Dear Community,

How do I display the values of a second dropdown based on the value selected in the first dropdown?

<input type="dropdown" token="site" searchWhenChanged="true">
  <label>Region</label>
  <fieldForLabel>region</fieldForLabel>
  <fieldForValue>region_value</fieldForValue>
  <search>
    <query>| inputlookup regions_instances.csv | fields region region_value</query>
  </search>
</input>

<input type="dropdown" token="instance" searchWhenChanged="true">
  <label>Instance</label>
  <fieldForLabel>instance</fieldForLabel>
  <fieldForValue>instance_value</fieldForValue>
  <search>
    <!-- $site$ carries the first dropdown's fieldForValue, so filter on region_value -->
    <query>| inputlookup regions_instances.csv | search region_value="$site$" | fields instance instance_value</query>
  </search>
</input>
Hi Splunkers,

I have an issue with the timestamp the data is being indexed with. Here is an example of my logs. I applied the props at sourcetype level; however, it doesn't seem to be working. Please help.

Scenario 1

Time: 6/20/22 10:35:59.833 PM
Event: 2022-06-20 18:35:59,833  [200] Error logs http client

props.conf:

TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 24
TZ = UTC

Scenario 2

Time: 6/20/22 10:24:05.000 PM
Event: 2022-06-20 22:23:53 Error logs http client
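An added example, not from the post or from Splunk's own code: a small Python emulation of the strict part of timestamp extraction (TIME_PREFIX locates the window, MAX_TIMESTAMP_LOOKAHEAD bounds it, TIME_FORMAT must match there), run over the two raw events quoted in the post. The directive table and the %3N-to-%f translation are assumptions that cover only the directives the posted TIME_FORMAT uses; Splunk's fallback when the format does not match (other heuristics, then index time) is not modelled. The second event has no ",%3N" fraction, so the posted format cannot match it, while a format without the fraction matches both at the cost of the milliseconds. The as_seen_by helper renders the extracted instant in a fixed-offset zone, which makes it easy to check which zone interpretation reproduces the display the post shows.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of Splunk strptime directives mapped to regex fragments. Assumption: only
# the directives that appear in the posted TIME_FORMAT are covered.
DIRECTIVE_RE = {
    "%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%3N": r"\d{3}",
}


def format_to_regex(time_format):
    """Compile a TIME_FORMAT into a regex that must match at the start of the window."""
    pattern, i = "", 0
    while i < len(time_format):
        for directive, frag in DIRECTIVE_RE.items():
            if time_format.startswith(directive, i):
                pattern += frag
                i += len(directive)
                break
        else:
            pattern += re.escape(time_format[i])
            i += 1
    return re.compile(pattern)


def extract_timestamp(event, time_format, time_prefix=r"^", lookahead=24, tz=timezone.utc):
    """Emulate the strict part of Splunk timestamp extraction for one raw event.

    Returns an aware datetime in the configured TZ, or None when TIME_FORMAT does
    not match inside the lookahead window. Splunk's own fallback (other
    heuristics, then index time) is deliberately not modelled here.
    """
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    window = event[prefix.end(): prefix.end() + lookahead]
    m = format_to_regex(time_format).match(window)
    if m is None:
        return None
    py_format = time_format.replace("%3N", "%f")  # strptime has no %3N; %f accepts 3 digits
    return datetime.strptime(m.group(0), py_format).replace(tzinfo=tz)


def as_seen_by(dt, utc_offset_hours):
    """Render an indexed instant the way a viewer in a fixed-offset zone would see it."""
    local = dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return (local.strftime("%m/%d/%y %I:%M:%S.")
            + f"{local.microsecond // 1000:03d}"
            + local.strftime(" %p"))


# The two raw events quoted in the post, and the TIME_FORMAT from its props.conf.
SCENARIO_1 = "2022-06-20 18:35:59,833  [200] Error logs http client"
SCENARIO_2 = "2022-06-20 22:23:53 Error logs http client"
POSTED_FORMAT = "%Y-%m-%d %H:%M:%S,%3N"
NO_MILLIS_FORMAT = "%Y-%m-%d %H:%M:%S"


def compare_formats():
    """Return ISO timestamps (or None) for each event under both formats."""
    out = {}
    for fmt_name, fmt in (("posted", POSTED_FORMAT), ("no_millis", NO_MILLIS_FORMAT)):
        for ev_name, ev in (("scenario_1", SCENARIO_1), ("scenario_2", SCENARIO_2)):
            ts = extract_timestamp(ev, fmt)
            out[(fmt_name, ev_name)] = ts.isoformat() if ts else None
    return out


if __name__ == "__main__":
    for key, value in compare_formats().items():
        print(key, value)
    ts = extract_timestamp(SCENARIO_1, POSTED_FORMAT)
    print("scenario 1 as seen from UTC-4:", as_seen_by(ts, -4))
    print("scenario 1 as seen from UTC+4:", as_seen_by(ts, +4))
```

With TZ=UTC the 18:35:59 event renders as 10:35:59 PM only for a viewer at UTC+4; a viewer at UTC-4 sees 02:35:59 PM. Comparing that against the user's time zone setting in Splunk is the quickest way to tell whether the TZ stanza is being applied at all.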
Hello,

I am digging through my _audit index to see what searches people are running over time, but I am confused by the following fields: api_et, api_lt, apiStartTime, apiEndTime.

It would appear that api_et and apiEndTime are the same thing, same with api_lt and apiStartTime. I get that api_et/api_lt are epoch times and the others are formatted dates. Why do some entries (of type search) have api_et and api_lt, and others have apiStartTime and apiEndTime? Thus far I have had to do any calculations based on the presence of both sets and use coalesce to choose the one that's not bogus.

--jason
Hello,

I have a Linux machine where Splunk Enterprise is installed, and I would like to use it as a heavy forwarder to send the files to the cloud. How do I install the "app" (splunkclouduf.spl) from the cloud instance in Splunk Enterprise? I don't have access to the Splunk Enterprise web interface, only access to the Linux machine.

Regards
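The package can be installed from the shell with the Splunk CLI (`$SPLUNK_HOME/bin/splunk install app /path/to/splunkclouduf.spl`, followed by a restart); no web UI is needed. Because that file carries the credentials that let the forwarder talk to the cloud stack, it is worth looking inside it before installing. The following is an added example, not from the post or from Splunk: a Python inspector that lists a .spl (a gzipped tar of one app directory) without extracting it, checks for unsafe member paths, flags anything under bin/ (which would run as the splunk user), and builds the install command. The expectation that the package carries default/outputs.conf is an assumption, and build_sample_spl writes a constructed stand-in, not a real credentials package.

```python
import io
import os
import tarfile
import tempfile

# Assumptions about the package: it is a gzipped tar of one app directory and
# should carry default/outputs.conf (the forwarding target). Anything under bin/
# would execute as the splunk user, so it is reported rather than silently accepted.
REQUIRED_FILES = {"default/outputs.conf"}
SUSPECT_PREFIXES = ("bin/",)


def inspect_spl(path):
    """List a .spl without extracting it. Returns (app_name, relative_paths, findings)."""
    with tarfile.open(path, "r:gz") as tf:
        names = [m.name for m in tf.getmembers() if m.isfile()]
    findings = []
    for n in names:
        if n.startswith("/") or ".." in n.split("/"):
            findings.append(f"unsafe member path: {n}")
    tops = {n.split("/", 1)[0] for n in names}
    if len(tops) != 1:
        raise ValueError(f"expected exactly one app directory, got {sorted(tops)}")
    app = tops.pop()
    rel = sorted(n.split("/", 1)[1] for n in names if "/" in n)
    for req in REQUIRED_FILES:
        if req not in rel:
            findings.append(f"missing {req}")
    for n in rel:
        if n.startswith(SUSPECT_PREFIXES):
            findings.append(f"executable content: {n}")
    return app, rel, findings


def install_command(splunk_home, spl_path):
    """argv for the CLI install (no web UI needed); run it as the splunk user."""
    return [os.path.join(splunk_home, "bin", "splunk"), "install", "app", spl_path]


def build_sample_spl(path, extra_files=None):
    """Write a constructed stand-in for splunkclouduf.spl; NOT a real credentials package."""
    files = {
        "splunkclouduf/default/outputs.conf": b"[tcpout]\ndefaultGroup = splunkcloud\n",
        "splunkclouduf/default/client.pem": (
            b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"),
    }
    files.update(extra_files or {})
    with tarfile.open(path, "w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


def demo():
    """Inspect a clean package and one with an added bin/ script; return both reports."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "splunkclouduf.spl")
        build_sample_spl(clean)
        tampered = os.path.join(d, "tampered.spl")
        build_sample_spl(tampered, {"splunkclouduf/bin/post_install.sh": b"#!/bin/sh\n"})
        return inspect_spl(clean), inspect_spl(tampered)


if __name__ == "__main__":
    (app, files, findings), (_, _, tampered_findings) = demo()
    print(app, files, findings or "ok")
    print("tampered:", tampered_findings)
    print(" ".join(install_command("/opt/splunk", "/tmp/splunkclouduf.spl")))
```

Only install when the findings list is empty; an unexpected bin/ entry in what should be a pure configuration-and-certificate package is reason to fetch it again from the cloud instance rather than proceed.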
First of all, I am new to cyber and got Splunk dumped in my lap. I am really trying to get knowledgeable on it, but 1) I am horrible with coding, and apparently that includes regex, and 2) long lines of code or search strings are like sensory overload to me.

That being said, I am trying to clean up our alerts, as we are getting bogged down daily with well over 3k alerts that could most likely be expunged. Many of our alerts are based on tstats search strings. It shows a great report, but I am unable to get into the nitty gritty. For example, the brute force string below brings up a Statistics table with various elements (src, dest, user, app, failure, success, locked) showing failure vs success counts for particular users who meet the criteria in the string.

My issue: I try to click on a user and choose "view events", which brings up a new search with a modified string (of course), but it still only shows a tstats table, with different headers (action, src, dest, user, app, count, failure, success). What I would like is that when I choose "view events" for a particular user, it actually shows me that event and the correlating log input. Is this possible? Why would I want a brute force alert if I cannot narrow down to the events, especially the failed logins?

Again, please have mercy, I am entry level and still learning Splunk. I love the apps and abilities it has, but using the search box is like I lost all my intelligence.
The brute force search:

| tstats `summariesonly` values(Authentication.app) as app, count from datamodel=Authentication.Authentication by Authentication.action, Authentication.src, Authentication.dest, Authentication.user
| `drop_dm_object_name("Authentication")`
| search user!=unknown user!=SYSTEM app!=splunkd_remote_searches src!=MWG* user!=TWC-*
| eval success=if(action="success",count,0), failure=if(action="failure",count,0)
| stats values(dest) as dest, values(user) as user, values(app) as app, sum(failure) as failure, sum(success) as success by src
| join user
    [search index=top_wineventlog EventCode=4740
    | eventstats count(user) as locked_count by user
    | dedup user, host
    | table user, locked_count]
| search failure>30 success>0
| where failure>success
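The reason "view events" comes back as another table is that the alert is built on tstats over the Authentication data model: it reads the accelerated summary, not the raw events, so the rows have no events to drill into. The following is an added example, not from the post or from Splunk's Enterprise Security content, showing the same detection logic (the same exclusions, the per-src failure/success roll-up, the failure>30, success>0 and failure>success gates, and a lockout count standing in for the EventCode 4740 join) written in Python over a constructed set of events in Authentication data-model field names, with the raw events kept on each row so that a drilldown can return them. The sample events and the lockout map are constructed, and the field names, thresholds and exclusion lists are taken from the posted search.

```python
from collections import defaultdict

# Exclusions copied from the posted search:
#   user!=unknown user!=SYSTEM app!=splunkd_remote_searches src!=MWG* user!=TWC-*
EXCLUDED_USERS = {"unknown", "SYSTEM"}
EXCLUDED_APPS = {"splunkd_remote_searches"}
EXCLUDED_SRC_PREFIXES = ("MWG",)
EXCLUDED_USER_PREFIXES = ("TWC-",)


def is_excluded(event):
    return (event["user"] in EXCLUDED_USERS
            or event["app"] in EXCLUDED_APPS
            or event["src"].startswith(EXCLUDED_SRC_PREFIXES)
            or event["user"].startswith(EXCLUDED_USER_PREFIXES))


def brute_force_candidates(events, lockouts, min_failures=30):
    """Roll up per src like the posted tstats | stats pipeline, then apply
    failure>min_failures, success>0 and failure>success. Unlike the summary-only
    tstats result, every returned row keeps the raw events behind it."""
    by_src = defaultdict(lambda: {"failure": 0, "success": 0, "users": set(),
                                  "dests": set(), "apps": set(), "events": []})
    for e in events:
        if is_excluded(e) or e["action"] not in ("failure", "success"):
            continue
        row = by_src[e["src"]]
        row[e["action"]] += 1
        row["users"].add(e["user"])
        row["dests"].add(e["dest"])
        row["apps"].add(e["app"])
        row["events"].append(e)
    out = []
    for src, row in sorted(by_src.items()):
        if row["failure"] > min_failures and row["success"] > 0 and row["failure"] > row["success"]:
            out.append({
                "src": src,
                "failure": row["failure"],
                "success": row["success"],
                "users": sorted(row["users"]),
                "dests": sorted(row["dests"]),
                "apps": sorted(row["apps"]),
                # stand-in for the EventCode 4740 join: lockouts per user, summed over the row
                "locked_count": sum(lockouts.get(u, 0) for u in row["users"]),
                "events": row["events"],
            })
    return out


def drilldown(events, src, action="failure"):
    """The 'view events' the poster wants: the raw events behind one row of the table."""
    return [e for e in events
            if e["src"] == src and e["action"] == action and not is_excluded(e)]


def _ev(src, user, action, dest="dc01", app="win:remote"):
    return {"src": src, "user": user, "action": action, "dest": dest, "app": app}


# Constructed sample in Authentication data-model field names (not real data).
SAMPLE_EVENTS = (
    [_ev("10.0.0.5", "alice", "failure") for _ in range(20)]
    + [_ev("10.0.0.5", "bob", "failure") for _ in range(15)]
    + [_ev("10.0.0.5", "bob", "success")]                        # spray, then one hit
    + [_ev("10.0.0.9", "carol", "success") for _ in range(3)]
    + [_ev("10.0.0.9", "carol", "failure") for _ in range(2)]    # ordinary typos
    + [_ev("MWG-proxy1", "dave", "failure") for _ in range(50)]  # dropped by src!=MWG*
    + [_ev("10.0.0.7", "SYSTEM", "failure") for _ in range(40)]  # dropped by user!=SYSTEM
)
SAMPLE_LOCKOUTS = {"bob": 1}  # constructed stand-in for EventCode 4740 counts per user


if __name__ == "__main__":
    for row in brute_force_candidates(SAMPLE_EVENTS, SAMPLE_LOCKOUTS):
        print({k: v for k, v in row.items() if k != "events"})
        print(" first failing events:", drilldown(SAMPLE_EVENTS, row["src"])[:3])
```

The Splunk equivalent of drilldown() is a second, non-tstats search over the raw index for the chosen src with action=failure; the summary can tell you which src to look at, but only the raw events carry the detail worth triaging.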
I have an event which is constructed like the following:

{
  name: string,
  time: string,
  duration: string,
  logs: JSONObjects[]
}

When I download the event, I just want the logs, which is everything inside [] but without the head part, which is "{logs:", and the last "}". How do I construct the search query to do that?
I have this query and I want to count how many logins were made by id. If a person logged in 3 times I just want to count once, and if there were 15 logins in total I just want to count one per id.

basic search
| fields idLogin
| stats values(idLogin) as Login, dc(idLogin) as Quantity
| table Quantity

But my field idLogin returns null.
I have configured the Splunk Add-on for Google Workspace on a Heavy Forwarder that is performing data collection and then forwarding the data to Splunk Cloud. We followed the instructions at https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/About both when configuring the Google Cloud service account and when configuring the Add-on. I configured the Add-on with the Google Cloud service account's JSON key generated on console.cloud.google.com and then configured the inputs.

We are not getting any data, and when we look at the internal logs from the Heavy Forwarder where the Splunk Add-on for Google Workspace is deployed we are seeing 401 responses like the following:

requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token?maxResults=1000&startTime=2022-06-22T19%3A07%3A10.464Z&endTime=2022-06-22T19%3A07%3A10.464Z
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/drive?maxResults=1000&startTime=2022-06-22T19%3A07%3A10.521Z&endTime=2022-06-22T19%3A07%3A10.521Z

We also went through the troubleshooting section of the docs (https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Troubleshoot) to no avail. Any guidance from someone who has deployed the GWS Add-on and gotten a 401 after configuring the inputs will be greatly appreciated.
Hi, good afternoon,

Our Heavy Forwarder is unable to forward to one of the indexers but is able to send data to another indexer. Here is what I saw in splunkd.log on the Heavy Forwarder:

06-22-2022 13:24:03.471 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 WARN AutoLoadBalancedConnectionStrategy [19320 TcpOutEloop] - Applying quarantine to ip=xx.xx.xxx.xxx port=9996 _numberOfFailures=2
06-22-2022 13:24:03.473 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.473 -0400 WARN AutoLoadBalancedConnectionStrategy [19320 TcpOutEloop] - Applying quarantine to ip=yy.yy.yy.yy port=9996 _numberOfFailures=2
Hello,

Would anyone be able to help me with this in Dashboard Studio? I have a date time picker and only want to display the "Between" from and to time. I don't want the rest of the options to be visible. Please see the attached picture; the items in the red boxes should not be visible. Or just have the calendar visible to pick dates.
Using Dashboard Studio, I am having trouble adding a drilldown that will allow me to see the attributing events of the dashboard selection. There only appears to be a way to add links to the open internet. The only options for drilldown are "No Action" or "Link to custom URL" ("Use a relative URL or absolute URL, for example, /app/search/datasets, or https://www.splunk.com"). Am I missing something? Did I create the alert incorrectly?
Hello,

I could use a little help with displaying the results of a search. I have to display 4 search results on a page:

Search A (5 results)
Search B (2 results)
Search C (4 results)
Search D (3 results)

Each of the items has a different search associated with it. Based on what is clicked, a search needs to run and display data in a table. Also, this is in Dashboard Studio. The searches and the results need to be visible on the page and not in a dropdown. Can someone point me in the right direction?
Hi,

I recently watched an instructional video on Splunk Attack Range. I am wondering: does Splunk Attack Range allow me to test more than one server or workstation at a time? Am I limited in which of my security tools I can use during the test? For example, if I wanted to test a new CrowdStrike policy, would that be possible using Splunk Attack Range?

Thanks for your time!
Adam
Hi,

As you can see, I use a first eval in order to rename the field "site". From the renamed site, I need to create a new field called "toto" in order to add new information for the field site. So I created an eval if command like below, but it doesn't work. What is wrong, please, and is there another simple way to do this?

| eval site=case(site=="BR", "Espace Br", site=="PERI THEATRE", "Espace Périg", 1==1, site)
| stats last(site) as "Espace BP" by s
| eval toto=if("Espace BP"=="Espace Br", "4G")
| table "Espace BPE" toto
Hi,

I have fields from a JSON file that are getting parsed like this (see attached). I'm struggling to find a way to turn those fields into columns in a table. Does anyone have any experience with this?

Thank you
We are using Splunk Cloud. I want to know how much data is indexed per index. Is there any way to check?

Thanks
Hi,

Is there any way to check whether a Splunk forwarder (HF or UF) has stopped sending data to Splunk Cloud?
Hello humans (and non-humans),

I am rocking the base model Enterprise (9.0) with the InfoSec app as my SIEM. Right now I see all of the scanner activity, along with service accounts. Since my scanners are testing for Apache vulns, I am getting alerts for it. Is there a way to prevent the InfoSec app from reporting "asset list"-worthy events? My understanding is that Asset Lists are only configurable in ES.

Thank you!
theSOCguy
We are unable to connect Pi-hole to Splunk. We have configured Pi-hole to send to Splunk, but we are unable to view the dashboard with the data in Splunk. We tried doing the installation and configuration the way it was given on this website: https://thetechnologistchap.com/index.php/2022/01/08/pi-hole-as-a-cyber-security-tool-pt-3-installing-a-splunk-server/

However, after following these instructions we got the error message "TCP output processor has paused the data flow....." and an empty dashboard. I will be glad if anyone could throw some light on this matter.
Hello!

I am deploying a custom input to a cluster of Heavy Forwarders from a Deployment Server. Since I only want the input to be active on one HF, I have set disabled=1 on the DS. After deploying, I SSH into the HF I want to enable the input on, create local/inputs.conf with disabled=0, and restart. I thought this was the way forward, since I didn't think reloading the DS would cause the local folder to be overwritten, but after making a change and redeploying I notice that this does in fact happen.

My question: how can I stop the DS from overwriting the local folder so it's easier to manage my HFs?

Thanks!
Andrew