Hi,
I have a modular input that is connected to CIM through eventtypes and tags as follows:
default/eventtypes.conf
[my_event_type]
search = sourcetype=my_default_source_type
default/tags.conf
[eventtype=my_event_type]
alert = enabled
This generally works up until a user decides to reconfigure the default sourcetype and index. When the sourcetype is altered, the eventtype stanza breaks. How do I go about this? What is the best practice to allow a user to reconfigure the sourcetype while ensuring the CIM integration still works? Should I rely on other fields that I create? Can this damage the efficiency of the query? Thanks
Hi @Praz_123, you should create an alert for when the data flow stops and immediately check whether something blocked it. Then, if the data flow arrives from text files, you could check whether the files contain data for the missing periods. Ciao. Giuseppe
@gcusello Thanks for your reply, but the data is visible only partially: in 7 days it will be something like 6 days visible and 1 day missing, or 5 days visible and 2 days missing, and vice versa. What could be the solution for that?
Hi @Praz_123, if one sourcetype was present and now it's missing, there could be two reasons: you modified the inputs.conf assigning the sourcetype to a data flow, or the data flow stopped. You can check the first possibility by seeing whether someone modified the inputs.conf that should ingest the data. For the second possibility you should analyze whether you're still receiving data and when the data stopped:
index=your_index sourcetype=your_sourcetype
| head 10
Ciao. Giuseppe
Hi All, We tried to use the SentinelOne SOAR app to implement a playbook to block a hash on SentinelOne. SentinelOne SOAR App: https://splunkbase.splunk.com/app/6056 We found that it applied the hash to only some groups on SentinelOne. Has anyone encountered this issue before? Please advise.
Hi @karimossl, let me understand: do you want to find all the ComputerNames from Active Directory logs that aren't in the lookup, or something else? If this is your requirement, you could run:
index=win* NOT [ | inputlookup code_countries.csv | rename alpha-2 AS ComputerName | fields ComputerName ]
| dedup ComputerName
| sort ComputerName
| table ComputerName
Ciao. Giuseppe
Hi @Sid, where did you locate the conf files: on Splunk Cloud or on on-premises systems? As I said, they must be located on the first full Splunk instance that the data passes through. Ciao. Giuseppe
Hello, I want to detect workstations authenticated to the Active Directory that are not compliant with our naming conventions (the hostname should start with the country code followed by 6 digits; example for a host from Italy: IT000121). I already have a lookup file (| inputlookup code_countries.csv | table alpha-2), but I don't know how to compare it with the 'Workstation' field in my active index to check it against the naming convention I described above. Regards,
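One way to express that naming check in SPL, as an added example that is not part of the original thread: it assumes the event field is named Workstation (as in the question) and that code_countries.csv has an alpha-2 column (as in the question's inputlookup); the index name win* is taken from the thread's other reply and may need adjusting.

```spl
index=win* Workstation=*
| rex field=Workstation "^(?<cc>[A-Z]{2})\d{6}$"
| search NOT [ | inputlookup code_countries.csv | rename alpha-2 AS cc | fields cc ]
| stats count AS auth_events earliest(_time) AS first_seen latest(_time) AS last_seen BY Workstation
| sort - auth_events
```

A name that does not match the two-letters-plus-six-digits pattern gets no cc field, so the NOT subsearch keeps it alongside names whose prefix is not a known alpha-2 code; the result is one row per non-compliant workstation with its authentication count and first/last seen times.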
Hi @syazwani ... As said by PickleRick, there is no Splunk command called "distance".
1) For other new Splunkers' info about Splunk's search commands, please check the Splunk Search Reference document: https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Rex (I copied the rex command's link; on the left side you will see a list of commands, alphabetically).
2) This should come from an app or add-on, most likely from a macros.conf file in that app/add-on, so please try looking into the macros conf files.
3) May we know if this was working previously and only recently stopped working? Were there any app/add-on upgrades?
4) Not sure, but let's try: that error message has a yellow triangle, like a Splunk warning message. Are you able to click on it? Does it give you more details?
5) In the internal logs for that app/add-on, do you see any warnings/errors?