Hi, I am creating a dashboard where, for a couple of panels, I will use a similar query, so I saved the shared bit as a base query. However, I have 2 different indexes (environments), so I also created an input to choose the appropriate index for the base search. However, it looks like it picks up just prod and does not return results for ppe. Can someone please help me understand what is wrong with my code?

"dataSources": {
  "ds_baseSearch": {
    "type": "ds.search",
    "options": {
      "query": "index=\"$env$\" sourcetype=some_sourcetype risk=*\n| spath risk\n| rename risk AS risk\n| eval riskCategory = if(risk <= 1.0, \"low\", if(risk<= 2.0, \"moderate\", \"high\"))\n| stats count(eval(riskCategory==\"low\")) as low, count(eval(riskCategory==\"moderate\")) as moderate, count(eval(riskCategory==\"high\")) as high, count as total\n ",
      "queryParameters": {
        "earliest": "$time.earliest$",
        "latest": "$time.latest$"
      },
      "enableSmartSources": true
    },
    "name": "base_search"
  },
  "ds_search_2": {
    "type": "ds.chain",
    "options": {
      "query": "| stats sum(total) as Total ",
      "extend": "ds_baseSearch"
    },
    "name": "_total"
  }
},
"defaults": {
  "dataSources": {
    "ds.search": {
      "options": {
        "queryParameters": {}
      }
    }
  }
},
"inputs": {
  "input_2": {
    "type": "input.timerange",
    "title": "Time period",
    "options": {
      "token": "time",
      "defaultValue": "-60m@m,now"
    }
  },
  "input_hw3xXSsR": {
    "options": {
      "items": [
        { "label": "prod", "value": "_prod" },
        { "label": "ppe", "value": "_ppe" }
      ],
      "token": "evn",
      "defaultValue": "_prod"
    },
    "title": "Environment",
    "type": "input.dropdown",
    "dataSources": {}
  }
},
I am working on a query to report on events generated within 2 minutes of the first event for the same host. In the following example, I need a query to look for any occurrence of EventType 4697 within two minutes of EventType 4624 for the same ComputerName.

ComputerName=x (this is a unique field)
EventType=4624
EventType=4697

Thanks.
Hi, kindly help with sorting the values from an append query as below:

index=* source=*
| stats sum(Tot) sum(in_prog) sum(submitted) sum(without_info) by Month
| append [search index=* source=* | chart count by Month,with_info | addtotals with_info]
| append [search index=* source=* | chart count by Month,without_info]
| untable Month,Category,Total
| eval sort_field=case(Category="Tot",1,Category="in_prog",2,Category="Submitted",3,Category="without_info",4,Category="with_info",5)
| sort sort_field
| stats list(Category) as Category list(Total) as Total by Month

Result:

Month     Category        Total
Feb-23    Tot             1000
          in_prog         400
          Submitted       600
          without_info    100
          with info       500
          Occupation      xxx
          Business        xxx
          Null            xxx
          Others          xxx

In the above table, Occupation and Business are reasons derived from the first append query, and Null and Others are reasons derived from the second append query, and the append query results come last. So the requirement is to display the without_info reasons next to that field and the with_info reasons next to that field, like below. Kindly help with sorting.

Month     Category        Total
Feb-23    Tot             1000
          in_prog         400
          Submitted       600
          without_info    100
          Null            xxx
          Others          xxx
          with info       500
          Occupation      xxx
          Business        xxx
Hello, I am running into a bit of a challenge getting the data from the Rapid7 InsightVM TA to extract properly. The data in question is a nested JSON structure. When I run a search on the data, the object appears to visualize properly; however, the extracted fields are a mess and result in the data being unsearchable. I would expect the nested fields to get extracted into their own keys and values; instead they get extracted into field* and in most cases those fields are comprised of a value from another key and the key itself.

The environment is distributed: the TA is deployed on the HF (which forwards to a UF forwarding tier, no TA there), Indexer Cluster, and Search Head cluster. The App is deployed on the SH cluster only.

