All Posts

Add it outside the fieldset grouping.
Hi @Strangertinz, let me know the version of DB Connect you have installed and the version of Splunk you're using. Additionally, could you please provide more details about the error you're encountering when sending the data?
Issue still persists in Splunk Enterprise. I don't know why Splunk didn't fix the issue yet. However, the answer is still valid.
I just upgraded to 9.3.1 and was also getting that warning. I set a value for allowedDomainList in system/local/alert_actions.conf, restarted the daemon, but I still get the message. Just wanted to post in case others experience the same behavior.
Hello @akulg, if I understand your requirement correctly, you're looking to correlate Carbon Black data, which will be indexed in Splunk, with the watchlist (threat feeds). If there's a match, an incident should be created, and you are looking for a way to implement this functionality within Enterprise Security. Yes, there is a framework in ES known as Threat Intelligence which will help you enhance your security monitoring by integrating threat intelligence into your deployment, allowing you to correlate indicators of suspicious activity and known or potential threats with your events. This addition provides valuable context for your analysts' investigations. Splunk Enterprise Security supports various types of threat intelligence, enabling you to incorporate your own as well. Please refer to the doc below for more information. https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_intelligence/Using_threat_intelligence_in_Splunk_Enterprise_Security Let me know if you have any further questions!
Hi @Kaja.Mohiuddeen, thanks for asking your question on the community. Did you happen to find a solution you can share here? If you did not and still need help with this question, you can contact AppDynamics Support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM)
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmQCAS

Risk Calculation Weights
Characteristic              Factor
Evasive                     3
Excessive Bandwidth Use     1
Used by Malware             4
Capable of File Transfer    3
Known Vulnerabilities       3
Tunnels Other Apps          2
Prone to Misuse             2
Pervasive                   1
Total                       19

Risk Assignment
Risk    Range
1       0–3
2       4–6
3       7–9
4       10–13
5       14+

Your example log actually shows which of the risk factors were part of the calculation.

internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing

I believe you would be better served by correlating with DNS records sourced from the original machine, and/or investigating how to have Palo Alto resolve the URL inside the session log. You might actually have that already in the "threat" log entries.
Hi @venkatesh.radhakrishnan, thank you for asking your question on the community. Did you happen to find a solution you can share? If you are still looking for help, you can contact support: How to contact AppDynamics Support and manage existing cases with Cisco Support Case Manager (SCM)
Hi All, I am having issues with the DB Connect version that I downloaded: it is having issues with sending data.
It was just a versioning issue. Had to install the latest DB Connect app and that solved my issue. However, I am facing the issue again as I tried to go back to an older version of Splunk DB Connect and am facing the same issue while on Splunk 9.3.1.
Try the limit option of the chart command.

index = "xyz" |rex field=group "<Instance>(?<instance>[^<]+)</Instance>" |rex field=group "<SESSIONS>(?<sessions>\d+)</SESSIONS>" | chart limit=20 values(sessions) BY _time, instance

or

index = "xyz" |rex field=group "<Instance>(?<instance>[^<]+)</Instance>" |rex field=group "<SESSIONS>(?<sessions>\d+)</SESSIONS>" | chart limit=0 values(sessions) BY _time, instance
Hi, I am kinda stuck and need help. I am creating a chart in the Splunk dashboard and for the y axis I have nearly 20 values which are to be shown as legends. After a certain number of values they are grouped as "other", which I don't want; I need to display them as separate ones. I am also ready to turn off the legend. The query used is

index = "xyz" |rex field=group "<Instance>(?<instance>[^<]+)</Instance>" |rex field=group "<SESSIONS>(?<sessions>\d+)</SESSIONS>" | chart values(sessions) BY _time, instance

May I know which option in the chart will not collapse the values of the y axis?
Thank you for your reply. I extracted data from Palo Alto using the Splunk Add-on for Palo Alto Networks. Here is an example.

Oct 28 13:46:12 192.168.248.2 1 2024-10-28T13:46:12+09:00 PA-VM - - - - 1,2024/10/28 13:46:09,007254000360102,TRAFFIC,start,2818,2024/10/28 13:46:09,192.168.252.100,13.107.5.93,192.168.252.2,13.107.5.93,dmz-to-internet,,,web-browsing,vsys1,DMZ,INTERNET,ethernet1/2,ethernet1/1,SecurityCheck,2024/10/28 13:46:12,497655,1,54084,443,35405,443,0x1400000,tcp,allow,5636,1220,4416,11,2024/10/28 13:46:10,0,computer-and-internet-info,,7423264892787200760,0x0,192.168.0.0-192.168.255.255,United States,,6,5,n/a,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A,0,0,0,0,c2a50b1f-ea25-41ce-9c7c-709bde6deec4,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-10-28T13:46:12.041+09:00,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no,0,NonProxyTraffic,,0,0,0

About the second comment: the risk value is shown in the log. In the above example, the risk value is 4 (the value can be 1 ~ 5). It seems to be determined by Palo Alto (Palo Alto Add-on). However, I wonder whether truly high-risk communication can be extracted from the logs, and what action is the cause of the risky communication (by correlation search). For now, I want to make a correlation search from the Palo Alto log and the Windows event log.
Hi, if I add init I am getting the below error. Still, in the background, without submitting via the "submit" button, it runs the query of the env and fetches the result.
Persistent queue support for monitor inputs will be very useful once it's available.
Real-time searches see events before they are indexed.
I am a grad student and I recently took a quiz on Splunk. There was a true/false question. Q: Splunk Alerts can be created to monitor machine data in real-time, alerting of an event as soon as it is logged by the host. I marked it as false because it should be "as soon as the event gets indexed by Splunk" instead of "as soon as the event gets logged by the host". I have raised a question because I was not awarded marks for this question. But the counter was "Per-result triggering helps to achieve this". But isn't it basic that Splunk can only read the indexed data? Can anyone please verify if I'm correct? Thanks in advance.
https://community.splunk.com/t5/Getting-Data-In/Missing-per-thruput-metrics-on-9-3-x-Universal-forwarders/m-p/702914/highlight/true#M116255