Hello, I'm trying to obtain a table like this:

FQDN          uri      list of attack_types                                          attack_number
www.test.com  /index   Information Leakage, Path Traversal                           57
www.test.com  /test    Path Traversal                                                30
prod.com      /sample  Abuse of Functionality, Forceful Browsing, Command Execution  10

I can obtain the table without the list of attack_types, but I can't figure out how to add the values function.

| stats count as attack_number by FQDN,uri
| stats values(attack_type) as "Types of attack"

For each FQDN/uri I want to have the number of attacks and all the attack_types seen. It seems obvious, but I'm missing it. Can someone help me?
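One way to get both columns from a single stats pass, as an added example that is not part of the original post or any reply on the page. The events are constructed inline with makeresults so the search runs on any Splunk instance without an index; the field names FQDN, uri and attack_type are taken from the question, and the list() and dc() columns are extras added here to show the difference between values() (deduplicated, sorted) and list() (every occurrence, in order seen).

```spl
| makeresults count=6
| streamstats count as n
| eval FQDN=case(n<=3, "www.test.com", true(), "prod.com")
| eval uri=case(n<=2, "/index", n==3, "/test", true(), "/sample")
| eval attack_type=case(n==1, "Path Traversal",
                        n==2, "Information Leakage",
                        n==3, "Path Traversal",
                        n==4, "Abuse of Functionality",
                        n==5, "Forceful Browsing",
                        n==6, "Abuse of Functionality")
| stats count as attack_number,
        values(attack_type) as "Types of attack",
        list(attack_type) as attack_sequence,
        dc(attack_type) as distinct_types
  by FQDN, uri
| sort - attack_number
```

Aggregations that share the same by clause belong in one stats command; a second stats with no by fields collapses the whole result set into a single row, which is why the two-step version in the question loses the per-FQDN/uri breakdown. Against real data, replace the makeresults block with the base search (for example index=waf) and keep the stats line as is. Note that values() returns a multivalue field; if the table is exported to CSV, add | nomv "Types of attack" first to flatten it into one cell.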
@Dabbsy to add a proviso to Rich's response, make sure that you are coordinating with the system owner or backend admin or support team, so that, if they need those credentials, you are getting the right approvals and documenting things.
A local account is one that does not use SAML or LDAP for authentication. It's the default if you have not configured SSO. The account you log onto the Splunk console with may not be available on all instances. The account is known to the search heads, but not to indexers or universal forwarders, and probably not to heavy forwarders. Each could have had an admin account created when Splunk was installed. If it was not created, or if you don't have the password, reset the account using the instructions at https://community.splunk.com/t5/Security/How-to-Reset-the-Admin-password/m-p/10622
The local admin account is not just an account with an admin role, it is the built-in local admin account that was created when you installed Splunk. See (for example): Install on Windows - Splunk Documentation
The biggest difference is #3 requires a restart of Splunk before the app can be used. For the other methods, a restart may be needed (depending on what is changed), but may not be required.
Thanks for the reply Rich. I have a Splunk admin account (that I log onto the Splunk console with), but that password doesn't work. When you say local account, is this different, and if it is, how would I set one of these up?
@KhalidAlharthi

1. Reload firewall rules: sudo firewall-cmd --reload
2. Verify the rule is active: sudo firewall-cmd --list-all
3. Consider SELinux: If you're using SELinux (Security-Enhanced Linux), it could also be blocking access. You can temporarily disable it to test if that's the issue: sudo setenforce 0
@Siddharthnegi You can use the mvexpand command in Splunk to separate the port numbers into individual rows. If the above solution works, an upvote is appreciated!
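A runnable illustration of that reply, added here and not part of the original answer. The sample rows are constructed with makeresults; the field name ports and the comma delimiter are assumptions, since the original question is not on the page. mvexpand only splits a field that is already multivalue, so a comma-separated string must first be turned into one with makemv (or split()).

```spl
| makeresults count=2
| streamstats count as n
| eval host=if(n==1, "web-01", "db-01")
| eval ports=if(n==1, "22,80,443", "3306")
| makemv delim="," ports
| mvexpand ports
| eval ports=tonumber(ports)
| table host, ports
```

The result has four rows: web-01 appears three times (22, 80, 443) and db-01 once (3306). Every other field on the event is copied onto each expanded row, so mvexpand on a large multivalue field across many events multiplies the result size; the command stops with a memory warning when it reaches the max_mem_usage_mb limit in limits.conf, so filter or dedup before expanding when working with real scan data.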
We are partners with Splunk and the partner case link worked for me. https://splunk.my.site.com/partner/s/cases Also, if it's urgent, you could just use the phone to open a case: https://www.splunk.com/en_us/about-splunk/contact-us.html#customer-support Please find the attached screenshot for reference.
When a CLI command asks for credentials, it expects a Splunk local account name with admin privileges. If you do not have the admin password then you should reset it. Except for indexers and universal forwarders, just about any Splunk instance may be using KVStore. It's also possible a new app will be installed that uses KVStore so it should be running.
Try both | eventstats values(catchup_updated_time) as catchup_updated_time, values(sky_ui_timestamp) as sky_ui_timestamp by sky_id
| sort -sky_id catchup_updated_time
| filldown catchup_updated_time, sky_ui_timestamp
Hi, has anyone tried using the Node.js agent to see if it will work with detecting the Nest.js framework? NestJS is a framework for building efficient, scalable Node.js web applications. It uses modern JavaScript, so I don't know if this would at least partially work.
Hello, I have an issue when creating some visualizations in a Splunk dashboard. I'm using Dashboard Studio, and my objective is to make a table panel with multiple tokens, one for each column. Is it possible in Splunk? Like in this captured dashboard: is it possible that when I click a signature value, the visualizations below the table dynamically change based on the clicked column value, and that the action also applies when I click on different column values in the first table? Is it possible in Dashboard Studio?