Actually I want to pass the time from the first query to the second and get results out on the basis of the first query's time.

First query:

index="A" sourcetype="B"
| rex "\d+\-\S+.(?<JobName>\w+)\,"
| transaction JobName startswith=start endswith=end
| table _time _raw

Second query:

index="C" sourcetype="cpu" host="A.local"
| eval firsttime=strftime(_time, "%d/%m/%Y %H:%M:%S"), secondtime=strftime(_time, "%d/%m/%Y %H:%M:%S")
| where (firsttime >= "26/02/2023 03:03:03") AND (secondtime <= "26/02/2023 04:03:03")
| eval Total=(pctSystem+pctUser)
| table "firsttime" "host" "secondtime" "Total"

I want to combine them and get the results from the first query's start and end.
I want to mask data by role on Splunk Cloud.
I created a dashboard in a custom app to display a report that's also in the app. I've made the report and dashboard visible to my work group. When I set the dashboard to be the home dashboard, I found that it appears not on my app's home page but on Splunk's general Search and Reporting home page. Is that correct? Or should it appear on my app's home page? Also, when I set it as the home dashboard, does it appear as the home dashboard for everybody or just me? In other words, is "home dashboard" a personal setting, an app-wide setting, or an enterprise-wide setting? (Sure, I can just ask one of my coworkers to check whether they see it on their Splunk home page, but as long as I'm here to ask the previous question I figured I'd also ask this one.)
I had been sharing DM summaries successfully between a pair of standalone SHs. However, I started getting the error below for one of the DM summaries being shared. Other DM summaries don't appear to have this same issue. Nothing in datamodels.conf has changed and the source SH still has the same GUID. Anyone else run into this issue? Running 9.0.4 on all instances in this deployment.

Summaries for the data model at the specified source GUID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX do not exist. Verify that it is accelerated.
Hello, I am having issues with my Splunk universal forwarders.

Problem: The Splunk Universal Forwarders are not upgrading from version 7.2.6 to version 8 using the custom app I developed. However, the custom app is a replica of 7.2.6. I created another app that has the exact same features as version 7.2.6. However, once it shuts down, it does not restart or upgrade the server.

Here is the custom app:

#!/bin/bash
# set splunk path
SPLUNK_HOME=/opt/splunkforwarder
# set desired version
NVER=8.2.2
# determine current version from splunk.version (VERSION=x.y.z line)
CVER=$(cat "$SPLUNK_HOME/etc/splunk.version" | grep VERSION | cut -d= -f2)
if [ "$NVER" != "$CVER" ]
then
  echo "Upgrading Splunk to $NVER."
  # stop the forwarder, unpack the new release over /opt, then restart it
  "$SPLUNK_HOME/bin/splunk" stop
  tar -xvf "$SPLUNK_HOME/etc/apps/splunk_upgrade_lin_v8/static/splunkforwarder-8.2.2-87344edfcdb4-Linux-x86_64.tgz" -C /opt
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes
fi

In the static folder, it has the splunkforwarder-8.2.2-87344edfcdb4-Linux-x86_64.tgz. In the bin directory, the script above is the upgrade.sh, and the wrapper.sh I created points to this upgrade.sh. In the local directory, this is what I have listed:

[script://./bin/wrapper.sh]
disabled = false
interval = 3600
sourcetype = upgrade_linuxv8

Once again, this custom app works completely fine with 7.2.6. For any version after that, Splunk just stops once the app is assigned to the client, then the splunkforwarder shuts down and doesn't come back until I force remove the app (rm -rf) and restart Splunk. Does anyone have a workaround for this?
I'm working on a Linux machine hardened according to Center for Internet Security (CIS) hardening benchmarks. This means it's critical to determine, when installing a user "splunk" for the Splunk universal forwarder, whether the splunk user should be classified as a system user (useradd -r -m) or an interactive user (useradd -m). Normally a user added just to facilitate running software should be a system user; that would be least privilege and would be my best guess at how the splunk user should be configured. Under the CIS hardening scheme, system users are prohibited from having passwords (the password is locked) and also prohibited from launching an interactive shell (the shell is set to /sbin/nologin). This is done so that an attacker cannot assume the splunk user (via ssh or otherwise) and gain interactive shell privileges. I've noted in the Splunk documentation that "useradd -m" is specified, without the -r, indicating that the splunk user requires interactive user privileges (password/shell access). Just checking if this is indeed the case, or if I can safely remove this privilege and make the splunk user a system user (no login or shell permitted).
Is there a bug in the df script that produces the wrong byte size for filesystems greater than 1 TB? I'm running a search similar to this:

index=linux sourcetype=df | dedup host | multikv | search host="xxxxx" AND data4 | chart eval(sum(Size)) as x

