Hello Experts, I currently have a CSV file that contains fields such as ID, IP, OS, status, tracking_method, Last_boot, First_found_date, last_activity, hostname, domain, etc. I want to ingest it as metrics data. Is it possible? I'd appreciate any guidance or examples of how to achieve this. Thanks in advance
@andrewtrobec Are you sure all power users have the same issue, or only a specific user? Please check that. If only this user is having this issue, there is a great chance that the user has a navigation in his/her etc/user/local folder, which is overriding the App's default navigation. If all power users are having this issue, then you may have changed some capability for roles in your environment. I hope this helps!!!
@anandhalagaras1 - Run the query like this: <your index, sourcetype search> earliest=0 latest=now <your_search> | eval Timestamp=strptime(Timestamp,"%Y-%m-%dT%H:%M:%S.%6N%:z") | addinfo | where Timestamp>=info_min_time AND Timestamp<=info_max_time With this query, you can change the time range from the UI and have it applied to the search directly. Performance hint: this query will run on "All Time", as the earliest and latest in the first line of the query suggest; you can tweak it for the dashboard to improve the performance of the query. I hope this helps!!!
@Dharani - I think you explained the question well, but you need to provide sample logs to explain what you mean by a pair of error events.
@jianzgao - I think you are using the C# SDK for Splunk. Splunk has deprecated that SDK - https://github.com/splunk/splunk-sdk-csharp-pcl I would recommend using either the Python SDK (https://github.com/splunk/splunk-sdk-python ), the Java SDK (https://github.com/splunk/splunk-sdk-java ) or the JavaScript SDK (https://github.com/splunk/splunk-sdk-javascript ). I hope this helps!!!
@sh254087 - You shouldn't be setting sslVerifyServerCert to false. Ideally, if you have a custom CA cert added to your Splunk machine, you should be adding the appsCA.pem file content at the end of your CA cert file, to avoid SSL-related errors on the App installation page. Though, this error seems more like a slow connection to Splunkbase from the Splunk machine. I hope this helps!!!
@BEN_ - While this covers much of what you are trying to find, it's important to keep in mind that it would not cover all the scenarios. Some example searches that would not be covered by the query: index IN (murex_metrics), index=*, index=murex*, etc.
As this is still not possible AFAIK, I've created an App which provides the ability to add custom HTML forms to the Splunk SOAR UI. https://github.com/Benni0/Phantom-s-Bag-of-Tricks
Thanks, this solution is working for some test cases. In other test cases, like this one, the count field is zero, so I want a custom message if the count field is zero. Any suggestions?
Hi bowesmana, yes, you are right. The query is working fine for both event and metrics indexes. The problem was at the level of the search filter. I found that the search in the dashboard contains "" {... WHERE "index"="murex_metrics" AND ... }, which explains why the filter in my search "eai:data"="*index=murex_metrics*" didn't return any data. Thanks again
Getting "Unexpected error downloading update: Connection reset by peer" while trying to install an add-on from Splunkbase (via 'Find more apps'). The internet is connected, and I'm able to access the Splunk application as well. Only the installation is failing. Before this, I was getting an SSL error when I tried to open this page. Then I set sslVerifyServerCert to false, after which the page started loading. I'm not sure if some SSL-related blocking still exists. Any suggestions for getting through this?
@arunsunny Did you find a config for sending traps to different log files?
Hi @yuanliu, I think append has some limits on what it can append, so if we are handling large volumes of data, like 2 lakh events, which command will be useful?
Hi @AL3Z, the above search lists the triggered alerts; if an alert is disabled, it is also never triggered. Ciao. Giuseppe
Hi @AL3Z, no, you only have to define the asset (or the identity) in the correlation search. In other words, in the results of your CS you must have an asset (or an identity) and define this field for the risk score. Ciao. Giuseppe
Hey, that SPL is good, but it has 99 Data sections and I'm getting regex backtracking errors on Regex101. Currently I make it like this:

[test_xmldata_to_fields]
SOURCE_KEY = EventData_Xml
REGEX = (?ms)<Data>(.*?)<\/Data>
FORMAT = test_data::$1
MV_ADD = 1

And then (a dirty one, but it's working for a start):

EVAL-t_process_name=mvindex(test_data,0)
EVAL-t_signature_name=mvindex(test_data,1)
EVAL-t_binary_description=mvindex(test_data,2)

Regarding the <Data> field, does it always have the same format (process_name, signature_name, binary_description)? * Yes

Sourcetype: I created my own and am just using Splunk_TA_Windows for the initial report to extract Data_Xml. Basically, it's a new sourcetype and I can do transforms and props as I like.
Does Splunk share a common user base amongst all Splunk products? Which API request fetches audit logs or events for Splunk users?
@gcusello, why are we not seeing the alerts for the disabled CS using the above search?
Hi @AL3Z, yes, you can use it in a CS, but you can also use Notables. Anyway, as the action when an alert is triggered, you can define a Risk Score to assign to an asset or an identity instead of triggering an alert. Then you can define a threshold for the risk score, so you'll have a Notable when the risk score for an asset or an identity exceeds the threshold. See the Risk Score in the Actions of a Correlation Search and make some tries; I cannot guide you further. For more info see https://docs.splunk.com/Documentation/ES/7.2.0/RBA/Analyzerisk Ciao. Giuseppe
Can we use this CS in ES? Could you please guide me on how we could use the Risk Score for assets and identities?