All Posts
One caveat: Top-level nodes without children are displayed as leaves, and the ordering could use some work. I don't know whether the viz supports an undocumented sort field similar to how tree visualizations in most UI toolkits support a sorting callback; I haven't looked at the source code.
Hi @gcusello,

I started with the PCF Excel workbook published at https://www.apqc.org/resource-library/resource-listing/apqc-process-classification-framework-pcf-cross-industry-excel-11. I exported the Combined sheet to a CSV file named pcf_combined.csv and uploaded the file to my Splunk instance as a new lookup file with the same name. I started with the following search:

```
| inputlookup pcf_combined.csv
| eval id='Hierarchy ID'
| eval label='PCF ID'." - ".'Hierarchy ID'." ".Name
| rex field=id "(?<parentId>[^.]+\\..+)\\."
| table id label parentId
```

The regular expression only extracts a parentId value for layer 3 and lower, i.e. x.y has a null parentId value, x.y.z has a parentId value of x.y, x.y.z.w has a parentId value of x.y.z, etc. Hierarchy ID values are unordered. To allow Treeview Viz to sort nodes more naturally, I modified the label field:

```
| eval label='Hierarchy ID'." ".Name." [".'PCF ID'."]"
```

The resulting visualization correctly displays all nodes. I'm running Splunk Enterprise 9.3.0 and Treeview Viz 1.6.0.
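As an added example (not code from the post above or from the Treeview Viz app), the following Python reproduces the parentId rule the rex expresses and builds the id / label / parentId table from a CSV export, then flags parentId values that do not match any id, which is a useful check before handing the table to a visualization. The CSV rows, PCF IDs and names are constructed placeholders, not values from APQC's workbook.

```python
import csv
import io
import re

# Constructed sample of the Combined sheet export (column names as in the post;
# PCF IDs and names are placeholders, not values from APQC's workbook).
SAMPLE_CSV = """PCF ID,Hierarchy ID,Name
10001,1.0,Category A
10002,1.1,Process group A1
10003,1.1.1,Process A1.1
10004,1.1.1.1,Activity A1.1.1
10005,1.2.1,Process A2.1
"""

# The post's rex pattern in Python named-group syntax. It needs at least two
# dots to match, so layer 1 (x) and layer 2 (x.y) ids get no parent.
PARENT_RE = re.compile(r"(?P<parentId>[^.]+\..+)\.")


def parent_id(hierarchy_id):
    """Return everything before the last dot for layer 3 and deeper, else None."""
    m = PARENT_RE.search(hierarchy_id)
    return m.group("parentId") if m else None


def treeview_rows(csv_text):
    """Build the id / label / parentId rows the Treeview Viz search produces,
    using the post's second (sort-friendlier) label format."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        hid = rec["Hierarchy ID"]
        rows.append({
            "id": hid,
            "label": "{} {} [{}]".format(hid, rec["Name"], rec["PCF ID"]),
            "parentId": parent_id(hid),
        })
    return rows


def dangling_parents(rows):
    """parentId values that no row carries as its id: such nodes cannot be
    attached to the tree and are worth checking before visualizing."""
    ids = {r["id"] for r in rows}
    return sorted({r["parentId"] for r in rows
                   if r["parentId"] is not None and r["parentId"] not in ids})


if __name__ == "__main__":
    rows = treeview_rows(SAMPLE_CSV)
    for r in rows:
        print(r)
    print("dangling parents:", dangling_parents(rows))
```

The sample deliberately includes 1.2.1 without a 1.2 row, so dangling_parents reports 1.2; in the real export that would point at a missing or mis-typed Hierarchy ID. Layer 1 and 2 nodes get no parent, which is why they render as top-level leaves when they have no children.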
It doesn't have to be current search time. It might be the time from summarized values. A relatively good example would be tracing emails from some email systems. They tend to send multiple events during a single message pass and you have to combine all those messages to have a full picture of the message sender, recipients, action taken, scan results and so on. With an ad-hoc search you'd probably have to use the transaction command, which doesn't play nice with bigger data sets. But you can run a summarizing search every 10 or 30 minutes that will correlate all emails processed during a given time window and write that summarized info into an index. In such a case you'd probably want one of the message's times (most probably the initial submission time) as the summary event's _time.
Actually, I find this even more complicated than a stand-alone cron-launched solution. I'm saying this as a seasoned admin. It is very "inconsistent". It is spawned by splunk, emits syslog, and of course each distro handles syslog differently. While it is tempting to use Splunk's internal scheduler, I'd rather advise using the system-wide cron and explicitly created log files. It's more obvious this way. Anyway, a question to @verbal_666 - why the need to delay the script's output in the first place? It seems a very unusual requirement.
Hi, Did you check your KV Store? A few lookups related to Incident Review are there; verify them too.
Hi @jacksonDeng, Have you tried entering dummy values?
It is not mandatory to use that app, but unless you want to build the configurations yourself, you might as well use a pre-made app. The app has documentation describing how to install and use it: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usecustomalertactions
Your first and second screenshots show, respectively, a dropdown menu from Splunk SOAR (the SOAR product from Splunk), and a dropdown menu from Splunk Enterprise (the SIEM product from Splunk). These are entirely different products. I would recommend installing Splunk SOAR and then its interface should look like your first screenshot and you should then be able to make an Automation user.
Can you share your experience (use case) where you change your timestamp to current search time? Thank you!!
It depends on what you expect your users to expect. I have use cases for summary indexes which contain statistics on X days of previous data, but my users assume that a summarized event of weekly statistics on the 15th of September would contain statistics about 8-15th September. In this case it makes sense to re-eval the _time value to the search time.
Hi @yuanliu,

1) If I left join a CSV and a subsearch that have the same field name, will the data from the subsearch rewrite the data from the CSV in that field? In my example above it is the "source" field. I added this for tracking purposes.

2) I also found out that keepempty=true doesn't always work in dedup. Have you ever experienced the same?

Thank you again for your help.
It depends on what you are using the summary index for and what you want the timestamp to represent. There is no right way or wrong way; it is a choice you make based on your use cases for the data in the summary index.
Hello, When I write data to a summary index, the timestamp (_time) always follows the earliest time. For example, if my daily scheduled search runs at 1am today, 9/15/2024, to write the last 24-hour data to a summary index, the time stamp (_time) will be 9/14/2024. When I search the summary index in the last 24 hours, the result will be empty because it's always 24 hours behind, so I have to modify the search time to the last 2 days to see the data. Is it a best practice to keep the timestamp as the earliest time, or do you modify the timestamp to the search time? In my example, if I modify the timestamp to the search time, the time stamp would be 9/15/2024 1 a.m. Please suggest. Thank you so much for your help.
Expanding on @PickleRick's answer, we can use Splunk as the scheduler by "forking" the script to the background. The detached background process will continue to run after the parent script exits with 0 (no error):

```bash
#!/bin/bash
# First pass (FORK unset): re-launch this same script detached via nohup,
# then exit 0 immediately so splunkd sees a clean, prompt completion.
if [ "${FORK:="0"}" = "0" ]
then
    FORK=1 nohup "$0" "$@" >/dev/null 2>&1 &
    exit 0
fi
# Second pass (FORK=1): the detached copy does the real work and logs to syslog.
BASENAME=$(basename -- "$0")
logger --id=$$ -t "${BASENAME}" "start"
sleep 90
logger --id=$$ -t "${BASENAME}" "finish"
```

I've used the logger command in the example. On standard Linux configurations, this will log messages to /var/log/messages or /var/log/syslog, depending on the local syslog daemon configuration. We can use any log file, but since the background process is detached from splunkd, we can't use stdout. The scripted input can use either intervals or cron expressions. The file input or the input specific to wherever you write your script's output would be configured separately as required. Just be careful not to unintentionally fork b*mb yourself. Check Splunk (limits.conf) and host (ulimit) limits. We can also write a long-lived script or modular input that manages its own child processes.
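As an added example (not code from the post above, and not part of any Splunk app), here is the same detach pattern in Python, the language Splunk modular inputs are commonly written in, with the guard the post's fork-bomb caution calls for: a pidfile is checked before each launch so a scheduled input that fires while the previous run is still alive does not stack up detached children. It assumes a POSIX host (os.kill with signal 0 and start_new_session are POSIX behaviours); the job command, pidfile path and log path in the demo are constructed for illustration.

```python
import os
import subprocess
import sys
import tempfile

# Assumes a POSIX host: os.kill(pid, 0) only probes for existence there, and
# start_new_session puts the child in its own session so it outlives the parent.


def pid_alive(pid):
    """True if a process with this pid exists. Signal 0 delivers nothing."""
    if not pid or pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def read_pidfile(path):
    """Return the recorded pid, or None if the file is missing or unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip() or "0")
    except (FileNotFoundError, ValueError):
        return None


def launch_detached(cmd, pidfile, log_path=os.devnull):
    """Start cmd detached from the caller unless the pid recorded in pidfile is
    still alive. Returns the child's pid, or None when the launch was skipped.
    Caveat: a recycled pid can make a stale pidfile look alive; if runs are far
    apart, also compare the process start time or use a proper lock file."""
    prev = read_pidfile(pidfile)
    if prev is not None and pid_alive(prev):
        return None
    with open(log_path, "ab") as log:
        child = subprocess.Popen(
            cmd,
            stdin=subprocess.DEVNULL,
            stdout=log,               # detached: stdout cannot go back to splunkd
            stderr=subprocess.STDOUT,
            start_new_session=True,   # survives the parent's exit
            close_fds=True,           # do not leak the parent's descriptors
        )
    with open(pidfile, "w") as fh:
        fh.write(str(child.pid))
    return child.pid


def demo():
    """Exercise the guard in a temp dir and return the observed outcomes."""
    workdir = tempfile.mkdtemp()
    pidfile = os.path.join(workdir, "job.pid")   # constructed path
    job = [sys.executable, "-c", "import time; time.sleep(0.1)"]  # stand-in job
    results = {"self_alive": pid_alive(os.getpid())}
    # No pidfile yet: the job starts.
    results["first_started"] = isinstance(launch_detached(job, pidfile), int)
    # Record a pid that is certainly alive (our own): the overlap is refused.
    with open(pidfile, "w") as fh:
        fh.write(str(os.getpid()))
    results["overlap_refused"] = launch_detached(job, pidfile) is None
    # A stale record (no such process): the job starts again.
    with open(pidfile, "w") as fh:
        fh.write("0")
    results["stale_replaced"] = isinstance(launch_detached(job, pidfile), int)
    return results


if __name__ == "__main__":
    print(demo())
```

The guard is what keeps a short interval or a slow job from multiplying background processes; limits.conf and ulimit remain the backstop, not the primary control.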
If we don't care about ties, we can filter the pre-sorted values field in place:

````
``` index=foo ```
| fieldsummary maxvals=0 username src dst port mail etc
| fields field values
| eval values="[".mvjoin(mvindex(json_array_to_mv(values), 0, 2), ",")."]"
````

EDIT: See @PickleRick's answer re: maxvals=3. My only caution here is that distinct_count will no longer be exact. We haven't used the field in this result, but its behavior changes nonetheless.
If you just want to list both result sets in one table you need to combine two separate searches because datamodel is an event generating command. So it's either append (which has its limitations) or multisearch (but I'm not sure if you can use multisearch with datamodel)
You can just use maxvals=3 argument to fieldsummary.
Hi @siv,

The fieldsummary command summarizes field values and counts as a JSON array. We can use that to return the top three values for each field. In the case of a tie, all tied values are returned:

````
``` index=foo ```
| fieldsummary maxvals=0 username src dst port mail etc
| fields field values
| eval values=json_array_to_mv(values)
| eval count=mvindex(mvdedup(mvmap(values, spath(values, "count"))), 0, 2)
| mvexpand values
| mvexpand count
| where spath(values, "count")==count
| eval value=spath(values, "value")
| fields field value count
````

The use of mvexpand makes this a suboptimal solution, but we can build on this with better use of JSON and multivalue eval functions.
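As an added example (not code from either answer above), the following Python works over the same fieldsummary JSON shape and shows side by side what the two searches return: the in-place mvindex filter that keeps the first three entries, and the mvdedup-on-count approach that keeps every value tied with the third. It assumes, as the answers do, that the values array is already sorted by count descending; the rows themselves are constructed sample data, not real fieldsummary output.

```python
import json

# Constructed fieldsummary-style rows: one row per field, whose values column
# is a JSON array sorted by count, descending (the property both searches rely on).
SAMPLE_ROWS = [
    {"field": "username", "values": json.dumps([
        {"value": "root", "count": 102},
        {"value": "admin", "count": 71},
        {"value": "yara", "count": 34},
        {"value": "guest", "count": 34},   # tied with yara
        {"value": "svc", "count": 3},
    ])},
    {"field": "src", "values": json.dumps([
        {"value": "168.172.1.1", "count": 132},
        {"value": "10.10.0.1", "count": 60},
        {"value": "168.0.8.1", "count": 12},
        {"value": "10.0.0.9", "count": 1},
    ])},
]


def _entries(values_json):
    """Parse the values array into (value, count) pairs; count may arrive as text."""
    return [(e["value"], int(e["count"])) for e in json.loads(values_json)]


def top_first_n(values_json, n=3):
    """The in-place filter (mvindex 0..n-1): the first n pre-sorted entries,
    so a value tied with the nth is dropped."""
    return _entries(values_json)[:n]


def top_with_ties(values_json, n=3):
    """The mvdedup(count) approach: take the n highest distinct counts and keep
    every value whose count is one of them."""
    entries = _entries(values_json)
    distinct_counts = []
    for _, c in entries:
        if c not in distinct_counts:
            distinct_counts.append(c)
    keep = set(distinct_counts[:n])
    return [(v, c) for v, c in entries if c in keep]


def summarize(rows, n=3, keep_ties=True):
    """Map each field name to its top values, as (value, count) pairs."""
    pick = top_with_ties if keep_ties else top_first_n
    return {row["field"]: pick(row["values"], n) for row in rows}


if __name__ == "__main__":
    for keep_ties in (True, False):
        print("ties kept:" if keep_ties else "first three only:")
        for field, vals in summarize(SAMPLE_ROWS, keep_ties=keep_ties).items():
            for value, count in vals:
                print(f"  {field:<9} {value:<12} {count}")
```

On the sample, username yields four rows with ties kept (yara and guest both at 34) and three without; src is identical either way. Neither approach changes distinct_count, which is the caveat that applies only when maxvals is reduced in fieldsummary itself.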
Please could you give an example of what your desired output would look like?
For example, I have these fields and values: stats count by username. I got this:

username
root | 102
admin | 71
yara | 34

This is the same for src:

src
168.172.1.1 | 132
10.10.0.1 | 60
168.0.8.1 | 12

I want to see it in one table, but I want it to check all fields, like dst, port, mail... it could be anything on the event. The goal is to get, for each event, the top field that has the most values that are repeated with the same value.