All Posts

@Iñigo you can already make dynamic list options in the prompts but you need to use custom code and bear in mind it "breaks" the VPE control of the prompt block. You can use any of the API options to grab the dynamic fields you want to use, then you just need to build the choices variable in response_types and the prompt will show them. The issue you will have though is then how to handle the response if they are truly dynamic, i.e. how would you know what they could choose to then handle the response. It can be done but needs to also be considered.

    # responses
    response_types = [
        {
            "prompt": "",
            "options": {
                "type": "list",
                "choices": [
                    "a",
                    "b"
                ],
            },
        }
    ]
Change the time period of your search to include both time periods, e.g.

    (earliest=<start of first period> latest=<end of first period>) OR (earliest=<start of second period> latest=<end of second period>)

Then evaluate which period the event falls into:

    eval period=if(_time < <end of first period>, "first", "second")

Then add period to your by clause.
Hi, I followed the tutorial below to set up the machine-agent but no luck. Please help to figure out the issue.

Tutorial: https://www.youtube.com/watch?v=nMowG41jaTU

Command: jre/bin/java -jar machineagent.jar

    2024-09-19 08:34:32.916 Using Java Version [11.0.23] for Agent
    2024-09-19 08:34:32.916 Using Agent Version [Machine Agent v24.7.0.4315 GA compatible with 4.4.1.0 Build Date 2024-07-18 05:41:53]
    2024-09-19 08:34:34.380 [INFO] Agent logging directory set to: [/root/machine-agent/logs]

Error:

    [system-thread-0] 19 Sep 2024 08:40:35,271  WARN RegistrationTask - Encountered error during registration. Will retry in 60 seconds.
    abc.com==> [system-thread-0] 19 Sep 2024 08:40:35,271 ERROR RegistrationTask - Encountered error during registration: {}
    com.appdynamics.voltron.rest.client.NonRestException: Method: SimMachinesAgentService#registerMachine(SimMachineMinimalDto) - Result: 401 Unauthorized - content: <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Unauthorized</title>
    </head>
    <body>
    HTTP Error 401 Unauthorized
    <p/>
    This request requires HTTP authentication
    </body>
    </html>
        at com.appdynamics.voltron.rest.client.VoltronErrorDecoder.decode(VoltronErrorDecoder.java:62) ~[rest-client-1.1.0.324.jar:?]
        at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:156) ~[feign-core-10.7.4.jar:?]
        at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:80) ~[feign-core-10.7.4.jar:?]
        at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:100) ~[feign-core-10.7.4.jar:?]
        at com.sun.proxy.$Proxy116.registerMachine(Unknown Source) ~[?:?]
        at com.appdynamics.agent.sim.registration.RegistrationTask.run(RegistrationTask.java:170) [machineagent.jar:Machine Agent v24.7.0.4315 GA compatible with 4.4.1.0 Build Date 2024-07-18 05:41:53]
        at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
        at java.util.concurrent.FutureTask.runAndReset(Unknown Source) [?:?]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
        at java.lang.Thread.run(Unknown Source) [?:?]
Oh, since it triggered for you once but then didn't trigger again, that might be explained by the alert condition never being cleared. This could be even more likely in a test environment with little traffic. The alerts won't fire again until the previous alert condition has been cleared. There is a setting in the alert to automatically clear after X amount of time if that signal isn't reported. You might want to try that setting. Or try generating successful traffic with no errors over the period of time you're detecting on (e.g., past 15 mins).
Hi all, I am trying to compare the PERC90 response times of an application before and after a software release for the 50 most used actions. Here's the query:

    index=myindex source=mysource
    | rex field=_raw "^(?:[^;\n]*;){4}\s+(?P<utc_tsl_tranid>\w+:\w+)"
    | rex field=_raw "^.+\/(?P<ui_locend>\w+\.[a-z_-]+\.\w+\.\w+)"
    | dedup utc_tsl_tranid
    | stats sum(DURATION) as weight by ui_locend
    | sort - weight
    | head 50

