All Posts
Hi @Roy_9, you have to rename the title field to host and add the Team field to display it, something like this:

| tstats count latest(_time) AS latest WHERE index=_internal BY host
| append [ | inputlookup 123.csv | rename title AS host | eval count=0 | fields host Team count ]
| stats sum(count) AS total max(latest) AS latest values(Team) AS Team BY host
| where now()-latest>900 OR total=0
| eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S"), status=if(total=0,"Never sent","Last event: ".latest)
| table host Team status

Ciao. Giuseppe
Thanks @gcusello, yes, I already have a lookup named 123.csv where the hosts are listed under a column called "title" and the different team names are listed under a column called Teams. Can you please advise how I need to append these two fields, Title and Teams, to the above search?
Hi @delly_fofie, the only way to avoid indexing a log twice is to run an SQL query that checks if data is duplicated before indexing it. This action can be performed in SQL, not in Splunk. In Splunk you could also ingest duplicated events and then, using Splunk Search Programming Language (SPL), remove duplicates in search results, but not at indexing. In other words, it isn't possible to check if data is already indexed before indexing it; the only way to do this is in the generating SQL query that you use to extract events using DB Connect. Ciao. Giuseppe
Hello @gcusello, let's assume I would go with your idea. But still, if on day 1 I manage to get only unique entries into the index, the next day I will have new entries and already existing entries in Splunk, and this will still create duplicate data in Splunk.
Hello, I have no clue, thanks for reading in advance. In any case, right now I can't open Splunk Web because it gives me a 500 internal error, and I found the critical point: server.conf. I just tried, and if I don't put anything in it, it works, but if I put any path it breaks everything. Behind this problem there is that after writing the configuration files (I followed the Splunk documentation strictly, so...) the connection doesn't work when I try to troubleshoot. I will post my files here so I hope it will be clearer what I did:

inputs.conf on the index:

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /path/to/mycervercombinedfile.pem
sslPassword = mypass
requireClientCert = false

outputs.conf on the forwarders:

[tcpout]
defaultGroup = mygroup

[tcpout:mygroup]
server = index ip:9997
sslCertPath = path/to/my combinedservercert.pem
sslPassword = mypass
sslVerifyServerCert = true
useClientSSLCompression = true

server.conf on both index and forwarder:

[sslConfig]
sslPassword = mypass
sslRootCAPath = path/to/myCertAuthCertificate.pem

As for putting something in web.conf, I'm waiting to solve these internal problems first. I almost forgot to say that I do not think there is a problem with how I created the certificates; I repeated the process n times already and I followed the instructions: the CA root cert is the same one that I shared with forwarders and index, then from this certificate I created a separate one for all the servers involved, and then I concatenated them into one. Thanks so much for reading, and I would appreciate receiving some advice on how to proceed further, I'm going insane. P.S.: Sorry for my English but I'm not a native speaker.
Hi @LearningGuy, as I said, in the base search you must put all the fields to use in the dashboard's panels, then in each panel you can put the fields you need in that panel, something like this:

base search:

<search id="base">
  <query>index=testindex | fields company ip id AvgScore</query>
</search>

Panel 1 (without id field):

<search base="base">
  <query>| table company ip AvgScore</query>
</search>

Panel 2 (with id field):

<search base="base">
  <query>| lookup example.csv id OUTPUTNEW id location | table company id ip AvgScore location</query>
</search>

Ciao. Giuseppe
Did they give you a SPL- number for what bug it is? 
Hello @gcusello, thank you for your help. I have 2 "statistics table" panels:
1) statistics table for the base search (id="base"): I don't want to display the "id" field on the table
2) statistics table panel for the second search (derived from the base search, base="base"): I want to display the "id" field on the table

How do I not display the "id" field on the statistics table panel for the base search, but display the "id" field on the statistics table panel for the second search? If I remove "id" from "| table" in the base search, it doesn't display on the statistics table for the base search, but I couldn't use it on the second search.

