Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
11-22-2023
06:05 AM
Hi @anooshac, my sample is a sample without any logic except the one you described. So the order of values isn't relevant and can also be different. If you have many values, I hint to use a lookup...
See more...
Hi @anooshac, my sample is a sample without any logic except the one you described. So the order of values isn't relevant and can also be different. If you have many values, I hint to use a lookup. Ciao. Giuseppe
11-22-2023
06:03 AM
1 Karma
Hello David in General, AppDynamics Different components uses MySQL Databases , not centralized but with each component (each controller has it's MySQL database, enterprise console has its database,...
See more...
Hello David in General, AppDynamics Different components uses MySQL Databases , not centralized but with each component (each controller has it's MySQL database, enterprise console has its database, EUM too, etc.) check the bundled Database Controller Component Versions (appdynamics.com) you don't have to be super MySQL admin, but mandatory to write down the admin user and password as support will need it for any support issues, also you will find here how to backup and restore the bundled Database Controller Data Backup and Restore (appdynamics.com) Database agent is the agent that monitor different Databases. that you application work with. remotely connected to these Databases through JDBC connection, and run queries to get the performance data about each , you can find here the supportability matrix Database Visibility Supported Environments (appdynamics.com) BR
11-22-2023
06:02 AM
1 Karma
Hi @Jack90, answering to your questions: 1) roles aren't distributed between Splunk servers and you have to manually populate them. Anyway, remember that it's mandatory to create roles on Search ...
See more...
Hi @Jack90, answering to your questions: 1) roles aren't distributed between Splunk servers and you have to manually populate them. Anyway, remember that it's mandatory to create roles on Search Heads and Indexers, not on the other servers. 2) I didn't see best practices for roles creations, I give you only one hint:avoid to use hineritance, because you could have features and grants that you could not want. 3) you can create roles using GUI or conf files, it's the same thing: i prefer GUI to avoid syntax errors. you can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/UseaccesscontroltosecureSplunkdata and https://lantern.splunk.com/Splunk_Success_Framework/People_Management/Setting_roles_and_responsibilities Ciao. Giuseppe
11-22-2023
05:55 AM
The link provided is to this question, not to any documentation. If the TA is already installed on the indexers then you have what you need. Just install the same TA on the forwarders.
11-22-2023
05:44 AM
i have setup splunk on my local and now trying to connect to it via java code what i see is Service.connect() step passes but further when i try to create the search job jobs.create(mySearch);...
See more...
i have setup splunk on my local and now trying to connect to it via java code what i see is Service.connect() step passes but further when i try to create the search job jobs.create(mySearch);
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import com.splunk.Application;
import com.splunk.Service;
import com.splunk.ServiceArgs;
import com.splunk.*;
import com.splunk.HttpService;
import com.splunk.SSLSecurityProtocol;
/**
* Log in using an authentication token
*/
public class SplunkTest {
static Service service = null;
/**
* Authentication Token.
* Actual token length would be longer than this token length.
* @throws IOException
* @throws `
*/
//static String token = "1k_Ostpl6NBe4iVQ5d6I3Ohla_U5";
public static void main(String args[]) throws InterruptedException, IOException {
HttpService.setSslSecurityProtocol( SSLSecurityProtocol.TLSv1_2 );
String token = "REDACTED";
ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setPort(8089);
loginArgs.setHost("localhost");
loginArgs.setScheme("https");
loginArgs.setToken(String.format("Bearer %s", token));
// Initialize the SDK client
service = Service.connect(loginArgs);
System.out.println(service.getHost());
System.out.println("connected successfully");
JobCollection jobs = service.getJobs();
//System.out.println("There are " + jobs.size() + " jobs available to 'admin'\n");
// Create a simple search job
String mySearch = "search * | head 5";
// Retrieves the collection of search jobs
//JobCollection jobs = service.getJobs();
// Creates a search job
Job job1 = jobs.create(mySearch);
Labels
- Labels:
-
search
-
troubleshooting
11-22-2023
05:32 AM
1 Karma
Here are my findings from a case I opened on this issue a while back. This fixed it for me. Splunk verifies the TLS certificates using SHA-1 cryptography. The default policy on the Linux server need...
See more...
Here are my findings from a case I opened on this issue a while back. This fixed it for me. Splunk verifies the TLS certificates using SHA-1 cryptography. The default policy on the Linux server needed to be updated to SHA-1. update-crypto-policies --set DEFAULT:SHA1 https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
11-22-2023
05:17 AM
Here is a sample dashboard showing how to set the colours for the pie charts using CSS - note that the order of the pie charts in the trellis is assumed to be fixed. <row>
<panel depends="$alw...
See more...
Here is a sample dashboard showing how to set the colours for the pie charts using CSS - note that the order of the pie charts in the trellis is assumed to be fixed. <row>
<panel depends="$alwayshide$">
<html>
<style>
#trellis_pie div.facets-container div.viz-panel:nth-child(1) g.highcharts-series path
{
fill: red !important;
}
#trellis_pie div.facets-container div.viz-panel:nth-child(2) g.highcharts-series path
{
fill: green !important;
}
#trellis_pie div.facets-container div.viz-panel:nth-child(3) g.highcharts-series path
{
fill: blue !important;
}
#trellis_pie div.facets-container div.viz-panel:nth-child(4) g.highcharts-series path
{
fill: yellow !important;
}
</style>
</html>
</panel>
<panel>
<chart id="trellis_pie">
<search>
<query>| makeresults count=100
| fields - _time
| eval Computer_Name=mvindex(split("ABCDE",""),random()%5).mvindex(split("ABCDE",""),random()%5)
| eval Category__Names_of_Patches=mvindex(split("XYZ",""),random()%3)
| stats count(Category__Names_of_Patches) as totalNumberOfPatches by Computer_Name
| eval exposure_level = case(
totalNumberOfPatches >= 1 AND totalNumberOfPatches <= 5, "Low Exposure",
totalNumberOfPatches >= 6 AND totalNumberOfPatches <= 9, "Medium Exposure",
totalNumberOfPatches >= 10, "High Exposure",
totalNumberOfPatches == 0, "Compliant",
1=1, "<not reported>"
)
| stats sum(totalNumberOfPatches) as total by exposure_level
| eval category=exposure_level
| xyseries category exposure_level total</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">none</option>
<option name="trellis.enabled">1</option>
</chart>
</panel>
</row>
11-22-2023
05:09 AM
I am working on a playbook and I'm facing a challenge in synchronizing and comparing the outputs from two different actions, in particular domain reputation checks via VirusTotal and Cisco Umbrella a...
