Ok. So you can connect to Splunk's 8000 port from the SOAR machine, can connect to Splunk's 8089 port from local network and cannot connect to 8089 from SOAR computer? (I'm talking about connection with telnet/netcat/curl/openssl, not from the SOAR itself)
This query appears to be unsuitable for conversion to tstats. It uses too many fields that must all be indexed for tstats to supply them. Also, the query is doing its own analysis of the events, but tstats provides aggregated values, not events, which would break the calculations done in the query. What problem are you trying to solve? Perhaps tstats is not part of the answer.
You should check the auditd logs to see if SELinux prevented your connectivity. SELinux does prevent unauthorized connectivity. Of course, for short-term testing you can simply switch SELinux to permissive or disable it. The preferable long-term solution would be to either find a tunable boolean in the policies that allows this, if there is one, or adjust the policies.
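A triage script for the SELinux check suggested in the reply above. This is example code added here, not part of the original reply and not Splunk's or Phantom's own tooling. It assumes a RHEL/CentOS-style host with auditd and policycoreutils (ausearch, audit2allow, semanage, getsebool) installed; the AVC record it parses offline is constructed, and the source domain name in it is hypothetical.

```shell
#!/bin/sh
# SELinux triage for an outbound connection that works with SELinux permissive
# and fails enforcing (e.g. SOAR host -> Splunk management port 8089).
# Example code added by the editor, not part of the original reply.
# Assumes a RHEL/CentOS-style host with auditd and policycoreutils
# (ausearch, audit2allow, semanage, getsebool) installed.

# Constructed sample AVC record for the offline parsing functions below.
# The source domain "example_soar_t" is hypothetical, not a real policy type.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="python3" dest=8089 scontext=system_u:system_r:example_soar_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field RECORD KEY -> value of KEY (quoted or bare), or "-" if absent.
# Field order in audit records is not fixed, so each key is matched on its own.
avc_field() {
    avc_val=$(printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p")
    printf '%s\n' "${avc_val:--}"
}

# avc_perm RECORD -> the denied permission, e.g. name_connect, or "-".
avc_perm() {
    avc_p=$(printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^[:space:]}]*\).*/\1/p')
    printf '%s\n' "${avc_p:--}"
}

# avc_hint RECORD -> one line saying what the denial means and what to check next.
avc_hint() {
    avc_tclass=$(avc_field "$1" tclass)
    avc_port=$(avc_field "$1" dest)
    avc_ttype=$(avc_field "$1" tcontext | awk -F: '{print $3}')
    case "$avc_tclass:$(avc_perm "$1")" in
        tcp_socket:name_connect)
            printf 'outbound connect to port %s (%s) denied: run "semanage port -l | grep -w %s" to see how the port is labelled, look for a boolean with "getsebool -a", and only then build a module with audit2allow\n' \
                "$avc_port" "$avc_ttype" "$avc_port" ;;
        tcp_socket:name_bind)
            printf 'listen on port %s (%s) denied: label the port for the service, e.g. "semanage port -a -t <type> -p tcp %s"\n' \
                "$avc_port" "$avc_ttype" "$avc_port" ;;
        *)
            printf 'unhandled denial (%s on %s): read the full record with "ausearch -m AVC -ts recent"\n' \
                "$(avc_perm "$1")" "$avc_tclass" ;;
    esac
}

# selinux_triage PORT: live checks, needs root. Prints the mode, every recent
# AVC denial that names PORT and the existing port labels, then stops short of
# changing policy: read the audit2allow output before loading anything.
selinux_triage() {
    printf 'SELinux mode: %s\n' "$(getenforce 2>/dev/null || echo unknown)"
    ausearch -m AVC -ts recent 2>/dev/null | grep -- "dest=$1" | while IFS= read -r rec; do
        printf '%s %s -> %s\n' "$(avc_field "$rec" comm)" "$(avc_field "$rec" scontext)" "$(avc_field "$rec" tcontext)"
        avc_hint "$rec"
    done
    semanage port -l 2>/dev/null | grep -w -- "$1" || printf 'port %s has no explicit SELinux label\n' "$1"
    # If a boolean covers the case, prefer it over a custom module:
    #   setsebool -P <boolean> on
    # Otherwise generate and *read* a module before installing it:
    #   ausearch -m AVC -ts recent | audit2allow -M soar_splunk && cat soar_splunk.te
    #   semodule -i soar_splunk.pp
}

# Usage: sh selinux_triage.sh 8089
[ $# -eq 0 ] || selinux_triage "$1"
```

Running it with the port you cannot reach (8089 in this thread) shows whether enforcing mode is actually the cause: if no AVC record names that port, SELinux is not what is blocking you, and switching to permissive will not help. If there is a denial, the hint tells you the least invasive fix to try first.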
Yes. I can connect to Splunk from the SOAR machine. On Linux, firewalld now works with Splunk Phantom. It never occurred to me to check SELinux. It works in Enforcing mode, but I don't understand what exactly the effect on SOAR is. Would it be appropriate to disable it or put it in Permissive mode?
Sorry, but I still can't understand what the problem is (true, that can be my fault). I'm not sure if you want something different than <search by your conditions> | stats values(status) by host <and the rest of split fields> | eval finalstatus=if(status="No","No","Yes") | stats count by <your split fields> finalstatus
OK. I assume you can connect to Splunk's port 8000 locally, right? Can you do the same from the SOAR machine? (using curl, for example)? BTW, do you have SELinux enabled on the SOAR machine?
Firstly, this looks like it might be some sort of JSON, so you might be better off treating it as such. However, if you wish to proceed with regex, then you could try something like this: | rex "channel[^\w]+(?<channel>APP|web)"
Please share some raw anonymised representative sample events in a code block to preserve formatting. Please identify which fields (if any) you already have extracted. Also, please share a representation of your expected output.
Table ServerName, Final Status is not necessary here. What I want is: whenever I search based on Department, Company or Location, I should get the count of servers unique in their status, based on the condition I mentioned above. If there is any No in status, then the status for that server is No. Only if all status column values are Yes is it Yes. So now I want to display the count of Status based on a search for Department, Company or Location. Provide the Final Status count for a server, based on a search of any of the above fields. Note: Final status should be unique for each server, based on the if/else condition.
I have a deployment where 2 HFs are acting as DS, and they are both connected to the MC for licensing on port 8089. On HF 1 I tried to connect some Deployment Clients (DC) and they were successfully connected to the HF. On HF 2 I tried the same method, but the DCs are connecting to the Monitoring Console instead of the DS. Why is this behaviour happening?
I would like to calculate the success rate of the Toup transaction via Channel (APP or Web) across 4 API calls (e.g. 4 levels: the request is submitted at level 1, which does the validation and passes it on to level 2; level 2 does the business validation and passes the transaction to the next level, and so on). A few transactions may fail at level 1/2/3/4. The channel field is available only in Level 1, not in the other levels. Transaction ID is the only field common to all the levels. If I apply a filter on Channel, the output is only the list of transactions in Level 1, since the Channel field is available in level 1.
1. If I apply a filter on the Web/APP Channel, I should get the list of transaction IDs for the respective channel.
2. Taking the transaction IDs as input, it should validate the status of the transaction at each level (2/3/4).
Note: In level 2/3/4 the log has both APP and Web logs; they need to be differentiated only based on the transaction ID from level 1. HTTP status: 200 (Success); 500 (Failure).
Hello, As an admin, I deleted a user in Splunk Web, but when I try to add a user during an investigation, I still see the deleted user in the list. Why is this happening? Is there a conflict between deleting users in Splunk Enterprise and Splunk ES?
Hello. Splunk can now listen on all ports related to itself. I have no problems connecting to other services on the Mac. I gave Splunk full permission for incoming connections in the firewall on the Mac. Unfortunately, it still does not work despite this. Either I am missing a very simple point or there is a bug in the SOAR program for CentOS 8, and I will wait for the next update :))
We have recently tried installing Machine Agent on an Azure Linux machine, using the Linux ZIP bundle (Linux Install Using ZIP with Bundled JRE, appdynamics.com). Installation is successful and the AppD machine agent service is running and active at the OS end, but we noticed that the registration request failed:

yyyyyyyy000==> [system-thread-0] 29 Aug 2024 16:33:08,128 INFO ApacheClientImpl - Sending registration request: POST https://xxxxxxx.saas.appdynamics.com:443/controller/sim/v2/agent/machines HTTP/1.1
yyyyyyyy000==> [system-thread-0] 29 Aug 2024 16:33:08,193 ERROR ManagedHttpClient - Request failed with exception javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake

From the server we are able to reach the SaaS endpoint, without any proxy; the default SSL-enabled settings are active and no certificates were manually imported on either side. Any direction on this issue, please.
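"Remote host terminated the handshake" means the server closed the connection during the TLS handshake, so the useful next step is to reproduce the handshake outside the JVM and read what the server does. The script below is example code added here; it is not from the post above and not AppDynamics tooling. It assumes openssl is installed, the controller host name is a placeholder, and the SAMPLE_* outputs used by the parsing functions are constructed, not captured from a real endpoint.

```shell
#!/bin/sh
# Reproduce a Java "Remote host terminated the handshake" outside the JVM with
# openssl s_client, then read the result. Example code added by the editor, not
# from the post or from AppDynamics; the controller host name is a placeholder
# and the SAMPLE_* outputs are constructed, not captured from a real endpoint.

# tls_probe HOST [PORT] [OPENSSL_OPTS...] -> full s_client output.
# -servername sends SNI, which SaaS front ends usually require; running it
# once with -tls1_2 and once with -tls1_3 shows whether one version is rejected.
tls_probe() {
    tls_host=$1
    tls_port=${2:-443}
    shift
    if [ $# -gt 0 ]; then shift; fi
    openssl s_client -connect "$tls_host:$tls_port" -servername "$tls_host" "$@" </dev/null 2>&1
}

# tls_field OUTPUT KEY -> value of a "    Protocol  : ..." style summary line.
tls_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# leaf_issuer OUTPUT -> issuer of certificate 0 in the chain. An unexpected
# corporate CA here means a TLS-intercepting device sits between agent and controller.
leaf_issuer() {
    printf '%s\n' "$1" | awk '/^ 0 s:/ { getline; sub(/^[[:space:]]*i:/, ""); print; exit }'
}

# verify_code OUTPUT -> numeric "Verify return code", or "-" if none was printed.
verify_code() {
    vc=$(printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${vc:--}"
}

# verdict OUTPUT -> one-line reading of the probe.
verdict() {
    if printf '%s\n' "$1" | grep -q -e 'alert handshake failure' -e 'no protocols available' \
            -e 'wrong version number' -e 'unsupported protocol' -e 'alert protocol version'; then
        echo "server rejected the ClientHello: TLS version or cipher mismatch; compare what the JVM offers (java -Djavax.net.debug=ssl:handshake) with what the server accepts"
        return
    fi
    vcode=$(verify_code "$1")
    if [ "$vcode" = "-" ]; then
        echo "no certificate was received: the connection was closed early; check egress filtering and whether SNI is required"
    elif [ "$vcode" != "0" ]; then
        echo "handshake completed but the chain is not trusted here (verify code $vcode); issuer: $(leaf_issuer "$1")"
    else
        echo "handshake ok: $(tls_field "$1" Protocol) / $(tls_field "$1" Cipher); leaf issued by: $(leaf_issuer "$1"). If the JVM still fails, check that issuer against 'keytool -list -cacerts'"
    fi
}

# Constructed, abridged sample outputs for offline use of the parsers above.
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = controller.example.test
   i:C = XX, O = Example Public CA, CN = Example Public CA G2
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
---
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'
SAMPLE_REJECTED='CONNECTED(00000003)
40E7D8F6BF7F0000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
no peer certificate available
---
    Protocol  : TLSv1.2
    Cipher    : 0000
---'

# Usage: sh tls_check.sh controller.example.test 443 -tls1_2
if [ $# -ge 1 ]; then
    out=$(tls_probe "$@")
    printf '%s\n' "$out" | tail -n 12
    verdict "$out"
fi
```

If openssl completes the handshake from the same host but the agent's JVM does not, the difference is inside the JVM: the cipher suites and TLS versions it is willing to offer, or the trust store it validates against. If openssl is also cut off, the cause is on the network side, and "without any proxy" is worth re-checking by comparing the leaf issuer with the controller's expected public CA.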
Ok. Did you check whether/on which ports your Splunk server is listening? Did you try to connect to other ports/services on your Mac? Does your Mac have any kind of host firewall? (I don't know Macs, so I have no idea if it does something like that or not.) These are the basic, not Splunk-related as such, things you should check. That's why I suggested you get help locally from someone who knows networking; that would probably be much quicker than to "remotely diagnose" this issue over such a slowly responsive medium.
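The replies in this thread about port 8000 versus 8089 (reachable locally, not from the SOAR host) and the one directly above all come down to the same three checks: what is listening and on which address, whether the remote TCP connect is refused or silently dropped, and whether TCP works but TLS does not. The script below is example code added here, not from the thread and not a Splunk tool. It assumes curl is installed and ss (iproute2) or netstat is available; host names and ports are illustrative.

```shell
#!/bin/sh
# Transport-layer triage for "port 8000 is reachable but 8089 is not" style
# problems between a SOAR host and Splunk. Example code added by the editor,
# not from the thread; host names and ports are illustrative.
# Needs curl; the listener check uses ss (iproute2) or netstat.

# explain_rc RC -> what a curl exit code tells you about the path.
# Refused, dropped and TLS-failed point at different places: the listener or
# host firewall, a network firewall, or the wrong protocol on that port.
explain_rc() {
    case "$1" in
        0)  echo "ok: TCP, TLS and HTTP all worked" ;;
        6)  echo "dns: name did not resolve on this host" ;;
        7)  echo "refused: TCP connect failed fast (nothing bound on that port/address, or a host firewall REJECT)" ;;
        28) echo "timeout: no answer at all (a firewall DROP or routing problem between the hosts)" ;;
        35) echo "tls: TCP connected but the TLS handshake failed (plain-HTTP port, version/cipher mismatch, or a middlebox)" ;;
        52|56) echo "reset: connected, then the server closed or reset the connection" ;;
        60) echo "cert: handshake ok but the certificate is not trusted (only seen without -k)" ;;
        *)  echo "curl exit code $1: see the EXIT CODES section of 'man curl'" ;;
    esac
}

# probe HOST PORT -> curl exit code for an HTTPS request to HOST:PORT.
# -k because Splunk's default management certificate is self-signed and trust
# is not the question here; -m 5 keeps a DROP from hanging the script.
probe() {
    probe_rc=0
    curl -sS -k -m 5 -o /dev/null "https://$1:$2/" >/dev/null 2>&1 || probe_rc=$?
    echo "$probe_rc"
}

# diagnose LOCAL_RC REMOTE_RC -> combine the result seen on the Splunk host
# itself with the result seen from the SOAR host into one conclusion.
diagnose() {
    case "$1:$2" in
        0:0)  echo "port reachable from both sides; the problem is above TCP/TLS (credentials, token, asset configuration)" ;;
        0:7)  echo "splunkd is listening but the remote connect is refused: check which address the listener is bound to (ss -ltn) and the host firewall zones/rules for that port" ;;
        0:28) echo "splunkd is listening but remote packets never arrive: something between the hosts drops them (network firewall, security group, route)" ;;
        0:35) echo "remote TCP works but TLS does not: the port is not speaking the TLS you expect, or a device in the path is interfering" ;;
        7:*)  echo "nothing is listening locally on that port: splunkd is down or configured for a different port" ;;
        *)    echo "local: $(explain_rc "$1"); remote: $(explain_rc "$2")" ;;
    esac
}

# listener PORT -> the local TCP listeners on PORT, showing the bind address
# (127.0.0.1:8089 vs 0.0.0.0:8089 explains many "works locally only" cases).
listener() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -E "[:.]$1[[:space:]]" \
        || echo "no TCP listener on port $1"
}

# Usage on the Splunk host:  sh splunk_path_check.sh splunk.example.internal 8089
# Then run the same probe from the SOAR host and pass both codes to diagnose.
if [ $# -eq 2 ]; then
    listener "$2"
    rc=$(probe "$1" "$2")
    echo "probe $1:$2 -> $rc ($(explain_rc "$rc"))"
fi
```

Run the probe on the Splunk host and on the SOAR host against the same port and compare: a local 0 with a remote 7 means the listener or the host firewall, a remote 28 means something between the hosts, and a remote 35 means you have TCP but the port is not talking the TLS you assumed. Only once both sides return 0 is it worth looking at SOAR's asset configuration or credentials.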