Hi, I'm doing a project and I've installed Splunk Trial Enterprise on a server and Universal Forwarder on other three servers (with Ubuntu) that sends me logs. On forwarders exist a script that sends me logs of every processes that's running on server. I would to create a dynamic list where logs of processes is added and tagged as "Well-Knowned Processes".   After that when new logs of processes come to indexer they are compared with logs on dynamic list and if the process was not recognized (doesn't exist in the list) the alert is triggered. I would to do that to check suspicious process. Thanks   

Hi, I need to join data on my 2 source A and B on the fields "Workitems_URL" and "Work Item URL"  In source B, there is field "Type Name" that all of its join match must have this field contain value "Default" for a valid match. If any of the matches do not have "Type Name" as "Default" then it will not be counted. I tried to use a filter "Type Name"="Default" for the source B but it does not seem to be correct. Please let me know how to make this work Thanks  

Hi All,  Below are 2 sets of raw events from my DDOS appliance.  The sets are separated based on the eventID field.  In the 1st set, there are 3 events for the eventID=7861430818955774485  while in the 2nd set the eventID=7861430818955774999 has 2 events. Also, there is field called status which is a multi value field.  You will notice, in the 1st set the status has 3 values- starting, holding and end.   While in 2nd one, status has 2 values starting and hold.             Jun 20 13:58:05 172.x.x.x logtype=attackevent;datetime=2022-06-20 13:57:38+08:00;eventID=7861430818955774485;status=starting;dstip=10.x.x.x;eventType=DDoS Attack Alert;severity=high;description=pps=3450,bps=39006800;subtype=FIN/RST Flood;attackDirection=inbound; Jun 20 13:59:05 172.x.x.x logtype=attackevent;datetime=2022-06-20 13:58:07+08:00;eventID=7861430818955774485;status=holding;dstip=14.x.x.x;eventType=DDoS Attack Alert;severity=high;description=pps=0,bps=0;subtype=FIN/RST Flood;attackDirection=inbound; Jun 20 14:00:07 172.x.x.x logtype=attackevent;datetime=2022-06-20 13:59:07+08:00;eventID=7861430818955774485;status=end;dstip=14.x.x.x;eventType=DDoS Attack Alert;severity=high;description=pps=0,bps=0;subtype=FIN/RST Flood;attackDirection=inbound; Jun 20 13:58:05 64.x.x.x logtype=attackevent;datetime=2022-06-20 13:57:38+08:00;eventID=7861430818955774999;status=starting;dstip=10.x.x.x;eventType=DDoS Attack Alert;severity=high;description=pps=3450,bps=39006800;subtype=FIN/RST Flood;attackDirection=inbound; Jun 20 13:59:05 64.x.x.x logtype=attackevent;datetime=2022-06-20 13:58:07+08:00;eventID=7861430818955774999;status=holding;dstip=14.x.x.x;eventType=DDoS Attack Alert;severity=high;description=pps=0,bps=0;subtype=FIN/RST Flood;attackDirection=inbound;               My requirement is only to show (in table or stats) those eventIDs that do not have a status=end in their span.  Basically from the above raw events, the  search should filter out the 1st set completely and only show data about the 2nd set because there is no status=end for eventID=7861430818955774999 .  How to achieve this? I am using below search,  but it still ends up listing the 1st eventID also.           ...base search... | eval start=if(in(status, "starting"), _time, NULL), end =if(in(status,"holding"), _time, NULL) | stats earliest(start) as start_time , latest(end) as end_time, values(eventID) , values(status), values(eventType), values(severity), values(dstip), values(subtype) dc(status) as dc_status BY eventID | where dc_status > 2 | eval duration=tostring((end_time-start_time), "duration") | convert ctime(start_time)| convert ctime(end_time) | rename values(*) as *           If i put status!=end in my base search,  it still shows the other events where status=starting or holding for that eventID.   I want to eliminate the eventID completely  ( as in all events for that eventID) from my results which have status=end.  Any suggestions?

How can i create an alarm when a location goes down?  index=internal sourcetype=abc | timechart span=5m count(linecount) AS Count by loc useother=f usenull=f | sort by _time desc | table _time loc  | where loc< 10 2022-06-22 02:15:00 0 0 0 102 949 941 967 969 45 33 2022-06-22 02:14:00 0 0 0 143 1167 1139 1146 1195 49 75 2022-06-22 02:13:00 0 0 0 134 874 827 891 876 29 46 2022-06-22 02:12:00 1 0 0 130 770 789 773 736 59 60

I have a sub query that gives the output example below  Sub Query [ search index=prod_diamond sourcetype=CloudWatch_logs source=*downloadInvoice* AND *error* NOT ("lambda-warmer") | fields error.requestId | rename error.requestId as requestId | dedup requestId | format ] Output ( requestId="jjadjdfjjedd_jehdfjdjfhj" ) OR ( requestId="jgjfnfdn_jrhfjdbfd" ).... I need to edit the format that is returned from the first query.    Is there a way to change the search to something less specific? Such as (*jjadjdfjjedd_jehdfjdjfhj*) OR (*jgjfnfdn_jrhfjdbfd*) ..... As I need to find all events that include the requestId, not just when it is specific to that variable.

I am working producing a table that calculates the number of incidents resolved by each analyst.  What my query does is produces a table with three columns with a count of 'Class Names': Analyst / Class Name / count What I am trying to do is produce an output with (4) columns with a count under the descrete columns and a total of the row to the right: Analyst / Class Name 1 / Class Name 2 / Total Count (of all class names)     <query> | table "Analyst" "Class Name" | stats count by Analyst "Class Name"      

I have a Splunk server which runs both the Deployment Server and the License Master running on version 8.2.4. Due to the CVE released related to the Deployment Server, I would like to upgrade this server to 9.0 and I don't expect any issues between the DS and the universal forwarders. My concern is with the License Master as this component communicates with the rest of the deployment. The latest documentation of version compatibility is found here: Configure a license master - Splunk Documentation, which is for 8.2.6 as there is no version (as of today, 6/21/2022) of this page for version 9.0. Upgrading the entire Splunk Enterprise deployment right now is not feasible (we are planning in the near future to complete it), but upgrading this one component to mitigate the vulnerability is priority. Should I expect any issues with the licensing after the upgrade of the License Master when the major versions don't match with the rest of the deployment?

Hi All, is it possible to retrieve the (splunk soar) instance details inside a playbook? For instance when sending an email, I want to be able to tell if the playbook ran in dev or prod environment. Is there a list of all the global environment variables?   Thanks in advance