All Posts

And quite probably those copies have moved into frozen at totally different times, based on the situation on the individual indexer. Moving it is always initiated by the indexer, not the master.
Hi @johnansett. We had something similar after moving our on-prem Splunk to Splunk Cloud. Our on-prem indexed data needed to be searchable as it aged out. As a Splunk customer you should be able to request a zero-ingest license from Splunk Support. This is better than a free or trial license as it gives all the benefits of a standard license (except no data ingestion) and does not need renewing every 6 weeks like a trial license does. If you have a Splunk account manager then this is something you could discuss with them. Hope that helps.
provided you the query
Hey folks, been a while - I have a question I figured the community would be better placed to answer: we have a multisite cluster using SmartStore built in AWS. We are not going to new Splunk but need to be able to access the data for the next 7 years and thus want to age it out, but it may need to be searched from time to time. I understand we can convert to a Free license. However, does the architecture impact that (namely, that there is cluster replication)? Or is it possible to have a single standalone instance with Splunk Free to search as needed?
I think I got it now, thanks @bowesmana
@phanTom could you also check the OpenSSL version for the 9.3.0 UF?
Close, but there is no "unless" - Splunk will not keep track of your frozen buckets whatever you do. The last moment Splunk cares about your data is when it moves it to frozen. After that you're completely on your own. That's also why, if you want to get that data back into Splunk, you have to move the frozen buckets into the thawed directory and manually rebuild them. So yes, you need to have some way to manually rotate frozen data. Your script is one of the possible ways of handling that. Just be aware that 365 days from the move to frozen might not happen when you want it to, especially if you have some compliance-based requirements for data retention. It's probably better (but more troublesome) to base your retention script on the timestamps from the bucket directory name. And last but not least, if you have a cluster, each node manages its own buckets, so you might end up with several copies of the same bucket.
Right now, on a SOAR events/cases/playbooks menu page, a user can select a page size of 5, 10, 15, 25 or 50 which is the number of events, cases or playbooks to be displayed in a browser page. Is there a way to change that setting, for example, can SOAR display 100 events in one page? Thank you.
When I attempted to configure the input to use the service principal, I started to get the following error message:

```xml
<?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account. RequestId:3d827a38-b01e-003e-7d90-46bd5c000000 Time:2024-12-04T21:05:06.5396465Z</Message></Error>
```

Are there other items that I must reconfigure to get the service principal configured?
Hello, thank you for your answer, but it doesn't work.

Panel 1:

```xml
<row>
  <panel>
    <title>AWS Services Monitoring</title>
    <table>
      <search>
        <!--done> <set token="Services">$click.name$</set> </done-->
        <query>index="aws_vpc_corp-it_security-prd" sourcetype="aws:s3:csv" ShortConfigRuleName="*"
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| search Services!=Other
| lookup aws_security_all_account_ids account_id AS AccountId OUTPUT name
| table name AccountId Services ShortConfigRuleName ComplianceType OrderingTimestamp ResultRecordedTime
| dedup AccountId Services ShortConfigRuleName ComplianceType
| rename name as "AWS Account Name", "ComplianceType" as "Status", "OrderingTimestamp" as "Last Check", "ResultRecordedTime" as "Next Check"
| fillnull value="N/A"
| search $ResourceName$ $Services$ $Status$</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">row</option>
      <option name="refresh.display">progressbar</option>
      <option name="wrap">true</option>
      <format type="color" field="Status">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <drilldown>
        <condition match="$row.Services$ != &quot;s3-bucket&quot;">
          <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;S3_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
        </condition>
        <condition match="$row.Services$ != &quot;vpc&quot;">
          <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;VPC_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
        </condition>
        <condition match="$row.Services$ != &quot;ec2&quot;">
          <link target="_blank">/app/search/dev_vwt_dashboards_uc48_details?ShortConfigRuleName=$row.ShortConfigRuleName$&amp;AccountId=$row.AccountId$&amp;Services=$row.Services$&amp;EC2_details=true&amp;earliest=$earliest$&amp;latest=$latest$&amp;Status=$row.Status$</link>
        </condition>
      </drilldown>
    </table>
  </panel>
</row>
```

Panel 2:

```xml
<row>
  <panel depends="$S3_details$">
    <title>S3 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
    <table>
      <search>
        <query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
| search AccountId=$AccountId$
| search ComplianceType=$Status$
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
| rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
| appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" | search AccountId=$AccountId$ | table InstanceId InstanceName Platform State | dedup InstanceId InstanceName Platform State ]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="ComplianceType">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <format type="color" field="State">
        <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
      </format>
      <drilldown>
        <condition>
          <!-- Check that the filter matches exactly the selected service -->
          <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
          <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
          <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
        </condition>
      </drilldown>
    </table>
  </panel>
  <panel depends="$VPC_details$">
    <title>VPC DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
    <table>
      <search>
        <query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
| search AccountId=$AccountId$
| search ComplianceType=$Status$
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
| rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
| appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" | search AccountId=$AccountId$ | table InstanceId InstanceName Platform State | dedup InstanceId InstanceName Platform State ]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="ComplianceType">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <format type="color" field="State">
        <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
      </format>
      <drilldown>
        <condition>
          <!-- Check that the filter matches exactly the selected service -->
          <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
          <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
          <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
        </condition>
      </drilldown>
    </table>
  </panel>
  <panel depends="$EC2_details$">
    <title>EC2 DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
    <table>
      <search>
        <query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
| search AccountId=$AccountId$
| search ComplianceType=$Status$
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
| rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
| appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" | search AccountId=$AccountId$ | table InstanceId InstanceName Platform State | dedup InstanceId InstanceName Platform State ]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="ComplianceType">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <format type="color" field="State">
        <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
      </format>
      <drilldown>
        <condition>
          <!-- Check that the filter matches exactly the selected service -->
          <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
          <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
          <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
        </condition>
      </drilldown>
    </table>
  </panel>
  <panel depends="$SERVICES_details$">
    <title>SERVICES DETAILS : $row.Services$ $click.name2$ $click.value$ $click.value$ $click.value3$ $click.Services$</title>
    <table>
      <search>
        <query>index="aws_vpc_corp-it_security-prd"
| search ShortConfigRuleName=$ShortConfigRuleName$
| search AccountId=$AccountId$
| search ComplianceType=$Status$
| eval Services = case(
    match(ShortConfigRuleName, "s3-bucket"), "s3-bucket",
    match(ShortConfigRuleName, "iam-password"), "iam-password",
    match(ShortConfigRuleName, "iam-policy"), "iam-policy",
    match(ShortConfigRuleName, "iam-user"), "iam-user",
    match(ShortConfigRuleName, "guardduty"), "guardduty",
    match(ShortConfigRuleName, "ec2"), "ec2",
    match(ShortConfigRuleName, "vpc"), "vpc",
    match(ShortConfigRuleName, "ebs-snapshot"), "ebs-snapshot",
    match(ShortConfigRuleName, "rds-snapshots"), "rds-snapshots",
    match(ShortConfigRuleName, "cloudtrail"), "cloudtrail",
    match(ShortConfigRuleName, "subnet"), "subnet",
    match(ShortConfigRuleName, "lambda-function"), "lambda-function",
    1=1, "Other")
| where ResourceName!="N/A"
| table AccountId ResourceName Services ComplianceType
| rename ResourceName as "InstanceName"
| table AccountId Services ComplianceType
| dedup AccountId Services ComplianceType
| appendcols [ search index="aws_vpc_corp-it_security-prd" source="s3://vwt-s3-secuprod-*" | search AccountId=$AccountId$ | table InstanceId InstanceName Platform State | dedup InstanceId InstanceName Platform State ]
| table AccountId Services ComplianceType InstanceId InstanceName Platform State</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <option name="count">100</option>
      <option name="drilldown">cell</option>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="ComplianceType">
        <colorPalette type="map">{"NON_COMPLIANT":#D94E17}</colorPalette>
      </format>
      <format type="color" field="State">
        <colorPalette type="map">{"stopped":#D94E17,"running":#55C169}</colorPalette>
      </format>
      <drilldown>
        <condition>
          <!-- Check that the filter matches exactly the selected service -->
          <eval token="S3_details">if(match($click.value$, "s3-bucket"), "true", "false")</eval>
          <eval token="VPC_details">if(match($click.value$, "vpc"), "true", "false")</eval>
          <eval token="EC2_details">if(match($click.value$, "ec2"), "true", "false")</eval>
        </condition>
      </drilldown>
    </table>
  </panel>
</row>
```

But it doesn't work: when I select the vpc filter, I arrive at the S3_details view instead of VPC_details; when I select the s3-bucket filter, I go to VPC_details instead of S3_details; when I select the ec2 filter, I end up on S3_details instead of EC2_details.
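As an added example (not code from the original post), the following stand-alone Simple XML dashboard shows how drilldown conditions route a row click to exactly one detail panel: the conditions use equality matches, set the token for the clicked service, unset the tokens of the other panels, and a final condition without a match acts as the fallthrough. The sample rows come from `makeresults` (constructed, not real AWS Config data), and the token names `selected_service`, `S3_details`, `VPC_details` and `EC2_details` are assumed for illustration.

```xml
<dashboard>
  <label>Drilldown routing example (added example, not the original dashboard)</label>
  <row>
    <panel>
      <title>Services</title>
      <table>
        <search>
          <!-- Constructed sample rows standing in for the AWS Config results. -->
          <query>| makeresults count=3
| streamstats count as n
| eval Services=case(n=1, "s3-bucket", n=2, "vpc", n=3, "ec2")
| table Services</query>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- Conditions are evaluated in order and the first one whose match
               expression is true runs, so "==" selects exactly one branch. -->
          <condition match="$row.Services$ == &quot;s3-bucket&quot;">
            <set token="selected_service">$row.Services$</set>
            <set token="S3_details">true</set>
            <unset token="VPC_details"></unset>
            <unset token="EC2_details"></unset>
          </condition>
          <condition match="$row.Services$ == &quot;vpc&quot;">
            <set token="selected_service">$row.Services$</set>
            <set token="VPC_details">true</set>
            <unset token="S3_details"></unset>
            <unset token="EC2_details"></unset>
          </condition>
          <condition match="$row.Services$ == &quot;ec2&quot;">
            <set token="selected_service">$row.Services$</set>
            <set token="EC2_details">true</set>
            <unset token="S3_details"></unset>
            <unset token="VPC_details"></unset>
          </condition>
          <condition>
            <!-- Fallthrough for any other service: hide every detail panel. -->
            <unset token="selected_service"></unset>
            <unset token="S3_details"></unset>
            <unset token="VPC_details"></unset>
            <unset token="EC2_details"></unset>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- Each panel is shown only while its own token is set. -->
    <panel depends="$S3_details$">
      <title>S3 DETAILS : $selected_service$</title>
      <table>
        <search>
          <query>| makeresults | eval Services="$selected_service$" | table Services</query>
        </search>
      </table>
    </panel>
    <panel depends="$VPC_details$">
      <title>VPC DETAILS : $selected_service$</title>
      <table>
        <search>
          <query>| makeresults | eval Services="$selected_service$" | table Services</query>
        </search>
      </table>
    </panel>
    <panel depends="$EC2_details$">
      <title>EC2 DETAILS : $selected_service$</title>
      <table>
        <search>
          <query>| makeresults | eval Services="$selected_service$" | table Services</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Unsetting the sibling tokens on every click matters because a `depends` panel stays visible as long as its token holds any value; a `!=` condition, by contrast, is true for every row except one, so the first such condition fires for most clicks regardless of which service was selected.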
Answering my own question here - it needs to have dates to display results. In the end, I wrote the results to a summary index in a scheduled search using | collect index=test_summary addtime=true. 
Thank you @bowesmana. It's working perfectly after adding the <done> section shared by you in the response.
Thanks for the response @gcusello   I will try the HTML button and an external JS approach shared in the link.
In my experience XML dashboards won't let you do scrolling for a single viz. I just played around with Dashboard Studio and I can force a space between the lines, but it just squeezes the lines. There is no scrolling on the viz no matter the size of the panel. I don't believe the behavior you want is possible.
@isoutamo @PickleRick you mean that once logs transition to frozen storage, they are typically outside Splunk's control unless you have configured specific mechanisms to manage them. Can I handle frozen storage using automated deletion of old frozen data? Example: delete frozen data older than 1 year:

```bash
#!/bin/bash
# Path to the frozen storage directory
FROZEN_DIR="/data/splunk_frozen"
# Log file for the operation
LOGFILE="/var/log/splunk_frozen_cleanup.log"
# Retention period in days (365 days = 1 year)
RETENTION_DAYS=365

echo "$(date): Starting cleanup of frozen data in $FROZEN_DIR" >> "$LOGFILE"
# Match only bucket directories (db_*/rb_*) below the frozen root, never the
# root itself (-mindepth 1), and stop descending into a matched bucket (-prune)
# so find does not try to enter subdirectories that rm -rf has already removed.
find "$FROZEN_DIR" -mindepth 1 -type d \( -name 'db_*' -o -name 'rb_*' \) -prune \
     -mtime +"$RETENTION_DAYS" -print0 |
while IFS= read -r -d '' bucket; do
    rm -rf -- "$bucket"
    # $(date) is evaluated per deletion here, not once when the script starts
    echo "$(date): Deleted $bucket" >> "$LOGFILE"
done
echo "$(date): Cleanup complete" >> "$LOGFILE"
```
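The replies above make two points that a retention script has to handle: retention should be keyed on the timestamps in the bucket directory name rather than on when the indexer happened to freeze the bucket, and in a cluster each peer freezes its own copy, so the same bucket can land in the frozen area several times. The following is an added example, not code from any poster in this thread. It relies on Splunk's bucket naming convention (`db_<newest_event>_<oldest_event>_<bucket_id>`, with an origin-peer GUID appended in clusters and `rb_` for replicated copies); the function names and the sample directory listing are assumptions constructed for illustration.

```python
import re

# Splunk names each bucket directory after the event time range it holds
# (epoch seconds), so the name survives the move to frozen even though Splunk
# stops tracking the bucket:
#   db_<newest_event>_<oldest_event>_<bucket_id>[_<origin_peer_guid>]
# Replicated copies on other cluster peers carry an "rb_" prefix instead of "db_".
BUCKET_RE = re.compile(r"^(db|rb)_(\d+)_(\d+)_(\d+)(?:_([0-9A-Za-z-]+))?$")


def parse_bucket_name(name):
    """Return (prefix, newest, oldest, bucket_id, origin_guid) for a bucket
    directory name, or None for anything that is not a bucket."""
    m = BUCKET_RE.match(name)
    if m is None:
        return None
    prefix, newest, oldest, bucket_id, guid = m.groups()
    return prefix, int(newest), int(oldest), int(bucket_id), guid


def expired_buckets(names, now, retention_days):
    """Select bucket directories whose NEWEST event is older than the retention
    window. Keying on event time rather than directory mtime means a bucket is
    removed retention_days after its last event, not retention_days after
    whichever moment the indexer chose to freeze it."""
    cutoff = now - retention_days * 86400
    expired = []
    for name in names:
        parsed = parse_bucket_name(name)
        if parsed is None:
            continue  # not a bucket directory: never delete it
        _, newest, _, _, _ = parsed
        if newest < cutoff:
            expired.append(name)
    return expired


def duplicate_copies(names):
    """Group copies of the same bucket that several cluster peers froze
    independently (same id, time range and origin peer, any prefix)."""
    groups = {}
    for name in names:
        parsed = parse_bucket_name(name)
        if parsed is None:
            continue
        _, newest, oldest, bucket_id, guid = parsed
        groups.setdefault((newest, oldest, bucket_id, guid), []).append(name)
    return {key: copies for key, copies in groups.items() if len(copies) > 1}


# Constructed sample listing of a frozen directory (hypothetical names, not real data).
SAMPLE_NAMES = [
    "db_1660000000_1659000000_12_AAAA1111-2222-3333-4444-555566667777",  # origin copy
    "rb_1660000000_1659000000_12_AAAA1111-2222-3333-4444-555566667777",  # replica, other peer
    "db_1690000000_1689000000_13_AAAA1111-2222-3333-4444-555566667777",  # still young
    "db_1650000000_1640000000_7",                                          # standalone-era bucket
    "lost+found",                                                          # not a bucket
]

if __name__ == "__main__":
    import os
    import sys
    import time

    frozen_dir = sys.argv[1] if len(sys.argv) > 1 else None
    names = os.listdir(frozen_dir) if frozen_dir else SAMPLE_NAMES
    for name in expired_buckets(names, int(time.time()), 365):
        print("expired:", name)
    for key, copies in duplicate_copies(names).items():
        print("duplicate copies of bucket", key[2], "from peer", key[3], ":", copies)
```

Run it with a frozen directory as the argument to get a dry-run report for that directory; without an argument it reports on the constructed sample. Pairing the time-based selection with the duplicate grouping lets a cleanup job delete one copy and keep the other, or delete both, as a deliberate decision rather than an accident of which peer froze first.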
I'll just reply to myself here: the issue was that the hostname for some reason doesn't resolve properly in the inputs.conf file. It is supposed to automatically insert the actual hostname, but it doesn't. I created the file "$SPLUNK_HOME/etc/system/default/inputs.conf" (as it didn't exist yet) and entered the following lines (replace [HOSTNAME] with the name of your host system running Splunk):

```ini
[default]
host = [HOSTNAME]
```

This should override the default configuration in "$SPLUNK_HOME/etc/system/local/inputs.conf". Afterwards, everything worked correctly.
Hi, this conf19 presentation shows how to find all KOs via the REST API: https://github.com/paychex/Splunk.Conf19 r. Ismo
Hi All, I have a bar chart like this one. In some conditions it may have a lot of values that need to be reported, but, as you can imagine, it is not very readable. Is it possible to specify a minimum size for each bar and enable a scroll bar to see (clearly....) all events? Thanks.
My goal was to test the Splunk REST API. Since I just needed to create an endpoint to access it, I used the hostname directly. I don't need to use the web UI. Does this affect the Splunk configuration? I am not sure what the issue is here or why I would get an internal server error. Any hints appreciated!
Move the trigger condition from the alert to the search. IOW, put this on the end of the query: `| where count >= 250 AND count <= 500`