The number that gets returned is 2.2. data4 is a 2.2TB filesystem and I was expecting to see the actual byte count of approximately 200000000. This bug throws off my numbers when I try to calculate the total storage on my systems.
I have data where I am calculating the difference between two timestamps and showing the difference in days:hh:mm:ss. But in some cases, if the duration is greater than 99 days, it's not showing 100. It shows something like 99+04:47:11. I am looking for something like: if the duration is 103 days, then it should be 103+04:47:11. Is this possible on Splunk? Thanks in Ad
Are Venn diagrams possible in Splunk? I did not see them as an option, but I didn't know if it was an add-on plugin or something of the sort.
In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise Security Content Update (ESCU) app (v3.60.0, v3.61.0, v3.62.0). With these releases, there are 44 new detections and 6 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).

Content highlights include:

Detections related to CVE-2023-23397, a critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows
A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files
Detections related to Okta IM2 logs for detecting suspicious authentication-based security attacks
Identifying the use of Sliver, an OSS cross-platform adversary emulation/red team framework produced by BishopFox, that has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike
An analytic story to hunt for and detect the presence of AwfulShred malware within Linux environments
Detections related to Fortinet FortiNAC CVE-2022-39952

New Analytic Stories:

CVE-2023-21716 Word RTF Heap Corruption
CVE-2023-23397 Outlook Elevation of Privilege
Sneaky Active Directory Persistence Tricks
BishopFox Sliver Adversary Emulation Framework
AwfulShred
Fortinet FortiNAC CVE-2022-39952

New Detections:

Okta Mismatch Between Source and Response for Okta Verify Push Request
Okta Multiple Failed Requests to Access Applications
Okta Suspicious Use of a Session Cookie
Okta Phishing Detection with FastPass Origin Check
Okta ThreatInsight Login Failure with High Unknown users
Okta ThreatInsight Suspected PasswordSpray Attack
Windows Rundll32 WebDAV Request
Windows Rundll32 WebDav With Network Connection
Notepad with no Command Line Arguments
Windows Process Injection into Notepad
Windows AD Same Domain SID History Addition
Windows AD Cross Domain SID History Addition
Windows AD Replication Request Initiated by User Account
Windows AD Replication Request Initiated from Unsanctioned Location
Windows AD Domain Replication ACL Addition
Windows AD DSRM Account Changes
Windows AD DSRM Password Reset
Windows AD Short Lived Domain Controller SPN Attribute
Windows AD Short Lived Server Object
Windows AD SID History Attribute Modified
Windows AD AdminSDHolder ACL Modified
Windows AD ServicePrincipalName Added To Domain Account
Windows AD Short Lived Domain Account ServicePrincipalName
Windows AD Rogue Domain Controller Network Activity
Windows AD Account SID History Addition
Windows AD Replication Service Traffic
Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Windows Unusual Count Of Users Fail To Auth With Explicit Credentials
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Windows Unusual Count Of Users Failed To Authenticate From Process
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
Linux Data Destruction Command
Linux Hardware Addition SwapOff
Linux Impair Defenses Process Kill
Linux Indicator Removal Clear Cache
Linux Indicator Removal Service File Deletion
Linux System Reboot Via System Request Key
Linux Unix Shell Enable All SysRq Functions
Windows Steal Authentication Certificates CryptoAPI
Windows Mimikatz Crypto Export File Extensions

For all our tools and security content, please visit research.splunk.com.

The Splunk Threat Research Team has also recently published the following blogs for a more in-depth research analysis of various threats:

Breaking the Chain: Defending Against Certificate Services Abuse
Threat Advisory: SwiftSlicer Wiper STRT-TA03 — The Splunk Threat Research Team
https://splunkbase.splunk.com/app/1724

