Hi all, I have a case about monitoring Linux servers. Here is what I am trying to do. I am not sure whether this is possible or not, but I have to do these things as far as possible because System Staff wanted these from me.
1- Root SSH access enabled servers --> Need Help
2- When someone changed the sudoers file --> Done.
3- Root password change --> Done.
4- Users who have "0" ID except root --> Need Help
I did some steps but I need help with 2 steps. Any help would be appreciated!
Hi all, is there a way to demote a case to a container using a playbook? Thank you in advance.
Is there a built-in solution in Splunk that does frequency analysis (for example on domain names)? There is a solution by Mark Baggett in https://github.com/MarkBaggett/freq but I had problems using it in Splunk. It can either be run using the Python script:
$ python3 freq.py freqtable2018.freq -m splunk.com
(6.0006, 5.0954)
Or using curl:
$ curl http://127.0.0.1:20304/measure/splunk.com
(6.0006, 5.0954)
I want to run it against a field, for example called "query", in my Zeek DNS logs, calculate the frequency and save it in another field.
Hello Team, please help me with a Splunk query to trigger on 1- brute-force attacks, 2- malicious payloads and 3- zero-day exploits, by creating a Splunk query and creating email alerts for it. Thank you
I have the below message. How can I only display ResponseID in the output? Thanks.
message: <?xml version='1.0' encoding='ISO-8859-1'?><Submission Id="12345" <LastName>XXX</LastName><ResponseID>137ce83fe8ddb052-1698535326634</ResponseID><Date>2023.10.28 23:23:14</Date>
Hello, we have a data center with several types of equipment such as servers, switches, routers, EDR, some IoT sensors, virtualization, etc. Based on EPS, we need about 10 indexers based on Splunk's recommendation. Now I want to separate the indexers into 4 clusters: one for servers, one for network devices, one for services and the last one for security such as firewall and EDR. Each cluster has several indexers and each forwarder sends data to the related cluster. Data only replicates in the origin cluster, not in other clusters. But I need each search head to be able to search across all 4 clusters, for example a search for login failures in all clusters (servers, network devices, etc.). Could I have several clusters with one cluster master? Best Regards
Hi, I have created a basic datamodel called "TEST". I try to query this datamodel with tstats, but the only piece of code which returns a value is:
| tstats count from datamodel=TEST
But I can't see the events related to this request. And if I try to be more explicit in my request, like below, I have no results:
| tstats count from datamodel=TEST where EventCode=100
So what is the problem? Other question: what is the interest of using the datamodel and pivot commands, since it's possible to query a datamodel without SPL? Thanks
Hello, I want to copy my custom app, which includes a dashboard created in Dashboard Studio, to another Splunk server. I have imported numerous images into Dashboard Studio, and I would like to copy those images (including the associated KV store data). Please let me know if there is a method to do this, such as copying files or using APIs. (By the way, the source server is configured as a search head cluster.)
Hello Team, I have a .log flat file. This file gives us data whenever we open it and run a command; it gives us some logs. Now I am integrating this .log file with Splunk but it is not integrating. I ran the following command to integrate it, "/splunk/bin ---> ./splunk add monitor [file name]", and it gave me a message that the file has been added to the monitor list. However, I don't see this file in my Splunk. Further, if I have this file in Splunk, how will it take data from it whenever we run any command? Also, this .log file doesn't store data in any other directory; whenever we close the file, the data disappears. Please note the OS I'm using is Sun Solaris.
Hello Splunkers! I was wondering where I can turn on and view the MITRE ATT&CK posture for every notable in Enterprise Security as shown in the picture:
Hi Team, I have downloaded the Splunk for Salesforce installation file but I have not installed it. Can someone help us with this issue? I have created a connected app in Salesforce to connect to Splunk, and I have to implement and test one of the Salesforce features. Best Regards, Siva
Has anyone figured out how to use the Splunk SOAR IMAP app to connect to an Exchange mailbox? The goal is to read new email coming into the mailbox.
Hi Team, we need to display the single latest event in Splunk by query.
