All Posts

Hi, tried as below; still no luck, logs keep coming:

props.conf
[sourcetype::cato_source]
TRANSFORMS-filter_logs = cloudparsing

transforms.conf
[cloudparsing]
REGEX = \"event_sub_type\":\"(WAN|TLS)
DEST_KEY = queue
FORMAT = nullQueue
Hi @gcusello, when I run the below search, I get results like these. Not sure if this is an empty value or no value. Regards, Pravin
Hi @venkateshn2382, yes, it will work. Ciao. Giuseppe
Hi @_pravin, see in Interesting Fields: do you have empty values, or no values? Ciao. Giuseppe
@gcusello, will this work with Splunk Cloud as well? Is this option available?
Hi @gcusello, I get an empty cell for the column Module. Regards, Pravin
Hi @venkateshn2382, you have to try using INDEXED_EXTRACTIONS = json in the sourcetype associated with the HEC. Ciao. Giuseppe
Subsearches are executed before the main search, so your ip_address_integer has no value when the inputlookup is executed. You could try using the map command (although this has its limitations and perhaps should be avoided where possible).

| makeresults
| eval ip_address_integer = 1317914622
| map search="| inputlookup geobeta | where endIPNum >= $ip_address_integer$ AND startIPNum <= $ip_address_integer$ | table latitude,longitude"
@gcusello The data is ingested via the HTTP Event Collector.
Hi @Scottk1, see if this URL answers your question: https://www.splunk.com/en_us/about-splunk/splunk-data-security-and-privacy/cloud-security-at-splunk.html Ciao. Giuseppe
Hi @QuantumRgw, let me understand: you want to monitor a server using Splunk, is that correct? To do this, you have to send all logs from this server to Splunk using a Universal Forwarder (an agent) installed on this server, and index your logs on a different server where Splunk is installed. Then you have to identify the security use cases to implement in Splunk; the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435) could help you, but your question is too vague for a more detailed answer. Ciao. Giuseppe
Hi @himaniarora20, I completely agree with @isoutamo: you cannot use internal Splunk connections without HTTPS. If you don't have your own certificate, you can use the default certificate produced by the internal Splunk Certificate Authority until you have your own. Ciao. Giuseppe
Hi @roopeshetty, please try this regex in transforms.conf:

REGEX = \"event_sub_type\":\"(WAN|TLS)

Ciao. Giuseppe
Hello, I am trying to integrate ChatGPT with my dashboard and I am using the OpenAPI add-on. I am getting the following error: "HTTP 404 Not Found -- Could not find object id=TA-openai-api:org_id_default: ERROR cannot unpack non-iterable NoneType object"

Can anyone help me with this?
Hi @venkateshn2382, did you try using INDEXED_EXTRACTIONS = json in your props.conf? You can find more details at https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf This option must be located in the Universal Forwarder, in the Heavy Forwarder (if present), and in the Search Heads. Ciao. Giuseppe
Hi Guys,

In Splunk a field named "event_sub_type" has multiple values. We don't want to ingest any logs into Splunk whose "event_sub_type" value is either "WAN Firewall" or "TLS" (as marked in the attached screenshot), as these are huge unwanted logs.

Our search query is: index=cato sourcetype=cato_source

We tried multiple ways of editing props.conf and transforms.conf to exclude these logs, as below, but none of them succeeded in excluding those logs:

props.conf
[sourcetype::cato_source]
TRANSFORMS-filter_logs = cloudparsing

transforms.conf
[cloudparsing]
REGEX = \"event_sub_type\":\"(WAN Firewall|TLS)\"
DEST_KEY = queue
FORMAT = nullQueue

Can someone please guide us on how to exclude these events whose "event_sub_type" value contains either "WAN Firewall" or "TLS" by editing props.conf and transforms.conf?

Raw events for reference which need to be excluded:

1. event_sub_type":"WAN
{"event_count":1,"ISP_name":"Shanghai internet","rule":"Initial Connectivity Rule","dest_is_site_or_vpn":"Site","src_isp_ip":"0.0.0.0","time_str":"2023-11-28T04:27:40Z","src_site":"CHINA-AZURE-E2","src_ip":"0.0.0.1","internalId":"54464646","dest_site_name":"china_112,"event_type":"Security","src_country_code":"CN","action":"Monitor","subnet_name":"cn-001.net-vnet-1","pop_name":"Shanghai_1","dest_port":443,"dest_site":"china_connect","rule_name":"Initial Connectivity Rule","event_sub_type":"WAN Firewall","insertionDate":1701188916690,"ip_protocol":"TCP","rule_id":"101238","src_is_site_or_vpn":"Site","account_id":5555,"application":"HTTP(S)","src_site_name":"china_connect","src_country":"China","dest_ip":"0.0.0.0","os_type":"OS_ANDROID","app_stack""TCP","TLS","HTTP(S)"],"time":1701188860834}

2. "event_sub_type":"TLS","
{"event_count":4,"http_host_name":"isp.vpn","ISP_name":"China_internet","src_isp_ip":"0.0.0.0","tls_version":"TLSv1.3","time_str":"2023-11-28T04:27:16Z","src_site":"china_mtt","src_ip":"0.0.0.0","internalId":"rtrgrtr","domain_name":"china.gh.com","event_type":"Security","src_country_code":"CN","tls_error_description":"unknown CA","action":"Alert","subnet_name":"0.0.0.0/24","pop_name":"china_1","dest_port":443,"event_sub_type":"TLS","insertionDate":1701188915580,"dest_country_code":"SG","tls_error_type":"fatal","dns_name":"china.com","traffic_direction":"OUTBOUND","src_is_site_or_vpn":"Site","account_id":56565,"application":"Netskope","src_site_name":"CHINA-44","src_country":"China","dest_ip":"0.0.0.0","os_type":"OS_WINDOWS","time":1701188836011,"dest_country":"Singapore"}
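Before touching the .conf files again, it is worth confirming that the transforms REGEX actually matches the raw events it is supposed to drop. The Python below is an added example (not code from the post or from Splunk): it applies the REGEX values quoted in the thread to shortened, constructed versions of the two raw events above plus one constructed event that must be kept, and simulates the nullQueue routing. It shows that both REGEX variants match the unwanted events, so the regex is not what is failing; it also shows why the key should stay in the pattern (a bare `WAN Firewall|TLS` would also drop events that merely list TLS in app_stack). With the regex ruled out, the things left to check are the props.conf stanza form (sourcetype stanzas are written as `[cato_source]`, with no `sourcetype::` prefix) and that the props/transforms sit on the instance that parses the HEC data.

```python
import re

# REGEX values as quoted in the thread. Inside a regex, \" just matches a literal quote,
# so the escaped form and the unescaped form behave the same.
TRANSFORMS_REGEX = r'"event_sub_type":"(WAN Firewall|TLS)"'   # from the question
FOLLOWUP_REGEX = r'"event_sub_type":"(WAN|TLS)'               # from the follow-up reply

# Loose pattern without the key anchor, shown only to illustrate over-matching.
NAIVE_REGEX = r'WAN Firewall|TLS'

# Constructed, shortened versions of the two raw events quoted in the post,
# plus one constructed event (event_sub_type "Internet Firewall") that must be kept.
SAMPLE_WAN = ('{"event_count":1,"event_type":"Security","action":"Monitor",'
              '"dest_port":443,"event_sub_type":"WAN Firewall","ip_protocol":"TCP",'
              '"app_stack":["TCP","TLS","HTTP(S)"],"time":1701188860834}')
SAMPLE_TLS = ('{"event_count":4,"tls_version":"TLSv1.3","event_type":"Security",'
              '"tls_error_description":"unknown CA","action":"Alert","dest_port":443,'
              '"event_sub_type":"TLS","tls_error_type":"fatal","time":1701188836011}')
SAMPLE_KEEP = ('{"event_count":2,"event_type":"Security","action":"Block","dest_port":443,'
               '"event_sub_type":"Internet Firewall","app_stack":["TCP","TLS","HTTP(S)"],'
               '"time":1701188870000}')
SAMPLE_EVENTS = [SAMPLE_WAN, SAMPLE_TLS, SAMPLE_KEEP]


def would_drop(raw_event: str, pattern: str = TRANSFORMS_REGEX) -> bool:
    """True if the transform's REGEX matches _raw, i.e. the event would be routed to nullQueue."""
    return re.search(pattern, raw_event) is not None


def simulate_filter(events, pattern: str = TRANSFORMS_REGEX):
    """Split events into (kept, dropped), mimicking DEST_KEY = queue / FORMAT = nullQueue."""
    kept, dropped = [], []
    for raw in events:
        (dropped if would_drop(raw, pattern) else kept).append(raw)
    return kept, dropped


def sub_type_of(raw_event: str):
    """Extract the event_sub_type value from _raw for reporting; None if the key is absent."""
    m = re.search(r'"event_sub_type":"([^"]*)"', raw_event)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, pattern in (("anchored", TRANSFORMS_REGEX),
                           ("follow-up", FOLLOWUP_REGEX),
                           ("naive", NAIVE_REGEX)):
        kept, dropped = simulate_filter(SAMPLE_EVENTS, pattern)
        print(f"{label:10s} dropped={[sub_type_of(e) for e in dropped]} "
              f"kept={[sub_type_of(e) for e in kept]}")
```

Running it, the anchored and follow-up patterns drop the WAN Firewall and TLS events and keep the constructed Internet Firewall event, while the naive pattern drops all three. The same check can be run against full raw events copied from the search results, which is a cheap way to separate "regex is wrong" from "config is not being applied".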
Hi @_pravin, as I said, if you run

| mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" mx.env=$mx.env$ log.type=log span=10s BY pid service.name replica.name service.type module.names severity host cmd mx.env
| rename module.names as Module
| rename host as Hostname
| rename severity as lvl
| rename pid as PID

do you have null (or similar) values for the Module field? Ciao. Giuseppe
Hi @vishenps, you can set up the timezone at system level or at user level, as you prefer; there isn't a best practice for this, use the one you require for your final users. Ciao. Giuseppe
Hi @MattKr, what do you have to do? Use the lookup's geo coordinates to filter results, or what else? If you want to use the values in the lookup for a subsearch, you have to use the rules of a subsearch, so the fields in the subsearch must have the same field names. Then you can use the where clause inside the inputlookup command. Be aware that the AND logical operator must be in uppercase to be recognized:

| inputlookup geobeta WHERE endIPNum>=1317914622 AND startIPNum<=1317914622
| table latitude longitude

Then, how are your IP addresses written? At least, using lookups, you can also have the CIDR match type as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationtoyourevents Ciao. Giuseppe
I have a log like the one below displayed in the Splunk UI. I want the "message" key to be parsed as JSON as well. How do I do that? The raw text is below.

{"stream":"stderr","logtag":"F","message":"{\"Context\":{\"SourceTransactionID\":\"UMV-626036c8-b843-46e8-8ef3-0bd78376bf93\",\"CaseID\":\"UMV-UMV_OK_CAAS_MMR_Mokcup_PIPE_2023-11-28-151036894\",\"CommunicationID\":\"UMV-64b9c2a9-be74-4ec6-9fd0-f545c1dd890f\",\"RequestID\":\"4ea2b9be-752b-4e6f-8972-0c435d1ad282\",\"RecordID\":\"332ebe12-0269-4ae6-90fc-98c8887e3703\"},\"LogCollection\":[{\"source\":\"handler.go:44\",\"timestamp\":\"2023-11-30T15:01:07.209285695Z\",\"msg\":{\"specversion\":\"1.0\",\"type\":\"com.cnc.caas.documentgenerationservices.documentgeneration.completed.public\",\"source\":\"/events/caas/documentgenerationservices/record/documentgeneration\",\"id\":\"Rec#332ebe12-0269-4ae6-90fc-98c8887e3703\",\"time\":\"2023-11-30T15:01:06.972071059Z\",\"subject\":\"record-documentgenerationservices-wip\",\"dataschema\":\"/caas/comp_01_a_events-spec.json\",\"datacontenttype\":\"application/json\",\"data\":{\"CAAS\":{\"Event\":{\"Version\":\"2.0.0\",\"EventType\":\"documentgeneration.completed\",\"LifeCycleStatus\":\"wip\",\"EventSequence\":4,\"OriginTimeStamp\":\"2023-11-30T15:01:06.972Z\",\"SourceName\":\"UMV\",\"SourceTransactionID\":\"UMV-626036c8-b843-46e8-8ef3-0bd78376bf93\",\"CaseID\":\"UMV-UMV_OK_CAAS_MMR_Mokcup_PIPE_2023-11-28-151036894\",\"CommunicationID\":\"UMV-64b9c2a9-be74-4ec6-9fd0-f545c1dd890f\",\"RequestID\":\"4ea2b9be-752b-4e6f-8972-0c435d1ad282\",\"RecordID\":\"332ebe12-0269-4ae6-90fc-98c8887e3703\",\"RequestedDeliveryChannel\":\"Print\",\"RecordedDeliveryChannel\":\"Print\",\"AdditionalData\":{\"CompositionAttributes\":{\"IsOCOENotificationRequired\":true,\"JobID\":47130}},\"S3Location\":{\"BucketName\":\"cnc-caas-csl-dev-smartcomm-output\",\"ObjectKey\":\"output/4ea2b9be-752b-4e6f-8972-0c435d1ad282/47130/4ea2b9be-752b-4e6f-8972-0c435d1ad282_332ebe12-0269-4ae6-90fc-98c8887e3703_UMV-64b9c2a9-be
74-4ec6-9fd0-f545c1dd890f_Payload.json\"},\"Priority\":false,\"EventFailedStatus\":0,\"RetryCount\":1,\"Errors\":null,\"OriginalSqsMessage\":{\"data\":{\"CAAS\":{\"Event\":{\"AdditionalData\":{\"CompositionAttributes\":{\"IsOCOENotificationRequired\":true,\"JobID\":47130}},\"CaseID\":\"UMV-UMV_OK_CAAS_MMR_Mokcup_PIPE_2023-11-28-151036894\",\"CommunicationGroupID\":\"mbrmatreqok\",\"CommunicationID\":\"UMV-64b9c2a9-be74-4ec6-9fd0-f545c1dd890f\",\"Errors\":null,\"EventFailedStatus\":0,\"EventSequence\":4,\"EventType\":\"recordcomposition.response.start\",\"LifeCycleStatus\":\"wip\",\"OriginTimeStamp\":\"2023-11-30T15:00:04.996Z\",\"PreRendered\":false,\"Priority\":false,\"RecipientID\":\"68032561\",\"RecipientType\":\"Member\",\"RecordID\":\"332ebe12-0269-4ae6-90fc-98c8887e3703\",\"RecordedDeliveryChannel\":\"Print\",\"RequestID\":\"4ea2b9be-752b-4e6f-8972-0c435d1ad282\",\"RequestedDeliveryChannel\":\"Print\",\"RetryCount\":1,\"S3Location\":{\"BucketName\":\"cnc-caas-csl-dev-smartcomm-output\",\"ObjectKey\":\"output/4ea2b9be-752b-4e6f-8972-0c435d1ad282/47130/4ea2b9be-752b-4e6f-8972-0c435d1ad282_332ebe12-0269-4ae6-90fc-98c8887e3703_UMV-64b9c2a9-be74-4ec6-9fd0-f545c1dd890f_Payload.json\"},\"SourceName\":\"UMV\",\"SourceTransactionID\":\"UMV-626036c8-b843-46e8-8ef3-0bd78376bf93\",\"Version\":\"2.0.0\"}}},\"datacontenttype\":\"application/json\",\"dataschema\":\"/caas/comp_01_a_events-spec.json\",\"id\":\"Rec#332ebe12-0269-4ae6-90fc-98c8887e3703\",\"source\":\"/events/caas/smart/record/composition\",\"specversion\":\"1.0\",\"subject\":\"record-composition-response-start\",\"time\":\"2023-11-30T15:01:05.756937686Z\",\"type\":\"com.cnc.caas.composition.response.start.private\"},\"CommunicationGroupID\":\"mbrmatreqok\",\"RecipientID\":\"68032561\",\"RecipientType\":\"Member\",\"PreRendered\":false}}}}},{\"source\":\"handler.go:46\",\"timestamp\":\"2023-11-30T15:01:07.21572506Z\",\"msg\":\"mongo insert id is 
6568a3b3ab042d54478ef071\"}],\"RetryCount\":1,\"level\":\"error\",\"msg\":\"Log collector output\",\"time\":\"2023-11-30T15:01:07Z\"}","kubernetes":{"pod_name":"eventsupdatetomongo-d98bb8594-cnbsd","namespace_name":"caas-composition-layer","pod_id":"50d49842-793a-41c8-a903-11c23607dfd6","labels":{"app":"eventsupdatetomongo","pod-template-hash":"d98bb8594","version":"dcode-801-1.0.1-2745653"},"annotations":{"cattle.io/timestamp":"2023-06-08T22:30:33Z","cni.projectcalico.org/containerID":"58cf3b42ab43fac0a5bf1f97e5a4a7db9dbf6a572705f02480384e63c2a53288","cni.projectcalico.org/podIP":"172.17.224.31/32","cni.projectcalico.org/podIPs":"172.17.224.31/32","kubectl.kubernetes.io/restartedAt":"2023-11-20T17:28:31Z"},"host":"ip-10-168-125-122.ec2.internal","container_name":"eventsupdatetomongo","docker_id":"c83dd87422fbdcae60a40ac50bcad0f387d50f3021975b81dbccac1bc0d965b2","container_hash":"artifactory-aws.centene.com/caas-docker_non-production_local_aws/eventsupdatetomongo@sha256:3b7e5e0908cec3f68baa7f9be18397b6ce4aa807f92b98b6b8970edac9780388","container_image":"artifactory-aws.centene.com/caas-docker_non-production_local_aws/eventsupdatetomongo:dcode-801-1.0.1-2745653"}}