I have a lookup of vulnerability scan data that includes fields such as hostname, IP, OS, CVEs, etc. I would like to put all OSs that are specified as a desktop OS under a field value named Desktop; anything that is specified as a server OS under a field value named Server, but with an extra layer of specification for whether it is Unix or Windows; and anything with a network OS specified as Network, and then put those field values in a new field called OS_Specified.
Here is an example of the OSs I would like to categorize.
Desktop
Windows 10 Enterprise 64 bit Edition Version 1803
Windows 10 Enterprise 64 bit Edition Version 21H1
Windows 10
Server
Red Hat Enterprise Linux 8.7
Windows Server 2012 R2 Datacenter 64 bit Edition
Windows Server 2016 Datacenter Version 1607
Network
Cisco Nexus Switch
CentOS Linux 8.4.2105
I'm assuming eval and/or rex is going to need to be involved, and that is where I would need assistance.
I feel like my ask is similar to This but a little more involved.
The closest document I could find to an Operating System to Universal Forwarder version compatibility is the download site (link below), is there another link that can be used?
https://www.splunk.com/en_us/download/previous-releases-universal-forwarder.html
I am trying to expand multiple fields from specific log lines using mvexpand but for some strange reason some fields are not extracted as expected, see screenshot for an example:
I would also like to have the key/value pairs for col and gantry.
Hello guys,
I will try to describe my problem as well as I can. I want to get some report/alert when a new exception appears that has never happened before.
Let's say that I have 15 exceptions that happened before, like: java.lang.NullPointer, java.lang.IllegalStateException, etc.
I want to get an alert when a "new" exception appears that never appeared before.
Is that possible?
We have a simpleXML dashboard that we want to make visible for Splunk Mobile use. The problem is that this dashboard contains a panel with a visualization that isn't Mobile compatible. We don't want to clone this dashboard and remove this single panel just for Mobile use, because this creates a maintenance burden where we need to keep track of the duplicated Mobile dashboards and replicate the changes of the main dashboards over to the Mobile ones. Is there any way we can "hide" specific panels for the Mobile view only?
Hello everyone. I am running into an issue that may be either Splunk or my Kiwi Syslog server, and I am not really sure, and the research I am doing is not helping currently. We had a network device that was not communicating and sending logs to the syslog server, but we fixed that, and now whenever we view the RAW logs on the server we can see the specific %Port_Security logs that we are trying to have reported directly to Splunk. Whenever I run a search query (that worked before a baseline change) I get 0 results. So what I did was change the way I am trying to retrieve these logs, so I run "sourcetype=syslog" host={switch-name}. The switch pops up and contains a number of logs. However, it seems that the most important log that we want (%Port_Security) does not return as a finding. After running this search I figured there was maybe a problem with the sourcetype, so I ran a search that targets the live syslog data with source={log location} host={switch-name}. The system pops up again. I did not find the port security report inside this search either. I even added a (%Port_Security) on the back end of it. I reached out to the engineers that provided the tool to us to help fix the issue, since they are the ones that provide it and do the back end configuration and troubleshooting, but they refuse to help.
Hi!
My request takes a lot of time to generate the result; how can I accelerate it?
| mpreview index=ciusss_vitals_linux_metric | stats latest(_time) as latest1 by host | eval recent = if(latest1 > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest1,"%c") | search recent=0 | stats values(host) as host | mvexpand host | map search="| ping host=$host$" maxsearches=200
Hi team, I am getting the below error for a custom command: "Error in 'prtglivedata' command: External search command exited unexpectedly with non-zero error code 1." Can someone help? Below are my default and local .conf files.
Default:
[prtglivedata]
filename = prtglivedata.py
chunked = true
enableheader = true
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_multivalues = true
supports_rawargs = true
Local conf file:
[prtglivedata]
filename = prtglivedata.py
chunked = true
enableheader = true
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_multivalues = true
supports_rawargs = true
Hello, I'm struggling with a task and would like to ask for your opinion about it. Goal is to set up an alert, which would fire an event in case the last 24h results differ from the one from 24h-48h before, and to also show the difference. I was trying to have something like:
| set diff [search message="Connected to system:*" earliest=-24h | rex field=connectedSystemName message="Connected to system: (?<systemName>.+)" | stats values(connectedSystemName) as system_names] [search message="Connected to system:*" earliest=-48h latest=-24h | rex field=connectedSystemName message="Connected to system: (?<systemName>.+)" | stats values(connectedSystemName) as system_names]
My result from this search is one column listing the names of the connected systems. How could I do such a comparison so that it also shows the differences? Thanks a lot in advance! Peter
How to update Splunk protocols for Splunk servers and ports in a Splunk Enterprise environment.
