Hello all! Is there a default time for which events (containers/cases) are stored in the SOAR server? And if so, can I change that time? @phanTom Thank you in advance.
Hi, I would like to install additional tools on my Splunk Docker container, but yum is not installed; rpm is available but needs to be configured along with a repo, I guess? What is the best way to do this? Do I need a Red Hat subscription for this?
Hello Splunkers!! I want to connect or configure Splunk with Kafka. Our Kafka resides in a Kubernetes cluster. Please guide me on what kind of approach I should follow, because there is a lot of stuff available and it is confusing for me.
Hi, I would like to know about the triggered notable events from CS without accessing the Incident Review dashboard, as we are experiencing a significant number of notables being triggered consistently. How can we identify the source of noise from a specific correlation search? Thanks in advance.
Hi All, I updated Splunk Universal Forwarder from 8.2.6 to 9.1.3 on a Debian host. No specific configuration, basically everything by default. I would like to use the REST capabilities which I already used with the older version, but this time the port is not listening, although startup says it is listening: Checking mgmt port [8089]: open. Netstat shows no 8089 either. The host has no firewall, no bulls**t, just a pure playground, and as I said the older version worked perfectly. What can the problem be, another bug in the software?
Hi Splunkers, I need help with my dashboard because I'm stuck on this problem. I've already searched and tried many JavaScript codes, and it's still not working. Basically what I need is: after clicking a drilldown button, the result should be a table that shows me more details about a use case. Look at the first down arrow. When I click it, it should show me the details. But I cannot render a table. The token for my results should be the value of the use_case_name. My JavaScript code:

requirejs([
    '../app/simple_xml_examples/libs/underscore-1.6.0-umd-min',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/chartview',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc',
    'splunkjs/mvc/simplexml/ready!'
], function(_, TableView, ChartView, SearchManager, mvc) {
    var EventSearchBasedRowExpansionRenderer = TableView.BaseRowExpansionRenderer.extend({
        initialize: function() {
            // initialize will run once, so we will set up a search and a table to be reused.
            this._searchManager = new SearchManager({
                id: 'details-search-manager',
                preview: false
            });
            this._tableView = new TableView({
                'managerid': 'details-search-manager',
                'charting.legend.placement': 'none'
            });
        },
        canRender: function(rowData) {
            // Since more than one row expansion renderer can be registered, we let each decide
            // if they can handle that data. Here we will always handle it.
            return true;
        },
        render: function($container, rowData) {
            // rowData contains information about the row that is expanded.
            // We can see the cells, fields, and values.
            // We will find the use_case_name cell to use its value.
            var use_case_nameCell = _(rowData.cells).find(function (cell) {
                return cell.field === 'use_Case_name';
            });
            // update the search with the use case that we are interested in
            // this._searchManager.set({ search: 'index=_internal sourcetype=' + sourcetypeCell.value + ' | table user | dedup user' });
            this._searchManager.set({
                search: '| inputlookup XXXX.csv | search use_case_name=' + use_case_nameCell.value + ' | table XXX | transpose'
            });
            // $container is the jQuery object where we can put our content.
            // In this case we will render our table and add it to the $container.
            // $container.append(this._chartView.render().el);
            $container.append(this._tableView.render().el);
        }
    });

    var tableElement = mvc.Components.getInstance('expand_with_events');
    tableElement.getVisualization(function(tableView) {
        // Add the custom row expansion renderer; the table will re-render automatically.
        tableView.addRowExpansionRenderer(new EventSearchBasedRowExpansionRenderer());
        tableView.table.render();
    });
});

Thank you guys.
I would like to start encrypting traffic between the universal forwarder on my Windows devices and my single Splunk 9.x indexer that is on a Windows server. For the moment I am only concerned with getting SSL going on the indexer. I see you can also set up a certificate on the clients for authentication to the server, but I want to take it one step at a time. I have a GoDaddy cert I would like to use with the indexer, and I have looked over much of the documentation on Splunk's site on all the ways you can make this configuration work, but it left me confused. I can't find any mention of what to do about the public key. I see where the documentation references the server certificate and even the sslPassword in the inputs.conf file, but no reference to where to put the key location. Is it just assumed you combine the server cert + the private key into a single PEM file, and if so, is the order just server cert first, then private key? Example:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
I am very new to Splunk and am having a hard time finding out how to monitor applications. Can someone help?
Hi, we are using the following regex to capture "caused by" exceptions within a Java stack trace:

Caused by: (?P<Exception>[^\r\n]+)

When testing in regex101, it seems to be working well and captures both instances of "caused by" in the sample trace: https://regex101.com/r/yL1ucO/1 But when used with EXTRACT within props.conf, Splunk only gets the first instance, i.e. "SomeException". The 2nd occurrence, "AnotherException", is not captured. Should I be using REPEAT_MATCH with a transforms stanza, or is there a way to fix this within props itself?
Hello, I'm trying to sum by groups (I have 2 groups) and then plot them individually and also the sum. I'm using the following search to plot group 1:

| fields inbound_rate outbound_rate HOST
| where HOST like "%location_a%"
| addtotals fieldname=a_TPS
| timechart span=5m sum(a_TPS) as a_TPS

This works and sums all the server TPS from location a. Now I have servers in another location (location_b). How can I plot TPS for location a, location b and the sum of both? Thanks.
Need help with a rex query. I am getting the two events below. I am able to rex event 1, which has a NULL field. But I also need to capture sample event 2, which does not have a NULL value. Instead of NULL it just has ",," (no NULL value, just two adjacent commas). I need the rex command to capture the field in both cases: if the event has NULL, then I need the NULL field, and if it just has two adjacent commas, I need a blank value.

Sample event 1:
acd.55,1,NULL,C:\totalview\ftp\switches\customer1\55\020224.1100,PASS,2024-02-02 17:32:30.047 +00:00,2024-02-02 17:36:02.088 +00:00,212

Sample event 2:
acd.85,1,,C:\totalview\ftp\switches\customer1\85\020224.1100,PASS,2024-02-02 17:31:30.032 +00:00,2024-02-02 17:32:00.226 +00:00,30

I created the rex query below, which is working for event 1, but it is not recognizing event 2 when that comes in some of the time.

^(?P<ACD>\w+\.\d+)\t(?P<ATTEMPTS>[^\t]+)\t(?P<FAIL_REASON>[^\t]+)\t(?P<INTERVAL_FILE>[^\t]+)\t(?P<STATUS>\w+)\t(?P<START>[^\t]+)\t(?P<FINISH>[^\t]+)\t(?P<INGEST_TIME>.+)
splunkd.log is flooded by the following log line:

WARN AutoLoadBalancedConnectionStrategy [xxxx TcpOutEloop] - Current dest host connection nn.nn.nn.nnn:9997, oneTimeClient=0, _events.size()=41, _refCount=2, _waitingAckQ.size()=5, _supportsACK=1, _lastHBRecvTime=Thu Jun 20 12:07:44 2023 is using 18446603427033668018 bytes. Total tcpout queue size is 26214400. Warningcount=841
Hi Community, we are in the process of sending alerts from Splunk to another application via REST API, but the response of the REST API is displayed in XML format, whereas our other application expects JSON format. We tried using the Postman application as well, but the response is the same, in XML. Can anyone suggest a REST API with a JSON response to get the alert details? Regards, Eshwar
I have an index that contains all the hits for our WAF and an index that contains the subsequent API call details for any of those hits that are an application calling one of our APIs behind the WAF. There is a shared identifier that the WAF passes to the API call so we can link them together and see what IP, user agent string, etc. made that API call. I am trying to pull data from both indexes together into a nice table so that our devs and our security folks can see what API calls are being made, who/what is calling them, and the payloads.

