Yes, so the results that are coming back are the latest events from the ptasks marked red, I'd want to omit all events related to these so the latest events from the green task are populated in my results
Do you want to filter out some events based on the results that are produced by our shared search? It would be great if you could clarify the expected outcome. Furthermore, please provide some sample data.
Hi all. I am running into an issue with the Azure AD Graph asset in SOAR. I had an app created in Azure app registrations with the correct permissions based on the documentation. I configured the asset in SOAR with the corresponding tenant, app, and secret information. The redirect URI was entered into the Azure app registration page with /result per the instructions. When I test connectivity, the test will time out after about a minute. I may have missed something in the documentation, but the configuration all seems correct. Has anyone else run into this?
For feature enhancement requests you should visit https://ideas.splunk.com/ and if there is no existing idea matching with your request/idea you should raise a new idea.
The "query" (or in Splunk terminology - search) you're looking for will depend on what data you have indexed in your Splunk.
@prasireddy Sorry, I was on vacation the last two weeks. Are you still facing the issue?
It's the query to search those logs that I am looking for.  
@Iñigo you can already make dynamic list options in the prompts, but you need to use custom code and bear in mind it "breaks" the VPE control of the prompt block. You can use any of the API options to grab the dynamic fields you want to use; then you just need to build the choices variable in response_types and the prompt will show them. The issue you will have though is then how to handle the response if they are truly dynamic, i.e. how would you know what they could choose to then handle the response. It can be done but needs to also be considered.

# responses
response_types = [
    {
        "prompt": "",
        "options": {
            "type": "list",
            "choices": [
                "a",
                "b"
            ],
        },
    }
]
Change the time period of your search to include both time periods, e.g. (earliest=<start of first period> latest=<end of first period>) OR (earliest=<start of second period> latest=<end of second period>). Then evaluate which period the event falls into: eval period=if(_time < <end of first period>, "first", "second"). Then add period to your by clause.
Hi, I followed the tutorial below to set up the machine agent but had no luck. Please help me figure out the issue.

Tutorial: https://www.youtube.com/watch?v=nMowG41jaTU

Command: jre/bin/java -jar machineagent.jar

2024-09-19 08:34:32.916 Using Java Version [11.0.23] for Agent
2024-09-19 08:34:32.916 Using Agent Version [Machine Agent v24.7.0.4315 GA compatible with 4.4.1.0 Build Date 2024-07-18 05:41:53]
2024-09-19 08:34:34.380 [INFO] Agent logging directory set to: [/root/machine-agent/logs]

Error:

[system-thread-0] 19 Sep 2024 08:40:35,271 WARN RegistrationTask - Encountered error during registration. Will retry in 60 seconds.
abc.com==> [system-thread-0] 19 Sep 2024 08:40:35,271 ERROR RegistrationTask - Encountered error during registration: {}
com.appdynamics.voltron.rest.client.NonRestException: Method: SimMachinesAgentService#registerMachine(SimMachineMinimalDto) - Result: 401 Unauthorized - content: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Unauthorized</title> </head> <body> HTTP Error 401 Unauthorized <p/> This request requires HTTP authentication </body> </html>
at com.appdynamics.voltron.rest.client.VoltronErrorDecoder.decode(VoltronErrorDecoder.java:62) ~[rest-client-1.1.0.324.jar:?]
at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:156) ~[feign-core-10.7.4.jar:?]
at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:80) ~[feign-core-10.7.4.jar:?]
at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:100) ~[feign-core-10.7.4.jar:?]
at com.sun.proxy.$Proxy116.registerMachine(Unknown Source) ~[?:?]
at com.appdynamics.agent.sim.registration.RegistrationTask.run(RegistrationTask.java:170) [machineagent.jar:Machine Agent v24.7.0.4315 GA compatible with 4.4.1.0 Build Date 2024-07-18 05:41:53]
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
at java.util.concurrent.FutureTask.runAndReset(Unknown Source) [?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source) [?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Oh, since it triggered for you once but then didn't trigger again, that might be explained by the alert condition never being cleared. This could be even more likely in a test environment with little traffic. The alerts won't fire again until the previous alert condition has been cleared. There is a setting in the alert to automatically clear after X amount of time if that signal isn't reported. You might want to try that setting. Or try generating successful traffic with no errors over the period of time you're detecting on (e.g., past 15 mins).
Hi all, I am trying to compare the PERC90 response times of an application before and after a software release for the 50 most used actions. Here's the query:

index=myindex source=mysource
| rex field=_raw "^(?:[^;\n]*;){4}\s+(?P<utc_tsl_tranid>\w+:\w+)"
| rex field=_raw "^.+\/(?P<ui_locend>\w+\.[a-z_-]+\.\w+\.\w+)"
| dedup utc_tsl_tranid
| stats sum(DURATION) as weight by ui_locend
| sort - weight
| head 50

Is there a way I can compare 2 time periods (for example: first start 2024-08-10 end 2024-08-15, second start 2024-08-20 end 2024-08-25)? Field ui_locend has to match and I would like to compare PERC(90) of DURATION, which can be calculated with the stats command. It's a tricky one; I will appreciate every idea.
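The reply earlier on this page describes the approach for this question: widen the search to both windows, assign each event a period with eval, then add period to the by clause. As an added example (not code from the thread or from Splunk), the same pipeline in Python over constructed events, so the dedup, period bucketing and p90 comparison can be checked offline. The two rex patterns are the ones from the question; the rest of the event layout, the DURATION=<ms> field and the nearest-rank percentile are assumptions.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the thread). Assumed layout: four ';'-separated
# fields, the transaction id, a path whose last segment is the dotted ui_locend name,
# and a DURATION=<ms> field. The first two lines share a tranid to exercise dedup;
# the 2024-08-18 line falls outside both windows and must be dropped.
SAMPLE_EVENTS = [
    "2024-08-11T10:00:00Z;host1;app;INFO; TX1:a1 /ui/com.myapp.orders.view DURATION=120",
    "2024-08-11T10:00:00Z;host1;app;INFO; TX1:a1 /ui/com.myapp.orders.view DURATION=120",
    "2024-08-12T11:00:00Z;host1;app;INFO; TX1:a2 /ui/com.myapp.orders.view DURATION=200",
    "2024-08-13T11:00:00Z;host2;app;INFO; TX1:a3 /ui/com.myapp.orders.view DURATION=300",
    "2024-08-14T11:00:00Z;host2;app;INFO; TX1:a4 /ui/com.myapp.cart.checkout DURATION=500",
    "2024-08-18T11:00:00Z;host2;app;INFO; TX1:a5 /ui/com.myapp.cart.checkout DURATION=999",
    "2024-08-21T11:00:00Z;host1;app;INFO; TX2:b1 /ui/com.myapp.orders.view DURATION=150",
    "2024-08-22T11:00:00Z;host1;app;INFO; TX2:b2 /ui/com.myapp.orders.view DURATION=160",
    "2024-08-23T11:00:00Z;host2;app;INFO; TX2:b3 /ui/com.myapp.orders.view DURATION=900",
    "2024-08-24T11:00:00Z;host2;app;INFO; TX2:b4 /ui/com.myapp.cart.checkout DURATION=450",
]

# The two rex patterns from the question; TIME_RE and DURATION_RE are assumptions.
TRANID_RE = re.compile(r"^(?:[^;\n]*;){4}\s+(?P<utc_tsl_tranid>\w+:\w+)")
LOCEND_RE = re.compile(r"^.+\/(?P<ui_locend>\w+\.[a-z_-]+\.\w+\.\w+)")
TIME_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")
DURATION_RE = re.compile(r"DURATION=(?P<DURATION>\d+)")


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# (start, end) with end exclusive: the earliest/latest pairs from the reply.
FIRST_PERIOD = (utc(2024, 8, 10), utc(2024, 8, 16))
SECOND_PERIOD = (utc(2024, 8, 20), utc(2024, 8, 26))


def parse_event(raw):
    """Return (_time, utc_tsl_tranid, ui_locend, DURATION) or None if a field is missing."""
    matches = [r.search(raw) for r in (TIME_RE, TRANID_RE, LOCEND_RE, DURATION_RE)]
    if not all(matches):
        return None
    t = datetime.strptime(matches[0]["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t, matches[1]["utc_tsl_tranid"], matches[2]["ui_locend"], int(matches[3]["DURATION"])


def perc(values, p):
    """Nearest-rank percentile; Splunk's perc90 may round slightly differently."""
    ordered = sorted(values)
    k = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[k - 1]


def compare_periods(events, first, second, top_n=50):
    """dedup -> eval period -> stats perc90(DURATION) sum(DURATION) by ui_locend period -> top N."""
    seen, rows = set(), []
    for raw in events:
        parsed = parse_event(raw)
        if parsed is None:
            continue
        t, tranid, locend, duration = parsed
        if tranid in seen:          # dedup utc_tsl_tranid
            continue
        seen.add(tranid)
        if first[0] <= t < first[1]:
            period = "first"        # eval period=if(_time < <end of first>, "first", "second")
        elif second[0] <= t < second[1]:
            period = "second"
        else:
            continue                # outside both earliest/latest windows
        rows.append((locend, period, duration))

    by_key, weight = defaultdict(list), defaultdict(int)
    for locend, period, duration in rows:
        by_key[(locend, period)].append(duration)
        weight[locend] += duration  # sum(DURATION) as weight, for the top-N ranking

    result = {}
    for locend in sorted(weight, key=weight.get, reverse=True)[:top_n]:
        p90_first = perc(by_key[(locend, "first")], 90) if by_key[(locend, "first")] else None
        p90_second = perc(by_key[(locend, "second")], 90) if by_key[(locend, "second")] else None
        delta = None if None in (p90_first, p90_second) else p90_second - p90_first
        result[locend] = {"weight": weight[locend], "p90_first": p90_first,
                          "p90_second": p90_second, "delta": delta}
    return result


if __name__ == "__main__":
    for locend, row in compare_periods(SAMPLE_EVENTS, FIRST_PERIOD, SECOND_PERIOD).items():
        print(f"{locend:28} weight={row['weight']:5} p90 first={row['p90_first']} "
              f"second={row['p90_second']} delta={row['delta']}")
```

The ranking uses the same sum(DURATION) weight as the original search so the top 50 are the same actions; only the stats line gains perc90(DURATION) and period in the by clause. Actions that only appear in one window come back with a None side rather than being silently dropped.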
We are trying to ingest a STIX file into Threat Intelligence Management. The STIX parses, but it does not find anything of interest in the file. The _internal index has the message 'status="No observables or indicators found in file"'. The STIX file has the format below (which from what I can tell is a valid format, containing indicators):

{
  "more": false,
  "objects": [
    {
      "confidence": "70",
      "created": "2023-09-08T00:02:39.000Z",
      "description": "xxxxxxxxx",
      "id": "xxxxxxx",
      "modified": "2023-09-08T00:02:39.000Z",
      "name": "xxxxxxx",
      "pattern": "[ipv4-addr:value = '101.38.159.17']",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2023-09-08T00:02:39.000Z",
      "valid_until": "2025-11-07T00:02:39.000Z"
    },
    ......

Has anyone had any success with STIX files and been able to share the basic format of what worked for them? Or does anyone have anything else to suggest? Many thanks, Simon

Splunk Enterprise Security
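An offline check that is worth running on such a file before feeding it to any threat-intel importer, as an added example that is not Splunk's parser and says nothing about why Splunk's importer rejected this particular file: walk the objects array, confirm each indicator carries the properties STIX 2.1 requires (pattern_type and valid_from are both required on an indicator, and confidence is an integer, not a string), and pull the observable values out of each pattern. The sample below is constructed to mirror the shape of the post's snippet; its ids, names and the documentation IP are made up. Its top-level "more"/"objects" layout is what a TAXII 2.1 envelope looks like, whereas a STIX 2.1 bundle has "type": "bundle", an "id" and "objects"; the checker accepts both and reports which it saw.

```python
import json
import re

# Constructed sample modelled on the post's snippet (not the poster's file).
SAMPLE_FILE = json.dumps({
    "more": False,
    "objects": [
        {   # shaped like the post's indicator: string confidence, no pattern_type
            "confidence": "70",
            "created": "2023-09-08T00:02:39.000Z",
            "description": "constructed example",
            "id": "indicator--11111111-1111-4111-8111-111111111111",
            "modified": "2023-09-08T00:02:39.000Z",
            "name": "example-ip",
            "pattern": "[ipv4-addr:value = '192.0.2.10']",
            "spec_version": "2.1",
            "type": "indicator",
            "valid_from": "2023-09-08T00:02:39.000Z",
            "valid_until": "2025-11-07T00:02:39.000Z",
        },
        {   # a fully populated STIX 2.1 indicator with a compound pattern
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--22222222-2222-4222-8222-222222222222",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "example-domain", "confidence": 80,
            "pattern": "[domain-name:value = 'example.test' OR url:value = 'http://example.test/x']",
            "pattern_type": "stix",
            "valid_from": "2024-01-01T00:00:00.000Z",
        },
        {   # a non-indicator object, skipped by the check
            "type": "identity", "spec_version": "2.1",
            "id": "identity--33333333-3333-4333-8333-333333333333",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "constructed feed", "identity_class": "organization",
        },
    ],
})

# Properties the STIX 2.1 specification requires on every indicator object.
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")

# One comparison inside a STIX pattern: <object-type>:<property path> <op> '<literal>'.
COMPARISON_RE = re.compile(
    r"(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'\-\[\]*]+)\s*(?:=|!=|LIKE|MATCHES|IN)\s*"
    r"'(?P<value>(?:[^'\\]|\\.)*)'")


def load_objects(text):
    """Return ('bundle' | 'envelope', objects) for a STIX bundle or a TAXII envelope."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or not isinstance(doc.get("objects"), list):
        raise ValueError("no top-level 'objects' array")
    return ("bundle" if doc.get("type") == "bundle" else "envelope"), doc["objects"]


def extract_observables(pattern):
    """Pull (path, value) pairs out of a pattern, e.g. ('ipv4-addr:value', '192.0.2.10')."""
    return [(m["path"], m["value"]) for m in COMPARISON_RE.finditer(pattern)]


def check_indicators(text):
    """Report the container type, every indicator's observables, and spec problems found."""
    container, objects = load_objects(text)
    report = {"container": container, "indicators": [], "problems": []}
    for obj in objects:
        if obj.get("type") != "indicator":
            continue
        oid = obj.get("id", "<no id>")
        missing = [key for key in REQUIRED if key not in obj]
        if missing:
            report["problems"].append(f"{oid}: missing {', '.join(missing)}")
        if "confidence" in obj and not isinstance(obj["confidence"], int):
            report["problems"].append(
                f"{oid}: confidence must be an integer, got {obj['confidence']!r}")
        observables = extract_observables(obj.get("pattern", ""))
        if not observables:
            report["problems"].append(f"{oid}: no comparison found in pattern")
        report["indicators"].append({"id": oid, "observables": observables})
    return report


if __name__ == "__main__":
    print(json.dumps(check_indicators(SAMPLE_FILE), indent=2))
```

The pattern extractor is deliberately simple (one regex over comparison expressions) rather than a full STIX pattern grammar; it is enough to confirm that a file actually names observables, which is the first thing to establish when an importer reports none.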
I see the same issue with trying to delete a duplicate and it never goes away
Hi, I've seen many recent changes on SOAR 6.3 regarding prompts, but I still don't see a way to define the allowed choices list as a parameter while creating a prompt block from the GUI. Many times the options that are available to the user are dynamic, so hard-coding the choices list isn't practical for the user, is prone to getting out of date, and forces playbook redeployments. The only way I see so far is by using code blocks or by adding custom code to the prompt blocks (and losing the GUI handling in the process). Is there any way I'm missing to get the question choices from a datapath or a custom list?
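The reply earlier on this page shows the response_types structure that custom prompt code has to build, and raises the follow-up problem: once the choices are generated at run time, the playbook also has to recognise which one the user picked. As an added example (not Splunk's code and not from either post), the block below builds that structure from records fetched at run time, keeps a label-to-record map so the reply can be resolved, and adds an explicit escape choice so "none of these" is not mistaken for a selection. The records are constructed; in a playbook you would pass response_types to the prompt call (phantom.prompt2 in the playbook API as I understand it) and keep the serialized map across the prompt, for example with phantom.save_run_data, which is why the map round-trips through JSON here. Nothing in the block imports the phantom module, so it runs stand-alone.

```python
import json

# Constructed records standing in for whatever an earlier action returned
# (an asset query, a custom list, an action result); not data from the thread.
SAMPLE_RECORDS = [
    {"hostname": "web-01", "ip": "10.0.0.11"},
    {"hostname": "db-01", "ip": "10.0.0.21"},
    {"hostname": "web-02", "ip": "10.0.0.12"},
]

# Always offered last, so the analyst can decline without picking a real record.
ESCAPE_CHOICE = "None of the above"


def build_prompt(records, label_key="hostname", message="Select the host to isolate:"):
    """Return (response_types, lookup): the list a prompt expects, and label -> record."""
    lookup = {}
    for record in records:
        label = str(record[label_key])
        if label in lookup:
            # two records with one label could not be told apart from the reply
            raise ValueError(f"duplicate choice label: {label}")
        lookup[label] = record
    if not lookup:
        raise ValueError("no choices to offer; branch to a fallback instead of prompting")
    response_types = [{
        "prompt": message,
        "options": {"type": "list", "choices": list(lookup) + [ESCAPE_CHOICE]},
    }]
    return response_types, lookup


def serialize_lookup(lookup):
    """JSON for the label map, to keep across the prompt (e.g. with phantom.save_run_data)."""
    return json.dumps(lookup)


def resolve_response(answer, lookup_json):
    """Map the reply back to the record it named; None for the escape choice or an unknown reply."""
    lookup = json.loads(lookup_json)
    if answer is None or str(answer).strip() == ESCAPE_CHOICE:
        return None
    return lookup.get(str(answer).strip())


if __name__ == "__main__":
    response_types, lookup = build_prompt(SAMPLE_RECORDS)
    print(json.dumps(response_types, indent=2))
    saved = serialize_lookup(lookup)          # what you would persist across the prompt
    print(resolve_response("db-01", saved))   # the record the analyst chose
    print(resolve_response("None of the above", saved))
```

Because resolve_response returns None for anything it cannot map, the callback can treat "no record" as one branch instead of guessing which action to run; the empty-list and duplicate-label cases fail before a prompt is ever raised.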
Splunk has good write-ups on this at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_with_TLS and https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/AboutsecuringyourSplunkconfigurationwithSSL  
Splunk is _not_ an active monitoring solution. That's what you use - for example - rancid or some commercial tools for. But if you get logs from such tool (or have audit logs from your appliances telling you that change happened), you can search from that data. But it will depend on what data you have.
I am new to Splunk administration, and I need a query that captures changes to configuration of switches, firewalls, routers etc, in my environment
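The reply above makes the point that Splunk can only report configuration changes if the devices (or a change-tracking tool) log them, and that the search then depends on what those logs look like. As an added example that is not from the thread, the block below runs the extraction over constructed syslog lines whose message bodies follow two well-known formats, the Cisco IOS %SYS-5-CONFIG_I message and the Junos UI_COMMIT message; the "<timestamp> <host>" prefix is an assumed syslog header, and the hostnames, users and addresses are made up. It shows the three parts such a search needs: a keyword filter that selects only change events, field extraction per device family, and a count or allow-list check on top.

```python
import re
from collections import Counter

# Constructed syslog lines (not from the thread). Bodies follow the Cisco IOS
# CONFIG_I and Junos UI_COMMIT message formats; the header layout is assumed.
SAMPLE_LOGS = [
    "Sep 19 08:40:35 core-sw1 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Sep 19 08:41:02 edge-fw1 mgd[1234]: UI_COMMIT: User 'ops' requested 'commit' operation (comment: none)",
    "Sep 19 08:42:00 core-sw1 124: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "Sep 19 09:00:10 core-sw1 125: %SYS-5-CONFIG_I: Configured from console by svc_backup on vty1 (10.0.0.9)",
    "Sep 19 09:05:00 edge-fw1 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)",
]

HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")

# vendor -> regex over the message body; add one entry per device family you ingest.
RULES = {
    "cisco_ios": re.compile(
        r"%SYS-5-CONFIG_I: Configured from (?P<via>\S+) by (?P<user>\S+)"
        r"(?: on (?P<line>\S+))?(?: \((?P<src_ip>[\d.]+)\))?"),
    "junos": re.compile(
        r"UI_COMMIT: User '(?P<user>[^']+)' requested '(?P<op>[^']+)' operation"),
}


def parse_config_changes(lines):
    """Return one dict per config-change event; lines matching no rule are ignored."""
    events = []
    for line in lines:
        header = HEADER_RE.match(line)
        if not header:
            continue
        for vendor, rule in RULES.items():
            match = rule.search(line)
            if match:
                event = {"ts": header["ts"], "host": header["host"], "vendor": vendor}
                event.update({k: v for k, v in match.groupdict().items() if v is not None})
                events.append(event)
                break
    return events


def changes_by_host_user(events):
    """Count changes per (host, user), the shape a 'stats count by host user' gives you."""
    return Counter((e["host"], e["user"]) for e in events)


def unexpected_changes(events, allowed_users):
    """Changes made by accounts outside the approved set: the alert condition."""
    return [e for e in events if e["user"] not in allowed_users]


if __name__ == "__main__":
    found = parse_config_changes(SAMPLE_LOGS)
    for event in found:
        print(event)
    print(changes_by_host_user(found))
    print(unexpected_changes(found, {"admin", "ops"}))
```

The interface up/down line is deliberately included and dropped: a search for the device's syslog as a whole would pull it in, so the filter has to key on the change-specific message ids (CONFIG_I, UI_COMMIT, or whatever your vendors emit) rather than on the host.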
|rex "\[KOREASBC1\]\s(?<field_name>[^;]+)"  
So I've got a list containing multiple strings; depending on these strings I want to run 1 or more actions using a filter. When I use the 'in' filter to check if a certain string is in the list, the matching condition is not met.

Example input = ['block_ioc', 'reset_password']

Filter block:

I can successfully use the 'in' condition in a decision block, just not a filter block. Any ideas?