Howdy Splunkers, Working on my Splunk deployment and ran into a funky issue. I am ingesting Palo Alto FW and Meraki network device logs via a syslog server. Rsyslog is set to write logs down to a file and the UF is set to monitor the directories. No issues there; however, I do run into an issue when I try to set a sourcetype or an index for these logs. I have edited the indexes.conf in the local folder on my cluster manager and pushed the required indexes to my indexers. When I go to search for the logs on my search head I cannot find any data. However, it works properly whenever I do not have the sourcetype and index destination in my inputs.conf. Any idea as to why?
test_id": "CHICKEN-0123456", "last_test_date": "2023-09-04 12:34:00"
With such a file as above and today's date 09/25/2023, once it is monitored by Splunk, I cannot search this data with the 'current' date or even the current time (15 or 60 minutes). Instead it tends to read the dates off of the file, which is the 'last test date' = 09/24/2023, therefore from the search I have to put either that day or "1 day" to find the data. Props.conf is currently set as DATETIME_CONFIG = CURRENT. I want the file to be 'read' as today if it was uploaded today (or within 15 min if it was uploaded within 15 min), NOT going off of the date in the file. Gurus, hop in please.
Does this mean that all the applicants under Beta version must complete the exam by end of September? Thank you
EDIT: Never mind, I had an issue in my Splunk server that was returning incorrect results; the solution works perfectly! Thanks!
Hi @jhilton90 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi All, I am looking for a SPL query to generate the SLA metrics KPI dashboard for incidents in Splunk Mission Control. The dashboard should contain SLA status (met/not-met) and the Analyst assigned to the incident. Thank You
Hello, Does the SQL "WHERE" clause have the same row limitation as "INNER JOIN"? Do "WHERE" and "INNER JOIN" have the same function and result? Thank you for your help. For example:
| dbxquery connection=DBtest query="SELECT a.name, b.department FROM tableEmployee a INNER JOIN tableCompany b ON a.id = b.emp_id"
| dbxquery connection=DBtest query="SELECT a.name, b.department FROM tableEmployee a, tableCompany b WHERE a.id = b.emp_id"
Hi @JohnnyMnemonic, if the threshold value is fixed when not present in the lookup, you can use an eval:
index=main | lookup thresholds_table.csv object output threshold | eval threshold=if(isnull(threshold),10,threshold) | where number > threshold
Ciao. Giuseppe
Hi, I'm trying to create a filter based on a threshold value that is unique for some objects and fixed for the others.
index=main | lookup thresholds_table.csv object output threshold | where number > threshold
The lookup contains something like:
object threshold
chair    20
pencil   40
The problem here is that not all objects are inside the lookup, so I want to fix a threshold number for all other objects; for example, I want to fix a threshold of 10 for every object except for those inside the lookup. I tried these things without success:
index=main | lookup thresholds_table.csv object output threshold | eval threshold = coalesce(threshold, 10) | where number > threshold
index=main | fillnull value=10 threshold | lookup thresholds_table.csv object output threshold | where number > threshold
index=main | eval threshold = 10 | lookup thresholds_table.csv object output threshold | where number > threshold
The objective is to identify when an object reaches an X average value, except for those objects that have a higher average value.
I am trying to create a timeline dashboard that shows the number of events for a specific user over the last 7 days (the x-axis being _time and the y-axis being the number of events). We do not have a field option for individual users yet. The syntax I have here will show a nice timeline from Search in Splunk, but when I try to create a dashboard line chart for it, I either get nothing or mismatching info. Syntax I use for search:
index="myindex1" OSPath="C:\\Users\\Snyder\\*"
Hi Shaiju, when will your engineering team fix this bug?
Thank you @richgalloway for the help. I really appreciate your time. Thank you.
Have you tried resetting your password?
Hi, we are using Splunk ES with notable events and suppressions. For the sake of completeness: we have alerts that produce notables, and some of these notables can be suppressed (through Splunk ES). So, in the "Incident Review" section we are able to see all the notables for which there are no suppressions. We are trying to send the same set (i.e. all the notables for which there are no suppressions). We tried to add the action "send to SOAR" in one of the alerts that produce notables, but in this way all the notables (even the suppressed ones) arrive on the SOAR. Do you know if there is a native feature (or quick way) to send all the notables for which there are no suppressions from Splunk to Splunk SOAR? Thank you in advance.
Hi @jhilton90, with the host field you should have the Universal Forwarder hostname, unless you manually configured a different host (e.g. when you're reading files in a syslog server). Ciao. Giuseppe
Thanks Giuseppe, How do I actually go about finding out what local logs it's reading?
I'm totally and utterly new to Splunk. I just ran the Docker Hub sample and followed the instructions: https://hub.docker.com/r/splunk/splunk/ I opened the search tab and most search commands seem to work fine. For example, the following command:
| from datamodel:"internal_server.server" | stats count
returns a count of 33350. While this command:
| tstats count from datamodel:"internal_server.server"
as well as this one:
| tstats count
both return zero. How can I get tstats working in this Docker env with the sample datasets?
Install the FortiGate add-on (https://splunkbase.splunk.com/app/2846) on your UF and on your Splunk indexers and search head(s). That page has installation instructions.
Hi @jhilton90, you can have the information about the UF only if it's reading the local logs; otherwise you cannot have this information, and never about HFs. I requested this feature on Splunk Ideas (https://ideas.splunk.com/ideas/EID-I-1731) and it's "Under consideration"; if you're interested, vote for it! Ciao. Giuseppe