Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
10-12-2023
10:01 PM
@ITWhispererhello mister, please help or can you tag some guys, who can help us please. thank you!
10-12-2023
08:49 PM
For Ubuntu: I used the command [sudo] $SPLUNK_HOME/bin/splunk enable boot-start But when i rebooted the machine, I check the status of splunk forwader by using command ./splunk status. It return...
See more...
For Ubuntu: I used the command [sudo] $SPLUNK_HOME/bin/splunk enable boot-start But when i rebooted the machine, I check the status of splunk forwader by using command ./splunk status. It returned "splunkd is not running". For Windows: according to Splunk document, Splunk will run automatically after startup. But after restarting the machine, i checked in the Task Manager, the SplunkForwarder was not running.
10-12-2023
08:16 PM
Hi @deephi .. Splunk UF is compatible with most of the linux available in the market. Pls check the documentations. if you hvae very old linux versions (or very latest linux with very advanced featur...
See more...
Hi @deephi .. Splunk UF is compatible with most of the linux available in the market. Pls check the documentations. if you hvae very old linux versions (or very latest linux with very advanced features.. even 90% of the times, this we can neglect)
10-12-2023
07:03 PM
Is Splunk Universal Forwarder compatible with Amazon Linux?
Labels
- Labels:
-
Linux
-
universal forwarder
10-12-2023
06:47 PM
How can I remove the "Open in Search" (search magnifying glass) icon/option from a panel in a Dashboard Studio dashboard? I know how it's done in the Classic dashboard, but cannot work out how to do...
See more...
How can I remove the "Open in Search" (search magnifying glass) icon/option from a panel in a Dashboard Studio dashboard? I know how it's done in the Classic dashboard, but cannot work out how to do it in Dashboard Studio. Thanks
Labels
- Labels:
-
Dashboard Studio
10-12-2023
05:30 PM
It's possible Splunk's regex library doesn't handle \b well. Is there something else that indicates the start and end of the desired string? Perhaps \Wauthentication\sfailure\W?
10-12-2023
05:27 PM
1 Karma
Strip the quotes with the trim function. index=prd sourcetype=core Step=* Time=*
| eval Step=trim(Step, "'")
| timechart avg(Time) by Step span=1d
10-12-2023
03:56 PM
You say that you get other events from the suricata box. How are you ingesting them? Do you have forwarder installed on the suricata box?
Yes we have a Universal Forwarder on the suricata box. Cur...
See more...
You say that you get other events from the suricata box. How are you ingesting them? Do you have forwarder installed on the suricata box?
Yes we have a Universal Forwarder on the suricata box. Currently it is set to monitor syslogs which we see in the search head web app.
2. Did you deploy the addon with the enabled input to the forwarder on the suricata box? Copied the TA to /opt/splunkforwarder/etc/apps/Ta-suricata on the suricata box.
3.3. Did you verify the inputs on the forwarder? yes
btool host= splunk-nat-sec, index= suricata, sourcetype = suricata, [monitor:///var/log/suricata/eve.json]
splunk list monitor
/var/log/suricata/eve.json, /var/log/syslog
splunk list input status
/var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149, percent = 4.75, type = reading (batch)
splunkd. log has Warn Tailreader [ tailreader0] - Enquueing a very large file=/var/log/suricata/eve.json ..... readinf of other large files could be delayed.
Then an INFO about trimming input to first line
Then an INFO about shutting down while reading file
/var/log/suricata/eve.json
Then INfO about Batch file input finished reading the file.
It isn't in a spot I can copy and paste. Maybe this is enough. Thanks for your help.
10-12-2023
03:55 PM
Hi @Oliver.Ulfik,
One of your posts was flagged for spam, (the one with the larger code snippet). I've decided to leave this post here and archive the other.
If you have not yet seen them, here a...
See more...
Hi @Oliver.Ulfik,
One of your posts was flagged for spam, (the one with the larger code snippet). I've decided to leave this post here and archive the other.
If you have not yet seen them, here are some Otel Technical Knowledge Base articles we have around Otel. If I find any more specific info, I'll be sure to share it. In the meantime, let's see if the Community can jump in and help out.
10-12-2023
03:32 PM
A recent change to logs has broken my dashboard panels and reporting. I'm struggling to find the best way to modify my search criteria to pick up data prior to the change and after. It's a very simpl...
See more...
A recent change to logs has broken my dashboard panels and reporting. I'm struggling to find the best way to modify my search criteria to pick up data prior to the change and after. It's a very simple change as single quotation marks were added around the field but it's giving me a big headache. index=prd sourcetype=core Step=* Time=* | timechart avg(Time) by Step span=1d Field in event log changed: FROM: Step=CONVERSION_APPLICATION TO: Step='CONVERSION_APPLICATION' (with single quotation marks)
10-12-2023
03:17 PM
1 Karma
Wait a second. Your description is a bit chaotic.
1. You say that you get other events from the suricata box. How are you ingesting them? Do you have forwarder installed on the suricata box?
