If I have two queries:
1.
index=poc container_name=app horizontalId=orange
outputs events with the trace ids
2.
index=poc container_name=app ExecutionTimeAspect Elastic Vertical Search Query Service | rex field=_raw "execution time is[ ]+(?<latency>\d+)[ ]+ms" | stats p90(latency) as Latency
outputs a Latency = 845
I want to link output of query 2 and query 1 via the trace ids for the P90 Latency.
There are several different issues touched here. As you have already indexed data, you cannot break the events again and re-index them. You can, however, manipulate your data during searching. But you will have to "break" the data into separate results on each search explicitly using search commands. If you want newly ingested data properly broken and indexed as separate events you need to configure your ingestion settings properly. But that will only work on newly ingested data. Old data will stay as it was.
Hi @bowesmana, I tried your suggestion but it doesn't work; maybe I did something wrong?
<dashboard version="1.1" theme="light">
<label>ID patient</label>
<row>
<panel>
<html depends="$hidden$">
<style>
#coloured_cell table tbody td div.multivalue-subcell[data-mv-index="0"]{
display: none;
}
</style>
</html>
<table id="coloured_cell">
<search>
<query>sourcetype=csv
| eval value=mvappend(sex,'S_N mm')
| table Age id sex "S_N mm" N_S_Ba value</query>
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="number" field="id"></format>
<format type="color" field="value">
<colorPalette type="expression">case(mvindex(value, 1) >"79" AND mvindex(value, 0) == "male","#00FF00")</colorPalette>
</format>
</table>
</panel>
</row>
</dashboard>
Actually, with Linux in general, everything needs "some work" to be done. A "Linux box" is a very broad term and a Linux server can be based on one of many different distributions (or even be installed as LFS), and can be configured in a gazillion different ways, so while you could cover some typical cases (like RHEL9/default install/default rsyslog configuration), there is no way to cover "any Linux". Also remember that audit logs depend greatly (mostly, if not exclusively) on which audit rules you have defined in your system.
SELinux has nothing to do with firewalld in the sense that adding a rule to firewalld should work regardless of SELinux status - the rule should show. True, SELinux could prevent the process from processing the connection, but that's completely independent from firewalld.
Adding to what @richgalloway already said - remember that some options might simply not be available in specific situations. Many Splunk components will actually run without the web interface enabled, so in those cases you will obviously not be able to use it for upgrades. If your environment grows and you step into clustering grounds, the only way of installing apps (including upgrading) will be using clustering mechanisms (either pushing from the deployer or the cluster manager). Even with a small-scale installation you can use a deployment server to serve apps to your Splunk components. And that's actually the typical Splunk way of automating app install/upgrade.
87 views of my question and zero comments. Same question posted by a different person 3 years ago and no answer to them either. It seems like no one responsible for this product actually looks at the questions. A reply that states "this is not possible or will never be implemented" is preferable to complete silence. Even better would be acknowledging the use case as valid and committing to adding the feature or providing a workaround such as code that could be inserted into the app configuration to enable it as a custom feature.
I am trying to be able to show the results of the drilldown search of a notable without having to leave the event/case page. I am able to grab the drilldown search and send it back to Splunk using the 'run_query' command and receive the information, but regardless of what fields I put in the "display" field of the command nothing shows up in the widget, and attempting to create a new artifact with the data throws errors about it not being correctly formatted JSON. Does anyone have a best practice to show the results of an SPL query within Splunk SOAR, within the event that it was run on?
Hi there, it looks like it is a known issue for this version; the Splunk dev team is working on it and it will be fixed in the next releases. As a workaround you can try:
1. Open the Settings menu and select Advanced Search
2. Next, select Macros
3. Search for dmc_licensing_base_summary. The app must be monitoring console or All. You won't find the macro otherwise.
4. Click on the macro to edit it.
5. In the definition box, change pool="$pool_clause$" to "$pool_clause$" only
6. Save the macro and reload the Historic License Usage dashboard in the monitoring console.
I'm assuming this is in a dashboard. If you are using simple XML you can do this using the technique described in the links below. As you need to colour the cell based on a dependency on data elsewhere (male/female), you need to calculate the colour you want in the SPL, then make the S-N mm field a multivalue field, and then use the expression type of syntax.
https://community.splunk.com/t5/Dashboards-Visualizations/How-to-change-the-color-of-row-based-on-cell-value-in-splunk/m-p/525471/highlight/true#M35637
https://community.splunk.com/t5/Dashboards-Visualizations/Changing-the-color-of-a-table-row-if-the-response-time-is/m-p/678151/highlight/true#M55537
https://community.splunk.com/t5/Dashboards-Visualizations/How-color-a-field-by-other-value-in-XML/m-p/671094/highlight/true#M54930
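A worked version of that technique, added here as an example and not code from the answer above or from the thread: the colour is decided in SPL from the per-sex ranges the question gives (female 74.6 to 77, male 79.3 to 87.7), the colour name is prepended to the S-N mm value with mvappend, CSS hides the first multivalue subcell so only the measurement is visible, and the expression palette reads the hidden colour back with mvindex. The sourcetype name csv, the field names Age, sex, id and "S-N mm", the panel id sn_range and the $hidden$ token are assumptions taken from the thread, not something the answer specifies.

```xml
<dashboard version="1.1" theme="light">
  <label>S-N mm range check</label>
  <row>
    <panel>
      <!-- The html panel never renders because the $hidden$ token is never set
           (assumed convention); its only job is to carry the CSS that hides
           subcell 0 (the colour marker) in the table with id sn_range. -->
      <html depends="$hidden$">
        <style>
          #sn_range table tbody td div.multivalue-subcell[data-mv-index="0"] {
            display: none;
          }
        </style>
      </html>
      <table id="sn_range">
        <search>
          <!-- Decide the colour in SPL; numeric comparison needs tonumber and
               dot decimals. "<=" must be written as &lt;= inside Simple XML. -->
          <query>sourcetype=csv
| eval sn = tonumber('S-N mm')
| eval sn_colour = case(sex=="female" AND sn>=74.6 AND sn&lt;=77, "green",
                        sex=="male"   AND sn>=79.3 AND sn&lt;=87.7, "green",
                        true(), "none")
| eval sn_cell = mvappend(sn_colour, 'S-N mm')
| table Age sex id sn_cell
| rename sn_cell as "S-N mm"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
        <!-- "value" is the whole multivalue cell; index 0 is the hidden colour. -->
        <format type="color" field="S-N mm">
          <colorPalette type="expression">case(mvindex(value, 0) == "green", "#00FF00")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```

If the source file stores the measurement with a decimal comma (as the ranges are written in the question), convert it before tonumber, for example with replace('S-N mm', ",", "."), otherwise tonumber returns null and the row never turns green.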
Thank you @bowesmana. I actually tried this before: | stats count as attack_number by FQDN,uri values(attack_type) as "Types of attack" but it didn't return anything. However, this is working: | stats values(attack_type) as "Types of attack" count as attack_number by FQDN,uri I guess this way the by clause applies to both the count and the values function. Seems logical now that I see it!
Just put the values(attack_type) as "Types of attack" into the first stats. You can't do two stats like that, as you don't have the attack_type field anymore after the first stats.
Hi folks, I have a quick question based on this kind of data. Consider this table:
Age  sex     id  ^N-S-Ba  S-N mm
17   male    1   125      84
17   female  2   133      75
I have to create a dynamic range for the field "S-N mm": for female it is from 74,6 to 77, for male it is from 79,3 to 87,7. I need to create a table in which the cell turns green when one of these values is within range. Thanks for the support, Ale
Hello, I'm trying to obtain a table like this:
FQDN          uri      list of attack_types                                          attack_number
www.test.com  /index   Information Leakage, Path Traversal                           57
www.test.com  /test    Path Traversal                                                30
prod.com      /sample  Abuse of Functionality, Forceful Browsing, Command Execution  10
I can obtain the table without the list of attack_types, but I can't figure out how to add the values function.
| stats count as attack_number by FQDN,uri
| stats values(attack_type) as "Types of attack"
For each FQDN/uri I want to have the number of attacks and all the attack_types seen. It seems obvious, but I'm missing it. Can someone help me?
@Dabbsy, to add a proviso to Rich's response: make sure that you are coordinating with the system owner or backend admin or support team, so that if they need those credentials you are getting the right approvals and documenting things.
A local account is one that does not use SAML or LDAP for authentication. It's the default if you have not configured SSO. The account you log onto the Splunk console with may not be available on all instances. The account is known to the search heads, but not to indexers or universal forwarders, and probably not to heavy forwarders. Each could have had an admin account created when Splunk was installed. If it was not created, or if you don't have the password, reset the account using the instructions at https://community.splunk.com/t5/Security/How-to-Reset-the-Admin-password/m-p/10622