All Posts

Hi everyone. I have a query that calculates a number of metrics, such as average, max value, etc., for a specific date, given an interval from a dropdown menu. All the metrics are then output in a table, in which a row represents one day and the columns are the metrics themselves. I need to apply the same query to a number of days given an interval and output the result of each day as a new row in the table. For example, if the user queries the past 5 days, I need five rows, each with the metrics associated only with the data from that day. How could I do this?
Hi @Real_captain, please try this:

index=xyz source=db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval Date_of_reception = strftime(_time, "%d/%m/%Y"), {Function}_TIME = _time
| eval Application = case(JOBNAME IN ("A", "B"), "A1", JOBNAME IN ("C", "D"), "A2")
| stats earliest(eval(if(JOBNAME IN ("A", "C"), STARTED_TIME, null()))) AS STARTED_TIME latest(eval(if(JOBNAME IN ("B", "D"), ENDED_TIME, null()))) AS ENDED_TIME BY Application Date_of_reception
| eval Execution_Time = if(isnull(ENDED_TIME), "Job B not started", ENDED_TIME - STARTED_TIME)
| eval STARTED_TIME = strftime(STARTED_TIME, "%d/%m/%Y"), ENDED_TIME = if(isnull(ENDED_TIME), "Job B not started", strftime(ENDED_TIME, "%d/%m/%Y"))
| table Application Date_of_reception STARTED_TIME ENDED_TIME Execution_Time

Ciao. Giuseppe
Yes, you are right. But when Job A is completed and Job B is still not started, then Application Start Time = start time of Job A and Application End Time = end time of Job A. If Job B is not started, then Application End Time should be NULL, as we are checking the end time of Job B. That's why I want to do the below:

Application Start Time of A1 = start time of Job A and Application End Time of A1 = end time of Job B
Application Start Time of A2 = start time of Job C and Application End Time of A2 = end time of Job D
Couple of possible ideas...

1. Route the alert to Splunk On-Call and use escalation policies to decide who gets alerted.
2. Choose the "webhook" option and provide a custom script that routes the alert however you want.
Hi @Real_captain, using my search you take the earliest value and the latest value of Application1 using both jobs, so I suppose that the first value is from Job1 and the latest value is from Job2. Ciao. Giuseppe
Hi @gcusello, is it possible to check the STARTED_TIME and ENDED_TIME of a particular job of each application instead of the earliest/latest time of the application?

STARTED_TIME of application A1 = STARTED_TIME of job A
ENDED_TIME of application A1 = ENDED_TIME of job B
STARTED_TIME of application A2 = STARTED_TIME of job C
ENDED_TIME of application A2 = ENDED_TIME of job D
Hi @Real_captain, please try this:

index=xyz source=db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval Date_of_reception = strftime(_time, "%d/%m/%Y"), {Function}_TIME = _time
| eval Application = case(JOBNAME IN ("A", "B"), "A1", JOBNAME IN ("C", "D"), "A2")
| stats earliest(STARTED_TIME) AS STARTED_TIME latest(ENDED_TIME) AS ENDED_TIME BY Application Date_of_reception
| eval Execution_Time = ENDED_TIME - STARTED_TIME
| eval STARTED_TIME = strftime(STARTED_TIME, "%d/%m/%Y"), ENDED_TIME = strftime(ENDED_TIME, "%d/%m/%Y")
| table Application Date_of_reception STARTED_TIME ENDED_TIME Execution_Time

Ciao. Giuseppe
Hi Team, can you please help me create a statistics table based on the requirement below.