Servers Ports
A 8089
B 8089
Only following protocols to be updated
TLSv1.3:
0x13,0x01 TLS_
0x13,0x02 TLS_
0x13,0x03 TLS_
TLSv1.2:
0xC0,0x2B ECDHE-
0xC0,0x2F ECDHE-
I created an enhanced timeline that works the way I want but I'm wondering if there is a way to highlight or change the color of the block for certain events. The ones I want to highlight begin with a * so they are easy to identify.
Is there anything I can do in the search?
I'm displaying the graphic on a classic dashboard, is there something I can do to the source code to get this done?
Thanks in advance for any suggestions.
I had the same issue as posted below in my environment. Please update the solution to this problem.
・Microsoft Office 365 Reporting Mail Add-on for Splunk issues identified https://community.splunk.com/t5/All-Apps-and-Add-ons/Microsoft-Office-365-Reporting-Mail-Add-on-for-Splunk-issues/m-p/582245
Hi!
I've created a free trial of Splunk Enterprise and I was trying to run the following:
curl -k -u admin:pass https://localhost:8089/services/messages
But it returns:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>
I didn't change any of the default ports, by the way.
Any idea why?
Hello. Is there documentation with a full visual list of how many and which icons Splunk Enterprise includes in its default installation that a user can use in their own dashboard panels inside custom HTML code? Just to know if some icons are useful to make a dashboard look better without uploading new images/icons. Thanks.
Hi, how can I write this statement? | eval protocolUsed = case( regex consumerkey="[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}","O1", regex consumerkey="^[a-z0-9A-Z]{2,}$", "O2"))
Hi, I'm trying to get logs from Rapid7 InsightVM into my Splunk server. I have downloaded the Rapid7 InsightVM add-on and set it up. I have the index created, but no logs are getting dumped to my index. Is there anything else outside of the add-on setup instructions that I need to do? It is showing the status "false". I have checked the internal logs and it is showing the error "pid=30350 thanks
Hello,
Is it possible to do conditional inline field extraction in Splunk for the following sample data:
Sample Data (3 Events)
tR3225256009BMFTH77770977DF74S58628201804533FGRT
fR6225256009BMFFT77779977TG76S58628201804633TSRD
gR1225256004BMGHL7090997YJK66S58628201804833EDAR
I have done:
(^)(?i)(?<DeprtCode>.{1})(?i)(?<mode_no>.{2})(?i)(?<StudentId>.{9})(?i)(?<BuildingCode>.{5})(?i)(?<Code>.{2})(?i)
Help Needed to Extract Field under following conditions:
If characters 20-25 (6 characters) are all numeric, then extract those 6 characters as Account_no; if those 6 characters are not all numeric (like sample event 3), then extract all characters from 20-46 as no_Account.
Is it possible? Any recommendations will be highly appreciated. Thank you!
When I manually run a Splunk search via the API as follows:
curl "https://host:8089/services/search/v2/jobs" -d search='search query...' -d max_count=0 -d earliest_time=xxx -d latest_time=now
curl "https://host:8089/services/search/v2/jobs/jobid/results/" --get -d output_mode=csv -d count=0
I get timestamps like this for the _time column
"2023-02-02T00:06:34.000-08:00"
When I run the same query, just as a saved search:
curl "https://host:8089/servicesNS/nobody/search/search/v2/jobs/export?output_mode=csv" -d search='savedsearch "Saved Search"'
I get timestamps like this for the _time column
"2023-02-06 00:00:00.000 PST"
How can I make the latter look like the former so Excel can ingest it properly?
Hi, I have a key named ick=2c27194g-af5e-4f7d-9847-07cd5c4c70af. I want to search all the ick values using regex. I tried regex ick="="([a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})"" but it is not giving any results. Can someone help?