All Posts
Hi, thanks, we will try this. Just one thing to mention: this is happening on one install and working on another install. Both have the same Splunk version 9.0.1. Regards Robert
Hi @AL3Z, it's a regex, instead these are Splunk fields: try only the regex. The EventCode=4688 is inside the regex, so you don't need to repeat it. Ciao. Giuseppe
Hi @kyoshiike, at first you have to identify the indexes where proxy and firewall logs are stored, then you have to identify the key (e.g. src or src_ip) to correlate events. The transaction command is a command to use only in defined situations because it's a very slow command: it should be used only when you haven't fields to use as correlation keys and you must use startswith and/or endswith strings to correlate events. In your case, you could use stats; see my approach and adapt it to your requirement:

index=firewall OR index=proxy | stats dc(dst_port) AS dst_port_count dc(dst) AS dst BY src

In this way you know if a src is calling more destinations or more ports. Anyway, the approach is to put all in the main search and use the correlation key in a stats command, identifying what to search. The options to use in the stats command are many; for this reason I hinted to follow the Splunk Search Tutorial. Ciao. Giuseppe
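The following is an added Python example, not part of the thread and not Splunk code. It does offline what Giuseppe's stats search does (event count, dc(dst) and dc(dst_port) per src) and adds the piece the SPL above leaves out: how many requests a single src made inside any 60-second window, which is the "massive requests in a small period" signal the question asks about. The key=value proxy log format, the sample lines and the thresholds are all constructed assumptions; adapt the parser to your real proxy sourcetype.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_lines():
    """Constructed proxy log sample (not real data): one quiet client and one
    client that hits 40 distinct hosts in 30 seconds."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Quiet client: 5 requests spread over 10 minutes, 3 distinct destinations.
    for i, dst in enumerate(["example.com", "example.org", "example.com",
                             "cdn.example.net", "example.org"]):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=10.1.1.5 dst={dst} dst_port=443 action=allowed")
    # Bursting client: 40 requests in 30 seconds to 40 different hosts on two ports.
    for i in range(40):
        ts = base + timedelta(seconds=i * 0.75)
        port = 80 if i % 2 else 8080
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} src=10.1.1.50 dst=host{i}.example.test "
                     f"dst_port={port} action=allowed")
    return lines


def parse_line(line):
    """'<ISO timestamp> k=v k=v ...' -> dict with a datetime under 'ts' (assumed layout)."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def max_in_window(times, window=timedelta(seconds=60)):
    """Largest number of events falling inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:   # drop events that fell out of the window
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(lines):
    """Per-src equivalent of: | stats count dc(dst) dc(dst_port) BY src, plus the peak per-minute rate."""
    per_src = defaultdict(lambda: {"times": [], "dst": set(), "dst_port": set()})
    for line in lines:
        rec = parse_line(line)
        bucket = per_src[rec["src"]]
        bucket["times"].append(rec["ts"])
        bucket["dst"].add(rec["dst"])
        bucket["dst_port"].add(rec["dst_port"])
    return {
        src: {
            "count": len(b["times"]),
            "dc_dst": len(b["dst"]),
            "dc_dst_port": len(b["dst_port"]),
            "max_per_minute": max_in_window(b["times"]),
        }
        for src, b in per_src.items()
    }


def suspicious_sources(summary, min_per_minute=30, min_dc_dst=20):
    """Sources that both burst (rate) and fan out (many destinations); thresholds are assumptions."""
    return sorted(src for src, m in summary.items()
                  if m["max_per_minute"] >= min_per_minute and m["dc_dst"] >= min_dc_dst)


if __name__ == "__main__":
    stats = summarize(constructed_lines())
    for src, m in sorted(stats.items()):
        print(src, m)
    print("suspicious:", suspicious_sources(stats))
```

Requiring both a high per-minute rate and many distinct destinations is deliberate: a single busy download or a software updater produces a high rate against one host, while scanning or a malware stager tends to fan out, so the two conditions together cut false positives that either one alone would raise.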
Hi All, any news about this issue?
Hi @gcusello, this regex is not working! Do we need to use  followed by  EventCode="4688" Message="  "  to get it to work?
I already checked this tutorial. However, it didn't provide the right answer for my question... I want to know a good index to search, from objective to the right commands. Is the only way to search docs.splunk.com with related words manually?
Hi, I have 2 lookup tables, lookup A and B. Both of the lookups contain the fields Hostname and IP. There is a scenario like below:

Lookup A
Hostname    IP
Host A      10.10.10.1
            10.10.10.2
Host B      172.1.1.1

Lookup B
Hostname    IP
Host A      10.10.10.1
Host B      172.1.1.1
            172.1.1.2

Based on the scenario above, I need a result on IPs where lookup A and B do not match based on Host. But as long as 1 IP in lookup A matches with lookup B, it is fine, and lookup B should not have multiple IPs. So, it should not match even if there is a matching IP. For your info, both lookups have multiple IPs for a host. Based on the lookup sample above, Host A should match and Host B should not match based on my condition. Please assist on this. Thank you
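An added Python example (not from the thread, and not a Splunk search) that applies the rule exactly as the question states it to the two sample lookups: a host matches only if lookup B holds a single IP for it and that IP is among the host's IPs in lookup A; it also reports the IPs present in only one of the two lookups. Storing the multivalued IP field as one CSV row per (Hostname, IP) pair is an assumption about how the lookups are exported.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed CSV renderings of the two lookups from the question (one row per IP is assumed).
LOOKUP_A = """Hostname,IP
Host A,10.10.10.1
Host A,10.10.10.2
Host B,172.1.1.1
"""

LOOKUP_B = """Hostname,IP
Host A,10.10.10.1
Host B,172.1.1.1
Host B,172.1.1.2
"""


def load_lookup(text):
    """Parse lookup CSV text into {Hostname: set of IPs}."""
    ips = defaultdict(set)
    for row in csv.DictReader(StringIO(text)):
        host, ip = row["Hostname"].strip(), row["IP"].strip()
        if host and ip:
            ips[host].add(ip)
    return dict(ips)


def compare_lookups(a_text, b_text):
    """Per host: match iff lookup B has exactly one IP and it appears in lookup A.
    Returns {Hostname: {"match": bool, "reason": str, "unmatched_ips": [...]}},
    where unmatched_ips are IPs present in only one of the two lookups."""
    a, b = load_lookup(a_text), load_lookup(b_text)
    result = {}
    for host in sorted(set(a) | set(b)):
        a_ips, b_ips = a.get(host, set()), b.get(host, set())
        unmatched = sorted(a_ips ^ b_ips)           # symmetric difference
        if not a_ips or not b_ips:
            match, reason = False, "host missing from one lookup"
        elif len(b_ips) != 1:
            match, reason = False, f"lookup B has {len(b_ips)} IPs for this host"
        elif b_ips <= a_ips:
            match, reason = True, "single IP in lookup B is present in lookup A"
        else:
            match, reason = False, "IP in lookup B not present in lookup A"
        result[host] = {"match": match, "reason": reason, "unmatched_ips": unmatched}
    return result


if __name__ == "__main__":
    for host, verdict in compare_lookups(LOOKUP_A, LOOKUP_B).items():
        print(host, verdict)
```

With the sample data this yields Host A matched (10.10.10.2 is the only IP not shared) and Host B not matched because lookup B carries two IPs for it, which is the outcome the question asks for.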
Hi @AL3Z, don't use quotes:

blacklist5 = \<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)

Ciao. Giuseppe
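Added example, not part of the thread: a small Python harness that runs the blacklist regex posted above over constructed XML-rendered Windows events before anyone edits inputs.conf and restarts a forwarder. The sample events, their single-line layout, and the use of Python's re module as a stand-in for the forwarder's regex engine are assumptions. It also shows a caveat worth checking for any blacklist built with alternation: in the posted pattern the `|` splits the whole expression, so the Tanium branch matches on its own, without the `<EventID>4688</EventID>` prefix; wrapping the two paths in a non-capturing group makes both branches require the event ID.

```python
import re

# Regex exactly as posted in the thread (inputs.conf blacklist syntax, PCRE-style escapes).
POSTED = (
    r"\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*"
    r"(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)"
    r"|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"
)

# Same two paths, but the alternation is grouped so the EventID 4688 prefix applies to both,
# and the path must be followed by </Data> so it matches the whole NewProcessName value.
GROUPED = (
    r"<EventID>4688</EventID>.*<Data Name='NewProcessName'>"
    r"(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe"
    r"|C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)</Data>"
)


def xml_event(event_id, new_process_name):
    """Constructed single-line XML event (assumed to resemble renderXml=true output)."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        f"<System><EventID>{event_id}</EventID><Channel>Security</Channel></System>"
        "<EventData><Data Name='SubjectUserSid'>S-1-5-18</Data>"
        f"<Data Name='NewProcessName'>{new_process_name}</Data>"
        "<Data Name='CommandLine'></Data></EventData></Event>"
    )


# Constructed sample events: two that should be dropped, one with the wrong event ID, one unrelated.
SAMPLES = {
    "mssense_4688": xml_event(4688, r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"),
    "tanium_4688": xml_event(4688, r"C:\Program Files (x86)\Tanium\Tanium Client\TaniumCX.exe"),
    "tanium_4689": xml_event(4689, r"C:\Program Files (x86)\Tanium\Tanium Client\TaniumCX.exe"),
    "other_4688": xml_event(4688, r"C:\Windows\System32\cmd.exe"),
}


def is_blacklisted(pattern, event):
    """True when the blacklist regex matches anywhere in the event (search, not full match)."""
    return re.search(pattern, event) is not None


def evaluate(pattern):
    """Map each sample name to whether the pattern would drop it."""
    return {name: is_blacklisted(pattern, event) for name, event in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("grouped", GROUPED)):
        print(label, evaluate(pattern))
```

The practical consequence of the ungrouped pattern is silent over-filtering: every event whose payload contains the Tanium path, including process-exit (4689) events or anything else that echoes the path, is dropped at the forwarder and never reaches the index, where the gap is hard to notice. Testing the pattern against a handful of representative events, as above, catches that before deployment.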
Hi All, we are a Splunk Cloud customer having ES. Is there a way to fetch the ISP and domain info for an IP address directly in the Splunk results? I have looked at this post: https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-query-whois-by-ip/m-p/316975 but the Domain Tools add-on requires a paid subscription. Alternatively, I know that we can set up a workflow to perform a whois lookup via a right-click implementation, but that is again a manual task and it ends up redirecting us to the whois website. I am looking for something open source that can fetch me the ISP and domain for an IP address easily. Any thoughts or suggestions? Any ES users, how do you accomplish this?
Hi @kyoshiike, if you don't know SPL, follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial) that helps you to understand how to search in Splunk. In the community there are many answers (also from me) listing all the free trainings that you can follow to use SPL. Ciao. Giuseppe
Hi @yuanliu, noted on that. Thank you for your assistance on this. It's really helpful
Nope, I have added $xmlRegex followed by your regex. Is this the right one as you mentioned in regex101? If not, please correct it:

blacklist5 = EventCode="4688" Message="\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"

Thanks
Folks, I'm new to the SPL world. Please advise the right direction to learn Splunk search.

Environment: proxy log search
Situation: Some clients sent massive HTTP requests in a small period of time to various destinations. (I doubt these clients are infected by malware.)

How can I find these clients by Splunk search with proxy or firewall logs? The transaction command will help to find how many sessions were generated by a single IP, but I don't know the next steps.
It's not 4662 it's 4688.  
Hi @AL3Z, this regex seems to not work. Did you try the one I shared (that works on regex101)? Ciao. Giuseppe
@gcusello Is this the right format to apply it?

blacklist5 = EventCode="4688" $XmlRegex=" \<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)"

Thanks..
Hi, I am new to Observability. I am looking for the steps to integrate Splunk Observability Cloud with an SMTP server for email notifications. I have looked in the documentation but could not find any specific topic as we have in the Splunk docs for Splunk Enterprise/Cloud. Please help. Rgds\Uday
Hi @Tejkumar451, as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/Updating/Configuredeploymentclients , you have to run a CLI command:

splunk set deploy-poll <IP_address/hostname>:<management_port>

or manually modify the file deploymentclient.conf to address your Deployment Server. My hint is to create an Add-On, called e.g. TA_Forwarders, containing at least two files: deploymentclient.conf, to address the Deployment Server, and outputs.conf, to address the Indexers. In this way you can dynamically manage any change of DS. Ciao. Giuseppe
Hi @AL3Z, as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Inputsconf , blacklist uses a regex, so if in your logs there isn't the exact string EventCode="4662" with equals sign and quotes, the filter doesn't work. Use regex101 (as I did in my first answer) to find the regex to filter your logs. Ciao. Giuseppe
Hi @shai, this means that your index isn't in the default search path for your role [Settings > Roles > your_role > Indexes]. Anyway, it's always a best practice to use the index filter in every search, trying to limit the indexes to only the ones where the logs to search are stored: this approach reduces the search time. Ciao. Giuseppe