See more...
I am working on a playbook and I'm facing a challenge in synchronizing and comparing the outputs from two different actions, in particular domain reputation checks via VirusTotal and Cisco Umbrella apps, executed on multiple artifacts within a container. (the mentioned apps are just an example) Below the two challanges that I'm facing: Synchronizing and Comparing Action Outputs: my main issue is obtaining an output that allows me to verify and compare which IOCs have been flagged as malicious by both the VirusTotal and Cisco Umbrella apps. The current setup involves running both actions on each artifact in the container, but I'm struggling with how to effectively gather and compare these results to determine which IOCs are considered high-risk (flagged by both apps) versus low-risk (flagged by only one app). Filtering Logic Limitation in Splunk SOAR: Another issue is that the SOAR filtering logic is applied at the container level, not at the individual artifact level. This is problematic when a container has multiple IOCs, as benign IOCs might get included in the final analysis even after the application of the filter. I need an effective method to ensure that only artifacts identified as potentially malicious are shown for the final output. Below an example of the scenario and the desired output: - A container contains multiple artifacts. - Actions executed: VirusTotal and Cisco Umbrella reputation checks on all artifacts. - Expected Output: A list or a summary indicating which artifacts are flagged as malicious by both apps, which would be classified as high-risk, and which are flagged by only one app, classified as low-risk. I am looking for advice on how to structure the playbook to efficiently filter and analyze these artifacts, ensuring accurate severity assessment based on the action of the app results. Do you have any insights, examples, or best practices on how to define the filtering logic and analysis process in Splunk SOAR? Thank you for your help
Labels
- Labels:
-
development
-
using SOAR ⁄ Phantom
11-22-2023
05:01 AM
Hello, I manage Splunk hybrid (cloud SH, on-premise DS, HF etc). I have task to create custom roles and R-B-A-C. I have few questions and I would be thankful if you could help me clarify that: 1) ...
See more...
Hello, I manage Splunk hybrid (cloud SH, on-premise DS, HF etc). I have task to create custom roles and R-B-A-C. I have few questions and I would be thankful if you could help me clarify that: 1) Do the custom roles populate between Splunk instances? Example, if I create role at cloud SH, will it populate automatically to other cloud SH and on-premise DS? Or do I have to create manually roles and assign users everywhere? 2) Is there a set of Splunk best practices for roles creation? 3) What is the difference if I create roles at web GUI vs backend (at on-prem instances)? Is the final result the same?
Labels
- Labels:
-
permissions
11-22-2023
04:59 AM
The sort is unnecessary. By default Splunk returns results in reverse chronological order so they are sorted (ok, the other way around but it's not that much of a problem). Transaction might indeed ...
See more...
The sort is unnecessary. By default Splunk returns results in reverse chronological order so they are sorted (ok, the other way around but it's not that much of a problem). Transaction might indeed work but you have to remember that transaction is a tricky command because it's resource-intensive and has its limitations.
11-22-2023
04:44 AM
Splunk Enterprise (shows the correct version) automatically redirects to Splunk cloud (Unknown_version) post logging in again. Is there any way to stop this redirect?
11-22-2023
04:23 AM
sorry , category = exposure_level
11-22-2023
04:23 AM
Where is category coming from? You only have totalNumberOfPatches, Computer_Name and exposure_level
11-22-2023
04:18 AM
exactly and will show the number of the count for the specific category
11-22-2023
04:17 AM
So, each pie chart would be all one colour?
11-22-2023
04:15 AM
Are you wanting a separate pie chart for each exposure level or a single pie chart where all the counts for each exposure level are combined?
11-22-2023
04:11 AM
You need to add (or subtract) the timezone offset from the times. To do this, you should parse the time strings to epoch datetimes with strptime(), change the time appropriately, and then reformat t...
See more...
You need to add (or subtract) the timezone offset from the times. To do this, you should parse the time strings to epoch datetimes with strptime(), change the time appropriately, and then reformat them with strftime().
11-22-2023
04:10 AM
Thanks It looks better I just want to color the pie in different colors so : "Low Exposure" - blue "Medium Exposure" - yellow "High Exposure" - red "Compliant" - green <not reported> - gra...
See more...
Thanks It looks better I just want to color the pie in different colors so : "Low Exposure" - blue "Medium Exposure" - yellow "High Exposure" - red "Compliant" - green <not reported> - gray I couldn't find an option to do it
11-22-2023
04:06 AM
Hi, I want to find out how many license warnings there is in the current 60 day rolling window. Why is there not an easy way to find this? Surely this should be included in the license usage report? ...
See more...
Hi, I want to find out how many license warnings there is in the current 60 day rolling window. Why is there not an easy way to find this? Surely this should be included in the license usage report? regards, Knut
Labels
- Labels:
-
using Splunk Enterprise
