All Posts

Please, is it possible to create a tag for a group of IP addresses? I need to do a search on a group of servers.
I want to essentially trigger an alarm if a user changes the password of multiple distinct user accounts within a given period of time. I was able to start with the search below, which provides me a count of distinct user account changes grouped by the source user. When I try to apply threshold logic to it, it doesn't appear to work.

source="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | stats count(Target_Account_Name) by Subject_Account_Name
Hi, I cross the results of a subsearch with a main search like this:

index=toto [inputlookup test.csv |eval user=Domain."\\"Sam |table user] |table _time user

Imagine I need to add a new lookup in my search. For example, I would try to do something like this:

index=toto [inputlookup test.csv OR inputlookup test2.csv |eval user=Domain."\\"Sam |table user] |table _time user

How to do this, please?
Hi @anooshac, it's the same thing:

| rex field=your_field "^\w:\\\w+\\\w+\\\w+\\\w+(?<filename>.*)"

Ciao. Giuseppe
Hi @gcusello, thanks for the response. I don't want to extract the first 4 folders; I want to skip them and extract the rest of the path. I was finding it hard to write a regex. How can I do this?
It's possible no events have the expected fileName value during the selected time range.  Try removing the where command to see if results are shown.  If they are, then examine the events closely to ensure they are filtered as desired.
Hi @daniaabujuma, check the Correlation Search Name: it must be different from the others, otherwise you cannot distinguish it from them. Ciao. Giuseppe
Hello @gcusello, yes, everything is exactly the same.
I actually ended up resolving the issue myself: I didn't have my indexes.conf file on my search head, which didn't allow me to see the data on my cluster.
Hi @daniaabujuma, check if the options in the Notable creation are the same as in other Notables that are usually triggered. Ciao. Giuseppe
Hi @gcusello, thanks for the reply. This is what I did; it works every time without issues, but I noticed that recently the newly created correlations aren't creating notables when triggered.
How to change the colour of the info button in a dashboard.
Hi @daniaabujuma, a very stupid question: did you create the Notable creation as a Requested Action? Notable Creation isn't enabled by default. If yes, check the parameters you used. Ciao. Giuseppe
Hi Splunkers! I am using Splunk Enterprise Security and creating correlation searches. One of them I have created and tested manually by running the search over a specific period of time; many events matched, but no notable events are being created. To test my correlation, I have added another action (send email) when the correlation is triggered, and sure enough, an email was sent to me. Can anyone help me solve this issue?
Hi @derchrischkya, lookups are only on Search Heads; in fact, usually KV-Store is disabled on Indexers. The only ways to replicate lookups are: have a Search Head Cluster, where lookups are automatically replicated between Search Heads; or don't use lookups but Summary Indexes, which are saved on Indexers. You can use a summary index as a lookup by creating a scheduled search that saves the same content as the lookup into the summary index (e.g. every day). Ciao. Giuseppe
Hey @Aaron_H, when you say "Dropped by a decision" I think you need to use decisions and filters, as decisions pass ALL the data through based on a True evaluation, whereas filters will only send the data value(s) that pass the condition. You then use the "filtered_data...." datapath to only grab/use the value passed out of the filter. Always use a decision first, as they offer the ELSE clause so you can at least handle any non-match (add comment/send email/etc.). If no conditions are matched in a filter, then the playbook just stops and there is no way to catch this.
Hi @richgalloway, I tried with this query but am not able to see any result:

index="abc" sourcetype=$Regions$ source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "StatisticBalancer - statisticData: StatisticData" | rex "totalOutputRecords=(?<totalOutputRecords>),busDt=(?<busDt>),fileName=(?<fileName>),totalAchCurrOutstBalAmt=(?<totalAchCurrOutstBalAmt>),totalAchBalLastStmtAmt=(?<totalAchBalLastStmtAmt>),totalClosingBal=(?<totalClosingBal>),totalRecordsWritten=(?<totalRecordsWritten>),totalRecords=(?<totalRecords>)" | where fileName="TRIM.UNB.D082923.T045920" | table busDt fileName totalAchCurrOutstBalAmt totalAchBalLastStmtAmt totalClosingBal totalRecordsWritten totalRecords
Hi @Dustem, let me understand: you want to discover if, in one time period, there was a Windows EventCode=4769 but not a Windows EventCode=4770, is that correct? I suppose that you have a common ID to correlate the events. If this is your requirement, you could try something like this:

index=wineventlog EventCode IN (4769,4770) | stats dc(EventCode) AS EventCode_count BY TGT_Id | where EventCode_count=1

Ciao. Giuseppe
Dear Splunkers, actually I am facing an issue. We have a lookup on the SHC with some location information, e.g. location.csv:

location
DE
EN

The scope is to ingest data on the indexers only when the location in the events also shows up in the lookup. The solution works with ingest_eval and lookup filtering. The question right now is whether we have the possibility to manage this lookup at SH level and give some roles the permission to add/remove locations on their demand from this index. E.g. I'll update the lookup on the SH and this will be replicated to the lookup on the Index Cluster too. How can I achieve this one? Kind Regards
Looping is not supported, yet, in the platform. There was an announcement at .Conf23 that stated a Loop Block was coming soon. I would highly recommend waiting for that. Also @nongingerale, why are you not just passing all the items into the child playbook and then looping through the values inside the playbook? This is most certainly best practice for this. I appreciate I don't know your use case, but there are many ways to not need to build bespoke loops using the platform capabilities.