Props.conf (HF, Indexer Cluster, SHC):

[source::...ta-rapid7-insightvm*.log*]
SHOULD_LINEMERGE = true
sourcetype = tarapid7insightvm:log

[source::...ta_rapid7_insightvm*.log*]
SHOULD_LINEMERGE = true
sourcetype = tarapid7insightvm:log

[rapid7:insightvm:asset]
FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_1 = host_name AS name
FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_2 = os_description AS version
FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_3 = os_description AS os
FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_4 = os_architecture AS family
FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_5 = os_system_name AS vendor_product
SHOULD_LINEMERGE = 0
pulldown_type = 1
DATETIME_CONFIG = CURRENT

[rapid7:insightvm:asset:vulnerability_finding]
FIELDALIAS-aob_gen_rapid7:insightvm:asset:vulnerability_finding_alias_1 = asset_hostname AS name
FIELDALIAS-aob_gen_rapid7:insightvm:asset:vulnerability_finding_alias_2 = asset_ip AS ip
FIELDALIAS-aob_gen_rapid7:insightvm:asset:vulnerability_finding_alias_3 = asset_ip AS dest
SHOULD_LINEMERGE = 0
pulldown_type = 1
TRUNCATE = 50000
DATETIME_CONFIG = CURRENT

[rapid7:insightvm:vulnerability_definition]
FIELDALIAS-aob_gen_rapid7:insightvm:vulnerability_definition_alias_1 = categories AS category
FIELDALIAS-aob_gen_rapid7:insightvm:vulnerability_definition_alias_2 = cves AS cve
SHOULD_LINEMERGE = 0
pulldown_type = 1
TRUNCATE = 50000

btool output from SH:

/opt/splunk/bin/splunk btool props list rapid7:insightvm:asset --debug
/opt/splunk/etc/apps/search/local/props.conf                  [rapid7:insightvm:asset]
/opt/splunk/etc/system/default/props.conf                     ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf                     ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf                     AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf                     BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf                     BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf                     CHARSET = UTF-8
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   DATETIME_CONFIG = CURRENT
/opt/splunk/etc/system/default/props.conf                     DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf                     DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_1 = host_name AS name
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_2 = os_description AS version
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_3 = os_description AS os
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_4 = os_architecture AS family
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   FIELDALIAS-aob_gen_rapid7:insightvm:asset_alias_5 = os_system_name AS vendor_product
/opt/splunk/etc/system/default/props.conf                     HEADER_MODE =
/opt/splunk/etc/system/default/props.conf                     LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunk/etc/system/default/props.conf                     LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf                     LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf                     LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf                     MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf                     MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf                     MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf                     MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf                     MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf                     MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf                     MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf                     MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                     MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                     MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/apps/search/local/props.conf                  REPORT-rapid7 = REPORT-rapid7
/opt/splunk/etc/apps/search/local/props.conf                  REPORT-vm-cred-check = REPORT-vm-cred-check
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-standard = standard
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   SHOULD_LINEMERGE = 0
/opt/splunk/etc/system/default/props.conf                     TRANSFORMS =
/opt/splunk/etc/system/default/props.conf                     TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf                     detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf                     maxDist = 100
/opt/splunk/etc/system/default/props.conf                     priority =
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   pulldown_type = 1
/opt/splunk/etc/system/default/props.conf                     sourcetype =
/opt/splunk/etc/system/default/props.conf                     termFrequencyWeightedDist = false
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   [rapid7:insightvm:asset:vulnerability_finding]
/opt/splunk/etc/system/default/props.conf                     ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf                     ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf                     AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf                     BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf                     BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf                     CHARSET = UTF-8
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   DATETIME_CONFIG = CURRENT
/opt/splunk/etc/system/default/props.conf                     DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf                     DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   FIELDALIAS-aob_gen_rapid7:insightvm:asset:vulnerability_finding_alias_1 = asset_hostname AS name
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   FIELDALIAS-aob_gen_rapid7:insightvm:asset:vulnerability_finding_alias_2 = asset_ip AS ip
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   FIELDALIAS-aob_gen_rapid7:insightvm:asset:vulnerability_finding_alias_3 = asset_ip AS dest
/opt/splunk/etc/system/default/props.conf                     HEADER_MODE =
/opt/splunk/etc/system/default/props.conf                     LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunk/etc/system/default/props.conf                     LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf                     LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf                     LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf                     MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf                     MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf                     MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf                     MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf                     MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf                     MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf                     MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf                     MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                     MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                     MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf                     SEGMENTATION-standard = standard
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   SHOULD_LINEMERGE = 0
/opt/splunk/etc/system/default/props.conf                     TRANSFORMS =
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   TRUNCATE = 50000
/opt/splunk/etc/system/default/props.conf                     detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf                     maxDist = 100
/opt/splunk/etc/system/default/props.conf                     priority =
/opt/splunk/etc/apps/TA-rapid7-insightvm/default/props.conf   pulldown_type = 1
/opt/splunk/etc/system/default/props.conf                     sourcetype =
/opt/splunk/etc/system/default/props.conf                     termFrequencyWeightedDist = false

