All Posts

Thank you @bowesmana. I actually tried this before:
| stats count as attack_number by FQDN,uri values(attack_type) as "Types of attack"
but it didn't return anything. However, this is working:
| stats values(attack_type) as "Types of attack" count as attack_number by FQDN,uri
I guess this way the by clause applies to both the count and values functions. Seems logical now that I see it!
Just put the values(attack_type) as "Types of attack" into the first stats. You can't do 2 stats like that, as you don't have the attack_type anymore after the first stats.
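A small Python model of the behaviour discussed in this thread, added here as an illustration (it is not code from the thread or from Splunk): the stats command only emits its by-fields and its named aggregate outputs, so a second stats can no longer see attack_type. The events are constructed sample data; the stats() helper and the two query functions are hypothetical names.

```python
from collections import defaultdict

# Constructed WAF-style sample events (not real data from the thread).
EVENTS = [
    {"FQDN": "www.test.com", "uri": "/index", "attack_type": "Path Traversal"},
    {"FQDN": "www.test.com", "uri": "/index", "attack_type": "Information Leakage"},
    {"FQDN": "www.test.com", "uri": "/index", "attack_type": "Path Traversal"},
    {"FQDN": "www.test.com", "uri": "/test", "attack_type": "Path Traversal"},
    {"FQDN": "prod.com", "uri": "/sample", "attack_type": "Command Execution"},
    {"FQDN": "prod.com", "uri": "/sample", "attack_type": "Forceful Browsing"},
]

def stats(events, by, count_as=None, values_of=None, values_as=None):
    """Mimic `| stats count as X values(f) as Y by a,b`.
    Like Splunk's stats, only the by-fields and the named aggregate
    outputs survive in the result rows; every other field is dropped."""
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev.get(f) for f in by)].append(ev)
    rows = []
    for key, evs in groups.items():
        row = dict(zip(by, key))
        if count_as:
            row[count_as] = len(evs)
        if values_of:
            # values() yields the distinct non-null values, sorted
            vals = sorted({e[values_of] for e in evs if e.get(values_of) is not None})
            row[values_as or f"values({values_of})"] = vals
        rows.append(row)
    return rows

def two_stage_query():
    """The query that returned nothing in the thread:
       | stats count as attack_number by FQDN,uri
       | stats values(attack_type) as "Types of attack"
    The first stats emits only FQDN, uri and attack_number, so the
    second stats has no attack_type left to collect."""
    first = stats(EVENTS, by=["FQDN", "uri"], count_as="attack_number")
    return stats(first, by=[], values_of="attack_type", values_as="Types of attack")

def single_stage_query():
    """The working form: both aggregates share one by clause.
       | stats values(attack_type) as "Types of attack" count as attack_number by FQDN,uri"""
    return stats(EVENTS, by=["FQDN", "uri"], count_as="attack_number",
                 values_of="attack_type", values_as="Types of attack")
```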
Hi folks, I have a quick question based on this kind of data. Consider this table:
Age  sex     id  ^N-S-Ba  S-N mm
17   male    1   125      84
17   female  2   133      75
I have to create a dynamic range for the field "S-N mm": for the female it is from 74,6 to 77, for the male it is from 79,3 to 87,7. I need to create a table where, when one of these values is within range, it should turn green. Thanks for the support, Ale
Hello, I'm trying to obtain a table like this:
FQDN          uri      list of attack_types                                          attack_number
www.test.com  /index   Information Leakage, Path Traversal                           57
www.test.com  /test    Path Traversal                                                30
prod.com      /sample  Abuse of Functionality, Forceful Browsing, Command Execution  10
I can obtain the table without the list of attack_types, but I can't figure out how to add the values function.
| stats count as attack_number by FQDN,uri | stats values(attack_type) as "Types of attack"
For each FQDN/uri I want to have the number of attacks, and all the attack_types seen. It seems obvious, but I'm missing it. Can someone help me?
@Dabbsy to add a proviso to Rich's response, make sure that you are coordinating with the system owner or backend admin or support team, to make sure that if they need those credentials that you are getting the right approvals and documenting things.
A local account is one that does not use SAML or LDAP for authentication. It's the default if you have not configured SSO. The account you log onto the Splunk console with may not be available on all instances. The account is known to the search heads, but not to indexers or universal forwarders, and probably not to heavy forwarders. Each could have had an admin account created when Splunk was installed. If it was not created or if you don't have the password, reset the account using the instructions at https://community.splunk.com/t5/Security/How-to-Reset-the-Admin-password/m-p/10622
The local admin account is not just an account with an admin role, it is the built-in local admin account that was created when you installed Splunk. See (for example): Install on Windows - Splunk Documentation
The biggest difference is #3 requires a restart of Splunk before the app can be used.  For the other methods, a restart may be needed (depending on what is changed), but may not be required.
Thanks for the reply Rich. I have a Splunk admin account (that I log onto the Splunk console with), but that password doesn't work. When you say local account, is this different, and if it is, how would I set one of these up?
Did you end up creating the tag to get the endpoint.processes data model to populate? I am seeing the same issue in Splunk_TA_nix 9.7.0 
@KhalidAlharthi
1. Reload Firewall Rules: sudo firewall-cmd --reload
2. Verify the Rule is Active: sudo firewall-cmd --list-all
3. Consider SELinux: If you're using SELinux (Security-Enhanced Linux), it could also be blocking access. You can temporarily disable it to test if that's the issue: sudo setenforce 0
@Siddharthnegi You can use the mvexpand command in Splunk to separate the port numbers into individual rows. If the above solution works, an upvote is appreciated!!
We are partners with Splunk and the partner case link worked for me. https://splunk.my.site.com/partner/s/cases Also, if it's urgent, you could just use the phone to open a case: https://www.splunk.com/en_us/about-splunk/contact-us.html#customer-support Please find the attached screenshot for reference.
When a CLI command asks for credentials, it expects a Splunk local account name with admin privileges. If you do not have the admin password then you should reset it. Except for indexers and universal forwarders, just about any Splunk instance may be using KVStore. It's also possible a new app will be installed that uses KVStore, so it should be running.
Hello, already tried with different browsers, but the Partner portal is also not working.
Thanks, so this means only certain out-of-the-box use cases can be used immediately. The rest would need some work to be done.
Hello @solg @bendeloitte Go to https://partners.splunk.com and select "My Cases".
As it's built on Node.js, it should work. Best to try it and see if you pick up any issues.
Hi, did you find a solution?
Try both | eventstats values(catchup_updated_time) as catchup_updated_time, values(sky_ui_timestamp) as sky_ui_timestamp by sky_id | sort -sky_id catchup_updated_time | filldown catchup_updated_time, sky_ui_timestamp