Hello Fellow Splunk Admins, Not sure if this is the right place to ask this, if it is not please direct me to the right place. If it is your help is appreciated. Is anyone aware if Splunk Enterprise is affected by the recent Spring Boot Vulnerability? Do we need to be careful for any specific App which can have Spring Framework dependency? And, if we do then is there a way to detect such vulnerability in our environment?   Thanks & Regards, Arijit

Hi Community,   I am having a weird issue with Splunk Enterprise. I had set up a universal internal forwarder to execute a script that gives me the list of all different processes within the Linux environment. All of a sudden the script stopped producing results from 12 am and the panel didn't work. But again it starts working after 3 days by itself. This happened in both the test and production setup. Is there something that should be taken care of when using scripts in Universal forwarder or is there some reason for this unusual behaviour?   Regards, Pravin      

Hello, I recently upgraded the "Splunk Add-on for Microsoft Office 365" on my Splunk Heavy Forwarder to version 3.0.0, running on Splunk 8.1.4. I configured the "Cloud App Security" integration and the input for "Cloud Application Security Alerts". But, running the inputs, I think that this is bugged: the job is scheduled to download the alerts every 5 minutes. Every time the job runs, it downloads the alerts since the beginning (i. e.  from day 1 that the platform has been set up) and downloads just the first 100 alerts. Moreover, events are not indexed properly, since the timestamp that is applied is the timestamp at which the job runs, not the timestamp included in the event. Has everyone else experienced the same issue? Am I doing anything wrong?  Thanks in advance

Hi  I am trying to connect the SEP api via python and my code is as follows -  # encoding = utf-8 import os import sys import time import datetime import json import requests import base64 ''' IMPORTANT Edit only the validate_input and collect_events functions. Do not edit any other part in this file. This file is generated only once when creating the modular input. ''' ''' # For advanced users, if you want to create single instance mod input, uncomment this method. def use_single_instance_mode(): return True ''' def validate_input(helper, definition): """Implement your own validation logic to validate the input stanza configurations""" # This example accesses the modular input variable # text = definition.parameters.get('text', None) # text_1 = definition.parameters.get('text_1', None) pass def collect_events(helper, ew):  opt_clientid = helper.get_arg('clientid')  opt_clientsecret = helper.get_arg('clientsecret')  opt_customerid = helper.get_arg('customerid')  opt_domainid = helper.get_arg('domainid')  opt_apihost = helper.get_arg('apihost')    tokenUrl = "https://" + opt_apihost + "/v1/oauth2/tokens"  post = [] files = [] s = requests.Session() e = (opt_clientid + ':' + opt_clientsecret) en = e.encode('utf-8') en64 = base64.urlsafe_b64encode(en) s.headers.update({ 'Accept': 'application/json' }) s.headers.update({ 'Authorization': 'Basic ' + str(en64.decode()) }) s.headers.update({ 'Content-Type': 'application/x-www-form-urlencoded' }) s.headers.update({ 'Host': opt_apihost }) f = s.post(tokenUrl, data=post, files=files, verify=False) r = json.loads(f.text) access_token = r['access_token'] url = "https://" + opt_apihost + "/v1/devices" parameters = {"authorization":access_token} final_result = [] # The following examples send rest requests to some endpoint. response = helper.send_http_request(url, 'GET', parameters=None, payload=None,headers=parameters, cookies=None, verify=True, cert=None,timeout=None, use_proxy=True) # get the response headers #r_headers = response.headers # get the response body as text #r_text = response.text # get response body as json. If the body text is not a json string, raise a ValueError r_json = response.json() for devices in r_json["devices"]: state = helper.get_check_point(str(devices["id"])) if state is None: final_result.append(devices) helper.save_check_point(str(devices["id"]), "Indexed") event = helper.new_event(json.dumps(final_result), time=None, host=None, index=None, source=None, sourcetype=None, done=True, unbroken=False) ew.write_event(event) The test code works fine, but 1. The events are being indexed, each value is not appearing as a seperate entity but is rather grouped  2. The data is not being updated in the interval mentioned in the beginning   

Hi All,   Does Splunk Security Essentials app also map our custom (user defined) correlation searches to different MITRE tactics ?  I know it does so for the pre defined ones but what about for user defined searches? Thanks

