Hi all, I have to parse Juniper switch logs that are very similar to Cisco IOS. In the Juniper Add-On there isn't anything for parsing these logs, so I have to create a new Add-On. Is there anything that already does it and can give me some hints, so I don't reinvent the wheel? Ciao. Giuseppe
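Added example, not from the thread or from any Splunk add-on: a search that tests a field extraction for a Junos-style syslog line before it is moved into a new add-on's props.conf. The event in `_raw` is constructed here (hostname, PID, addresses and the `UI_LOGIN_EVENT` message are illustrative), and the header regex assumes the usual Junos layout of timestamp, host, process[pid] and an upper-case event tag; adjust it to the lines you actually receive.

```spl
| makeresults
| eval _raw="Dec 18 10:15:01 ex4300-core mgd[2045]: UI_LOGIN_EVENT: User 'admin' login, class 'j-super-user' [2045], ssh-connection '10.0.0.5 51234 10.0.0.1 22', client-mode 'cli'"
``` split the Junos header: "<Mon dd HH:MM:SS> <host> <process>[<pid>]: <EVENT_TAG>: <message>"
| rex field=_raw "^(?<log_time>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?<host>\S+)\s+(?<process>[^\[\s:]+)(?:\[(?<pid>\d+)\])?:\s+(?<event_tag>[A-Z0-9_]+):\s+(?<message>.*)$"
``` security-relevant fields from the message body: who logged in and from where
| rex field=message "User '(?<user>[^']+)'"
| rex field=message "ssh-connection '(?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) (?<src_port>\d+) (?<dest_ip>\d{1,3}(?:\.\d{1,3}){3}) (?<dest_port>\d+)'"
| table log_time host process pid event_tag user src_ip src_port dest_ip dest_port message
```

Once the regex extracts what you expect, the same pattern can go into the add-on's props.conf under the sourcetype stanza as an `EXTRACT-<name> = <regex>` setting (the ```` ` ``` comment lines are SPL comment syntax and are not part of the regex). The syslog timestamp has no year, so the sourcetype also needs a matching `TIME_FORMAT` (for example `%b %d %H:%M:%S`) or events will be timestamped at index time.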
Each series has a single colour. If you want each column to be a different colour, you need to rearrange your data so that the values are in different fields (columns in a table).
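Added example, not from the thread: one way to rearrange the data so that each column becomes its own series (and so gets its own colour). The index, sourcetype and `status` field are assumptions for illustration.

```spl
index=web sourcetype=access_combined
``` one row per status value: a single series, so a single colour in a column chart
| stats count BY status
``` turn each status value into a field of its own; one row with one column per status,
``` so the chart now draws one series (one colour) per status
| transpose 0 header_field=status column_name=metric
```

After `transpose`, the `metric` column holds the single x-axis category (`count`) and each former `status` value is a separate column, which the column chart renders as a separate series.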
Hi, Running Splunk 9.0.7 and add-on Splunk_TA_MS_Security version 2.1.1. I followed the instructions from the add-on https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configure and reviewed the Microsoft article https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide. Basically I created an App Registration in our Azure tenant, added the following permissions and created a secret. With all this, I followed the Microsoft article and ran the PowerShell scripts to test the connection, and the token I obtain only gets a single permission. Could someone tell me what I am doing wrong? I expected to get all the permissions assigned to the application and I think that is why I get the 403 error in the splunkd.log.

12-17-2023 13:14:32.037 +0100 ERROR ExecProcessor [19404 ExecProcessor] - message from ""C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_MS_Security\bin\microsoft_defender_endpoint_atp_alerts.py"" 403 Client Error: Forbidden for url: https://api-eu.securitycenter.microsoft.com/api/alerts?$expand=evidence&$filter=lastUpdateTime+gt+2023-11-17T12:14:31Z
12-17-2023 13:17:38.251 +0100 ERROR ExecProcessor [19404 ExecProcessor] - message from ""C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_MS_Security\bin\microsoft_365_defender_endpoint_incidents.py"" 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2023-11-17T12:17:31Z

Thanks
Hi all, I have this query:

| timechart span=1s count AS TPS
| eventstats max(TPS) as MaxPeakTPS
| stats avg(TPS) as avgTPS first(peakTPS) as peakTPS first(peakTime) as peakTime
| fieldformat peakTime=strftime(peakTime,"%x %X")

This currently outputs Max TPS, when Max TPS took place, as well as the AVG TPS. I was wondering if it's possible to also display Min TPS and when that took place? TIA
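Added example, not an answer posted in the thread: the query above extended so that it reports the minimum TPS and the second in which it occurred, alongside the peak. The base search (`index=app sourcetype=transactions`) is an assumption; substitute your own.

```spl
index=app sourcetype=transactions
| timechart span=1s count AS TPS
``` carry the global max and min onto every row, then keep the timestamp only on rows that hit them
| eventstats max(TPS) AS peakTPS min(TPS) AS minTPS
| eval peakTime=if(TPS=peakTPS, _time, null()), minTime=if(TPS=minTPS, _time, null())
``` collapse to one row; min() of the times picks the earliest second at which the peak or trough occurred
| stats avg(TPS) AS avgTPS first(peakTPS) AS peakTPS min(peakTime) AS peakTime first(minTPS) AS minTPS min(minTime) AS minTime
| fieldformat peakTime=strftime(peakTime,"%x %X")
| fieldformat minTime=strftime(minTime,"%x %X")
```

Two caveats: `timechart span=1s` fills every empty second with a count of 0, so over any window with an idle second the minimum will be 0; if you want the quietest second that still had traffic, add `| where TPS>0` before `eventstats`. And a 1-second span over a long time range produces one row per second, so keep the search window short or raise the span.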
Hi @cbiraris, adapt this sample to your use case:

| makeresults | eval _time=strptime("2023-12-18 02:01:01","%Y-%m-%d %H:%M:%S")
| append [ | makeresults | eval _time=strptime("2023-12-18 04:01:01","%Y-%m-%d %H:%M:%S") ]
| append [ | makeresults | eval _time=strptime("2023-12-18 06:01:01","%Y-%m-%d %H:%M:%S") ]
| timechart count span=1h
| eval col=strftime(_time,"%Y-%m-%d %H:%M:%S")." - ".count
| stats values(col) AS col latest(count) AS latest
| where latest=0

It should be something similar to this:

<your_search>
| timechart count span=1h
| eval col=strftime(_time,"%Y-%m-%d %H:%M:%S")." - ".count
| stats values(col) AS col latest(count) AS latest
| where latest=0

Ciao. Giuseppe
This is my source code:

</search>
<option name="charting.chart">column</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
Well, your HEC input disagrees with you. If your data was wrong you'd get a different code (typically a round 400). 403 means that your token doesn't match the allowed tokens.
Thanks!! It works! If you succeed in doing that in a loop (something like `for i in (1h,5m,2m,1m...)`) it would be great, because the query is very long. Regarding the parameter: yes, I can add a drop-down filter to my dashboard; I wonder if I can give the users the option to enter the span number rather than providing them a predefined list in the drop-down filter.
Hi @cbiraris, you could simplify your alert by running it every two hours with a simple search: index=your_index earliest=-2h@h latest=@h that fires if you have no results. Ciao. Giuseppe
Hi, I expect that you are running Splunk on the normal port 8089 and the host is e.g. my.splunk.host. Then just put "https://my.splunk.host:8089" in your URL and it should work. Maybe you need to restart VS Code before it works? Also, you should create a token for authentication on the Splunk side and add it to your configuration. For some reason I don't have those entries in my settings.json; I just use the GUI to configure the Splunk extension for VS Code with these items: Splunk Rest Url, Token. Those two should be enough for using the REST API for queries. The third one, which you probably want to set, is Splunk Search Head (https://my.splunk.host:8000). r. Ismo