Let me quote myself from earlier: "Just one important thing - if you want to enable TLS, get yourself a CA and issue proper certificates. Using self-signed certs everywhere will not help you much security-wise and you'll run into trouble when trying to validate them properly (which might be your case)". If you created self-signed certs for your components, you will have problems validating them. If you have a CA from which you issued those certs, you've probably not configured the root CA's cert as trusted.
Does Splunk already know what host name has to be replaced for each IP address? For example, are there some other events, or even the same events, which hold this relationship, or do you have a lookup holding this information?
@cshewalkar Are you looking to change the host value? You can change the value using the replace command: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Replace
I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@anandhalagaras1 Have you checked this community page? https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-edit-props/m-p/242367
Hi Team,
Need some help: while running the below query I get the host IP, i.e. 10.65.x.x, in a Number display visualization, but I need to replace it with the name "xyz".
index=network ((host=10.65.x.x) AND ((Interface Ethernet1/50 is *) OR (Interface Ethernet1/49 is *) OR (Interface Ethernet1/3 is *))) | table message_text, host
Attached is the screenshot.
Can you assist me with what needs to be done to solve this issue?
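Two ways to get the display name in place of the address, following the replace suggestion and the lookup suggestion above. This is an added example, not part of any post on the page; the search clause is the one from the question, "10.65.x.x" is the questioner's own placeholder for the real address, and the lookup file host_names.csv with columns ip and name is assumed to exist (it does not appear on the page).

```spl
index=network host="10.65.x.x" ((Interface Ethernet1/50 is *) OR (Interface Ethernet1/49 is *) OR (Interface Ethernet1/3 is *))
| table message_text, host
| replace "10.65.x.x" WITH "xyz" IN host

index=network ((Interface Ethernet1/50 is *) OR (Interface Ethernet1/49 is *) OR (Interface Ethernet1/3 is *))
| lookup host_names.csv ip AS host OUTPUTNEW name AS host_name
| eval host=coalesce(host_name, host)
| table message_text, host
```

The first search hard-codes a single mapping with replace, which is enough for one panel. The second keeps the mapping in a lookup (one row per ip/name pair) so the same search covers every device; coalesce keeps the raw address for any host the lookup does not know, so unmapped devices still show up rather than silently disappearing from the panel.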
@Amira Hey, you can follow these documents for more information:
Installation and configuration overview for the Splunk Add-on for Citrix NetScaler: https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/Installationoverview
About the Splunk Add-on for Citrix NetScaler - Splunk Documentation: https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/Install
https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/Setup
I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply, thanks.
@Jean-Sébastien You can use the rex command. The rex command matches the value of the specified field against the unanchored regular expression and extracts the named groups into fields of the corresponding names. https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Rex
Hello @Jean-Sébastien You can use regex. This will create a new field called output that contains the values running, drinking, and walking. Let me know if you need more assistance!
@bowesmana let me clarify the exact issue. We are ingesting logs from a syslog server in real time (meaning that as and when the logs are generated at the device, the Splunk forwarder immediately forwards them to Splunk for indexing). Now we have threat intel in the form of a .csv file containing multiple headers, viz. date, ip, valid_from, valid_until etc. We have ingested this csv file as a lookup and it is accessible through Search and Reporting.
Our architecture has one master/search head and two indexers. We have configured a deployment server on the master, and the indexers (clients) are successfully in sync with the deployment server. The deployment app has been created and is also getting deployed on the clients. The deployment app is aimed at enriching the logs with the threat intel in the csv file. However, this enrichment has to be done before the logs get indexed, and any match of an ip in the log event with an ip in the csv should generate an additional field "Add_field" which should also get indexed along with the syslog logs. We have configured props.conf and transforms.conf in the deployment app; however, the exact configuration is not being achieved.
Regarding your specific query about real time: when we say real time, it means that logs are enriched at the time of indexing and the additional contextual information present in the threat intel is also indexed in additional fields. The query run on the logs therefore does not need any lookup to be incorporated in the search query. The match of threat intel done today should stay in the logs in case the csv file is updated tomorrow. Looking forward to a suitable solution / configurations to be done in props.conf and transforms.conf for index-time enrichment (real-time enrichment) and not search-time enrichment. Thanks and regards
Hello, I have a big and complete log and want to extract a specific value. Small part of the log: "state":{"running":{"startedAt":"2024-12-19T13:58:14Z"}}}], I would like to extract running in this case; the value can be different. Could you please help me?
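A concrete rex for the fragment above, illustrating the rex answer given earlier in this thread. This is an added example, not code from either post; index and sourcetype names are placeholders to fill in, and the fragment is assumed to appear in _raw exactly as quoted, so the key immediately inside the "state" object (running here, but whatever the event carries) is captured as a new field named state.

```spl
index=<your_index> sourcetype=<your_sourcetype> "startedAt"
| rex field=_raw max_match=0 "\"state\":\{\"(?<state>[^\"]+)\":"
| table _time, state
| stats count BY state
```

Inside the SPL string the quotes are escaped as \" and the brace as \{, so the regex the engine sees is "state":{"(?<state>[^"]+)": which stops at the first quote after the key name. max_match=0 makes the field multivalued when one event describes several containers, which a plain rex (first match only) would hide; the final stats gives the distribution of states, which is usually the question being asked of these logs.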
Thank you so much for your help. I am pleased to share that I was able to resolve the initial issue by adjusting the PEM file. However, when I execute the command:
openssl s_client -showcerts -connect hostname:port
I get a connected status, but it ultimately results in the following error:
80FB2563307F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317:
Additionally, another error is displayed:
Verification error: self-signed certificate in certificate chain
Your help would be greatly appreciated.
I cloned the HTTP traffic collection from Splunk Stream and created a new one named HTTP_test, but no data is collected. However, data is currently being collected from the Stream rules that collect HTTP data. Is there a reason why the same item is not collected even though it is cloned?
Hi everyone, I’m new to working with Citrix NetScaler and need assistance with integrating it into Splunk Enterprise. Could someone please guide me on:
1. The prerequisites required for this integration.
2. The exact steps to follow for a successful setup and comprehensive data coverage.
Any detailed insights or documentation links would be greatly appreciated, and please let me know when it is required to use Splunk dashboards or visualization apps for NetScaler data. Thank you!
Splunk Add-on for Citrix NetScaler
Hi, I have three license keys for Splunk SOAR and Splunk UBA, each valid for one year. While I am able to install the keys on both SOAR and UBA, I would like to verify all the keys I have installed, identify which key is currently active, and check their expiration dates. Thank you
@sarathi125 FYI: Although you have a solution, using join is not a Splunk way of doing things, joining data sets should really be done using stats, it's faster, more efficient and does not have the limitations of join, which will silently discard results if the join subsearch exceeds 50,000 results - this may not be an issue in your case, but it's good practice to get your head around using stats to achieve joins. I also recommend you sort out the automatic field extraction so that you don't have to manually extract jobId - which then means you can use the fields in subsearches and only then have to make a single search.
Hi @bowesmana, with the below query I am able to achieve what I was trying to get. Thank you for your input.
index="<index>" (source="user1" OR source="user2") "The transaction reference id is"
| rex field=_raw "\"jobId\":\s?\"(?<jobId>[a-fA-F0-9\-]+)\""
| join jobId [
search index="<index>" (source="user1" OR source="user2") ("<ProcessName>" AND "Exception occurred")
| rex field=_raw "\"jobId\":\s?\"(?<jobId>[a-fA-F0-9\-]+)\""
| table jobId, _time, _raw
]
| table _time, jobId, _raw
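The stats-based form of the same correlation, as recommended two posts up, so that it no longer hits the join subsearch limit. This is an added example and not the poster's query; it keeps the poster's index, source and jobId rex as placeholders and assumes the two kinds of events are distinguishable by the literal "Exception occurred" in _raw, which is what the original join subsearch filtered on.

```spl
index="<index>" (source="user1" OR source="user2") ("The transaction reference id is" OR ("<ProcessName>" AND "Exception occurred"))
| rex field=_raw "\"jobId\":\s?\"(?<jobId>[a-fA-F0-9\-]+)\""
| eval evt_type=if(match(_raw, "Exception occurred"), "exception", "reference")
| stats count(eval(evt_type="reference")) AS ref_count,
        count(eval(evt_type="exception")) AS exc_count,
        min(_time) AS first_seen,
        values(eval(if(evt_type="exception", _raw, null()))) AS exception_raw
        BY jobId
| where ref_count > 0 AND exc_count > 0
| table first_seen, jobId, exception_raw
```

One search pulls both event types, evt_type tags each row, and stats groups them by jobId; the where clause keeps only jobIds that have at least one reference event and at least one exception, which is exactly the inner join the original expressed with join. Unlike join, stats has no 50,000-row subsearch cap, so nothing is silently dropped on a busy day; the trade-off is that values(_raw) for every exception is carried through the aggregation, so if raw events are large, extract the fields you actually need before stats instead of keeping _raw.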