All Posts
Try something like this:

| eval keyword=substr(Asset,0,3)
| lookup country_categorization keyword
Hi, here is the default SPL of the app Splunk App for Data Science and Deep Learning (Time Series Anomalies with STUMPY - Time Series Anomaly Detection with Matrix Profiles):

| inputlookup cyclical_business_process.csv
| eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S")
| timechart span=15m avg(logons) as logons
| fit MLTKContainer algo=stumpy m=96 logons from _time into app:stumpy_anomalies
| table _time logons matrix_profile
| eventstats p95(matrix_profile) as p95_matrix_profile
| eval anomaly=if(matrix_profile>p95_matrix_profile,1,0)
| fields - p95_matrix_profile

Now I want to run this command for my data. Here is the sample log:

2022-11-30 23:59:00,122,124
2022-11-30 23:58:00,113,112
2022-11-30 23:57:00,144,143
2022-11-30 23:56:00,137,138
2022-11-30 23:55:00,119,120
2022-11-30 23:54:00,103,102
2022-11-30 23:53:00,104,105
2022-11-30 23:52:00,143,142
2022-11-30 23:51:00,138,139
2022-11-30 23:50:00,155,153
2022-11-30 23:49:00,100,102

timestamp: 2022-11-30 23:59:00
logons: 122

Here is the SPL that I run:

| rex field=_raw "(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?<logons>\d+)"
| eval _time=strptime(time, "%Y-%m-%d %H:%M:%S")
| timechart span=15m avg(logons) as logons
| fit MLTKContainer algo=stumpy m=96 logons from _time into app:stumpy_anomalies
| table _time logons matrix_profile
| eventstats p95(matrix_profile) as p95_matrix_profile
| eval anomaly=if(matrix_profile>p95_matrix_profile,1,0)
| fields - p95_matrix_profile

Before the fit command, _time shows correctly, but after the fit command it's empty! FYI: logons, matrix_profile and anomaly return correctly, but _time is empty!

Any idea?
Hi Splunkers,

I'm having a lookup country_categorization, which has the keyword and its equivalent country. We need to use this info for the main search on the asset when the country field from the index is "not available" or "Unknown": in that case we need to use this keyword from the lookup and compare it with the asset name from the index. Usually the keywords are a set of prefixes of the asset name, with multiple entries, and each should match its equivalent country.

Index - Asset, country
braiskdidi001, Britain
breliudusfidf002, Unknown
bruliwhdcjn001, not available

Lookup - keyword, country
bru - Britain
bre - Britain

The output should be:
braiskdidi001, Britain
breliudusfidf002, Britain
bruliwhdcjn001, Britain

Thanks in Advance!
Manoj Kumar S
Hello, I'd like to know how to locate the correlation searches that XSOAR is monitoring, rather than the incident review panel in the ES. Could you please check if there's a REST API Search available for this? Thanks!
Hi @Praz_123

1) The alert search query: can you pls copy-paste it here (remove the IP addresses, hostnames, sensitive details, etc.)?
2) The alert trigger conditions (results equal to 0, or greater or less than...): can you share a screenshot with us?

Thanks
| rest /services/apps/local
| fields author configured disabled eai:acl.owner eai:acl.sharing label title visible check_for_updates update.version version
| dedup title
| table title label author eai:acl.owner eai:acl.sharing configured disabled visible check_for_updates update.version version
Hi @uagraw01

As you were checking bpi:8000/en-US/customer_data/data/macros, could you pls check bpi:8000/en-US/manager/search/data/macros as well? Maybe, on that "customer_data" app, your user does not have permissions for those macros. Could you pls double-check this? Thanks.
@inventsekar

1) Is it a production environment? Yes
2) Are the SMTP details configured or not yet? Yes
3) Do you have other alerts which are sending emails? Yes
4) On the search bar, when you run the sendemail command, do you get the emails? Yes
Hi @Praz_123

Pls provide us more details:
1) Is it a production environment?
2) Are the SMTP details configured or not yet?
3) Do you have other alerts which are sending emails?
4) On the search bar, when you run the sendemail command, do you get the emails?
I have an alert configured in Splunk, and the alert search query is generating the events, but I am not receiving any email alerts. Other alerts are working fine in my environment. I have selected "send email" in the alert action in Splunk.
Hello Splunkers!!

