All Posts

Hi @AL3Z, they match with the correlation searches, but they also contain other alerts outside ES and anyway don't match with disabled CS. Ciao. Giuseppe
Well, yeah, I understand how I can convert the time from epoch, but I am trying to do this inside of a workflow action.  Someone searches "index=firewall", and then they click on "Event Actions" to click on the workflow action.  How does the time get converted through that mechanism?
@gcusello, why are the triggered alerts from the search not matching the incident review alerts? Why so?
No, there is not a common userbase for all Splunk products. There is no API request specific to audit logs.  Submit an API request to search the _audit index for the desired information.
I know of one file we have (multifix.js). We use it to modify the behavior of multi-select filters.

/*************************************************************************************
 Multiselect Behavior Modification
 multifix.js v0.2
 Automatically removes the 'All' option in multiselect fields when a value is selected
 and removes individual values when 'All' is re-selected. Any multiselect with a CSS id
 of multi_1 - multi_15 will function in this way if the script is included in the app's
 dashboard.js or directly.
*************************************************************************************/
require(['splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!'], function (mvc) {
    $(document).ready(function () {
        var selection = [];
        // Wire up every multiselect whose id is multi_1 .. multi_15
        for (var i = 1; i < 16; i++) {
            multiFixer('multi_' + i);
        }
        function multiFixer(fieldId) {
            // Skip ids that do not exist on this dashboard
            var multi = mvc.Components.getInstance(fieldId);
            if (typeof multi !== 'undefined') {
                multi.on('change', function () {
                    selection = multi.val();
                    // '*' is the 'All' value; only act when it is mixed with other values
                    if (selection.length > 1 && ~selection.indexOf('*')) {
                        if (selection.indexOf('*') == 0) {
                            // 'All' was already selected and a specific value was added: drop 'All'
                            selection.splice(selection.indexOf('*'), 1);
                            multi.val(selection);
                            multi.render();
                        } else {
                            // 'All' was re-selected after specific values: keep only 'All'
                            multi.val('*');
                            multi.render();
                        }
                    }
                });
            }
        }
    });
});
Hi, I want to import the entities via csv to entity management in Splunk ITSI, so please help me with this. Thanks
Hello Experts, I currently have a CSV file that contains fields such as ID, IP, OS, status, tracking_method, Last_boot, First_found_date, last_activity, hostname, domain, etc. I want to ingest it as metrics data. Is it possible? I'd appreciate any guidance or examples of how to achieve this. Thanks in advance
@andrewtrobec Are you sure all power users have the same issue, or only a specific user? Please check that. If only this user is having this issue, there is a great deal of chance that the user has navigation in his/her etc/user/local folder, which is overriding the App's default navigation. If all power users are having this issue, then you may have changed some capability for roles in your environment. I hope this helps!!!
@anandhalagaras1 - Run the query like this:

<your index, sourcetype search> earliest=0 latest=now <your_search>
| eval Timestamp=strptime(Timestamp,"%Y-%m-%dT%H:%M:%S.%6N%:z")
| addinfo
| where Timestamp>=info_min_time AND Timestamp<=info_max_time

With this query, you can change the time range from the UI to apply to the search directly.

Performance hint: this query will run on "All Time", as the earliest and latest in the first line of the query suggest; you can tweak it for the dashboard to improve the performance of the query.

I hope this helps!!!
@Dharani - I think you explained the question well, but you need to provide sample logs to explain what you mean by a pair of error events.
@jianzgao - I think you are using C# SDK for Splunk. Splunk has made that SDK deprecated - https://github.com/splunk/splunk-sdk-csharp-pcl I would recommend using either Python SDK (https://github.com/splunk/splunk-sdk-python ) or Java SDK (https://github.com/splunk/splunk-sdk-java ) or Javascript SDK (https://github.com/splunk/splunk-sdk-javascript )   I hope this helps!!!
@sh254087 - You shouldn't be doing sslVerifyServerCert false.   Ideally, if you have a custom CA cert added to your Splunk machine, you should be adding appsCA.pem file content at the end of your CA cert file, to avoid SSL-related errors on the App installation page.   Though, this error seems to be more like a slow connection speed with Splunkbase on the Splunk machine.   I hope this helps!!!
@BEN_ - While this covers much of what you are trying to find, it's important to keep in mind that this would not cover all the scenarios. Some example queries that would not be covered by the query: index IN (murex_metrics), index=*, index=murex*, etc.
As this is still not possible AFAIK, I've created an App, which provides the ability to add custom HTML forms to the Splunk SOAR UI. https://github.com/Benni0/Phantom-s-Bag-of-Tricks
Thanks, this solution is working for some test cases. In other test cases, like this one, the count field is zero, so I want a custom message if the count field is zero. Any suggestions?
Hi bowesmana, yes, you are right. The query is working fine for both event and metrics indexes. The problem was at the level of the search filter. I found that the search in the dashboard contains "" {... WHERE "index"="murex_metrics" AND ... }, which explains why the filter in my search "eai:data"="*index=murex_metrics*" didn't return any data. Thanks again
Getting "Unexpected error downloading update: Connection reset by peer" while trying to install an add-on from Splunkbase (via 'Find more apps'). Internet is connected, and I'm able to access the Splunk application as well. Only the installation is failing. Before this, I was getting an SSL error when I tried to open this page. Then I set sslVerifyServerCert to false, after which the page started loading. I'm not sure if some SSL-related blocking still exists. Any suggestions around getting through this?
@arunsunny Did you find a config to send traps to different log files?
Hi @yuanliu, I think append has some limits, so if we are handling large volumes of data, like 2 lakh events, which command will be useful?
Hi @AL3Z, the above search lists the triggered alerts; if an alert is disabled, it is also never triggered. Ciao. Giuseppe