Current output:

Expected output:

Current query:

index=xyz source=db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D)) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND", like(TEXT, "%ENDED - TIME%"), "ENDED", like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(_time, "%d/%m/%Y"), {Function}_TIME = _time
| rename DAT as Date_of_reception
| stats max(Date_of_reception) as Date_of_reception max(STARTED_TIME) as STARTED_TIME max(ENDED_TIME) as ENDED_TIME by JOBNAME
| eval Application = case(JOBNAME IN ("A", "B"), "A1", JOBNAME IN ("C", "D"), "A2")
| table Application, JOBNAME, Date_of_reception, STARTED_TIME, ENDED_TIME
@Dikshi Check this: KV store troubleshooting tools - Splunk Documentation
@Dikshi Are you running KV Store on indexers? If yes, indexers do not use KV Store, so there is no need to run it. Disabling KV Store on the indexers will stop the errors. Ensure that your SSL/TLS certificates are correctly configured and valid. Use the command ./splunk show kvstore-status to check the current status of the KV Store; this can provide insights into any specific issues that might be occurring. Check the mongod.log file located in $SPLUNK_HOME/var/log/splunk/ for any detailed error messages related to the KV Store. Look for messages about SSL certificate validation or other connectivity issues. If the issue persists, you might need to clean and reinitialize the KV Store. Also check this documentation: Solved: Kvstore has stuck at starting stage for all the se... - Splunk Community
@mohsplunking Refer to this documentation, where they have specified integration using an HEC token. You can use Splunk's HTTP Event Collector to forward data from BeyondTrust to Splunk. This method involves creating an HTTP Event Collector in Splunk and configuring BeyondTrust to send events to this collector: https://docs.beyondtrust.com/insights/docs/splunk
What constitutes a match between LKUP_DSN and DS_NAME? How much of DS_NAME is allowed to vary?
On top of what @kiran_panchavat mentioned, once we generate the Short IDs, we can also add them to the Incident Review dashboard as a custom field: https://www.splunk.com/en_us/blog/security/modifying-the-incident-review-page.html#:~:text=To%20configure%20Incident%20Review%20and,see%20Incident%20Review%20%E2%80%93%20Event%20Attributes.
Thank you for your reply. I found the solution; it's supported if you follow the approach below. You need to click on a finding to open the right-hand side panel, then click the 3 dots next to "start an investigation" and select "share a finding". This will generate the shortID and share link. I've attached a screenshot.
Hello everyone, we have recently started using ES8 with Mission Control and we would like to use Mission Control's API to export information. With the help of Postman, if we try to retrieve information from an investigation with https://SPLUNK:8089/servicesNS/nobody/missioncontrol/v1/incidents/ES-00001, we get the information. Now in Splunk, if we run the request | rest /servicesNS/nobody/missioncontrol, we get an answer. However, if we try | rest /servicesNS/nobody/missioncontrol/v1/incidents/ES-00001, we don't get an error message but 0 results. My user has admin rights. Does anyone have any idea why? Did we miss something? Thank you for the help!
Hello everyone, I'm trying to create a playbook that, based on the message provided by the prompt action, will update the container:open_time field. I already tried the following:

1. Use the container_update custom function, where I've set in the input_json box: {"custom_fields": {"open_time": prompt_1:action_result.summary.responses.0}}

2. Created a new variable in a custom code block:

import json

prompt_value = container.get("prompt_1:action_result.summary.responses.1", None)
input_json = {"container:open_time": prompt_value}
parameters.append({"input_json": json.dumps(input_json)})

But I'm receiving the following message: "Valid container entered but no valid container changes provided." Perhaps someone has a different method to help me resolve this.
Hello Splunkers, checking if anyone has successfully integrated BeyondTrust RS SaaS with Splunk. Their official guide only talks about on-prem integration, where a middleware connector needs to be installed, but for the cloud Remote Support application, how can this be achieved? Is there a custom TA for REST, or can an HEC be used here? Appreciate some assistance here. Thanks! Regards, Moh.
I wonder if there is any client to test the Splunk REST API, something like Postman. I can't seem to find the Splunk API collection.
I have a use case where defanged IoC attachments are downloaded from Outlook and uploaded into Splunk. We would like to check if there is any Postman API to upload IoCs for a user with:

a. Splunk Enterprise license only (lookup table)
b. Splunk Enterprise and Splunk Enterprise Security license
May I know which part I should refer to for the following error?

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c1106)