If I remember correctly, the alert created "normally" with a "create notable" action should work as well (although it will have less configuration options). But in order to be able to create notables the user who the alert is run with must have proper privileges within the ES app. So if an alert was created with a normal alert creation means instead of ES Content Management, the user might not be able to create notable due to insufficient permissions. (yes, I'm aware that it sounds a bit convoluted).
The CLONE_SOURCETYPE option in a transform causes Splunk to create a copy (at this moment of the ingestion pipeline, so all the state of the event at this point is retained) of the processed event, changes its sourcetype to the one specified in the CLONE_SOURCETYPE option and reingests the event back at the (almost) beginning of the pipeline (skipping the initial phases of line breaking and time recognition). See the usual https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774
CLONE_SOURCETYPE is called from a transform in the typing phase. The original event is processed without changes as if the transform containing the CLONE_SOURCETYPE option wasn't there. But the copy is moved back to the typing queue and starts the whole typing phase with a new sourcetype and triggers a completely new set of transforms according to the new sourcetype (and possibly new source and host if they were overwritten during the initial transforms run).
OK now I get it, so I need to define one more stanza in my transforms to overwrite the _TCP_ROUTING. For example:
[mydevice_overwrite_tcprouting]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = an_empty_output
Props.conf
[my_device_clone]
TRANSFORMS-deletetcprouting = mydevice_overwrite_tcprouting
Something like this? Is it possible to define an empty value in an outputs.conf? Thanks Nicolas
Hi @Nicolas2203 With the anonymized sourcetype you are overwriting the original _TCP_ROUTING with output_externalhf:
DEST_KEY = _TCP_ROUTING
FORMAT = output_externalhf
However with mydevice:clone you are *not* overwriting the existing _TCP_ROUTING, instead you are also adding _SYSLOG_ROUTING but this does not overwrite the _TCP_ROUTING. You will need to apply a transform to mydevice:clone to set _TCP_ROUTING to a blank value to prevent it using the original local_indexers output.
Did this answer help you? If so, please consider: Adding karma to show it was useful. Marking it as the solution if it resolved your issue. Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Ok so if I understand, when I clone a sourcetype, it will clone its destination too? Not sure I understand. I have some other log sources that I clone and forward to a secondary Splunk with the same clone methods: cloning the sourcetype to sourcetype:anonymized, in the transforms I applied on the cloned sourcetype some regex for anonymization, and this sourcetype is routed via _TCP_ROUTING to an output that is a heavy forwarder that routes to the secondary Splunk. For example:
Transforms.conf
[firewall_log-clone]
CLONE_SOURCETYPE = firewall_log:clone
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = output_externalhf
Props.conf
[firewall_log]
TRANSFORMS-clone = firewall_log-clone
This is working, logs are properly sent to an HF that will forward those logs to a secondary Splunk. But it's not a syslog log source, so maybe this is the difference? Thanks for the help
Like I said above, there are a million ways to do this. But you have to decide the exact behavior. In the demo dashboard I posted, I used preselect. You can edit the input to select these 4 as default selection. An alternative behavior could be a special selection that has label "all 4" and the four values as value. Implementation details will depend on how you use the token and so on. There are other alternatives. You need to be clear in describing how you want the UI to behave.
As @bowesmana diagnoses, default field extraction stops at 50K. You can change this in limits.conf. The stanza is [kv], property name is maxchars. I recommend that you fix another problem @livehybrid hinted at: you should extract the id field from the message field, not from _raw, i.e.,
| rex field=message "(SENDER|RECEIVER)\[(?<id>\d+)\]"
Note: The 10 result limit for map is a soft limit, you can go more with the maxsearches=X setting, but again, map is rarely useful. Glad you got a working solution.
Is your data JSON? If so, Splunk will only extract the first 5K of the JSON object in an event. I'm not totally sure if it has that 5k limit for other auto kv field extraction.
You could add an untable:
index=os sourcetype=ps (tag=dcv-na-himem)
NOT tag::USER="LNX_SYSTEM_USER"
| timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=false
| untable _time USER Mem_Used_GB
| where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256
| sort Mem_Used_GB desc
| head 20
Hi @jialiu907 Sorry, I took your original timechart field eval which I believe may be incorrect. I do not have test data to check this, but please can you try the following in place of the previous stats block?
| stats sum(eval(RSZ_KB/1024/1024)) as Mem_Used_GB by _time, USER
I am getting an error with the stats command after trying your query. Error in 'stats' command: The argument 'eval((sum(RSZ_KB)/1024/1024))' is invalid.
I do have access to it, it's under index=falcon with a sourcetype="crowdstrike:events:sensor or crowdstrike*". Just trying to find a foolproof way to view 100% of the hosts that have the agent installed with each of the hosts' source IP. If I could get a true and false statement saying no CrowdStrike agent is installed on the list that would be great. But sadly I'm not that versed at Splunk-fu.
I'm having issues getting this to work. I posted my search in an earlier post. I was told not to use the eval _raw line, I've tried removing it and I have used | eval msgTxt=" and it is still not working. What am I doing wrong? Please help. Thanks
Hi @Ghost It's generally not advisable to run index=* if you can avoid it. Do you know where your CrowdStrike data is being ingested, and are you able to confirm that you have access to it?
Hi @jialiu907 After you have applied your timechart you no longer have "Mem_Used_GB", as each field/column is the name of the USER containing the value. If you used "stats" instead of your "timechart" you would get the "Mem_Used_GB" column, however you won't get the _time element in. It isn't clear what your use case is, but if you use bin and stats you might get the desired outcome?
index=os sourcetype=ps (tag=dcv-na-himem)
NOT tag::USER="LNX_SYSTEM_USER"
| bin span=1m _time
| stats sum(eval(RSZ_KB/1024/1024)) as Mem_Used_GB by _time, USER
| where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256
| sort Mem_Used_GB desc
| head 20
Hello, I got tasked with finding all hosts that didn't have the CrowdStrike agent installed and I'm running into problems with my searches. I've used the following: "CSFalconservice.exe | stats count by host" and "index=* sourcetype="crowdstrike:events:sensor" | stats count by host", but it's not giving me the information per each individual host. V/r Ghost