All Posts

Hello! I'm working on setting up the integration between Splunk SOAR and Splunk using the Splunk App for SOAR Export. I was able to configure my SOAR server in the app and verify connectivity, but I'm running into errors when trying to use the alert action associated with the app. When using the "Send to SOAR" alert action, I receive "Alert script returned error code 5" in the logs. I wasn't able to find any information regarding this error code so I'm not sure what could be causing it. Any help would be appreciated, thank you!
If you have a support entitlement, you can submit a ticket with Splunk Support.
Onboarding of data is completely under your control even in Splunk Cloud. To send the data to an events index, change the index name in inputs.conf to one that is for events. Note that there are two types of indexes: event indexes and metrics indexes. Event indexes are the traditional type and can hold any text data. Metrics indexes are relatively new and are designed to hold metrics data in a specific format for faster processing. A metrics index cannot store events, nor can it store data that is not properly formatted. Changing the format of the data depends on the source of that data. You may have to work with the data engineer to get the data formatted such that it can be stored in a metrics index.
BIG-IP uses syslog-ng, so the easiest approach would probably be to reconfigure it to send events to a remote destination. Then receive and ingest as you'd do with any other syslog source (with rsyslog, plain syslog-ng or SC4S; I wouldn't advise using the built-in network port input). See for example https://my.f5.com/manage/s/article/K13080
Hey Community, We have 2 BIG-IP load balancer VMs and need to have the OS logs (like audit.d) forwarded to Splunk. So, this is not about the F5 application logs themselves, but the OS logs from the underlying system. Is there a way to do this? We much appreciate your support.
@richgalloway I'm working on Splunk Cloud. How can we correct the event format or send the data to an events index?
Hi @richgalloway, At the moment, a few days later, 3 out of 4 CloudFront IPs are still serving an expired certificate. Leaving aside for the moment that I feel it's a bad look for a security platform to let its TLS certificate expire, whom can I contact about this without resorting to speaking to a sales person? There seems to be no tech support page on splunk.com that doesn't link to sales. Kind regards, Toon
I have time series data like this:

_time
digital_value: can be either 0.1 or 1 (see Note)
analog_value: can be 0, 100, 500, 1000, 5000, 10000

Note) It's actually 0 or 1, but 0 doesn't show in a bar graph.

I want to plot this data in a diagram like this:

X axis = _time
digital_value=0.1 as a red bar
digital_value=1 as a green bar
analog_value as an overlaid line graph, with log scale Y axis

To colorize digital_value, I understand I must split it into two series, like this:

| eval digital_value_red = if(digital_value=0.1, 0.1, null())
| eval digital_value_green = if(digital_value=1, 1, null())
| fields - digital_value

However, this creates two bars per data point, where only the non-null one is shown and the other one leaves a gap. That way, I don't have equally spaced bars along the X axis any more. See this example:

So, stacked bars? Yes, but that doesn't work with a log scale Y axis for the overlaid line graph. So, calculate log(analog_value) and plot that on a linear Y axis? While that produces a proper visual, you can't read the value of analog_value any more (only its log).

Any ideas how I can achieve a colorized bar graph + log scale overlay?
The error message seems plain enough. There is data going into a metrics index that is not formatted properly for that index type. Either correct the event format or send the data to an events index.
You can add the token name and value to the URL you define in your drilldown for the charts, then use this token in the dashboard. When you use tokens, you will notice that the URL address in your browser will change to include any tokens which have been defined; you can use this as a guide to the format you need for your drilldown URL.
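As an added example (not code from the original posts), here is what that looks like in Simple XML. The app name `search`, the target dashboard ID `index_detail` and the token name `index_value` are assumed; the point is that a drilldown link can carry `form.<token>=<value>` and the target dashboard's input with that token name picks the value up from the URL.

```xml
<!-- Added example, not from the original posts. Source dashboard: one pie chart per index.
     App "search", target dashboard "index_detail" and token "index_value" are assumed names. -->
<dashboard>
  <label>Index overview</label>
  <row>
    <panel>
      <title>standard</title>
      <chart>
        <search>
          <query>index=standard | stats count by sourcetype</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <drilldown>
          <!-- Fixed value: any click on this panel opens the target with index_value=standard.
               The same panel repeated for "console" and "aws" only changes this literal. -->
          <link target="_blank">/app/search/index_detail?form.index_value=standard</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
```

The target dashboard is a separate Simple XML file; its dropdown must use the same token name as the `form.` parameter in the link, so `form.index_value=standard` preselects that choice:

```xml
<!-- Added example, not from the original posts. Target dashboard "index_detail" (assumed name). -->
<form>
  <label>Index detail</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="index_value">
      <label>Index</label>
      <choice value="standard">standard</choice>
      <choice value="console">console</choice>
      <choice value="aws">aws</choice>
      <default>standard</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The dropdown token drives the search, so the value passed in the URL scopes the panel -->
          <query>index=$index_value$ | stats count by sourcetype</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If the clicked value itself should travel instead of a fixed literal (for example when a single pie chart is split by index), use `$click.value$` in the link; values that may contain spaces or reserved characters should be passed as `$click.value|u$` so they are URL-encoded before being put into the query string.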
Hi @ITWhisperer , Here it seems that transpose was not the good approach. Your solution is working as expected. Many thanks, Emile
Hi Splunkers, I have a dropdown for index_value with console, standard and aws as options, and also separate pie charts for standard, console and aws. When we click the pie chart for any one of these 3, it takes us to another dashboard. There, I need the index_value of the drilldown in the new dashboard to be set to standard if we selected the standard pie chart, and the same for the other two selections. Thanks in Advance, Manoj Kumar S
@Arty yes, but it depends how you want to send. E.g. the SSH App does have the ability to send files. I suspect there are other apps that can too, but you would need to check the actions list on Splunkbase, or if you have access to a SOAR platform you can type the action name in the top-left search field, such as "put file", and then select `apps` and it will show you apps with the action. I saw SSH/HTTP/Windows when I checked, so there should be plenty of options.
Try to get error failures from the live integration and create a Splunk alert for every 5 consecutive alerts.
@Arty there is a VSCode extension: https://splunk.github.io/vscode-extension-splunk-soar/  This allows you to connect to your instance and download, upload, edit and test apps from VSCode.    -- Hope this helps! If so please mark as a solution for others! Happy SOARing! --
Hi Team,   Is it possible to automate the entity creation in Splunk ITSI from CMDB? Currently, we are creating entities manually and adding the required fields and values in order to map the service.   Regards, Dayananda
I went to the AppDynamics download portal but there is nothing like an Enterprise Console or Controller product.
| timechart span=1mon sum(cisco_*) as cisco_* | rename cisco_* as * | rename stoppedbyreputation as reputation | untable _time name count | fields - _time | eventstats sum(count) as total | eval percentage=round(100*count/total,2) | fields - total
Hello,

To achieve this, you can iterate through your events, calculate the SHA256 hash for each event, and then construct a new JSON object. The resulting JSON will have SHA256 hashes as keys, each associated with the original event. Here's an example implementation in Python:

import json
import hashlib

# Your list of events in JSON format
events = [
    {"key1": "val1", "key2": "val2"},
    {"key1": "val1a", "key2": "val2a"},
    # Add more events as needed
]

# Function to calculate the SHA256 hash for a given event
def calculate_sha256(event):
    # sort_keys=True gives a canonical serialization, so the same event
    # always produces the same hash regardless of key order
    event_json = json.dumps(event, sort_keys=True)
    sha256_hash = hashlib.sha256(event_json.encode()).hexdigest()
    return sha256_hash

# Construct the new JSON object with SHA256 hashes as keys
new_json = {}
for event in events:
    sha256_key = calculate_sha256(event)
    new_json[sha256_key] = event

# Print the result
print(json.dumps(new_json, indent=2))

This script defines a function (calculate_sha256) to calculate the SHA256 hash for a given event and then constructs the new JSON object (new_json) as per your requirements. You can check this: https://stackoverflow.com/questions/76263284/how-to-convert-event-object-to-json I hope this will help you.
The result without the transpose looks like:

reputation   rep_perc   spam      spam_perc   virus   virus_perc
740284221    82.46      9695175   1.08        700     0.000078

I would like to include this table in a glass table, but as it is formatted here it takes up too much space.