Hi All, I have logs in splunk like below (this is one log): { "connector": { "state": "RUNNING", "worker_id": "mwgcb-csrla02u.nam.nsroot.net:8084" }, "name": "source.mq.apac.tw.ebs.ft.ft.raw.int.rawevent", "tasks": [ { "id": 0, "state": "RUNNING", "worker_id": "mwgcb-csrla02u.nam.nsroot.net:8084" } ], "type": "source" } { "connector": { "state": "RUNNING", "worker_id": "mwgcb-csrla01u.nam.nsroot.net:8084" }, "name": "source.mq.apac.tw.cards.ecms.ecms.raw.int.rawevent", "tasks": [ { "id": 0, "state": "RUNNING", "worker_id": "mwgcb-csrla02u.nam.nsroot.net:8084" } ], "type": "source" } { "connector": { "state": "RUNNING", "worker_id": "mwgcb-csrla01u.nam.nsroot.net:8084" }, "name": "sink.mq.apac.tw.cards.ecms.ecms.derived.int.sinkevents", "tasks": [ { "id": 0, "state": "RUNNING", "worker_id": "mwgcb-csrla01u.nam.nsroot.net:8084" }, { "id": 1, "state": "RUNNING", "worker_id": "mwgcb-csrla01u.nam.nsroot.net:8084" } ], "type": "sink" } I have created below query to extract the fields and create a table of those values: ..... | rex field=_raw max_match=0 "\"connector\"\:\s\{\s+\"state\"\:\s\"(?P<Connector_State>[^\"]+)\"" | rex field=_raw max_match=0 "\"connector\"\:\s\{\s+\"state\"\:\s\"\w+\"\,\s+\"\w+\"\:\s\"(?P<Worker_ID>[^\:]+)" | rex field=_raw max_match=0 "\"connector\"\:\s\{\s+\"state\"\:\s\"\w+\"\,\s+\"\w+\"\:\s\"[^\:]+\:(?P<Port>\d+)\"" | rex field=_raw max_match=0 "\"connector\"\:\s\{\s+\"state\"\:\s\"\w+\"\,\s+\"\w+\"\:\s\"[^\"]+\"\s+\}\,\s+\"name\"\:\s\"(?P<Connector_Name>[^\"]+)\"" | search Connector_State=RUNNING | table Connector_Name,Worker_ID,Port It gives me the table in below format: Connector_Name Worker_ID Port source.mq.apac.tw.cards.ecs.ecs.raw.sit.rawevent sink.mq.apac.tw.cards.ecs.ecs.raw.sit.rawevent sink.mq.apac.hk.ebs.im.im.derived.int.sinkevents gtgcb-csrla02s.nam.nsroot.net gtgcb-csrla01s.nam.nsroot.net gtgcb-csrla02s.nam.nsroot.net 8087 8087 8087 sink.mq.apac.hk.ebs.im.im.derived.int.sinkevents gtgcb-csrla02s.nam.nsroot.net 8087 source.mq.apac.tw.cards.ecs.ecs.raw.sit.rawevent sink.mq.apac.tw.cards.ecs.ecs.raw.sit.rawevent gtgcb-csrla02s.nam.nsroot.net gtgcb-csrla01s.nam.nsroot.net 8087 8087 But the requirement is to get the table as below: Connector_Name Worker_ID Port source.mq.apac.tw.cards.ecs.ecs.raw.sit.rawevent gtgcb-csrla02s.nam.nsroot.net 8087 sink.mq.apac.tw.cards.ecs.ecs.raw.sit.rawevent gtgcb-csrla01s.nam.nsroot.net 8087 sink.mq.apac.hk.ebs.im.im.derived.int.sinkevents gtgcb-csrla02s.nam.nsroot.net 8087 sink.mq.apac.hk.ebs.im.im.derived.int.sinkevents gtgcb-csrla02s.nam.nsroot.net 8087 source.mq.apac.tw.cards.ecs.ecs.raw.sit.rawevent gtgcb-csrla02s.nam.nsroot.net 8087 sink.mq.apac.tw.cards.ecs.ecs.raw.sit.rawevent gtgcb-csrla01s.nam.nsroot.net 8087 Please help to modify the query to get the output in the desired manner.

Hello, I have 3 fields from which I need to build a line chart on a Time series.   ServerTime Endpoint ResponseTime   I need to show  endpoint response time over a 95 percentile on servertime. So the servertime will be on the Y-Axis, the time series on the X-Axis and a legend that shows the endpoints. Can you please suggest a query that would achieve this.   Thank you