All Posts


Hi There, I have an issue: the Drill-down and Next Steps are not readable in Incident Review. I created a Splunk lab for research and development by myself. I just installed Splunk Enterprise and Enterprise Security (no other external apps) and I ingest DVWA logs into my Splunk. As you know, DVWA has various vulnerabilities, and I want to use this as a log source that I then manage in Splunk. Therefore, I made a rule regarding uploading inappropriate files. The query is like this:

index=lab_web sourcetype="apache:access"
| rex field=_raw "\[(?<Time>[^\]]+)\] \"(?<Method>\w+) (?<Path>/DVWA/vulnerabilities/upload/[^/]+\.\w+) HTTP/1.1\" (?<Status>\d{3}) \d+ \"(?<Referer>[^\"]+)\" \"(?<UserAgent>[^\"]+)\""
| eval FileName = mvindex(split(Path, "/"), -1)
| eval FullPath = "http://localhost" . Path
| where match(FileName, "\.(?!jpeg$|png$)[a-zA-Z0-9]+$")
| table Time, FileName, FullPath, Status

In that correlation search, I added a notable that is filled in from the drill-down and also the Next Steps. But why, when I open Incident Review, are the drill-down and Next Steps that I created not readable? Maybe there is an application that I haven't installed, or something else? I will attach my full correlation search settings, including the notable, drill-down, and Next Steps.

Splunk Enterprise Version: 9.3.1
Enterprise Security Version: 7.3.2
Yes, the HEC input stanza will honor all routing fields (_TCP_ROUTING/_SYSLOG_ROUTING/_INDEX_AND_FORWARD_ROUTING), and also other fields as per inputs.conf.spec. outputgroup internally maps to the _TCP_ROUTING value. But _TCP_ROUTING is a multi-value field, so you can set multiple output groups.
"In addition, I don't want to overwrite the hostnames.csv file." You have no choice about this. A CSV file is just a file. You can append new rows to a file, which your use case does not call for, or you can rewrite the file.
I'm here, still no idea for this issue.
In the past I've used outputgroup = <string> in the inputs.conf [http] stanzas. It sounds like the versions mentioned (and newer versions) now support _TCP_ROUTING, _meta, and a few other settings, is that correct? It is nice to have the product match its spec file documentation. Thanks
I'm trying to format timestamps in a table in Dashboard Studio. The original times are values such as: 2024-10-29T10:13:35.16763423-04:00. That is the value I see if I don't add a specific format. If I add a format to the column, "YYYY-MM-DD HH:mm:ss.SSS Z", it is formatted as: 2024-10-29 10:13:35.000 -04:00. Why are the millisecond values zero? Here is the section of the source code for reference:

"visualizations": {
    "viz_mfPU11Bg": {
        "type": "splunk.table",
        "dataSources": {
            "primary": "ds_xfeyRsjD"
        },
        "options": {
            "count": 8,
            "columnFormat": {
                "Start": {
                    "data": "> table | seriesByName(\"Start\") | formatByType(StartColumnFormatEditorConfig)"
                }
            }
        },
        "context": {
            "StartColumnFormatEditorConfig": {
                "time": {
                    "format": "YYYY-MM-DD HH:mm:ss.SSS Z"
                }
            }
        }
    }
},

Any ideas what I'm doing wrong? Thanks, Andrew
Thank you. That's what I thought too. However, 30 05 8-14 * 2 is a valid cron expression and Splunk should consider fixing this.
Now it matches what the document says:

# GENERAL SETTINGS:
# The following settings are valid for all input types (except file system
# change monitor, which is described in a separate section in this file).
These two sections of inputs.conf (whatever is applicable for monitor/splunktcpin/tcpin etc.):

############################################################################
# GENERAL SETTINGS:
# The following settings are valid for all input types (except file system
# change monitor, which is described in a separate section in this file).
# You must first enter a stanza header in square brackets, specifying the input
# type. See later in this file for examples. Then, use any of the
# following settings.
#
# To specify global settings for Windows Event Log inputs, place them in
# the [WinEventLog] global stanza as well as the [default] stanza.
############################################################################

############################################################################
# This section contains options for routing data using inputs.conf rather than
# outputs.conf.
#
# NOTE: Concerning routing via inputs.conf:
# This is a simplified set of routing options you can use as data comes in.
# For more flexible options or details on configuring required or optional
# settings, see outputs.conf.spec.
############################################################################
The Stream app can save pcaps using the Configure Packet Stream feature. I was able to get packets saved using just IPs. Now I want to search for content based on some Snort rules. For ASCII content I am trying to create a new target using the field content/contains by just putting in an ASCII word. For hex values, there are no instructions. Do I use escape characters (\x01\x02....), |01 02 ...|, or a regular expression? Is there an example?
1. 9.0.5 is a fairly old version. Unless there are any severe known bugs, it's recommended to use the latest version available for the platform in question.
2. What do you mean by "stops"? Does the process exist but stop sending data, or is the process killed? Did you check the logs (both the UF's logs as well as the general system logs)?
3. I'm assuming the server wasn't restarted lately, right?
https://docs.splunk.com/Documentation/Splunk/9.3.1/Updating/Upgradepre-9.2deploymentservers
1. What do you mean by "capture dataset"?
2. If you just do stats by _time without binning _time first, you'll get a lot of results which will be incomparable with anything.
You explicitly search for earliest=-30d so you're getting results from last 30 days.
So if I understand that correctly, all the typical config items applicable to inputs are now available at separate HEC tokens level, right?
I'll take a look, and thank you!
@dataisbeautiful You should be able to control this by adding this line:

display.visualizations.charting.chart = line

to the following .conf file(s):

Global: $SPLUNK_HOME/etc/system/local/ui-prefs.conf
Per User: $SPLUNK_HOME/etc/users/<username>/system/local/ui-prefs.conf

For more information see: https://docs.splunk.com/Documentation/Splunk/9.3.1/admin/Ui-prefsconf
When creating an incident for a specific server, we want to include a link to that entity in IT Essentials Work; however, the URL appears to only be accessible using the entity_key. Is there any simple way to get the URL directly to an entity from the hostname, or is it required to get the entity_key from the kvstore itsi_entities and then combine that into the URL? In Splunk App for Infrastructure, you could simply use the host name in the URL, but I cannot find any way to do this with ITEW.

Example URL: https://<stack>.splunkcloud.com/en-US/app/itsi/entity_detail?entity_key=82570f87-9544-47c8-bc6g-e030c522barb

Looking to see if there's a way to do something like this: https://<stack>.splunkcloud.com/en-US/app/itsi/entity_detail?host=<hostname>
Thanks, @hrawat. What tags are available? Where can we find out more information about this feature?
Try setting DATETIME_CONFIG = in props.conf to disable the automatic timestamp extractor.