All Posts

Hi @Real_captain, using my search, you take the earliest value and the latest value of Application1 using both the jobs, so I suppose that the first value is from Job1 and the latest value is from Job2. Ciao. Giuseppe
Hi @gcusello, is it possible to check the STARTED_TIME and ENDED_TIME of a particular job of each application instead of the earliest/latest time of the application?

STARTED_TIME of application A1 = STARTED_TIME of job A
ENDED_TIME of application A1 = ENDED_TIME of job B
STARTED_TIME of application A2 = STARTED_TIME of job C
ENDED_TIME of application A2 = ENDED_TIME of job D
Hi @Real_captain, please try this:

index=xyz source=db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y"), {Function}_TIME = _time
| rename DAT AS Date_of_reception
| eval Application = case(JOBNAME IN ("A", "B"), "A1", JOBNAME IN ("C", "D"), "A2")
| stats earliest(STARTED_TIME) AS STARTED_TIME latest(ENDED_TIME) AS ENDED_TIME BY Application Date_of_reception
| eval Execution_Time = ENDED_TIME - STARTED_TIME
| eval STARTED_TIME = strftime(STARTED_TIME, "%d/%m/%Y"), ENDED_TIME = strftime(ENDED_TIME, "%d/%m/%Y")
| table Application Date_of_reception STARTED_TIME ENDED_TIME Execution_Time

Ciao. Giuseppe
Hi Team, can you please help me to create a statistics table based on the requirement below?

Current output:

Expected output:

Current query:

index=xyz source=db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y"), {Function}_TIME = _time
| rename DAT AS Date_of_reception
| stats max(Date_of_reception) AS Date_of_reception max(STARTED_TIME) AS STARTED_TIME max(ENDED_TIME) AS ENDED_TIME BY JOBNAME
| eval Application = case(JOBNAME IN ("A", "B"), "A1", JOBNAME IN ("C", "D"), "A2")
| table Application, JOBNAME, Date_of_reception, STARTED_TIME, ENDED_TIME
@Dikshi Check this: KV store troubleshooting tools - Splunk Documentation
@Dikshi Are you running KV Store on indexers? If yes, indexers do not use KV Store, so there is no need to run it. Disabling KV Store on the indexers will stop the errors. Ensure that your SSL/TLS certificates are correctly configured and valid. Use the command ./splunk show kvstore-status to check the current status of the KV Store; this can provide insights into any specific issues that might be occurring. Check the mongod.log file located in $SPLUNK_HOME/var/log/splunk/ for any detailed error messages related to the KV Store, and look for messages about SSL certificate validation or other connectivity issues. If the issue persists, you might need to clean and reinitialize the KV Store. Also check this documentation: Solved: Kvstore has stuck at starting stage for all the se... - Splunk Community
@mohsplunking Refer to this documentation, where they have specified integration using an HEC token. You can use Splunk's HTTP Event Collector to forward data from BeyondTrust to Splunk. This method involves creating an HTTP Event Collector in Splunk and configuring BeyondTrust to send events to this collector: https://docs.beyondtrust.com/insights/docs/splunk
What constitutes a match between LKUP_DSN and DS_NAME? How much of DS_NAME is allowed to vary?
On top of what @kiran_panchavat mentioned, once we generate the Short IDs, we can also add them to the Incident Review Dashboard as a custom field: https://www.splunk.com/en_us/blog/security/modifying-the-incident-review-page.html#:~:text=To%20configure%20Incident%20Review%20and,see%20Incident%20Review%20%E2%80%93%20Event%20Attributes.
Thank you for your reply. I found the solution: it's supported if you follow the approach below. You need to click on a finding to open the right-hand side panel, then click the 3 dots next to "start an investigation" and select "share a finding". This will generate the shortID and share link. I've attached a screenshot.
Hello everyone, we have recently started using ES8 with Mission Control and we would like to use Mission Control's API to export information. With the help of Postman, if we try to retrieve information from an investigation with https://SPLUNK:8089/servicesNS/nobody/missioncontrol/v1/incidents/ES-00001, we get the information. Now in Splunk, if we run the request | rest /servicesNS/nobody/missioncontrol, we get an answer. However, if we try | rest /servicesNS/nobody/missioncontrol/v1/incidents/ES-00001, we don't get an error message but 0 results. My user has admin rights. Does anyone have any idea why? Did we miss something? Thank you for the help!
Hello everyone, I'm trying to create a playbook that, based on the message provided by the prompt action, will update the container:open_time field. I already tried the following:

1. Use the container_update custom function, where I've set in the input_json box:

{"custom_fields": {"open_time": prompt_1:action_result.summary.responses.0}}

2. Created a new variable called prompt_value:

prompt_value = container.get("prompt_1:action_result.summary.responses.1", None)
input_json = {}
input_json = {"container:open_time": prompt_value}
parameters.append({"inpu_json": json.dumps(input_json)})

But I'm receiving the following message: "Valid container entered but no valid container changes provided."

Perhaps someone has a different method to help me resolve this.
Hello Splunkers, checking if anyone has successfully integrated Beyond Trust RS SaaS with Splunk. Their official guide only talks about on-prem integration, where a middleware connector needs to be installed, but how can this be achieved for the Cloud Remote Support application? Is there a custom TA for REST, or can a HEC be used here? Appreciate some assistance here, thanks! Regards, Moh.
I wonder if there is any client to test the Splunk REST API, something like Postman. I can't seem to find the Splunk API collection.
I have a use-case where defanged IoC attachments are downloaded from Outlook and uploaded into Splunk. We would like to check if there is any Postman API to upload IoCs for a user with:

a. a Splunk Enterprise license only (lookup table)
b. both Splunk Enterprise and Splunk Enterprise Security licenses
May I know which part I should refer to for the following error?

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c1106)
The file ACF2DS_Data.csv comprises columns such as TIMESTAMP, DS_NAME, and JOBNAME. I need to perform a partial match of the LKUP_DSN column from the DSN_LKUP.csv file with the DS_NAME column in the ACF2DS_Data.csv file in order to retrieve the relevant events from ACF2DS_Data.csv.
Hi @Cheng2Ready, please see this old answer of mine: https://community.splunk.com/t5/Splunk-Search/Bank-holiday-exclusion-from-search-query/m-p/491071 Ciao. Giuseppe
Hi @Dikshi, please could you check your splunkd.log for any errors relating to Mongo/KVStore and report back. Also, have you made any changes recently to either the Splunk version, permissions, certificates or operating system? Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped. Regards, Will
How do I solve this? My mongod.log file is empty.