All Posts
Hello @Strangertinz  Have you checked this?  https://community.splunk.com/t5/Getting-Data-In/Why-is-Windows-event-log-message-data-being-truncated-and-only/td-p/231310 Do you have any other issue with your sourcetype? If this is not working, please work with Splunk support; they might ask you to generate a diag with DEBUG options to look for the TRUNCATE message.   If this Helps, Please UpVote.
In order to get the response in JSON you want to add ?output_mode=json at the end of your REST API call URL. Or you can add it as part of the payload.
@jbanAtSplunk Are you just seeing these errors in internal logs, or are you stuck with the upgrade (you cannot log in)? (That telemetry information issue should've been fixed in 9.3.) Definitely you should reach out to Splunk support to get this checked. If this Helps, Please Upvote.
Hi @abi2023 , It is not so clear to me if you want to apply color to the cells in the "user" column only if in a specific format and shape, so if you can clarify it would be nice. You can apply that to the table section in your XML code by adding the Format tag with type color. Under that, you specify the type of coloring logic, which can be dynamic, range, scale, etc... For example, for a rule that will color the cells of the User column light green whenever there is a value:
<format type="color" field="user">
  <colorPalette type="expression">if (isnotnull(value), "#00ff3c", "#f24949") </colorPalette>
</format>
Green will be valid values, red will be empty/null value cells. Is something like that what you're looking for? Full sample:
<dashboard version="1.1" theme="dark">
  <label>My Dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>MySearchString</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="user">
          <colorPalette type="expression">if (isnotnull(value), "#00ff3c", "#f24949") </colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
Hi,  I am dealing with an issue where I am ingesting some logs that contain a few regular lines followed by XML data, but I am only seeing 1 event show up properly with the regular lines and 2 other events get cut short after ingesting the first few lines (examples below).  So each event is meant to be structured like Event1; however they are cut, and when I check the actual log file everything is present.  I tried changing the limits.conf and including maxKBps to 0 but no luck.
[thruput]
maxKBps = 0
Any other ideas as to what could be causing the issue?
Event1:
2024-11-01 10:04:24,488 23 INFO Sample1 - Customer:11111 ApiKey:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx DateTime:2024-11-01 10:04:24 RequestBody: <?xml version="1.0" encoding="utf-16"?>........<closing tag>
Event2:
2024-11-01 10:04:26,488 23 INFO Sample1 - Customer:11111 ApiKey:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Event3:
2024-11-01 10:04:28,488 23 INFO Sample1 - Customer:11111 ApiKey:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
FYI: the Baboon REST API is not free but it isn't expensive. We have used it and it worked fine. As mentioned above, it is recommended to install and test it on a dev HF.
I have a Splunk table dashboard view. I need to highlight all values of the "user" field with green. All these field values are numbers and letters. How do I highlight all the values with green? When I select Color "values" I can only choose Automatic, but it gives random colors. How do I give only green?
@ITWhisperer  I couldn't paste the whole JSON so here is the sample.
There is no such thing as a "corresponding value" between different multivalued fields. In a case like yours you need to first parse out the whole array into a multivalued field of JSON strings, do mvexpand on that field and only then parse out single fields from those results.
The link worked for us with version 3.2 of the WSO2 API Manager.
"result":{"devices":[{"mac":"d8:43:ae:40:6a:c3","hostName":"DESKTOP-JDE9R7Q","medium":"ethernet","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:41:00.811Z","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":false,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.228","ipv6":["2600:6c55:7800:6c::107b","2600:6c55:7800:6c:403d:7bf4:2205:7e59","2600:6c55:7800:6c:90be:13dd:83dd:5ea3","fe80::eacd:8953:9d4f:94ab"],"steering":{},"name":"DESKTOP-JDE9R7Q","icon":"unknown","iconV2":"laptop-windows","category":"Laptop","osName":"Windows","health":{"status":"excellent","score":5,"details":null},"leafToRoot":[{"id":"f452465ee7ab","nickname":"f452465ee7ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed 
Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-03T21:10:06.244Z","capabilities":{"radio24":false,"radio50":false,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"windows","type":{"id":"windows","category":"Laptop","name":"Computer","icon":"unknown","iconV2":"laptop-windows","osName":"Windows","osVersion":"10.0","source":"rules","confidence":325},"category":"Laptop","name":"DESKTOP-JDE9R7Q","icon":"unknown","iconV2":"laptop-windows","osName":"Windows","osVersion":"10.0","source":"rules","confidence":325,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"approved"}},{"mac":"90:dd:5d:d5:a1:2e","keyId":1,"hostName":"Living-Room","medium":"wifi","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:41:49.071Z","vapType":"home","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":true,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.206","ipv6":["2600:6c55:7800:6c:28e2:7128:e736:a0d7","2600:6c55:7800:6c:359c:ccb9:5198:5c58","2600:6c55:7800:6c:84a9:7a98:bdc1:29a5","2600:6c55:7800:6c:91cb:1c60:d7c1:4320","fd00:f452:465e:e7ac:8a9:3740:fe01:893
0"],"channel":44,"freqBand":"5GL","steering":{},"name":"Living-Room","icon":"unknown","iconV2":"smartdevice-apple","brand":"Apple","health":{"score":5,"status":"excellent","details":null},"leafToRoot":[{"id":"SA91804F4A","nickname":"SA91804F4A","parentId":"f452465ee7ab","radio":"5GU","channel":157,"medium":"wifi"},{"id":"f452465ee7ab","nickname":"f452465ee7ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-03T22:44:22.704Z","capabilities":{"radio24":true,"radio50":true,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"apple","type":{"id":"apple","brand":"Apple","icon":"unknown","iconV2":"smartdevice-apple","source":"rules","confidence":100},"brand":"Apple","name":"Living-Room","icon":"unknown","iconV2":"smartdevice-apple","source":"rules","confidence":100,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"psk2","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"auto"}},{"mac":"48:27:e2:ec:1c:24",
"keyId":1,"hostName":"espressif","medium":"wifi","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:41:56.063Z","vapType":"home","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":false,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.70","ipv6":[],"channel":1,"freqBand":"2.4G","steering":{},"name":"Espressif","icon":"unknown","iconV2":"iotplatform-espressif","category":"IoT Platform","brand":"Espressif","health":{"score":5,"status":"excellent","details":null},"leafToRoot":[{"id":"f452465ee7ab","nickname":"f452465ee7ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-03T22:44:07.254Z","capabilities":{"radio24":true,"radio50":false,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"espressif-iotplatform","type":{"id":"espressif-iotplatform","category":"IoT Platform","brand":"Espressif","icon":"unknown","iconV2":"iotplatform-espressif","source":"rules","confidence":20},"category":"IoT 
Platform","brand":"Espressif","name":"Espressif","icon":"unknown","iconV2":"iotplatform-espressif","source":"rules","confidence":20,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"psk2","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"auto"}},{"mac":"c0:48:e6:a5:a5:7b","keyId":1,"hostName":"Samsung-33","medium":"wifi","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:42:00.362Z","vapType":"home","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":false,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.209","ipv6":["2600:6c55:7800:6c::145d","fe80::c248:e6ff:fea5:a57b"],"channel":6,"freqBand":"2.4G","steering":{},"name":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","brand":"Samsung","health":{"score":5,"status":"excellent","details":null},"leafToRoot":[{"id":"SA91804F4A","nickname":"SA91804F4A","parentId":"f452465ee7ab","radio":"5GU","channel":157,"medium":"wifi"},{"id":"f452465ee7ab","nickname":"f452465ee7ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed 
Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-04T05:46:20.274Z","capabilities":{"radio24":true,"radio50":false,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"samsung","type":{"id":"samsung","brand":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","source":"rules","confidence":100},"brand":"Samsung","name":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","source":"rules","confidence":100,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"psk2","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"auto"}},{"mac":"54:3a:d6:5a:4a:38","keyId":1,"hostName":"Samsung-29","medium":"wifi","connectionState":"connected","connectionStateChangeAt":"2024-10-29T04:46:53.982Z","vapType":"home","networkId":"default","favorite":false,"bandSteering":{"_version":"1.0.0","enable":true,"auto":true},"clientSteering":{"_version":"1.0.0","enable":true,"auto":true},"qos":{"prioritization":{"mode":"auto","realizedState":"ignore"}},"ip":"192.168.1.125","ipv6":["2600:6c55:7800:6c::18c6","fe80::563a:d6ff:fe5a:4a38"],"channel":157,"freqBand":"5G","steering":{},"name":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","brand":"Samsung","health":{"score":5,"status":"excellent","details":null},"leafToRoot":[{"id":"f452465ee7ab","nickname":"f452465ee7
ab"}],"alerts":[],"freeze":{"frozen":false,"suspended":{"id":"suspend","name":"Suspend","enable":false},"timeTemplates":[{"id":"untilMidnight","name":"Until End of Day","enable":false},{"id":"schoolNights","name":"School Nights","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[7,1,2,3,4]}]},{"id":"bedTime","name":"Bed Time","enable":false,"schedules":[{"times":[{"start":"20:00","end":"06:00"}],"daysOfWeek":[1,2,3,4,5,6,7]}]},{"id":"forever","name":"Indefinitely","enable":false}],"autoExpire":{"id":"autoExpire","enable":false,"expiresAt":null},"schedules":[],"forever":{"id":"forever","name":"Indefinitely","enable":false}},"locallyAdministeredShifty":false,"locallyAdministeredShiftyExpired":false,"locallyAdministeredMac":false,"accessZone":{"id":0,"type":"home","description":"Home","createdAt":"2024-10-30T16:48:50.189Z","_version":"1.0.0"},"firstConnectedAt":"2024-10-03T22:44:37.294Z","capabilities":{"radio24":true,"radio50":true,"radio60":false},"features":{},"isPartnerComponent":false,"kind":{"id":"samsung","type":{"id":"samsung","brand":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","source":"rules","confidence":100},"brand":"Samsung","name":"Samsung","icon":"unknown","iconV2":"smartdevice-samsung","source":"rules","confidence":100,"typeIdentified":false,"ohpCapable":false},"nickname":null,"plumeTypeIdentified":false,"customerTypeIdentified":false,"ohp":{"capable":false},"wpaMode":"psk2","accessZoneType":"home","quarantine":{"enable":false,"anomalyBlacklist":[],"anomalyWhitelist":[]},"groupOfUnassignedDevices":true,"networkAccess":{"mode":"auto"}}
2024-11-01 12:25:49,065 +0000 ERROR startup:116 - Unable to read in product version information; isSessionKeyDefined=False error=__init__() got an unexpected keyword argument 'context'
2024-11-01 12:25:49,066 +0000 INFO startup:148 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True productType=splunk instanceType=UNKNOWN
2024-11-01 12:25:49,066 +0000 INFO decorators:130 - loading uri: /en-US/
2024-11-01 12:25:49,068 +0000 INFO error:342 - GET /en-US/ 127.0.0.1 8065
2024-11-01 12:25:49,068 +0000 INFO error:345 - 500 Internal Server Error The server encountered an unexpected condition which prevented it from fulfilling the request.
2024-11-01 12:25:49,068 +0000 ERROR error:346 - Traceback (most recent call last):
  File "/opt/splunk/lib/python3.9/site-packages/cherrypy/_cprequest.py", line 628, in respond
    self._do_respond(path_info)
  File "/opt/splunk/lib/python3.9/site-packages/cherrypy/_cprequest.py", line 687, in _do_respond
    response.body = self.handler()
  File "/opt/splunk/lib/python3.9/site-packages/cherrypy/lib/encoding.py", line 219, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/htmlinjectiontoolfactory.py", line 78, in wrapper
    resp = handler(*args, **kwargs)
  File "/opt/splunk/lib/python3.9/site-packages/cherrypy/_cpdispatch.py", line 54, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "</opt/splunk/lib/python3.9/site-packages/decorator.py:decorator-gen-1740>", line 2, in index
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 52, in rundecs
    return fn(*a, **kw)
  File "</opt/splunk/lib/python3.9/site-packages/decorator.py:decorator-gen-1738>", line 2, in index
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 134, in check
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.9/site-packages/decorator.py:decorator-gen-1737>", line 2, in index
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 185, in validate_ip
    return fn(self, *a, **kw)
  File "</opt/splunk/lib/python3.9/site-packages/decorator.py:decorator-gen-1736>", line 2, in index
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 264, in preform_sso_check
    update_session_user(sessionKey, remote_user)
  File "/opt/splunk/lib/python3.9/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 207, in update_session_user
    en = splunk.entity.getEntity('authentication/users', user, sessionKey=sessionKey)
  File "/opt/splunk/lib/python3.9/site-packages/splunk/entity.py", line 276, in getEntity
    serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
  File "/opt/splunk/lib/python3.9/site-packages/splunk/rest/__init__.py", line 573, in simpleRequest
    h = httplib2.Http(timeout=timeout, proxy_info=None, context=ctx)
TypeError: __init__() got an unexpected keyword argument 'context'
Hello team, I've developed a custom command script that works perfectly when executed through the CLI, but it fails to run in the Splunk Web UI. I suspect this may be due to permissions or configuration issues, as both environments might not be using the same settings.
Details
Environment: Splunk Enterprise 9.2.2
Script: A custom Python script located in the bin directory of my app. The script runs successfully when executed via the CLI, but in the UI, it either returns errors or no results.
Troubleshooting Steps Taken
Verified that the script is in the correct bin directory with appropriate execution permissions.
Checked commands.conf, authorization.conf, app.conf files for any configuration inconsistencies.
Ensured that roles in the UI environment have the necessary permissions.
Could this issue be related to role-based restrictions or specific configurations in the UI? Any insights on additional configuration checks or steps to align CLI and UI permissions would be greatly appreciated. Thank you in advance!
Hi @mackey , this solution is if you don't have Enterprise Security. If you have ES, you can add your IOC list to the threat intelligence lookups. Ciao. Giuseppe
You can also check out two nice commands - xyseries and untable which can be used to (de)tabularize such data series.
Ok, the only thing we know for sure is that for this particular event the timestamp has not been extracted from the event itself. There can be several reasons for it:
1) Props for this sourcetype, source or host specify assuming ingestion time, not the event time
2) Timestamp format for extraction is wrongly defined and doesn't match the event
3) The event is ingested with a method bypassing timestamp extraction (HEC /event endpoint)
4) Timestamp has been extracted but was out of limits so Splunk assumed the timestamp from the previous event (but that's relatively unlikely; you'd probably either see many events with the same timestamp or mostly well-extracted time and single exceptions). This can be connected with 2).
5) You have another timestamp within your event which Splunk extracts time from (but I suppose you'd notice that).
Usually the most probable causes are 2, 1 and 3 (in order of frequency).
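Causes 2 and 4 in the answer above are easy to tell apart offline if you run the candidate TIME_PREFIX and TIME_FORMAT over a few sample lines before touching props.conf. The Python below is an added example, not code from this thread or from Splunk: it approximates Splunk's timestamp processing (match the prefix, parse within MAX_TIMESTAMP_LOOKAHEAD characters, then compare against MAX_DAYS_AGO / MAX_DAYS_HENCE) and labels each constructed event with the cause that would apply. The props values, the sample events and the fixed "now" are assumptions; 2000 and 2 are Splunk's documented defaults for the two day limits.

```python
import re
from datetime import datetime, timedelta

# Assumed props.conf-style settings for one sourcetype (constructed, not from the thread).
TIME_PREFIX = r"^ts="
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"
MAX_TIMESTAMP_LOOKAHEAD = 128
MAX_DAYS_AGO = 2000    # Splunk default
MAX_DAYS_HENCE = 2     # Splunk default

# Fixed "ingestion time" so the range checks below are deterministic.
NOW = datetime(2024, 11, 2, 12, 0, 0)

# Constructed sample events, one per situation the answer lists.
SAMPLE_EVENTS = [
    "ts=2024-11-01 10:04:24,488 level=INFO msg=ok",
    "ts=01/11/2024 10:04:24 level=INFO msg=wrong layout",          # cause 2: format mismatch
    "ts=2015-03-01 08:00:00,000 level=INFO msg=replayed old log",  # cause 4: older than MAX_DAYS_AGO
    "ts=2030-01-01 00:00:00,000 level=INFO msg=clock skew",        # cause 4: beyond MAX_DAYS_HENCE
    "level=INFO msg=no timestamp prefix at all",                   # cause 2: prefix never matches
]


def parse_with_format(candidate, fmt):
    """strptime needs the whole string to match, so try the longest prefix that parses."""
    for end in range(len(candidate), 0, -1):
        try:
            return datetime.strptime(candidate[:end], fmt)
        except ValueError:
            continue
    return None


def diagnose_timestamp(event, now=NOW):
    """Return (verdict, parsed datetime or None) for one event."""
    m = re.search(TIME_PREFIX, event)
    if not m:
        return ("no_prefix_match", None)          # Splunk falls back to other timestamp logic
    candidate = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = parse_with_format(candidate, TIME_FORMAT)
    if ts is None:
        return ("format_mismatch", None)
    if ts < now - timedelta(days=MAX_DAYS_AGO) or ts > now + timedelta(days=MAX_DAYS_HENCE):
        return ("out_of_range", ts)               # parsed, but rejected by the day limits
    return ("ok", ts)


def diagnose_all(events, now=NOW):
    """Verdict per event, in input order."""
    return [diagnose_timestamp(e, now)[0] for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, diagnose_all(SAMPLE_EVENTS)):
        print(f"{verdict:16} {event}")
```

Run it against a handful of lines from the real file with the sourcetype's actual TIME_PREFIX and TIME_FORMAT; a run of format_mismatch verdicts points at cause 2, isolated out_of_range verdicts at cause 4.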
Hi @mackey  Is your Org using Enterprise Security of Splunk?
Hi @tbessie , as also @sainag_splunk said, maybe there's a timestamp extraction error. Could you share some sample of your events and the props.conf related to the sourcetype of these events? Ciao. Giuseppe
Hi @mwolfe , don't use sum but count:
index=web uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version
| eval success=if(status=200,1,0)
| eval failure=if(status=400,1,0)
| stats count(eval(failure=1)) AS fail_count count(eval(success=1)) AS success_count BY app
| eval success_rate=round((success_count / (success_count + fail_count))*100,1)
| table app success_rate
otherwise, you could insert the eval in the stats:
index=web uri_path="/somepath" status="200" OR status="400"
| rex field=useragent "^(?<app_name>[^/]+)/(?<app_version>[^;]+)?\((?<app_platform>[^;]+); *"
| eval app=app_platform+" "+app_name+" "+app_version
| stats count(eval(status=400)) AS fail_count count(eval(status=200)) AS success_count BY app
| eval success_rate=round((success_count / (success_count + fail_count))*100,1)
| table app success_rate
Ciao. Giuseppe
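To see what the searches above compute, and why the counting has to be conditional, here is an added Python example that is not from the thread or from Splunk. It runs the same user-agent regex over constructed access-log events, applies the base search filter, and computes the per-app success rate the way count(eval(...)) does. It also shows the pitfall of count() on a 0/1 flag: in stats, count(field) counts every event where the field is non-null, and a flag that is 0 or 1 is non-null on every event, so fail_count would equal the event total and every app would read 50%. The events and app names are constructed.

```python
import re
from collections import defaultdict

# Constructed access-log events (dicts standing in for Splunk events); the fields
# uri_path, status and useragent are the ones the searches above rely on.
SAMPLE_EVENTS = [
    {"uri_path": "/somepath", "status": "200", "useragent": "MyApp/3.1.0 (Android; 13)"},
    {"uri_path": "/somepath", "status": "200", "useragent": "MyApp/3.1.0 (Android; 13)"},
    {"uri_path": "/somepath", "status": "400", "useragent": "MyApp/3.1.0 (Android; 13)"},
    {"uri_path": "/somepath", "status": "200", "useragent": "MyApp/2.9.4 (iOS; 17.1)"},
    {"uri_path": "/somepath", "status": "400", "useragent": "MyApp/2.9.4 (iOS; 17.1)"},
    {"uri_path": "/somepath", "status": "400", "useragent": "MyApp/2.9.4 (iOS; 17.1)"},
    {"uri_path": "/somepath", "status": "400", "useragent": "MyApp/2.9.4 (iOS; 17.1)"},
    {"uri_path": "/other", "status": "200", "useragent": "MyApp/3.1.0 (Android; 13)"},     # wrong path
    {"uri_path": "/somepath", "status": "503", "useragent": "MyApp/3.1.0 (Android; 13)"},  # status not 200/400
    {"uri_path": "/somepath", "status": "200", "useragent": "curl/8.4.0"},                 # rex does not match
]

# The rex pattern from the answer, in Python's named-group syntax. app_version is
# greedy up to the "(" and therefore captures a trailing space, which is stripped below.
UA_RE = re.compile(r"^(?P<app_name>[^/]+)/(?P<app_version>[^;]+)?\((?P<app_platform>[^;]+); *")


def app_label(useragent):
    """eval app=app_platform+" "+app_name+" "+app_version; None when the rex does not match."""
    m = UA_RE.match(useragent)
    if not m:
        return None
    parts = [m["app_platform"], m["app_name"], (m["app_version"] or "").strip()]
    return " ".join(p for p in parts if p)


def selected(events):
    """The base search: uri_path="/somepath" status="200" OR status="400"."""
    return [e for e in events if e["uri_path"] == "/somepath" and e["status"] in ("200", "400")]


def success_rate_by_app(events):
    """stats count(eval(status=400)) AS fail_count count(eval(status=200)) AS success_count BY app,
    followed by the success_rate eval."""
    counts = defaultdict(lambda: {"success_count": 0, "fail_count": 0})
    for e in selected(events):
        app = app_label(e["useragent"])
        if app is None:
            continue  # stats BY app drops events whose group-by field is null
        key = "success_count" if e["status"] == "200" else "fail_count"
        counts[app][key] += 1
    result = {}
    for app, c in counts.items():
        total = c["success_count"] + c["fail_count"]
        result[app] = dict(c, success_rate=round(c["success_count"] / total * 100, 1))
    return result


def nonnull_count_pitfall(events):
    """What stats count(failure) / count(success) give when both are 0/1 flags: count()
    counts non-null values, so both counters advance on every event and the rate is wrong."""
    counts = defaultdict(lambda: {"success_count": 0, "fail_count": 0})
    for e in selected(events):
        app = app_label(e["useragent"])
        if app is None:
            continue
        counts[app]["success_count"] += 1  # success flag is present (0 or 1) on every event
        counts[app]["fail_count"] += 1     # so is the failure flag
    return {app: round(c["success_count"] / (c["success_count"] + c["fail_count"]) * 100, 1)
            for app, c in counts.items()}


if __name__ == "__main__":
    for app, row in success_rate_by_app(SAMPLE_EVENTS).items():
        print(app, row)
    print("count(flag) pitfall:", nonnull_count_pitfall(SAMPLE_EVENTS))
```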
Hi @mackey , if you have these IOCs in a lookup table you can run a very simple search: if your lookup is called my_ioc.csv and the ip list is in a column called ip, you could run:
index=* [ | inputlookup my_ioc.csv | rename ip AS query | fields query ]
In this way you execute a search for all the ips listed in your lookup in full text search on all your events. If instead you want to search these ips in pre-defined fields, you only have to change the field name in the subsearch, e.g. if you want to search in the src field, you could run:
index=* [ | inputlookup my_ioc.csv | rename ip AS src | fields src ]
Ciao. Giuseppe
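The two subsearches above differ in where the indicator may appear: the first (rename ip AS query) matches the IP as a search term anywhere in the event, the second (rename ip AS src) requires an exact value in one extracted field. The Python below is an added example, not code from the thread or from Splunk, that reproduces both behaviours over a constructed lookup and constructed firewall events, and adds a naive substring matcher to show the false positive (198.51.100.7 inside 198.51.100.77) that term-based matching avoids. The CSV contents, events and the tokenizer are assumptions; the tokenizer is only a rough stand-in for Splunk's own segmentation.

```python
import csv
import io
import re

# Constructed IOC lookup in the shape of the my_ioc.csv from the answer above.
IOC_CSV = """ip,note
203.0.113.42,constructed sample indicator
198.51.100.7,constructed sample indicator
"""

# Constructed events: _raw text plus the src/dest fields a firewall sourcetype would extract.
SAMPLE_EVENTS = [
    {"_raw": "2024-11-01T10:00:00Z action=allowed src=10.0.0.5 dest=203.0.113.42 dest_port=443",
     "src": "10.0.0.5", "dest": "203.0.113.42"},
    {"_raw": "2024-11-01T10:00:05Z action=blocked src=198.51.100.7 dest=10.0.0.8 dest_port=22",
     "src": "198.51.100.7", "dest": "10.0.0.8"},
    {"_raw": "2024-11-01T10:00:09Z action=allowed src=198.51.100.77 dest=10.0.0.8 dest_port=80",
     "src": "198.51.100.77", "dest": "10.0.0.8"},   # looks like an IOC as a substring, is not one
    {"_raw": "2024-11-01T10:00:12Z action=allowed src=10.0.0.11 dest=10.0.0.12 dest_port=53",
     "src": "10.0.0.11", "dest": "10.0.0.12"},
]

# Rough stand-in for Splunk segmentation: split on whitespace and common major breakers,
# but keep dots and colons inside a token so an IP address stays one searchable term.
TOKEN_RE = re.compile(r"[^\s,;=\"'()\[\]{}<>|]+")


def load_ioc_ips(csv_text, column="ip"):
    """The subsearch side: | inputlookup my_ioc.csv | fields ip, as a set of strings."""
    return {row[column].strip() for row in csv.DictReader(io.StringIO(csv_text)) if row.get(column)}


def fulltext_hits(events, iocs):
    """index=* [ ... | rename ip AS query ]: a whole-term match anywhere in _raw."""
    return [e for e in events if set(TOKEN_RE.findall(e["_raw"])) & iocs]


def field_hits(events, iocs, field):
    """index=* [ ... | rename ip AS src ]: an exact match on one extracted field."""
    return [e for e in events if e.get(field) in iocs]


def substring_hits(events, iocs):
    """Naive substring matching, shown only to illustrate the false positive on
    198.51.100.77 that term-based search does not produce."""
    return [e for e in events if any(ioc in e["_raw"] for ioc in iocs)]


if __name__ == "__main__":
    iocs = load_ioc_ips(IOC_CSV)
    print("full-text hits:", [e["_raw"] for e in fulltext_hits(SAMPLE_EVENTS, iocs)])
    print("src-only hits: ", [e["src"] for e in field_hits(SAMPLE_EVENTS, iocs, "src")])
    print("substring hits:", len(substring_hits(SAMPLE_EVENTS, iocs)))
```

Searching a specific field is the better default for detection content: it tells you the direction of the connection (inbound source versus outbound destination) and keeps the match from firing on an IP that merely appears in a URL, a comment or a log message body.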