All Posts

Hello Tejas, thanks for your answer. I have set up Splunk with the keys provided by our Docusign admin. It looks like he doesn't know how to generate them. I had already reviewed the documentation. From my point of view as a Splunk admin, it is not clear what has to be done on the application side. Thanks, Lionel
Let me add a line of thought I tried and failed to resolve. Looking at the deployed Splunk host files, I saw that the number I am trying to modify is being displayed from a variable called `scanCount`. Also, in the search_results_info file (info.csv) of the job I saw a field called `scan_count` that was set to 0 throughout the entire search process (which strengthened my suspicions that this is related). I tried to edit the file mid-run but encountered issues, and it didn't affect the UI when I succeeded. I also attempted to update it in a more generic way (instead of a one-time bypass), through the code of the application: `self.search_results_info["scan_count"] = 100000`. But this results in an exception: `'ObjectView' object does not support item assignment`. That means it's a read-only variable that can't be modified from the code. I was wondering if there's a different way to update it through non-direct access. Thanks!
I think the easiest way to verify whether that field is indexed (there might be some additional index-time extraction, apart from the simple indexed-extraction configuration for the whole event; yes, I know it's confusing ;-)) is to try to search for `index=your_windows_index EventID::4624`. The important thing is that you're not looking for `EventID=4624` but for `EventID::4624`. If you get any results, that will mean that this field is indeed indexed and you have to search for where it's extracted at index time.
First of all, thanks for replying @livehybrid. I saw in the documentation that the default value of run_in_preview is true. I tried explicitly adding it to commands.conf both as true and false (separate tests), and it doesn't affect my experience. Two questions regarding that, since I don't completely understand the preview mode:
1. What did you expect it to change? The 0 number to increase in correlation with the fetched results? Or would I have been able to somehow set the "total" count?
2. Could you please expand on what exactly the preview mode is? I can't find any difference in the behavior when running with the false setting.
Other than that, if you have any other suggestions on how I can resolve the original issue, I would highly appreciate some more thoughts and things to try. Thanks!
Hi @malix_la_harpe, many thanks for this comprehensive answer. I've been testing the query and it gives promising results; however, I have one issue and I hope you will be able to help me. In the results table there shouldn't be an example2 row with a FAILURE result, as this is the beginning of a login process that is successfully completed in the example3 row. In other words, the row example2 should be removed from the table. I've tried to adjust the query but unfortunately wasn't able to, and I hope you will be able to help me. I hope I explained the problem clearly; if not, please let me know.
Hi @ND1, there is a tutorial at https://help.splunk.com/en/splunk-soar/soar-cloud/develop-apps/build-playbooks/use-the-playbook-editor-to-create-and-view-playbooks-to-automate-analyst-workflows/add-custom-code-to-your-splunk-soar-cloud-playbook-with-a-custom-function which might be useful for you as a starting guide. There is also a sample function here: https://gist.github.com/gf13579/e7cd4132c7c61c5cabec4ce953f5a455 and a bunch of custom function examples at https://github.com/phantomcyber/playbooks/tree/7.0/custom_functions which might also help! Good luck. Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Can you tell me where to check if I have indexed extractions enabled? I don't know if this is relevant, but I do have the EventID field normal. So the EventCode may be `4624 4624` but the EventID is just 4624. And like I mentioned in the comments below, this only happens to my "XmlWinEventLog:Security" and "XmlWinEventLog:DNS Server" logs; it does not affect other XmlWinEventLog logs like Application and System. Which, from my perspective, is really strange!
Hi @alorw, I believe the number of events displayed in this scenario is driven from the "preview". Have you got `run_in_preview = true` in your commands.conf? Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
I tried removing inputs.conf from the TA because I only wanted it for the props/transforms on my search head cluster.  Still got the error.  How?
Hello family, does anyone know of or have sources that explain how to use or build custom functions in Splunk SOAR?
Thanks for the update. Can you please guide us on how to install AppDynamics NPM from the official (trusted) source to avoid these malicious dependent packages?
Are you sure you don't have indexed extractions enabled, by any chance? Since automatic KV extractions happen after manual extractions, the EventID field should not be populated when you're hitting the transforms, so the first transform (EventID_as_EventCode) should _not_ set the field to any value.
Were you able to find a fix for this?   I'd really hate to have to modify all Detections again after prepping for ES8.
Hey, I have implemented a GeneratingCommand Splunk application that fetches data from an API and yields the results chunk after chunk. I am encountering an issue where the event count on the top left seems funky: it shows `50000 of 0 events matched`, and after the next chunk is fetched `100000 of 0 events matched`, and so on. I would like to know if and how it's possible to update the `0` counter from within my application. I know the total amount of scanned events from the very first reply I get from the API, but even if it's not possible to set it to any desired number, I would at least expect it to be possible to "match" the left side, which is increased on every yield... Thanks in advance, Alon
Thanks for your help @livehybrid. I've added Groq as the default provider, but another issue still occurs. Revised prompt: `index=_internal log_level IN ("ERROR","WARNING", "WARN") | table _time _raw | ai prompt="please explain these error message to me: {_raw}" provider="Groq" model="llama3-70b-8192"` Error message: `RunDispatch has failed: sid=[sid], exit=-1, error=Error in 'ai' command: The provider: '"Groq"' is invalid. Please check the configuration`
Thanks, @livehybrid - wasn't even aware of that param. I'll give that a shot and reply here with results the next time I promote a new version.
Thanks for replying! The issue was forwarded to Splunk Support by me. I was told that since the Search Head is standalone, the option point_in_time is not needed. The update was done successfully and, luckily, the backup did not need to be used.
Hi @chenfan, that string starting dc736 is *not* your token. This is the token ID. It's not possible to retrieve the token once created, so copy it somewhere safe. If using this type of token then you will need to use "Bearer" as you were doing before. Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, or commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
As far as I remember, the license consumption for Cloud in the ingest-based option is the same as the on-prem one, which means the event is measured by its _raw part just prior to indexing. This means that:
1) However you modify your event prior to indexing in terms of the raw event contents (like cutting out some headers or unnecessary trailing parts) will affect your license usage.
2) Indexed fields, which are saved in the tsidx files but are not "exploding" your _raw event contents, do not affect your license usage.
Having said that, indexed extractions are very rarely the way to go, but not for license-related reasons.
Can you describe your situation in more detail, and did you find any solution? Because I don't think we are using any kind of summary index; we got this duplicate EventCode in the regular index. And strangely enough, this only happens to our "XmlWinEventLog:Security" log; others like "XmlWinEventLog:Application" or "XmlWinEventLog:DNS Server" got their EventCode normal, as single values!