This appears to only be happening with the rapid7:insightvm:asset sourcetype; however, that is the type I have primarily been focused on while trying to get things working. It may be happening in the other sourcetypes as well, but I have not yet seen it in my limited time experimenting with that data.

Any help is much appreciated, thank you!
When I run the | makeresults command and then collect it to a summary index, there is no result. I am testing this on a Search Head in a cluster environment. Sample code:

| makeresults
| eval a = "1"
| collect index = "sample_index"
I have a local install of Splunk Enterprise 9.0.4.1 64-bit. I installed the 64-bit ODBC Driver and configured the data source. I then go to Power BI to Get Data via ODBC and I get a list of tables. When I select a table, some data is visible, while some tables generate an error as follows:

DataSource.Error: ODBC: ERROR [HY000] [Splunk][SplunkODBC] (140) The saved search returned no results. Details: DataSourceKind=Odbc DataSourcePath=dsn=Splunk ODBC OdbcErrors=[Table]

I do not see my data or field extractions from Splunk. Any ideas?
Has anyone seen the ORA-01882 error when connecting to an Oracle database? I am currently unable to collect metrics. I have configured several other DBs with the same agent with no issues.
Hi All, how do we list out the fields in tabular format? E.g.:

hostname    action
windows     allowed
            deny
            accept

---------------->

hostname    action
windows     allowed
windows     deny
windows     accept

I need a search that gives the tabular format shown above. Thanks.
Hi, a user logs in to Splunk but is not getting data. What is the issue?
Hi all, I'm looking for a search that can separate multiple columns into a single column. Ex:

Host    scan time    report time    signature
p1      2:50         3:00           authenticate
                                    scanned
                                    unmanaged

I need it like this:

Host    scan time    report time    signature
p1      2:50         3:00           authenticate
p1                                  scanned
p1                                  unmanaged

Thanks.
Hey, I have issues with parsing events: multiple events/records (raw data) end up within the same event. Sample data and my props configuration file are given below. Any help will be highly appreciated. Thank you so much in advance for your help.

