Hi @AL3Z, both the approaches are correct. Ciao. Giuseppe
Hi @Jose.Macias, Did the information I sent you via PM last week help?
Hi @Ajith.Kumar, If the Community does not jump in and help, you can try contacting Sales here for further help. https://www.appdynamics.com/company/contact-us
What if the Program.exe is present in both NewProcessName and ParentProcessName? Which one do we need to apply the regex to?
IIRC Splunk Stream doesn't have truncation settings and this ends up being caught by the truncation settings for your sourcetype within props.conf.  Can you share what your stanza is for your sourcetype?  Is TRUNCATE=1000000?  You might need to change to TRUNCATE=0 to force Splunk to include all of the event.
@ITWhisperer Thanks for sharing that valuable video. I have a question: consider my search below, which I am using to append the result to the summary index. But here I am not using any subsearches, so where can I use your suggested workaround?

index=ABC (sourcetype=DepTsuEventTrackingUpdate DepTsuEventTrackingUpdate.LocationQualifiedName=Tray* DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason!=null AND DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason!="TsuUnknownContent") OR (sourcetype=DepTsuEventContentMove)
| foreach *.OrderId [| eval OrderId=coalesce('OrderId','<<FIELD>>')]
| replace ProtrusionFront with Protrusion , ProtrusionBack with Protrusion , ProtrusionLeft with Protrusion , ProtrusionRight with Protrusion , ProtrusionTop with Protrusion
| rename DepTsuEventTrackingUpdate.TsuSuspect.CheckResult.CheckType as Error DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason as TsuSuspectReason DepTsuEventContentMove.SenderFmInstanceName as Location DepTsuEventTrackingUpdate.TsuId as TsuId DepTsuEventContentMove.TsuContent.Quantity as Quantity DepTsuEventContentMove.LocationQualifiedName as TrayLoad DepTsuEventContentMove.TsuContent.CaseTypeId as CaseTypeId
| eval OrientationError=if(Error="Orientation","1","0") , ProtrusionError=if(Error="Protrusion","1","0") , LengthError=if(Error="Length","1","0") , WidthError=if(Error="Width","1","0") , HeightError=if(Error="Height","1","0") , OffCentreError=if(Error="OffCentre","1","0")
| eval DimensionError=if(LengthError>0 OR WidthError>0 OR HeightError>0, "1","0")
| eval ErrorQty=(OrientationError+ProtrusionError+DimensionError+OffCentreError) , TrayError=(OrientationError+ProtrusionError+LengthError+WidthError+HeightError+OffCentreError) , TrayError=if(TrayError>0,"1",null())
| eval Dimension=if(DimensionError>0 AND ErrorQty="1" ,"1","0") , Orientation=if(OrientationError="1" AND ErrorQty="1","1","0") , Protrusion=if(ProtrusionError="1" AND ErrorQty="1","1","0") , Length=if(LengthError="1" AND ErrorQty="1","1","0") , Width=if(WidthError="1" AND ErrorQty="1","1","0") , Height=if(HeightError="1" AND ErrorQty="1","1","0") , OffCentre=if(OffCentreError="1" AND ErrorQty="1","1","0") , Mixed=if(Dimension="0" AND ErrorQty>1,"1","0")
| eval Layer=if(TrayLoad="PalletInPosition","1",null()) , CaseQty=if(TrayLoad="TrayLoad1" OR TrayLoad="TrayLoad2",Quantity,null()) , Tray=if(TrayLoad="TrayLoad1" OR TrayLoad="TrayLoad2","1",null())
| stats min(_time) as _time values(Location) as Location sum(Layer) as PalletLayers sum(Tray) as TrayQty sum(CaseQty) as CaseQty sum(TrayError) as TrayError sum(Orientation) as OrientationError sum(Length) as LengthError sum(Width) as WidthError sum(Height) as HeightError sum(Protrusion) as ProtrusionError sum(OffCentre) as OffCentreError sum(Dimension) as Dimension sum(Mixed) as Mixed values(CaseTypeId) as CaseTypeId by OrderId
| eval reporttype="DepTrayCaseQty"
| eval foo=Dimension+Mixed+OrientationError+ProtrusionError+OffCentreError
| table _time reporttype OrderId CaseTypeId Location PalletLayers TrayQty CaseQty TrayError foo Dimension Mixed OrientationError LengthError WidthError HeightError ProtrusionError OffCentreError
| where isnotnull(CaseQty)
| collect index=analyst
You're looking in the wrong place. You can _tell_ Splunk to use a proxy server if it wants to connect to the internet (but to make things more complicated, the main setting might not work for some modular inputs so you'd have to specify proxy settings in specific app's settings as well). But you can't tell Splunk to _not_ connect anywhere. Remember that Splunk does work by connecting various components over the network so it must be using the network. And if you write an input/output/external lookup/custom command which will connect to external services it will try to do so. You should handle this on the OS/network level by managing host firewall rules on Splunk servers and firewall filters on your network devices. The things that can be managed in Splunk's own config are:
- telemetry settings
- update checks/app installs
- Splunk Secure Gateway
You incorrectly assumed that just because you didn't provide the year, month and day parts, your strptime will use zero values. It didn't. Strptime uses zero values for time but "current" values for date if you don't provide them in your time spec. So if you try to strptime() just hours and minutes, it will indeed use zero seconds but will parse today's date with it. So obviously your numerical timestamp will be way way way more than you wanted. You can either, as @ITWhisperer suggested, parse the duration manually, or can do a very ugly hack (all time-manipulation hacks are dirty and ugly) by supplying the Epoch date as your "base" for strptime and of course telling strptime that it's in UTC (otherwise you'll get your timestamp parsed as being in your local timezone). The more you look, the uglier it gets.
@gcusello, is this regex going to exclude all the Windows events starting with this "\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>", right? By the way, my intention is to exclude all the security tool events specific to EventCode 4688 (e.g. Tanium, Splunk, Windows Defender etc.). Can we whitelist all the Windows events like C:\\Windows\\*? We need to ingest all the Windows events like cmd.exe, reg.exe etc. Thanks.
Hi @AL3Z, if you want to discard the four samples you shared in the original question but not the last one, the above regex is correct, as you can check at https://regex101.com/r/x5zuYc/1 Ciao. Giuseppe
@gcusello, these are the events which I want to exclude:

<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data>

<Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>

<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumFileInfo.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>

<Data Name='NewProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseCnCProxy.exe</Data>
<Data Name='ParentProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\MsSense.exe</Data>
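One way to validate an exclusion pattern against the four samples above before putting it into a blacklist, as an added example that is not from the thread: the regex below is a constructed assumption, not the one Giuseppe shared, and it anchors on the NewProcessName element only, so a cmd.exe whose parent happens to be one of these tools is still ingested (the question raised about Program.exe appearing in both elements). The cmd.exe/reg.exe samples are constructed.

```python
import re

# Constructed exclusion pattern (an assumption, not the regex from the thread). It matches only the
# NewProcessName element, so the ParentProcessName path alone never causes an event to be discarded.
EXCLUDE = re.compile(
    r"<Data Name='NewProcessName'>C:\\(?:"
    r"Program Files \(x86\)\\Tanium\\|"
    r"Program Files\\SplunkUniversalForwarder\\|"
    r"ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\)"
)

def should_drop(event):
    """True when the 4688 event's NewProcessName lives under one of the tool directories."""
    return EXCLUDE.search(event) is not None

# The four NewProcessName/ParentProcessName pairs from the thread, trimmed to those two elements.
TOOL_EVENTS = [
    r"<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>"
    r"<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data>",
    r"<Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data>"
    r"<Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>",
    r"<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumFileInfo.exe</Data>"
    r"<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>",
    r"<Data Name='NewProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseCnCProxy.exe</Data>"
    r"<Data Name='ParentProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\MsSense.exe</Data>",
]

# Constructed events that must be kept: an interactive cmd.exe, reg.exe, and a cmd.exe whose
# parent is TaniumExecWrapper.exe (the parent path must not cause the child to be discarded).
KEEP_EVENTS = [
    r"<Data Name='NewProcessName'>C:\Windows\System32\cmd.exe</Data>"
    r"<Data Name='ParentProcessName'>C:\Windows\explorer.exe</Data>",
    r"<Data Name='NewProcessName'>C:\Windows\System32\reg.exe</Data>"
    r"<Data Name='ParentProcessName'>C:\Windows\System32\cmd.exe</Data>",
    r"<Data Name='NewProcessName'>C:\Windows\System32\cmd.exe</Data>"
    r"<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>",
]

def partition(events):
    """Split events into (dropped, kept) so a blacklist candidate can be reviewed before deployment."""
    dropped = [e for e in events if should_drop(e)]
    kept = [e for e in events if not should_drop(e)]
    return dropped, kept
```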
Hi @AL3Z, ok, I'm not sure that the regex I shared is ok for you: you shared events to discard, but I also need events to not discard, could you share them? Ciao. Giuseppe
Looking at the info times shows that the events were added by different searches. These appear to have been executed on the 22nd, with different time spans, 5th - 19th and 5th - 21st. These are the searches which have duplicated your events. I did a BSides presentation a year or so ago about making summary index reports idempotent to avoid duplicate entries. Summary Index Idempotency - Chris Kaye - YouTube
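The check described above, done over the three stash events quoted further down the page, as an added example that is not part of the thread: it groups summary events by their natural key (reporttype, OrderId) and reports every distinct search (by run day and info_min_time/info_max_time span) that wrote one, which is how the duplicates reveal themselves. The copies of the events are constructed from the page and abridged to the fields used; days are rendered in UTC, so they sit one day earlier than the +1100 times in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed copies of the three stash events quoted on this page, abridged to the fields used here.
EVENTS = [
    'info_min_time=1699189200.000, info_max_time=1700571600.000, info_search_time=1700625838.094, '
    'CaseQty=64, OrderId=52128969634, reporttype=DepTrayCaseQty',
    'search_name="File Collector: DepTrayCaseQty", info_min_time=1699189200.000, info_max_time=1699275600.000, '
    'info_search_time=1699279202.226, CaseQty=29, OrderId=52128969634, reporttype=DepTrayCaseQty',
    'info_min_time=1699189200.000, info_max_time=1700398800.000, info_search_time=1700618994.511, '
    'CaseQty=64, OrderId=52128969634, reporttype=DepTrayCaseQty',
]

KV = re.compile(r'(\w+)=("[^"]*"|[^,]+)')   # key=value or key="quoted value" pairs

def parse_event(raw):
    """Turn one key=value stash line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(raw)}

def utc_day(epoch):
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc).strftime("%Y-%m-%d")

def find_duplicate_writers(events, key_fields=("reporttype", "OrderId")):
    """Group summary events by their natural key and list each search that wrote one.
    A key written by more than one distinct (run day, time span) pair is a duplicate from re-runs."""
    by_key = {}
    for raw in events:
        ev = parse_event(raw)
        key = tuple(ev[f] for f in key_fields)
        by_key.setdefault(key, []).append({
            "ran_on": utc_day(ev["info_search_time"]),
            "span": (utc_day(ev["info_min_time"]), utc_day(ev["info_max_time"])),
            "CaseQty": ev["CaseQty"],
        })
    return {k: w for k, w in by_key.items() if len({(x["ran_on"], x["span"]) for x in w}) > 1}
```

The differing CaseQty values (29 versus 64) for the same OrderId also show why the later, wider-span runs cannot simply be dropped: each run saw a different slice of the source data.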
Throughout the custom search command process, splunkd and the Python script exchange metadata through a series of getinfo and execute commands. splunkd sends the getinfo command to request information, including the command type and required fields, from the Python script. splunkd sends a separate execute command for each chunk of search results in the pipeline.

So what you're seeing is the getinfo step. As far as I know there's no way to disable it or easily shorten it. This also means that any latency that your script has will be doubled and given to the next person. Great stuff. It looks to me like Splunk doesn't care about custom search commands and the feature is pretty much unmaintained. This is understandable of course, since it's only a small, young company, run by amateurs with only few resources to spare.
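The getinfo/execute exchange described above, as an added example that is neither Splunk's code nor the splunklib SDK: a minimal handler for the chunked external command framing (`chunked 1.0,<metadata_length>,<body_length>` header, JSON metadata, CSV body) driven by a simulated splunkd. The ShoutCommand and the host/count rows are constructed; the point is that the script is invoked once for getinfo and then once per execute chunk, so per-invocation start-up latency is paid on every round trip.

```python
import csv, io, json

def read_chunk(stream):
    """Read one frame: 'chunked 1.0,<meta_len>,<body_len>\\n' + JSON metadata + body."""
    header = stream.readline()
    if not header:
        return None, None
    _tag, meta_len, body_len = header.decode().strip().split(",")
    meta = json.loads(stream.read(int(meta_len)).decode())
    body = stream.read(int(body_len)).decode()
    return meta, body

def write_chunk(meta, body=""):
    m, b = json.dumps(meta).encode(), body.encode()
    return b"chunked 1.0,%d,%d\n" % (len(m), len(b)) + m + b

class ShoutCommand:
    """Toy streaming command (constructed): adds shout=upper(host) and records every action received."""
    def __init__(self):
        self.calls = []
    def handle(self, meta, body):
        self.calls.append(meta["action"])
        if meta["action"] == "getinfo":
            # First round trip: declare the command type and the fields execute chunks must carry.
            return {"type": "streaming", "required_fields": ["host"], "finished": False}, ""
        rows = list(csv.DictReader(io.StringIO(body)))
        for row in rows:
            row["shout"] = row.get("host", "").upper()
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()) if rows else ["shout"])
        writer.writeheader()
        writer.writerows(rows)
        return {"finished": meta.get("finished", False)}, out.getvalue()

def run_exchange(request_chunks):
    """Simulate splunkd feeding the script getinfo, then one execute per results chunk."""
    cmd, stream, responses = ShoutCommand(), io.BytesIO(b"".join(request_chunks)), []
    while True:
        meta, body = read_chunk(stream)
        if meta is None:
            break
        responses.append(cmd.handle(meta, body))
    return cmd.calls, responses

def demo():
    requests = [write_chunk({"action": "getinfo", "preview": False}),
                write_chunk({"action": "execute", "finished": False}, "host,count\r\nidx1,3\r\n"),
                write_chunk({"action": "execute", "finished": True}, "host,count\r\nidx2,5\r\n")]
    return run_exchange(requests)
```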
I had this same problem so I thought I would share. For me, I was dealing with a clustered Environment. I went and looked at Splunkd.log and saw a bunch of messages like network unreachable and could not connect to peer etc.  Turned out Splunkd was down.  Restarted Splunkd on the CM and it reconnected. Hope that helps someone in the future.
@gcusello , Yes they're windows events...
The JS is implemented through an external file, colorFormat.js. I have overwritten that file, but for some of my users they are getting the old file run instead of the new one. Which in my mind doesn't make sense, because how would Splunk still have that code, since I have overwritten it?
11/06/2023 23:57:02 +1100, info_min_time=1699189200.000, info_max_time=1700571600.000, info_search_time=1700625838.094, foo=3, Mixed=0, CaseQty=64, OrderId=52128969634, TrayQty=35, Location="DEP/AutoDep03", Dimension=2, TrayError=3, OrientationError=1, ProtrusionError=0, CaseTypeId=6210, WidthError=2, reporttype=DepTrayCaseQty, OffCentreError=0, HeightError=0, LengthError=0, PalletLayers=4
OrderId = 52128969634 | host = MSRDC-BPI | source = D:\Splunk\var\spool\splunk\d0d3783e41cf130c_events.stash_new | sourcetype = stash
=====================================================================
11/06/2023 23:57:02 +1100, search_name="File Collector: DepTrayCaseQty", search_now=1699279200.000, info_min_time=1699189200.000, info_max_time=1699275600.000, info_search_time=1699279202.226, foo=2, Mixed=0, CaseQty=29, OrderId=52128969634, TrayQty=17, Location="DEP/AutoDep03", Dimension=2, TrayError=2, OrientationError=0, ProtrusionError=0, CaseTypeId=6210, WidthError=2, reporttype=DepTrayCaseQty, OffCentreError=0, HeightError=0, LengthError=0, PalletLayers=4
OrderId = 52128969634 | host = MSRDC-BPI | source = File Collector: DepTrayCaseQty | sourcetype = stash
=================================================================
11/06/2023 23:57:02 +1100, info_min_time=1699189200.000, info_max_time=1700398800.000, info_search_time=1700618994.511, foo=3, Mixed=0, CaseQty=64, OrderId=52128969634, TrayQty=35, Location="DEP/AutoDep03", Dimension=2, TrayError=3, OrientationError=1, ProtrusionError=0, CaseTypeId=6210, WidthError=2, reporttype=DepTrayCaseQty, OffCentreError=0, HeightError=0, LengthError=0, PalletLayers=4
OrderId = 52128969634 | host = MSRDC-BPI | source = D:\Splunk\var\spool\splunk\adb0f8d721bf93e3_events.stash_new | sourcetype = stash
Rather than pasting pictures, please paste 3 "duplicated" raw events into a code block </>
Hi @AL3Z, are they Windows events? If yes, you can blacklist them; if not, you cannot blacklist them in inputs.conf. Then you have to check if the regex I shared is correct or too broad; for this reason I asked you to also share events not to discard. Ciao. Giuseppe