Hey all, trying this as a hail mary, as I opened a support case last week and have had no response on it. We are trying to use the SOAR ThreatConnect App to send intel (domains, URLs) to ThreatConnect via a playbook. From the documentation, there is a function called POST DATA, which allows us to send the data to ThreatConnect. Right now, if I send a piece of intel, it gets added under the API key account. But I need to be able to change the Owner. I can do this in a Python script easily, but can't figure it out in this App. The documentation has "attribute_name" and "attribute_value", which I've tried setting to "owner" and the required owner respectively. But this doesn't work: the app tells me it cannot find the attribute "owner". The documentation is very lacking here. I can't seem to figure it out. Any ideas on how I achieve this?

Edit: error message: Indicator created/updated, but failed to update the attribute specified. Please ensure the attribute_name is valid, is applicable to the indicator type and attribute_value is valid

I've tried several: "Owner", "owner", "owner_name", "ownerName", etc.
I have some logs, and I want to get the top 20 with 2 conditions. I use: index="fortinet" | top srcip srcname but the chart doesn't show srcname. Please help me.

Dec 22 18:55:00 192.168.100.99 date=2022-12-22 time=18:54:56 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710096306112037 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.114 srcname="DESKTOP-KOTPUP7" srcport=50113 srcintf="LAN2-6" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23640983 proto=17 action="accept" policyid=12 policytype="policy" poluuid="0edafcf4-6f37-51eb-c7b5-87e7b9759041" policyname="ChoPhepTruycapInternetWAN1" service="DNS" trandisp="snat" transip=117.2.159.103 transport=50113 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="default" duration=180 sentbyte=76 rcvdbyte=141 sentpkt=1 rcvdpkt=1 shapingpolicyid=1 shapingpolicyname="TangTocDoTaiVPN" shapersentname="high-priority" shaperdropsentbyte=0 shaperrcvdname="high-priority" shaperdroprcvdbyte=0 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:71:41:ee" srcmac="00:0c:29:71:41:ee" srcserver=0
Dec 22 18:54:59 192.168.100.99 date=2022-12-22 time=18:54:55 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710095776077392 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" srcport=49177 srcintf="lan" srcintfrole="lan" dstip=172.64.138.25 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23641377 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=49177 duration=101 sentbyte=1295 rcvdbyte=2390 sentpkt=8 rcvdpkt=7 appcat="unscanned" wanin=2098 wanout=871 lanin=871 lanout=871 utmaction="allow" countweb=1 srchwvendor="Samsung" devtype="Phone" srcfamily="Nexus" osname="Android" srchwversion="5X" srcswversion="6.0.1" mastersrcmac="00:0c:29:a6:9b:18" srcmac="00:0c:29:a6:9b:18" srcserver=0
Dec 22 18:54:58 192.168.100.99 date=2022-12-22 time=18:54:54 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710094938835145 tz="+0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.110 srcname="DESKTOP-ANV" srcport=60294 srcintf="LAN2-6" srcintfrole="lan" dstip=20.198.119.143 dstport=443 dstintf="wan1" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="India" sessionid=22992698 proto=6 action="accept" policyid=12 policytype="policy" poluuid="0edafcf4-6f37-51eb-c7b5-87e7b9759041" policyname="ChoPhepTruycapInternetWAN1" service="HTTPS" trandisp="snat" transip=117.2.159.103 transport=60294 appcat="unknown" applist="default" duration=100324 sentbyte=309709 rcvdbyte=429373 sentpkt=3357 rcvdpkt=3357 shapingpolicyid=1 shapingpolicyname="TangTocDoTaiVPN" shapersentname="high-priority" shaperdropsentbyte=0 shaperrcvdname="high-priority" shaperdroprcvdbyte=0 sentdelta=370 rcvddelta=510 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:1e:9b:90" srcmac="00:0c:29:1e:9b:90" srcserver=0
Dec 22 18:54:56 192.168.100.99 date=2022-12-22 time=18:54:52 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710092246081148 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" srcport=49182 srcintf="lan" srcintfrole="lan" dstip=117.18.232.240 dstport=80 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23641463 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTP" trandisp="snat" transip=14.167.188.236 transport=49182 duration=77 sentbyte=659 rcvdbyte=462 sentpkt=7 rcvdpkt=4 appcat="unscanned" wanin=290 wanout=287 lanin=287 lanout=287 utmaction="allow" countweb=1 srchwvendor="Samsung" devtype="Phone" srcfamily="Nexus" osname="Android" srchwversion="5X" srcswversion="6.0.1" mastersrcmac="00:0c:29:a6:9b:18" srcmac="00:0c:29:a6:9b:18" srcserver=0
Dec 22 18:54:49 192.168.100.99 date=2022-12-22 time=18:54:45 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710085749980099 tz="+0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" srcport=49835 srcintf="lan" srcintfrole="lan" dstip=40.83.240.146 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23151816 proto=6 action="accept" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=49835 duration=69719 sentbyte=19123 rcvdbyte=27448 sentpkt=189 rcvdpkt=189 appcat="unscanned" sentdelta=180 rcvddelta=251 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:e8:c3:e9" srcmac="00:0c:29:e8:c3:e9" srcserver=0
Dec 22 18:54:44 192.168.100.99 date=2022-12-22 time=18:54:40 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710080306081096 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" srcport=61196 srcintf="lan" srcintfrole="lan" dstip=13.35.166.100 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="Taiwan" sessionid=23641845 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=61196 duration=1 sentbyte=1244 rcvdbyte=6581 sentpkt=11 rcvdpkt=11 appcat="unscanned" wanin=6129 wanout=664 lanin=664 lanout=664 utmaction="allow" countweb=1 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:e8:c3:e9" srcmac="00:0c:29:e8:c3:e9" srcserver=0
Dec 22 18:54:37 192.168.100.99 date=2022-12-22 time=18:54:33 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710072616128264 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.19 srcname="DQ" srcport=59337 srcintf="lan" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23640850 proto=17 action="accept" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="DNS" trandisp="snat" transip=14.167.188.236 transport=59337 duration=180 sentbyte=73 rcvdbyte=175 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="VMware" srcfamily="Virtual Machine" osname="Windows" srchwversion="Workstation pro" srcswversion="10" mastersrcmac="00:0c:29:5f:d9:52" srcmac="00:0c:29:5f:d9:52" srcserver=0
mainsearch | stats count(_raw) as Cou by hour | join hour [ subsearch | head -$Cou$ ]