While accessing the advanced search settings, the macro page is not visible anymore. We have a macro folder that is present under the app's default folder, but it is not visible on the UI.
What is the status of this bug? It still persists in Splunk 9.0.5 and I haven't seen a fix in the release notes for newer versions.
Hi @SplunkExplorer

You are right. Looks like the CLI got no app context parameters. The doc link: https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports#Add_a_network_input_using_the_CLI

Command - Command syntax - Action
add - add tcp|udp <port> [-parameter value] ... - Add inputs from <port>.
edit - edit tcp|udp <port> [-parameter value] ... - Edit a previously added input for <port>.
remove - remove tcp|udp <port> - Remove a previously added data input.
list - list tcp|udp [<port>] - List the currently configured monitor.

The <port> is the port number on which to listen for data. The user you run the Splunk platform as must have access to this port. You can modify the configuration of each input by setting any of these optional parameters:

Parameter - Description
sourcetype - Provide a sourcetype field value for events from the input source.
index - Provide the destination index for events from the input source.
hostname - Provide a host name to set as the host field value for events from the input source.
remotehost - Provide an IP address to exclusively accept data from.
resolvehost - Set to true or false (T | F). Default is false. Set to true to use DNS to set the host field value for events from the input source.
restrictToHost - Provide a host name or IP address to accept connections only from the specified host or IP address.

There is no option to specify the app's context. The CLI and web GUI update methods got their limitations. Editing the config file is the ultimate method, which got all of its features and syntax.

Best Regards,
Sekar
Hi, we want to automate the creation of some common Health Rules & Policies for multiple Applications at a time. Could you please help us or suggest how we can implement this without manual creation for each Application individually?
Hi @Sharath22, maybe pls update us on how much of the attack range you have configured, which things you have installed, whether you tried to simulate any attacks, etc. Thanks.
Hi Splunkers,

I'm performing some tests on my test environment and I'm curious about an observed behavior. I want to add some network inputs, so TCP and UDP ones, to my env. I easily found on the doc how to achieve this: Monitornetworkports. It works fine, with no issues. Inputs are correctly added to my Splunk; I can confirm this with no problem on both the web GUI and from the CLI using btool.

My wonder is: if I use the command in the above link, inputs are added to the inputs.conf located in SPLUNK_HOME\etc\apps\search\local. For example, if I use:

splunk add tcp 3514 -index network -sourcetype checkpoint

and then I type:

splunk btool inputs list --debug | findstr 3514

the output is:

C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [tcp://3514]

And, checking the file manually, the confs related to my add command are exactly in it. So, I assume that search is the default app if no additional parameters are provided. Now, I know well that if I want to edit another inputs.conf file, I can simply edit it manually. But what if I want to edit another inputs.conf from the CLI? In other words: I want to know if I can use the splunk add command and specify which inputs.conf file to modify. Is it possible?
1. Please don't shout.
2. It depends on what kind of data you have. Without knowing that we can't help you. A properly deployed Splunk infrastructure should have some documented inventory of the sources ingested, sourcetypes, destination indexes and so on.
3. Also, just because you can log in to your Splunk server doesn't mean you have access rights to the indexes containing the information you need. You have to consult your local Splunk admin about it.
Try something like this:

index=au_axs_common_log source=*Visa* "++EXT-ID[C0] FLD[Authentication Program..] FRMT[TLV] LL[1] LEN[2] DATA[01]"
| rex field=_raw "(?s)(.*?FLD\[62-2 Transaction Ident.*?DATA\[(?<TID>[^\]]*).*)"
| append [search index=au_axs_common_log source=*Visa* "FORMATTING:"
    | rex field=_raw "(?s)(.*?FLD\[62-2 Transaction Ident.*?DATA\[(?<TID>[^\]]*).*)"
    | rex field=_raw "(?s)(.*?FLD\[Response Code.*?DATA\[(?<VRC>[^\]]*).*)"]
| stats values(index) as index values(VRC) as VRC by TID
| where index="au_axs_common_log"

By the way, this is untested. If you want people to suggest tested examples, you should provide (anonymised) sample events, together with example expected results.
Hi @RJ2

Splunk does not use any database. It uses some simple "flat files" and some big data map-reduce algorithms at the backend, so we cannot find out the queries for delete, update, etc. Hope it's clear to you; if you have further questions, pls let us know.

Upvotes appreciated; if a reply solved your issue, pls accept it as the solution. Thanks.

Best Regards,
Sekar