All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Thank you so much! Out of curiosity, is the isnotnull(CIDR) referring to the column in the lookup table, or to the matchtype that was set up when creating the lookup definition?
Thank you for your response. I double checked and all the fields are correctly spelled. A coworker put 'AND' in front of the subsearch, and events are returning. She is using a lookup without the match type being set to CIDR(ip_address), so now I'm more puzzled.

EDIT: Oh yes, I forgot that you said that matchtype doesn't have meaning with inputlookup, so I guess that is why it doesn't matter in this case. Although I'm still puzzled as to why the 'AND' is making a difference.
@richgalloway I discovered that sending the log to the raw endpoint works. However, the log is stripped down to the log body, which is what the documentation states (i.e. from docs - `send only the log's body`).

export_raw: false
endpoint: ".../services/collector/raw"

Resulting log (only the log body shows up in Splunk):

Example log record

I'm still having trouble figuring out why logs aren't coming through the normal event endpoint. The sample log I'm using is from the otlp log data spec.
Hi Team, We are using DB Connect 3.14.1 and Splunk Enterprise version 9.1.1. We have installed the DB Connect app and drivers, and when we configure the database we get the error "database connection is invalid, Login failed for the user", but using the same user name and password we are able to log in to the database directly. Can anyone please suggest the answer for this?
Thank you so much, @ITWhisperer. That did the trick!
Nailed it! Thanks so much.
Hi, I have tried your solution, and for relative time I don't get any results if I use it within a dashboard; I only get the earliest_time when selecting Last xxxx, e.g. last 30 days. I wanted to see what it looked like, so I ran

| makeresults
| eval timeTokenearliest="$time.earliest$"
| eval timeTokenlatest="$time.latest$"
| eval gap=timeTokenlatest-timeTokenearliest
| eval reltimeearl = relative_time(now(),"$time.earliest$")
| eval reltimelate = relative_time(now(),"$time.latest$")
| table _time reltimeearl reltimelate

I have tried to use https://www.youtube.com/watch?v=OzEb7Q-fuXs&t=649s, however I have found that the dashboard does not like the following eval statement; I get the result of NaN. The %z in the strptime is now not valid!!

<progress>
<eval token="toearliest">strptime("$job.earliestTime$","%Y-%m-%dT%H:%M:%S.%3N+%z")</eval>
<eval token="tolatest">strptime("$job.latestTime$","%Y-%m-%dT%H:%M:%S.%3N+%Z")</eval>
<eval token="tokgap"></eval>(($job.latestTime$-$job.earliestTime$)/86400)
<set token="jobearliest">$job.earliestTime$</set>
<set token="joblatest">$job.latestTime$</set>
</progress>

Has anybody else encountered this issue and found a solution?
Hello, I have a dashboard with multiple panels. Each panel returns a table in the dashboard. I would like to view the complete dashboard as one big table. I am so far able to remove the column name from the 2nd panel onwards, which gives the view of one column name on top with the column values below. The issue I am now facing is that the column values are not aligned properly and the data is not readable. I have tried alignment and also tried cell resizing, but no luck. Any help will be much appreciated. Above is a screenshot and we have 3 panels. Panel 1: column name is displayed. Panels 2 & 3: column name is hidden. We require the column values to be aligned properly in an orderly manner. Thanks.
I get this error when I upload a CSV file with 2 columns that include an ID number and a malicious domain, but when I go to the threat intelligence audit I see this error:

2023-11-06 13:15:52,655+0000 WARNING pid=3558172 tid=MainThread file=add_threat_workload.py:_sinkhole_file:151 | status="Sinkholing of local files is not allowed" stanza="8

and

2023-11-06 13:16:22,699+0000 ERROR pid=3558172 tid=MainThread file=base_modinput.py:execute:820 | Execution failed: Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/threat_intel_meta2/batch_save: The read operation timed out',)
Traceback (most recent call last):
  File "/Splunk-db/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 567, in simpleRequest
    serverResponse, serverContent = h.request(uri, method, headers=headers, body=payload)
  File "/Splunk-db/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1968, in request
    cachekey,
  File "/Splunk-db/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1626, in _request
    conn, request_uri, method, body, headers
  File "/Splunk-db/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1564, in _conn_request
    response = conn.getresponse()
  File "/Splunk-db/splunk/lib/python3.7/http/client.py", line 1373, in getresponse
    response.begin()
  File "/Splunk-db/splunk/lib/python3.7/http/client.py", line 319, in begin
    version, status, reason = self._read_status()
  File "/Splunk-db/splunk/lib/python3.7/http/client.py", line 280, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/Splunk-db/splunk/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
  File "/Splunk-db/splunk/lib/python3.7/ssl.py", line 1079, in recv_into
    return self.read(nbytes, buffer)
  File "/Splunk-db/splunk/lib/python3.7/ssl.py", line 937, in read
    return self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Splunk-db/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 811, in execute
    log_exception_and_continue=True
  File "/Splunk-db/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 388, in do_run
    self.run(stanza)
  File "/Splunk-db/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 709, in run
    logger=self.logger
  File "/Splunk-db/splunk/etc/apps/SA-ThreatIntelligence/bin/threat_utils/utils.py", line 181, in set_threat_intel_meta
    options
  File "/Splunk-db/splunk/etc/apps/SA-Utils/lib/SolnCommon/kvstore.py", line 186, in batch_create
    uri, sessionKey=session_key, jsonargs=json.dumps(records))
  File "/Splunk-db/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 579, in simpleRequest
    raise splunk.SplunkdConnectionException('Error connecting to %s: %s' % (path, str(e)))
splunk.SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/threat_intel_meta2/batch_save: The read operation timed out',)
Each row is an event with various fields - if you want to combine the results events by User, try something like this:

index=logs EventType="logon"
| stats count by User Status
| stats list(Status) as Status list(count) as count by User
Always best to fully describe your problem giving as much sufficient detail as possible. Try this

| eval codes=mvsort(mvappend(code1, code2))
| eventstats count by codes
| eval result=if(count==2, "yes", "no")
This is where I started, but it lists the User for each Status they have. I was hoping to have the user listed once with all of their different statuses next to them.
The preferred way to parse key/value pairs is to use KV_MODE=auto in props.conf. An app installed in one SH will have no effect on other SHs. Install the app on the ES SH for the configuration to have effect. To change the owner of an object, click the Reassign Knowledge Objects button in the top-right corner of the All Configurations page.
Use the head command to limit the number of results. The rare command does not do what you want it to do because it discards fields, and once fields are discarded they cannot be retrieved again.

index=myindex earliest=-24h
``` Count each hash value ```
| eventstats count by SHA256HashData
``` Find the hash value with the lowest count ```
| eventstats min(count) as minCount
``` Keep the hashes with the lowest count ```
| where count=minCount
| head 10
| collect index=summary
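The rarest-hash search above is a least-frequency hunt: count how often each file hash appears, keep the ones with the lowest count, cap the list. To make the counting and filtering concrete outside Splunk, here is an added Python re-implementation of that logic (example code, not from the answer or from Splunk). It assumes events in `key=value` form with a `SHA256HashData` field as named in the search; the events and the hash values are constructed placeholders. The `long_tail` function generalises the `where count=minCount` step to "every hash seen at most N times", which is the more common form of this hunt.

```python
import re
from collections import Counter

# Extraction pattern for the SHA256HashData field named in the SPL above.
HASH_RE = re.compile(r"SHA256HashData=([0-9a-fA-F]{64})")

# Constructed placeholder hashes (64 hex chars each, not real file hashes).
H_EXPLORER = "e1" * 32
H_SVCHOST = "5c" * 32
H_UNKNOWN_A = "0a" * 32
H_UNKNOWN_B = "0b" * 32

# Constructed sample events in the key=value shape Splunk would extract from.
# The last event deliberately lacks the hash field to show it is skipped.
SAMPLE_EVENTS = [
    f"host=ws01 ImageFileName=C:\\Windows\\explorer.exe SHA256HashData={H_EXPLORER}",
    f"host=ws02 ImageFileName=C:\\Windows\\explorer.exe SHA256HashData={H_EXPLORER}",
    f"host=ws03 ImageFileName=C:\\Windows\\explorer.exe SHA256HashData={H_EXPLORER}",
    f"host=ws01 ImageFileName=C:\\Windows\\System32\\svchost.exe SHA256HashData={H_SVCHOST}",
    f"host=ws02 ImageFileName=C:\\Windows\\System32\\svchost.exe SHA256HashData={H_SVCHOST}",
    f"host=ws03 ImageFileName=C:\\Users\\Public\\update.exe SHA256HashData={H_UNKNOWN_A}",
    f"host=ws04 ImageFileName=C:\\Temp\\setup.exe SHA256HashData={H_UNKNOWN_B}",
    "host=ws05 ImageFileName=C:\\Windows\\notepad.exe",
]


def sha256_of(event):
    """Return the lower-cased SHA256HashData value of one event, or None if absent."""
    m = HASH_RE.search(event)
    return m.group(1).lower() if m else None


def count_hashes(events):
    """Equivalent of `eventstats count by SHA256HashData`: occurrences per hash.
    Events without the field are ignored, as a `by` clause would drop them."""
    return Counter(h for h in map(sha256_of, events) if h is not None)


def rarest_hashes(events, limit=10):
    """Equivalent of the min(count) / where count=minCount / head chain:
    the hashes sharing the lowest count, at most `limit` of them, sorted so
    the output is deterministic."""
    counts = count_hashes(events)
    if not counts:
        return []
    min_count = min(counts.values())
    rare = sorted(h for h, c in counts.items() if c == min_count)
    return [(h, min_count) for h in rare[:limit]]


def long_tail(events, max_count):
    """Generalisation: every hash seen at most `max_count` times, rarest first."""
    counts = count_hashes(events)
    tail = [(h, c) for h, c in counts.items() if c <= max_count]
    return sorted(tail, key=lambda hc: (hc[1], hc[0]))


if __name__ == "__main__":
    for h, c in rarest_hashes(SAMPLE_EVENTS):
        print(c, h)
```

Against the constructed sample the two singletons come back; `long_tail(SAMPLE_EVENTS, 2)` also returns the hash seen twice, which is the threshold-based variant an analyst would normally run before handing results to `collect`.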
Hello @ITWhisperer. Thank you for the quick response. I have updated my post. There are multiple potential combinations--not just ab and cd--so the actual combination cannot be defined.
index=logs EventType="logon" | stats count by User Status
Sorry, I am unsure how to describe what I am looking for using Splunk terminology, and I am sure that is why I am having trouble finding the answer. What I am looking for:

User  | Status | count
------+--------+------
Mike  | True   | 2
      | False  | 1
------+--------+------
Logan | True   | 4
      | False  | 2

So far my search looks like this:

index=logs EventType="logon"
| stats values(Status) as Status count by User

It is almost there, but in the count column it combines the count for True and False and only gives a single number.
| eval result=if((code1=="ab" AND code2=="cd") OR (code1=="cd" AND code2=="ab"), "yes", "no")
Hello, Thanks for your suggestion. I already looked it up before I posted my question. The previous post does not answer my questions, and I don't have an admin role.

1) Why does Splunk send searches via GET request?
2) How do I fix this without an admin role?
Hello! I have run a search which results in displaying a table. In this table, I would like to check if a combination of values between two fields exists, and, if so, return "Yes." I have done this in PowerBI using the following command, but I am unsure how to do it in SPL.

VAR _SEL = SELECTCOLUMNS('table1', "code1", [code1])
RETURN IF ('table1'[code2] IN _SEL, "Yes", "No")

An example initial table is below:

id, code1, code2
1, ab, cd
2, cd, de
3, ab, hi
4, cd, ab
5, jk, cd
6, hi, jk
7, jk, hi

The result I am looking for is that it will find that the combination of ab+cd and hi+jk exists in both directions (code1, code2 and code2, code1).

id, code1, code2, result
1, ab, cd, yes
2, cd, de, no
3, ab, hi, no
4, cd, ab, yes
5, jk, cd, no
6, hi, jk, yes
7, jk, hi, yes

Thank you for your help!
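The question above asks for rows whose (code1, code2) pair also appears reversed, and the thread's answers approach it two ways: an explicit reverse-lookup (the `if(... OR ...)` form) and an order-insensitive count of canonical pairs (the `mvsort(mvappend(...))` / `eventstats count` form). As an added example that is not part of the thread, here is a Python re-implementation of both against the question's own table (copied into a constructed CSV string), so the two approaches can be compared. The function names and the `results` helper are this example's own. The two give identical results on the asker's data but diverge on two edge cases the table does not contain: a repeated identical row (`ab,cd` twice) and a self-pair (`xx,xx`), which the test below exercises.

```python
import csv
import io
from collections import Counter

# Constructed copy of the example table from the question.
SAMPLE_CSV = """\
id,code1,code2
1,ab,cd
2,cd,de
3,ab,hi
4,cd,ab
5,jk,cd
6,hi,jk
7,jk,hi
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header (id, code1, code2)."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_reversed_pairs(rows):
    """Mark a row 'yes' when the table also contains the same two codes in the
    opposite order, i.e. (code2, code1) is present as some row's (code1, code2).
    This is the explicit reverse-lookup reading of the question: row 4 (cd, ab)
    is 'yes' because row 1 holds (ab, cd)."""
    seen = {(r["code1"], r["code2"]) for r in rows}
    return [
        dict(r, result="yes" if (r["code2"], r["code1"]) in seen else "no")
        for r in rows
    ]


def flag_unordered_pairs(rows):
    """Order-insensitive variant: sort the two codes into a canonical pair and
    mark 'yes' when that pair occurs at least twice (the answer's SPL tests
    count==2; >= 2 is used here so three or more occurrences also match).
    Differs from flag_reversed_pairs when the same ordered pair is repeated
    (counted as a match here, not there) or when code1 == code2 (a match there,
    not here)."""
    canon = [tuple(sorted((r["code1"], r["code2"]))) for r in rows]
    counts = Counter(canon)
    return [
        dict(r, result="yes" if counts[c] >= 2 else "no")
        for r, c in zip(rows, canon)
    ]


def results(flagged):
    """Just the result column, in row order, for easy comparison."""
    return [r["result"] for r in flagged]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for r in flag_reversed_pairs(rows):
        print(r["id"], r["code1"], r["code2"], r["result"])
```

Which variant is right depends on whether a duplicated row should count as "the combination exists"; the reverse-lookup form matches the PowerBI expression in the question most literally, while the canonical-pair form is the one that maps naturally onto `stats`/`eventstats` in SPL.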