Checking history in answers and Dell/EMC websites this has been an issue for a few years, no obvious solutions were ever provided.
Hello to everyone! My question looks very dummy, but I really can't understand how I can resolve it. So, what we are having, step by step:
1. Some network device sends an event via UDP directly to an indexer
2. The indexer receives the message, according to a Wireshark capture
3. Then I try to find this event on a search head, and I see nothing
4. Somehow I generate another event on the network device
5. Then I expect to see two events in the search, but I see only the previous one
This behavior is a little bit random but easy to reproduce with network devices that send events infrequently. Additionally, I can easily detect the wrong behavior because of the significant difference between _time and _indextime of those events.
A couple of words about indexer settings; props.conf on the indexer looks like this, nothing special:

[cat_syslog]
DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = true
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = false
TIME_PREFIX = ^<\d{1,3}>\d+:\s+.*:\s+\d+:\s+

Overall, what I can assume:
1. According to my props.conf, the indexer expects to find the default ([\r\n]+) to apply the line-breaking rule and create a single event
2. But for some reason it fails
3. From this moment, the indexer waits until the next event
4. And, I don't know why, but ([\r\n]+) appears in the next message
So, the question is: how to NOT wait until the next event in this situation? I also understand that I can't change the line-breaking rule because of the very infrequent events. And also, there are no special characters at the end of events, because they look like this:

<172>153702: 172.21.0.13: 153696: Sep 13 16:30:50.797 RTZ: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.28.20.80:1812,1813 is being marked alive.
<174>153700: 172.21.0.13: 153694: Sep 13 16:30:30.714 RTZ: %RADIUS-6-SERVERALIVE: Group AAA_RADIUS: Radius server 172.21.20.80:1812,1813 is responding again (previously dead).
<173>153695: 172.21.0.13: 153689: Sep 13 16:25:05.626 RTZ: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to up
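A simplified model of the buffering this post describes, added here as an illustration and not Splunk's own code: a stream breaker can only release an event once its breaker regex matches after it, so a message with no trailing newline is released when the next datagram arrives (the _time versus _indextime gap the post uses to spot the problem), while per-datagram framing releases it at once. The datagrams, arrival times and breaker regexes are constructed assumptions.

```python
import re

# Constructed sample datagrams modelled on the events quoted in the post: no trailing newline.
DATAGRAMS = [
    "<172>153702: 172.21.0.13: 153696: Sep 13 16:30:50.797 RTZ: %RADIUS-4-RADIUS_ALIVE: "
    "RADIUS server 172.28.20.80:1812,1813 is being marked alive.",
    "<174>153700: 172.21.0.13: 153694: Sep 13 16:30:30.714 RTZ: %RADIUS-6-SERVERALIVE: "
    "Group AAA_RADIUS: Radius server 172.21.20.80:1812,1813 is responding again (previously dead).",
    "<173>153695: 172.21.0.13: 153689: Sep 13 16:25:05.626 RTZ: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface FastEthernet0/9, changed state to up",
]
ARRIVALS = [0, 600, 1800]  # constructed arrival times in seconds: an infrequent sender
TIME_PREFIX = re.compile(r"^<\d{1,3}>\d+:\s+.*:\s+\d+:\s+")  # the post's props.conf value


class StreamBreaker:
    """Simplified model of stream line breaking (not Splunk's code): data is appended to one
    buffer and an event is released only when the breaker regex matches *after* it, so a
    message with no trailing newline waits for whatever arrives next."""

    def __init__(self, breaker):
        self.breaker = re.compile(breaker)
        self.buf = ""

    def feed(self, data):
        self.buf += data
        parts = self.breaker.split(self.buf)
        self.buf = parts.pop()  # no breaker after the last fragment yet: keep it buffered
        return [p for p in parts if p]


def feed_per_datagram(data):
    """Alternative framing: each UDP datagram is one complete event and is released at once."""
    return [data.strip("\r\n")] if data.strip("\r\n") else []


def simulate(feed, datagrams=DATAGRAMS, arrivals=ARRIVALS):
    """Return [(event, released_at)]; released_at stands in for _indextime, the arrival time
    of the datagram whose processing finally released the event."""
    released = []
    for data, t in zip(datagrams, arrivals):
        released.extend((ev, t) for ev in feed(data))
    return released


def worst_index_delay(feed):
    """Largest gap between an event's own arrival and its release (the _time/_indextime gap)."""
    arrival = {d.strip("\r\n"): t for d, t in zip(DATAGRAMS, ARRIVALS)}
    return max((t - arrival[ev] for ev, t in simulate(feed) if ev in arrival), default=0)


if __name__ == "__main__":
    pri_breaker = StreamBreaker(r"[\r\n]*(?=<\d{1,3}>)")  # break only where the next PRI starts
    for ev, t in simulate(pri_breaker.feed):
        print(t, bool(TIME_PREFIX.match(ev)), ev[:40])
```

With the newline-only breaker and no newlines on the wire, nothing is ever released; with a PRI-lookahead breaker each event is released one datagram late, and the last one stays buffered.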
Hi - I have a quick props question. I need to write a props for a particular sourcetype, and the messages always start with the following before the timestamp starts: ukdc2-pc-sfn122.test.local - OR ukdc2-pc-sfn121.test.local - When writing the TIME_PREFIX, can a regex be written to account for this? Is it just a basic one? If so, can someone provide this? Thanks
Checking in other Answers, it doesn't appear that "extracted_eventtype" is specific to DUO logs or app extractions. This leads me to believe this is automagically generated at search time via Splunk default behavior.
Thank you! Unfortunately

| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*.*#HLE#"
| rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*(?P<STEP>[^,]+),\s*.*#HLE#"
| rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*(?P<PKEY>.*?),\s*.*#HLE#"
| rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*(?P<STATE>[^,]+),\s*.*#HLE#"
| rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*(?P<MSG0>.*?),\s*.*#HLE#"
| rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*.*?,\s*EXCID:\s*(?P<EXCID>[a-zA-Z_]+),\s*.*#HLE#"
| rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*.*?,\s*EXCID:\s*[a-zA-Z_]+,\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"

did not help much.
Hi @BRFZ, every dashboard in Splunk is a search; you can Open in Search the panel (using the button with the same name) and see how it's written to modify it. In a few words, this:

index=_internal [`set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by h fixedrange=false
| join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
    | eval _time=_time - 43200
    | bin _time span=1d
    | dedup _time stack
    | stats sum(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Ciao. Giuseppe
Copy and paste, in a formatted or code window, the exact command you are using. The web browser accepts some special characters that something like wget cannot interpret.
| tstats count where index=* index!=_* by host

This will only give you a count of events; there is no insight into the size of storage requirements. You can add sourcetype and/or source after the host field if you need more detailed information. It all depends upon what your specific goals are.
Hi, I am trying to list the steps to interface Splunk with ServiceNow and to create an incident in ServiceNow from a Splunk alert. Is it mandatory to use the Splunk add-on "Splunk Add-on for ServiceNow | Splunkbase"? And what are the steps after? Thanks
In my case it is about:

@PickleRick wrote: In case of a downed indexer(s) Splunk is warning you that it might not have all the data it should have. And it makes sense because the missing indexers could have had buckets which have not been replicated yet or might have been replicated but are not searchable.

I want my search to not store the data in a lookup when Splunk raises this warning. And here I'm stuck.
correct
Hello @gcusello, is this not achievable via a search, please? Best regards,
Is what you expected to get what you got from your non-tstats search?
Here's what I get from my previous query, and what I expect to get:

Environment         Convicted   Not Convicted
browser             8           12
win10               79          250
win10-x64-2-beta    0           117
win10-x64-browser   12          6
win7-x64            2           832

Here's what I get from the query you provided, I hope it helps:

Secure_Malware_Analytics_Dataset.analysis_behaviors_title   Count   Percent              Total
Executable Imported the IsDebuggerPresent Symbol            835     14.421416234887737   5790
PE Contains TLS Callback Entries                            690     11.917098445595855   5790
Executable with Encrypted Sections                          622     10.7426597582038     5790
Executable Artifact Imports Tool Help Functions             428     7.392055267702936    5790
PE Checksum is Invalid                                      403     6.960276338514681    5790
Artifact With Multiple Extensions Detected                  364     6.286701208981002    5790
Executable Signed With Digital Certificate                  277     4.784110535405873    5790
Process Modified File in a User Directory                   250     4.317789291882556    5790
Executable Signing Date Invalid                             220     3.7996545768566494   5790
Possible Registry Persistence Mechanism Detected            140     2.4179620034542313   5790
PE DOS Header Initial SP Value is Abnormal                  138     2.383419689119171    5790
Static Analysis Flagged Artifact As Anomalous               86      1.4853195164075994   5790
Windows Crash Tool Execution Detected                       85      1.468048359240069    5790
Artifact Flagged Malicious by Antivirus Service             81      1.3989637305699483   5790
A Crash Dump File Was Created                               77      1.3298791018998273   5790
Thank you, @ITWhisperer. It's working as expected.
I don't know what this means, please can you show what you are getting and what you expected to get?
Hi all, is it possible to pass parameters to the action [[action|sendtophantom]] in the field "Next Steps"? For example, pass it the severity or SOAR instance? Thanks
Good try, but it skipped the list of the titles I have in my input query; I have a correct output of counts, but without titles.
Now it works... Last question: how to change the rangemap of the colors? Is it in the XML or is it automatic?
Hi @BRFZ, you can use the License Usage Report [Settings > Licensing > Usage Report > Previous 30 days > Split by Host] and customize it, or the Monitoring Console app, which gives the same results. The only limit is the retention time of your _internal data. Ciao. Giuseppe