I am very new to Splunk and trying to gain as much knowledge as possible. I found there is an App called Splunk Global Threat Lankscape/Ip Watch List which I installed but I am getting zero results. I most definitely feel I should be seeing some type of results. Is anyone familiar with this app that can provide some feedback? 

I am working on the query that generates a table with count of security violations. I want to filter our the users with violations greater than 10.    | rex field=_raw "(?<Message>Security\sviolation)\s\S+\s\S+\s(?<User>[A-Z0-9]+)" | eval Time = strftime(_time, "%m-%d-%Y %H:%M:%S") | rename JOBNAME as Jobname Time as Date | eval Workload = substr(Jobname,1,3) | stats count(Message) as "Security Violations" by Jobname User   Resulting table User Security Violations ABC 1 DEF 4 GHI 12 JKL 3 XYZ` 20   Thank you,

I am actually new to splunk and trying to learn . Is there a way to group by the results based on a particular string. Although i found some of the answers here already, but its confusing for me. It will be really helpful if someone can answer based on my use case.  Below is the sample log that i am getting:   [2022-01-19T13:30:15.664+00:00] [odi] [ERROR] [ODI-1134] [oracle.odi.agent] [tid: 304720] [ecid: 0000NtmXuVIC^qqMwMmZMG1XqvzZ000cRu,0:68:129:176:208:135] [oracle.odi.runtime.MrepExtId: 1501670917734] [oracle.odi.runtime.AgentName: OracleDIAgent2] [oracle.odi.runtime.ExecPhase: ExecuteTask] [oracle.odi.runtime.OdiUser: _odi] [oracle.odi.runtime.WrepName: WORKREP] [oracle.odi.runtime.ScenarioName: WEB_BOOKINGS_MV] [oracle.odi.runtime.ScenarioVer: 001] [oracle.odi.runtime.LoadPlanName: wfl_WebDataSet_MV_Refresh_2TimesAD]   I want to group the results based on oracle.odi.runtime.LoadPlanName and find the latest log of it. Could someone please assist.

Could you help us in confirming whether Splunk REST APIs supports OAuth authentication apart from the existing basic authentication(username/password) and authentication tokens(link). ? We see a lot of customers enquiring about it.  Also, is it mandatory to always use an authentication token mechanism for a service account in Splunk or can we use a username/password as well ? @sloshburch 

Hi guys  I tried installing Splunk Phantom as an underprivileged user as per the documentation: https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallUnprivileged Although I pretty much get through the process without problems, when I get to the last step i get warnings about storage The installation does continue and then completes (i think) I then navigate to the ./bin directory and run the ./start_phantom.sh script but it gives me a connection to postgres error Postgres is installed so i dont know what the issue could be. Note this is a standalone instance of phantom Has anyone experienced something similar? Also I cannot access the frontend but I assume this is because phantom is not running   

Hi all, Does anyone know if it's possible to create a file from a field in an artifact? Scenario: We have an alert in Splunk SIEM that sends various bits of, tabulated, info to SOAR. One of the fields is a comma delimited list of ID's - this could be 1 or several hundred This kicks off a playbook to process this info and email the info to the 'owner' The ID data must be added to the sent email as an attachment I'm aware of the option to add attachments from the file vault to an email from SOAR using the smtp app but...... How do we get the ID data from the field in the artifact into a file? Any help would be much appreciated. Cheers, Mark.

Hi, I'm Trying to calculate success percentage, for that I'm taking total and request count. but, I'm unable to get count for the request. Please see the attachments to get more insights. Image1 :- Gives total count of book appointment  request count. Image2 :-  Unable to get Request count from the total book appointments. Image3 :-  Example of   Successfully getting results.   Please help me to resolve this. 

I am passing in the following token host_token=$host_token$ in a URL   <link target="_blank">/app/RTPM/blackwidow_testing__technical_dashboard_19_01_2022_v2?host_token=$host_token$&amp;host_token1=$host_token$</link>   However, the Screen that is receiving the token blackwidow_testing__technical_dashboard_19_01_2022_v2 allready has an input for host_token (As the screen can be used on its own, with out someone passing in tokens) It looks like this. Ideally if the host_token comes in from the URL, i want the value to be set to that. However that does not happy, the URL host_token seems to be ignored and the original dropdown works as if nothing happened.    <input type="dropdown" token="host_token"> <label>HOST</label> <fieldForLabel>mx.env</fieldForLabel> <fieldForValue>mx.env</fieldForValue> <search> <query>| mstats avg("mx.process.cpu.utilization") as X WHERE "index"="metrics_test" span=10s BY "mx.env" | dedup mx.env | table mx.env</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input>   As a test I pass in 2 tokens host_token and host_token1 - host_token is set to undefined. This is the one that i need to get set when it come in from the URL      Any help would be amazing - thanks - Robbie