All Posts

Hi, I am trying to list the steps to interface Splunk with ServiceNow and to create an incident in ServiceNow from a Splunk alert. Is it mandatory to use the Splunk add-on (Splunk Add-on for ServiceNow | Splunkbase)? And what are the steps after that? Thanks.
In my case it is about:

@PickleRick wrote: In case of a downed indexer(s) Splunk is warning you that it might not have all the data it should have. And it makes sense because the missing indexers could have had buckets which have not been replicated yet or might have been replicated but are not searchable.

I want my search to not store the data in a lookup when Splunk raises this warning. And here I'm stuck.
correct
Hello @gcusello, Is this not achievable via a search, please? Best regards,
Is what you expected to get what you got from your non-tstats search?
Here's what I get from my previous query, and what I expect to get:

Environment          convicted   not convicted
browser                      8              12
win10                       79             250
win10-x64-2-beta             0             117
win10-x64-browser           12               6
win7-x64                     2             832

Here's what I get from the query you provided, I hope it helps:

Secure_Malware_Analytics_Dataset.analysis_behaviors_title   count   percent              total
Executable Imported the IsDebuggerPresent Symbol              835   14.421416234887737   5790
PE Contains TLS Callback Entries                              690   11.917098445595855   5790
Executable with Encrypted Sections                            622   10.7426597582038     5790
Executable Artifact Imports Tool Help Functions               428   7.392055267702936    5790
PE Checksum is Invalid                                        403   6.960276338514681    5790
Artifact With Multiple Extensions Detected                    364   6.286701208981002    5790
Executable Signed With Digital Certificate                    277   4.784110535405873    5790
Process Modified File in a User Directory                     250   4.317789291882556    5790
Executable Signing Date Invalid                               220   3.7996545768566494   5790
Possible Registry Persistence Mechanism Detected              140   2.4179620034542313   5790
PE DOS Header Initial SP Value is Abnormal                    138   2.383419689119171    5790
Static Analysis Flagged Artifact As Anomalous                  86   1.4853195164075994   5790
Windows Crash Tool Execution Detected                          85   1.468048359240069    5790
Artifact Flagged Malicious by Antivirus Service                81   1.3989637305699483   5790
A Crash Dump File Was Created                                  77   1.3298791018998273   5790
Thank you, @ITWhisperer. It's working as expected
I don't know what this means, please can you show what you are getting and what you expected to get?
Hi all, is it possible to pass parameters to the action [[action|sendtophantom]] in the field "Next Steps"? For example, pass it the severity or the SOAR instance? Thanks
good try, but it skipped the list of the titles I have in my input query, I have a correct output of counts, but without titles
Now it works... Last question: how do I change the rangemap of the colors? Is it in the XML or is it automatic?
Hi @BRFZ, you can use the License Usage Report [Settings > Licensing > Usage Report > Previous 30 days > Split by Host] and customize it, or the Monitoring Console app, which gives the same results. The only limit is the retention time of your _internal data. Ciao. Giuseppe
As far as I remember you only get a warning about possible incomplete results if some of your indexers are down. It has nothing to do with source servers (and that's how I interpret your question - you want to know when one of the source servers isn't sending data). In case of a downed indexer(s) Splunk is warning you that it might not have all the data it should have. And it makes sense because the missing indexers could have had buckets which have not been replicated yet or might have been replicated but are not searchable. But it deals only with the state of the Splunk infrastructure, not the sources. Splunk has no way of knowing what "partial" data is in case of missing sources. There are some apps meant for detecting downed sources but they don't affect searches running on the data from those sources (although you could add a safeguard based on a technique similar to the one with require based on a lookup or something).
I don't know why, but the field "Value" doesn't display anything when I execute your search, even if the field exists.
Not sure why you are using prestats=true - try something like this:

| tstats count as Count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset
    where index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois)
    sourcetype="cisco:sma:submissions"
    Secure_Malware_Analytics_Dataset.status IN ("*")
    by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| eventstats sum(Count) as Total
| eval Percent=100*Count/Total
| sort - Count
| head 20
If there is no such input to choose from it might indeed be the case that there is no direct possibility to capture pod status. Which wouldn't be that surprising since Splunk typically deals with logs, and logs usually contain transitions between states, not the states themselves. You could probably write your own scripted input to periodically call the proper API endpoint to capture those states and ingest them into Splunk, but that requires some development on your side.
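As an added illustration of the scripted-input approach described in the reply above (this is example code, not from the thread or from any Splunk app), the script below polls the Kubernetes pod-list endpoint (/api/v1/pods) and writes one JSON event per pod to stdout, which is how a Splunk scripted input hands events to the forwarder. The API URL, token file and CA file are read from environment variables that are assumed for this example (KUBE_API, KUBE_TOKEN_FILE, KUBE_CA_FILE); when they are not set, it falls back to a constructed sample response so it runs offline. Each event carries the snapshot time, so a search can pick the latest state per pod with something like `| stats latest(phase) by namespace, pod`.

```python
import json
import os
import ssl
import sys
import time
import urllib.request

# Constructed sample in the shape of a Kubernetes /api/v1/pods response,
# trimmed to the fields the events below use. Not captured from a real cluster.
SAMPLE_PODLIST = {
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "web-7d9f", "namespace": "prod"},
         "status": {"phase": "Running",
                    "containerStatuses": [{"name": "web", "ready": True, "restartCount": 0}]}},
        {"metadata": {"name": "worker-1a2b", "namespace": "prod"},
         "status": {"phase": "Pending",
                    "containerStatuses": [{"name": "worker", "ready": False, "restartCount": 3}]}},
        {"metadata": {"name": "batch-xyz", "namespace": "jobs"},
         "status": {"phase": "Succeeded"}},
    ],
}


def fetch_pods(api_url, token, ca_file=None):
    """Call the Kubernetes pod-list endpoint with a bearer token.
    api_url is the API server base URL (assumed, e.g. https://kube.example:6443).
    TLS verification stays on; ca_file points at the cluster CA if it is private."""
    req = urllib.request.Request(api_url.rstrip("/") + "/api/v1/pods",
                                 headers={"Authorization": "Bearer " + token})
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def pods_to_events(podlist, observed_at):
    """Flatten one snapshot into one event per pod.
    'ready' is True only if every container is ready, None if the pod reports
    no container statuses (e.g. a completed job); 'restarts' sums all containers."""
    events = []
    for item in podlist.get("items", []):
        meta = item.get("metadata", {})
        status = item.get("status", {})
        containers = status.get("containerStatuses", [])
        events.append({
            "time": observed_at,
            "namespace": meta.get("namespace"),
            "pod": meta.get("name"),
            "phase": status.get("phase"),
            "ready": all(c.get("ready", False) for c in containers) if containers else None,
            "restarts": sum(c.get("restartCount", 0) for c in containers),
        })
    return events


def main():
    # Real run: API URL and token file from the environment (assumed names);
    # otherwise emit the constructed sample so the script can be tried offline.
    api = os.environ.get("KUBE_API")
    token_path = os.environ.get("KUBE_TOKEN_FILE")
    if api and token_path:
        with open(token_path) as f:
            podlist = fetch_pods(api, f.read().strip(), os.environ.get("KUBE_CA_FILE"))
    else:
        podlist = SAMPLE_PODLIST
    # One JSON object per line: each line becomes one Splunk event.
    for ev in pods_to_events(podlist, int(time.time())):
        sys.stdout.write(json.dumps(ev) + "\n")


if __name__ == "__main__":
    main()
```

To wire it in, the script would be registered in inputs.conf under a [script://...] stanza with an interval (e.g. 60 seconds) and a sourcetype whose props.conf extracts JSON and uses the time field as _time. Because every poll re-emits every pod, the search side should always reduce with latest() per pod rather than count raw events, and the token the script reads should belong to a service account limited to listing pods.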
Hello, Could you please provide guidance on how to retrieve the daily quantity of logs per host? Specifically, I am looking for a method or query to get the amount of logs generated each day, broken down by host. Best regards,
You should understand what your data is, not blindly copy other searches and expect them to work on different data! Your data probably already has the _time field with valid data (although I am guessing here as (yet again) you haven't shared your events (as has been suggested many times before!)) - try this:

index="main" sourcetype="Perfmon:disk"
| timechart eval(round(avg(Value),0)) by host

If it doesn't work, may I suggest you provide more information such as the events you have in your index?
Thank you so much @ITWhisperer, this worked for me.
Convert your lookup so it has a pattern and a name for the pattern, e.g.

logline: Deprecated configuration detected in path Please update your settings to use the latest configuration options.
pattern: *Deprecated configuration detected in path* Please update your settings to use the latest configuration options.*

logline: Query execution time exceeded the threshold: seconds. Query: SELECT * FROM users WHERE last_login
pattern: *Query execution time exceeded the threshold:*seconds. Query: SELECT * FROM users WHERE last_login*

logline: Query execution time exceeded the threshold: seconds. Query: SELECT * FROM contacts WHERE contact_id
pattern: *Query execution time exceeded the threshold:*seconds. Query: SELECT * FROM contacts WHERE contact_id*

Then add a lookup definition and use the advanced option to set WILDCARD(pattern). Now you can use lookup on your events to find out which type of loglines you have:

| lookup patterns.csv pattern as _raw
| stats count by logline
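To show what the WILDCARD lookup in the reply above actually does to a raw event, here is an added example (not code from the thread) that reimplements the match in Python: each pattern is turned into an anchored regex in which only `*` is a wildcard and every other character is literal, each event is tagged with the first matching logline, and the result is counted the way `| stats count by logline` would. The patterns are the ones from the reply; the sample events are constructed for the example. Note that the `*` inside `SELECT *` in the second and third patterns is itself a wildcard, so those rows also match queries that select named columns.

```python
import re
from collections import Counter

# The lookup rows from the reply: (logline, pattern). Only '*' is special.
PATTERNS = [
    ("Deprecated configuration detected in path Please update your settings to use the latest configuration options.",
     "*Deprecated configuration detected in path* Please update your settings to use the latest configuration options.*"),
    ("Query execution time exceeded the threshold: seconds. Query: SELECT * FROM users WHERE last_login",
     "*Query execution time exceeded the threshold:*seconds. Query: SELECT * FROM users WHERE last_login*"),
    ("Query execution time exceeded the threshold: seconds. Query: SELECT * FROM contacts WHERE contact_id",
     "*Query execution time exceeded the threshold:*seconds. Query: SELECT * FROM contacts WHERE contact_id*"),
]

# Constructed sample _raw values for the example; not taken from the thread.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z WARN Deprecated configuration detected in path /etc/app/legacy.conf. Please update your settings to use the latest configuration options.",
    "2024-05-01T10:00:05Z WARN Query execution time exceeded the threshold: 3.2 seconds. Query: SELECT * FROM users WHERE last_login < '2024-01-01'",
    "2024-05-01T10:00:09Z WARN Query execution time exceeded the threshold: 12 seconds. Query: SELECT * FROM contacts WHERE contact_id = 42",
    "2024-05-01T10:00:12Z INFO Service started on port 8080",
]


def wildcard_to_regex(pattern):
    """Compile a Splunk-style wildcard pattern.
    '*' matches any run of characters (including none); everything else,
    including '?', '[' and '.', is escaped and matched literally. The regex is
    anchored at both ends, which is why the lookup patterns start and end with '*'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


COMPILED = [(logline, wildcard_to_regex(p)) for logline, p in PATTERNS]


def classify(raw):
    """Return the logline label of the first matching row, or None.
    First match in table order wins, so put more specific patterns first
    if two rows could match the same event."""
    for logline, rx in COMPILED:
        if rx.match(raw):
            return logline
    return None


def count_by_logline(events):
    """Equivalent of '| lookup ... pattern as _raw | stats count by logline'.
    Events that match no row get no logline field, so stats drops them."""
    return Counter(label for label in map(classify, events) if label is not None)


if __name__ == "__main__":
    for logline, n in count_by_logline(SAMPLE_EVENTS).items():
        print(n, logline)
```

Matching is case-sensitive here, as a Splunk lookup is by default; if the same patterns are to be applied to mixed-case sources, normalise _raw (or set the lookup definition to case-insensitive) rather than multiplying rows. Keeping the patterns in a lookup rather than in the search means the set of known log line types can grow without editing the saved search.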