Is there a way I can compare 2 time periods (for example: first start 2024-08-10 end 2024-08-15, second start 2024-08-20 end 2024-08-25)? Field ui_locend has to match and I would like to compare PERC(90) of DURATION, which can be calculated with the stats command. It's a tricky one, will appreciate every idea.
We are trying to ingest a STIX file into Threat Intelligence Management. The STIX parses, but does not find anything of interest in the file. The _internal index has the message 'status="No observables or indicators found in file"'. The STIX file has the format below (which from what I can tell is a valid format, containing indicators):

    {
      "more": false,
      "objects": [
        {
          "confidence": "70",
          "created": "2023-09-08T00:02:39.000Z",
          "description": "xxxxxxxxx",
          "id": "xxxxxxx",
          "modified": "2023-09-08T00:02:39.000Z",
          "name": "xxxxxxx",
          "pattern": "[ipv4-addr:value = '101.38.159.17']",
          "spec_version": "2.1",
          "type": "indicator",
          "valid_from": "2023-09-08T00:02:39.000Z",
          "valid_until": "2025-11-07T00:02:39.000Z"
        },
        ......

Has anyone had any success with STIX files and been able to share the basic format of what worked for them? Or does anyone have anything else to suggest? Many thanks, Simon

Splunk Enterprise Security
I see the same issue with trying to delete a duplicate and it never goes away
Hi, I've seen many recent changes on SOAR 6.3 regarding prompts, but I still don't see a way to define the allowed choices list as a parameter while creating a prompt block from the GUI. Many times the options that are available to the user are dynamic, so hard-coding the choices list isn't practical for the user, is prone to getting out of date and forces playbook redeployments. The only way I see so far is by using code blocks or by adding custom code to the prompt blocks (and losing the GUI handling in the process). Is there any way I'm missing to get the question choices from a datapath or a custom list?
Splunk has good write-ups on this at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS and https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/AboutsecuringyourSplunkconfigurationwithSSL  
Splunk is _not_ an active monitoring solution. That's what you use - for example - rancid or some commercial tools for. But if you get logs from such tool (or have audit logs from your appliances telling you that change happened), you can search from that data. But it will depend on what data you have.
I am new to Splunk administration, and I need a query that captures changes to the configuration of switches, firewalls, routers etc. in my environment.
|rex "\[KOREASBC1\]\s(?<field_name>[^;]+)"  
So I've got a list containing multiple strings; depending on these strings I want to run 1 or more actions using a filter. When I use the 'in' filter to check if a certain string is in the list, the matching condition is not met.

Example input = ['block_ioc', 'reset_password']

Filter block:

I can successfully use the 'in' condition in a decision block, just not a filter block.

Any ideas?
Thank you. Maybe that could be used as a workaround. I guess I have to do the extraction change/enhancement myself then.
    | eval id=random()
    | sort 0 id
    | streamstats count as id
    | eval group=((id - 1)%5) + 1
    | stats list("Display Name") as "Display Name" by group
Thank you, the second option works for what I need.
This doesn't trigger the alert either. My original alert (with traces.count) was triggered once during my tests, when I had 3 traces with errors in a short time period, but then it wasn't triggered anymore. Is there maybe a better way to create an alert for such single events in Splunk? I think the "static threshold" should rather be used for continuous metrics like CPU usage. But I didn't find any other option so far.
I've looked at similar searches online and have come up with this:

    | table "Display Name"
    | eval "group" = (random() % 2) +1
    | stats list("Display Name") as "Display Name" by "group"

This is returning random names in two groups:

    group  Display Name
    1      joe blogs 5
           joe blogs 2
           joe blogs 6
    2      joe blogs 7
           joe blogs 8
           joe blogs 12

Any ideas how I can set the number returning for each group? Maybe using the limit function???
Ref Doc - Splunk Add-on for GCP Docs: Currently, the Cloud Storage Bucket input doesn't support pre-processing of data, such as untar/unzip/ungzip/etc. The data must be pre-processed and ready for ingestion in a UTF-8 parseable format.
If your values are in a multi-value field, you can do something like this:

    | eval choice=mvindex(displayName, random()%200)

If the names are in separate events, you could do something like this:

    | eval id=random()%500
    | sort 0 id
    | head 5