I can't seem to be able to set a variable or a token as the window parameter in the streamstats command.

| streamstats avg(count) as avg_count window=$window_token$

| eval c = 2 | streamstats avg(count) as avg_count window=c

I get an error saying the option value is not an integer. It seems it doesn't take the value of the variable/token. Is there any way to change the parameter dynamically?

"Invalid option value. Expecting a 'non-negative integer' for option 'window'. Instead got 'c'."
I am pretty new to ES correlation searches and I am trying to figure out how to add additional fields to notable events to make it easier to investigate. We have this correlation search enabled, "ESCU - Detect New Local Admin account - Rule":

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

When I run the above search using the Search and Reporting app I get way more fields than what I see under Additional Fields in the notable itself. For example, in the notable event the User field shows the SID and there are no other fields to identify the actual username. To fix this I could add the field Account_Name, which shows when I run the above search from the Search and Reporting app. I tried adding that field by going into Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes, but it is still not showing. Am I missing something here?
I have a DBConnect Input defined that produces the following output:

Date        Group_Name  Number_of_Submissions
2023-10-02  Apple       780
2023-10-03  Apple       1116
2023-10-04  Apple       1154
2023-10-05  Apple       786
2023-10-06  Apple       699
2023-10-02  Banana      358
2023-10-03  Banana      760
2023-10-04  Banana      254
2023-10-05  Banana      1009
2023-10-06  Banana      876
2023-10-02  Others      1265
2023-10-03  Others      1400
2023-10-04  Others      257
2023-10-05  Others      109
2023-10-06  Others      1709

I want to have this data displayed on a Dashboard as a multi-line chart: the x-axis is the Date, the y-axis is the Number of Submissions, and there should be different colored lines representing the different groups. I am new to Splunk. Very new. I need succinct instructions pls. Thanks!!!
Hi Community, I have created a dashboard with two panels. The query used in both panels is the same, except that the panels run over different timeframes. The timeframe is set from the Time input for each of the panels. The token is then set for each panel (current time, compared time). I want a third panel that shows the difference between the output generated in the first two panels. Can someone guide me?
Hello everyone. I'm currently working on a lab assignment and I'm having trouble understanding the meaning of two specific fields in PowerShell log hunting. Could someone please explain these two fields to me? I would greatly appreciate it. Thank you.  
I want to know if there is any provision for NON-PROFIT organizations in cybersecurity to use Splunk as part of real-world lab training, related educational training, and on-the-job training. Our program is an apprenticeship certified by the DOL and approved to train IT Specialist I and Cybersecurity Defense Analyst. https://each1teach1.us Our challenge is getting all the tools needed to make our apprentices' time worth it.
I have the following search:

index=cisco sourcetype=cisco:wlc snmpTrapOID_0="CISCO-LWAPP-AP-MIB::ciscoLwappApRogueDetected" | rename cLApName_0 as "HQ AP" | dedup "HQ AP" | stats list(*) as * by "_time" | table _time, "HQ AP", RogueApMacAddress

Example results:

_time                HQ AP                                RogueAPMacAddress
2023-10-05 12:56:41  flr1-ap-5198-AP05                    6e:e8:e9:cd:40:10
2023-10-06 04:09:29  flr1-ap-51c4                         da:55:b8:8:db:b8
2023-10-06 08:42:14  flr1-ap-514E_AP07                    84:fd:d1:fa:a7:3f
2023-10-06 08:53:12  flr1-ap-518C-B92                     0:25:0:ff:94:73
2023-10-06 09:20:22  flr2-ap-51CA                         28:24:ff:fd:a6:c0
2023-10-06 09:30:58  flr1-ap-51C2 flr2-ap-463C-AP02       32:b:61:48:a3:c3
2023-10-07 04:09:29  flr1-ap-444x-B11                     da:55:b8:8:db:b8
2023-10-07 08:53:12  flr1-ap-69x4                         0:25:0:ff:94:73

The search is showing access points in our office that have detected unauthorized access points. I have my search look at the last 24 hours. I only want to filter for RogueApMacAddresses that have been present/detected for over 24 hours. In this example, both the red and blue events have been there for over the last 24 hours. How can I alert on just those events and disregard the rest? Thanks for any help.
I am taking the free GDI training on Splunk Cloud observability. I installed an Ubuntu VM on my Windows laptop and everything went OK after the initial configuration. I saw my hostname and metrics once. It happened yesterday (10/05/2023) around 22:00 Hrs EST. This morning I am not seeing any active communication. I rebooted my VM. I am seeing the process running in the VM, but not seeing any active charts in https://app.us1.signalfx.com/#/infra?endTime=now&startTime=-3h. Am I missing anything? How do I troubleshoot this communication issue?
Hi Splunkers, I have a problem with a blacklist filter. On the customer's UF, we filtered out some events by changing the inputs.conf file. The ones based on a comma-separated list, like Windows EventID, are working fine with no problem, while the one based on a regex does not. Of course, as the first thing, I checked the regex syntax and I can confirm it works fine; testing it on regex101, it matches perfectly what I want. Tests have been done with different source logs, to be sure it works fully and properly. This is how we placed the regex on the UF:

[<stanza name>]
...other parameters...
blacklist = \]\sA\s+(.*)(microsoft|office|azure|o365|onenote|outlook|windowsupdate)(\(\d+\))(com|net|us)(\(\d+\))\s

This filter must be applied to logs coming from Windows DNS; its purpose is to avoid ingestion of legit domains, in all their combinations, but only if they have a "normal" form. In the regex you can see I put a filter for (<number>), because in the raw log we have domains in the format main_domain(<number>)root_domain, like microsoft(3)net. For example, microsoft(2)com and microsoft(3)net match the regex and should be filtered out, while microsoft(9)123(5)com does not and should be sent to Splunk. My assumption is that I missed some delimiter after the equals symbol; I mean, should I put the regex code between some kind of symbols? Something like regex = '<regex code>' or regex = "<regex code>", etcetera.
Hi Splunkers! I would like to extract the detection_method value, "Access Protection":

file_name="HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\", detection_method="Access Protection", vendor_action="IDS_ACTION_WOULD_BLOCK",

Thanks, Manoj Kumar S
Hi, I have four fields in total, let's say a, b, c and d. I want to show 'a' as a separate column and 'b', 'c' and 'd' stacked beside 'a', along with the sum of the fields ('b'+'c'+'d'), so that the count of these fields comes on top of their column and we can easily compare field 'a' with the count of the rest. Note: I don't want a separate column which would give the sum of these three fields.

Click visualization, select column chart.
Click format and enable the stack mode.
Select "show data values" as on.
Click chart overlay, click the text box and select the Total field.
Set "View as Axis" to off.
Click Apply.

After the above steps, I can see the total on top along with a line. I don't need the line. Can you please help me with this? Thanks in advance! Manoj Kumar S
Help me out with ingesting the .act and .authlog file formats in Splunk.
Hello, I have an index where data is ingested once a week. The objective of ingesting this data is to identify whether there is any change to a field value from last week to the current week. I need help writing an SPL search that can detect the change if there is one. For more context, here's an example. The relevant fields are: Role, Entitlement. I need to find out if there has been any change to the entitlements of that role between the data ingested this Saturday and the past. Any help would be appreciated. Thanks.
Hi Splunkers! Good day! I would like to add the event and detection fields in the stats command, but after adding them to the stats command I'm not getting the expected results. I need those fields as well, but I should still get the expected results.

Old command: | stats count as num by name country state scope

Modified command: | stats count as num by name country state scope event description

The modified command is giving me wrong results. Thanks in advance! Manoj Kumar S
Good morning community, I wanted to know if it is possible to install Splunk on Solaris 11.4; if so, could you provide me with the commands needed to carry out the installation? I appreciate it (I am a novice).
Hi Team / @Ryan.Paredez, I have developed a .NET sample MSMQ sender and receiver standalone application. I have tried instrumenting that application. I could load the profiler and was able to see the MQ details and transaction snapshots for the sender application, but was unable to get MQ details for the receiver application in the AppDynamics controller. We are expecting an MSMQ entry point for the .NET consumer application. I have tried resolving the metrics issue by adding Message Queue entry points, which AppDynamics has mentioned in the link below: https://docs.appdynamics.com/appd/21.x/21.7/en/application-monitoring/configure-instrumentation/transaction-detection-rules/message-queue-entry-points Please look into this issue and help us to resolve this. Thanks in advance.
Is it possible to create a backup of the app with its data and visualizations for a specific date, to keep for a future date?
Hi Forum, I want to chart a list, say for example {1..100}, and represent it in a mosaic-type visual presentation showing whether a number has been used or not. So I would probably look to introduce a second dimension: 1 = used, 0 = unused. Punch card looks interesting. Has anyone done anything similar, maybe IP addressing or something else? My use case is charting LDAP attributes (I generate the data with a script so I can control the shape of it). I want to get everyone away from spreadsheets....
Does the Splunk UF agent 9.0.1 support AWS Linux 3?
Hi, I would like to integrate a viz like the one below in my dashboard, but I wonder what is used to integrate a chart in a table row. What kind of visualization is really used? Does anybody have XML examples? Thanks.