Sample Events

May 9, 2023 5:46:00 AM com.vontu.messaging.chainData.PremiseMessageChainTracer beginChain FINER: Message chain #5: Begin processing message [0C369823455-7843-44D7-89E3-SAB21BF361F24F] from [Request].
May 9, 2023 5:46:00 AM com.vontu.messaging.chainData.ComponentProcessor$PerMessageProcessor processMessageComponents FINER: Processing of message [0C369823655-7843-44D7-89E3-B21BF361F24F]:[Unknown] took: 0 ms
May 9, 2023 5:46:00 AM com.vontu.messaging.chain.ComponentProcessor$PerMessageProcessor processMessageComponents FINER: Processing of message [0C369823-7843-44D7-89E3-B21BF361F24F]:[Unknown] took: 0 ms
May 9, 2023 5:46:00 AM com.vontu.messaging.chain.ComponentProcessor$PerMessageProcessor processMessageComponents FINER: Processing of message [0C3698sdss23-7843-44D7-89E3-B21BF361F24F]:[attached-email-body.txt] took: 11 ms
May 9, 2023 5:46:00 AM com.vontu.messaging.chain.ComponentProcessorr$PerMessageProcessor processMessageComponents FINER: Processing of message [0C3698saaa23-7843-44D7-89E3-B21BF361566F24F]:[Unknown] took: 10 ms
May 9, 2023 5:46:00 AM com.vontu.messaging.chain.ComponentProcessor$PerMessageProcessor processMessageComponents FINER: Processing of message [0C3698sdaa23-7843-44D7-89E3-B21BF361F24F]:[[EXT] [LibraryLink] Library Link of the Day for 2023-05-09_attached-email-body] took: 9 ms
May 9, 2023 5:46:00 AM com.vontu.messaging.chain.imagepreclassifier.ImagePreclassifierManager applyPrefiltersOnImages INFO: Skipping component: unknown for image filtering as required component.

PROPS.CONF

[auditrdata]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\w+\s\d{2},\s\d{4}
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
TIME_PREFIX=^
TIME_FORMAT=%b %d, %Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=30
TRUNCATE=5000
Hi, what are the requirements for onboarding logs into Splunk?
Hello team, please help me out with this: I made one view-only role and attached it to a user. My requirement is that when that user opens Splunk, they can see only Search & Reporting, not other apps or the "Apps" icon. How do I prevent the user from seeing "Apps" in Splunk Enterprise 9.0.2?
As we know, DMA is applied to the indexes configured in the data model conf. When we instruct it to rebuild/refresh the data model, it applies to all related indexes. In some situations, we found that data is not synced (raw data is not null but the data model is null) for a specific index. We're not clear what the problem is, but we are curious whether we can force DMA to apply to one index first.
Hi All, I have a requirement where I need to group the count of methods by response time into different time intervals. Below is what I tried:

basesearch
| eval ResponseTime=if(uri=="/api/auth",null(),responsetime*1000)
| rex field=gwrequesturi "(?<prefix>\S+)/locations/(?<method>\w+[^/?])"
| table ResponseTime method

This resulted in the output below:

ResponseTime    Method
330             A
1627            B
1025            B
3126            A
2034            B
...             ...

I have two possibilities for method (say, for example, A and B). I want to get results something like below (response time interval and the count of each method falling in that interval):

ResponseTime        A     B
<=1000              4     8
>1000 and <=3000    11    25
>3000 and <=5000    35    23
>5000               2     4

Can someone help me with the query? Thanks in advance!
Hi, is there a way to set up view-only settings for dashboards in Dashboard Studio for Splunk Enterprise? For Splunk Cloud this simple option is available: https://docs.splunk.com/Documentation/Splunk/9.0.4/DashStudio/setUpDashboard#Apply_view-only_settings_for_dashboards but not for the Splunk Enterprise Dashboard Studio (I'm using version 9.0.4). Thank you for your attention, have a nice day! Fabrizio
In the below chart, as you can see, I have used round and avg on first_response and closure time. But my values are not accurate: I want values such that if it is 1.3 or 1.9 it should display 2, but in mine 1.3 is shown as 1 and 1.9 as 2. But to perform the above function, ceil isn't working. What should I do?
I'm trying to determine the order of precedence when a user has two roles that both assign a default app (i.e., user-prefs.conf, default_namespace). For example, user "bob" has the following roles: workspace_default and workspace_engineering.

On the search head, in the acme_zglobal_ta app, user-prefs.conf:

[role_workspace_default]
default_namespace = global_app

In the acme_engineering_ta app:

[role_workspace_engineering]
default_namespace = engineering_app

The lexicographical sorting of the apps doesn't seem to play into it, since the global_app is given to Bob. Any insights?