2. ...
See more...
Wait a second. Your description is a bit chaotic.
1. You say that you get other events from the suricata box. How are you ingesting them? Do you have forwarder installed on the suricata box?
2. Did you deploy the addon with the enabled input to the forwarder on the suricata box?
3. Did you verify the inputs on the forwarder?
splunk btool inputs list monitor
splunk list monitor
splunk list inputstatus
4. Did you check splunkd.log from the suricata box for errors regarding eve.json? (Especially permission-related ones)
10-12-2023
03:11 PM
1 Karma
Hi @atebysandwich I'm not 100% sure I understand what you are trying to do but does this run anywhere example help... | makeresults
| eval _raw="DNS,Identified_Host
host1.domain.com,host1.domain...
See more...
Hi @atebysandwich I'm not 100% sure I understand what you are trying to do but does this run anywhere example help... | makeresults
| eval _raw="DNS,Identified_Host
host1.domain.com,host1.domain.com
host1-admin.domain.com,host1.domain.com
host1-mgt.domain.com,host1.domain.com
host2.domain.com,host2.domain.com
host2-admin.com,host2.domain.com
host2-mgt.admin.com,host2.domain.com
host3.domain.com,host3.domain.com
host3-admin.com,host3.domain.com"
| multikv forceheader=1
| table DNS Identified_Host
```^^^ dummy events ^^^```
| where DNS!=Identified_Host
| stats values(DNS) BY Identified_Host
- Tags:
- hi
10-12-2023
03:11 PM
With Splunk usually if something looks like a number but doesn't behave like a number it means that it's not a number but a string representation of a number and you have to tonumber() it. But in thi...
See more...
With Splunk usually if something looks like a number but doesn't behave like a number it means that it's not a number but a string representation of a number and you have to tonumber() it. But in this case since strptime should give you a number it would be a bit surprising.
10-12-2023
02:51 PM
Hey you may need to change them to a string. Can you try this and let me know if it works ( I am new to Splunk lol) MySearchCriteria index=MyIndex source=MySource
| stats list(ExtractedFieldStartTi...
See more...
Hey you may need to change them to a string. Can you try this and let me know if it works ( I am new to Splunk lol) MySearchCriteria index=MyIndex source=MySource
| stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField
| eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S")
| eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S")
| eval diff= tostring((MyEndUnix - MyStartUnix),"duration")
| table MyStartTime MyEndTime MyStartUnix MyEndUnix diff
10-12-2023
01:02 PM
Thanks for the help. Changed it and still no eve.json data on the server.
10-12-2023
12:40 PM
Hello: I recently started playing with the Risk framework, RBA etc. Most of my Risk Analysis dashboard is working within Enterprise Security - except for three (3) sections: Risk Modifiers By A...
See more...
Hello: I recently started playing with the Risk framework, RBA etc. Most of my Risk Analysis dashboard is working within Enterprise Security - except for three (3) sections: Risk Modifiers By Annotations Risk Score By Annotations Risk Modifiers By Threat Object For the annotations part - we do manually tag Mitre Attack tactics within our content, so not sure why these panels do not show anything. Also, does anyone know what savedsearches run in the background to populate these panels? I'd like to double check to make sure I have these enabled. Thanks!
Labels
10-12-2023
12:24 PM
I'm having trouble getting a duration between two timestamps from some extracted fields. My search looks like this: MySearchCriteria index=MyIndex source=MySource
| stats list(ExtractedFieldSt...
See more...
I'm having trouble getting a duration between two timestamps from some extracted fields. My search looks like this: MySearchCriteria index=MyIndex source=MySource
| stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField
| eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S")
| eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S")
| eval diff=MyEndUnix-MyStartUnix
| table MyStartTime MyEndTime MyStartUnix MyEndUnix diff And my table is returned as: MyStartTime MyEndTime MyStartUnix MyEndUnix diff 2023-10-10T14:48:39 2023-10-10T14:15:15 1696963719.000000 1696961715.000000 2023-10-10T14:57:50 2023-10-10T13:56:53 1696964270.000000 1696960613.000000
10-12-2023
12:03 PM
1 Karma
This helped a lot. Thank you!
- Tags:
- is worked
10-12-2023
11:55 AM
Result i need from raw data is, current=parker encrypted=true keywordp=****** boriskhan=boriskhan1-cmx_prty rolename=role.customermanager . . . .
10-12-2023
11:51 AM
I have regex in description and also url from regex101.com. its not working in Splunk when i used rex with SPL query. index=universe sourcetype=planet
| rex field=_raw "<(?<key>[^>]+)> (?<value>[^<]...
See more...
I have regex in description and also url from regex101.com. its not working in Splunk when i used rex with SPL query. index=universe sourcetype=planet
| rex field=_raw "<(?<key>[^>]+)> (?<value>[^<]+)<\/\1>" Results i got, key current encrypted keywordp boriskhan rolename . . value parker true ****** role.customermanager false . . .
