Hi All, After restarting Splunk on my dev server I am getting the below error.  
Thanks for your response. Yes, it is indeed a bad design. There is only one parent node, "2023-03-16". This changes every day ("2023-03-16", "17", "18", ...) but the associated fields under this date, that is, employee id (1, 2, ...), remain the same. The problem arises when we create analytics/alerts for, let's say, the last 7 days: the top-level key changes. Your response worked, but I am getting all the events of "all time" even if I have selected a timestamp of 24h.
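An added example, not from this thread or from the poster's data, of the restructuring that removes the changing top-level key: flatten a document shaped like {"<date>": {"<employee id>": {...}}} into one record per employee per day that carries the date as an ordinary field, so a "last 7 days" filter becomes a plain comparison and "by employee_id" counts are stable. The per-employee field names (status, site) and the input document are constructed for the example.

```javascript
// Added example (not the poster's data): a document whose only top-level
// key is the day, with employee ids as the next level. The field names
// inside each employee object (status, site) are assumed for illustration.
const DOC = {
  "2023-03-10": { "1": { status: "in", site: "HQ" }, "2": { status: "out", site: "HQ" } },
  "2023-03-16": { "1": { status: "in", site: "HQ" }, "2": { status: "in", site: "DC1" } },
  "2023-03-17": { "1": { status: "out", site: "HQ" }, "2": { status: "in", site: "DC1" } },
  version: 3, // a non-date top-level key, kept out of the flattened output
};

const DATE_KEY = /^\d{4}-\d{2}-\d{2}$/;

// One record per (date, employee) with the date as a normal field. This is
// the shape that makes "by employee_id" and "last N days" queries stable
// instead of depending on a key that changes every day.
function flattenByDateKey(doc) {
  const records = [];
  for (const [key, employees] of Object.entries(doc)) {
    if (!DATE_KEY.test(key) || typeof employees !== "object" || employees === null) continue;
    for (const [employeeId, fields] of Object.entries(employees)) {
      records.push({ date: key, employee_id: employeeId, ...fields });
    }
  }
  return records;
}

// Inclusive "last n days" window ending on asOf (a YYYY-MM-DD string).
function lastNDays(records, n, asOf) {
  const end = Date.parse(asOf + "T00:00:00Z");
  const start = end - (n - 1) * 86400000;
  return records.filter((r) => {
    const d = Date.parse(r.date + "T00:00:00Z");
    return d >= start && d <= end;
  });
}

// Count of records per employee over the window: the aggregation that the
// original date-as-key layout made awkward.
function countByEmployee(records) {
  const counts = {};
  for (const r of records) counts[r.employee_id] = (counts[r.employee_id] || 0) + 1;
  return counts;
}

// Usage: 6 flattened records; 4 of them fall in the 7 days ending 2023-03-17.
const week = lastNDays(flattenByDateKey(DOC), 7, "2023-03-17");
console.log(week.length, countByEmployee(week));
```

Once events look like the flattened records (one event per employee per day with a date field), a 24h or 7-day time range selects them the way the poster expected, and the top-level key no longer needs to be known in advance.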
I was getting this error while searching: Error in 'rex' command: Encountered the following error while compiling the regex '\b(?(java|javax).[\w.]+Exception)': Regex: syntax error in subpattern name (missing terminator).
I am very new to Splunk and practicing using the botsv1 index. I need to use a wildcard to find all the passwords used against a destination IP. I know I need to use http_method=Post and search for the user passwords within the form_data field. I have been experimenting with the SPL command but no success as of yet.
This would be a piece of cake for someone who uses Splunk. I am doing a search using the 'stats', 'count' and 'sort' commands in the botsv1 index. I am to find the top ten URIs in ascending order. What is the SPL command?
Does Splunk UBA use/require the Log4j 1.2 listed below? It was flagged during VA scanning, thus I am not sure whether we can remove it or need to update it. Apache Log4j 1.2
Do you mean this:

index=dev | rex field=_raw "\b(?<exception_type>(java|javax).[\w.]+Exception)" | timechart span=30d count by exception_type

For graphics choose "Visualisations".
Hi Team, I want to have a query which displays all types of exceptions that occurred in the last 30 days, in a table or else in a graphical way. We just want to see the count of the exceptions every 30 days. I have been using this query but it didn't work. I am new to Splunk, so please help me to find out:

index=dev | rex field=_raw "\b(?<exception_type>(java|javax).[\w.]+Exception)" | chart count by exception_type
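An added example, not from either post above, covering both the "missing terminator" rex error and the exception-count search: the pattern with the named capture group that "by exception_type" relies on, applied to constructed Java log lines and counted in 30-day bins the way timechart span=30d does. Splunk's rex is PCRE and JavaScript accepts the same (?<name>...) syntax, so the pattern is written exactly as it appears in the search; the log lines, the 30-day alignment to the earliest event, and the function names are this example's own choices.

```javascript
// Added example (not from the thread): constructed log lines, each starting
// with a 20-character ISO-8601 timestamp so the bin can be derived offline.
const SAMPLE_LOGS = [
  "2023-03-01T10:00:00Z ERROR request failed: java.lang.NullPointerException at Foo.bar(Foo.java:12)",
  "2023-03-02T11:30:00Z WARN  retrying after javax.naming.NameNotFoundException: cn=svc",
  "2023-03-20T09:15:00Z ERROR java.io.IOException: broken pipe",
  "2023-04-05T08:00:00Z ERROR Caused by: java.lang.NullPointerException",
  "2023-04-06T08:00:00Z INFO  request ok",
];

// The thread's pattern with the group name that timechart's "by exception_type"
// needs. The unescaped "." after (java|javax) is kept as posted; "\." is the
// stricter form if only a literal dot should be accepted.
const EXCEPTION_RE = /\b(?<exception_type>(java|javax).[\w.]+Exception)/;

// Equivalent of the rex step: the named group, or null when no exception is present.
function extractExceptionType(line) {
  const m = EXCEPTION_RE.exec(line);
  return m ? m.groups.exception_type : null;
}

// Bin index of a timestamp in 30-day spans counted from startMs. Splunk picks
// its own bin boundaries; aligning to the earliest event is an assumption made
// here so the example is self-contained.
function span30d(ms, startMs) {
  return Math.floor((ms - startMs) / (30 * 86400 * 1000));
}

// Equivalent of: rex ... | timechart span=30d count by exception_type
// Returns { binIndex: { exception_type: count } }.
function countExceptionsBySpan(lines) {
  const parsed = [];
  for (const line of lines) {
    const type = extractExceptionType(line);
    if (type === null) continue;
    parsed.push({ ms: Date.parse(line.slice(0, 20)), type });
  }
  if (parsed.length === 0) return {};
  const startMs = Math.min(...parsed.map((p) => p.ms));
  const counts = {};
  for (const p of parsed) {
    const bin = span30d(p.ms, startMs);
    if (!counts[bin]) counts[bin] = {};
    counts[bin][p.type] = (counts[bin][p.type] || 0) + 1;
  }
  return counts;
}

// The error quoted in the thread ("syntax error in subpattern name (missing
// terminator)") is what PCRE reports when a group name is opened with "(?<"
// but never closed with ">". JavaScript rejects the same pattern when the
// RegExp is constructed; this returns the error name, or null if it compiles.
function regexCompileError(pattern) {
  try {
    new RegExp(pattern);
    return null;
  } catch (e) {
    return e.name;
  }
}

// Usage: counts per 30-day bin, and the broken pattern failing to compile.
console.log(countExceptionsBySpan(SAMPLE_LOGS));
console.log(regexCompileError("\\b(?<exception_type(java|javax).[\\w.]+Exception)"));
```

If the regex compiles here but rex still reports the error, the pattern reaching Splunk differs from the one typed, which is usually a quoting or escaping problem in the search string rather than in the regex itself.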
Thank you so much for your assistance.
I tested your suggestion and it worked. I accepted this as the solution. I appreciate your help. Thank you so much. So, it's not possible in Splunk to do it with only one stats, correct?
Thanks @gcusello. I will try to disable and then remove the app and see if it throws any messages from my end.
Hi all, I have a large number of events that have been ingested into SOAR from a ServiceNow queue. A large number of these events have been closed on the ServiceNow end; however, the events are still open in SOAR. I have written a playbook to check the status of these tickets in ServiceNow and then close the event in SOAR if certain conditions are met. I am having trouble finding out how I can run this playbook on all of the events in the source, as I can only select 50 at a time. If someone could point me in the right direction to run this playbook on all of the events in the source, that would be very helpful. Thank you for reading.
I have built such a customized search page with Advanced XML before. The example is like this: it adds more input fields on the search page, but still keeps the UI features of the search results. Our users love this!! And this is why we couldn't upgrade our Splunk to the latest version (which does not support Advanced XML). Is there any way that I could customize the search page with a Simple XML dashboard?
Hi all! Hoping you can help me out. We are setting up an alert in Splunk that will feed into ServiceNow, which, when triggered, will allow us to reach out to our users whenever they lock themselves out, instead of them calling through to the IT desk. We don't want a SNow alert to trigger every time they show up in the Splunk search, however; instead, if they have had an alert created in the last 4 hours, for example, they are not included and it only checks for new people in that time frame. After the time period has elapsed they can then be included in the alert again. I have the search to a point where it is finding the users with issues and creating a transaction, so we are getting them at the point they would be calling us; I'm just stuck on that last bit.

index=prd_example sourcetype=LogSource host=Host* | transaction UserID EventDescription maxspan=4h | table UserID EventDescription LockoutTime FirstName LastName EventCode eventcount | where eventcount >= 3 | sort -_time

Any help would be greatly appreciated. I'm not even sure if this can be done at the Splunk level or needs to be done at the SNow end.
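An added example, not part of the post above, that runs the rule the poster describes over constructed lockout events: a user with at least 3 lockouts inside a trailing 4-hour window is alerted once, then suppressed until 4 hours have passed since that alert, after which a new burst alerts again. Splunk's built-in way to get the suppression part is alert throttling on the UserID field; the code spells the same logic out so its behaviour can be checked. The events, user names and function names are this example's own.

```javascript
// Added example (not the poster's search): explicit "transaction + throttle"
// logic over constructed events. Times are on one day for readability.
const WINDOW_MS = 4 * 60 * 60 * 1000; // maxspan=4h and the suppression period
const MIN_EVENTS = 3;                 // the "where eventcount >= 3" threshold

const ts = (hhmm) => Date.parse("2023-03-16T" + hhmm + ":00Z");

// Constructed lockout events (unsorted on purpose). alice bursts twice
// (08:00-08:40 and 13:00-13:10), bob locks out only twice, carol bursts once.
const EVENTS = [
  { UserID: "alice", _time: ts("08:30") }, { UserID: "alice", _time: ts("08:00") },
  { UserID: "alice", _time: ts("08:10") }, { UserID: "alice", _time: ts("08:20") },
  { UserID: "alice", _time: ts("08:40") },
  { UserID: "bob", _time: ts("09:00") },   { UserID: "bob", _time: ts("09:05") },
  { UserID: "carol", _time: ts("10:00") }, { UserID: "carol", _time: ts("10:01") },
  { UserID: "carol", _time: ts("10:02") },
  { UserID: "alice", _time: ts("13:00") }, { UserID: "alice", _time: ts("13:05") },
  { UserID: "alice", _time: ts("13:10") },
];

// Walk events in time order. For each user keep the lockouts inside the
// trailing window (the transaction) and the time of the last alert raised
// for that user (the throttle). An alert fires when the window holds at
// least minEvents events and the user has not been alerted within windowMs.
function lockoutAlerts(events, windowMs = WINDOW_MS, minEvents = MIN_EVENTS) {
  const sorted = [...events].sort((a, b) => a._time - b._time);
  const recent = new Map();    // UserID -> event times still inside the window
  const lastAlert = new Map(); // UserID -> time of the last alert for that user
  const alerts = [];
  for (const ev of sorted) {
    const times = (recent.get(ev.UserID) || []).filter((t) => ev._time - t < windowMs);
    times.push(ev._time);
    recent.set(ev.UserID, times);

    const last = lastAlert.get(ev.UserID);
    const throttled = last !== undefined && ev._time - last < windowMs;
    if (times.length >= minEvents && !throttled) {
      alerts.push({
        UserID: ev.UserID,
        LockoutTime: new Date(ev._time).toISOString(),
        eventcount: times.length,
      });
      lastAlert.set(ev.UserID, ev._time); // suppress this user for the next windowMs
    }
  }
  return alerts;
}

// Usage: three alerts (alice 08:20, carol 10:02, alice 13:10); bob never
// reaches the threshold and alice's 08:30/08:40 lockouts are suppressed.
console.log(lockoutAlerts(EVENTS));
```

The same shape maps onto a scheduled Splunk alert: the search supplies the "at least 3 in 4 hours" condition, and per-result throttling on UserID supplies the "not alerted in the last 4 hours" condition, so the search itself does not need to remember who has already been ticketed.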
Please let me know which metric to use to create detectors:
1. EC2 Status Check: the possible values for state change events for instances are: pending, running, stopping, stopped, shutting-down, terminated
2. ACM Cert events: ACM Certificate Approaching Expiration event, ACM Certificate Expired event, ACM Certificate Available event, ACM Certificate Renewal Action Required event
Hello, and thank you for your time. I would like to run a search in Splunk, using the results against inputlookup lists to return the stats or multiple stats.

Example: My search is:

index="MyIndex" AND host="MyHost" AND (*string1* OR "*string2*" OR "*string3*") | dedup user | table user user_results user.name1 user.name2 user.name3

Using those results:

| inputlookup ACBounceList_a-c.csv | inputlookup append=t ACBounceList_d-g.csv | inputlookup append=t ACBounceList_h-l.csv | inputlookup append=t ACBounceList_m-q.csv | inputlookup append=t ACBounceList_r-s.csv | inputlookup append=t ACBounceList_t-v.csv | inputlookup append=t ACBounceList_w-z.csv | stats count by field_stats_wanted | where inputlookup_user = user_results

resulting in:

field_stats_wanted    count
value1                30
value2                35
etc                   etc

Any assistance with this would be greatly appreciated.
Hello, by any chance, did you find a solution for this? I got the same issue right now.
| stats values(score) as score sum(score) as vuln_score count by ip vuln | stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all sum(score) as total_score sum(vuln_score) as vuln_score sum(count) as count by ip
Do you have any docs/references for point 2? >> With older versions of UF, it was run with Local System user by default. New versions use a user with a bit more "trimmed" permissions.