Can someone please help with the Splunk query for the below scenario: I want to extract the last IP address by a regular expression (regex), for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP
If the event has more than one IP ---> then extract the last IP

Thanks!

Hi All, I want to get a list of users using the Splunk API to get the data from Splunk. Can you please guide how we can do that?
Hi all, I have two indexes, and I want to check whether the data from one index=a exists in the other index=b, and extract the data from the other index=a.

index=a
id
1
1
2
3
3

index=b
id,name1,name2
1,10,a1
1,9,a2
3,9,a1
4,10,a1
4,12,a2

I want the result =
id,name1,name2
1,10,a1
1,9,a2
3,9,a1

Anyone have a good way to guide? Thank you!
Hello! Is it possible to search a field value and then count it, for example first the current week and then add the count of the same search from the week before? Something like:

index=indexa action=allowed app=DNS dest="8.8.8.8" earliest=-14d latest=-7d
| eval flag="count1"
| append [search index=indexa action=allowed app=DNS dest="8.8.8.8" earliest=-7d latest=now() | eval flag="count2"]
| stats count(eval(flag="count1")) as count1 count(eval(flag="count2")) as count2
| eval count = count1+count2

Something in my use of the earliest/latest doesn't seem to work. What am I doing wrong?
Many rules in the Splunk Security Content Repo (ESCU) use this macro "read_ssa_enriched_events", but no macro with this name has been developed in the ESCU app or Splunk Security Essentials. So many rules are not ready to deploy on a Splunk environment. I leave here an example of a rule using this macro: https://github.com/splunk/security_content/blob/develop/detections/endpoint/ssa___applying_stolen_credentials_via_mimikatz_modules.yml Can someone help?
Hi, I'm trying to add a table on the right side of the dashboard, but I am not able to achieve it. Can anyone suggest? Not using an HTML dashboard, using an XML dashboard. Existing: new. New one - expecting: new.
Hi, in order to parametrize the search, I created a lookup with a couple of numerical values that I would like to easily change when necessary. The format of the csv file (test.csv) is the following (this format could be changed based on the answers to this post):

Threshold Value
name1 value1
name2 value2

The only way to do what I want is the following query:

| eval tempField="name1"
| lookup test.csv Threshold as tempField OUTPUT Value as test1value

Any better or more efficient way of doing this? I was imagining something like the line below but I didn't manage to make it work:

| lookup test.csv Threshold as "name1" OUTPUT Value as test1value

Thanks!
Hello everyone! I struggle to find a way to add a value (for example 1) to a field value in case a certain field exists. Let's say this certain field is fieldx and it only exists and has a value when you specifically block a port. After you've unblocked it, the field disappears. What I'm currently looking at is a max value of a field (for example the highest destination port number), so I go:

index=firewall destport=* | stats max(destport) as max_port

Now I have my highest destination port. Let's say it's 65000.

What I'm now trying to accomplish is that, if this port is currently blocked and the fieldx=blocked appears, I want to add a 1 to the max_port value -> 65001 and otherwise leave it be. I've tried an eval if like that:

| eval maxport=if(isnotnull(fieldx),max_port+1,max_port)

but it doesn't work. Do I have something wrong?

PS: in reality I don't know what the value of the fieldx is, so I can't just if(fieldx==blocked,...). But since the field only appears if there is a value in it to begin with, I would use that to my advantage.

Also, is it possible to add the +1 only for a certain period of time? For example, add +1 to the value as long as it is in a two week frame?
Hello All, I have several alerts which send email notifications. I know it might be very basic, but I need your help. One alert is to specify if a local host has accessed a blacklisted IP. So I expect to have a table with: Src, Dest, Port. The search returns a table, but I do not understand why it attaches a Line-Chart diagram! I want it as a static table. In the Visualization tab, it does not show me a static table. I even tried to create a new alert without even going to the Visualization tab, but I got the same result. I have even changed the search and used table instead of stats. Please advise. Thank you.
Hello, I have a question. I need fewer values.

| stats count list(fileame) as filename by user

When I use it, it returns 100 values. I need fewer values, 10-20 values.
Hi, I have to get % of 2 and 3 values in the same field.

Status count
True 200
False 50
Error 10
exc 5
temp 6
Total 271

I need to get true% by true+error /Total * 100 and False% by False+exc+temp/Total*100. Please help me with the solution.
https://community.splunk.com/t5/Splunk-Search/Why-am-I-only-getting-a-maximum-of-100-events-returned-through-a/m-p/207639/thread-id/60523

In my case even after setting the setCount to 0, I am unable to read it via ResultsReaderJson (is it again possible that ResultsReaderJson reads only the first 100 entries?). I have confirmed that the stream contains all entries by printing it:

String result = IOUtils.toString(stream, StandardCharsets.UTF_8);
System.out.println(result);

"In handler 'savedsearch': Expecting different token"

The above error pops up while creating an alert. Is there any fix?
Hi Community, I provisioned the cluster agent with auto instrument; cluster and node information is showing up correctly in the controller. In clusters, Pods, Inventory and Events show the correct information. But the application is not auto instrumenting and I found these error logs in the cluster agent pods. Could you guide me on what the cluster agent is looking for?

[ERROR]: 2021-09-07 03:45:21 - agentregistrationmodule.go:369 - Cluster Agent node name environment variable not found
I am trying to integrate the McAfee ATD app in Phantom. I get the following error when I try to test the connectivity. Firewall burns are complete and when I test the connectivity in the backend it's working fine. Any suggestions?
My index has client_ip. However, I want to use the client_ip that exists in the user_ip.csv field.

index="my_index" [ | inputlookup user_ip.csv | search client_ip="*" ]

Attempted but failed. After that, I will perform stats.
Hi, I'm new to Splunk and was unable to find an answer to this exact question, so sorry if it has been asked before or if it's a simple question, but I'm unable to import all of my local Windows event logs into Splunk Enterprise. I'm able to get around 60% of them imported, but any more than that and I receive an error stating "Encountered the following error while trying to update: Splunkd Daemon is not responding:('Error connecting to /servicesNS/nobody/launcher/data/inputs/win-event-log-collections/localhost: The read operation timed out',)". I'm sure the problem is most likely the service timing out because there are so many log channels I'm trying to import, but I'm not sure how to increase the timeout timer or if there is a way to create multiple localhost inputs. Any help you can provide would be appreciated.
Hi, I have a task where I need to make my search head cluster able to search from two different data center/indexer clusters, one on the east coast and another on the west coast. According to the docs below, this can be done in 2 ways, single-site or multisite: https://docs.splunk.com/Documentation/Splunk/6.3.3/Indexer/Configuremulti-clustersearch I have some idea of how both work, but I need a more in-depth explanation of why one approach is better than the other (in terms of searching/indexing performance, latency, cost, maintenance, complexity, etc.). I do need to bring up that I will enable SmartStore to store data in AWS S3 instead of locally on the indexer nodes. Thank you so much in advance!