I encountered an error while configuring Splunk to connect to LDAP. Failed to retrieve a user with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.
How can we fetch the events performed by users in the Splunk Enterprise Security product from APIs?
Hi Team, I have installed the on-prem controller in http format; now I need to change it to https format. Kindly provide the steps for the changes.
I have used the VT4Splunk app for the notable enrichment process in Splunk Enterprise Security. Does somebody know if I can get comment values from VirusTotal <hash, ip, domain> results, not only the count of them? Below is an example:

| makeresults
| eval file_hash="43dbf0a7df3b78cffbe5732b9da758fddfe13a8c9775da1214622837e8d30d28"
| vt4splunk hash=file_hash

The results:

Here is an example of a particular API request I found in the VT docs and want to use with Splunk: https://docs.virustotal.com/reference/files-comments-get Thanks in advance!
In a Splunk dashboard I see there are ways to add default visualisations. I want to add my own visualisation from my own app to this menu. How do I do that?
I am trying to generate a list of the percentages of response codes by resultCode by app.

A simplified version of the events is:

appName=app1, resultCode=500
appName=app1, resultCode=500
appName=app1, resultCode=404
appName=app2, resultCode=404
...

If I do

<initial search that returns the above events> | stats count by appName resultCode

it gets me very close to what I am trying to do and outputs something like this to the Statistics tab:

appName  resultCode  count
app1     500         25
app1     404         10
app1     200         100
app2     500         14

I need to take this one step further, and have an output that, instead of showing the count by resultCode, will instead show the percentage each resultCode comprises by appName.

The ideal result is:

appName  200  404  500
app1     90   2    8
app2     85   10   5
...

This is ideal, but even if the result was

app1, 200, 90
app1, 404, 2
app1, 500, 8
...

(where the columns are appName, resultCode, and percentage (based on the count of events by code for an app over all events for the app)). I can get a count of events by appName in a separate query to be able to get to the total, but I am just not finding how to use that specific appName's total for each of the specific app error values all together.

I'm missing how to do

| stats count by appName as appTotal
| stats count by appName resultCode as appResult
| eval resultPerc=round((appResult*100)/appTotal, 2)

and have that show in a table in a way that can be clearly displayed.

Any ideas on what I might be missing here would be appreciated. Thanks!
Hi All, This may be a bit of a peculiar question, but I'm trying to figure out if there's a way to use a certain expression in a search query to pull a "maximum" value based upon a custom table (.csv import) that is pulled into the query via the "lookup" command. The table has 4 possible "Attribute" values which range from "level-1-access" to "level-4-access". In the stats table, a given UserID may have activity that reflects 1 or more of these (thus, a maximum of 4 per UserID). Below is a sample dataset. What I'm attempting to do is filter this data so that it's only showing the "maximum" (or "highest") value for each UserID. The rows bolded in green are what I'd want to see, with everything else excluded; thus, there should only be 1 row per distinct UserID. One possible thought that comes to mind is adding a numeric field to the .csv lookup, though I'm still not 100% certain how to go about rendering the stats table to only include the highest value per UserID. Any help would be appreciated. Thanks!

UserID   Attribute
jdoe     level-1-access
jdoe     level-3-access
jdoe     level-4-access
asmith   level-1-access
asmith   level-2-access
ejones   level-3-access
ejones   level-4-access
pthomas  level-1-access
pthomas  level-2-access
pthomas  level-3-access
pthomas  level-4-access
I have the following time:

EPOCH       HUMAN READABLE
1703630919  12/26/2023 19:48:39

I would like to convert the EPOCH to CST time. Currently I am testing the following, but I am curious to know if there is an easier way.

| makeresults
| eval _time = 1703630919
| eval cst_offset = "06:00"
| convert ctime(_time) as utc_time timeformat="%H:%M"
| eval utc_time = strptime(utc_time,"%H:%M")
| eval cst_offset = strptime(cst_offset,"%H:%M")
| eval cst_time = (utc_time - cst_offset)
| convert ctime(cst_time) as cst_time timeformat="%H:%M"."CST"
| convert ctime(utc_time) as utc_time timeformat="%H:%M"."UTC"

Results in:

_time                cst_offset         cst_time   utc_time
2023-12-26 19:48:39  1703667600.000000  16:48.CST  22:48.UTC
Hello, I'm currently working on a dashboard. I want to move the menus that are marked in green into the space below the data (also marked in green). Could someone help me with how to do it, because you can't drag and move them down there?
I have tried to use the following eval to pretty up the return of a field, but the result is always test. I have tried single and double quotes around the host.domain field, but it always just gives test. I keep on looking for a typo or something, but I am at a loss.

| eval dct_domain=case(host.domain=="prd", "Production", host.domain=="uat", "Pre-Production", host.domain=="dev", "Development", true(), "test")

TEMPORARY EDIT - So while trying a thing from what's been suggested so far, I found that when I click on host.domain in the left side and choose prd it gives me no results, despite the fact it clearly lists it in results (which for that type of selection option it has to be in the results). So I brought the search down to just:

index=dct_foglight_shr "host.domain"=prd

and no results show. Anyway, I'm opening a Splunk ticket.
Hi Team, I need your assistance with the below.

