Many rules in the Splunk Security Content Repo (ESCU) use the macro "read_ssa_enriched_events", but no macro with this name has been developed in the ESCU app or in Splunk Security Essentials. So many rules are not ready to deploy in a Splunk environment. I leave here an example of a rule using this macro: https://github.com/splunk/security_content/blob/develop/detections/endpoint/ssa___applying_stolen_credentials_via_mimikatz_modules.yml Can someone help?
Hi, I'm trying to add a table on the right side of the dashboard, but I am not able to achieve it. Can anyone suggest? I am not using an HTML dashboard; I am using an XML dashboard. Existing: new. New one - expecting: new.
Hi, in order to parametrize the search, I created a lookup with a couple of numerical values that I would like to easily change when necessary. The format of the CSV file (test.csv) is the following (this format could be changed based on the answers to this post):

Threshold  Value
name1      value1
name2      value2

The only way I found to do what I want is the following query:

| eval tempField="name1" | lookup test.csv Threshold as tempField OUTPUT Value as test1value

Is there any better or more efficient way of doing this? I was imagining something like the line below, but I didn't manage to make it work:

| lookup test.csv Threshold as "name1" OUTPUT Value as test1value

Thanks!
Hello everyone! I'm struggling to find a way to add a value (for example 1) to a field value in case a certain field exists. Let's say this certain field is fieldx, and it only exists and has a value when you specifically block a port. After you've unblocked it, the field disappears. What I'm currently looking at is the max value of a field (for example the highest destination port number), so I do: index=firewall destport=* | stats max(destport) as max_port. Now I have my highest destination port; let's say it's 65000. What I'm now trying to accomplish is that, if this port is currently blocked and fieldx=blocked appears, I want to add 1 to the max_port value -> 65001, and otherwise leave it be. I've tried an eval if like this: | eval maxport=if(isnotnull(fieldx),max_port+1,max_port) but it doesn't work. Do I have something wrong? PS: in reality I don't know what the value of fieldx is, so I can't just do if(fieldx==blocked,...). But since the field only appears if there is a value in it to begin with, I would use that to my advantage. Also, is it possible to add the +1 only for a certain period of time? For example, add +1 to the value as long as it is within a two-week frame?
Hello All, I have several alerts which send email notifications. I know it might be very basic, but I need your help. One alert is to specify if a local host has accessed a blacklisted IP. So I expect to have a table with: Src, Dest, Port. The search returns a table, but I do not understand why it attaches a line-chart diagram! I want it as a static table. In the Visualization tab, it does not show me a static table. I even tried to create a new alert without even going to the Visualization tab, but I got the same result. I have even changed the search and used table instead of stats. Please advise. Thank you
Hello, I have a question. I need fewer values: | stats count list(fileame) as filename by user. When I use it, it returns 100 values. I need fewer values, 10-20 values.
Hi, I have to get the % of 2 and 3 values in the same field.

Status  count
True    200
False   50
Error   10
exc     5
temp    6
Total   271

I need to get True% by (True+Error)/Total*100 and False% by (False+exc+temp)/Total*100. Please help me with the solution.
https://community.splunk.com/t5/Splunk-Search/Why-am-I-only-getting-a-maximum-of-100-events-returned-through-a/m-p/207639/thread-id/60523 In my case, even after setting setCount to 0, I am unable to read it via ResultsReaderJson (is it possible that ResultsReaderJson reads only the first 100 entries?). I have confirmed that the stream contains all entries by printing it: String result = IOUtils.toString(stream, StandardCharsets.UTF_8); System.out.println(result);
"In handler 'savedsearch': Expecting different token" - the above error pops up while creating an alert. Is there any fix?
Can someone please help with the Splunk query for the scenario below: I want to extract the last IP address with a regular expression (regex) for an event which has one or more IP addresses. If the event has one IP ---> then extract that IP. If the event has more than one IP ---> then extract the last IP. Thanks!
Hi Community, I provisioned the cluster agent with auto-instrumentation; cluster and node information is showing up correctly in the controller. In Clusters, Pods, Inventory and Events show the correct information. But the application is not being auto-instrumented, and I found these error logs in the cluster agent pods. Could you guide me on what the cluster agent is looking for? [ERROR]: 2021-09-07 03:45:21 - agentregistrationmodule.go:369 - Cluster Agent node name environment variable not found
I am trying to integrate the McAfee ATD app in Phantom. I get the following error when I try to test the connectivity. Firewall burns are complete, and when I test the connectivity in the backend it's working fine. Any suggestions?
My index has client_ip. However, I want to use the client_ip that exists in the user_ip.csv field. index="my_index" [ | inputlookup user_ip.csv | search client_ip="*" ] I attempted this but it failed. After that, I will perform stats.
Hi, I'm new to Splunk and was unable to find an answer to this exact question, so sorry if it has been asked before or if it's a simple question, but I'm unable to import all of my local Windows event logs into Splunk Enterprise. I'm able to get around 60% of them imported, but beyond that I receive an error stating "Encountered the following error while trying to update: Splunkd Daemon is not responding:('Error connecting to /servicesNS/nobody/launcher/data/inputs/win-event-log-collections/localhost: The read operation timed out',)". I'm sure the problem is most likely the service timing out because there are so many log channels I'm trying to import, but I'm not sure how to increase the timeout or if there is a way to create multiple localhost inputs. Any help you can provide would be appreciated.
Hi, I have a task where I need to make my search head cluster able to search two different data center/indexer clusters, one on the East Coast and another on the West Coast. According to the docs below, this can be done in 2 ways, single-site or multisite: https://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Configuremulti-clustersearch I have some idea of how both work, but I need a more in-depth explanation of why one approach is better than the other (in terms of searching/indexing performance, latency, cost, maintenance, complexity, etc.). I do need to bring up that I will enable SmartStore to store data in AWS S3 instead of locally on the indexer nodes. Thank you so much in advance!
wget -O splunk-8.2.2-87344edfcdb4-linux-2.6-amd64.deb ' : Read-only file system
Hi, I need to create a dashboard with the visualization type set to line chart, and I need to have a default value as a reference line; for this I have added eval Target=1 | table Target in the Splunk query. Now I need to always highlight the target/default line, and this line should be thicker than the remaining lines in the visualization and bold, so that it can be distinguished from the others. I need to achieve this only from Splunk; no JS or other is needed. TIA.
Please assist by providing detailed steps to replace the cluster master for the indexer cluster. I've tried a few things; however, the peers are not connecting to the new cluster master.
Hello Team, I'm not sure what I am missing, but I am unable to extract or display ModifiedProperties{}.Name fields in a table. For example: under the extended fields of ModifiedProperties{}.Name there is another field, "OtherMail". I would like to display the OtherMail field value/data in a table. I remember doing this some time back but seem to have completely forgotten. Can someone please help with it? Thanks in advance.