Hi. In my company we have Symantec Endpoint Security (SES), which is in the cloud. I have created a Bearer Token and have made the configurations in Symantec; the problem occurs when I need to integrate it with Splunk. Is there someone with experience in Symantec who can help me?
Hi, I have just opened the code and adjusted it, and it works.
I tried installing it in multiple instances and got the same error. Splunk version is 9.2.2.
Hi @pedropiin, you have to run something like this:

<your_search>
| bin span=1d _time
| stats sum(metric1) AS metric1 sum(metric2) AS metric2 sum(metric3) AS metric3 BY _time

I could be more detailed if you share more information about your data. Ciao. Giuseppe
Here are some internal logs.

02-14-2025 08:57:21.124 -0600 ERROR PersistentScript [3645488 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/etc/apps/TA-virustotal-app/bin/lib/typing_extensions.py", line 1039
02-14-2025 08:57:21.124 -0600 ERROR PersistentScript [3645488 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/etc/apps/TA-virustotal-app/bin/lib/aiohttp/hdrs.py", line 13, in <module>
02-14-2025 08:57:21.124 -0600 ERROR PersistentScript [3645488 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/etc/apps/TA-virustotal-app/bin/lib/aiohttp/__init__.py", line 5, in <module>
02-14-2025 08:57:21.124 -0600 ERROR PersistentScript [3645488 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/lib/python3.7/site-packages/splunk/persistconn/appserver.py}: File "/opt/splunk/etc/apps/TA-virustotal-app/bin/lib/vt/client.py", line 23, in <module>
Hi everyone. I have a query that calculates a number of metrics, such as average, max value, etc., for a specific date, given an interval from a dropdown menu. All the metrics are then output in a table, in which a row represents one day and the columns are the metrics themselves. I need to apply the same query to a number of days given an interval and output the result of each day as a new row. For example, if the user queries the past 5 days, I need five rows, each with the metrics associated only with the data from that day. How could I do this?
Hi @Real_captain, please try this:

index=xyz source=db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y"), {Function}_TIME = _time
| rename DAT as Date_of_reception
| eval Application = case(JOBNAME IN ("A", "B"), "A1", JOBNAME IN ("C", "D"), "A2")
| stats earliest(eval(if(JOBNAME IN ("A", "C"), STARTED_TIME, null()))) AS STARTED_TIME latest(eval(if(JOBNAME IN ("B", "D"), ENDED_TIME, null()))) AS ENDED_TIME BY Application Date_of_reception
| eval Execution_Time = if(isnull(ENDED_TIME), "Job B not started", ENDED_TIME - STARTED_TIME)
| eval STARTED_TIME = strftime(STARTED_TIME, "%d/%m/%Y"), ENDED_TIME = if(isnull(ENDED_TIME), "Job B not started", strftime(ENDED_TIME, "%d/%m/%Y"))
| table Application Date_of_reception STARTED_TIME ENDED_TIME Execution_Time

Ciao. Giuseppe
Yes, you are right. But when Job A is completed and Job B is still not started, then Application Start Time = start time of Job A and Application End Time = end time of Job A. If Job 2 is not started, then Application End Time should be NULL, as we are checking the end time of Job B. That's why I want to do the below:

Application Start Time of A1 = start time of Job A, and Application End Time of A1 = end time of Job B
Application Start Time of A2 = start time of Job C, and Application End Time of A2 = end time of Job D
A couple of possible ideas:
1. Route the alert to Splunk On-Call and use escalation policies to decide who gets alerted.
2. Choose the "webhook" option and provide a custom script that routes the alert however you want.
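For the second idea, here is an added example of what the receiving end of a webhook alert action can look like (this is not code from Splunk or from the poster). It uses the payload keys Splunk documents for the webhook action (sid, search_name, results_link, result); the severity field inside result, the shared path secret and the destination names are assumptions for illustration. One point worth noting: Splunk does not sign webhook payloads, so the receiver has to authenticate the caller itself.

```python
"""Routing receiver for a Splunk 'webhook' alert action.

Added example for this thread, not code from Splunk or from the original
poster.  The payload keys used here (sid, search_name, results_link,
result) are the ones Splunk documents for the webhook alert action; the
severity field inside `result`, the shared path secret and the destination
names are assumptions for illustration.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed routing table: severity in the first result row -> destination.
ROUTES = {
    "critical": "pager-tier1",
    "high": "pager-tier2",
    "medium": "chat-secops",
    "low": "ticket-queue",
}
DEFAULT_DESTINATION = "ticket-queue"

# Splunk does not sign webhook payloads, so the receiver has to authenticate
# the caller itself.  This example expects an unguessable path segment that is
# part of the webhook URL configured in the alert action (an assumption).
PATH_SECRET = "replace-with-a-long-random-value"
MAX_BODY_BYTES = 64 * 1024


def route_alert(payload):
    """Decide where one webhook payload goes.

    Returns the destination plus the identifying fields an on-call tool
    needs.  An unknown or missing severity falls back to the default
    destination rather than silently dropping the alert.
    """
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    result = payload.get("result")
    if not isinstance(result, dict):
        result = {}
    severity = str(result.get("severity", "")).strip().lower()
    return {
        "destination": ROUTES.get(severity, DEFAULT_DESTINATION),
        "severity": severity or "unknown",
        "search_name": payload.get("search_name", ""),
        "sid": payload.get("sid", ""),
        "results_link": payload.get("results_link", ""),
    }


def path_is_authorised(path):
    """Constant-time comparison of the URL path against the shared secret."""
    return hmac.compare_digest(path.strip("/"), PATH_SECRET)


class WebhookHandler(BaseHTTPRequestHandler):
    """Accepts the POSTed alert JSON, authenticates the path, and routes it."""

    def do_POST(self):
        if not path_is_authorised(self.path):
            self.send_error(404)  # do not confirm that the endpoint exists
            return
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0 or length > MAX_BODY_BYTES:
            self.send_error(413)
            return
        try:
            decision = route_alert(json.loads(self.rfile.read(length)))
        except ValueError:  # covers JSONDecodeError and non-object payloads
            self.send_error(400)
            return
        # Hand-off point: replace the print with a call into the on-call,
        # chat or ticketing API chosen for decision["destination"].
        print("routing %s (%s) to %s" % (decision["search_name"],
                                         decision["sid"], decision["destination"]))
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback; terminate TLS in a reverse proxy in front of this.
    HTTPServer(("127.0.0.1", 8081), WebhookHandler).serve_forever()
```

Configure the alert action's webhook URL as https://<proxy>/<PATH_SECRET> so the secret travels in the path; the handler answers 404 to anything else, so probing the host does not reveal the endpoint.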
Hi @Real_captain, using my search you take the earliest value and latest value of Application1, using both jobs, so I suppose that the first value is from Job1 and the latest value is from Job2. Ciao. Giuseppe
Hi @gcusello, is it possible to check the STARTED_TIME and ENDED_TIME of a particular job of each application instead of the earliest/latest time of the application?

STARTED_TIME of application A1 = STARTED_TIME of job A
ENDED_TIME of application A1 = ENDED_TIME of job B
STARTED_TIME of application A2 = STARTED_TIME of job C
ENDED_TIME of application A2 = ENDED_TIME of job D
Hi @Real_captain, please try this:

index=xyz source=db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y"), {Function}_TIME = _time
| rename DAT as Date_of_reception
| eval Application = case(JOBNAME IN ("A", "B"), "A1", JOBNAME IN ("C", "D"), "A2")
| stats earliest(STARTED_TIME) AS STARTED_TIME latest(ENDED_TIME) AS ENDED_TIME BY Application Date_of_reception
| eval Execution_Time = ENDED_TIME - STARTED_TIME
| eval STARTED_TIME = strftime(STARTED_TIME, "%d/%m/%Y"), ENDED_TIME = strftime(ENDED_TIME, "%d/%m/%Y")
| table Application Date_of_reception STARTED_TIME ENDED_TIME Execution_Time

Ciao. Giuseppe
Hi Team, can you please help me to create a statistics table based on the requirement below?

Current output: [image]
Expected output: [image]

Current query:

index=xyz source=db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y"), {Function}_TIME = _time
| rename DAT as Date_of_reception
| stats max(Date_of_reception) as Date_of_reception max(STARTED_TIME) as STARTED_TIME max(ENDED_TIME) as ENDED_TIME by JOBNAME
| eval Application = case(JOBNAME IN ("A", "B"), "A1", JOBNAME IN ("C", "D"), "A2")
| table Application, JOBNAME, Date_of_reception, STARTED_TIME, ENDED_TIME
@Dikshi Check this: KV store troubleshooting tools - Splunk Documentation
@Dikshi Are you running KV Store on indexers? If yes, indexers do not use KV Store, so there is no need to run it; disabling KV Store on the indexers will stop the errors. Ensure that your SSL/TLS certificates are correctly configured and valid. Use the command ./splunk show kvstore-status to check the current status of the KV Store; this can provide insights into any specific issues that might be occurring. Check the mongod.log file located in $SPLUNK_HOME/var/log/splunk/ for any detailed error messages related to the KV Store, and look for messages about SSL certificate validation or other connectivity issues. If the issue persists, you might need to clean and reinitialize the KV Store. Also check this documentation: Solved: Kvstore has stuck at starting stage for all the se... - Splunk Community
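To make the "look for SSL messages in mongod.log" step repeatable, here is an added example (not Splunk code, not from the poster) that pulls error and warning lines mentioning TLS or certificates out of a mongod.log. It handles both layouts mongod has used over the years, the legacy text format and the JSON-per-line format, so it works whichever mongod version the KV Store is running. The sample lines embedded below are constructed for the example, not copied from a real log.

```python
"""Scan a Splunk KV Store mongod.log for TLS/certificate problems.

Added example for this thread, not Splunk code.  It parses the two layouts
mongod has used: the legacy text format
(`<timestamp> <severity> <component> [<context>] <message>`) and the
JSON-per-line format of newer releases.  SAMPLE_LOG is constructed for the
example, not copied from a real log.
"""
import json
import re

LEGACY = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sev>[FEWID])\s+(?P<comp>[A-Z_-]+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$"
)
TLS_HINT = re.compile(r"\b(ssl|tls|certificate|handshake|x509)\b", re.IGNORECASE)
PROBLEM_SEVERITIES = {"F", "E", "W"}  # fatal, error, warning


def parse_line(line):
    """Return (severity, component, message), or None for unparseable lines."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except ValueError:
            return None
        msg = str(rec.get("msg", ""))
        attr = rec.get("attr")
        if isinstance(attr, dict):
            # In the JSON format the error detail lives in "attr", not "msg".
            msg = msg + " " + json.dumps(attr, sort_keys=True)
        return str(rec.get("s", "")), str(rec.get("c", "")), msg
    m = LEGACY.match(line)
    if not m:
        return None
    return m.group("sev"), m.group("comp"), m.group("msg")


def tls_findings(log_text):
    """Error/warning entries whose message points at TLS or certificate trouble."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sev, comp, msg = parsed
        if sev in PROBLEM_SEVERITIES and TLS_HINT.search(msg):
            findings.append({"severity": sev, "component": comp, "message": msg})
    return findings


# Constructed sample: two legacy-format TLS problems, one JSON-format problem,
# plus informational lines and junk that must be ignored.
SAMPLE_LOG = """\
2025-02-14T08:57:20.001-0600 I CONTROL  [initandlisten] MongoDB starting : pid=3645488
2025-02-14T08:57:21.124-0600 E NETWORK  [initandlisten] SSL peer certificate validation failed: certificate has expired
2025-02-14T08:57:21.130-0600 W NETWORK  [conn12] SSL handshake received but server is started without SSL support
2025-02-14T08:57:22.000-0600 I NETWORK  [conn13] end connection 127.0.0.1:51000
{"t":{"$date":"2025-02-14T08:57:23.000-06:00"},"s":"E","c":"NETWORK","ctx":"conn14","msg":"SSL peer certificate validation failed","attr":{"reason":"self signed certificate"}}
{"t":{"$date":"2025-02-14T08:57:24.000-06:00"},"s":"I","c":"NETWORK","ctx":"conn15","msg":"Connection ended"}
not a log line at all
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in tls_findings(text):
        print("%s %-8s %s" % (f["severity"], f["component"], f["message"]))
```

Run it as python3 scan_mongod.py $SPLUNK_HOME/var/log/splunk/mongod.log on the affected search head; an empty result means the KV Store failure is probably not certificate related and the next stop is the kvstore-status output.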
@mohsplunking Refer to this documentation, where they have specified integration using an HEC token. You can use Splunk's HTTP Event Collector to forward data from BeyondTrust to Splunk. This method involves creating an HTTP Event Collector in Splunk and configuring BeyondTrust to send events to this collector: https://docs.beyondtrust.com/insights/docs/splunk
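For anyone who needs to see what the sending side has to produce before wiring up BeyondTrust, here is an added example (not BeyondTrust or Splunk code) of a batch POST to a HEC endpoint: the /services/collector/event path, the Authorization: Splunk <token> header, and one JSON object per event with the metadata keys beside, not inside, the event body. The collector host, the index name, and the sample events are assumptions constructed for illustration; the token is read from the environment rather than written into the script.

```python
"""Send a batch of events to a Splunk HTTP Event Collector (HEC).

Added example for this thread, not BeyondTrust or Splunk code.  It shows the
request shape HEC expects: POST to /services/collector/event with an
`Authorization: Splunk <token>` header and one JSON object per event in the
body.  HEC_URL, HEC_INDEX and SAMPLE_EVENTS are assumptions constructed for
illustration.
"""
import json
import os
import ssl
import urllib.request

HEC_URL = "https://splunk.example.internal:8088/services/collector/event"  # assumed
HEC_INDEX = "beyondtrust"                                                   # assumed


def hec_payload(events, source, sourcetype, index=HEC_INDEX, host=None):
    """Serialise events as HEC expects: concatenated JSON objects, one per event.

    `events` is an iterable of (epoch_seconds, event_dict) pairs.  The
    metadata keys (time/host/source/sourcetype/index) sit beside `event`,
    not inside it, so Splunk applies them at index time.
    """
    chunks = []
    for ts, event in events:
        record = {
            "time": float(ts),
            "source": source,
            "sourcetype": sourcetype,
            "index": index,
            "event": event,
        }
        if host:
            record["host"] = host
        chunks.append(json.dumps(record, separators=(",", ":")))
    return "\n".join(chunks).encode("utf-8")


def hec_request(token, body, url=HEC_URL):
    """Build the POST; the HEC token travels in a bearer-style header."""
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": "Splunk " + token,
            "Content-Type": "application/json",
        },
    )


def send(token, events, source, sourcetype, ca_bundle=None, timeout=10):
    """POST the batch, verifying the collector's certificate (optionally
    against a private CA bundle) instead of disabling TLS verification."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = hec_request(token, hec_payload(events, source, sourcetype))
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        # HEC answers {"text":"Success","code":0} when the batch was accepted.
        return json.loads(resp.read().decode("utf-8"))


SAMPLE_EVENTS = [  # constructed for the example, not real BeyondTrust output
    (1739544000, {"action": "session_start", "user": "jdoe", "target": "srv01"}),
    (1739544060, {"action": "session_end", "user": "jdoe", "target": "srv01"}),
]

if __name__ == "__main__":
    token = os.environ["HEC_TOKEN"]  # keep the token out of the source tree
    print(send(token, SAMPLE_EVENTS, "beyondtrust:api", "beyondtrust:session",
               ca_bundle=os.environ.get("HEC_CA_BUNDLE")))
```

Treat the HEC token like any other bearer credential: scope it to the one index it needs in the token's settings and rotate it if it ever lands in a log or a ticket.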
What constitutes a match between LKUP_DSN and DS_NAME?  How much of DS_NAME is allowed to vary?
On top of what @kiran_panchavat mentioned, once we generate the Short IDs, we can also add them to the Incident Review dashboard as a custom field: https://www.splunk.com/en_us/blog/security/modifying-the-incident-review-page.html#:~:text=To%20configure%20Incident%20Review%20and,see%20Incident%20Review%20%E2%80%93%20Event%20Attributes.
Thank you for your reply. I found the solution; it's supported if you follow the approach below. You need to click on a finding to open the right-hand side panel, then click the 3 dots next to "start an investigation" and select "share a finding". This will generate the shortID and share link. I've attached a screenshot.
Hello everyone. We have recently started using ES8 with Mission Control and we would like to use Mission Control's API to export information. Using Postman, if we try to retrieve information from an investigation with https://SPLUNK:8089/servicesNS/nobody/missioncontrol/v1/incidents/ES-00001, we get the information. Now in Splunk, if we run | rest /servicesNS/nobody/missioncontrol, we get an answer. However, if we try | rest /servicesNS/nobody/missioncontrol/v1/incidents/ES-00001, we don't get an error message but 0 results. My user has admin rights. Does anyone have any idea why? Did we miss something? Thank you for the help!