Hi All, I am trying to do a search to compare 2 different sources. Firstly, I created a lookup to catch some rules hitting my search. In the background, my alert is running and appending results to this csv lookup file. The lookup file also has a field which is called Explanation. What I am trying to do is a search that lets me update a row if anything is changed in the raw data. However, there is an important point. If there is no change in the raw data for the lookup field, the field in the lookup file should not change and it should keep the explanation. If not, the row should be deleted. Thank you
For some strange reason, in version 8.2.12 "ui-prefs" is not managed anymore by default. This is not much documented, as it should be!!! To get rid of it, and get back to the original UI management, we could try to edit "local/web-features.conf":

    [feature:ui_prefs_optimizations]
    optimize_ui_prefs_performance = false

But it's like playing the lottery: sometimes it works, other times not, and with new apps not at all 🤦‍ I don't think this is a good idea, changing the behaviour of the UI so drastically. Above all, it's not documented anywhere, and we had to go around the web to understand it!!!
Hi, I have this method:

    public ActionResult MethodEZ(EZDokumentJson dokument)

JsonResult:

    { "Data1": "", "Data2": null, "Data3": null, "Data4": null, "DokumentId": "dvsd-5dsafd-55555-1111-afdfas" }

I would like to ask you for help with collecting data from JsonResult. Here are my last attempts that don't work. My data collection looks like this:

    ToString().Split(string/"DokumentId": ).[1].Split(string/,).[0]
    toString().split("DokumentId").[1].split(\,).[0]

Thanks....
Why are you looking for that TA?  What problem are you trying to solve?  What documentation said to install the UF TA? If you are a Splunk Cloud customer, the UF TA is available from your Splunk Cloud search head.  Open the "Universal Forwarder" app then click the green Download button.  If you are not a Splunk Cloud customer then you probably don't need the TA, depending on the answers to the above questions.
How are you obtaining the user IDs in the first place?  Is the field not extracted properly?  Is the search not looking for the right thing?  How can Splunk distinguish a valid ID from an invalid one?
This is what worked for me. I added a TimeBucket dropdown box and created a token.

    | search cat IN ($t_endpoint$) AND Car IN ($t_car$)
    | bin _time span=$t_bin$
    | stats limit=15 sum(Numbercat) as Numbercat, avg(catTime) as AvgcatSecs by _time, Car, cat
    | eval Time=strftime(_time,"%Y-%m-%d-%I:%M %p")
    | fields - _time
    | fields Time, Numbercat
Thank you @ITWhisperer for your prompt help.
The issue is that in Splunk Enterprise 8.2.12 "ui-pref.conf" is not used anymore!!! ... and for our users this is a big problem!!! This is a thread where the issue is described, and solved: https://community.splunk.com/t5/Splunk-Enterprise/quot-ui-prefs-conf-quot-no-more-working-from-Version-7-to/m-p/669303#M17896 .
Dear Team, I installed Enterprise Security on the search head and downloaded Splunk_TA_ForIndexer from the ES General settings. Now I am stuck on the UF technology add-on: where can I find it? There is no option from the ES interface and I can't find it on the Splunkbase portal. I tried multiple search keywords on Splunkbase with no luck.
Perhaps you should tell us a bit more about what you are trying to do - since you posted this in the Splunk Search section, I presume this is part of a search, perhaps for a dashboard or a report? If so, what do you have so far?
Where do I find this, as I'm using the defaults coming out of the Windows TA?
I would use split and mvindex instead of rex (the string literal "one" must be quoted in eval, otherwise it is read as a field name):

    | eval sourcePort=if(group="one",mvindex(split(sourcePort,"."),0),sourcePort)
Sorry about that. Try this SEDCMD, instead. It does, however, make some assumptions about the order of fields.

    SEDCMD-rm-geo_protection = s/(.*\|action=Accept\|)(.*?)\|protection_type=geo_protection\|(.*?)(\|service=23.*)/\1\2|---|\3\4/
What pattern represents the valid user ids?

    (?<userid>[^\"]+@[^\"]+)

https://regex101.com/r/sn0WLe/1
| rex field=fieldA "xxx[\_\w]+:(?<res>[a-z_]+)"
Hi @jcgever , UFs can send logs only to a Splunk HF or to an Indexer; it isn't possible to send logs to a DLP to mask them and then to an HF. If you want to mask your data before indexing, you can do this in the HF, following the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Anonymizedata Ciao. Giuseppe
Hi, I'm uncertain which process name (CreatorProcessName, ParentProcessName, or NewProcessName) is the appropriate one to apply Windows event blacklisting to in this context. Thanks..
Hi @NeharikaVats , you can filter your logs before indexing following the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues You have to apply these configurations in the first Heavy Forwarder you have in your infrastructure. Ciao. Giuseppe
Hi @gwen , as you like, but by masking the information I don't think that you would reveal your confidential information. Anyway, good for you, see you next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @Splunkerninja , when launching the URL from your browser, does it reach the image or not? Ciao. Giuseppe