I want to use the new search signature="test" in the search below. I don't want to add this new signature to the existing lookup.

| tstats summariesonly=true values(IDS_Attacks.action) as action from datamodel=Intrusion_Detection.IDS_Attacks by _time, IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.signature
| `drop_dm_object_name(IDS_Attacks)`
| lookup rq_subnet_zones Network as dest OUTPUTNEW Name, Location
| lookup rq_subnet_zones Network as src OUTPUTNEW Name, Location
| search NOT Name IN ("*Guest*","*Mobile*","*byod*","*visitors*","*phone*")
| lookup rq_emergency_signature_iocs_v01 ioc as signature OUTPUTNEW last_seen
| where isnotnull(last_seen)
| dedup src
| head 51
I need to upgrade MongoDB from 3.6 to 4.2 as part of the pre-upgrade process for moving Splunk from 8.2.0 to 9.1.0. So far I have not found a link to a reference which explains how this is done in the context of a Splunk installation. Any clear recommendation is welcome.
My organization is a Splunk Cloud subscriber, and I am working on installing the Cisco Secure eStreamer Client Add-On. Currently, on-prem, we have one Heavy Forwarder (enterprise server) and two UFs forwarding events to our cloud indexer. I am wondering what the best practice is for installing the eStreamer Client Add-On. Does the eStreamer Client Add-On have to be installed on the HF, or can it go on the UF? I previously installed it on the HF, but it caused errors with I/O latency (there are many millions of events coming from the Cisco FMC). I'm wondering if there is any way to distribute the load; I know the UF is better for handling many events. Any help would be greatly appreciated.
I have a UF that's configured to forward to a healthy intermediate HF (9997). The UF is producing "forcibly closed" errors, but the HF is healthy and is accepting TCP 9997 from other UFs. What could be the reason for this? Troubleshooting attempts made:
1. Confirming with the network team that rules are in place.
2. TCP dump from the dest (HF): packets received.
3. Telnet from UF to dest (9997): telnet completes.
Any other things I missed?
[Attachment: tcpdump from the HF]
[Attachment: HF's splunkd.log]
Is there a way to send a notification automatically to the email address of the analyst who is assigned as the owner of a notable event? I have seen the email response action, but that only triggers when the notable event is created. I have seen the ticketing system apps, and that function is not what I am looking for. If this is not an option currently, please think about implementing it as a base feature of ES.
Hello, I need help with increasing the default height of a Dashboard label. I can't figure out how this can be done. Currently, when loading the Dashboard, the label and Description look like this. I can manually increase the Height to look like this. But I need it to be defaulted at this Height. If it's not possible, is there a way to add a static text box below the Label? Here's the Source for the Label I currently have.

<label>SiteOne Automated Health Check Clone</label>
<description>test Infrastructure - +13 Press 1 for the Batch Processing Team Press 2 for the Security Team Press 3 for the Network Team Press 4 for the VOIP Team Press 5 for the Monitoring Team Press 6 for the Citrix Team Press 7 for the Server Team</description>
<row>
<panel>

Thanks for any help on this one, Tom
Hi, I have dozens of HTML Dashboards (I know it's deprecated...) running on iPads in our production. The Dashboards are used for user input for data our machines can't deliver themselves (like why the produced unit was bad, instead of only that it was bad). Basically there are a few big buttons to choose from, to select an error reason for example. If a button is pressed, a Splunk search is executed with a collect command and the selected data is written into a summary index. This works most of the time, but not always. I assume in 10-20% of searches the search could not be finished because of a network connection error. This also happens sometimes when logging in to Splunk; an error "no network connection" occurs. Our network guys didn't find any issues on their side. And the other interesting part is, it only happens on iPads/iOS. On Windows machines it never happens! Has anybody come across the same issue or something similar? Thanks!
Hi, in a Splunk query I need to convert a date format as below.
Current format: 07/09/23
Required format: 2023-09-07
I have indexes created and I have 2 CSVs. The first is ipv6.csv and it has a column called ip; the second CSV is cmd.csv and it contains a critical_command column. Example:

