Actually, it looks like some horribly disfigured JSON. It's twice escaped: " -> \" -> \\\". It might be smart to look into the ingestion process and try to optimize it.
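To make the "twice escaped" observation concrete, here is an added example (not code from the thread) that builds such a string and decodes it layer by layer. The payload and the three-deep serialisation are constructed for the demonstration; `unwrap_json` and `escape_depth` are helper names chosen here, not Splunk or library functions.

```python
import json

# Constructed sample, not taken from the thread: a JSON object serialised once,
# then embedded as a string value and serialised twice more. That is what the
# quote -> \" -> \\\" progression in the post looks like on the wire.
PAYLOAD = {"event": "login", "user": "alice", "ok": True}
ONCE_ESCAPED = json.dumps(json.dumps(PAYLOAD))
DOUBLE_ESCAPED = json.dumps(ONCE_ESCAPED)


def unwrap_json(text, max_depth=8):
    """Decode nested JSON-in-a-string until a non-string value appears.

    Returns (value, layers): the decoded object and how many json.loads
    calls it took. Raises ValueError if a layer is not valid JSON or the
    depth limit is reached, so hostile input cannot keep us looping.
    """
    value = text
    layers = 0
    while isinstance(value, str):
        if layers >= max_depth:
            raise ValueError(f"still a string after {max_depth} decodes")
        try:
            value = json.loads(value)
        except json.JSONDecodeError as exc:
            raise ValueError(f"layer {layers} is not JSON: {exc.msg}") from None
        layers += 1
    return value, layers


def escape_depth(text):
    """Longest run of backslashes directly before a double quote.

    0 for clean JSON, 1 after one extra serialisation, 3 after two,
    7 after three: each extra layer doubles the backslashes and adds one.
    Useful as a cheap ingestion-time check that a source is over-escaping.
    """
    best = 0
    run = 0
    for ch in text:
        if ch == "\\":
            run += 1
        else:
            if ch == '"':
                best = max(best, run)
            run = 0
    return best


if __name__ == "__main__":
    print(DOUBLE_ESCAPED)
    print(escape_depth(DOUBLE_ESCAPED), "backslashes before a quote")
    print(unwrap_json(DOUBLE_ESCAPED))
```

The fix belongs at the producer: whichever stage wraps an already-serialised document in another `json.dumps` (or equivalent) should pass the object through instead. Until then, `escape_depth` tells you how many layers a feed is adding, and `unwrap_json` gives you the object back without hand-written `replace` chains.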
To be precise, you could use two DS-es in the same environment prior to 9.2 but they would need to serve different DCs (or you'd have to have some huge load-balanced setup but that's clearly not what we're talking about here). Anyway, +1 on that question about setting up the HF. Especially since you can't set a server externally as a DC for a given DS (unless you're using DS to distribute an app updating the DC settings but again - it's almost surely not the case here).
Hi @ITWhisperer, above are the 2 sample events with transaction ID. The log pattern will be the same but only the Channel and Transaction ID will be different, so if I apply a filter at Channel level it only gets reflected in the Level 1 event, since there is no Channel in the remaining 3 events. I need to calculate whether the transaction passed successfully at all levels or failed in between.
I need some clarification. Are the HFs acting as deployment clients (DCs) or deployment servers (DSs)? You can't have 2 DSs in the same environment prior to Splunk 9.2. If the HFs are DCs then where is the DS? Is the MC a separate instance? You set up HF2 using "the same method". What exactly was that method? We can't tell where you went wrong without knowing what you did.
Ok. So you can connect to Splunk's 8000 port from the SOAR machine, can connect to Splunk's 8089 port from local network and cannot connect to 8089 from SOAR computer? (I'm talking about connection with telnet/netcat/curl/openssl, not from the SOAR itself)
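The distinction the reply draws (a raw TCP connect with telnet/netcat versus what the SOAR app itself reports) is what separates a firewall drop from a refused port from a TLS or application problem. The following is an added example, not code from the thread or from Splunk, that makes those verdicts explicit; the throwaway loopback HTTP server exists only so the probes can be exercised offline, and the function names are chosen here.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_probe(host, port, timeout=3.0):
    """Plain TCP connect, the same check telnet/nc makes. Returns a verdict string.

    "timeout" usually means a firewall DROP or no route; "refused" means the host
    answered but nothing listens there (or a REJECT rule); "open" means the
    handshake completed and any remaining problem sits above layer 4.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.errno}"


def http_probe(host, port, path="/", use_tls=False, timeout=3.0):
    """Send a minimal GET and return the HTTP status line, like curl -I would.

    TLS verification is switched off on purpose: this is a reachability check
    against a management port that often carries a self-signed certificate,
    not a trust check. Do not reuse this setting in real client code.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        head = b""
        while b"\r\n" not in head:
            chunk = sock.recv(512)
            if not chunk:
                break
            head += chunk
        return head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    finally:
        sock.close()


def triage(host, ports=(8000, 8089)):
    """One TCP verdict per port, run from the client side (here: the SOAR host)."""
    return {port: tcp_probe(host, port) for port in ports}


class _OkHandler(BaseHTTPRequestHandler):
    """Stand-in for a Splunk web port: answers any GET with 200 (constructed)."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_local_server():
    """Bind a throwaway HTTP server to an ephemeral loopback port for offline use."""
    srv = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_local_server()
    print(triage("127.0.0.1", (port,)))
    print(http_probe("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
    print(triage("127.0.0.1", (port,)))
```

Run `triage("splunk-host")` from the SOAR box and from a machine on the local network and compare: "open" on 8000 and "timeout" on 8089 from one side only points at a packet filter between the two, while "open" on both with the SOAR app still failing points at TLS, credentials, or a client-side control such as SELinux.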
This query appears to be unsuitable for conversion to tstats. It uses too many fields that must all be indexed for tstats to supply them. Also, the query is doing its own analysis of the events, but tstats provides aggregated values, not events, which would break the calculations done in the query. What problem are you trying to solve? Perhaps tstats is not part of the answer.
You should check auditd logs to see if SELinux prevented your connectivity. SELinux does prevent unauthorized connectivity. Of course, for short-term testing you can simply switch SELinux to permissive or disable it. The preferable long-term solution would be to either find a tunable boolean in the policies to allow this, if there is one, or adjust the policies.
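Checking the audit log means finding the AVC records and reducing them to the few (source domain, object class, permission, target type) tuples that were actually blocked. Here is an added example, not from the thread, that does that over a constructed `audit.log` excerpt. The domain name `soar_app_t` is a placeholder for whatever the SOAR process runs as on your host (see `ps -eZ`), not a real policy type; the helper names are chosen here.

```python
import re
from collections import Counter

# Constructed audit.log excerpt, not from the thread. "soar_app_t" is a
# placeholder domain for the SOAR process; the real label comes from `ps -eZ`.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:301): avc:  denied  { name_connect } for  pid=4321 comm="python3" dest=8089 scontext=system_u:system_r:soar_app_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=42 success=no exit=-13 comm="python3" exe="/usr/bin/python3"
type=AVC msg=audit(1700000000.102:302): avc:  denied  { name_connect } for  pid=4321 comm="python3" dest=8089 scontext=system_u:system_r:soar_app_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:304): avc:  denied  { read } for  pid=999 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one AVC record into a dict, or None for non-AVC lines (SYSCALL, CWD, ...)."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "dest": int(fields["dest"]) if "dest" in fields else None,
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        # permissive=1 means the denial was logged but not enforced, which is
        # what you see after `setenforce 0` or inside a permissive domain.
        "enforced": fields.get("permissive") == "0",
    }


def summarise_denials(text):
    """Count enforced denials by (source_type, tclass, permission, target_type, dest).

    Each key is one access you would have to allow, through an existing
    boolean or a custom module, for the blocked action to succeed.
    Repeated lines for the same access collapse into the count.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied" or not rec["enforced"]:
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["tclass"], perm, rec["target_type"], rec["dest"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarise_denials(SAMPLE_AUDIT).items():
        print(n, "x", key)
```

On a real host the same records come from `ausearch -m AVC -ts recent`. A `name_connect` denial on `tcp_socket` against a port type is the classic signature of a confined service being stopped from opening an outbound connection; the long-term fix the reply recommends is a boolean (`getsebool -a`, then `setsebool -P`) where one covers the port type, otherwise a small module built from the records with `audit2allow`, rather than leaving the box permissive.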
Yes, I can connect to Splunk from the SOAR machine. In Linux, firewalld now works with Splunk Phantom. It never occurred to me to check SELinux. It works in Enforcing mode, but I don't understand what exactly the effect on SOAR is. Would it be appropriate to disable it or put it in Permissive mode?
Sorry, but I still can't understand what the problem is (true, that can be my fault). I'm not sure if you want something different than <search by your conditions> | stats values(status) by host <and the rest of split fields> | eval finalstatus=if(status="No","No","Yes") | stats count by <your split fields> finalstatus
OK. I assume you can connect to Splunk's port 8000 locally, right? Can you do the same from the SOAR machine? (using curl, for example)? BTW, do you have SELinux enabled on the SOAR machine?
Firstly, this looks like it might be some sort of JSON, so you might be better off treating it as such. However, if you wish to proceed with regex, then you could try something like this | rex "channel[^\w]+(?<channel>APP|web)"
Please share some raw anonymised representative sample events in a code block to preserve formatting. Please identify which fields (if any) you already have extracted. Also, please share a representation of your expected output.
Table ServerName, Final Status is not necessary here. What I want is: whenever I search based on Department, Company or Location, I should get the count of servers unique in their status, based on the condition I mentioned above. If there is any No in the status, then everything for that server's status is No. Only if all status column values are Yes is it Yes. So now I want to display the count of Status based on a search by Department, Company or Location. Provide the Final Status count for a server, based on a search of any of the above fields. Note the Final Status should be unique for each server based on the if-else condition.
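The rule stated here (any No makes the server No; only all Yes makes it Yes) and the stats/eval/stats pipeline suggested earlier in the thread are the same computation, so one reference implementation serves both posts. The following is an added example, not code from the thread and not SPL; it is meant as something to check the search's output against. The rows are constructed, and the split-field names follow the poster's Department, Company and Location. One decision the rule leaves open is handled explicitly: a server with no No but not all Yes (blank values, for instance) is reported as "Unknown" rather than silently promoted to Yes.

```python
from collections import Counter, defaultdict

SPLIT_FIELDS = ("Department", "Company", "Location")

# Constructed rows standing in for the search results: one row per
# (server, check), each carrying the fields the poster wants to filter on.
ROWS = [
    {"ServerName": "srv01", "Department": "Finance", "Company": "Acme", "Location": "NYC", "Status": "Yes"},
    {"ServerName": "srv01", "Department": "Finance", "Company": "Acme", "Location": "NYC", "Status": "No"},
    {"ServerName": "srv01", "Department": "Finance", "Company": "Acme", "Location": "NYC", "Status": "Yes"},
    {"ServerName": "srv02", "Department": "Finance", "Company": "Acme", "Location": "LON", "Status": "Yes"},
    {"ServerName": "srv02", "Department": "Finance", "Company": "Acme", "Location": "LON", "Status": "Yes"},
    {"ServerName": "srv03", "Department": "IT", "Company": "Acme", "Location": "NYC", "Status": "Yes"},
    {"ServerName": "srv03", "Department": "IT", "Company": "Acme", "Location": "NYC", "Status": "Yes"},
    {"ServerName": "srv04", "Department": "IT", "Company": "Beta", "Location": "LON", "Status": "Yes"},
    {"ServerName": "srv04", "Department": "IT", "Company": "Beta", "Location": "LON", "Status": ""},
    {"ServerName": "srv05", "Department": "IT", "Company": "Beta", "Location": "LON", "Status": "No"},
    {"ServerName": "srv05", "Department": "IT", "Company": "Beta", "Location": "LON", "Status": ""},
]


def final_status(statuses):
    """The poster's rule: any "No" makes the server "No"; only all "Yes" makes it "Yes".

    Anything else (blank or unexpected values with no "No") is "Unknown",
    so a missing check never reads as a passed one.
    """
    values = set(statuses)
    if "No" in values:
        return "No"
    if values == {"Yes"}:
        return "Yes"
    return "Unknown"


def status_per_server(rows):
    """Collapse many rows per server into one final status (the `stats values(status) by host` step)."""
    seen = defaultdict(list)
    for row in rows:
        seen[row["ServerName"]].append(row["Status"])
    return {server: final_status(vals) for server, vals in seen.items()}


def count_final_status(rows, **filters):
    """Filter on any combination of split fields, roll up per server, then count servers per final status."""
    bad = set(filters) - set(SPLIT_FIELDS)
    if bad:
        raise ValueError(f"not a split field: {sorted(bad)}")
    selected = [r for r in rows if all(r.get(k) == v for k, v in filters.items())]
    return Counter(status_per_server(selected).values())


if __name__ == "__main__":
    print(status_per_server(ROWS))
    print(count_final_status(ROWS, Department="Finance"))
    print(count_final_status(ROWS, Company="Beta", Location="LON"))
```

The order matters: filter first, roll up to one status per server second, count last. Counting before the roll-up (or counting rows instead of servers) is what produces a server that shows up under both Yes and No.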