All Posts

What have you tried so far?  How did those results not meet expectations? Have you experimented with https://regex101.com?
When setting a value for the MetaData:Sourcetype key, the value MUST be prefixed with "sourcetype::".

    [set_sourcetype_1]
    REGEX = myhost\.pl
    DEST_KEY = MetaData:Sourcetype
    FORMAT = sourcetype::mytype1
    WRITE_META = true

See https://docs.splunk.com/Documentation/Splunk/9.4.0/Admin/Transformsconf#KEYS:
Hello Team, 9.4.0, troubleshooting prod, replicated the issue in staging, I have 1 indexer only. Performing all searches on that indexer:
- when I search for "index=index1 sourcetype=mytype1" I got 0 results
- when I search for "index=index1" I got 1000 results and can see all of those are of sourcetype=mytype1
- when I search for "index=index1 | stats count by sourcetype" I can see 0 statistics
- when looking at those events manually, all of them are of sourcetype=mytype1
- checked job inspector, all looks good, nothing special
I am admin. Full access. Searching with 15 min and all time (no difference, the same results).
Sourcetype "mytype1" has been created by transforms:

    [set_sourcetype_1]
    REGEX = myhost\.pl
    DEST_KEY = MetaData:Sourcetype
    FORMAT = mytype1
    WRITE_META = true

No other definition of that sourcetype anywhere else (should I add it somewhere??). What is wrong? Why can I not search by sourcetype? Thanks,
I also used this method; it is very simple and ingenious. Thanks.
Hi. I have a file that I want to remove a portion of during index time. Remove all the text between ************************************** lines. For example:

    **********************************************************************
    Started at : 25/02/16 04:07:04
    Terminated at:
    Elapsed time :
    Software:
    Version: 6.0.0.0
    Built : 6.0.0.0.20141102.1-Release_ 14/11/02 10:06:52
    Context:
    Account: SOC
    Machine: NEW
    IP addr: 255.555.543
    CPU : Dual-Core
    LOG Recycle Count:
    **********************************************************************
    25/02/16 04:07:04.834 | 7904 | TEST1
    25/02/16 04:07:04.834 | 7904 | TEST2
    25/02/16 04:07:04.865 | 7860 | TEST3
    25/02/16 04:07:04.881 | 7860 | TEST4
    ...

In the end I need to get:

    25/02/16 04:07:04.834 | 7904 | TEST1
    25/02/16 04:07:04.834 | 7904 | TEST2
    25/02/16 04:07:04.865 | 7860 | TEST3
    25/02/16 04:07:04.881 | 7860 | TEST4

Please assist. Thanks
The newer version is not stable right now. For example, the documentation says it has enhanced workflows, but there is no option available to turn it on; it is disabled by default. We cannot open the correlation searches because they have added versioning of searches, and you cannot open versions edited in 7.3 or prior to 8. We can't create short IDs to track notables and we can't filter based on short ID, and many more issues.
Hi @Nawab, Notables are in a dedicated index that has the same name in both versions, so there's no issue in downgrading. About Correlation Searches, it's always a best practice to save them in a dedicated app, not in the Enterprise Security App, but anyway they are in the local folders so the new installation doesn't touch them. But the safest approach is to ask Splunk Support. Only for my information: why do you want to downgrade? Ciao. Giuseppe
We have just upgraded to ES 8.0.2, and it is very bad or still in development stages, and we want to roll back to 7.3. How can we do that keeping all our searches and notable data?
This needs to search any group we want to include by specific name and then table out a list of the users that are members of each group sorted by the group name

First, you need to illustrate how a user is represented in Splunk data. Is memberOf already extracted into one string? Second, you need to illustrate the form of that "specific name" you wish to use in Splunk search. As your example LDAP search indicates, an LDAP group is more than just CN, but a group of attributes strung together as a unique identifier. Are you going to search only by CN?
Hi @cybersunny, where did you insert the mailto protocol? It should be easier to help you if you can share your dashboard code using the "Insert/Edit Code sample" button, not a screenshot. Ciao. Giuseppe
@Wiessiet- Thanks for posting your findings on Splunk community. Though I have a suggestion for you: if you already have a solution to the problem, what I would do is post a question, post a reply to your question & accept your answer. This way other people see that question as resolved & available with the solution straightaway. I hope this makes sense!!
@Anit_Mathew- If it is Splunk ES default dashboard without any change in it and if it is still giving you error you can raise Splunk support ticket for it.  
@mpc7zh- Downgrading never works the same way as upgrade. Will the commands work?? -> Yes, maybe. But it will break functionalities and stuff. SOAR may not work properly. It may even create issues when you upgrade it in the future as well. Maybe Splunk support might be able to help you with this. You can raise a support ticket for it. But my question to you is, why do you need to downgrade in the first place?? Because a lot of the time, the thing that you need to do might be possible even without downgrading SOAR. I hope this helps!!! Kindly upvote if it does!!!
@JagsP- I don't see this App on the Splunkbase. Where did you get this App?? ( The reason I'm asking is because the error is coming from the Python code within this App.)   I hope this helps!!!
@cybersunny- Can you please post part of the dashboard XML which includes this mailto?? ( You can hide any sensitive information.)  
@ryanaa- I think this question is better suited for the Machine Learning community.
@joe2- I would like to clarify a few points and I think you will get the idea of how you can do something like that:
- Your query-1 is not working because it seems you are using the old query; that macro from the old query does not exist anymore, it seems. The new query is based on firewall data. Here - https://research.splunk.com/network/1ff9eb9a-7d72-4993-a55e-59a839e607f1/ But because this is dependent on firewall traffic data, it only works when you have a firewall between those two machines. It could be a traditional firewall or AWS firewall or anything.
- For your query-2, again you are looking for source=firewall* data. And Windows data contain that sourcetype, that's why you are seeing no results.
Summary: If you have a traffic monitoring device in between those two machines, use the traffic logs to detect it. https://research.splunk.com/network/1ff9eb9a-7d72-4993-a55e-59a839e607f1/ https://research.splunk.com/network/3141a041-4f57-4277-9faa-9305ca1f8e5b/ But if you don't, then the only option is to have something on the Windows victim device that logs all traffic to the machine, and use those traffic logs to build the query. I hope this helps!!! Kindly upvote if it does!!!
@darling- It's a public release App now, I don't think there should be any restriction on which Cloud stack you can install it. But for better clarity maybe you can contact Splunk support for Cloud & they should resolve your confusion. I hope this helps!!!
Your solution works perfectly. I still need to do some wider testing to make sure there are no gaps, but it looks like exactly what I need... the only issue is... I'm not sure *exactly* how it works. I know what fillnull and eval do, but the way you've used mvfilter confuses me. If you have the time, could you explain in simple terms how your solution works, please?
Thank you for your help. For example, if I have an MV field with the values "red", "blue", "N/A", "N/A", I would want to filter out the "N/A" fields. However, if instead I have an MV field with the single value "red", then I would want it left alone. And third, if I have an MV field with the values "N/A", "N/A", and "N/A", then I would want it left alone. Only when there's an MV field with both the "N/A" field and a non-N/A field do I want the N/A fields removed.