Hello, logs are being collected through fschange. Do you know the field descriptions of the fschange log? I am particularly curious about isdir, gid, and uid.
I am trying to create a playbook where the first step is a manual block of an email address in the restricted users portal in Microsoft O365, then automatically unblock it after 90 days. I have no idea where to start, especially when the first block is a manual step! Please help.
Based on the search results, show icons, like 1-5 stars ❤❤❤ - for result 3 ❤❤❤❤❤ - for result 5
I'm working to upload some data sets from the Splunk tutorial page in order to learn how to use Splunk and am unable to get the datasets fully added. I am receiving an error message of: Upload failed with WARN : supplied index 'Web' missing. I have downloaded the zip files from https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchTutorial/Systemrequirements. The Add Data process seems to be working fine up until the review page, and when I try to Submit it I receive the above error message. I am fairly new to learning Splunk and any assistance anyone can offer would be greatly appreciated.
Hello, on the HF of this add-on there is an Inputs configuration. On the Content Type drop down, there is a choice of four different types for audit. Screen shot attached. Does anyone have the link to documentation for what the differences are for logging those audit selections?
Hello! I can't set up my SVG because it's not recognizing my query as valid. I validated my svg on validator.w3.org/check I think the issue is with my query, but it results in one column with the ids, and one column with a number SPL:     <blah blah blah initial search> | eval shield-one_to_ten=if(percent>0, 1, 0), shield-ten_to_twenty=if(percent>=0.1, 1, 0), shield-twenty_to_thirty=if(percent>=0.2, 1, 0), shield-thirty_to_forty=if(percent>=0.3, 1, 0), shield-forty_to_fifty=if(percent>=0.4, 1, 0), shield-fifty_to_sixty=if(percent>=0.5, 1, 0), shield-sixty_to_seventy=if(percent>=0.6, 1, 0), shield-seventy_to_eighty=if(percent>=0.7, 1, 0), shield-eighty_to_ninety=if(percent>=0.8, 1, 0), shield-ninety_to_hundo=if(percent>=0.9, 1, 0) | fields shield-one_to_ten, shield-ten_to_twenty, shield-twenty_to_thirty, shield-thirty_to_forty, shield-forty_to_fifty, shield-fifty_to_sixty, shield-sixty_to_seventy, shield-seventy_to_eighty, shield-eighty_to_ninety, shield-ninety_to_hundo | transpose column_name="id" | rename "row 1" AS "count"     which results in which matches the id names in my svg:     <svg id="shield" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 897 1114" shape-rendering="geometricPrecision" text-rendering="geometricPrecision"><defs><filter id="shield-ninety_to_hundo-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-ninety_to_hundo-filter-opacity-0" result="result"><feFuncA id="shield-ninety_to_hundo-filter-opacity-0-A" type="table" tableValues="0 0.95"/></feComponentTransfer></filter><filter id="shield-eighty_to_ninety-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-eighty_to_ninety-filter-opacity-0" result="result"><feFuncA id="shield-eighty_to_ninety-filter-opacity-0-A" type="table" tableValues="0 0.9"/></feComponentTransfer></filter><filter id="shield-seventy_to_eighty-filter" x="-400%" width="600%" y="-400%" 
height="600%"><feComponentTransfer id="shield-seventy_to_eighty-filter-opacity-0" result="result"><feFuncA id="shield-seventy_to_eighty-filter-opacity-0-A" type="table" tableValues="0 0.85"/></feComponentTransfer></filter><filter id="shield-sixty_to_seventy-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-sixty_to_seventy-filter-opacity-0" result="result"><feFuncA id="shield-sixty_to_seventy-filter-opacity-0-A" type="table" tableValues="0 0.8"/></feComponentTransfer></filter><filter id="shield-fifty_to_sixty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-fifty_to_sixty-filter-opacity-0" result="result"><feFuncA id="shield-fifty_to_sixty-filter-opacity-0-A" type="table" tableValues="0 0.75"/></feComponentTransfer></filter><filter id="shield-fourty_to_fifty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-fourty_to_fifty-filter-opacity-0" result="result"><feFuncA id="shield-fourty_to_fifty-filter-opacity-0-A" type="table" tableValues="0 0.7"/></feComponentTransfer></filter><filter id="shield-thirty_to_fourty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-thirty_to_fourty-filter-opacity-0" result="result"><feFuncA