All Posts
https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens#Result_tokens You need to use $result.your_field_name$; in your case it will be $result.Total_Count$.
The main question is what the dashboard is supposed to be for. Are you solving some problem from within your organization? In such a case - as @richgalloway pointed out - you should have requirements for this dashboard. Are you preparing a PoC/PoV as a partner? Consult partner portal resources for existing demo resources. Are you looking to expand existing Splunk infrastructure within your company to different divisions and use cases? Consult potential stakeholders, check what their expectations of the product would be, and try to make something targeting their needs. The general answer is "depends on what you have and what you need".
Please let me know if any panel needs to be modified or more detailed than these basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well. These are questions only your stakeholders can answer. If the proposed panels answer the questions they have or solve their problems, then modifications may not be necessary.
So I have my query working and I have a webhook created in a channel. It says that I can send tokens when I send the alert. It says the message can include tokens that insert text based on the result of the search query. The field / label I created was Total_Count. How do I pass that as a token?
You (or a responsible person designated by your organization) should have received a license file. You need to upload this file to the web UI (or copy-paste its contents), or use the CLI to add this license file. Either way, you need a _file_ describing your license capacities. If you don't have it and, due to some organizational changes, have no idea who should have received it, work with your Splunk sales contact on this issue.
Well, the Add-On for MSSQL is the supported way of getting audit data from MSSQL databases. If you want to do it another way, you're pretty much on your own.
When you have an LM and it's configured on the other servers as the LM, then no actions are needed on the other servers' side. On the LM side it tells you whether it needs a restart or not. Usually it doesn't need it.
No, I didn't, because there is no sourcetype or input if logs are coming in the Application channel.
Hi @Nawab, did you install the SQL Server Add-On https://splunkbase.splunk.com/app/2648 on the Search Heads and on the Indexers or (if present) on the Heavy Forwarders? Ciao. Giuseppe
Keeping this post since it may help others. It appears to me lately that the field hostname has to be selected under the fields.
And how to renew the Splunk license with the license number and GUID provided by the Splunk team? Unable to log in using the license number.
The MSSQL Add-On has installation and configuration docs. Did you read them? https://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/About
We need to integrate MSSQL Standard Edition with Splunk, so we tried sending logs to the Windows Event Viewer Application channel. Now we are getting logs, but the issue is that the logs are not parsed and we are getting all logs. My question is whether someone has integrated MSSQL Standard Edition with Splunk: how did you do it, and is the data parsed?
Hi @richgalloway, thanks for the reply. What about this: do we need to push it to all other nodes or is it already configured? Where to check whether it is configured or not? Please clarify.
Hi @Sankar, only training on ES: you must define a search to extract assets and identities from AD logs or from ServiceNow. These items must be formatted (field names) using the names that you can find in assets and identities management in ES. When you have created this search, you can schedule it, adding the information about priority (e.g. Domain Controllers have a critical priority, PCs of the CEO and managers have a critical priority, if you are an eCommerce company payment services are critical, and so on, based on your Business Impact Analysis). Ciao. Giuseppe
Hello all, I have an ask to create a sample dashboard with the data present. Hence I have created the following panels with dropdowns available:
Total Traffic vs Attack Traffic - | stats count as "Total Traffic" count(eval(isnotnull(attack_type))) as "Attack Traffic"
Top 10 Hostnames / FQDN Targeted - | stats count by fqdn
No of Error logs - | search severity = Error | stats count
No of Critical logs - | search severity = Critical | stats count
Attack Classification by % - (Num of Attacks) - | top limit=10 attack_type
Top 10 IP Addresses - | top ip_client limit=10
Daily Attack Trend - | timechart count(attack_type) as count span=1d
Weekly Attack Trend - | timechart count(attack_type) as count span=1w
Status Codes Trend - | stats count by response_code
HTTP Method Used - | stats count by method
Log Details - | table _time, ip_client, method, policy_name, response_code, support_id, severity, violations, sub_violations, violation_rating, uri
All searches follow the base search. Please let me know if any panel needs to be modified or more detailed than these basic ones. Also please suggest if any new panel can be added. Please suggest any drilldowns as well.
Exactly that way. Never use any x.0.0 version, and also avoid x.y.0 if you can! If you cannot, then test everything you have and need in a test environment first and fix your findings. Then do a full backup of all nodes, kvstores etc. Prefer offline if possible. Be sure that you have a rollback plan and resources in place for when something goes wrong and you cannot use your new version. Check in the logs that the update has finished before starting any components, and ensure that the logs don't contain any errors; if they do, those must be fixed before starting. Also join Splunk Slack and look at what others have already found and whether there is any fix for those. Here is a direct link to the splunk_9_upgrade_issues channel: https://splunk-usergroups.slack.com/archives/C03M9ENE6AD
Hi @gcusello, do we have any reference guide from Splunk? Or ServiceNow?
I have data that contains the LOGINDate, UserName, and USERID. I need to use the MLTK to detect user behavior individually, not for all users together. The goal is to use machine learning to detect the normal behavior of each user based on hours and days. Additionally, I need to detect: if the user logs in on off days, to determine whether it's normal behavior; and if the user logs in at abnormal hours on any day, this should also be detected. I successfully implemented this using Python, but the customer requires it to be done using Splunk MLTK without any static values.
Hi @arunkuriakose, it's always a best practice to have all the ES customizations in a custom app; in this way it's easier to migrate them. In your case, the best approach I can suggest is to move all of them into a custom app. Otherwise, you could copy all the folders of the ES installation on the Deployer, but I'm not so sure that's the correct approach; I'd prefer to use the custom app. Anyway, the migration process should be: back up the ES Search Head, configure the Deployer, move all custom configurations (Correlation Searches, Reports, Dashboards, field extractions, custom eventtypes, etc...) into a custom app called e.g. SA-SOC (where SA means Supporting Add-On), install ES on the Deployer, copy the SA-SOC app to the Deployer, configure the Search Heads in the Cluster, deploy the apps, and test your environment. This is a long job, so it would be best if you don't use the ES Search Head in the Cluster but a new machine, and keep using the stand-alone ES SH in the meantime while you migrate your environment; then at the end you can disable it. Ciao. Giuseppe