I recommend coding your modular input. You can use the page number as a checkpoint, then index a page and increment or decrement the checkpoint. Set an interval so that your input gets a page every X seconds, then have a condition to stop when the checkpoint gets to the end.
I haven't upgraded UF in a while, and I'm having some trouble figuring out how I should proceed with bringing it up to date. I see that the current version has changed the user from splunk to splunkfwd. I also see that updating an existing UF keeps the user as splunk (this seems to work, but not always). This will mean that new installations will use a different username than updated UFs. This is a problem for me because I use scripts to make the permission changes to give splunk access to the appropriate log files. I'm not finding a lot of guidance on how to keep this sane. How have other organizations dealt with this? I'm tempted to uninstall UF and do a fresh install on every system. That will force me to manage Splunk servers differently than other Linux servers, but that has to be less complicated than trying to keep track of which systems use splunk and which use splunkfwd.
You can download several versions directly from Splunkbase. But if the data "is not sending" it means that it's actually not being ingested because otherwise, unless you're explicitly filtering it, it should be forwarded to your downstream receivers. So check your config, check your logs, check your metrics. There are no miracles - something must be wrong.
Can you clarify what you meant by "join" will get me nowhere? Based on several discussions, it is apparent that you treat data in Splunk like it is in a SQL database. join is one of the commands that is included in SPL for good reasons but often used outside of those reasons. It is true that left join can give you a similar effect to append. However, by using the join command in this manner, you misguide yourself into thinking that Splunk is actually performing a useful join when there is nothing to "join". This thinking is quite obvious in the initial searches you illustrated. The sooner you get out of the habit of using the join command, the easier Splunk will become for you. (Join in NoSQL should generally be avoided because of cost penalties; left join in NoSQL is even more expensive. Although that is a lesser consideration in learning to program in SPL.)
There is no error message; the data is just not sending from my HF. Will you please share all of the versions possible with Splunk Enterprise 9.x, or, if you can, share where I can download it?
Did you ever figure out how to get it working? I'm having a similar issue.
Disregard.  I had put the setting in the [default] stanza, moved it to the [email] stanza, now the warning has resolved.
Add it outside the fieldset grouping.
Hi @Strangertinz. Let me know the version of DB Connect you have installed and the version of Splunk you're using. Additionally, could you please provide more details about the error you're encountering when sending the data?
The issue still persists in Splunk Enterprise. I don't know why Splunk didn't fix the issue yet. However, the answer is still valid.
I just upgraded to 9.3.1 and was also getting that warning. I set a value for allowedDomainList in system/local/alert_actions.conf, restarted the daemon, but I still get the message. Just wanted to post in case others experience the same behavior.
Hello @akulg. If I understand your requirement correctly, you're looking to correlate Carbon Black data, which will be indexed in Splunk, with the watchlist (threat feeds). If there's a match, an incident should be created, and you're looking for a way to implement this functionality within Enterprise Security. Yes, there is a framework in ES known as Threat Intelligence which will help you enhance your security monitoring by integrating threat intelligence into your deployment, allowing you to correlate indicators of suspicious activity and known or potential threats with your events. This addition provides valuable context for your analysts' investigations. Splunk Enterprise Security supports various types of threat intelligence, enabling you to incorporate your own as well. Please refer to the doc below for more information: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_intelligence/Using_threat_intelligence_in_Splunk_Enterprise_Security Let me know if you have any further questions!
Hi @Kaja.Mohiuddeen, Thanks for asking your question on the community. Did you happen to find a solution you can share here? If you did not and still need help with this question, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM) 
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmQCAS

Risk Calculation Weights

Characteristic              Factor
Evasive                     3
Excessive Bandwidth Use     1
Used by Malware             4
Capable of File Transfer    3
Known Vulnerabilities       3
Tunnels Other Apps          2
Prone to Misuse             2
Pervasive                   1
Total                       19

Risk Assignment

Risk    Range
1       0–3
2       4–6
3       7–9
4       10–13
5       14+

Your example log actually shows which of the risk factors were part of the calculation:

internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing

I believe you would be better served by correlating with DNS records sourced from the original machine, and/or investigating how to have Palo Alto resolve the URL inside the session log. You might actually have that already in the "threat" log entries.
Hi @venkatesh.radhakrishnan, Thank you for asking your question on the community. Did you happen to find a solution you can share? If you are still looking for help, you can contact support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM) 
Hi All, I am having issues with the DB Connect version that I downloaded; it is having issues with sending data.
It was just a versioning issue. I had to install the latest DB Connect app and that solved my issue. However, I am facing the issue again as I tried to go back to an older version of Splunk DB Connect, and I am facing the same issue while on Splunk 9.3.1.
Try the limit option to the chart command.

index = "xyz" |rex field=group "<Instance>(?<instance>[^<]+)</Instance>" |rex field=group "<SESSIONS>(?<sessions>\d+)</SESSIONS>" | chart limit=20 values(sessions) BY _time, instance

or

index = "xyz" |rex field=group "<Instance>(?<instance>[^<]+)</Instance>" |rex field=group "<SESSIONS>(?<sessions>\d+)</SESSIONS>" | chart limit=0 values(sessions) BY _time, instance
Hi, I am kind of stuck and need help. I am creating a chart in the Splunk dashboard, and for the y axis I have nearly 20 values which are to be shown as legends. After a certain number of values they are grouped as "other", which I don't want; I need to display them as separate ones. I am also ready to turn off the legend. The query used is:

index = "xyz" |rex field=group "<Instance>(?<instance>[^<]+)</Instance>" |rex field=group "<SESSIONS>(?<sessions>\d+)</SESSIONS>" | chart values(sessions) BY _time, instance

May I know which option in chart will not collapse the values of the y axis?