We have created a new csv lookup and we are using the below query, but we are getting all the data from the index & sourcetype. We need to get the events only for the hosts which are mentioned in the lookup; that is the requirement.

Lookup name: Palo_devices.csv, using only one column called Hostname

index=security host=abc sourcetype = Palo | lookup Palo_devices.CSV Hostname OUTPUT Hostname

Regards, Nagalakshmi
Hi, I would like to know how to install btool on Windows, and can you please tell me how to locate the file. I was trying to open it in Windows as an administrator and I could get the results.

C:\Program Files\Splunk\bin>splunk btool inputs list
'splunk' is not recognized as an internal or external command, operable program or batch file.

C:\Program Files\Splunk\bin>splunk cmd transfors list
'splunk' is not recognized as an internal or external command, operable program or batch file.

I used these commands and I was not able to get it to work. Please help me out here.
Hello guys, I need some help with making a table/dashboard that shows me changes to incidents in our Defender platform. The underlying issue that we see is that Defender sometimes, when an incident is handled by automation, de-escalates the severity of a particular incident. So in my index of incidents I want to track, for each specific incident that is handled by automation, when the severity field changes. The table should look something like this:

IncidentId  Description  Status  Old_Severity  New_Severity

I don't know whether to use the streamstats or the dedup command. I've been fiddling a bit with both but can't seem to get the right output. Anyway, hope you can help me out here. If there's something unclear about my question, let me know so I can clarify.
Hello everyone, I'm a beginner in using Splunk. I'm facing an issue in finding a search solution for the following idea: I'm logging the deletion behavior of files, and I have whitelisted some important files in a lookup. If the file_path in the event matches any of the file_paths in my lookup file, then it should produce a result. Here is the initial search, and it found 2 file_paths. This is my lookup file. Here is my search, but it's not working correctly. Thank you, everyone, for reading!
Hi, I have the following transforms.conf:

[REPLACEMENT_COST]
CLEAN_KEYS = 0
FORMAT = $1"REPLACEMENT_COST2":"$2$s"$3
REGEX = (.*)"REPLACEMENT_COST":([^,]+)(.*)
#SOURCE_KEY = REPLACEMENT_COST
DEST_KEY = _raw

I had to write s in the FORMAT field right after $, since otherwise it does nothing. Is there any option to escape the dollar sign in this field? The relevant props.conf is:

[json_multiline]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
LINE_BREAKER = ([\r\n]+)
MAX_DAYS_AGO = 10000
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = LAST_UPDATE
TIME_FORMAT = %m/%e/%y %H:%M
category = Custom
pulldown_type = 1
disabled = false
KV_MODE = none
EVAL-DESCRIPTION = replace(DESCRIPTION, "([A-Z])", " \1")
EVAL-SPECIAL_FEATURES = split(replace(SPECIAL_FEATURES, "([A-Z])", " \1"), ",")
LOOKUP-LANGUAGE = LANGUAGE.csv LANGUAGE_ID
TRANSFORMS-REPLACEMENT = REPLACEMENT_COST

Thanks
Hi, I have the SPL queries below and am trying to combine them together. Please could you suggest? Expected count is 13919.

spl 1:
index=abc sourcetype=123 source="allocation" TERM("1=1") OR TERM("2=2") TERM("3=C") Sender=aaa TERM("4=region") | dedup ExecId | stats count
## Results Count = 4698

spl 2:
index=abc sourcetype=123 source=*block* TERM("1=1") OR TERM("2=2") | dedup ExecId | stats count
## Results Count = 9221
Hi, I see some saved searches and knowledge objects created under a user's local profile, like below:

/opt/splunk/etc/users/username/search/local/savedsearches

Can I append the above "savedsearches" file to the "savedsearches" file under the app folder, like /opt/splunk/etc/apps/search/local/? As we are migrating our Splunk infra to a new one, I am trying to clean up things, and this effort is part of the migration. Not sure if this makes sense, but I would want all the savedsearches at one location, which is /opt/splunk/etc/apps/. If this is possible, how can I implement it, and will there be any impact?
Hi, I need help generating search queries using SPL, especially in my new role as a SOC Analyst. I would like to know if you can guide me towards any other training programs on SPL. While I did take some training from the Splunk website, I still needed to meet my expectations. I would appreciate any advice you could give me. Thank you for your time and support. I wish you a wonderful holiday season and a happy new year. Best regards, Osama Faheem  
I want to send custom logs to Splunk Enterprise from Apigee API proxy. I have installed the trial version of Splunk Enterprise. I am following the method with HEC token explained in this article: https://community.splunk.com/t5/Getting-Data-In/How-to-connect-Apigee-Edge-to-Splunk/m-p/546923. However, I am unable to send logs to Splunk. Any help in this regard will be appreciated.
Hi, I have the botsv1 dataset uploaded in a Splunk simulated environment. But when I search "index=botsv1", it returns 0 events, although I have seen the dataset in the apps folder. It can also be seen in the indexes in the Settings section. Nothing can be searched using the keyword botsv1. I have tried various search options, but all failed. Please help me. Thanks in advance.