All Posts
So, top does not take NULL into account for total and percentage? Is there a way top can take NULL into consideration? @ITWhisperer
Hi @Marcin.Kluzek, Just confirming your post is live. Let's see if the Community can jump in and help. You may also reach out to Support if the problem is urgent. How do I submit a Support ticket? An FAQ 
Hello, I have a table that shows vulnerabilities by asset name and severity level. For example, I have an asset name that has 3 critical, 2 high, 3 medium, and 1 low. Now what I want to do is be able to just click on the field critical and just be able to show those critical vulnerabilities for that asset name and so on. I am not sure if that requires a condition and how that is set up or if it just requires a simple drill-down. Can someone please help?  
@ITWhisperer I will try this by tomorrow when I am on my machine as a workaround. I am still not figuring out from where the two extra stash files were created. Please help me to identify those things. What do I need to check? I have checked the audit index logs and internal index logs but I have found nothing.
Those two fields have different meanings, so use the one that applies to your use case(s). NewProcessName is more common, IME, but both may be useful.
Assuming _time and OrderId uniquely identify events in the search and summary index, try something like this:

index=ABC (sourcetype=DepTsuEventTrackingUpdate DepTsuEventTrackingUpdate.LocationQualifiedName=Tray* DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason!=null AND DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason!="TsuUnknownContent") OR (sourcetype=DepTsuEventContentMove)
| foreach *.OrderId [| eval OrderId=coalesce('OrderId','<<FIELD>>')]
| replace ProtrusionFront with Protrusion , ProtrusionBack with Protrusion , ProtrusionLeft with Protrusion , ProtrusionRight with Protrusion , ProtrusionTop with Protrusion
| rename DepTsuEventTrackingUpdate.TsuSuspect.CheckResult.CheckType as Error DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason as TsuSuspectReason DepTsuEventContentMove.SenderFmInstanceName as Location DepTsuEventTrackingUpdate.TsuId as TsuId DepTsuEventContentMove.TsuContent.Quantity as Quantity DepTsuEventContentMove.LocationQualifiedName as TrayLoad DepTsuEventContentMove.TsuContent.CaseTypeId as CaseTypeId
| eval OrientationError=if(Error="Orientation","1","0") , ProtrusionError=if(Error="Protrusion","1","0") , LengthError=if(Error="Length","1","0") , WidthError=if(Error="Width","1","0") , HeightError=if(Error="Height","1","0") , OffCentreError=if(Error="OffCentre","1","0")
| eval DimensionError=if(LengthError>0 OR WidthError>0 OR HeightError>0, "1","0")
| eval ErrorQty=(OrientationError+ProtrusionError+DimensionError+OffCentreError) , TrayError=(OrientationError+ProtrusionError+LengthError+WidthError+HeightError+OffCentreError) , TrayError=if(TrayError>0,"1",null)
| eval Dimension=if(DimensionError>0 AND ErrorQty="1" ,"1","0") , Orientation=if(OrientationError="1" AND ErrorQty="1","1","0") , Protrusion=if(ProtrusionError="1" AND ErrorQty="1","1","0") , Length=if(LengthError="1" AND ErrorQty="1","1","0") , Width=if(WidthError="1" AND ErrorQty="1","1","0") , Height=if(HeightError="1" AND ErrorQty="1","1","0") , OffCentre=if(OffCentreError="1" AND ErrorQty="1","1","0") , Mixed=if(Dimension="0" AND ErrorQty>1,"1","0")
| eval Layer=if(TrayLoad="PalletInPosition","1",null) , CaseQty=if(TrayLoad="TrayLoad1" OR TrayLoad="TrayLoad2",Quantity,null) , Tray=if(TrayLoad="TrayLoad1" OR TrayLoad="TrayLoad2","1",null)
| stats min(_time) as _time values(Location) as Location sum(Layer) as PalletLayers sum(Tray) as TrayQty sum(CaseQty) as CaseQty sum(TrayError) as TrayError sum(Orientation) as OrientationError sum(Length) as LengthError sum(Width) as WidthError sum(Height) as HeightError sum(Protrusion) as ProtrusionError sum(OffCentre) as OffCentreError sum(Dimension) as Dimension sum(Mixed) as Mixed values(CaseTypeId) as CaseTypeId by OrderId
| eval reporttype="DepTrayCaseQty"
| eval foo=Dimension+Mixed+OrientationError+ProtrusionError+OffCentreError
| table _time reporttype OrderId CaseTypeId Location PalletLayers TrayQty CaseQty TrayError foo Dimension Mixed OrientationError LengthError WidthError HeightError ProtrusionError OffCentreError
| where isnotnull(CaseQty)
| eval flag=1
| append [search index=analyst | eval flag=2]
| eventstats sum(flag) as flags by _time OrderId
| where flags = 1
| fields - flag flags
| collect index=analyst
Hi @AL3Z, both the approaches are correct. Ciao. Giuseppe
Hi @Jose.Macias, Did the information I sent you via PM last week help?
Hi @Ajith.Kumar, If the Community does not jump in and help, you can try contacting Sales here for further help. https://www.appdynamics.com/company/contact-us
What if Program.exe is present in both NewProcessName and ParentProcessName? Which one do we need to apply the regex to?
IIRC Splunk Stream doesn't have truncation settings and this ends up being caught by the truncation settings for your sourcetype within props.conf. Can you share what your stanza is for your sourcetype? Is TRUNCATE=1000000? You might need to change to TRUNCATE=0 to force Splunk to include all of the event.
@ITWhisperer Thanks for sharing that valuable video. I have a question: consider my search below, which I am using to append the result to a summary index. But here I am not using any subsearches, so where can I use your suggested workaround?

index=ABC (sourcetype=DepTsuEventTrackingUpdate DepTsuEventTrackingUpdate.LocationQualifiedName=Tray* DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason!=null AND DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason!="TsuUnknownContent") OR (sourcetype=DepTsuEventContentMove)
| foreach *.OrderId [| eval OrderId=coalesce('OrderId','<<FIELD>>')]
| replace ProtrusionFront with Protrusion , ProtrusionBack with Protrusion , ProtrusionLeft with Protrusion , ProtrusionRight with Protrusion , ProtrusionTop with Protrusion
| rename DepTsuEventTrackingUpdate.TsuSuspect.CheckResult.CheckType as Error DepTsuEventTrackingUpdate.TsuSuspect.TsuSuspectReason as TsuSuspectReason DepTsuEventContentMove.SenderFmInstanceName as Location DepTsuEventTrackingUpdate.TsuId as TsuId DepTsuEventContentMove.TsuContent.Quantity as Quantity DepTsuEventContentMove.LocationQualifiedName as TrayLoad DepTsuEventContentMove.TsuContent.CaseTypeId as CaseTypeId
| eval OrientationError=if(Error="Orientation","1","0") , ProtrusionError=if(Error="Protrusion","1","0") , LengthError=if(Error="Length","1","0") , WidthError=if(Error="Width","1","0") , HeightError=if(Error="Height","1","0") , OffCentreError=if(Error="OffCentre","1","0")
| eval DimensionError=if(LengthError>0 OR WidthError>0 OR HeightError>0, "1","0")
| eval ErrorQty=(OrientationError+ProtrusionError+DimensionError+OffCentreError) , TrayError=(OrientationError+ProtrusionError+LengthError+WidthError+HeightError+OffCentreError) , TrayError=if(TrayError>0,"1",null)
| eval Dimension=if(DimensionError>0 AND ErrorQty="1" ,"1","0") , Orientation=if(OrientationError="1" AND ErrorQty="1","1","0") , Protrusion=if(ProtrusionError="1" AND ErrorQty="1","1","0") , Length=if(LengthError="1" AND ErrorQty="1","1","0") , Width=if(WidthError="1" AND ErrorQty="1","1","0") , Height=if(HeightError="1" AND ErrorQty="1","1","0") , OffCentre=if(OffCentreError="1" AND ErrorQty="1","1","0") , Mixed=if(Dimension="0" AND ErrorQty>1,"1","0")
| eval Layer=if(TrayLoad="PalletInPosition","1",null) , CaseQty=if(TrayLoad="TrayLoad1" OR TrayLoad="TrayLoad2",Quantity,null) , Tray=if(TrayLoad="TrayLoad1" OR TrayLoad="TrayLoad2","1",null)
| stats min(_time) as _time values(Location) as Location sum(Layer) as PalletLayers sum(Tray) as TrayQty sum(CaseQty) as CaseQty sum(TrayError) as TrayError sum(Orientation) as OrientationError sum(Length) as LengthError sum(Width) as WidthError sum(Height) as HeightError sum(Protrusion) as ProtrusionError sum(OffCentre) as OffCentreError sum(Dimension) as Dimension sum(Mixed) as Mixed values(CaseTypeId) as CaseTypeId by OrderId
| eval reporttype="DepTrayCaseQty"
| eval foo=Dimension+Mixed+OrientationError+ProtrusionError+OffCentreError
| table _time reporttype OrderId CaseTypeId Location PalletLayers TrayQty CaseQty TrayError foo Dimension Mixed OrientationError LengthError WidthError HeightError ProtrusionError OffCentreError
| where isnotnull(CaseQty)
| collect index=analyst
You're looking in the wrong place. You can _tell_ Splunk to use a proxy server if it wants to connect to the internet (but to make things more complicated, the main setting might not work for some modular inputs so you'd have to specify proxy settings in specific app's settings as well). But you can't tell Splunk to _not_ connect anywhere. Remember that Splunk does work by connecting various components over the network so it must be using the network. And if you write an input/output/external lookup/custom command which will connect to external services it will try to do so. You should handle this on the OS/network level by managing host firewall rules on Splunk servers and firewall filters on your network devices. The things that can be managed in Splunk's own config are:
- telemetry settings
- update checks/app installs
- Splunk Secure Gateway
You incorrectly assumed that just because you didn't provide the year, month and day parts, your strptime will use zero values. It didn't. Strptime uses zero values for time but "current" values for date if you don't provide them in your time spec. So if you try to strptime() just hours and minutes, it will indeed use zero seconds but will parse today's date with it. So obviously your numerical timestamp will be way way way more than you wanted. You can either, as @ITWhisperer suggested, parse the duration manually, or do a very ugly hack (all time-manipulation hacks are dirty and ugly) by supplying the Epoch date as your "base" for strptime and of course telling strptime that it's in UTC (otherwise you'll get your timestamp parsed as being in your local timezone). The more you look, the uglier it gets.
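The three behaviours described in that reply (missing date parts filled with today's date, manual parsing of the duration, and the epoch-base hack that only works when the parser is told the input is UTC) can be seen side by side in Python. This is an added example, not code from the post or from Splunk; Python's own strptime fills missing date parts with 1900-01-01 rather than today's date, so the "today" behaviour is simulated explicitly and labelled as such, and all function names and the sample "01:30" input are constructed for the example.

```python
from datetime import datetime, timezone


def duration_seconds_manual(hhmm: str) -> int:
    """Parse 'HH:MM' or 'HH:MM:SS' as a duration with plain arithmetic.

    No date is involved, so there is nothing for a time parser to fill in.
    """
    parts = [int(p) for p in hhmm.split(":")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"expected HH:MM or HH:MM:SS, got {hhmm!r}")
    while len(parts) < 3:
        parts.append(0)
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds


def duration_seconds_epoch_base(hhmm: str) -> int:
    """The 'ugly hack': prepend the Unix epoch date and declare UTC explicitly.

    Because the base date is 1970-01-01 and the zone is UTC, the resulting
    Unix timestamp equals the duration in seconds.
    """
    dt = datetime.strptime("1970-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def duration_seconds_epoch_base_local(hhmm: str) -> int:
    """Same hack without the UTC declaration: a naive datetime is interpreted
    in the local timezone, so the result is shifted by the local UTC offset.
    """
    dt = datetime.strptime("1970-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return int(dt.timestamp())  # naive -> local timezone assumed


def simulated_today_parse(hhmm: str) -> int:
    """Simulation (constructed for this example) of a parser that fills the
    missing date with today's date: the timestamp lands in the present,
    not near zero, which is the 'way more than you wanted' pitfall.
    """
    today = datetime.now(timezone.utc).date()
    t = datetime.strptime(hhmm, "%H:%M").time()
    return int(datetime.combine(today, t, tzinfo=timezone.utc).timestamp())


def local_offset_seconds(hhmm: str) -> int:
    """How far the non-UTC hack drifts from the true duration on this host."""
    return duration_seconds_epoch_base_local(hhmm) - duration_seconds_epoch_base(hhmm)


if __name__ == "__main__":
    sample = "01:30"  # constructed input: a duration of 1 h 30 min
    print("manual        :", duration_seconds_manual(sample))
    print("epoch base UTC:", duration_seconds_epoch_base(sample))
    print("epoch base local (drift):", local_offset_seconds(sample))
    print("today-filled  :", simulated_today_parse(sample))
```

On a host whose local timezone is not UTC, `local_offset_seconds` is non-zero, which is exactly why the reply insists on telling the parser the input is UTC; the manual arithmetic never depends on the host's zone at all.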
@gcusello , Is this regex going to exclude all the Windows events starting with this "\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>", right? By the way, my intention is to exclude all the security tool events specific to EventCode 4688, e.g. Tanium, Splunk, Windows Defender etc. Can we whitelist all the Windows events like C:\\ Windows\\*? We need to ingest all the Windows events like e.g. cmd.exe, reg.exe etc. Thanks.
Hi @AL3Z, if you want to discard the four samples you shared in the original question but not the last one, the above regex is correct, as you can check at https://regex101.com/r/x5zuYc/1 Ciao. Giuseppe
@gcusello , These are the events which I want to exclude:

<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data>

<Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>

<Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumFileInfo.exe</Data>
<Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe</Data>

<Data Name='NewProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseCnCProxy.exe</Data>
<Data Name='ParentProcessName'>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\MsSense.exe</Data>
Hi @AL3Z, ok, I'm not sure that the regex I shared is ok for you: you shared events to discard, but I also need events to not discard, could you share them? Ciao. Giuseppe
Looking at the info times shows that the events were added by different searches. These appear to have been executed on the 22nd, with different time spans, 5th - 19th and 5th - 21st. These are the searches which have duplicated your events. I did a BSides presentation a year or so ago about making summary index reports idempotent to avoid duplicate entries: Summary Index Idempotency - Chris Kaye - YouTube
Throughout the custom search command process, splunkd and the Python script exchange metadata through a series of getinfo and execute commands. splunkd sends the getinfo command to request information, including the command type and required fields, from the Python script. splunkd sends a separate execute command for each chunk of search results in the pipeline. So what you're seeing is the getinfo step. As far as I know there's no way to disable it or easily shorten it. This also means that any latency that your script has will be doubled and given to the next person. Great stuff. It looks to me like Splunk doesn't care about custom search commands and the feature is pretty much unmaintained. This is understandable of course, since it's only a small, young company, run by amateurs with only a few resources to spare.