How do I export of list of triggered alerts in a CSV for a certain period of time from Splunk Cloud? This should be something like the view on the Activity>Triggered Alerts screen? The important fields are triggered time and title of alert. Thank you.

Hello, { [-] guessedService: ejj logGroup: /aws/ejj/cluster logStream: kube-apt-15444d2f8c4b216a9cb69ac message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}   i already a below props and transforms to extract all the fields from message.  Props.conf [json_no_new] REPORT-json = report-json,report-json-new KV_MODE = none INDEXED_EXTRACTIONS = json LINE_BREAKER = ^{ NO_BINARY_CHECK = true disabled = false pulldown_type = true Transforms.conf [report-json] SOURCE_KEY = message REGEX = (?P<json2>{.+) DEST_KEY = _raw [report-json-new] REGEX = \\*"([^"]+)\":[\s]*"*(\[.*?\]|\{.*?\}"*\}*|[^"]+|\d+),* FORMAT = $1::$2 SOURCE_KEY = json2 Now from the result i have below field with json value user = {"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]} again with props and transform i want to extract values from user field. Please some one let me know if thats possible  Thanks

Hi Team,   I am checking for the update that if the Splunk application is also exposed to threat due to Vulnerability -  Apache Log4j.  Please let us know the work around if there is any impact. Thanks User

Hello all, I need a hand with a basic Splunk search. I appreciate this is Splunk 101 basics, but with other commitments, I am struggling to remember all commands.  What I need is to edit the following search, (or someone kind enough to completely improve the search), that rather the showing the same day next to each URL in the field "day", it just shows all URLs next to one single entry of the day. hopefully, that makes sense? index=netproxy user=(user) (url=https://www* OR url=http://www.) | stats count by day, url day                                    url                                                                   count Mon, 13 Dec 2021    https://www.bizographics.com/         1 Mon, 13 Dec 2021 https://www.bleacherbreaker.com/     2788 Mon, 13 Dec 2021 https://www.google-analytics.com/     3 Mon, 13 Dec 2021 https://www.google.co.uk/                       5                     Mon, 13 Dec 2021 https://www.googletagmanager.com/ 10 Mon, 13 Dec 2021 https://www.googletagservices.com/  6 Sat, 11 Dec 2021 https://www.capitalfm.com/                     23 Sat, 11 Dec 2021 https://www.capitalxtra.com/                   26 Sat, 11 Dec 2021 https://www.globalplayer.com/                 8   Basically what I am after is a search that shows,  -    day                                             url                                            times visited(count) Mon, 13 Dec 2021    https://www.bizographics.com/            1                                           https://www.bleacherbreaker.com/      2788                                           https://www.google-analytics.com/      3                                           https://www.google.co.uk/                         5                                           https://www.googletagmanager.com/   10                                           https://www.googletagservices.com/   5 If anyone can improve on my basic search it would be greatly appreciated

Hello I have this below data, { [-] guessedService: ejj logGroup: /aws/ejj/cluster logStream: kube-apt-15444d2f8c4b216a9cb69ac message:{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/jej/endpoints/eji.com-aws-eji","verb":"update","user":{"username":"system:serviceaccount:efs:efs-provisioner","uid":"ab5d27b4c-71a4f77323b0","groups":["system:serviceaccounts","system:serviceaccounts:eji","system:authenticated"]},"sourceIPs":["10.0.0.0"],"userAgent":"eji-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"endpoints","namespace":"edd","name":"dds.com-aws-edds","uid":"44ad8-899f-fbc1f4befb2f","apiVersion":"v1","resourceVersion":"8852157"},"responseStatus":{"metadata":{},"code":200}}   Need to extract user:{username:.....} user part alone  need to write once regex to extarct all the values inside user object..like user.username, user.uid, user.groups    

Hi Splunkers ,   The vulnerability was disclosed by the Apache Log4j project on Thursday, December 9, 2021. If exploited, it could potentially allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value on an affected endpoint. Can you please help me to these below Addon's & Apps are impacted or Not -- Splunk Add-on for Microsoft SCOM Okta Identity Cloud Add-on for Splunk Lookup Editor Number Display Viz Splunk Dashboard Examples Tanium App Splunk Enterprise Dashboards Beta Python for Scientific Computing Solarwinds Add on for splunk Tanium Technology Add on 100_genpact_splunkcloud Splunk DB Connect Tanium App Microsoft windows DHCP Add on for splunk Website Monitoring rest_ta   These are not listed in below links :-  Splunk Security Advisory for Apache Log4j (CVE-2021-44228) | Splunk https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html

I try to use the query   eval ID = if(ORG="MC",ID=substr(ID,-6),0)   Basically, I want in my result, if ORG="MC", I want to extract the last 6 characters of the field ID that go with it, otherwise stay the same. But the result table always show ID as False if ORG="MC" How do I fix my query or have to go the other way?

Hi, We need to move certain indexes to a completely different deployment. I need to make an estimate on how many heavy forwarders are currently being used to process data to these indexes. Your advice will be very helpfull   Thanks

I set up an Intelligence Download for https://threatfox-api.abuse.ch/api/v1  to use with the POST argument. However I am constantly getting the error:  Caught HTTPError when querying https://threatfox-api.abuse.ch/api/v1: code=405 exc=HTTP Error 405: Method Not Allowed I also see the log line: file=threatlist.py:download_csv:333 | status="CSV download starting" However this url does not return a csv. It will return a json and I am planning to use (?ms) in the extract regex to parse it. Is ES thinking that this is a csv and doing a GET instead of a POST? How do I control that? I have in the UI set the POST argument to be a json string required by the API. I am able to run curl and retrieve the output from this url.

I have a few error messages in my ES about searches being delayed. How do I find the root causes. If multiple delays are taking place at different stages. Possible to find the stops & why searches are being delayed? Thank you for your response.

This includes High priority mostly. How do I view a list & provide a solution please. The error indicating the delays shows up as error message on the Ent. & even the ES server we have. Thanks a million.