id="shield-thirty_to_fourty-filter-opacity-0-A" type="table" tableValues="0 0.65"/></feComponentTransfer></filter><filter id="shield-twenty_to_thirty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-twenty_to_thirty-filter-opacity-0" result="result"><feFuncA id="shield-twenty_to_thirty-filter-opacity-0-A" type="table" tableValues="0 0.6"/></feComponentTransfer></filter><filter id="shield-ten_to_twenty-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-ten_to_twenty-filter-opacity-0" result="result"><feFuncA id="shield-ten_to_twenty-filter-opacity-0-A" type="table" tableValues="0 0.55"/></feComponentTransfer></filter><filter 
id="shield-one_to_ten-filter" x="-400%" width="600%" y="-400%" height="600%"><feComponentTransfer id="shield-one_to_ten-filter-opacity-0" result="result"><feFuncA id="shield-one_to_ten-filter-opacity-0-A" type="table" tableValues="0 0.5"/></feComponentTransfer></filter></defs><path id="shield-ninety_to_hundo" d="M403.15385,39.86098C403.15385,39.86098,402.48718,40.46214,401.15385,41.66444C399.82052,42.26559,391.15385,46.17308,375.15385,53.38691C360.48718,60.60074,351.82052,64.50823,349.15385,65.10938C347.15385,66.31168,339.82052,69.61802,327.15385,75.02839C313.82052,80.43876,296.82052,87.35201,276.15385,95.76814C255.48718,103.58312,233.15385,111.3981,209.15385,119.21308C192.48063,124.22464,175.16391,128.94608,157.20368,133.37738L652.89442,133.37738C650.08098,132.60354,647.16746,131.7896,644.15385,130.93554C620.82052,124.32286,605.82052,120.1148,599.15385,118.31134C591.82052,116.50788,579.82052,112.29981,563.15385,105.68714C545.82052,99.07447,528.48718,92.16122,511.15385,84.94739C493.15385,77.73356,474.48718,69.91858,455.15385,61.50245C435.15385,53.08632,422.48718,47.37537,417.15385,44.36961L409.15385,39.86097L403.15385,39.86097L403.15385,39.86098Z" transform="matrix(1.163815 0 0 1 -22.90216 23.13903)" filter="url(#shield-ninety_to_hundo-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-eighty_to_ninety" 
d="M740,115.16155C728.66667,113.35809,711.33333,109.15002,688,102.53735L210.76683,102.53735C199.75935,105.3544,188.50374,108.05959,177,110.6529C150.33333,116.66442,127,121.47364,107,125.08055C87.66667,127.48516,65.66667,130.79149,41,134.99956L3,141.31166L2,141.31166L1,142.21339L1,186.39808L2.16394,206.86445L896.60263,206.86445C896.86754,202.10046,897,199.4864,897,199.02228C897,197.81997,897,187.60038,897,186.39808L898,186.39808L898,141.31166L897,141.31166L895,139.5082L894,139.5082C893.33333,139.5082,882,137.70474,860,134.09783C838,131.69322,815.33333,128.38689,792,124.17882C768.66667,119.97076,751.33333,116.965,740,115.16154L740,115.16155Z" transform="matrix(1 0 0 1 -1 55.97906)" filter="url(#shield-eighty_to_ninety-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-seventy_to_eighty" d="M897.09355,204.42209L0.09355,204.42209L0.09355,207.14939L2.09355,242.31679C2.93397,257.09451,4.17169,276.76838,5.80671,301.3384L7.78706,301.3384C7.71233,300.24738,7.63819,299.16361,7.56464,298.08709L889.62247,298.08709C889.55561,299.17789,889.48893,300.26166,889.42245,301.3384L891.36427,301.3384C894.51712,248.56297,896.09355,221.3747,896.09355,219.77356C896.09355,218.57125,896.09355,208.35166,896.09355,207.14936L897.09355,207.14936L897.09355,204.42209Z" transform="matrix(1 0 0 1 -0.09355 60.5097)" filter="url(#shield-seventy_to_eighty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-sixty_to_seventy" d="M9,317.40839C8.49895,310.17944,8.0205,303.22893,7.56464,296.55687L889.62247,296.55687C886.21876,352.08469,883.30811,389.38367,880.89052,408.45379L880.63628,408.45379C880.63628,408.45379,880.63628,408.45379,880.63628,408.45379L16.36373,408.45379C16.36373,408.45379,16.36373,408.45379,16.36373,408.45379L15.90733,408.45379C14.55985,394.75357,12.2574,364.40511,9,317.40839Z" transform="matrix(1 0 0 1 -0.093555 64.29416)" filter="url(#shield-sixty_to_seventy-filter)" fill="rgb(0,141,199)" 
fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-fifty_to_sixty" d="M891.40641,402.6281C891.59233,401.45453,891.78149,400.16115,891.9739,398.74795L27.70135,398.74795C30.24546,411.9551,32.48048,423.76865,34.4064,434.18859C36.4064,445.00933,41.4064,464.2462,49.4064,491.8992C49.77931,493.44602,50.15222,494.97779,50.52513,496.49451L869.58145,496.49451C873.07533,483.84591,876.35031,471.4934,879.40639,459.43696C884.73972,438.39664,888.73972,419.46034,891.40639,402.62808L891.40641,402.6281Z" transform="matrix(1 0 0 1 -11.337625 76)" filter="url(#shield-fifty_to_sixty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-fourty_to_fifty" d="M860.58347,529.85845C853.9168,552.70223,846.25014,574.34371,837.58347,594.78289C837.03482,596.03875,836.48751,597.28738,835.94153,598.52878L81.97014,598.52878C77.13218,587.2482,72.66996,576.08056,68.58347,565.02586C61.9168,546.99129,55.25014,524.14751,48.58347,496.49451L870.02181,496.49451C867.04009,507.39347,863.89398,518.51478,860.58347,529.85845Z" transform="matrix(1 0 0 1 -10.80264 78)" filter="url(#shield-fourty_to_fifty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-thirty_to_fourty" d="M812.71154,648.80715C804.71154,664.43711,796.71154,678.86476,788.71154,692.09011C786.55816,695.81182,784.54969,699.22865,782.68612,702.34058L135.38342,702.34058C127.43105,689.5131,120.54042,678.2813,114.71153,668.64517C108.04486,655.41982,100.3782,639.18871,91.71153,619.95184C88.36976,612.76613,85.17668,605.6251,82.13227,598.52876L836.03467,598.52876C827.96867,616.86601,820.1943,633.62547,812.71154,648.80715Z" transform="matrix(1 0 0 1 -10.58347 80.00002)" filter="url(#shield-thirty_to_fourty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-twenty_to_thirty" 
d="M821.22193,863.28898C824.62574,858.68501,829.47778,851.03392,835.77806,840.33568L183.20086,840.33568C186.95596,846.40586,190.96299,852.85465,195.22194,859.68206C207.22194,878.31778,213.55527,887.63564,214.22194,887.63564C214.88861,887.63564,215.88861,889.13852,217.22194,892.14428C218.55527,894.54889,221.55527,898.75696,226.22194,904.76848C230.22194,910.78,232.88861,914.38692,234.22194,915.58922C236.22194,916.79152,241.88861,924.00535,251.22194,937.2307C253.46683,939.88757,255.62314,942.43793,257.69086,944.88179L761.20792,944.88179C764.18562,941.02488,767.52363,936.67105,771.22194,931.82033C787.22194,911.9823,798.55527,896.9535,805.22194,886.73391C813.22194,875.91317,818.55527,868.09819,821.22194,863.28897L821.22193,863.28898Z" transform="matrix(1 0 0 1 -60.98946 -55.99508)" filter="url(#shield-twenty_to_thirty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-ten_to_twenty" d="M683,923.50572C679.66667,927.11263,677.66667,928.91609,677,928.91609C676.33333,928.91609,674.66667,930.41897,672,933.42473C669.33333,935.82934,667,937.93337,665,939.73683C662.33333,942.14144,661,943.64432,661,944.24547C660.33333,944.84662,656,949.05469,648,956.86967C640,964.68465,634.66667,969.79444,632,972.19905C630,974.60366,628,976.40712,626,977.60942C624,978.81172,622,980.61518,620,983.01979C617.33333,985.4244,615.33333,986.92728,614,987.52843C612,988.12958,611,988.73073,611,989.33189C610.48468,989.79657,608.5752,991.33881,605.27156,993.95861L289.99178,993.95861C272.2308,979.01828,257.56688,965.75358,246,954.16449C234,942.14145,224,932.52301,216,925.30918C210.40494,918.75039,203.40118,910.49791,194.9887,900.55172L701.33535,900.55172C691.72932,913.02202,685.61753,920.67336,683,923.50572Z" transform="matrix(1 0 0 1 0.337975 -9.66501)" filter="url(#shield-ten_to_twenty-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><path id="shield-one_to_ten" 
d="M602,1002.44724C596.66667,1006.65531,584.33333,1016.57432,565,1032.20427C545.66667,1046.63192,526,1059.85727,506,1071.88032C485.33333,1083.90336,470,1091.71834,460,1095.32526C450.66667,1098.93217,442.66667,1098.93217,436,1095.32526C428.66667,1092.92065,416,1086.30798,398,1075.48724C379.33333,1065.8688,366.66667,1058.65498,360,1053.84576C352.66667,1049.03654,349,1046.33136,349,1045.7302C348.33333,1045.12905,345,1042.42386,339,1037.61464C332.33333,1032.80542,327.66667,1029.49908,325,1027.69563C322.33333,1025.89217,311.33333,1017.17547,292,1001.54551C291.32616,1000.98129,290.65667,1000.41942,289.99151,999.85991L605.27184,999.85991C604.30151,1000.62939,603.21089,1001.49183,602,1002.44724Z" transform="matrix(1 0 0 1 0.868325 -13.56631)" filter="url(#shield-one_to_ten-filter)" fill="rgb(0,141,199)" fill-rule="evenodd" stroke="none" stroke-width="1"/><g id="shield-g1"/></svg>     Is it my query or the svg file that needs help? Thanks
