When I create a new input, the prompt asks me to enter "User" and "Secret / Password", and it is required. But the value is "xpack.security.enabled: false" in my ElasticSearch.yml. Now I can't pull data from Elasticsearch to Splunk. How can I fix it?
Hello, I would like to know if there is a way to track the number of dashboards created by users over a period of time.
Hello, I have downloaded all the use cases in the ES app and now I want to open the .spl file to look into these use cases, but I do not want to upload the file as an app.
We have a disconnected network and have Splunk installed on a Red Hat Linux server. I can log in to the web interface with a local Splunk account just fine but cannot log in with a domain account. This machine has been configured with domain logins for quite a while and has worked, but only recently stopped working with a domain login. I recently needed to put in a temporary license until we get our re-purchase of a new license. I have not gotten far with troubleshooting yet. Where can I look to troubleshoot this issue? Thank you.
I have two different datasets within the Updates data model. I created a few panels within a dashboard that I use to collect the installed updates and update errors. I want to combine both of these searches into one by combining the datasets to correlate which machines are updating or having errors. Here are the two searches I have so far.

Installed Updates:

| datamodel Updates Updates search
| rename Updates.dvc as host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| rename Updates.signature as "Installed Update"
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| rename lastTime as "Last Update Time"
| table time host "Update Status" "Installed Update"
| `no_windows_updates_in_a_time_frame_filter`

Update Errors:

| datamodel Updates Update_Errors search
| eval time = strftime(_time, "%m-%d-%y %H:%M:%S")
| search * host=$host$
| table _time, host, _raw
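One way to correlate the two Updates datasets per host, added here as an example and not taken from the post above: pull both datasets, tag each row with its origin, then aggregate by host so a single table shows whether a machine installed updates, hit errors, or both. It assumes the `Updates.`/`Update_Errors.` field prefixes that `| datamodel ... search` emits for the root and child dataset (hence the `coalesce`), and keeps the poster's `$host$` dashboard token.

```spl
| datamodel Updates Updates search
| eval kind="installed"
| append [
    | datamodel Updates Update_Errors search
    | eval kind="error" ]
| eval host=coalesce('Update_Errors.dvc', 'Updates.dvc'),
       detail=coalesce('Update_Errors.signature', 'Updates.signature'),
       status=coalesce('Update_Errors.status', 'Updates.status')
| search host=$host$
| stats latest(eval(if(kind="installed", _time, null()))) AS last_install_time,
        count(eval(kind="installed")) AS installed_count,
        count(eval(kind="error")) AS error_count,
        values(eval(if(kind="error", detail, null()))) AS error_details
        BY host
| eval last_install_time=strftime(last_install_time, "%m-%d-%y %H:%M:%S")
| eval state=case(error_count>0 AND installed_count>0, "updating with errors",
                  error_count>0, "errors only",
                  installed_count>0, "updating",
                  true(), "no data")
| table host state last_install_time installed_count error_count error_details
```

`append` runs the subsearch with the usual subsearch limits, so on large estates it is better to replace both `datamodel` commands with a single `tstats ... from datamodel=Updates by Updates.dvc, Updates.status` and derive `kind` from `status`; the `stats ... BY host` stage stays the same.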
I am playing around with the splunk-rolling-upgrade app in our DEV environment. We don't use a KV store there, and we don't use a KV store on our indexers in PROD either, which is where I would like to use this once I sort out the process. However, the automated upgrade process appears to be failing because it is looking for a healthy KV store. Is there a flag or something I can put into the rolling_upgrade.conf file so that it ignores the KV store? Especially when it comes to our CM and indexers, where we have the KV store disabled.
Hello to everyone! My question looks very dumb, but I really can't understand how I can resolve it. So, what we have, step by step:

1. Some network device sends an event via UDP directly to an indexer
2. The indexer receives the message, according to a Wireshark capture
3. Then I try to find this event on a search head, and I see nothing
4. Somehow I generate another event on the network device
5. Then I expect to see two events in the search, but I see only the previous one

This behavior is a little bit random but easy to reproduce with network devices that send events infrequently. Additionally, I can easily detect the wrong behavior because of the significant difference between _time and _indextime of those events. A couple of words about indexer settings; props.conf on the indexer looks like this, nothing special:

[cat_syslog]
DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = true
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = false
TIME_PREFIX = ^<\d{1,3}>\d+:\s+.*:\s+\d+:\s+

Overall, what I can assume:

1. According to my props.conf, the indexer expects to find the default ([\r\n]+) to apply the line-breaking rule and create a single event
2. But for some reason it fails
3. From this moment, the indexer waits until the next event
4. And, I don't know why, but ([\r\n]+) appears in the next message

So, the question is, how to NOT wait until the next event in this situation? I also understand that I can't change the line-breaking rule because of very infrequent events. And also, there are no special characters at the end of events, because they look like this:

<172>153702: 172.21.0.13: 153696: Sep 13 16:30:50.797 RTZ: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.28.20.80:1812,1813 is being marked alive.
<174>153700: 172.21.0.13: 153694: Sep 13 16:30:30.714 RTZ: %RADIUS-6-SERVERALIVE: Group AAA_RADIUS: Radius server 172.21.20.80:1812,1813 is responding again (previously dead).
<173>153695: 172.21.0.13: 153689: Sep 13 16:25:05.626 RTZ: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to up
Hi, I have a quick props question. I need to write a props for a particular sourcetype, and the messages always start with one of the following before the timestamp starts: ukdc2-pc-sfn122.test.local - OR ukdc2-pc-sfn121.test.local - When writing the TIME_PREFIX, can a regex be written to account for this? Is it just a basic one, and if so, can someone provide it? Thanks.
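A props.conf stanza for this, added here as an example and not taken from the post above. It assumes the hostname is the very first thing in the raw event and that the host number varies only in its digits; the stanza name `my_sourcetype` is a placeholder for the real sourcetype.

```ini
# Added example: anchor the prefix to the start of the event so a hostname
# appearing later in the message cannot be mistaken for the prefix.
# \d+ covers sfn121, sfn122 and any future sfnNNN host; use sfn12[12] instead
# if only those two hosts should ever match.
[my_sourcetype]
TIME_PREFIX = ^ukdc2-pc-sfn\d+\.test\.local\s+-\s+
# Keep the lookahead tight so Splunk does not scan past the timestamp into
# the message body; 32 characters is enough for common syslog-style stamps.
MAX_TIMESTAMP_LOOKAHEAD = 32
```

Once the exact timestamp layout that follows the prefix is known, add a matching TIME_FORMAT to the same stanza; without it Splunk falls back to automatic timestamp recognition, which is slower and occasionally wrong on ambiguous dates.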
Hi, I am trying to list the steps to interface Splunk with ServiceNow and to create an incident in ServiceNow from a Splunk alert. Is it mandatory to use the Splunk Add-on for ServiceNow from Splunkbase? And what are the steps after that? Thanks.
Hi all, is it possible to pass parameters to the action [[action|sendtophantom]] in the field "Next Steps"? For example, pass it the severity or the SOAR instance? Thanks.
Hello, could you please provide guidance on how to retrieve the daily quantity of logs per host? Specifically, I am looking for a method or query to get the amount of logs generated each day, broken down by host. Best regards.
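Two searches for daily volume per host, added here as an example and not taken from the post above. The first counts events from the index metadata with `tstats`, which is cheap and needs no raw-event scan; the second reads the indexer's license usage log to get ingested bytes per host and day. Both assume the 7-day window and `index=*` scope shown, which you should narrow to the indexes you care about.

```spl
| tstats count AS events
    WHERE index=* earliest=-7d@d latest=@d
    BY host _time span=1d
| eval day=strftime(_time, "%Y-%m-%d")
| table day host events
| sort day host

| index=_internal source=*license_usage.log* type=Usage earliest=-7d@d latest=@d
| eval mb=round(b/1024/1024, 2)
| timechart span=1d sum(mb) AS ingested_mb BY h limit=0
```

In license_usage.log the host is in the field `h`, the bytes in `b`; `limit=0` keeps `timechart` from collapsing the smaller hosts into OTHER. Note that the license log reports volume as measured at ingest, so it only covers hosts that send data through the indexers' license-metered path.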
Hi, I have instrumented a Node.js agent with auto-instrumentation in the cluster agent. My application is reporting, but no call graph has been captured for BTs. I have checked the agent properties and discovered that by default this property is disabled: AppDynamics options: excludeAgentFromCallGraph,true. Can anyone suggest how I can enable this property for the auto-instrumentation method?
Hi all, I need to download and install the app below via the command line: https://splunkbase.splunk.com/app/263 Please help me with the exact commands. I tried multiple commands; login is successful and I get a token, but during the app download I get a 404 bad request error.
How can I use the top command after migrating to tstats? I need the same result, but it looks like it can be done only using top, so I need it.

index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" status IN ("*")
| rename analysis.threat_score AS ats
| where isnum(ats)
| eval ats_num=tonumber(ats)
| eval selected_ranges="*"
| eval token_score="*"
| eval within_selected_range=0
| rex field=selected_ranges "(?<start>\d+)-(?<end>\d+)"
| eval start=tonumber(start), end=tonumber(end)
| eval within_selected_range=if( (ats_num >= start AND ats_num <= end) OR token_score="*", 1, within_selected_range )
| where within_selected_range=1
| rename "analysis.behaviors{}.title" as "Behavioral indicator"
| top limit=10 "Behavioral indicator"

I tried this but it doesn't return the percent:

| tstats prestats=true count as Count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" Secure_Malware_Analytics_Dataset.status IN ("*") by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| chart count by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| sort - count
| head 20
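`top` is only `count` plus a percentage of the total, so the same output can be rebuilt on top of a `tstats` aggregate. The search below is added here as an example and is not taken from the post above; it assumes the data model and field names the poster already uses, drops the long `index IN (...)` list for brevity, and leaves the threat-score range filter out because that only works in the `WHERE` clause if the score field is part of the accelerated dataset (which the post does not confirm).

```spl
| tstats count
    FROM datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset
    WHERE sourcetype="cisco:sma:submissions"
    BY Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| rename Secure_Malware_Analytics_Dataset.analysis_behaviors_title AS "Behavioral indicator"
| eventstats sum(count) AS total
| eval percent=round(100 * count / total, 6)
| fields - total
| sort - count
| head 10
```

`eventstats sum(count)` computes the denominator over all behaviour titles before `head` trims the list, which is what `top` does internally; do the `head` last or the percentages will be relative to the top 10 rather than to all submissions. Without `prestats=true` the `tstats` output is already a finished table, so no trailing `chart` is needed.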
Hi, I have a case where I want to update/append a macro with the results from a lookup. I don't want to do this manually each time. So is there any way I could use a scheduled search and update the macro if the lookup has any new values?
Hi, I need to do a heat map visualization. I have checked the dashboard examples add-on, and in this example a lookup is used: | inputlookup sample-data.csv Is it possible to do the same thing without a lookup, please? I mean by using an index and an eval command, for example: if the field "Value" is < 50 the color is green, < 30 the color is orange and < 10 the color is red in my heat map. Regards.
Hi Team, I am sending JSON data to the Splunk server and I want to create a dashboard out of it. My data is in the format below and I need help in creating the dashboard out of it.

Example:

{"value": ["new-repo-1: 2: yes: 17", "new-repo-2: 30:no:10", "new-one-3:15:yes:0", "old-repo: 10:yes:23", "my-repo: 10:no:15"]}

and many more similar entries.

My dashboard should look like:

repos       count  active  count
new-repo    2      yes     17
new-repo-2  30     no      10
new-one-3   15     yes     0
old-repo    10     yes     23
my-repo     10     no      15

I am able to write the rex for a single field using extract pairdelim="\"{,}" kvdelim=":" but not able to do it for the complete dashboard. Can someone help?

Thanks, Veeresh Shenoy
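A search that turns each element of the `value` array into its own row, added here as an example and not taken from the post above. It assumes the events are indexed as JSON under `index=myindex` (a placeholder); the second numeric column is named `count2` because a table cannot carry two columns called `count`.

```spl
index=myindex "\"value\""
| spath path=value{} output=entry
| mvexpand entry
| rex field=entry "^\s*(?<repos>[^:]+?)\s*:\s*(?<count>\d+)\s*:\s*(?<active>[A-Za-z]+)\s*:\s*(?<count2>\d+)\s*$"
| where isnotnull(repos)
| table repos count active count2
```

`spath path=value{}` reads the array as a multivalue field and `mvexpand` splits it into one row per entry; the `\s*` around each colon absorb the inconsistent spacing in the sample ("new-repo-1: 2: yes: 17" versus "new-one-3:15:yes:0"), and `where isnotnull(repos)` drops any entry that does not have the four-field shape instead of leaving a half-empty row in the table. For the dashboard, use this search as the panel's base search and let the table visualization render it directly.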
I see this "extracted_eventtype" field in many saved searches and dashboard inline searches. However, I cannot find where it is generated. In the DUO events I do see "event_type" and "eventtype" fields. But not "extracted_eventtype". Dashboards with that field show "No results found." because that field is nowhere to be found in DUO events. Any thoughts / pointers would be very much appreciated!
How can I monitor a user to see if he is using the wireless network in the company? Thank you!
Is it possible to password protect emailed reports?