All Posts

Hello @vh , It took some work, but I finally got this addon up and running. On the addon's setup screen, you need to paste the contents of the certificate and the private key generated in the CyberArk console. The certificate and private key contents are in the following format: -----BEGIN%20CERTIFICATE-----xxxxxxxxxxxxxxxxxx-----END%20CERTIFICATE-----%0A To generate the necessary information in the CyberArk console, follow the procedure available at the following link: https://docs.cyberark.com/admin-space/latest/en/content/siem-integration/siem-export-splunk.htm After the setup, you can create the input at Settings > Data Input > CyberArk Audit for Splunk, filling in the fields with the data generated in the CyberArk console. You can monitor the addon's operation through the logs available at: index=_internal source="*splunkd.log" cyberark If you need to redo the addon's setup, you can do so by clicking the "Setup" link under Apps > Manage Apps.
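The post shows the pasted value in a percent-encoded form (`%20` for spaces, `%0A` for newlines). The following is an added example, not code from the poster, the add-on or CyberArk: it produces that single-line form from a PEM file and, more usefully, checks a pasted value by decoding it and verifying that it is exactly one well-formed PEM block of the type the field expects. It assumes the setup page stores the value percent-encoded as shown; the sample certificate is constructed placeholder bytes, not a real certificate.

```python
import base64
import re
from urllib.parse import quote, unquote

# One PEM block: BEGIN/END labels must match, body is base64 lines.
PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+)"
    r"-----END (?P=label)-----\n?$"
)


def encode_pem_for_setup(pem_text: str) -> str:
    """Turn a PEM file's text into the single-line, percent-encoded form shown
    in the post (spaces become %20, newlines %0A). Assumption: that is the form
    the setup page stores; the post shows it but does not say who encodes it."""
    return quote(pem_text, safe="")


def check_setup_value(encoded: str, expected_label: str):
    """Decode a value as it would be pasted and verify it is exactly one
    well-formed PEM block of the expected type. Returns (ok, reason)."""
    pem = unquote(encoded)
    m = PEM_RE.match(pem)
    if not m:
        return False, "not a single PEM block with matching BEGIN/END lines"
    label = m.group("label")
    if label != expected_label:
        # Catches the common slip of pasting the key into the certificate field.
        return False, f"expected a {expected_label} block, got {label}"
    try:
        base64.b64decode(m.group("body").replace("\n", ""), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"body is not valid base64: {exc}"
    return True, "ok"


def constructed_certificate_pem() -> str:
    """Constructed sample: a PEM-shaped block around placeholder bytes,
    not a real certificate."""
    raw = b"constructed placeholder, not a real DER certificate" * 3
    body = base64.b64encode(raw).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    encoded = encode_pem_for_setup(constructed_certificate_pem())
    print(encoded[:60] + "...")
    print(check_setup_value(encoded, "CERTIFICATE"))   # (True, 'ok')
    print(check_setup_value(encoded, "PRIVATE KEY"))   # wrong field for this value
```

Run `check_setup_value` with `"CERTIFICATE"` on what you intend to paste into the certificate field and with `"PRIVATE KEY"` (or `"RSA PRIVATE KEY"`, whichever header your key file carries) on the key; a mismatch or a base64 error points at a copy/paste problem before you start chasing it in splunkd.log.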
https://community.splunk.com/t5/Monitoring-Splunk/Troubles-with-disk-space-quotas-SPLUNK-BASE-var-run-splunk/m-p/80218/highlight/true#M970
This looks like a classic dashboard? I didn't think to mention we're using Dashboard Studio. Is prefix/suffix available in Dashboard Studio?
Did you resolve this? I'm having the same issue.  
Lately our searchheads will run into issues where the srtemp folder balloons to 80+GB and fills the local hard drive. To temporarily fix, I have to shut down splunk and then run the splunk command: clean-srtemp It will then be good for several days to a week and eventually it's back again, rinse and repeat. I'm curious what my options are for determining what is causing the srtemp folder to fill consistently?
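One way to find out what is consuming srtemp before it fills the disk, as an added example that is not part of the question or of Splunk: a small report of space used per top-level entry of the srtemp directory, largest first, with the entry's age. It assumes the default location `$SPLUNK_HOME/var/run/splunk/srtemp` and that each top-level subdirectory there belongs to one search, so its name is what you would then look up in the job inspector or audit logs; the sample directory tree it runs against is constructed in a temp folder.

```python
import os
import tempfile
import time

# Assumption: srtemp lives under $SPLUNK_HOME/var/run/splunk/srtemp on a search head.
SRTEMP_DIR = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"),
                          "var", "run", "splunk", "srtemp")


def dir_size(path):
    """Total size in bytes of every regular file under path (symlinks not followed)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.lstat(os.path.join(root, name)).st_size
            except OSError:
                pass  # file vanished mid-scan: a finished search cleaning up
    return total


def srtemp_usage(srtemp_dir=SRTEMP_DIR, top=10):
    """Per top-level entry of srtemp, return (name, bytes, age_seconds), largest first.
    Assumption: each top-level subdirectory holds one search's temporary results."""
    now = time.time()
    rows = []
    with os.scandir(srtemp_dir) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            size = dir_size(entry.path) if entry.is_dir(follow_symlinks=False) else st.st_size
            rows.append((entry.name, size, int(now - st.st_mtime)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:top]


def build_constructed_srtemp():
    """Constructed stand-in for an srtemp directory so the report runs offline."""
    base = tempfile.mkdtemp(prefix="srtemp-demo-")
    for name, size in (("search_big", 3000), ("search_mid", 500), ("search_small", 120)):
        d = os.path.join(base, name)
        os.makedirs(d)
        with open(os.path.join(d, "results.csv.gz"), "wb") as fh:
            fh.write(b"x" * size)
    return base


if __name__ == "__main__":
    for name, size, age in srtemp_usage(build_constructed_srtemp()):
        print(f"{size:>12} B  {age:>6}s old  {name}")
```

Running `srtemp_usage()` with no arguments on the search head itself (as the Splunk user, while the growth is happening) gives you the handful of entries worth correlating with running or orphaned jobs, which is cheaper than waiting for the disk to fill and cleaning everything at once.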
Hi @DATT How about this?

<form version="1.1">
  <label>ClassicTest</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="multiselect" token="tags" searchWhenChanged="true">
      <label>Tags</label>
      <choice value="OS: MacOS">OS: MacOS</choice>
      <choice value="OS: Windows 10">OS: Windows 10</choice>
      <choice value="OS: Windows 11">OS: Windows 11</choice>
      <prefix>tags = </prefix>
      <valuePrefix>"*</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR tags=</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title></title>
      <table>
        <title>Output</title>
        <search>
          <query>|makeresults | eval msg="Event 1", tags="Junk1,OS: Windows 11,something1" | append [|makeresults | eval msg="Event 2", tags="Junk2,OS: Windows 10,something2"] | append [|makeresults | eval msg="Event 3", tags="Junk3,OS: MacOS 15.4,something1"] | search $tags$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

This uses a selection of tags="*<something>*" OR .. instead of trying to use IN. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
I have a field that I need to search on that is a long string of comma-separated values. It comes from our vulnerability scanner tool, Qualys, and looks something like this: "OS: Windows 10 22H2, Port: 53, AV: Installed, SW: Maya, SVC: SiegeTower" I have a multiselect dropdown on the dashboard with each unique tag that I want my users to be able to select any/all tags that matter to them. Application owners may only be concerned about viewing data related to their particular service on a particular operating system (user selects "OS: Windows 10 22H2" and "SVC: SiegeTower" for example). The problem I'm running into is when users select multiple tags, the search looks like this: <base search> | search TAGS IN ("OS: Windows 10 22H2","SVC: SiegeTower") | ... which returns zero results. What I really need is: <base search> | search TAGS IN ("*OS: Windows 10 22H2*","*SVC: SiegeTower*") | ... Which has wildcard characters on each search selection and does return the correct results. Is there any way to add wildcards to the multiselect dropdown selections to get the right results? The only other option I tried was a combination of split and mvexpand on the TAGS field to perform the search, but between thousands of endpoints and dozens of tags, I ran into memory issues that I won't be able to overcome any time soon. Any help here is appreciated!
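To make the mechanism in Will's answer above concrete for this question, here is an added example (not code from either poster or from Splunk) that assembles the multiselect token the way Simple XML does from prefix, valuePrefix, valueSuffix and delimiter, and then runs both the original `TAGS IN (...)` comparison and the wildcarded `tags="*...*" OR ...` comparison over the three sample events from the answer's makeresults search. The wildcard matcher is an approximation of Splunk's field=value test (whole-value, case-insensitive, `*` matches anything), which is enough to show why the exact form finds nothing against a comma-separated field.

```python
import re

# The three sample events from the makeresults search in the answer above.
EVENTS = [
    {"msg": "Event 1", "tags": "Junk1,OS: Windows 11,something1"},
    {"msg": "Event 2", "tags": "Junk2,OS: Windows 10,something2"},
    {"msg": "Event 3", "tags": "Junk3,OS: MacOS 15.4,something1"},
]


def build_multiselect_token(selections, prefix="", suffix="",
                            value_prefix="", value_suffix="", delimiter=","):
    """Assemble the token value the way Simple XML does for a multiselect:
    prefix + each value wrapped in valuePrefix/valueSuffix, joined by delimiter, + suffix."""
    if not selections:
        return ""
    inner = delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in selections)
    return f"{prefix}{inner}{suffix}"


def wildcard_match(value, pattern):
    """Approximation of Splunk's field=value test: '*' matches any run of
    characters, the comparison is case-insensitive and covers the whole field."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def search_with_wildcards(events, selections):
    """The answer's approach: tags="*sel*" OR tags="*sel*" ... (substring hits)."""
    return [e["msg"] for e in events
            if any(wildcard_match(e["tags"], f"*{s}*") for s in selections)]


def search_with_in(events, selections):
    """The original dashboard: TAGS IN ("sel", "sel"), i.e. whole-value equality.
    A comma-separated field value never equals a single tag, hence zero results."""
    wanted = {s.lower() for s in selections}
    return [e["msg"] for e in events if e["tags"].lower() in wanted]


if __name__ == "__main__":
    picked = ["OS: MacOS", "OS: Windows 10"]
    token = build_multiselect_token(picked, prefix="tags = ", value_prefix='"*',
                                    value_suffix='*"', delimiter=" OR tags=")
    print(token)                                  # tags = "*OS: MacOS*" OR tags="*OS: Windows 10*"
    print(search_with_wildcards(EVENTS, picked))  # ['Event 2', 'Event 3']
    print(search_with_in(EVENTS, picked))         # []
```

Note that the wildcard form is a substring test, so "OS: Windows 10" also hits an endpoint tagged "OS: Windows 10 22H2" and, had it existed, "OS: Windows 100"; if the tag vocabulary makes that ambiguous, include the separator in the value prefix/suffix (for example `"*,OS: Windows 10,*"` against a field that is also wrapped in commas) rather than widening the wildcard.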
It makes no sense to fiddle with fields since you're gonna do stats next. For example, performance of search

index=_internal | stats count by sourcetype

and search

index=_internal | fields - _* | fields sourcetype | stats count by sourcetype

is practically identical. The only difference in those commands is that one has this in map phase:

litsearch index=_internal | addinfo type=count label=prereport_events track_fieldmeta_events=true | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" "sourcetype" | prestats count by sourcetype

While the other has this:

litsearch index=_internal | fields - "_*" | fields + sourcetype | addinfo type=count label=prereport_events track_fieldmeta_events=true | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" "sourcetype" | prestats count by sourcetype

The two fields commands in the "better" version are actually pointless since right before prestats Splunk does its own fields command which limits the data to the fields taking part in aggregation anyway.
@vh I’ve set up this add-on in my lab environment and can see the data input option listed below. Could you please take a look and confirm? Navigate to Settings > Data Inputs. Multiple CyberArk data inputs.
Hi @Sultan77 I think there may be some confusion in this thread. It sounds like you're creating an Enterprise Security Correlation Search, right? The screenshots you posted where you specify host=$host$ in the DrillDown search is for when a notable event has been created and a security analyst is viewing it. They'll be presented a DrillDown search link designed to help take them to the event(s) which caused the notable to fire. Is that your understanding? Is it the drilldown you are wanting to restrict further, rather than the initial correlation search which created the notables? If so you need to find other fields in the returned data that can limit the events returned in the drilldown, such as eventID. Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
Hi @azer271,  have you solved the issue? I'm also having the same.
I have no idea what they mean by "certificate" and "private key" since the fields are just text fields (and neither splunkbase page nor Cyberark's docs help here). But when you type anything in and click save, you'll get to the "add input" dialog, where you can type in stuff like API endpoint or region.
Is there any documentation on creating an input for this app? (https://splunkbase.splunk.com/app/6608) I installed the app. Upon launching, it's asking for certificate and private key. There is no place for me to configure the API endpoint. thanks,
I didn't realize that table forces localop.  So, optimizing further would be: index=main sourcetype="access_combined_wcookie" action=purchase status=200 file="success.do" | fields - _* | fields JSESSIONID, action, status | stats count by JSESSIONID, action, status | rename JSESSIONID as UserSessions to discard _raw and other internal fields.
This sounds like a significantly different question - please start a new topic with more specifics as to your usecase, e.g. 25% of what over what time period, etc. Ideally, also provide your expected output.
Hi @Sultan77 , you cannot use a token in a Correlation Search, because it is automatically executed and you cannot pass a parameter to it. Ciao. Giuseppe
Dear @ITWhisperer , I am trying to set a correlation search. (content management -> correlation search)
Is this in a dashboard? Are you using Classic SimpleXML or Studio? Where is the token being set?
Hello everyone, I’ve encountered a problem while setting up a correlation search. For instance, when I use the following query: index=windows AND EventCode=4624 I end up getting multiple alerts. To refine this, I attempted to add a Drill Down Search like this: index=windows AND EventCode=4624 host="$host$" However, this returns no results. Does anyone have suggestions or ideas that might help resolve this? Any input would be greatly appreciated!
Well, you have this | search UID=1 part in your search which means that you're effectively getting just two series in output. And if you want the data for just this UID, it's best to filter your data as early as possible so that Splunk doesn't drag all unnecessary data along just to filter most of it out at the end. So you can completely refactor your search to something like:

index=snmp sourcetype=snmp_attributes Name IN (ifHCInOctets,ifHCOutOctets) host=xyz UID=1
| streamstats current=t global=f window=2 range(Value) AS delta BY Name
| eval mbps=delta*8/1024/1024
| timechart span=5m per_second(mbps) AS Mbps BY Name

This should give you two series as output - ifHCInOctets and ifHCOutOctets. You can of course | rename ifHCInOctets as In, ifHCOutOctets as Out for brevity. And now you can just do

| eval InPerc=In/(10*1024*1024)
| eval OutPerc=Out/(10*1024*1024)

You can multiply it by 100 if you want actual percents.
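To see what the streamstats/timechart pipeline in the answer above actually computes on counter data, here is an added example that is not part of the answer or of Splunk: it emulates `streamstats ... window=2 range(Value) AS delta BY Name`, the `delta*8/1024/1024` conversion and `timechart span=5m per_second(...) BY Name` in plain Python over constructed ifHCInOctets/ifHCOutOctets polls taken 60 seconds apart. The counter values and the 10 Mbit/s rate are constructed for the demonstration; the percent-of-link step from the answer is not reproduced.

```python
from collections import defaultdict

MBIT = 1024 * 1024  # the search converts bytes to Mbit with delta*8/1024/1024


def streamstats_range(samples, window=2):
    """Emulate `streamstats current=t global=f window=2 range(Value) AS delta BY Name`:
    per Name, range (max - min) over the current and the previous value.
    samples: (time, name, value) tuples in time order; returns (time, name, delta)."""
    history = defaultdict(list)
    out = []
    for t, name, value in samples:
        h = history[name]
        h.append(value)
        del h[:-window]                # keep only the last `window` values
        out.append((t, name, max(h) - min(h)))
    return out


def timechart_per_second(rows, span=300):
    """Emulate `timechart span=5m per_second(x) BY Name`: sum x per bucket,
    divide by the bucket length in seconds."""
    buckets = defaultdict(float)
    for t, name, x in rows:
        buckets[(t - t % span, name)] += x
    return {k: v / span for k, v in sorted(buckets.items())}


def interface_mbps(samples, span=300):
    """The pipeline from the answer: delta -> delta*8/1024/1024 -> per_second over 5m buckets.
    Returns {(bucket_start, name): mbps}."""
    mbit_rows = [(t, name, delta * 8 / MBIT) for t, name, delta in streamstats_range(samples)]
    return timechart_per_second(mbit_rows, span)


def constructed_samples():
    """Constructed: 10 polls 60 s apart; In grows 75 MiB per poll (10 Mbit/s), Out half that."""
    rows = []
    for i in range(10):
        t = i * 60
        rows.append((t, "ifHCInOctets", 1_000_000 + i * 75 * MBIT))
        rows.append((t, "ifHCOutOctets", 500_000 + i * 75 * MBIT // 2))
    return rows


if __name__ == "__main__":
    for (bucket, name), mbps in interface_mbps(constructed_samples()).items():
        print(f"{bucket:>4}s {name:<14} {mbps:.2f} Mbps")
```

Two things the numbers show that the SPL hides: the very first poll of each Name has no predecessor, so its delta is 0 and the first 5-minute bucket reads low (8 instead of 10 Mbit/s here), and `range()` is an absolute difference, so a counter reset or device reboot produces one huge positive delta rather than a negative one you could filter with `delta<0`; if that matters for alerting, compare the current value against the previous one explicitly instead of relying on `range`.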