Hi all. I'm trying to create a table from AWS WAF logs. There is a section of the log that is called ruleGroupList{} and it is a list containing multiple dictionaries. Sometimes there is a field called "excludedRules" that is null. When it is not null, it is a list containing a dictionary with a field called ruleId.    ruleGroupList: [ [-]      { [-]        excludedRules: null        nonTerminatingMatchingRules: [ [+]        ]        ruleGroupId: AWS#AWSManagedRulesBotControlRuleSet        terminatingRule: null      }      { [-]        excludedRules: [ [-]          { [-]            exclusionType: EXCLUDED_AS_COUNT            ruleId: SizeRestrictions_BODY          }        ]        nonTerminatingMatchingRules: [ [+]        ]        ruleGroupId: AWS#AWSManagedRulesCommonRuleSet        terminatingRule: null      } In this case, I want to: list the ruleGroupList{}.ruleGroupId and the ruleGroupList{}.excludedRules{}.ruleId in a table, when ruleGroupList{}.excludedRules is not NULL. If it is NULL, then I don't want to display the values for that dictionary. There are 7 dictionaries in this ruleGroupList{} (as long as I don't change my WAF settings in AWS). This is my search: <search> | | spath input=ruleGroupList{} path=excludedRules | rename ruleGroupList{}.ruleGroupId as ruleGroup, ruleGroupList{}.excludedRules{}.ruleId as ruleGroupId, ruleGroupList{}.excludedRules as testNullExcludedRules | eval x=case(!isnull(testNullExcludedRules),mvzip(ruleGroup,ruleGroupId),isnull(testNullExcludedRules),x) | mvexpand x | eval x = split(x,",") | eval ruleGroupId=case(!isnull(testNullExcludedRules),mvindex(x,1)) | eval ruleGroup=case(!isnull(testNullExcludedRules),mvindex(x,0)) | table _time,ruleGroup,ruleGroupId This gives me the ruleGroupId correctly, but it always lists the first instance of the ruleGroup: I can't figure out how to ignore the ruleGroup when its corresponding excludedRules is NULL. Thanks for any help! Kevin
Hi All, I'm trying to integrate Akamai logs with Splunk through siem-integrator, but I'm having problems. I've already installed Java (JRE) and the JDK too, but it still has errors as shown in splunkd.log. I'm using the addon: https://splunkbase.splunk.com/app/4310/ Has anyone in the community already been through this, or does anyone have an idea of what it could be? Splunk Enterprise Version: 8.2.2 Akamai-siem-splunk-connector: 1.4.9 java version "1.8.0_311" Java(TM) SE Runtime Environment (build 1.8.0_311-b11) Java HotSpot(TM) 64-Bit Server VM (build 25.311-b11, mixed mode)   splunkd.log 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Message : Connection refused (Connection refused), Exception : java.lang.RuntimeException: Connection refused (Connection refused) 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpService.send(HttpService.java:462) 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.Service.send(Service.java:1295) 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802) 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.streamEvents(Main.java:449) 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:74) 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 
ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:48) 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.main(Main.java:116) 10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Caused by: java.net.ConnectException: Connection refused (Connection refused)     Thank you very much. James \°/
Hello, I'm a bit new to Splunk, so I'm still learning. I have created two fields, an opscounter, and a deopcounter. The opscounter keeps count of how many times the field's value, or in this case, the value equates to a username is promoted to admin. If a user is promoted to admin, their count goes up on the opscounter; however, if they are demoted, the deopscounter goes up as well. As you can see in the opscounter image below, user1 was made an admin, and in the opscounter the count of 1, but in the deopscounter, you can see that user1 has a count of one, meaning they were demoted. If they are promoted again, their opscounter value will go to two. If a new user is added, they will automatically be added to the field same if they are demoted, but they will have the same value in both fields. I would like to create a dashboard that displays a list of current admins.   Knowing that is there a way to put every value that is in these fields in an if statement? My thought process is if user1 from opscounter is greater than user1 from deopcounter, display that user. I would like to figure out a way to make this work. If not, I'm open to suggestions on how to get the same results in a dashboard but through a different method. Any help is appreciated!
