@bowesmana, thank you for your response. I am new to Splunk. I do not understand all the code you provided. My next question is how do I incorporate the actual search using your code. Here is the search:
index="winlogs" host=* source="WinEventLog:Security" EventCode=4624 (Logon_Type=2 OR Logon_Type=7) NOT dest_nt_domain="Window Manager" NOT dest_nt_domain="Font Driver Host" | sort _time | convert ctime(_time) as timestamp | table timestamp, EventCode, Logon_Type, Account_Name, RecordNumber, status
Hi @linaaabad, this is a 3rd party Splunk app that relies on the Splunk Add-on for Salesforce, so it's likely that it has some compatibility. Splunk App for Salesforce: https://splunkbase.splunk.com/app/1931
Hope that helps.
You need to tell volunteers what "doesn't work" means. This is a phrase to be avoided in the best of scenarios. This said, if Target_Account_Name and Subject_Account_Name are both available in raw events, maybe you are looking for distinct_count (aka dc) instead of count? Something like
source="WinEventLog:Security" EventCode IN (628, 627, 4723, 4724)
| stats dc(Target_Account_Name) by Subject_Account_Name
Hope this helps.
With SOAR 6.1's addition of the "Run automatically when" field, it would be great to be able to run a playbook on container resolution that can read the closure comment. Bonus points if you can explain why Comment data is separate from Event data in the export while notes aren't.
Thank you so much for your fast reply! Unfortunately, adding a filter after my decision block did not fix my problem. In the debugger, it shows the filter as working after my decision, but still all 5 artifacts make it through to my Post block. I'm very new to SOAR/Phantom, so I apologize for my ignorance; I had edited some artifacts' CEF so that they have unique values that I then put into the decision/filter so that they will specifically be pulled as intended. It still shows that, even after the filter works, all 5 are being posted to my Confluent stream. When you're pulling multiple artifacts from a container, are they "tied" together, as in they will be moved together through a playbook as long as at least one of them proves true for a decision or filter? Because that's what appears to be happening. Thank you again for your assistance in this matter!
What I have done is to add these lines at the end of my query; from my initial testing it works. Is this what you were getting at?
| eval hour=strftime(now(),"%H") | eval weekday=strftime(now(),"%w") | where NOT (hour IN (13,14)) AND weekday != 0
This would not generate any results if it's Sunday between 1 AM through 2:59 AM?
Good day. I am trying to use the sendalert command in Splunk to send a set of results to Splunk SOAR (Phantom). Each result appears in Phantom as a new event; would there be a way to receive only one event with all the results? I'll appreciate your answer.
Is it possible to add some parameters in Splunk URL so that after clicking the URL, the viewer will see a well formatted SPL search and does not need to format manually?
@smanojkumar Can you please share more details like which info button you want to change color? A screenshot of a sample dashboard or panel would be helpful. KV
Your solution makes sense, but I am still getting this error when I try to run the search: External search command 'ldapsearch' returned error code 1. Script output = "error_message=invalid filter ".
Hello, I set up several hosts in the Forwarding and Receiving section (different servers and ports) to forward logs. I can see the Automatic Load Balancing option is ENABLED. I want to have it DISABLED but do not know how to disable it. Can anybody help me pls? Thanks, pawel
I have an idea and am looking for some input on how to approach it and where to start. As mentioned in the subject, I do not want an alert to be triggered if, let's say, it's Sunday between 1-2 AM. I cannot do this via CRON, so I'm looking for an alternative solution. Questions/Thoughts:
(1) What is the best/simplest way to get the Day and Hour from Splunk?
(2) Once I get day & hour, how should I incorporate that into my existing alert query? Should I create a var to indicate outage or not (0/1)?
(3) Once I determine that I am in an outage (1), is there an easy way to force the alert's results to = 0?
I know there are going to be many questions, so fire away and I will try to explain or answer the best I can, as there are many alerts I'm trying to make this work for and they are all slightly different in their implementation...
Lack of indexes.conf on SH results only in lack of auto-completion in the search edit window. You still can manually write which index you want to search and it works.
@phanTom Thank you for your answer, it will be very useful. I was just asking why, from the events that come to me, it seems as if my playbook were running on more than one event at the same time; if it were running on 2 events or more at the same time, it wouldn't work for me. I need it to execute one event at a time.