The above command is not working: main search values can be used as values in a subsearch, but I am unable to use one as an argument to a command. Any suggestions?
Hi Team, I noticed that for some hosts the search returns an incorrect dc count:

1) The query to dc count ids when status is failed:
index=".." exec_mode="..." host_name="test_host" status="failed" | stats dc(id) AS failed BY host_name | table host_name failed
(returns 1)

2) The query to dc count ids when status is skipped or passed:
index="..." exec_mode="..." host_name="test_host" (status="skipped" OR status="passed") | stats dc(id) AS pass_skip BY host_name | table host_name pass_skip
(returns 234)

3) The query to dc count every id:
index="..." exec_mode="..." host_name="test_host" | stats dc(id) AS executed BY host_name | table host_name executed
(returns 234)

But I expect that query #3 returns the sum of queries 1 (failed) and 2 (skipped and passed): 1 + 234 = 235.

Then I tried to play with statuses in the query to get the total ids dc count:

4) index="..." exec_mode="..." host_name="test_host" (status="failed" OR status!="failed") | stats dc(id) AS failed BY host_name | table host_name failed
(it also returns 234)

Only 10% of hosts have such odd search behavior; for the other 90%, total = failed + passed/skipped. Thank you in advance!
Hi team, can you please help me with this error?
Hi guys, we need to get events generated from AWS EventBridge into Splunk. So we tried integrating EventBridge with the API provided by Splunk to send events from EventBridge to Splunk HEC on port 8088. But we are not able to see any logs in Splunk. Can anyone help us with this, to debug what is causing the issue?
Every week the Upgrade Readiness Scan says that Splunk Essentials for Cloud and Enterprise 9.0 is incompatible with jQuery 3.5.  When I go on Splunkbase to see if it has an update, I see no mention of Splunk Essentials for Cloud and Enterprise 9.0 at all. Should I just delete the app?
Having some issue with extraction. Source:

SESSION: Session closed
Client address: 123.CCCCCCC
Client name: CC222C22[123.123.12.123]
User interface: CCCCCCC

https://regex101.com/ shows that ^[^\.\n]*SESSION:(?P<Session>.*) will work. Splunk, when trying it, returns almost the complete message, almost like it does not see the new line. Basically I want from SESSION: to the end of the line, and if Splunk cannot do that, to Client.
Hi, I have the following problem: is there any way to remove these garbage sources? After one wrong log push, I have a lot of these garbage sources.
I'm trying to implement a search query in Splunk to get anomalous values around a particular field in the service events. Essentially the query looks something like this:

index="abc" source=*servicename* response_time | anomalousvalue action=summary pthresh=0.1 | search isNum=YES fieldname=response_time