I have a field CI extracted from a JSON payload:
{ "Name": "zSeries", "Severity":5, "Category":"EVENT", "SubCategory":"Service issues - Unspecified", "TStatus": "OPEN", "CI": "V2;Y;Windows;srv048;LogicalDisk;C:", "Component": "iphone" }
Further, I want the CI field value extracted using DELIMS = ";". I have created the below props & transforms configuration but it is not working.
props.conf:
[source::cluster_test]
REPORT-fields = ci-extraction
transforms.conf:
[ci-extraction]
SOURCE_KEY = CI
DELIMS = ";"
FIELDS = CI_V2,CI_1,CI_2,CI_3,CI_4,CI_5
Any help highly appreciated.
Hi, below is my current search at the moment:
index=o365 sourcetype=* src_ip="141.*"
| rex field=_raw "download:(?<download_bytes>\d+)"
| rex field=_raw "upload:(?<upload_bytes>\d+)"
| dedup UserId, ClientIP
| table UserId, download_bytes, upload_bytes
| head 10
I am trying to get downloaded bytes and uploaded bytes into a table and find out if anything suspicious is going on in the network; however, I have been unable to return anything other than the source IP. Thanks in advance.
I have three indexes I am trying to join that have at least three similar columns each. I want to table the results in order to generate a report and alert. What would be the fastest method to work around using the join command, if possible? Because my environment is built to min specs I need to not utilize something that is not resource heavy. Below is my query; the "| table" is where I am having issues. Cyber is my elevated account vault, AD is my Active Directory and unix is for my Red Hat environment. I am a little lost currently as I have not played with Splunk in a couple of years.
index=cyber AND index=AD AND index=unix
| table _eventtime, issuer, requestor, purpose (for cyber)
| table user, issuer, elevID, action (for AD)
| table user, path, cmd (for unix)
Hello, I have a requirement to create an orange button in a Splunk dashboard, and upon clicking the orange button I need to load a few panels. Kindly let me know how this can be accomplished. Thanks
I'm confused about how to truncate this log. How do I do it from props.conf or from an SPL command? Can anyone provide a solution to this?
<11>1 2021-03-18T15:05:30.501Z abcdefghi-jajaj-b1bc07001-xb0k7.abcdefghi-user - - - [Originator@7776 kubernetes__container_name="abcdefghi-jajaj" docker__container_id="a1bbddc80312d8501f1b1ac015d525722f105a71d6521be0728e8b057066eda1" kubernetes__pod_name="abcdefghi-jajaj-b1bc07001-xb0k7" bosh_index="0" stream="stbcd" kubernetes__namespace_name="abcdefghi-develop" bosh_id="e0700d15-ca5a-1f35-8e01-bd83d3eb705a" bosh_deployment="service-instance_f08cb851-fa53-1206-0a6b-705f3fa0f301" docker_id="a1bbddc80312d" tag="kubernetes.var.log.containers.abcdefghi-user-b1bc07001-xb0k7_abcdefghi-develop_abcdefghi-user-a1bbddc80312d8501f1b1ac015d525722f105a71d6521be0728e8b057066eda1.log" instance_type="werkir"] 2021-03-18 22:05:00.210 INFO [abcdefghi-jajaj,3010acf256f7c7e0,717ea36c0d67f3da,true] 6 --- [nio-0020-exec-1] c.id.bankabcde.common.util.SplunkUtil : [LOGIN_abc]|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|uobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|sessionID=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|appVersion=ABC123|mobilePhone=ABC123|custGroup=ABC123
I want to cut it to something like this:
[LOGIN_abc]|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|uobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|sessionID=ABC123|mobilePhone=ABC123|mobilePhone=ABC123|appVersion=ABC123|mobilePhone=ABC123|custGroup=ABC123
THANK YOU
Hello, does the stats values command combine unique values? For example:
company                      ip
companyA companyA            1.1.1.1
companyB companyB companyB   1.1.1.2
index=regular_index | stats values(company) by ip | table company, ip
Should the command above produce the following output?
company     ip
companyA    1.1.1.1
companyB    1.1.1.2
Thank you so much
I've downloaded all the Splunk Security Essentials files onto my laptop, but I can't figure out how to upload them into Splunk Enterprise as an app. What is my next step and where do I go to do this?