First count the number of recipients, then filter out those with fewer than 10.

| eventstats dc(emailID) as msg_count by recip
| where msg_count >= 10
| stats dc(emailID) as email_count
I don't know why Splunk is not matching that event. The regex looks good to me. Perhaps try without the groups? It shouldn't matter, but perhaps it will and the groups are not necessary.
Has anyone been successful logging command execution events on RedHat and having them sent to Splunk via rsyslog? The logs get written to tty, but they are not making their way to our HF. We can easily log all of auditd and system events, but nothing for command execution.
@richgalloway, when I try to apply this blacklist it is not getting blacklisted, even after applying a matching regex pattern:

blacklist3 = EventCode="4688" Message="(?:ParentProcessName).+(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe)"

https://regex101.com/r/Jq2IKb/1 What changes do we need here? Thanks.
Hello, why does a long base search not work in a drop-down list? For example, if the base query on id="StudentName" has a long search ("Request-URI Too long"), the drop-down search did not populate, but it worked just fine on the pie chart. Please help. Thank you so much.

<search id="StudentName">
  <query>index=test</query>
  <earliest>$time_token.earliest$</earliest>
  <latest>$time_token.latest$</latest>
</search>
<input type="dropdown" token="StudentTok">
  <label>Student Name</label>
  <fieldForLabel>studentname</fieldForLabel>
  <fieldForValue>studentname</fieldForValue>
  <search base="StudentName">
    <query>| head 10</query>
  </search>
</input>
How do I count the number of unique recipients of each type of unique attachment from emails? The same user could receive the same attachment in multiple emails. Using the "dedup" command?
For daily count > 4 per user, do this:

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| regex user="[^\"]+@[^\"]+"
| bucket _time span=1d
| stats count by user src _time
| where count > 4
| stats sum(count) as count by user
| sort -count
Try something like this (assuming this pattern matches your valid user ids!):

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| regex user="[^\"]+@[^\"]+"
| bucket _time span=1d
| stats count by user src _time
| stats sum(count) as count by user
| sort -count
I also found the max_matches keyword to be added in transforms.conf, but this has an upper limit of 1000. I need more... Refer: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#Lookup_tables
Hi, I am using an external lookup to basically run a Python script which makes an API call and returns the results using a csv.DictWriter to sys.stdout. There are around 1250 rows being written to the console, but only the first 100 rows are being shown in Splunk. How can I disable this 100-row limit on external lookups? Thank you and have a nice day. Best,
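The stdin/stdout contract an external lookup script has to follow, as an added example that is not the poster's script and not Splunk's own code. The API call is replaced by a constructed in-memory table so it runs offline; the stanza name my_api_lookup, the script name and the field names key/value are hypothetical. The one-to-many expansion in run_lookup is the case that the max_matches setting in transforms.conf caps, so the script is the right place to check how many rows per input value you are actually emitting.

```python
#!/usr/bin/env python3
"""
Added example (not the original poster's script): the stdin/stdout protocol
for a Splunk external lookup, with the real API call stubbed out.

Splunk invokes the script named in transforms.conf, for example
    [my_api_lookup]                      # hypothetical stanza name
    external_cmd   = my_api_lookup.py key value
    fields_list    = key, value
    python.version = python3
and pipes a CSV to stdin whose header row is fields_list. Input rows carry the
lookup key populated and the output field empty; the script writes a CSV with
the same header to stdout, emitting one row per match for each input row.
"""
import csv
import sys

# Constructed stand-in for the API response (not real data). One key can map
# to several values, which is the one-to-many case max_matches limits.
FAKE_API = {
    "k1": ["v1", "v2", "v3"],
    "k2": ["v4"],
}


def query_api(key):
    """Hypothetical API call; replace the dictionary lookup with the real request."""
    return FAKE_API.get(key, [])


def run_lookup(rows, key_field="key", value_field="value"):
    """Expand each input row into one output row per API match.

    The key field is copied through unchanged so Splunk can join the result
    back to the event; rows with no match produce no output, as in a normal
    lookup. Returns a list of dicts with the same columns as the input.
    """
    out = []
    for row in rows:
        for value in query_api(row.get(key_field, "")):
            new_row = dict(row)
            new_row[value_field] = value
            out.append(new_row)
    return out


def main(stdin=sys.stdin, stdout=sys.stdout):
    """Read the CSV Splunk sends, write the expanded CSV back, same header."""
    reader = csv.DictReader(stdin)
    header = reader.fieldnames or ["key", "value"]
    writer = csv.DictWriter(stdout, fieldnames=header)
    writer.writeheader()
    for new_row in run_lookup(reader):
        writer.writerow(new_row)
    stdout.flush()


if __name__ == "__main__":
    main()
```

To exercise it outside Splunk, pipe a two-line CSV in: `printf 'key,value\nk1,\n' | python3 my_api_lookup.py key value` should print the header followed by three rows for k1.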
We are configuring for brute force login attempts, failures obviously. Here is the search string we have put together, as we are working from TAs coming from Splunkbase.

index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| bucket _time span=1d
| stats count by user src _time
| stats sum(count) as count by user
| sort -count

The list is coming back with all sorts of combinations as listed already. I'm attempting to exclude IDs such as USERNAME or host/* as they don't make any sense. I can't post much publicly, but you get the idea.
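The threshold logic from the two "daily count > 4 per user" answers above and this search, re-implemented as an added example (not from any of the posts) over constructed events so the bucketing and exclusion steps can be checked outside Splunk. It assumes the TAs have already CIM-normalised the events into action, user, src and _time (epoch seconds), and it uses the same "something@something" pattern the answers use for a valid user id; the sample events and the 10.0.0.x addresses are constructed. It also shows why the two variants differ: the `where count > 4` step applies per (user, src, day), so a user whose failures are spread across sources with at most 4 each never appears.

```python
"""
Added example, not from the original posts: the failed-login threshold search
expressed in plain Python over constructed, already-normalised events.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan"
# user!="host/WS Authentication" user!=USERNAME
EXCLUDED_EXACT = {"", "sec-gsa-scan", "host/WS Authentication", "USERNAME"}
EXCLUDED_PREFIX = ("USX",)
EXCLUDED_SUFFIX = ("@domanname",)
# | regex user="[^\"]+@[^\"]+"   (assumed to be the shape of a valid user id)
VALID_USER = re.compile(r'[^"]+@[^"]+')
# action=fail* OR action=block*
ACTION = re.compile(r"^(fail|block)")


def keep_event(ev):
    """Apply the search's action filter and user exclusions to one event."""
    if not ACTION.match(ev.get("action", "")):
        return False
    user = ev.get("user", "")
    if user in EXCLUDED_EXACT:
        return False
    if user.startswith(EXCLUDED_PREFIX) or user.endswith(EXCLUDED_SUFFIX):
        return False
    return VALID_USER.search(user) is not None


def day_bucket(epoch):
    """bucket _time span=1d: floor to a calendar day (UTC here; Splunk uses the search time zone)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def failures_by_user(events, threshold=4):
    """
    stats count by user src _time | where count > threshold
    | stats sum(count) as count by user | sort -count

    Returns {user: total failures from the (src, day) pairs that exceeded threshold},
    highest first. Pairs at or below the threshold contribute nothing.
    """
    per_combo = defaultdict(int)
    for ev in events:
        if keep_event(ev):
            per_combo[(ev["user"], ev["src"], day_bucket(ev["_time"]))] += 1
    totals = defaultdict(int)
    for (user, _src, _day), n in per_combo.items():
        if n > threshold:
            totals[user] += n
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample events (not real data); all fall inside one UTC day.
BASE = 1_700_000_000
SAMPLE_EVENTS = (
    # alice: 6 failures from one source -> exceeds 4 for that (src, day)
    [{"action": "failure", "user": "alice@example.com", "src": "10.0.0.5", "_time": BASE + i * 60} for i in range(6)]
    # bob: 6 failures total but only 3 per source -> never exceeds 4 per combo
    + [{"action": "failure", "user": "bob@example.com", "src": "10.0.0.9", "_time": BASE + i * 60} for i in range(3)]
    + [{"action": "failure", "user": "bob@example.com", "src": "10.0.0.10", "_time": BASE + i * 60} for i in range(3)]
    # noise the search excludes by user name
    + [{"action": "blocked", "user": "USX123", "src": "10.0.0.7", "_time": BASE}] * 10
    + [{"action": "failure", "user": "host/WS Authentication", "src": "10.0.0.8", "_time": BASE}] * 10
    # a success is not action=fail*/block*
    + [{"action": "success", "user": "alice@example.com", "src": "10.0.0.5", "_time": BASE}]
)

if __name__ == "__main__":
    for user, n in failures_by_user(SAMPLE_EVENTS).items():
        print(f"{user}\t{n}")
```

If you want bob to show up as well, drop the `where` step (the second answer above does exactly that) or threshold on the per-user total instead of per (user, src, day).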
Splunk supports none of those directly. You'd have to use a regex on the Message field to filter on the desired process name. The most likely candidate is NewProcessName, but that depends on what event(s) you're filtering.
Hi all, I have to ingest logs from securelog and I'm able to take and parse Linux logs, but I have an issue when parsing Windows logs: how can I connect the winlogbeat format to Splunk_TA_Windows to correctly parse events? In winlogbeat the event format is different from the normal Windows logs, so Splunk_TA_windows isn't able to parse the logs. Is there a connector, or must I manually parse winlogbeat logs to reduce them to Splunk_TA_windows logs? Thank you for your help. Ciao. Giuseppe