Hello everyone, I've seen a number of older posts about automating dashboard exporting with Splunk's API. However, those methods don't seem to apply to the new Dashboard Studio. Does anyone know how exporting can be automated for Dashboard Studio dashboards? Thanks in advance.
My index shows the latest event section "in an hour", I have never seen that before. What exactly does that mean?
I am getting the error "SSL certificate verification failed. Please add a valid SSL Certificate or Change VERIFY_SSL flag to False" when attempting to add a new account in the configuration for the Cybervision add on. I am interested in setting the verify_ssl to false, but am having a difficult time finding the location to change this. Does anyone know the path/file that I can make this change on?
I used a custom function that parses out email addresses from an alert, I used the phantom.add_artifact function to add the artifact to the container. I am then using a filter to check for the artifact ("artifact:*.label", "==", "notiresponse"). It evaluates as false each time even though if I check the container it is there. What can I do to ensure that the filter is seeing this artifact? When I check the debug log, I can see the loop checking against all of the artifacts in the container except for the one I am creating via custom function. We have multiple playbooks that do this, but this one, in particular, is giving me trouble. 
I have two fields below that show up in our log files. I used the Splunk tool to create the regex to extract the fields, and at first I thought it worked until we had fields with different values that didn't extract. Is there a simple regex I can use to extract the ObjectType and Domain Controller fields in the example below? Values should never have spaces, so we can end the value after the first space. ObjectType User Domain Controller TSTETCDRS001
I am trying to assign a numeric value back to the $ps$ token, which I changed to ProcessingStepName1, ProcessingStepName2, ProcessingStepName3, ProcessingStepName4 by eval. After I click a bar in the bar chart, the token $ps$ gets the value of one of the ProcessingStepNames (ProcessingStepName1, ProcessingStepName2, ProcessingStepName3, ProcessingStepName4), but I need to change the names back to the numbers which I changed by eval. How should I do that? I tried eval to do so but it is not working. Any suggestion please? <dashboard> <label>Processing_Step_Clone_2</label> <row> <panel> <chart> <title>$form.Source$ between $form.earliest_date$ $form.second_dash.earliest$ - $form.second_dash.latest$</title> <search> <query>index=Idx1 sourcetype=sourcetype#  Datatype=$form.Datatype$ |spath Source | search Source=$form.Source$ |eval type = if(ProcessStatus=0,"Success","Failure") |eval ProcessingStep=if(ProcessingStep="6","ProcessingStepName1",ProcessingStep) |eval ProcessingStep=if(ProcessingStep="21","ProcessingStepName2",ProcessingStep) |eval ProcessingStep=if(ProcessingStep="1","ProcessingStepName3",ProcessingStep) |eval ProcessingStep=if(ProcessingStep="2","ProcessingStepName4",ProcessingStep) |chart count over ProcessingStep </query> <earliest>$form.second_dash.earliest$</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option> <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option> <option name="charting.axisTitleX.visibility">visible</option> <option name="charting.axisTitleY.visibility">visible</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.abbreviation">none</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.abbreviation">none</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.abbreviation">none</option> . . . 
<option name="trellis.size">medium</option> <drilldown> <set token="ps">$click.value$></set> </drilldown> </chart> </panel> </row> <row> <panel> <chart> <title>Success/Failure visualization for $ps$ </title> <search> <query>index=Idx1 sourcetype=sourcetype# Datatype=$form.Datatype$ | spath Source | search Source=$form.Source$ | eval type = if(ProcessStatus=0,"Success","Failure") | search ProcessingStep=$ps$ | timechart count by type</query> <earliest>$form.second_dash.earliest$</earliest> <latest>now</latest> </search>
My current search returns a series of events like:  {'field1' : {'field2' : [obj1, obj2, obj3]}} {'field1' : {'field2' : [obj4, obj5]}} {'field1' : {'field2' : [obj6]}}   I want to return the total sum of the lengths of the field1.field2 lists, which in this case would be 3 + 2 + 1 = 6. Can anyone help me with an easy way to do this?
