Hi @briancronrath, surprisingly, there is no documentation about this "total_slices" in the Splunk docs. As I checked the audit logs, I could see there are two fields with the word "slices": total_slices and decompressed_slices.

index="_audit" | fields total_slices decompressed_slices | stats count by total_slices decompressed_slices

index="_audit" total_slices | fields user total_slices decompressed_slices | stats count by total_slices decompressed_slices user

These two searches may give you some ideas (but may not give much, I hope). Maybe let's wait for a Splunk Guru's reply, thanks.
https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Alert/AlertTriggerConditions Per the documentation, you can't control the ability to trigger via permissions.
The trick is I don't see any capability or other setting per role or user that would limit this option so that really seems unusual. If you have a realtime alert, you indeed have only the "per each result" option available but in this case it makes sense since you're constantly monitoring the incoming events and don't have a "full" result set. But with a scheduled alert you normally should have two options. At least I have never seen the "once" option being unavailable. I'm at 9.1.1 at the moment. EDIT: Ok, wait a second. Do a screenshot from your report definition screen where you have this once/each result part.
@ITWhisperer Want to say THANK YOU again! Just tried to wrap it and everything worked. It took me a while to understand that I need to wrap it not in the main query but in my additional part when I'm trying to pass the token to other components.
| rename 'old field name' as "new field name"

or, change the field values before the timechart:

| eval connectionType=case(connectionType=="old field value 1","new field value 1", connectionType=="old field value 2", "new field value 2", true(), connectionType)
Okay; so if you have the option of something other than once per event then it's probably configured on the back end and I'll need to work with our team that manages that and make sure they enable that option. Just to confirm, you have that option and what version are you running? Also, Thank you so much for your help!!
Hello everyone, here is the story: we have a search head cluster with three members, let's call them sh1, sh2, sh3. These 3 search heads are not in the same domain/VLAN, so each one used to have its own config of the SMTP server. Now we are having issues sending reports from Splunk, and I noticed that all 3 search heads are using just one SMTP server, so the emails will not be delivered. I tried to put the correct config for each search head in .../system/local/alert_actions.conf but it is still not working. For now I will try to allow the search heads to communicate with all SMTP servers, but I am not sure it is the best solution. Is there a config I am missing about the email setting in a search head cluster? Thank you.
Ok, from what I understand you need something like

<your_search> | stats list(module) as modules last(T) as T by transactionID | eval modules=mvjoin(modules," ") | stats count by modules T

Depending on your sort order you might want first(T) instead of last(T).
I have been investigating a particular search an api user runs which has become markedly slower past a specific date. When looking in the audittrail internal logs, what I noticed is that there is no significant increase in event count, however the "total_slices" number significantly increases from before the date through after the date. I couldn't find much information in the documentation on what this value represents. Does this mean the data within each event increased around that time?
I created the below query to get the hourly report of certain tasks. I got the final timechart values for four different "connectiontype" values below. But I would like to rename the column name to something else.
To get a total number of users, use the stats command again.
```
...
| stats count by IONS
| where count >= 10
```
So far we have one result per user. Count the number of results to get the number of users.
```
| stats count as IONS
| rename IONS as "User IDs"
```
Hey guys, hope y'all are doing well! I wanted to experiment with Splunk's Deep Learning module to perform some tasks. As mentioned in the "barebone_template", there are two methods to pull data in from Splunk. Because I want the data to be live, I want to be able to run a search inside the Jupyter notebook itself, hence proceeding with method 1. Method 1 is done using Splunk's "dsdlsupport" Python library. But when I used the same commands they have in their template, it throws the following error for their default settings: I wanted to check if someone has faced/solved this issue already before diving into their source code myself. Thank you and have a nice day. Best,
Hey ITWhisperer, as my results come from an index summary, would I need to have a separate timepicker to get the index summary date? Or can I also use timepicker=_time?
I was able to successfully blacklist the below, so I am not sure why the difference.

blacklist6 = EventCode=5156 Application_Name="\device\harddiskvolume3\gcti\tsrvciscocm\cisco_cucm_tserver_bu_2\ciscocm_server.exe"

Application Name: \device\harddiskvolume3\gcti\tsrvciscocm\cisco_cucm_tserver_bu_2\ciscocm_server.exe
Can someone help me with these regexes in inputs.conf on a universal forwarder? For some reason, they aren't working. Much appreciated!

blacklist7 = EventCode=4673 Process_Name="C:\Program Files\WindowsApps\AD2F1837.myHP_25.52341.876.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe"

blacklist8 = EventCode=4673 Process_Name="C:\Program Files\WindowsApps\AD2F1837.myHP_26.52343.948.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe"