Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-23-2023
05:45 AM
Hai can you help with full query to get status if down
index=test_index host="test" (source=ps COMMAND=*cybAgent* OR COMMAND=*event_demon* OR COMMAND=*as_server*)
| streamstats current=f last(P...
See more...
Hai can you help with full query to get status if down
index=test_index host="test" (source=ps COMMAND=*cybAgent* OR COMMAND=*event_demon* OR COMMAND=*as_server*)
| streamstats current=f last(PID) as lastPID by COMMAND
10-23-2023
05:39 AM
This is defined in props.conf for the sourcetype, see the ADD_EXTRA_TIME_FIELDS setting in this documentation https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Timestamp_extract...
See more...
This is defined in props.conf for the sourcetype, see the ADD_EXTRA_TIME_FIELDS setting in this documentation https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Timestamp_extraction_configuration
10-23-2023
05:35 AM
@abazgwa21cz For a new question, please ask it in a new topic, so that any answers relate to the new question.
10-23-2023
05:33 AM
1 Karma
Just updating this old post with the info that we never reached the implementation part of this extension because the client went another route. So my knowledge on this is about as extensive as the a...
See more...
Just updating this old post with the info that we never reached the implementation part of this extension because the client went another route. So my knowledge on this is about as extensive as the above posts.
10-23-2023
05:30 AM
Splunk ES supports any device that can send text. Enterprise Security is a Splunk app so any platform that can run Splunk can run ES, however most admins will recommend using Linux.
10-23-2023
05:27 AM
I solved the problem by updating the lookup editor app to last version (4.0.2) and editing the view as explained by tomapatan
10-23-2023
05:08 AM
Hey @Gaikwad, The error message itself shows what the issue is. The dashboards in the Splunk App for AWS Security are powered by the macro "aws-security-cloudtrail-service". By default, the macro de...
See more...
Hey @Gaikwad, The error message itself shows what the issue is. The dashboards in the Splunk App for AWS Security are powered by the macro "aws-security-cloudtrail-service". By default, the macro definition is present in the app. However, it doesn't know what index to look into. You can navigate to Settings -> Advanced Search -> Search Macros and locate the macro in the window. Then you'll need to define what index does it need to search to and add the arguments accordingly. In addition to this, you'll also need to make sure that the permissions to the macro are adequate for a user to access it outside the app or should at least have read access to all the users for the dashboard to load the panels properly. Once the macro is defined with the appropriate index definition and the permissions are properly provided, the dashboard panels will show the expected results. Thanks, Tejas. --- If the above solution is helpful, an upvote is appreciated.
10-23-2023
05:07 AM
Hi @vijreddy30 ... pls check your Profile's inbox.. i have sent a msg to you. this looks like a POC / test / dev environment setup. most probably you may not need "high availability" at all. ...
See more...
Hi @vijreddy30 ... pls check your Profile's inbox.. i have sent a msg to you. this looks like a POC / test / dev environment setup. most probably you may not need "high availability" at all. we may need more details about what you meant by "high availability".. thanks.
10-23-2023
04:58 AM
1 Karma
Hi @Eyal, for joinining a lookup you don't need the join command that anyway shoud be avoided all the times and used only when there isn't any other solution. You can use the lookup command that's ...
See more...
Hi @Eyal, for joinining a lookup you don't need the join command that anyway shoud be avoided all the times and used only when there isn't any other solution. You can use the lookup command that's a left join, something like this: <your_search>
| lookup my_list.csv group_name OUTPUT Severity
| where isnotnull(Severity) if the field to use gor joining is different beteen the main swarch and the lookup, you can use AS. for more infos see at https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Lookup Ciao. Giuseppe
10-23-2023
04:57 AM
Hey, Thanks for the info, it was just the management port that needed changing, I picked a different port, finished the installation and everything seems to be working as expected. Thanks again for...
See more...
Hey, Thanks for the info, it was just the management port that needed changing, I picked a different port, finished the installation and everything seems to be working as expected. Thanks again for the information Jamie
10-23-2023
04:54 AM
1 Karma
Hey @jamie1, It is completely okay to have Splunk services running on different ports other than the default ones. You just need to make sure that the appropriate configuration files are updated wit...
See more...
Hey @jamie1, It is completely okay to have Splunk services running on different ports other than the default ones. You just need to make sure that the appropriate configuration files are updated with the port that you change. For eg: Default ingestion port is 9997. However, if you wish to change it to let's say 3434, then you need to make sure to update the inputs.conf and outputs.conf with the same value for the appropriate stanza. Thanks, Tejas. ---- If the above solution is helpful, an upvote is appreciated.
10-23-2023
03:41 AM
Hi, I have a query that trigger when a user has been added to a specific types of groups. The query depends on lookup with 2 columns inside (one for group_name, Another for Severity). I want to fi...
See more...
Hi, I have a query that trigger when a user has been added to a specific types of groups. The query depends on lookup with 2 columns inside (one for group_name, Another for Severity). I want to find any event of adding to one of the monitored groups, But also to enrich my final table with the severity right next to the group_name. I have tried to resolve this using: | join type=left group_name [| inputlookup my_list.csv] | where isnotnull(Severity) But somehow only 2 groups with low severity is being found even though all the groups in the list has its own severity. How can I managed to make my table show the group with its severity?
10-23-2023
03:37 AM
Dears How to find out what Devices (Switch, Router, etc.), operating systems (Windows, linux, MacOs, etc.), applications(web application, mobile application, etc.) and services (database server, web...
See more...
Dears How to find out what Devices (Switch, Router, etc.), operating systems (Windows, linux, MacOs, etc.), applications(web application, mobile application, etc.) and services (database server, web server, etc. ) does Splunk Enterprise Security support? And also the support for Search head and Indexer OS, Is it windows server or Linux? because I could not find out in their documentation or over the internet Thank you in advance!
- Tags:
- support
10-23-2023
03:24 AM
In zone- HF instance and (SH+Indexer) one instance same Zone -2 also. Here my project there is no Deployer, indexer cluster and SH cluster and there is no Cluster master also. How do i implemen...
See more...
In zone- HF instance and (SH+Indexer) one instance same Zone -2 also. Here my project there is no Deployer, indexer cluster and SH cluster and there is no Cluster master also. How do i implement High Availability server?
10-23-2023
03:14 AM
1 Karma
Hi richgalloway, Thank you for reply, I did try as you suggested with lookup command and it didn't work but.... Because of you response I went and tried it again, this time utilizing lower() option...
See more...
Hi richgalloway, Thank you for reply, I did try as you suggested with lookup command and it didn't work but.... Because of you response I went and tried it again, this time utilizing lower() option and finding it work Thank you for help
10-23-2023
02:38 AM
Hi There, I am currently trying to set up a universal forwarder on a CentOS 7 server. I have extracted the package and am attempting to start the service but receive the following: ERROR: mgmt ...
See more...
Hi There, I am currently trying to set up a universal forwarder on a CentOS 7 server. I have extracted the package and am attempting to start the service but receive the following: ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port. The port is in fact in use and thus the only solution seems to be using a non-default port. Will this cause any issues in the long run or is running Splunk on different ports completely supported? As I have only ever used the default ports for previous installations. Any help/info would be appreciated, Jamie
Labels
- Labels:
-
Linux
-
universal forwarder
10-23-2023
02:21 AM
Hi, Splunk usually takes the log time event (_time) and parse it to: date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year I have found that some of our indexes ...
See more...
Hi, Splunk usually takes the log time event (_time) and parse it to: date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year I have found that some of our indexes does not contain this parse only the _time field. What may cause this issue? In addition, I am not sure but I have found something related to "DATETIME_CONFIG = /etc/datetime.xml" might be a good point not much on the internet that explain pretty well how to resolve this. Would appreciate your help here
- Tags:
- time
Labels
10-23-2023
01:59 AM
Yeah this seems to mitigate the problem. Unfortunatly if you are using chrome you have to change your global system settings. I hope this will get patched in the next update.
10-23-2023
01:47 AM
Thanks alot , i have one more questions , I just install misp42 app in my splunk , and add misp instance to splunk , it work
But i want compare from : index=firewall srcip=10.x.x...
See more...
Thanks alot , i have one more questions , I just install misp42 app in my splunk , and add misp instance to splunk , it work
But i want compare from : index=firewall srcip=10.x.x.x , it my log from firewall , so i want compare dstip with ip-dst from misp to detect unusual access activities , like when dstip=ip-dst : 152.67.251.30 , how can i search this , misp_instance=IP_Block field=value , i just try some search but it not work:
index=firewall srcip=10.x.x.x
| mispsearch misp_instance=IP_Block field=value
| search dstip=ip=dst
| table _time dstip ip-dst value action
It can't get ip-dst from misp instance , Can you help me with this OR can i get some solution to resolve this Many thanks and Best regards !!
10-23-2023
01:46 AM
Hi guys , I just install misp42 app in my splunk , and add misp instance to splunk , it work But i want compare from : index=firewall srcip=10.x.x.x , it my log from firewall , so i w...
See more...
Hi guys , I just install misp42 app in my splunk , and add misp instance to splunk , it work But i want compare from : index=firewall srcip=10.x.x.x , it my log from firewall , so i want compare dstip with ip-dst from misp to detect unusual access activities , like when dstip=ip-dst : 152.67.251.30 , how can i search this , misp_instance=IP_Block field=value , i just try some search but it not work: index=firewall srcip=10.x.x.x | mispsearch misp_instance=IP_Block field=value | search dstip=ip=dst | table _time dstip ip-dst value action It cant get ip-dst from misp instance , Can anyone help me with this OR can i get some solution to resolve this Many thanks and Best regards !!
