Hi guys, I want to detect when more than 10 different ports of the same host are sniffed and scanned every 15 minutes and this is triggered 5 times in a row, and then raise the alarm; if the same time period is triggered for three consecutive days, the alarm is triggered.
Are there any security-related concerns due to this, as this file contains the authToken? Can this be misused in any possible way?
I am also receiving the same error after installing and asking the end user to access it. Can anyone please let me know what extra capabilities are required to access it and add inputs?
Note: The admin user is able to access the add-on app and create inputs. The issue is with the end user (we can't give admin privileges to the end user).
Regards,
Ramesh Babu Chedulla
Hello, thank you for this idea. I will try this solution this week. Thanks, Flenwy
Hello, thanks for your reply. I cannot attach the real logs, but let's have an example. The log will start with a timestamp, so:
08:30:23 Started by Sarit Shvartzman
Raw
Raw
Raw
08:32:34 Finished:
I want all of this to be in one event instead of, as it is now, where it breaks by raw.
OK. The tstats command has a slightly different way of specifying the dataset than the from command. So you should be doing:
| tstats count from datamodel=internal_server.server
And it's irrelevant whether it's a docker container or any other way of deploying Splunk, because the commands work the same way regardless of how the software is deployed.
Splunk should automatically be capturing that time into the _time field. If you still need to extract it into a field, though, try:
| rex field=_raw "^(?<time_field>[^\s]+)\s"
Try looking to see if it has already been extracted; this is usually in a field called _time.
Hi All, I have the two logs below:
First Log
2023-09-05 00:17:56.987 [INFO ] [pool-3-thread-1] ReadControlFileImpl - Reading Control-File /absin/CARS.HIERCTR.D090423.T001603
Second Log
2023-09-05 03:55:15.808 [INFO ] [Thread-20] FileEventCreator - Completed Settlement file processing, CARS.HIER.D090423.T001603 records processed: 161094
I want to capture the trimmings for both logs. My current queries:
index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Reading Control-File /absin/CARS.HIERCTR."
index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Completed Settlement file processing, CARS.HIER."
Hi @smanojkumar, in this case, please try this:
| rex "OS\=\"*(?<OS>[^,\"]*).*OSRelease\=\"*(?<OSRelease>[^,\"]*)"
which you can test at https://regex101.com/r/SQFX88/1
Ciao. Giuseppe
Without "":
info_search_time=1693969036.181, OS=Linux, isBo=false, isFo=false, SCOPE=Unknown, isVIP=false, OSType=Linux, isCACP=false, isCMDB=false, isLost=false, Country=Unknown, isIndus=false, isMcAfee=true, isStolen=false, OSRelease=Unknown,
With "":
info_search_time=1693969036.181, OS="Windows Server 2019 Standard", isBo=true, isFo=false, SCOPE="IN", isVIP=false, OSType=Win, isCACP=false, isCMDB=true, isLost=false, Country=Germany, isIndus=false, isMcAfee=true, isStolen=false, OSRelease="EL Server 7.4 (Maipo", mcafee_LastCommunication="2023-09-05 20:30:35",
Hey @PickleRick, I went into the settings for the dataset and enabled acceleration (via Edit Acceleration). Also, the dataset shows up as accelerated in the list of datasets. Shouldn't that have resolved the issue? Also, why do you say it's irrelevant on a docker image? Is it not supposed to work on docker? Do you know of any documentation describing this?
Hi @smanojkumar, if you don't have quotes, you should be sure about the log format to find a different rule. Could you share some samples of your logs with and without quotes? Ciao. Giuseppe
Hi @gcusello, thanks for your response! In rare cases we don't have " " in OS and OSRelease. What would be the regex that should extract in both cases, like OS="Windows", OS=Windows, OSRelease="jhvdhjc", OSRelease=nsvcv? Thanks in advance! Manoj Kumar S
Hi @anooshac, I suppose that you have this path in a field, so you could use something like this:
| rex field=your_field "^(?<path>\w:\\\w+\\\w+\\\w+\\\w+)"
which you can test at https://regex101.com/r/kpyTLl/1
It could be possible that there's an issue due to a difference between regex101.com and Splunk, so, if the above regex doesn't run, please try this:
| rex field=your_field "^(?<path>\w:\\\\w+\\\\w+\\\\w+\\\\w+)"
Ciao. Giuseppe
Hi Everyone, I have to extract a file path from a path. The path will be in the format C:\a\b\c\abc\xyz\abc.h. I want to skip the first 4 folders. That is, in this example I want to extract \abc\xyz\abc.h. How can I do it using regex?
To add to the above details, the "thaweddb" folder is blank and doesn't contain any buckets. For now, I have increased the "frozenTimePeriodInSecs" by a few more months, but I'm not sure if it will work. Any other advice would be very helpful.
Single field extraction; still wondering why it didn't work.
Hi @harryhcg, let us know if we can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking, Giuseppe
P.S.: Karma Points are appreciated by all the contributors.
@yuanliu - It's not working for this requirement. I see it's returning the entire output field value multiple times (equal to the number of lines in the field).