And this gives me a table containing fields like catAnoFreq%, numAnoFreq%, stdev, etc. I looked at the documentation (https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue) but didn't understand how exactly it works. So for my query, if the response_time field has a standard range of values across events, and if my pthresh=0.1, does that mean that values which occur with a probability of just 10% will fall into the anomalous category? And if I wanted to set an alert on one of the fields in the table to detect an anomaly, which would be recommended? I want to set the alert for any event where the response_time num field is not considered within the normal range.
My task is to format the field "app" with the relative field name. How can I use the format command to format it as in this example: (app=*app1* OR app=*app2* OR *app3* OR ...)? Please help me, thanks.
I need a query for a basic malware outbreak. I need a query with server IP and server name from these raw logs.
Hello, I've got a report that generates roughly 300k entries whenever it runs, and I want to append the results to a lookup table. In a different post, it looked like lookup tables could hold large numbers of rows, but I'm observing that there is a cap at 50,000 entries. Is it possible to remove this cap, and if so, how?
I have multiple parts on my dashboard; how do I select multiple parts at the same time to move them all at once?
My current cluster-agent.yaml has appName repeated 3 times. I hope there is a way of setting a tiername such that on the report I can separate the results by cluster, or even better, by namespace. I can put the same k8s deployment in either different k8s namespaces (cheaper) or clusters, and need AppD to report on them separately.

========= cluster-agent.yaml =======
spec:
  appName: "EPOCH-svc"
  image: "docker.io/appdynamics/cluster-agent:latest"
  serviceAccountName: appdynamics-cluster-agent
  nsToMonitor: [nodejs,dev1,dev2,perf1]
  stdoutLogging: "true"
  instrumentationMethod: Env
  nsToInstrumentRegex: nodejs
  defaultAppName: EPOCH-svc
  logLevel: "DEBUG"
  instrumentationRules:
    - namespaceRegex: nodejs
      instrumentContainer: select
      containerMatchString: epoch-awsmw-offerms-dcp
      language: nodejs
      appName: EPOCH-svc
      imageInfo:
        image: "docker.io/appdynamics/nodejs-agent:22.7.0-16-stretch-slim"
I am trying to search with a specific date and time. Is it possible to search and compare? For example, I want to get stats from 2022-12-20 14:00:00 to 2022-12-20 15:00:00 and compare them with other dates like 12/16, 12/10, 12/5 with the same time range. Is there a way to get stats compared side by side with other dates, OR just have all the mentioned dates and times (2p-3p) in the search query?
Hi All, we are trying to set up CPU alerts for a few servers and we are looking to throttle the alerts to reduce the noise.

Option 1:
Trigger = Once
Throttle = Checked
Suppress trigger for = 4 hours
If I select this option, then suppose there is an issue for one host and the alert is triggered. It won't generate another alert for 4 hrs, but I think we are going to miss it if there is an issue with another host during those 4 hrs. Is that right?

Option 2:
Trigger = For Each Result
Throttle = Checked
Suppress results containing field value = host
Suppress trigger for = 4 hours
If we choose this option, the issue is that if there are 10 hosts it will generate 10 separate alerts, one for each host.

Can someone guide us on what will be the better way to set up this alert? Thanks
Context: I have an external client that uses Arctic Wolf for Sysmon logs on their endpoints, and I need to ingest those logs into our Splunk environment. I'm not to install UFs on their endpoints. I know normally we'd want to install UFs on Windows endpoints and have Sysmon logs sent to the indexers while utilizing Splunk's add-on for Sysmon for CIM compliance, extraction, etc. Since I can't take the normal approach, what's the best practice for receiving a client's external Sysmon logs (without installing UFs on their endpoints) and ingesting those logs?
Any updates as to when InfraViz will be supported by AppDynamics for OpenShift 4.x clusters, as it has moved its default container runtime to CRI-O? Upstream K8s has already removed dockershim. Any plans to support CRI-O?
I have a field called properties.requestbody. I would like to have this field broken out based on the field and value pairs. I've tried with spath and had no luck. I've used and am using rename to extract the fields / values in other parts of the logged events, but I'm not having luck with this field. I think it has to do with the quotes, but I'm not certain. Thanks as always for the help and guidance.

"properties": {"requestbody": "{\"properties\":{\"description\":\"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. \",\"displayName\":\"COMP-015N-Disk access resources should use private link-AuditIfNotExists-BUL\",\"metadata\":\"******\",\"mode\":\"Indexed\",\"parameters\":\"******\",\"policyRule\":\"******\",\"policyType\":\"Custom\"}}"