or did I do something wrong? Thanks for your help.
Hi, I still have no 100% working workaround. I tried to create an alert on my search head: when the subscription failed, it triggered a curl script to disable and re-enable the inputs. I learned two important things there:

Order: you should disable the webhook, then the subscription input, then the call record input. Enable the webhook, and enable the subscription. This will update the subscription, but sometimes doesn't work correctly; in this case, you should clear the KV store first, and the webhook is Exit! So you should disable the webhook again, enable it, then enable the call record input. This method above, if you do it manually, solves the issue all the time.

But the second thing: scripted disable/enable works 50-50%. It seems the call record is not correctly reset by the script. So currently I have an alert to myself: "Go monkey and reset it manually".
How to find endpoints of our Splunk instance 
@cmg it sounds like you are getting multiple artifacts in your container upon creation? If there are duplicate actions, does that also mean there are duplicate artifact values? There is a setting in the Splunk App for SOAR Export that will create just 1 artifact rather than multiple duplicates where generally only 1 field is different (if there are multi-value fields in the results).
How to send an alert if one event doesn't occur in 10 min with the below format of data. The data will be sent every 1 hour with a 30 min interval. Example: the alert should trigger for the below data at 2:40.

_time                          ID    Bill_ID
2024-01-12T03:10:53.000-06:00  TTF5  80124
2024-01-12T03:08:07.000-06:00  TFB6  84958
2024-01-12T02:34:54.000-06:00  TFB6  84958
2024-01-12T02:09:48.000-06:00  TTF5  80124
2024-01-12T02:07:02.000-06:00  TFB6  84958
2024-01-12T01:36:59.000-06:00  TTF5  80124
2024-01-12T01:33:37.000-06:00  TFB6  84958
2024-01-12T01:11:13.000-06:00  TTF5  80124
2024-01-12T01:07:22.000-06:00  TFB6  84958
2024-01-12T00:37:08.000-06:00  TTF5  80124
2024-01-12T00:35:08.000-06:00  TFB6  84958
2024-01-12T00:11:16.000-06:00  TTF5  80124
2024-01-12T00:10:20.000-06:00  TFB6  84958
2024-01-11T23:36:19.000-06:00  TTF5  80124
2024-01-11T23:34:17.000-06:00  TFB6  84958
ok, if I use Percentage instead of Value - it gives 2 decimal points. Thank you.  
Not working. I want a list of servers which have index data, from the list provided.
Hi, this is not JSON data. It could be part of it, but not really full, working JSON. If you have full JSON, it should be usable without any difficulties, e.g. with spath, if/when onboarding has been done correctly. If it's not working JSON then you must use e.g. the rex command to get the wanted values from the _raw event.

| rex "\"reqUser\":\"(?<reqUser>[^\"]+)\",\"evtTime\":\"(?<evtTime>[^\"]+)\","
| rex "\"resource\":\"(?<resource>[^\"]+)\""
| table reqUser evtTime resource

r. Ismo
@cmg as @inventsekar has confirmed, this is possible. When you build Workbooks/Response Templates in SOAR/Mission Control, you are able to assign actions or playbooks for users to run as part of that task. I would recommend also updating the task during the playbook run to assign it to the playbook runner and change the status automatically too. For most of my customers, even if there is a status/label change on the container, we control it via playbook to control and track the lifecycle of Security Events.
I sent feedback to the doc team and they promised to take this onto their backlog and clarify this in the docs.
Hello, I am using a Filler Gauge in one of my dashboards and I would like to use values with 2 decimal places, but I do not see any precision option for the Gauge viz. For example, I would like to display this as 99.60 and not 100. Is it not possible to do at the moment in Dashboard Studio, or is there any workaround available to achieve this? Thank you.
Hi @nehamvinchankar, you could insert the server list in a lookup (called e.g. "perimeter.csv") containing at least one column (host). Remember to also create the lookup definition. Then you could run a search like this:

| tstats count WHERE index=your_index BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao. Giuseppe
"reqUser":"mhundi","evtTime":"2023-06-08 14:04:06.504","access":"SELECT","resource":"dsc60180_ici_sde_tz_db/vehicle_master/light_truck_lob_flag,lincoln_lob_flag,model_e_lob_flag,vehicle_make_desc,vehicle_type_desc,warranty_start_date,vehicle_type_desc,warranty_start_date","resType":"@column","action":"select","result":1,"agent":"hiveServer2","policy":101343,"enforcer":"ranger-acl","sess":"00ef27f9-75a4-4821-9e8a-60f16af6b962","cliType":"HIVESERVER2","cliIP":"19.51.78.185","reqData":"SELECT * FROM (SELECT `Left`.`advisor_name`, `Left`.`appointment_created_by`, `Left`.`appointment_datetime

Fields to be extracted: reqUser, evtTime, resource
Hi all, I have a list of 3k+ servers for which I want to check the data flow from a specific index. How can I do this with an optimized search?
Thanks a lot. This worked perfectly.
Hi @ckang, Unfortunately, I don't think Splunk Cloud support will do this. 
These are all individual commands and are running every minute. We are looking for the same, as these are critical to the business, and trying to figure out how we can achieve it using Splunk Observability. Kindly help.
Hello @Rajesh.Ganapavarapu, thanks for your reply, it really helped us. To set the sim.docker.monitorAPMContainersOnly property to false, we have raised a ticket with the OPS team. Once the issue is solved I will update here. Thanks & Regards, Dishant