All Posts

Hi Team, I used two timepickers to set the time for the two panels. Tokens used are CurrentTime and ComparedTime. I want the difference generated for the two panels that run on each timepicker in a third panel or anywhere.
Hi @SplunkExplorer, in this case for the intermediate part that I added, you should try "+" instead of "*", which means that if this part isn't present the url must not be matched:
\]\sA\s+(.*)microsoft(\(\d+\))(\d+\(\d+\))+(com|net|us)(\(\d+\))\s
as you can test at https://regex101.com/r/9mZoCU/4
Ciao. Giuseppe
Hi Community, I have created a dashboard having two panels. The query used in both panels is the same, except that each panel runs at a different timeframe. The timeframe is sent based on the Time input for each panel. The token is then set for each panel (current time, compared time). I want a third panel to have the difference of the output generated in the first two panels. Can someone guide me?
I fear I explained myself in a bad way Giuseppe, sorry. Our purpose is to filter out only the case when the domain you can find in parentheses has a "proper" form. For example:
microsoft.com
azure.net
office.us
Those domains for us are admitted ones, so we don't need to see them on the SIEM and we want to avoid that the UF sends logs with them to Splunk Cloud. On the other side, if the domain is "strange", like:
microsoft.123.com
azure-pirate.com
office.tryhackme.us
we want to be alerted and so, in this scenario, logs must be sent to Splunk.
Now, based on this, if you see the regex I shared with you, the normal behavior should be:
Case 1: regex matched -> logs NOT sent to Splunk
Case 2: regex NOT matched -> logs MUST be sent to Splunk.
So, what's the problem? The logs for case 1 have been sent to Splunk, even if they match the regex and so should be discarded. In other words: the log of "Regex Matched" contains "microsoft.com", matches the regex, should be discarded, but it has been sent anyway to Splunk.
Hello everyone. I'm currently working on a lab assignment and I'm having trouble understanding the meaning of two specific fields in PowerShell log hunting. Could someone please explain these two fields to me? I would greatly appreciate it. Thank you.
I want to know if there is any provision for NON-PROFIT organizations in cybersecurity to use Splunk as a part of real-world lab training, related educational training, and on-the-job training. Our program is an apprenticeship one certified by DOL and approved to train IT Specialist I and Cybersecurity Defense Analyst. https://each1teach1.us Our challenge is getting all the tools needed to make our apprentices' time worth it.
Hey @gcusello @inventsekar @PickleRick ++ @Dhivakarpn adding environment information. Indexer version 9.x. This is in Amazon Linux 2023 https://github.com/amazonlinux/amazon-linux-2023, kernel version 6.1. As per our understanding, UF 9.0.1 can support up to kernel 5.x. This Amazon Linux 3 is running with kernel version 6.1. We would like to know: is this configuration supported? Or are there any issues reported with the latest kernel?
Can you provide an example of what that would look like?
Hi, can you check /var/log/syslog on your Ubuntu instance and see if there are errors reported?
After performing the query
base search | nomv FieldB | nomv FieldC| nomv FieldD | stats count values(*) as * by FieldA | foreach FieldB,FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>,"")]
my result table is like below:
field A count Field c Field D Field E Field F
abc.com 2 a b A B abc.com bcf.com def.com sub1 sub 2 sub 3
def.com 4 A B A B bcc.com xyz.com sub 5 sub 6 sub 6
efg.com 6 B A A B jhg.com abc.com ghj.com sub 4 sub 7 sub 8
I want to ask: is there any way/operation that I can perform on field E and field F so that they give a unique combination value rather than a multivalue field? Prior to performing the count operation in the query, Field E and F are unique, but after count they become multivalue, which in a later stage I want to take back to their prior state, such that fields A, B, C, D remain the same but Fields E & F are divided further into rows on the basis of the unique combination of values of field E & F (but the parent unique combination of A, B, C, D remains the same).