API search:
index=api source=api_call | rename id as sessionID | fields apiName, payload, sessionID

WAF search:
index=waf | fields src_ip, requestHost, requestPath, requestUserAgent, sessionID

My attempt to join them on the sessionID, which is not working. It returns no results.

index=api source=api_call
| rename message.id as sessionID
| fields apiName, message.payload, sessionID
| join sessionID [search index=waf | fields src_ip, requestHost, requestPath, requestUserAgent, sessionID]
| table apiName, message.payload, sessionID, src_ip, requestHost, requestPath, requestUserAgent

I know joins are not very performant, so I'm open to alternatives that don't use it, but I'm not sure what those would be.
Hello, the Splunk forwarder PowerShell script is causing resource exhaustion, and this script runs for 8-9 hours. Any idea on this issue? Thanks
I am trying to update the DNSTwist Add-on for Splunk to its latest version, 1.0.4, but every time it still shows me that the version update is available, i.e. 1.0.4. I have tried it through the UI as well as by manually installing and replacing it with the latest version. Is anyone else facing a similar situation? Kindly suggest what needs to be done here.
Hello guys, I have the query below, which uses join. I see lots of examples of how to replace that with stats, but I am not able to. I need to join on _time and another field called snat. The output should at least show client_ip and Account_Name. Thanks

index=_ad (EventCode=4625 OR (EventCode=4771 Failure_Code=0x18)) Account_Name=JohnDoe Source_Network_Address IN (10.10.10.10 20.20.20.20)
| bucket span=1m _time
| eval Source_Network_Address1 = case(EventCode==4771, trim(Client_Address, "::ffff:"))
| eval SourceIP = Source_Network_Address
| eval Account_Name4625= case(EventCode=4625,mvindex(Account_Name,1))
| eval Account_Name4771= case(EventCode=4771,Account_Name)
| eval Account_Name = coalesce(Account_Name4771, Account_Name4625)
| eval Source_Network_Address_Port = SourceIP+":"+Source_Port
| rex field=ComputerName "(?<DCName>^([^.]+))"
| rename Source_Network_Address_Port as snat
| stats count by _time snat Account_Name EventCode DCName
| join type=inner _time snat
    [search index=_network snat IN (10.10.10.10*,20.20.20.20*)
    | bucket span=1m _time
    | rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)"
    | stats count by _time snat client_ip]

@woodcock @MuS
Hello, I am attempting to write some regex with a lookahead. My event is:

pluginText: <plugin_output> Here is the list of packages installed on the remote Red Hat Linux system :

libkadm5-1.18.2-26.el8_9|(none) Wed 17 Jan 2024 10:21:40 AM CST
sssd-client-2.9.1-4.el8_9|(none) Wed 03 Jan 2024 06:05:06 AM CST

plugin_id: 22869

I would like to capture everything before the plugin_id and after the "Here is the list of packages installed on the remote Red Hat Linux system :\n\n", so all of the software data. My plan is to first extract everything into a big field and then pipe it to another rex command and use max_match=0 to extract the software into a multivalue field. I am having some trouble implementing this. Help is appreciated. Thank you, Nate
Hi experts, we are in the process of sending alerts from Splunk to another application via REST API, but the response of the REST API is displayed in XML format, whereas our other application expects JSON format. We tried using the Postman application as well, but the response is the same, in XML. Can anyone suggest a REST API with a JSON response to get the alert details? Thank you in advance. Regards, Eshwar
Hello Everyone, I have created an alert which uses the sendresults command to format the email notification. But the problem I have with this is that it does not have a "View Splunk Results" link to view the Splunk results. So I added addinfo to the search to grab the search id and appended it to the Splunk URL:

https://<hostname>:8000/en-US/app/search/search?sid=scheduler__user__search__RMD5fa2e7e4e362d_at_".$info_sid$."

| eval application_name = "<a href=https://<hostname>:8000/en-US/app/search/security_events_dashboard?form.field2=&form.application_name=" . application_name . ">" . application_name . "</a>"
| eval email_subj="Security Events Alert", email_body="<p>Hello Everyone,</p><p>You are receiving this notification because the application has one or more security events reported in the last 24 hours..<br></p><p> Please click on the link available in the table to fetch events for specific application.</p> </p><p>To view splunk results <a href=https://<hostname>:8000/en-US/app/search/search?sid=scheduler__user__search__RMD5fa2e7e4e362d_at_".$info_sid$.">Click here</a></p>

I am able to receive the link, but this link is not loading. Could someone please assist me with this? I want to receive a link similar to the one I receive when an alert is triggered. Regards, Sai