Moh, Please email the POC provided in the "Contact" tab of the splunkbase listing: https://splunkbase.splunk.com/app/5222
Currently, the Oracle Cloud Infrastructure (OCI) Logging Addon needs to be installed on a Linux-based instance; a Windows client will result in the schema error.
I am having an issue with Splunk version 9.0.4.1: it is not giving me the correct amount of license usage for my Splunk instance. All the data appears as required; however, the license usage is not being defined, giving us unlimited usage.
All, I am having this issue with my Splunk env. I keep getting "ingestion_latency_gap_multiplier has exceeded configured value". It is saying it is an issue with my indexers. Any information would help. I am running version 9.0.4.1.
Hi team, does anyone have the solution? I have updated to the latest version, 9.1.1, and guess what? It has the same error: Indicator 'ingestion_latency_gap_multiplier' exceeded configured value. Anyone with a solution?
@gcusello SPL used:

index=test
| rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser
| strcat "Outcome Reason: " outcome.reason ", Outcome Result: " outcome.result Outcome_Details
| strcat "Source Country: " src_country ", Source State: " src_state Src_Details
| eval period=if(_time>now()-86400,"Last 24 hours","Previous")
| eventstats dc(period) AS period_count BY src_ip user
| stats count values(period_count) AS period_count min(_time) as firstTime max(_time) as lastTime by src_ip user Signature Threat_Description Client_Device eventType Src_Details Src_City Outcome_Details User_Agent Client_Browser outcome.reason
@gcusello For all the results I am getting period_count=1, whereas only a few IPs are used by my user="*@xyz.com*" in the last 30 days. I want to particularly filter whether the IPs were used by user="*@xyz.com*".
This did it. Thank you for all your help @Anonymous !!
The first dc() needs eval() as the main function:

index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=now()
| stats dc(eval(if(_time < relative_time(now(), "-1h"), dest_location . "-" . dest_ip, null()))) as oldconnections dc(eval(dest_location . "-" . dest_ip)) as allconnections by src_ip

For some reason Splunk doesn't print a warning about this, perhaps assuming that all terms are strings unless the expression begins with eval.
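As an added illustration that is not part of the thread, the same aggregation emulated in Python over a few constructed events. It relies on the two semantics the answer above depends on: eval(if(cond, x, null())) yields null when the condition is false, and dc() ignores nulls. The event values, the fixed now(), and the extra newconnections field are assumptions made for the example.

```python
"""Emulate  stats dc(eval(if(...))) as oldconnections dc(eval(...)) as allconnections by src_ip.

Added example, not code from the original post. Events are constructed and NOW is
pinned so the result is reproducible (assumption: epoch seconds like Splunk's _time).
"""
from collections import defaultdict

NOW = 1_700_000_000   # fixed stand-in for now()
HOUR = 3600

# Constructed sample events spanning the earliest=-24h latest=now() window.
EVENTS = [
    {"_time": NOW - 5 * HOUR,  "src_ip": "10.0.0.5", "dest_location": "us-east", "dest_ip": "203.0.113.10"},
    {"_time": NOW - 3 * HOUR,  "src_ip": "10.0.0.5", "dest_location": "us-east", "dest_ip": "203.0.113.10"},  # repeat of the same key
    {"_time": NOW - 20 * 60,   "src_ip": "10.0.0.5", "dest_location": "eu-west", "dest_ip": "198.51.100.7"},  # first seen in the last hour
    {"_time": NOW - 10 * HOUR, "src_ip": "10.0.0.9", "dest_location": "us-west", "dest_ip": "192.0.2.44"},
    {"_time": NOW - 30 * 60,   "src_ip": "10.0.0.9", "dest_location": "us-west", "dest_ip": "192.0.2.44"},    # seen before, so not new
]


def connection_key(event):
    """eval(dest_location . "-" . dest_ip)"""
    return f"{event['dest_location']}-{event['dest_ip']}"


def old_connection_key(event, now=NOW):
    """eval(if(_time < relative_time(now(), "-1h"), dest_location . "-" . dest_ip, null()))

    Returns None where SPL would return null(); dc() skips those.
    """
    return connection_key(event) if event["_time"] < now - HOUR else None


def stats_by_src_ip(events, now=NOW):
    """Distinct counts per src_ip, plus the set difference a practitioner actually wants."""
    old = defaultdict(set)
    every = defaultdict(set)
    for e in events:
        src = e["src_ip"]
        every[src].add(connection_key(e))
        key = old_connection_key(e, now)
        if key is not None:        # dc() ignores null values
            old[src].add(key)
    return {
        src: {
            "oldconnections": len(old[src]),
            "allconnections": len(every[src]),
            # Added field (not in the post): destinations that only appeared in the last hour.
            "newconnections": sorted(every[src] - old[src]),
        }
        for src in every
    }


if __name__ == "__main__":
    for src, row in stats_by_src_ip(EVENTS).items():
        print(src, row)
```

Because a distinct count cannot tell you which destination is new, the emulation also keeps the sets and reports the difference; in SPL the equivalent would be a values(eval(...)) alongside the dc().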
For efficiency reasons, WILDCARD(searched_for) only supports a wildcard after some initial fixed characters, like splunk*, spl*nk, etc. If you have a table

keyword,classification
splunk*,test classification
spl*nk,test classification 2

with WILDCARD(keyword) in the lookup definition and test the following keywords

splunk, splonk, splunky, splash wonk, splunkie, splunked, splonking

you'll get these:

searched_for  | classification
splunk        | test classification, test classification 2
splonk        | test classification 2
splunky       | test classification
splash wonk   | test classification 2
splunkie      | test classification
splunked      | test classification
splonking     |

Here is the emulation for the above:

| makeresults
| eval searched_for = mvappend("splunk", "splonk", "splunky", "splash wonk", "splunkie", "splunked", "splonking")
| mvexpand searched_for
| lookup keywords.csv keyword AS searched_for OUTPUT classification
| table searched_for classification

Hope this helps.
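The table above can be reproduced offline. The following is an added example, not code from the thread or from Splunk: it emulates a CSV lookup whose definition uses match_type WILDCARD(keyword), using the same two lookup rows and the same seven test values as the answer. The matching rules it assumes are that '*' matches any run of characters, the whole value must match, matching is case-insensitive, and every matching row contributes to a multivalue classification.

```python
"""Emulate a Splunk CSV lookup with match_type = WILDCARD(keyword).

Added example, not from the original post. Lookup rows and test queries mirror
the thread; the matching semantics are assumptions stated in the lead-in.
"""
import csv
import io
import re

# Constructed keywords.csv, as in the thread.
KEYWORDS_CSV = """keyword,classification
splunk*,test classification
spl*nk,test classification 2
"""

SEARCHED_FOR = ["splunk", "splonk", "splunky", "splash wonk",
                "splunkie", "splunked", "splonking"]


def parse_lookup(csv_text):
    """Read the CSV into a list of row dicts, like inputlookup would."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def wildcard_to_regex(pattern):
    """Compile a WILDCARD pattern: only '*' is special, everything else is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


def wildcard_lookup(rows, key_field, value, output_field):
    """Return output values from every row whose key pattern fully matches value."""
    return [row[output_field] for row in rows
            if wildcard_to_regex(row[key_field]).fullmatch(value)]


def classify(values, csv_text=KEYWORDS_CSV):
    """Equivalent of  | lookup keywords.csv keyword AS searched_for OUTPUT classification."""
    rows = parse_lookup(csv_text)
    return {v: wildcard_lookup(rows, "keyword", v, "classification") for v in values}


if __name__ == "__main__":
    for value, classification in classify(SEARCHED_FOR).items():
        print(f"{value:12} | {', '.join(classification)}")
```

A row whose classification list comes back empty is what the later `| search classification=*` filter drops, so the emulation also shows which queries would survive that filter.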
Thank you this worked and did what I needed
Try this transform:

[extract_host]
REGEX = Host:\s\w+\d+\s+(\w+)
FORMAT = newhostname::$1
Hi! We are facing the same issue, both on versions 8.2.9 and version 8.2.12. We did not find a solution yet, but raised a support ticket.
Hi everyone,

I've seen a few posts on here and elsewhere that seem to detail the same issue I'm having, but none of the solutions do the trick for me. Any help is appreciated.

The goal is to flag users whose search engine queries (field name searched_for) contain words stored in a lookup table. Because those words could occur anywhere in the search query, wildcard matching is needed.

I have a lookup table called keywords.csv. It contains two columns:

keyword,classification
splunk,test classification

The first use of the lookup works as it should, showing only events with a keyword match anywhere in searched_for:

| search [| inputlookup keywords.csv | eval searched_for="*".keyword."*" | fields searched_for | format]

The next step is to enrich the remaining events with the classification, and then filter out all events without a classification, as such:

| lookup keywords.csv keyword AS searched_for OUTPUT classification
| search classification=*

The problem is the above SPL only enriches events in which the keyword exactly matches searched_for. If I search in Google for "splunk", the events are enriched; if I search for "word splunk word", the event is not enriched. Is there a way around this without using | lookup? Or am I doing something wrong here? I'm out of ideas. I've tried:

- Prepending and appending * to the keyword in the lookup table (*splunk*)
- Adding a lookup definition with match type WILDCARD(searched_for)
- Thought maybe the issue is due to searched_for being an evaluated field, so I changed the match type and SPL to the field "url". It is coming straight from the logs and contains the search query string. Still get no enrichment.
- Deleted and re-created the lookup, definition, and match type.
I will give this a shot to see what I get. thx
I tried the following and all values for the oldconnections field are coming up as 0, which I'm assuming is due to the if statement returning null for each event.

index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=now()
| stats dc(if(_time < relative_time(now(), "-1h"), eval(dest_location. "-" .dest_ip), null())) as oldconnections dc(eval(dest_location. "-" .dest_ip)) as allconnections by src_ip
Hi @Giridhar.Nadipally, looks like we have some content in the Knowledge Base that might help. Please check it out: https://community.appdynamics.com/t5/forums/searchpage/tab/message?filter=location&q=%22ABAP%22&noSynonym=false&inactive=false&location=category:Resources&collapse_discussion=true Also check out the AppD Docs.
Hi @Jeffrey.Leedy, I see you created a ticket, can you please share the learnings here as a reply, thanks!
Hi @AL3Z, please try:

Blacklist1 = message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"

or

Blacklist1 = C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\(MsSense|SenseCM|SenseIR)\.exe

Ciao.
Giuseppe
Do we need to put this inside double quotes? Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"