I just installed Splunk on a Windows 10 Pro and iPad Apple  and when I start it I get: I tried modifying my firewall but that didn't solve the issue. I was thinking it might be a port forwarding issue but if so, what addresses and ports do I need to forward?
Hi, We have a large amount of data in the /opt/app/axtract_fe1/var/log/apache2/main_collector_access-*.log file, and we do not want HTTP 200, 204 or 401 logs. How do I filter these out from being indexed?

//SAMPLE LOG
70.166.76.65 - - [27/Oct/2021:12:42:56 -0400] "POST / HTTP/1.1" 200 2949 "-" "-" R:1 Conn:- PID:12954 RD:45125 CSt:+ FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/45125
70.166.76.65 - - [27/Oct/2021:12:42:56 -0400] "POST / HTTP/1.1" 204 248 "-" "-" R:1 Conn:close PID:12954 RD:40522 CSt:- FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/40522
70.166.76.65 - - [27/Oct/2021:12:43:03 -0400] "POST / HTTP/1.1" 200 800 "-" "-" R:0 Conn:- PID:12945 RD:34579 CSt:+ FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/34579
70.166.76.65 - - [27/Oct/2021:12:43:03 -0400] "POST / HTTP/1.1" 200 2949 "-" "-" R:1 Conn:- PID:12945 RD:43790 CSt:+ FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/43790
70.166.76.65 - - [27/Oct/2021:12:43:03 -0400] "POST / HTTP/1.1" 204 248 "-" "-" R:1 Conn:close PID:12945 RD:40819 CSt:- FT:forwarded CPE_IP:70.166.77.73, 70.166.76.65 RespTime:0/40819

//Props.conf file
[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull
What Splunk MINT applications and components are going End of Support and End of Life?
Splunk MINT SDK
Splunk MINT Management Console (including MINT Web Service)
Splunk MINT App
Splunk MINT Add-on

When is this happening?
End of Support: December 31, 2021
End of Life: December 31, 2021

What is the impact on your Splunk MINT application?
Splunk MINT SDK: Splunk will not provide any updates/bug fixes to the MINT SDK. Splunk will remove the download links for the MINT SDK.
Splunk MINT Management Console (including MINT Web Service): The MINT web service will be unavailable after Dec 31 2021. Any data sent to the MINT web service will not be captured / stored. You will not see a disruption in service if you're not using the MINT web service and are sending data to the Splunk platform via HEC.
Splunk MINT Add-on: Since the MINT management console and the MINT web service will be discontinued, this add-on will not pull any information.
Splunk MINT App: If you're using the dashboards provided by the Splunk MINT App, you will start seeing a banner that states the plugin is not supported. The MINT dashboards can be built using the best practices provided in the example searches. Please make sure that you have this information saved for future use as these URLs will stop working on the End of Life date.

What is the recommended action for MINT customers?
Customers who want to measure how their end-users are perceiving the performance of their web and mobile applications should leverage the new Splunk RUM available now. Sign up for a free trial here.

— Wes Cooper, Product Marketing Manager - Observability Solutions for IT and DevOps at Splunk
Hello, I need to calculate a percentage value from 2 different stats. First I tried to do something like this:   index=toto sourcetype=:request web_domain="*" web_status=* | stats dc(web_domain) as nbdomain, count(web_status) as nbdomainko | eval KO=round(nbdomain/nbdomainko*100,1) | table KO   It returns a result but it's wrong, because I need to count the web_status by web_domain in order to count the number of web_status by web_domain, to be able to calculate my percentage value:   | stats dc(web_domain) as nbdomain, count(web_status) as nbdomainko by web_domain   So I tried to separate the 2 searches with an append command, but it returns anything:   index=toto sourcetype=request web_domain="*" web_status=* | stats dc(web_domain) as nbdomain | append [ search index=toto sourcetype=:request web_domain="*" web_status=* | stats count(web_status) as nbstatus by web_domain] | eval prcerreur = round(nbdomain/nbstatus*100,1). " %" | table prcerreur   So what is the best way to solve my use case, please?