All Posts

Strip the quotes with the trim function.
index=prd sourcetype=core Step=* Time=* | eval Step=trim(Step, "'") | timechart avg(Time) by Step span=1d
1. You say that you get other events from the suricata box. How are you ingesting them? Do you have a forwarder installed on the suricata box? Yes, we have a Universal Forwarder on the suricata box. Currently it is set to monitor syslogs, which we see in the search head web app.
2. Did you deploy the addon with the enabled input to the forwarder on the suricata box? Copied the TA to /opt/splunkforwarder/etc/apps/Ta-suricata on the suricata box.
3. Did you verify the inputs on the forwarder? Yes. btool: host=splunk-nat-sec, index=suricata, sourcetype=suricata, [monitor:///var/log/suricata/eve.json]. splunk list monitor: /var/log/suricata/eve.json, /var/log/syslog. splunk list inputstatus: /var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149, percent = 4.75, type = reading (batch). splunkd.log has WARN TailReader [tailreader0] - Enqueuing a very large file=/var/log/suricata/eve.json ..... reading of other large files could be delayed. Then an INFO about trimming input to first line. Then an INFO about shutting down while reading file /var/log/suricata/eve.json. Then INFO about Batch file input finished reading the file. It isn't in a spot I can copy and paste. Maybe this is enough. Thanks for your help.
Hi @Oliver.Ulfik, One of your posts was flagged for spam, (the one with the larger code snippet). I've decided to leave this post here and archive the other. If you have not yet seen them, here are some Otel Technical Knowledge Base articles we have around Otel. If I find any more specific info, I'll be sure to share it. In the meantime, let's see if the Community can jump in and help out.
A recent change to logs has broken my dashboard panels and reporting. I'm struggling to find the best way to modify my search criteria to pick up data prior to the change and after. It's a very simple change, as single quotation marks were added around the field, but it's giving me a big headache.
index=prd sourcetype=core Step=* Time=* | timechart avg(Time) by Step span=1d
Field in event log changed FROM: Step=CONVERSION_APPLICATION TO: Step='CONVERSION_APPLICATION' (with single quotation marks)
Wait a second. Your description is a bit chaotic.
1. You say that you get other events from the suricata box. How are you ingesting them? Do you have a forwarder installed on the suricata box?
2. Did you deploy the addon with the enabled input to the forwarder on the suricata box?
3. Did you verify the inputs on the forwarder? splunk btool inputs list monitor; splunk list monitor; splunk list inputstatus
4. Did you check splunkd.log from the suricata box for errors regarding eve.json? (Especially permission-related ones.)
Hi @atebysandwich  I'm not 100% sure I understand what you are trying to do, but does this run-anywhere example help...
| makeresults | eval _raw="DNS,Identified_Host host1.domain.com,host1.domain.com host1-admin.domain.com,host1.domain.com host1-mgt.domain.com,host1.domain.com host2.domain.com,host2.domain.com host2-admin.com,host2.domain.com host2-mgt.admin.com,host2.domain.com host3.domain.com,host3.domain.com host3-admin.com,host3.domain.com" | multikv forceheader=1 | table DNS Identified_Host ```^^^ dummy events ^^^``` | where DNS!=Identified_Host | stats values(DNS) BY Identified_Host
With Splunk, usually if something looks like a number but doesn't behave like a number, it means that it's not a number but a string representation of a number and you have to tonumber() it. But in this case, since strptime should give you a number, it would be a bit surprising.
Hey, you may need to change them to a string. Can you try this and let me know if it works (I am new to Splunk lol):
MySearchCriteria index=MyIndex source=MySource | stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField | eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S") | eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S") | eval diff=tostring((MyEndUnix - MyStartUnix),"duration") | table MyStartTime MyEndTime MyStartUnix MyEndUnix diff
Thanks for the help. Changed it and still no eve.json data on the server.
Hello: I recently started playing with the Risk framework, RBA etc. Most of my Risk Analysis dashboard is working within Enterprise Security, except for three (3) sections: Risk Modifiers By Annotations, Risk Score By Annotations, and Risk Modifiers By Threat Object. For the annotations part, we do manually tag MITRE ATT&CK tactics within our content, so not sure why these panels do not show anything. Also, does anyone know what savedsearches run in the background to populate these panels? I'd like to double check to make sure I have these enabled. Thanks!
I'm having trouble getting a duration between two timestamps from some extracted fields. My search looks like this:
MySearchCriteria index=MyIndex source=MySource | stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField | eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S") | eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S") | eval diff=MyEndUnix-MyStartUnix | table MyStartTime MyEndTime MyStartUnix MyEndUnix diff
And my table is returned as (the diff column is empty in both rows):
MyStartTime          MyEndTime            MyStartUnix         MyEndUnix           diff
2023-10-10T14:48:39  2023-10-10T14:15:15  1696963719.000000   1696961715.000000
2023-10-10T14:57:50  2023-10-10T13:56:53  1696964270.000000   1696960613.000000
This helped a lot. Thank you!  
Result I need from raw data is: current=parker encrypted=true keywordp=****** boriskhan=boriskhan1-cmx_prty rolename=role.customermanager . . . .
I have the regex in the description and also a URL from regex101.com. It's not working in Splunk when I use rex in an SPL query.
index=universe sourcetype=planet | rex field=_raw "<(?<key>[^>]+)> (?<value>[^<]+)<\/\1>"
Results I got:
key: current, encrypted, keywordp, boriskhan, rolename, . .
value: parker, true, ******, role.customermanager, false, . . .
Thank you for your help here Rich!  I replaced the regex with the one you provided and still am not seeing any data at all.  Both my regular expression, as well as the one you provided, worked to locate the string "authentication failure" in regex101.  This has left me more or less stumped.  It's like the Heavy Forwarder is completely ignoring the "set_parse" setting.  Perhaps the issue lies with props.conf?  I have used props and transforms before, just not sure what the issue is here. What do you think? Thanks, Grant
I'm trying to find the right regex for Splunk search-time extraction first, via the Splunk GUI.
Where in Splunk are you using this regex?  If it's in transforms.conf then please share the full stanza.
The input is disabled (disabled=true) so nothing will be read from the file.  Set disabled=false and restart the Splunk instance.
I need help with a regex to extract key and value from raw data; the regex below works with xml_kv_extraction. It works in regex101 but not in Splunk with rex. Any suggestions?
<(?<field_header>[^>]+)>(?<field_value>[^<]+)<\/\1>
https://regex101.com/r/IBsMhK/1
e.g. events with <field_title><field_header1>field_value1</field_header1><field_header2>field_value2</field_header2></field_title> should produce fields as below:
field_title = <field_header1>field_value1</field_header1><field_header2>field_value2</field_header2>
field_header1=field_value1
field_header2=field_value2
Sample events:
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:36:22.742479", LAST_UPDATE_DATE="1997-10-10 13:36:22.74", ACTION="externalFactor", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.388887", LAST_UPDATE_DATE="1997-10-10 13:03:58.388", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.384984", LAST_UPDATE_DATE="1997-10-10 13:03:58.384", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.384947", LAST_UPDATE_DATE="1997-10-10 13:03:58.384", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.378965", LAST_UPDATE_DATE="1997-10-10 13:03:58.378", ACTION="externalFactor", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.374242", LAST_UPDATE_DATE="1997-10-10 13:03:58.373", ACTION="externalFactor", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.374235", LAST_UPDATE_DATE="1997-10-10 13:03:58.373", ACTION="externalFactor", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current><keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp><boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"
1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.325953", LAST_UPDATE_DATE="1997-10-10 13:03:58.325", ACTION="externalFactor.RESPONSE", STATUS="info", DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn><roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName><pepres>false</pepres><externalFactor>false</externalFactor><parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"
@priit @PriA @yonmost @jameshgibson @bnikhil0584
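The extraction the question above asks for, as an added example that is not code from the post or from Splunk: the same tag / text / matching-closing-tag pattern with a backreference, run in Python over two of the posted events so the behaviour can be checked offline. Because the content class `[^<]+` cannot cross a `<`, only leaf elements match; a wrapper such as `<keywordp>` whose first child is another element is skipped while its inner `<encrypted>` and `<keywordp>` leaves are captured, which is what the poster's output shows. The `data_string_from_event` helper, and its assumption that DATA_STRING is the last field on the line, are mine and not part of the post.

```python
import re

# The poster's pattern in Python re syntax: Python needs (?P<name>...) and (?P=name)
# where PCRE (used by Splunk's rex) accepts (?<name>...) and \1.
# [^<]+ cannot cross a '<', so only leaf elements (tag, text, same closing tag) match.
LEAF_ELEMENT = re.compile(r"<(?P<key>[^>]+)>(?P<value>[^<]+)</(?P=key)>")


def extract_leaf_pairs(xml_text):
    """Return (key, value) for every leaf element, in document order."""
    return [(m.group("key"), m.group("value")) for m in LEAF_ELEMENT.finditer(xml_text)]


def to_multivalue_fields(pairs):
    """Fold pairs into field -> [values], the shape of a Splunk multivalue field
    (roleName occurs twice in the response events, so it becomes a two-value list)."""
    fields = {}
    for key, value in pairs:
        fields.setdefault(key, []).append(value)
    return fields


def data_string_from_event(event_line):
    """Cut the DATA_STRING payload out of one raw event line.

    Assumption (holds for the events in the post): DATA_STRING is the last field and
    its value runs to the closing double quote at the end of the line. The payload
    itself contains double quotes (the XML prolog), so a naive "([^"]*)" capture
    would stop too early; this helper therefore cuts at the end of the line instead.
    """
    marker = 'DATA_STRING="'
    start = event_line.find(marker)
    if start == -1:
        return None
    payload = event_line[start + len(marker):].rstrip()
    return payload[:-1] if payload.endswith('"') else payload


def fields_for_event(event_line):
    """Whole pipeline for one event: locate DATA_STRING, take leaf elements, fold to fields."""
    payload = data_string_from_event(event_line)
    return {} if payload is None else to_multivalue_fields(extract_leaf_pairs(payload))


# Two event lines copied from the post: one request and one response.
REQUEST_EVENT = (
    '1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:36:22.742479", '
    'LAST_UPDATE_DATE="1997-10-10 13:36:22.74", ACTION="externalFactor", STATUS="info", '
    'DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactor><current>parker</current>'
    '<keywordp><encrypted>true</encrypted><keywordp>******</keywordp></keywordp>'
    '<boriskhan>boriskhan1-CMX_PRTY</boriskhan></externalFactor>"'
)
RESPONSE_EVENT = (
    '1997-10-10 15:35:13.046, CREATE_DATE="1997-10-10 13:03:58.388887", '
    'LAST_UPDATE_DATE="1997-10-10 13:03:58.388", ACTION="externalFactor.RESPONSE", STATUS="info", '
    'DATA_STRING="<?xml version="1.0" encoding="UTF-8"?> <externalFactorReturn>'
    '<roleName>ROLE.CustomerManager</roleName><roleName>ROLE.DataSteward</roleName>'
    '<pepres>false</pepres><externalFactor>false</externalFactor>'
    '<parkeristrator>true</parkeristrator><current>parker</current></externalFactorReturn>"'
)

if __name__ == "__main__":
    # Prints one key=value line per field, multivalues space-separated, e.g. current=parker
    for line in (REQUEST_EVENT, RESPONSE_EVENT):
        for key, values in fields_for_event(line).items():
            print(f"{key}={' '.join(values)}")
```

Two points carry over to Splunk: `rex` returns only the first match per event unless `max_match=0` is set, and the `<?xml ...?>` prolog never matches because what follows it is another tag rather than character data, so it does not pollute the extracted fields.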
The regex looks fine, although it's not necessary to escape underscore (_) characters. The blacklist5 setting is missing "$XmlRegex=" and delimiters around the regex.