Hi, I'm planning on using LDAP user authentication for a mid size Splunk Enterprise environment. Reading through the splunk documentation Im getting confuse don what is the minimum required information needed to set it up.  Config files vs Splunk Web Is the the bindDN and bindDN password required or just optional? Is the set up through Splunk Web different from set up by config files? Cause i do see differences in the optional fields  LDAPS If I setup LDAPS meaning using SSL, what are the steps that need to be done? Do I need to use certificates? and where do these need to be placed?  Thank you Oj.

Ideally, JOB should start with Status as either RUNNING or STARTJOB or maybe both and it can end with either status as Termination, failure, Inactive, or success. Examples: [11/27/2021 08:00:00] TEST EVENT: STARTJOB JOB: A [11/27/2021 08:00:05] TEST EVENT: CHANGE_STATUS STATUS: RUNNING JOB: A [11/27/2021 08:06:23] TEST EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: A [11/28/2021 08:00:00] TEST EVENT: STARTJOB JOB: A [11/28/2021 08:00:05] TEST EVENT: CHANGE_STATUS STATUS: RUNNING JOB: A [11/28/2021 08:00:05] TEST EVENT: CHANGE_STATUS STATUS: FAILURE JOB: A [11/28/2021 09:06:23] TEST EVENT: CHANGE_STATUS STATUS: SUCCESS JOB: A [11/26/2021 08:00:05] TEST EVENT: CHANGE_STATUS STATUS: RUNNING JOB: B [11/26/2021 20:06:23] TEST EVENT: CHANGE_STATUS STATUS: FAILURE JOB: B [11/25/2021 08:00:00] TEST EVENT: STARTJOB JOB: C [11/25/2021 20:06:23] TEST EVENT: CHANGE_STATUS STATUS: INACTIVE JOB: C I have more than 1400 jobs, some are running daily, some monthly, and some quarterly. In this scenario, Ultimately I am looking to calculate the last 90 days' average of duration (job end time - job start time) but somehow events are not getting properly grouped.   Below is the query currently I am using:-  Example 1 | eval end=case(_raw LIKE "%INACTIVE%","FAIL", _raw LIKE "%TERMINAT%","FAIL", _raw LIKE "%FAILURE%","FAIL" ,_raw LIKE "%SUCCESS%","FAIL",true(),"NA") | reverse | sort - _time limit=0 | transaction JOB startswith="*STARTJOB* AND *RUNNING*" endswith="end="FAIL"" keeporphans=true maxevents=9999999 keepevicted=true Example 2 | transaction JOB startswith=(STATUS="RUNNING" OR STATUS="STARTJOB") endswith=(*TERMINATED*) OR (*FAILURE*) OR (*INACTIVE*) OR (*SUCCESS*) keeporphans=true maxevents=9999999 keepevicted=true Any help would be highly appreciated. Thanks in advance.  

Hi,   I have splunk security essentials app v3.3.2 installed in my splunk enterprise, but could not find post-filter macro related to it such as `detect_mimikatz_using_loaded_images_filter`. Kindly help

