Hello, I'm trying to create a DB Connect input to log the result of a query inside an index. The query returns data, as I can see when I execute it from Splunk; however, when I go to the Search I can't find anything in the index that I configured for it.
1 - From the "DB Connect Input Health" I see no errors and it shows events from the input I created every x minutes (exactly as I configured it). It also shows this metric, which also confirms that data is being returned in the execution: DBX - Input Performance - HEC Median Throughput Search is completed 0.0465 MB
2 - From "index=_internal pg6 source="/opt/splunk/var/log/splunk/splunk_app_db_connect_server.log"" I can see that it logs: Job 'my_input_name' started / Job 'my_input_name' stopping / Job 'my_input_name' finished with status: COMPLETED
3 - If I search the index I created for it, it is empty.
4 - splunk_app_db_connect 3.9.0
Thanks for any light!
Hi, I am currently working on ticket reporting. Each ticket has a lastUpdateDate field which gets updated multiple times, leading to duplicates. I only need the first lastUpdateDate and the latest lastUpdateDate: the first to determine when the ticket entered the pipe and the latest to see if changes were made in the specific period range of the reporting. I tried using
| stats first(_raw) as first_entry last(_raw) as last_entry by ticket_id
but it shows me the same lastUpdateDate for both. I have read to use min and max but do not get results from that either. Thanks in advance for any hints and tips!
Are you asking if you can do this on egress in Azure, or are you trying to do the equivalent thing on ingress in Splunk? You can do filtering on input if you use ingest-evals, even using lookups (but not in the Cloud).
If you see the option but it's greyed out, you may want to check this link: https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-option-to-export-CSV-or-PDF-in-Splunk-Dashboard/m-p/558071/highlight/true
One caveat though: the host field might be being parsed out from the raw message during ingestion. In such a case you can't use it for specifying a props stanza.
Hi all, I am integrating a Splunk form/dashboard with SOAR, where I use "sendtophantom" to create a container on which a playbook needs to run. However, what I am noticing is that when the container has multiple artifacts, the playbook takes all the artifacts' CEF fields and combines them into one, which then causes havoc with my playbooks. I have considered changing the ingest settings to send MV fields as a list instead of creating new artifacts, but this will break too many other playbooks, so it isn't an option right now. My flow is basically as follows:
Container gets created with information coming from Splunk; artifact(s) contain subject and sender email information
Playbook needs to run through each artifact to get the subject and sender info
Playbook processes these values
Is there a way to specify that a playbook must run against each artifact in a container individually, or another way to alter the datapaths in the VPE to run through each artifact?
Hi @hv64, you may need to check if you have the role/privilege to view that option. Are you by any chance a Splunk admin, or just an end user of Splunk?
Currently on Splunk ES 7.3.2 (Splunk Enterprise Security), where I can see that users who used to be part of the organisation, but are now deleted/disabled (in Splunk), are still populating when I try to assign new investigations to other current members of the organisation. For instance: Incident Review -> Notable -> Create Investigation. In the investigation panel, when I try to assign the investigation to other members of the team, I can also see disabled/deleted accounts/users/members as an option to assign the investigation to. Is there any way we can stop these members from populating, so that the list of investigators replicates the current numbers we have in the team?
Hi @Iris_Pi, yes, as per the documentation: For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings.
Hi @NK, good for you, see next time! Let me know if I can help you more, or, please, accept one answer for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated
I don't see a Splunk question here. Rather, this is an HTML question. If you can illustrate your search result of 140, and the raw data iFrame receives (not what iFrame renders), show that the two are different, this can become a Splunk question. Even as an HTML question, you need to illustrate data so others can tell you possible causes. (But this is not the best place to ask HTML questions.)