Do you have a dashboard or report with these results in?
You can't use the time range filter on loadjob savedsearch for this purpose. The time range filter on the loadjob command applies to when the saved search was executed (and its results saved). It is not applied to the results themselves. For this you would have to use a where command (as you already have), and for time ranges, you should parse your timestamp field into an epoch time (using the strptime() function) so that it can be compared with other epoch time values, e.g. the start and end of your desired time range.
Hi @FlorianScho, as a workaround, we have added the IP addresses of our Splunk instances in the TLS certificates as SAN and also included them in the server.conf in the sslAltNameToCheck parameter. Best regards
Hi, I'm using loadjob savedsearch because my query is big and it takes time to load. I have some multi-select filters and I want to add an input time range filter.

| loadjob savedsearch="mp:search:queryName" | where $pc$ AND $Version$

I'm not sure how to do that because I need to use a field called Timestamp (I get it in my query; this is the time the event is written to the json file) and not the _time field. In addition, I don't know how to use loadjob savedsearch with a time range filter. Can you help me, please? Thanks, Maayan
I have gone through a few questions which are related to lookup file changes. I tried to use the same query to get the internal logs regarding my lookup file changes but I am unable to fetch any logs. I would like to know where I can find the information about the changes made to my lookup file. The information is more related to the user who modified it and the respective time. I tried to search in the _audit index, but I am unable to find the exact logs (maybe the way I am searching is wrong). Could anyone please help me in finding the history of modifications/changes made to any lookup file?
Hi @gcusello

| rename "response_details.response_payload.entities{}.onlineStatus" as status
| stats count BY status
| append [ | makeresults | eval name=xxxx, count=0 | fields name ]
| stats sum(count) AS total BY status
| eval status=if(total=0,"OFFLINE",status)
| search status="ONLINE" OR status="OFFLINE"
| table status

The result I am getting is "ONLINE". How will it work in the alert? How can I set it in the alert? Can you please guide me?
@inventsekar Could you please suggest on this. We have already integrated Linux, Palo Alto and SAP log sources. We are just looking to create Linux, Palo Alto and SAP use cases which are based on the MITRE framework or any attack pattern use cases, as we don't have that much knowledge to create SPL use cases.
Hi,  I want to export browser test results in some sort of csv or any file where I can see the performance of a browser test for the past year or month. How can this be possible?
Hi @parthiban, status = "OFFLINE" please try this:

index=your_index
| stats count BY device status
| append [ | inputlookup perimeter.csv | eval count=0 | fields device count ]
| stats sum(count) AS total BY device status
| eval status=if(total=0,"down",status)
| search status="recovery" OR status="offline" OR status="down"
| table device status

Ciao. Giuseppe
Hi @gcusello This is an on-premises device and managed by the cloud. If the device goes offline, the cloud will send a log. Which condition do I need to add?
How to get the difference of the latest value with now? I have multiple values in the latest column and only one value in the now column. I want the output as the difference.

latest              now
1701973800.000000   1702372339
1701455400.000000
1701455400.000000
1700418600.000000
1700418600.000000

1701973800.000000 - 1702372339 =
1701455400.000000 - 1702372339 =
like this
Hi @nehamvinchankar, does the regex extract only one value or doesn't it extract any value? If only one value, please try this:

| rex max_match=0 "(?ms)\"API_NAME\": \"(?<API_NAME>[^\"]+)\",\n\"DEP_DATE\": \"(?<DEP_DATE>[^\"]+)\""

If no values, please check the source, because using the source you shared the regex extracts all the values, as you can test in regex101. Ciao. Giuseppe
Not working, fields are not getting extracted.
Hi @parthiban, ok, but how can the device send a status if it's offline? If it continues to send logs even if it's offline, you can add this condition to the search, but, as I suppose, it doesn't send logs when offline, so you can use my search. Ciao. Giuseppe
I am very new to Splunk but I just encountered the explanation for this in a course: When no Dataset is specified in the From clause, Splunk assumes the first root Dataset is addressed. When you want to address any root Dataset other than the first one, you must specify it explicitly. Therefore, it is best practice to ignore the fact that Splunk assumes the first root Dataset and specify it in every use, even if Splunk allows you to save that little bit of typing.

| tstats summariesonly=t count FROM datamodel=model_name.dataset_1 where nodename=dataset_1 by dataset_1.FieldName
Hi @gcusello Yes, I want an alert for online status="OFFLINE" and online status="Online" for the same device.
Hi @parthiban, please confirm: you want an alert if onlineStatus="recovery" or if, for a defined period, you don't receive logs from a device. Is this correct? In this case, you can use my second search, creating a list of devices to monitor in a lookup. Ciao. Giuseppe
We have the same issue.  Any news on this how to fix?
Hi @gcusello In the log, we receive the payload model below. In the 'entities' section, I've only specified one device status, but in reality there are 11 device statuses in a single log message. I want to create an alert: if a device goes offline, it will trigger one alert, and when it comes online, it will trigger a clear alarm alert. I specify having only one alert because we receive logs every 2 minutes from AWS, and I want to avoid multiple alerts for the same device going offline and online. Hope it is clear what my requirement is.

response_details: {
  response_payload: {
    entities: {
      id:"YYYYYYY",
      name:"ABC",
      onlineStatus:"ONLINE",
      serialNumber:"XXXXXXX",
    },
Hi @jhooper33, don't use the search command: put all the search terms in the main search, so you'll have a faster search:

index=pan_logs
    [ inputlookup url_intel.csv | fields ioc | rename ioc AS dest_url ]
    NOT [ | inputlookup whitelist.csv WHERE category=website | fields ignoreitem | rename ignoreitem as query ]
    NOT ("drop" OR "denied" OR "deny" OR "reset" OR "block")
| eval Sensor_Name="Customer", Signature="URL Intel Hits", user=if(isnull(user),"-",user), src_ip=if(isnull(src_ip),"-",src_ip), dest_ip=if(isnull(dest_ip),"-",dest_ip), event_criticality="Medium"
| rename _raw AS Raw_Event
| table _time event_criticality Sensor_Name Signature user src_ip dest_ip Raw_Event

Ciao. Giuseppe