ipv6.csv
ip
11.11.11.11
2.2.2.2

cmd.csv
critical_command
restart
shutdown

Now I want to search for ip 11.11.11.11 and critical_command restart, or ip 2.2.2.2 and restart, in a certain index. How will I write the
Hi, in Splunk version 9.1.x and above, we are noticing that moment.js is missing from the following location: /opt/splunk/share/splunk/search_mrsparkle/exposed/js/contrib/moment.js. Due to this, our custom app functionalities are not working and we are getting the error as attached. Please let us know if this is a known issue and whether there are any resolutions for this. In spite of placing moment.js in our app folder, we still notice the app is trying to use the default moment.js in this location: "/opt/splunk/share/splunk/search_mrsparkle/exposed/js/contrib/moment.js". We have also tried another solution from the community by placing var moment = require('moment'); but it is still returning an error. Can you please provide any possible solution to resolve this issue?
Hi, we are seeing a log parsing issue with Juniper SRX logs for the following log types: RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE. They don't parse at all. As far as I could see from the release notes, the Add-on has a known issue with Juniper SRX log parsing for RT_FLOW_SESSION_CLOSE_LS, but not with the ones I mentioned above (RT_FLOW_SESSION_CREATE or RT_FLOW_SESSION_CLOSE). Can you please help? Is this related?

Date filed    Issue number   Description
2022-12-29    ADDON-59372    Juniper SRX Logs Parsing for RT_FLOW_SESSION_CLOSE_LS
Hello all, I'm quite new to the wonderful world of Splunk, but not new to monitoring or IT in general. We are optimizing our operations processes and I'd like to get a state of the last 24h of our environment, specifically our Firewall status. It sends all its logging to Splunk and I've created the following filter to find all the errors, but it's not working:

host="hostname" AND ( CASE(CONFIG) CASE(commit*) NOT Succeeded ) OR "snmpd.log due to log overflow" OR ( ("TS-Agent" AND "connect-agent-failure") | where NOT (date_hour >= 1 AND date_hour < 5) )

It gives me back: "Error in 'search' command: Unable to parse the search: unbalanced parentheses."

The last part of the filter (TS-Agent and so on) has to be filtered because I wish to exclude a timeframe from the results (reboot schedule of said servers); however, the other searches need to be from all the time (e.g. the last 24h or whatever I set). I think I'm doing something wrong, or things just don't work like I expect. I hope you folks can help me out or point me in the right direction. I'd like to get all the errors on one tile so I can see if I can get my coffee in the morning slowly or fast. Many thanks in advance!
Hello, I have a problem when starting Splunk. It was no problem before, but when I try to restart Splunk, it just shows a warning and the web interface cannot be accessed. When I check the log for ERROR, it just shows this. And here is the picture from when I try to check the Splunk service status. Can anyone help?
Hello, I am trying to drill down in a dashboard to a URL that checks malicious IPs and domains. The issue I am having is that the URL for an IP search and a domain search is different. All IOCs are in the same field, called "threat_match_value", but there is another field in the log called "threat_key" which specifies whether it is an IP or a domain. Is it possible to add a condition like: if threat_key=Domain, drill down to the Domain URL, but with click.value being the "threat_match_value"? I don't really want to separate this into 2 panels. Thanks,
Hello, I have a few questions about time in Splunk. This is an entry from an older logfile, and here the _time field and the timestamp in the log do not match!

4/30/23 1:32:16.000 PM Mai 08 13:32:16 xxxxxx sshd[3312558]: Failed password for yyyyyyyy from 192.168.1.141 port 58744 ssh2

How could that happen? How does Splunk come up with the time fields? And how does it handle files which contain no timestamps? Is the index time used then? There are a few things which I do not fully understand; maybe there is some article in the documentation which explains that in detail, but I have not found it with a quick search. Could someone please clarify how Splunk handles that, or link to an article? Thanks!
Hi, we received this error on one of the search head cluster members:

HTTP 503 Service Unavailable -- {"messages":[{"type":"ERROR","text":"This node is not the captain of the search head cluster, and we could not determine the current captain. The cluster is either in the process of electing a new captain, or this member hasn't joined the pool"}]}

Is there any way to troubleshoot this? Please assist. Thank you.
While integrating the Speakatoo API into my project, I'm encountering a "cookies error." I'm seeking assistance and guidance on how to resolve this issue.
I have 2 questions here. I am using Splunk Cloud.
1. Is there a way I can import a CSV file into a Splunk dashboard and display the view? Ex: we are trying to show order data as a dashboard in Splunk.
2. I am looking to import logs into Splunk using REST API calls; how can I do it? I haven't leveraged it earlier. Ex: if that can be done, we can leverage OMS APIs or extract the OMS DB data through TOSCA and load the summary information into Splunk.
How do I calculate the count for each field over the past 3 days? If the count for all 3 days is 0, and the count for today is greater than 0, then the command should trigger an alert that shows the log.
Hello, when I was trying to Add Account under AWS Configuration from the Splunk UI, I got the error message "SSL validation failed for https://*.amazonaws.com [SSL_CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate". Any recommendation will be highly appreciated. Thank you so much.