Hi @st1, the logic of your search isn't so clear to me. Anyway, if you want to have as results only the events in the last 24 hours, you can run (not changing your search!):
index=cisco sourcetype=cisco:wlc snmpTrapOID_0="CISCO-LWAPP-AP-MIB::ciscoLwappApRogueDetected" | rename cLApName_0 as "HQ AP" | dedup "HQ AP" | stats list(*) as * by _time | where _time>now()-86400 | table _time, "HQ AP", RogueApMacAddress
Ciao. Giuseppe
I have the following search:
index=cisco sourcetype=cisco:wlc snmpTrapOID_0="CISCO-LWAPP-AP-MIB::ciscoLwappApRogueDetected" |rename cLApName_0 as "HQ AP" |dedup "HQ AP" |stats list(*) as * by "_time" |table _time, "HQ AP", RogueApMacAddress
Example results:
_time HQ AP RogueAPMacAddress
2023-10-05 12:56:41 flr1-ap-5198-AP05 6e:e8:e9:cd:40:10
2023-10-06 04:09:29 flr1-ap-51c4 da:55:b8:8:db:b8
2023-10-06 08:42:14 flr1-ap-514E_AP07 84:fd:d1:fa:a7:3f
2023-10-06 08:53:12 flr1-ap-518C-B92 0:25:0:ff:94:73
2023-10-06 09:20:22 flr2-ap-51CA 28:24:ff:fd:a6:c0
2023-10-06 09:30:58 flr1-ap-51C2 flr2-ap-463C-AP02 32:b:61:48:a3:c3
2023-10-07 04:09:29 flr1-ap-444x-B11 da:55:b8:8:db:b8
2023-10-07 08:53:12 flr1-ap-69x4 0:25:0:ff:94:73
The search is showing access points in our office that have detected unauthorized access points. I have my search look at the last 24 hours. I only want to filter for RogueApMacAddresses that have been present/detected for over 24 hours. In this example, both the red and blue events have been there for over the last 24 hours. How can I alert on just those events and disregard the rest? Thanks for any help.
I am taking the free GDI training on Splunk Cloud observability. Installed an Ubuntu VM on my Windows laptop and everything went ok after the initial configuration. Saw my hostname and metrics once. It happened yesterday (10/05/2023) around 22:00 Hrs EST. This morning I am not seeing any active communication. Rebooted my VM. Seeing the process running in the VM, but not seeing any active charts in https://app.us1.signalfx.com/#/infra?endTime=now&startTime=-3h. Am I missing anything? How do I troubleshoot this communication issue?
Thanks! Your provided answer worked. Additionally, explaining for others coming here:
| nomv FieldB -- multivalue command to convert a multivalued field to a single-value field
| nomv FieldC
| nomv FieldD
| stats count values(*) as * by FieldA -- to get the count of field values
| foreach FieldB FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>," ")] -- for every MV field converted to a single-value field, converting them back to multivalue fields
Old format, no XML
Do you ingest events as "old format" or XML? With XML events you have to do it differently. https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf
* $XmlRegex: Use this key for filtering when you render Windows Event log events in XML by setting the 'renderXml' setting to "true". Search the online documentation for "Filter data in XML format with the XmlRegex key" for details.
Hi @SplunkExplorer, there's a difference in the two logs that you have to manage: in the not matching log there's "123(3)" between microsoft and com. Please try this regex:
\]\sA\s+(.*)(microsoft|office|azure|o365|onenote|outlook|windowsupdate)(\(\d+\))(\d+\(\d+\))*(com|net|us)(\(\d+\))\s
that you can test at https://regex101.com/r/9mZoCU/3
Ciao. Giuseppe
Hi Giuseppe, below is the link to regex101 with the used regex and a log that matches it: Matching regex
Here the same thing but with a little change to the log that makes it not match the regex, as expected: Not matching regex
Another idea is my use of capturing groups; should I use them in another way?
Hi @SplunkExplorer, could you share a sample of your logs (some to filter and some not to filter)? Anyway, after the equals sign you don't need quotes or anything else. Ciao. Giuseppe
Hi Splunkers, I have a problem with a blacklist filter. On the customer's UF, we filtered out some events by changing the inputs.conf file. The ones based on a comma-separated list, like Windows EventID, are working fine with no problem, while the one based on a regex is not. Of course, as a first thing, I checked the regex syntax and I can confirm it works fine; testing it on regex101, it matches perfectly what I want. Tests have been done with different source logs, to be sure of fully proper working. This is how we placed the regex on the UF:
[<stanza name>]
...other parameters...
blacklist = \]\sA\s+(.*)(microsoft|office|azure|o365|onenote|outlook|windowsupdate)(\(\d+\))(com|net|us)(\(\d+\))\s
This filter must be applied to logs coming from Windows DNS; its purpose is to avoid ingestion of legit domains, in all their combinations, but only if they have a "normal" form. In the regex you can see I put a filter about (<number>), because in the raw log we have domains in the format main_domain(<number>)root_domain, like microsoft(3)net. For example, microsoft(2)com and microsoft(3)net match the regex and should be filtered out, while microsoft(9)123(5)com does not and should be sent to Splunk. My assumption is that I missed some delimiter after the equals symbol; I mean, should I put the regex code between any kind of symbols? Something like regex = '<regex code>' or regex = "<regex code>" etcetera.