Using the app user interface introduced in 5.1.0.70187, when running the app from this interface, it fails saving state. This is a new feature in 5.1 which does not exist in 5.0. When running the app from an event, there is no issue. Looking at the state directory, there are temporary files created in the directory for each failed execution. Note: there is a permission error chmod_func(dst, stat.S_IMODE(st.st_mode))\r\nPermissionError: [Errno 1] likely the root cause of the issue. {"identifier": "retrieve flows", "result_data": [{"data": [], "extra_data": [], "summary": {}, "status": "failed", "message": "Could not retrieve Tenants(Domains)", "parameter": {"timespan": 60, "start_time": "2022-01-24T15:30:00Z", "record_limit": 2000, "malicious_ip": "192.168.200.50"}, "context": {}}], "result_summary": {"total_objects": 1, "total_objects_successful": 0}, "status": "failed", "message": "Exception Occurred. [Errno 1] Operation not permitted: '/opt/phantom/local_data/app_states/eac976c5-c8d7-4b77-9fdd-52bab068679c/9_state.json'.\r\nTraceback (most recent call last):\r\n File \"../pylib/phantom/base_connector.py\", line 3252, in _handle_action\r\n File \"/opt/phantom/apps/ciscosecurenetworkanalytics_eac976c5-c8d7-4b77-9fdd-52bab068679c/ciscosecurenetworkanalytics_connector.py\", line 458, in finalize\r\n self.save_state(self._state)\r\n File \"../pylib/phantom/base_connector.py\", line 2978, in save_state\r\n File \"/opt/phantom/usr/python36/lib/python3.6/shutil.py\", line 246, in copy\r\n copymode(src, dst, follow_symlinks=follow_symlinks)\r\n File \"/opt/phantom/usr/python36/lib/python3.6/shutil.py\", line 144, in copymode\r\n chmod_func(dst, stat.S_IMODE(st.st_mode))\r\nPermissionError: [Errno 1] Operation not permitted: '/opt/phantom/local_data/app_states/eac976c5-c8d7-4b77-9fdd-52bab068679c/9_state.json'", "exception_occured": true, "action_cancelled": false} Traceback (most recent call last):   File "ciscosecurenetworkanalytics_eac976c5-c8d7-4b77-9fdd-52bab068679c/eac976c5-c8d7-4b77-9fdd-52bab068679c_2022_01_25_02_38_01.py", line 32, in <module> raise Exception("Action Failed") Exception: Action Failed   There is no issue with the code in 5.0.1.66250 as this user interface does not exist. The code functions fine from the shell/CLI or from the events screen.

Hello All, I have a simple search for the alert: Index="vpn" message="recently failed" |table _time, host,message Alert triggers when results are >2 I need to put all events field's results in the ServiceNow ticket description. Unfortunately, $results.fieldname$ take results of the first event. But this alert requires to have >2 events. Are there any options to manage it with multiple events? Thank you in advance!

Hello, i have added a Multiselect field to my dashboard and i am using a search to fill it with values, One of this values is "Not tested" and if i select this value in multiselect field i do  not get search results. All other values like "A" , "A+", "***" are working but no values whitespaces. code for use of the nultivaluefield in search to filter a table:         | search grade IN ($ms_X9Rhybia$)         I think the reason is the handling of the multiselect field with whitespace in $ms_X9Rhybia$ (wrong detection of whitspace as delimiter for example)

Hi, There is some host which is reporting to Splunk with a different sourcetype. We want to filter all the host which is only reporting for XYZ sourcetype. And host needs to be shown if it's reporting for XYZ sourcetype along with any other sourcetype. could you please help us on this query.

This is give me data in integers, I want calculate percentages. How can we do it? | savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") | bin _time span=1d | chart count(incident_number) as IncidentCount over _time by hasAppBlueprints

Hi, I can only find old articles on this so apologies if I've missed something... Does anyone use Splunk for FIX.5.0? I can only find a now archived app which we are thus far unable to get working in our environment. Any guidance/suggestions would be most welcome. Thanks

Hi , I have requirement like there two panels, in which the 1st one has success and failure as a column name and on click of these success or failure count a drill down panel should show the result. these success and failure was categorized by below values in logs like statusCode = 200 , then its is success statusCode = 400 or 500, then it is failure   as said above the drilldown panel should show result on selection of the success/ failure count. it tried with below query it is not working  having token as $col$ which gets selection of that column name(Success/Failure) query is message.flow="individual" | eval status=$col$| eval source= case(status=="Success",200,status=="Failure",400 OR 500) | message. statusCode= source| table time,details, message. statusCode kindly help on fixing it. the parameter value of source should be passed to the message.statusCode

Hi Folks Is there a way to analyze the bandwith used between the SearchHeads and the indexer cluster peers? I know this has many dependencies on the search and its artifacts but we do need to have a rough calculation to size the environment. Any help is appreciated. Cheers, Claudio

Hi , am new to this... i want to Identify top 5 usage days from that i want to drill down to how many no. of visitors accessing that application, how many no. of page views are happening, which JSP/ASP pages are mostly accessed by end users.. Please suggest me the query