Hello @gcusello, We are currently working on a script to verify the existence of various tools, including Tanium, Forescout, Akamai, and Splunk Forwarder, on all the machines.
Hi @aleccese -- Looks like this question has gained a lot of interest, but it is originally from 2021. Could you please post this issue as a new question to gain more visibility?
Thanks!
-Kara
Splunk Community Manager
Greetings, I have a search that lists every index and what sourcetypes are contained within it.
|tstats values(sourcetype) where index=* by index
What I like about it is that I can see each index and a list of all of the sourcetypes specific to that index. I'm trying to see this same data format but with a column of the indexes and a column of all of the fields that index contains. I'm working on adding indexes to an app that already lists what fields it needs but doesn't know what index they are associated with. So I have something like hash value fields md5 and MD5. They are different because of the source they come from, but I need to find the index they live in to add it. I also think it would just be useful for audit purposes, so expected fields can be confirmed at a glance. Please let me know if you have any questions. Thank you!
Best,
Brian
Hi @dc17! Kara here, Splunk Community Manager. Thanks for following up on this question from 2020, but I recommend posting it as a brand new question so that it can get more visibility. Cheers!
I'm looking to use the following as my timestamp. What should I use in props as my timestamp format and timestamp prefix? [20230718:001541.421] : [WARN ]
Hello All,
I'm having an issue where my license has stopped showing that any data is getting ingested. The data is still coming in and everything looks to be good, but the license is showing that no data is getting ingested, even though it is. Does anyone have a solution or has anyone ever run into this problem?
I have the following search that works but I'm trying to display more information in the search results.
I have a watchlist lookup. I use that to search notable events so that I can alert on a user or asset that is part of a new notable. I'm trying to figure out how to display the new notable in the results.
| inputlookup user_watchlist | search _key=* | rename _key as user | table user asset | dedup user asset | eval flag="no" | join type=left user asset [ search index=notable | where isnotnull(src) | table src user _time | mvexpand src | mvexpand user | dedup src user | eval user=mvindex(split(user,"@"),0) | eval flag="yes" | rename src as asset | eval asset=lower(asset)] | where flag="yes"
So my first SPL, it gets me the URLs I'm looking for but doesn't list the URLs (in the lookup) that don't get any results. The parenthesis "(in the lookup)" is key here. My first reading of "only counting the matches, i need the URLs that don't exist to count 0" took it to mean URLs in the index that didn't have a match. This new description makes perfect sense. And your search is more efficient.
index="web_index"
[| inputlookup URLs.csv
| fields kurl
| rename kurl as url]
| stats count by url
| append
[| inputlookup URLs.csv
| fields kurl
| rename kurl AS url]
| stats sum(count) as count by url
| fillnull count ``` or you can omit this and leave nonexistent to show null ```
Alternatively, you can do
index="web_index"
[| inputlookup URLs.csv
| fields kurl
| rename kurl as url]
| append
[| inputlookup URLs.csv
| fields kurl
| rename kurl AS url]
| eval match = if(isnull(_raw), 0, 1) ``` rows appended from the lookup carry no _raw, so they count as 0 ```
| stats sum(match) as count by url
Hi @gcusello I am using "Splunk Add-on for Check Point Log Exporter" from https://splunkbase.splunk.com/app/5478. I installed this on the Splunk SH and renamed the sourcetype on the Splunk HF to "cp_log:syslog" as per the add-on.
Hello Splunkers,
I need some help with writing an SPL. I have a field called "DcPolicyAction" where the value could be 0 or 1. If it's 0 I want to basically call it Successful, and if it's 1 it is Failure. Can someone help me with the SPL syntax? I don't want to use the stats command. Just a simple query that lists the field.
Thank you,
regards,
Moh.
Hi @willsy , I know this is an old topic but did you find any solution for this? I have to send data in XML to a third party and maintain the data flow to Splunk indexers. Is it possible to separate the "renderXML=true" command and "renderXML=false" in some way? Thank you,
Hi, I came across a guide on the official Tufin website detailing the integration between Tufin and SOAR Phantom: https://extensions.tufin.com/details/tufin-splunk-phantom-integration This integration offers a range of actions, including the capability to block domains. However, when I checked the Splunk App Store, the available Tufin app seems to have a limited set of actions and does not include the ability to block IPs or domains: https://splunkbase.splunk.com/app/5859 Does anyone have this app and would be willing to share it? Or if you have developed something similar in the past, could you share some tips? Thanks
Rich, Ok, this is it. Thank you. LOL. Some of this is simple when you see/get it, but SPL's versatility sometimes makes simple things opaque/unobvious to me. @gcusello Hi Giuseppe, Thank you for your responses as well. Yeah, it is the second one, but I guess I was unsure whether it is better to do this as a lookup, based on the number of potential renames, or whether it is less effort to just define the conditions to trigger the rename based on the results from the stats output, since it isn't always the case that a specific interface value will populate. But coming back to the original question, I have clarity on how to proceed given Rich's response.
| eval Device_Interface=case(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX","This String",Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY","This Other String",true(),Device_Interface)