All Posts

Thanks @gcusello for your response and guidance. I tried your query and it's giving me results; however, it's only populating 5 fields, which are the ones that are common to both indices. How do you suggest I modify the query so the output also displays all the following fields that are under index="*firewall*"?

    src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name

My intent is to display the data in the following order (that includes fields from both indices) if possible (specific fields from index=corelight are in bold for reference):

    src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC", ssl_version AS Version, ssl_cipher AS ENCRPT_ALGO

Thanks!
Hi Kiran, thanks for the prompt reply. It's not working for me, and after removing eval no data is popping up. My goal is to get the hostname while hovering over the host_count variable from the query.
Here is my raw data in the Splunk query:

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
      <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <application xmlns="http://www.abc.com/services/listService">
          <header>
            <user>def@ghi.com</user>
            <password>al3yu2430nald</password>

If I want to mask the password value and show it in the Splunk output as:

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
      <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <application xmlns="http://www.abc.com/services/listService">
          <header>
            <user>def@ghi.com</user>
            <password>xxxxxxxxxxxx</password>

How can I do that?
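An added example, not part of this thread, of masking the value at search time with a sed-style replacement on _raw. The index and sourcetype names soap_app and soap_xml are placeholders I chose, not anything from the post; the <user> extraction into a field I call soap_user is likewise my own addition. The mask is a fixed twelve characters rather than one x per password character, so the output does not leak the length of the secret.

```spl
index=soap_app sourcetype=soap_xml
| rex mode=sed field=_raw "s/<password>[^<]*<\/password>/<password>xxxxxxxxxxxx<\/password>/g"
| rex field=_raw "<user>(?<soap_user>[^<]+)</user>"
| table _time, host, soap_user, _raw
```

This only changes what this particular search displays: the plaintext password is still stored in the index and is visible to anyone who can run a plain search over index=soap_app, export results, or look at the event in another dashboard. To keep the credential out of the index entirely, apply the same expression at parse time with a SEDCMD in props.conf on the heavy forwarder or indexer that parses this sourcetype, for example `SEDCMD-mask_password = s/<password>[^<]*<\/password>/<password>xxxxxxxxxxxx<\/password>/g` under the `[soap_xml]` stanza. That affects only events indexed after the change; events already on disk keep the plaintext until they age out, and the real fix is for the application to stop logging the credential at all.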
Hi @sdcig ,
as you experienced, don't use join because it's very slow! Use the OR conditions correlated using stats, something like this to adapt to your requirements:

    (index=*corelight* sourcetype=*corelight* server_name=*microsoft.com*) OR (index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100)
    | dedup src_ip, dest_ip
    | fields src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name
    | stats values(*) AS * BY dest_ip
    | rename src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC"

If possible, try to avoid using an asterisk at the beginning of a string (as in your case in index, sourcetype and host).

Ciao.
Giuseppe
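Building on the OR-plus-stats pattern in the reply above, the following is an added example; it is not part of the thread and not the answer's own query. It keeps the Corelight-only fields (ssl_version, ssl_cipher) that the question wants renamed, tags each event with the index it came from so the result can be restricted to dest_ip values seen in both sources, and applies the display names from the question. The index, sourcetype and search terms are the ones quoted in the thread (leading wildcards included, although the reply's advice to avoid them stands); the field names src_index, fw_action, corelight_action, source_count, first_seen and last_seen are my own, introduced so that the two sources' action values are not merged into a single column and so the time range of each correlated pair is visible.

```spl
(index=*corelight* sourcetype=*corelight* server_name="*microsoft.com*")
    OR (index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100)
| eval src_index=index,
       fw_action=if(like(index, "%firewall%"), action, null()),
       corelight_action=if(like(index, "%corelight%"), action, null())
| fields _time, src_index, src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port,
         app, rule, fw_action, corelight_action, session_end_reason, packets_out, packets_in,
         src_translated_ip, dvc_name, ssl_version, ssl_cipher
| stats dc(src_index) AS source_count,
        earliest(_time) AS first_seen, latest(_time) AS last_seen,
        values(src_zone) AS From, values(src_ip) AS Source,
        values(dest_zone) AS To, values(server_name) AS SNI,
        values(transport) AS Protocol, values(dest_port) AS Port,
        values(app) AS "Application", values(rule) AS "Rule",
        values(fw_action) AS "Action", values(corelight_action) AS "Corelight Action",
        values(session_end_reason) AS "End Reason",
        sum(packets_out) AS "Packets Out", sum(packets_in) AS "Packets In",
        values(src_translated_ip) AS "Egress IP", values(dvc_name) AS "DC",
        values(ssl_version) AS Version, values(ssl_cipher) AS ENCRPT_ALGO
    BY dest_ip
| where source_count=2
| convert ctime(first_seen) ctime(last_seen)
| rename dest_ip AS Destination
| table Destination, From, Source, To, SNI, Protocol, Port, "Application", "Rule", "Action",
        "Corelight Action", "End Reason", "Packets Out", "Packets In", "Egress IP", "DC",
        Version, ENCRPT_ALGO, first_seen, last_seen
```

The `where source_count=2` line gives the inner-join behaviour (only destinations present in both the Corelight and firewall events); drop it to see every dest_ip from either source with whichever columns that source supplies, which is the left-join-like output the question asks about. Fields that exist only in one index populate only from that index's events, so a column that stays empty after this search means the firewall events in the time range are not carrying that field under that name, not that the correlation failed.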
Hello, I have 2 queries where the indices are different and have a common field dest_ip, which is my focus (same field name in both indices). Please note that there are also some other common fields such as src_ip, action etc.

Query 1:

    index=*corelight* sourcetype=*corelight* server_name="*microsoft.com*"

additional fields: action, ssl_version, ssl_cipher

Query 2:

    index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100

additional fields: _time, src_zone, src_ip, dest_zone, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name

I'm trying to output all the corresponding server_names for each dest_ip, as a table with all the listed fields from both query outputs.

I'm new to Splunk and learning my way; I've tried the following so far:

A) using join (which is usually very slow and sometimes doesn't give me a result)

    index=*corelight* sourcetype=*corelight* server_name=*microsoft.com*
    | join dest_ip [ search index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100 | fields src_ip, src_user, dest_ip, rule, action, app, transport, version, session_end_reason, dvc_name, bytes_out ]
    | dedup server_name
    | table _time, src_ip, dest_ip, transport, dest_port, app, rule, server_name, action, session_end_reason, dvc_name
    | rename _time as "timestamp", transport as "protocol"

B) using an OR

    (index=*corelight* sourcetype=*corelight* server_name=*microsoft.com*) OR (index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100)
    | dedup src_ip, dest_ip
    | table src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name
    | rename src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC"

My questions:

- Would you suggest a better way to write/construct my above queries?
- In my OR output, I only see a couple of columns populating values (e.g. src_ip, dest_ip, action) while the rest are empty. My guess is they're populating because I'm doing an inner join and these are the common fields between the two. Since I'm unable to populate the others, maybe I need to do a left join?
- Can you kindly guide me on how to rename fields specific to each index when combining queries using OR? I've tried a few times but haven't been successful. For example, in my above OR statement, how and where in the query do I rename the field ssl_cipher in index=*corelight* to ENCRYPT_ALGORITHM?

Many thanks!
Yesterday I upgraded Splunk on one of my Deployment Servers from 9.3.1 with the 9.4.0 rpm on an Amazon Linux host and ran into the following error after starting splunk with:

    /opt/splunk/bin/splunk start --accept-license --no-prompt --answer-yes

(typical batch of startup messages here ... until)

    sh: line 1: 16280 Segmentation fault      (core dumped) splunk migrate renew-certs 2>&1
    ERROR while running renew-certs migration.

Repeated attempts at starting failed to render anything different. I ended up having to revert to the prior version. This is, in fact, the first failed upgrade I've had since I started using this product over 10 years ago. I have backed out of the upgrade, but considering the vagueness of this error message, I'm asking the community if anyone has seen this before.
Hi @avikc100 , good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated by all the contributors.
You're right... the original question wasn't clear enough. Well, it was to me... but that is always the case, I suppose! I'll consider using the existing Web DM or potentially creating a new one that will allow a little more customization for what I'm after. Thank you for the input.
It was not clear from the OP that the data comes from clients rather than servers/proxies - just that the data is *about* clients.  That doesn't mean the DM can't be used, but some fields won't apply.  It's normal for a DM to not have all fields populated.
Hi @richgalloway - I considered this one. The description is: "The fields in the Web data model describe web server and/or proxy server data in a security or operational context." Looking at the fields in this data model, this seems to me to be geared more toward web servers, not the clients of those servers. Many recommended fields in this data model would not apply to the web browsing logs from the client's perspective. Is attempting to squeeze logs from the clients into this data model commonly done? And to answer your questions: we have other data (from web servers) which uses the Web data model. Furthermore, the data I want to group/find with this search is definitely NOT CIM compliant. As the number of data sources for web browsing is high for our environment (something like 10+ sources), many of the sources do not have the same information available. I'm building a list of fields myself to standardize the names and would ideally map them to a data model.
FYI, it's possible if you have HF => third party s2s => indexer.
The Web datamodel appears to have the fields needed for that use case.  It is documented at https://docs.splunk.com/Documentation/CIM/5.1.0/User/Web Do you have data for that DM?  Is the data CIM-compliant so the DM can find it?
I'm building a search which takes a URL and returns all events from separate indexes/products where a client (user endpoint, server, etc.) attempted access. The goal is to answer "who tried to visit url X". I have reviewed the default CIM data models here: https://docs.splunk.com/Documentation/CIM/5.1.0/User/CIMfields However, none seem to fit this specific use case. Can anyone sanity check me to see if I've overlooked one? Thanks!
Thanks for the new knowledge. That is what I was looking for
Have you checked the logs of the Otel Collector? Could you please define a separate pipeline for the statsd metrics like:

    service:
      pipelines:
        metrics/statsd:
          receivers:
            - statsd
          exporters:
            - signalfx
I actually started using this approach and I realized that adding some more search conditions to the returned $search could actually massively reduce the amount of data to look at. I may still face some problems when joining the data with the backbone of my search. It is a hairy problem, I must admit. In the end the problem I have is that the eventID is far from unique for reasonable search windows, and I am trying to figure out how to pair events in the two mostly independent streams of events. The lifetime of an eventID is less than 5 minutes; the question is how to construct an attribute to join on from a time window. I have some more thinking to do.
Thanks, this worked for me as well. Is there a way to rename the CSV attached to the report?
Hi @Chirag812 ,
first of all, you don't need to uninstall the old version, and anyway you can follow the instructions at https://docs.splunk.com/Documentation/Forwarder/9.4.0/Forwarder/Upgradetheuniversalforwarder : you can upgrade your UFs using a deployment tool such as Group Policy or System Center Configuration Manager.
Officially Splunk doesn't support UF binary upgrade via DS; fortunately this feature seems to be in the development phase: https://ideas.splunk.com/ideas/EID-I-70.
You can use two apps from Splunkbase:
for *nix Forwarders https://splunkbase.splunk.com/app/5004
for Windows Forwarders https://splunkbase.splunk.com/app/5003
The only limitation is that they are archived.
Ciao.
Giuseppe
1) form.Tail is used not only to change the token of Tail but also to set the filter Tail to be the $Tail$ value.
2) I am clicking on the legend of a chart where the values (names) there are the numbers of the tails (for example 120, 170, 200, etc.). On the first click it's setting the token of $tail$ to be the legend I clicked, which is working great; what's not going great is the second click to unset the token.
3) The base search is doing aggregation by other filters and is doing some of the thinking, and indeed saves loading time (tested before and after).
I need to upgrade the Splunk Universal Forwarder version on all the existing installed Windows 2016 and 2019 servers. I am using Splunk Enterprise as a search head and indexer. Is there a way that I can upgrade the old version to the latest without uninstalling the old one and installing the new one? And how can this task be done for all the servers together instead of one by one?