I recently upgraded to the new 4.0.0 version and am seeing a bug with the CSVs now. It seems to be adding e and f columns and I cannot delete them, which is causing an unwanted column in the actual | inputlookup asdf.csv. Is this a known bug? Is anyone else seeing this?
Hello, I am trying to enable all file and directory inputs for the Linux add-on, but every time I attempt to save the new configuration I get an error that Splunk encountered an unexpected problem and can't complete the task, and to reload the page. No matter how much I reload, or even hard stop and reset the server, the result is the same. Any help is appreciated.
Hi, Splunkers, how do I find out who is using my shared dashboard? Thanks. Kevin
Hi Splunk Community, I need to be able to calculate results based off of a time range picked by the user, where the user also needs those events with their timestamps converted to the user's time zone. I have a SUBMITDATE field which needs to fall within the range of the time picker, but the search query is only picking _time from Splunk as the filtering field. How should I filter based on the "SUBMITDATE" field and not _time? Any help is appreciated.
As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of Splunk and the technical training necessary to stay ahead in this exploding digital universe.  It’s probably safe to say that many of you are likely reading this because you really appreciate learning Splunk and getting certified to show your expertise. And, it’s not for nothing. According to the experts on the Power of Tech Education Podcast, your continued training and upskilling in tech education is just what the industry needs. You see, there’s a growing skills gap as we move into a more digital world – and people like you are few and far between.  At Splunk, we’ve been tracking the tech education trends and have started 'turning up the volume' on all-things Splunk Education. We are committed to ensuring everyone, everywhere has access to Splunk technical training.  Take a listen to what an industry influencer, a Splunk thought leader, and an actual Splunk user/expert have to say about bridging the skills gap through continuous education and training in this new 3-part podcast series. We hope you feel even more confident in your learning journey now that the experts have weighed in.  Happy Splunking! Callie Skokos on behalf of the Splunk Education Crew
(Running v9.0.2208 of Splunk Cloud) When I load a dashboard with external URLs in it, they throw up an external content warning. How do I get rid of these? In the version we're running, I cannot update 'Settings > Server settings > Dashboards Trusted Domains List' as I believe that is only available in v9.0.2209. I'm also unable to enable automatic UI updates, which is the fix in the current version. I've tried to create a web-features.conf but am not having any luck. Thanks!

This is my web-features.conf. I've also updated app.conf with a [triggers] stanza to manage web-features restarts.

[settings]
# Allowing hyperlinks to load from trusted domains in Dashboard Studio
[features:dashboards_csp]
dashboards_trusted_domain.everything=*teams.microsoft.com
Hi, I have a dashboard where I have a dropdown with three values A, B and C. Now if I click on value A it should set panel A, if I choose value B it should load panel B, and the same for C also. I have developed that code, but in the dashboard I added a submit button and disabled searchWhenChanged, and still, prior to clicking on the submit button, panels load automatically after choosing values from the dropdown. I need help on the submit button: it should load panels only after clicking on the submit button. Please find the code below which I have developed.

<form>
  <label>My Dashboard</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="dropdown_token" searchWhenChanged="false">
      <label>dropdown_token</label>
      <default>A</default>
      <choice value="A">A</choice>
      <choice value="B">B</choice>
      <choice value="C">C</choice>
      <change>
        <!-- set the token for the chosen panel and unset the other two (unset takes no value) -->
        <condition match="'value'==&quot;A&quot;">
          <set token="panelA">true</set>
          <unset token="panelB"></unset>
          <unset token="panelC"></unset>
        </condition>
        <condition match="'value'==&quot;B&quot;">
          <unset token="panelA"></unset>
          <set token="panelB">true</set>
          <unset token="panelC"></unset>
        </condition>
        <condition match="'value'==&quot;C&quot;">
          <unset token="panelA"></unset>
          <unset token="panelB"></unset>
          <set token="panelC">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$panelA$">
      <table>
        <title>Panel A</title>
        <search>
          <query>index=a | table a b c</query>
        </search>
      </table>
    </panel>
    <panel depends="$panelB$">
      <table>
        <title>Panel B</title>
        <search>
          <query>index=a | table a b c</query>
        </search>
      </table>
    </panel>
    <panel depends="$panelC$">
      <table>
        <title>Panel C</title>
        <search>
          <query>index=a | table a b c</query>
        </search>
      </table>
    </panel>
  </row>
</form>
We currently have a multi-tier Splunk Enterprise instance with search-head clustering and indexer clustering. All of our data comes in from Universal Forwarders on remote VMs (thousands of them) from different customers. Our inputs.conf on all of the forwarders is set to send to only a couple of indexes in our indexer cluster. We are planning a project to split these indexes on a per-customer basis. For example, index "main" would become "main-cust1", "main-cust2", etc. The point behind this is to allow RBAC on a per-customer basis (by limiting access to customer-specific indexes). Are there any additional storage or performance considerations that should be evaluated before pursuing this change?
Hi, I am working with the Splunk Add-on for Microsoft Azure and I'm trying to get the Secure Score working with it. Has anyone had any luck with getting it working? At the moment it looks like I need to do it as the input being a resource graph, but it doesn't seem to be pulling that data through. It has been set up with the reader IAM role for the correct subscription (as suggested by their documentation). The error I seem to be getting in Splunk is as follows:

  File "/opt/splunk/etc/apps/TA-MS-AAD/lib/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01

Any help or advice would be appreciated.
Data field: "FW: [ DOC 45 ] DTP: DEMO XXX CCC | 20147". From this I need to extract "DEMO XXX CCC". Output: subject field "DEMO XXX CCC".