1) statistics table for the base search:

<search id="base">
  <query>index=testindex | table company, ip, AvgScore</query>
</search>

company ip AvgScore
CompanyA ip1 1
CompanyA ip2 3
CompanyA ip3 4

2) statistics table panel for the second search:

<search base="base">
  <query>| lookup example.csv id as id OUTPUTNEW id, location | table company, id, ip, AvgScore, location</query>
</search>

company id ip AvgScore location
CompanyA idA ip1 1 loc1
CompanyA idA ip2 3 loc1
CompanyA idA ip3 4 loc1
@meshorer is the value you would use when NOT true hardcoded or from other information in the event/artifact? I think for this you might be best to use a Code Block / Custom Function to have a single output and do all the checking in code based on the inputted value(s).  -- Happy SOARing! --
Many others have had the same problem after upgrading.  It seems the alert is too sensitive.  Once you have confirmed the instances are healthy, consider adjusting the alert threshold or disabling it.
While in an all-in-one scenario it might not be that important, it's useful to remember that you should avoid putting anything in etc/system/local. Apart from that, you can put it "anywhere" - see how Splunk merges the separate files into effective config https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Wheretofindtheconfigurationfiles
Which dashboard is this from? Which app is it in? Which version of Splunk are you using?
Hi, during a playbook, I would like to check a parameter with a condition, and if the condition results in true, I would like to use that parameter. But if the condition results in false, I would then use a different parameter. Is there a way to do that without duplicating a lot of blocks?
This appears to be a single event. The correlation id doesn't match and neither do any of the dates. Please can you provide the correct corresponding events for the row shown?
Hi Splunkers! How do I change the color of the info button in a dashboard?

<panel id="global_status_op">
  <title>Global Compliance</title>
  <html>
    <style>
    </style>
    <div class="infobutton" parent="global_status_op" type="collapse" style="display: none">
      <p style="font-size:15pt;">The compliance is calculated as follows:</p>
      <p style="font-size:9pt;">- If compliant, the asset is considered as compliant</p>
      <p style="font-size:9pt;">- If not compliant, the asset is considered as not compliant</p>
    </div>
  </html>
</panel>

Thanks!
Hi @ITWhisperer, I am not sure if this is what you are expecting. If not, can you please give some assistance on how to get it.

Correlation ID | Event start time | Event end time | Difference
930fd232-8d16-4d1f-8725-a5893e9a46c7 | 11-01-2023 13:19:06:653 | 11-01-2023 13:19:23:359 | 16.706

{"message_type": "INFO", "processing_stage": "Obtained data", "message": "Successfully received data from API/SQS", "correlation_id": "0cd56112-6346-4ea3-8a2f-2b59b9eb68ba", "error": "", "invoked_component": "prd-start-step-function-from-lambda-v1", "request_payload": "", "response_details": "{'executionArn': 'arn:aws:states:eu-central-1:981503094308:execution:contact-centre-dialer-service:8a1acb14-b170-4f95-99bc-7a89ff814207', 'startDate': datetime.datetime(2023, 11, 1, 11, 33, 41, 354000, tzinfo=tzlocal()), 'ResponseMetadata': {'RequestId': '60427a29-6dd4-4cdf-b5c0-fc6cb45b08b2', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '60427a29-6dd4-4cdf-b5c0-fc6cb45b08b2', 'date': 'Wed, 01 Nov 2023 11:33:41 GMT', 'content-type': 'application/x-amz-json-1.0', 'content-length': '165', 'connection': 'keep-alive'}, 'RetryAttempts': 0}}", "invocation_timestamp": "2023-11-01T11:33:41Z", "response_timestamp": "2023-11-01T11:33:41Z", "custom_attributes": {"entity-internal-id": "", "root-entity-id": "", "student_id": "64690945", "lead-id": "37079165", "country": "Nepal"}}
Hi @jip31 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @PickleRick, yes, I am a bit confused about the philosophy behind all these files. We have only one single server, so I guess it has to be configured there. You mentioned that it has nothing to do with HEC, so where should I place the props.conf file? At /etc/system/local? Cheers
Hi @jip31, when you use sourcetype, you don't need to specify it:

[Perfmon:mem]
FIELDALIAS-Value = Value AS titi counter AS tutu

Only for host and source you have to specify them, but with a different syntax:

[source::your_source]
FIELDALIAS-Value = Value AS titi counter AS tutu

[host::your_host]
FIELDALIAS-Value = Value AS titi counter AS tutu

Ciao. Giuseppe
This is too vague. What exactly are you trying to achieve? What are your desired results? What events are you working with?