All Posts

Hi @PReynoldsBitsIO , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
How to create the total average/median/max of a field in a separate table? Thank you in advance.

| index=testindex | table company, ip, Vulnerability, Score

company   ip   Vulnerability   Score
CompanyA  ip1  Vuln1           2
CompanyA  ip1  Vuln2           0
CompanyA  ip2  Vuln3           4
CompanyA  ip2  Vuln4           2
CompanyA  ip3  Vuln5           3
CompanyA  ip3  Vuln6           5

Group by IP => This worked just fine:

| stats values(company), avg(Score) as AvgScore by ip

company   ip   AvgScore
CompanyA  ip1  1
CompanyA  ip2  3
CompanyA  ip3  4

Group by Company => how do I group by company after grouping by ip (using stats) and put it in a separate table?

| stats avg(AvgScore) as Average, median(AvgScore) as Median, max(AvgScore) as Max by company

Company   Average  Median  Max
CompanyA  2.7      3       4
@meshorer Whenever you update a playbook, it is saved with a different ID to enable version control. Is the changing ID causing you issues in automation (or elsewhere)?
Hi, I see that playbook IDs keep changing all the time. Can anyone explain the reason for this? Thank you, Daniel
Hello, I have installed the Add-on for Microsoft Azure. How can I get data in from Azure Service Bus?
You got that fixed?
Hi, I have onboarded my Splunk to LDAP and subsequently mapped the AD groups to the respective roles in Splunk. However, I have noted that the users are not populated or shown under "Users" in the web UI. I have asked a user whom I have mapped the roles to log in (LDAP authentication), and they are able to log in and search. There is no existing local account for the user. Running Splunk Enterprise v9.0.6. I would appreciate it if anyone can help with this. Thanks.
This query will tell you when each user last logged in. It's up to you to decide which of them is "inactive".

| rest /services/authentication/users splunk_server=local | table title last_successful_login
I wound up coming up with a solution. Any spaces at the start of the field will be truncated when Splunk builds that chart. I made a sort_order field that adds spaces to the start of the field value. The more spaces, the earlier in the chart order the field is placed. Here's the code now:

<Base Search>
| eval sort_order=case(
    income=="$24,000 and under",    "     $24,000 and under",
    income=="$25,000 - $39,999",    "    $25,000 - $39,999",
    income=="$40,000 - $79,999",    "   $40,000 - $79,999",
    income=="$80,000 - $119,999",   "  $80,000 - $119,999",
    income=="$120,000 - $199,999",  " $120,000 - $199,999",
    income=="$200,000 or more",     "$200,000 or more")
| chart count by sort_order
So far, Splunk only supports HTTP/1.1. Go to https://ideas.splunk.com to make a case for HTTP/2.
Is there any search query from which we can get the inactive users? @richgalloway @_JP 
Those fields are not present in every event.  See https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usedefaultfields
Sadly, this didn't work. The rename won't change the column values. I have found a solution, though; thank you.
This didn't work. The chart doesn't respond to the sort order. Thanks for the attempt, though.
Hi, can you help with the full query to get the status if it is down?

index=test_index host="test" (source=ps COMMAND=*cybAgent* OR COMMAND=*event_demon* OR COMMAND=*as_server*) | streamstats current=f last(PID) as lastPID by COMMAND
This is defined in props.conf for the sourcetype; see the ADD_EXTRA_TIME_FIELDS setting in this documentation: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Timestamp_extraction_configuration
@abazgwa21cz For a new question, please ask it in a new topic, so that any answers relate to the new question.
Just updating this old post with the info that we never reached the implementation part of this extension because the client went another route. So my knowledge on this is about as extensive as the above posts.
Splunk ES supports any device that can send text. Enterprise Security is a Splunk app, so any platform that can run Splunk can run ES; however, most admins will recommend using Linux.
I solved the problem by updating the Lookup Editor app to the latest version (4.0.2) and editing the view as explained by tomapatan.