Hi, how about something like
index=test_index
| rex "\.(?<TestMQ>.*)\@"
| chart count by TestMQ Priority
r. Ismo
PS. Please use the </> option when you are writing some SPL etc. That way it's formatted correctly and we can be sure that what we are seeing is what you have written.
The first thing to verify would be to check your _internal logs for the sendemail.py activity and see whether it reports sending the email with the full subject (you won't see the message contents in the log) or a truncated one. This way you'll know whether it's something between Splunk and the sendemail.py script, or something in sendemail.py / between it and your email server.
Hi, this should work as expected and documented. The only thing is: what do you have in $email$ and where have you set it? And where are you calling this partial SPL? I suppose that this csv file prefix is fixed and you cannot change it? r. Ismo
Hi, this could explain that behaviour to you: https://docs.splunk.com/Documentation/Splunk/9.1.2/DMC/Configurefeaturemonitoring Based on these instructions you could see what those health messages mean. r. Ismo
Hi @gcusello, thank you for your kind response. I tried the suggested approach but the result is the same. This gives me a result like the example below:
TestMQ | TotalCount | Low | Medium | High
MQNam1 | 120 | 0 | 0 | 0
MQNam2 | 152 | 0 | 0 | 0
The problem is that I am getting a "0" value for the Low, Medium & High columns, which is not correct. I want to combine both the stats and show the group-by results of both the fields. Please suggest.
Hi, based on those warnings you have some files in your app which have something other than 0644 as umask (owner r+w; group + other only read). You should fix this to avoid a security issue. You also have at least one dashboard which doesn't have the "<... version=1.1>" element in its header. r. Ismo
Hi, there are excellent presentations from .conf about joining data sets without join, e.g. https://conf.splunk.com/watch/conf-online.html?search=PLA1528B#/ r. Ismo
Hi, you also must have a working email sending feature configured on your Splunk. You could test this with the sendemail command, like
index=*
| head 1
| stats count
| sendemail to="<your email address>" subject="Testing Splunk email sending"
If this sends an email to you, then email sending is configured and in use. Otherwise your Splunk admin needs to configure it with your organisation's email operator. After that you could use the email action in the Alert configuration. r. Ismo
In which version of AOB is your app built? Is it so old that it supports only Python2, or is there also Python3 support? It seems that current AOB versions from 3.0.+ support only python3 versions. I'm not sure, but I expect that older versions contain libraries like .../aob_py2/... or are even without that directory? Is it possible that you could set up a dev environment which contains that original AOB version and that app also? Then just check what that AOB says about it. If it works, then follow up on how to update AOB to some recent version. Another option (maybe) could be that you install that app on your current dev environment, then add the current AOB version and try again to see whether it can manage that app or not. A third option is just to forget AOB and build that app from scratch if possible, or use AOB and start from scratch with it.
How are you getting SCC events into Splunk? Are you using the add-on (https://splunkbase.splunk.com/app/6426)? Have you seen the docs at https://cloud.google.com/security-command-center/docs/how-to-configure-scc-splunk?
Hi, unfortunately (at least as far as I know) there are no separate endpoints to get Splunk audit logs. But you could get those by using the search endpoint: https://docs.splunk.com/Documentation/Splunk/9.1.2/RESTREF/RESTsearch Just create some saved searches which give you the needed information and then call those, or use ad hoc queries over the REST API. r. Ismo
Hey, is there a way in which I can export my dashboard PDF using python and splunk-sdk, so as to get the same result you would if you clicked on the export button?
Certainly, I have already reviewed the provided documentation on this matter. I received this:
"1. check_for_addon_builder_version
o Only the add_on_builder version in addon_builder.conf is updated to the 4.1.3 version of AOB and not the whole app. The AOB library files must also be updated to make Splunk cloud-compatible. This app contains an older AOB library.
File: default/addon_builder.conf
Line Number: 4"
Since the existing app was developed on some other instance, and we are trying to import that .tgz file downloaded from splunkbase on a different instance, we need guidance to make it work.
Hi @shashankk, try to simplify your search, because the eval isn't mandatory:
index=test_index
| rex "\.(?<TestMQ>.*)\@"
| stats
count AS TotalCount
count(eval(Priority="Low")) AS Low
count(eval(Priority="Medium")) AS Medium
count(eval(Priority="High")) AS High
BY TestMQ
Ciao. Giuseppe