All Topics

I have this search: index="firewall" dest_ip=172.99.99.99 dest_port=* | stats count by src_ip,dest_port,action,src_user Instead of showing all src_ips, I want to group on the subnet part; that is, using the dest_ip as an example, the first three parts (not being a network guy, I might use the wrong wording) in the stats: 172.99.99. My guess is rex, but I'm guessing there might be some other, easier functions in Splunk for doing this?
Hi, are there any available applications to address the issue of incorrect parsing of Secret Server logs in Splunk Cloud? Thanks
Hello all, I am trying to blacklist an event that is tied to a specific sAMAccountName, which is sAMAccountName="Alertz - ProductFeedback". The only way I can think of to achieve this is maybe with a blacklist regex statement, but I am not sure and not very good with regex. Below is a sample event. Please let me know if there are any questions.   08/16/2023 09:34:07.541 dcName=RNBSAD1.rightnetworks.com admonEventType=Update Names: objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=rightnetworks,DC=com name=Alertz - ProductFeedback distinguishedName=CN=Alertz - ProductFeedback,OU=Expired Alert Groups,OU=Desk Alerts,OU=Security Groups,DC=rightnetworks,DC=com cn=Alertz - ProductFeedback Object Details: sAMAccountType=268435456 sAMAccountName=Alertz - ProductFeedback objectSid=S-1-5-21-2605281412-2030159296-1019850961-856824 objectGUID=1e0bcfbf-dc8b-43e9-855a-7004ce3d6b3b whenChanged=09:33.53 AM, Wed 08/16/2023 whenCreated=09:31.41 AM, Tue 08/01/2023 objectClass=top|group Event Details: uSNChanged=820790490 uSNCreated=813674539 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z groupType=-2147483646
I would like to add a label for the upper/lower 95. I was wondering how I could do that. I'd like to have it the same color as the line as well, similar to --Upper|Lower95.
We have successfully configured the Microsoft Teams app in Splunk SOAR, and we are able to send messages to a Teams channel, but the messages are coming from the account of the Azure Global Admin who created the App Registration and granted the permissions. Within the Asset Configuration in Splunk SOAR, we have tried to use different users under the "Select a user on behalf of which automated actions can be executed (e.g. test connectivity, ingestion)" setting without success. How do we configure the app to send from a different user?
Hi, I need to display a message for the table and graph if the search returns no results. Any idea how I can display custom messages?
I've been away from Splunk for a few years and am trying to catch up. I noticed at .conf23 it was mentioned that Splunk on-prem installations will be supported for the "foreseeable future". Does this imply that Splunk Cloud will at some point be the only way to go? Is the skill of installing and maintaining a distributed, clustered on-prem environment a soon-to-be-obsolete skill set? Or will it most likely follow the same timeline as any other product and the general gravitation toward cloud? What skill/knowledge around Splunk is the most in demand at this point?
What does this cron mean? 1-30/10 * * * * In one place it's given as "Every 10 minutes, minutes 1 through 30 past the hour", but I'm not able to get it fully. Does it mean every 10 min, for 30 min? If yes, then it will answer my query for another cron.
Hi, I have an alert scheduled to monitor if 2 different users are accessing the same device for authentication from Okta, and I'm monitoring it for 1 month. Once the alert is triggered, the same users' details should not trigger for the next 1 month. Any suggestions how I can achieve this? (Can be in query / alert actions.) Below is a sample query: index=okta result=success NOT ( device=null) | eval _time=strftime(_time) | stats values (user ) as user dc(user) as "number of users per device" by device _time | lookup XXX | search "number of users per device">1 | regex device =myregx| rex field=user (myregex) | where isnull(match) | table fields  | stats fields X y Z dc(_time) as detected by device | where detected>=1 | sort _time
Hi, I am trying to count values based on whether they fall within a range of values. Is that possible?  | search fieldName=$Token $ | stats count(eval(fieldName)) AS Label by FieldName | table FieldName
Hi, I am not able to give a cron expression for an alert to run every 10 min, Mon to Fri, from 7:30AM to 8:00PM. Can anyone please help with this cron expression? I only know this: */10 7-20 * * 1-5 but don't know how to give 7:30 instead of 7am in this case.    Thanks, Taslim.
Hello, we are currently running Splunk 8.1 and we upgraded the Cloudflare app for Splunk to its latest version (2.0.0). Although we see that the dashboards from the app are getting populated properly, we are getting this error related to the macro: SearchParser - The search specifies a macro 'cloudflare_zt_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information. We have given the macro global permissions and added a setting in distsearch.conf to ensure the data replication, but the error is still showing up. We have disabled the app for now. However, we are trying to investigate what the issue would be. Kindly help.
Hi, we have an internal wiki with tons of useful information about hosts and IPs. I'm trying to set up a workflow that triggers a search of the value (IP or hostname) on this internal wiki. First issue: since this workflow action should work with a variety of fields (src_ip, dest_ip, host, src, dest, etc.), what variable shall I use in order to return the selected value in the workflow action? Is there a sort of global variable like $the_selected_value$ no matter whether it's an IP address, a hostname or whatsoever? Second issue: I selected my workflow to be applied on any field with a * but the workflow action is just not available anywhere. Thanks in advance for your kind help on this matter! Best
Hi, is it possible to get the list of Splunk alerts, reports and dashboards via 3 different Splunk queries? Thank you Kind regards Marta
I want to show this requirement in Splunk. When year<="2020" && time_type = "ALL", the variable "day_type" must have "day". When year>"2020" && time_type = "ALL", the variable "day_type" can have "day" and "night". When time_type="half", the variable "day_type" must have "morning". So, I wrote my code like this, but it doesn't work at all. where day_type = case("$time_type$"=="ALL", case("$year$"<="2020", "day",1=1, in("day","night")), "$time_type$"=="half", "morning", 1=1,day_type)  How could I meet this requirement?
Hi, I am looking for a search query to get respectively: - list of all alerts - list of all reports - list of all dashboards Any hint on how to achieve that? Thank you Marta
Hi, I would like to learn how to save an SPL search and be able to retrieve it whenever necessary. I'm unsure about the process of saving an SPL search without setting a schedule for it to run, and I'm seeking guidance on how to achieve this.  Thanks
I have been trying to install Splunk on Windows 10, but it gives me an error that says "Splunk Enterprise setup wizard ended prematurely because of an error". I have tried installing it from a command prompt running as an administrator, but it does not work either.
I'm using the trial version and would like to simply look at any sample applications that may be available. In other words, something that is already instrumented where I could take a look at a sample transaction or two. I'd also like to look at a sample dashboard related to that test app. Any help would be appreciated.