All Posts
@ITWhisperer hello mister, please help, or can you tag some guys who can help us please. Thank you!
For Ubuntu: I used the command

[sudo] $SPLUNK_HOME/bin/splunk enable boot-start

But when I rebooted the machine, I checked the status of the Splunk forwarder using the command ./splunk status. It returned "splunkd is not running".

For Windows: according to the Splunk documentation, Splunk will run automatically after startup. But after restarting the machine, I checked in the Task Manager, and SplunkForwarder was not running.
Hi @deephi .. Splunk UF is compatible with most of the Linux versions available in the market. Please check the documentation. If you have very old Linux versions (or very latest Linux with very advanced features.. even 90% of the time, this we can neglect)
Is Splunk Universal Forwarder compatible with Amazon Linux?  
How can I remove the "Open in Search" (search magnifying glass) icon/option from a panel in a Dashboard Studio dashboard? I know how it's done in the Classic dashboard, but cannot work out how to do it in Dashboard Studio. Thanks
It's possible Splunk's regex library doesn't handle \b well.  Is there something else that indicates the start and end of the desired string?  Perhaps \Wauthentication\sfailure\W?
Strip the quotes with the trim function.

index=prd sourcetype=core Step=* Time=* | eval Step=trim(Step, "'") | timechart avg(Time) by Step span=1d
1. You say that you get other events from the suricata box. How are you ingesting them? Do you have a forwarder installed on the suricata box?
Yes, we have a Universal Forwarder on the suricata box. Currently it is set to monitor syslogs, which we see in the search head web app.

2. Did you deploy the addon with the enabled input to the forwarder on the suricata box?
Copied the TA to /opt/splunkforwarder/etc/apps/Ta-suricata on the suricata box.

3. Did you verify the inputs on the forwarder?
Yes.
btool: host = splunk-nat-sec, index = suricata, sourcetype = suricata, [monitor:///var/log/suricata/eve.json]
splunk list monitor: /var/log/suricata/eve.json, /var/log/syslog
splunk list inputstatus: /var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149, percent = 4.75, type = reading (batch)

splunkd.log has a WARN from TailReader [tailreader0] - Enqueuing a very large file=/var/log/suricata/eve.json ..... reading of other large files could be delayed. Then an INFO about trimming input to the first line. Then an INFO about shutting down while reading file /var/log/suricata/eve.json. Then an INFO about Batch file input finished reading the file. It isn't in a spot I can copy and paste. Maybe this is enough. Thanks for your help.
Hi @Oliver.Ulfik, One of your posts was flagged for spam, (the one with the larger code snippet). I've decided to leave this post here and archive the other. If you have not yet seen them, here are some Otel Technical Knowledge Base articles we have around Otel. If I find any more specific info, I'll be sure to share it. In the meantime, let's see if the Community can jump in and help out.
A recent change to logs has broken my dashboard panels and reporting. I'm struggling to find the best way to modify my search criteria to pick up data prior to the change and after. It's a very simple change, as single quotation marks were added around the field, but it's giving me a big headache.

index=prd sourcetype=core Step=* Time=* | timechart avg(Time) by Step span=1d

Field in event log changed:
FROM: Step=CONVERSION_APPLICATION
TO: Step='CONVERSION_APPLICATION' (with single quotation marks)
Wait a second. Your description is a bit chaotic.
1. You say that you get other events from the suricata box. How are you ingesting them? Do you have a forwarder installed on the suricata box?
2. Did you deploy the addon with the enabled input to the forwarder on the suricata box?
3. Did you verify the inputs on the forwarder?
splunk btool inputs list monitor
splunk list monitor
splunk list inputstatus
4. Did you check splunkd.log from the suricata box for errors regarding eve.json? (Especially permission-related ones)
Hi @atebysandwich I'm not 100% sure I understand what you are trying to do, but does this run-anywhere example help...

| makeresults
| eval _raw="DNS,Identified_Host
host1.domain.com,host1.domain.com
host1-admin.domain.com,host1.domain.com
host1-mgt.domain.com,host1.domain.com
host2.domain.com,host2.domain.com
host2-admin.com,host2.domain.com
host2-mgt.admin.com,host2.domain.com
host3.domain.com,host3.domain.com
host3-admin.com,host3.domain.com"
| multikv forceheader=1
| table DNS Identified_Host
```^^^ dummy events ^^^```
| where DNS!=Identified_Host
| stats values(DNS) BY Identified_Host
With Splunk usually if something looks like a number but doesn't behave like a number it means that it's not a number but a string representation of a number and you have to tonumber() it. But in this case since strptime should give you a number it would be a bit surprising.
Hey, you may need to change them to a string. Can you try this and let me know if it works (I am new to Splunk lol)

MySearchCriteria index=MyIndex source=MySource
| stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField
| eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S")
| eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S")
| eval diff=tostring((MyEndUnix - MyStartUnix),"duration")
| table MyStartTime MyEndTime MyStartUnix MyEndUnix diff
Thanks for the help. Changed it and still no eve.json data on the server.
Hello: I recently started playing with the Risk framework, RBA etc. Most of my Risk Analysis dashboard is working within Enterprise Security, except for three (3) sections:

Risk Modifiers By Annotations
Risk Score By Annotations
Risk Modifiers By Threat Object

For the annotations part, we do manually tag MITRE ATT&CK tactics within our content, so not sure why these panels do not show anything. Also, does anyone know what savedsearches run in the background to populate these panels? I'd like to double check to make sure I have these enabled.

Thanks!
I'm having trouble getting a duration between two timestamps from some extracted fields. My search looks like this:

MySearchCriteria index=MyIndex source=MySource
| stats list(ExtractedFieldStartTime) as MyStartTime, list(ExtractedFieldEndTime) as MyEndTime by AnotherField
| eval MyStartUnix=strptime(MyStartTime, "%Y-%m-%dT%H:%M:%S")
| eval MyEndUnix=strptime(MyEndTime, "%Y-%m-%dT%H:%M:%S")
| eval diff=MyEndUnix-MyStartUnix
| table MyStartTime MyEndTime MyStartUnix MyEndUnix diff

And my table is returned as:

MyStartTime          MyEndTime            MyStartUnix        MyEndUnix          diff
2023-10-10T14:48:39  2023-10-10T14:15:15  1696963719.000000  1696961715.000000
2023-10-10T14:57:50  2023-10-10T13:56:53  1696964270.000000  1696960613.000000
This helped a lot. Thank you!  
Result I need from raw data is:
current=parker encrypted=true keywordp=****** boriskhan=boriskhan1-cmx_prty rolename=role.customermanager . . . .
I have the regex in the description and also a URL from regex101.com. It's not working in Splunk when I used rex in an SPL query.

index=universe sourcetype=planet | rex field=_raw "<(?<key>[^>]+)> (?<value>[^<]+)<\/\1>"

Results I got:

key: current encrypted keywordp boriskhan rolename . .
value: parker true ****** role.customermanager false . . .