Hello Splunk Community, I have a Python script that checks a certain family of Cisco devices and tells me if the device is UP or DOWN. The script is based on a CSV file that has hostname and IP. The file is not really subject to change, but can be changed easily if required. I wish I could use the Splunk SNMP module, but I need some sort of API key (BaboonBones!??!). I can use the script outside of Splunk to create a "log" file and then have Splunk read the file. Maybe that is the best way; I am wondering if it is worthwhile to try to find the Splunk Python splunklib.client module and use it to send data, etc. I am open to suggestions. Thanks, eholz1
What is the difference between the rules engine and aggregation policies in ITSI?
Do you have to switch between products? Or can you stick with ITSI the whole way?
Which product(s) would you use to detect, triage, and act on privilege escalation? And how would you then proceed in doing so?
Which product(s) would you use to detect, triage, and act on phishing?
We are creating a custom action when an ITSI event happens, based on the CustomGroupActionBase as documented here. However, I can't find anywhere what data is expected to be returned when calling the get_group method. The docs say:

get_group() Gets the episode that triggered the custom action. This method relies on get_results_file() and expects the returned file path to be a .csv.gz format.

The documentation of get_results_file says:

get_results_file() Gets the results file, which is where results are temporarily stored.

We want to make sure the fields we currently see in the dict returned by get_group don't change, and even better, we would like to understand which file the data is coming from and where. We are afraid we use fields that are not always filled, which would result in an error in our code.
Hi, I have an issue configuring the Alert Manager app. The incident posture filter is not working. It does not matter what info I change inside the red box; the alerts shown below do not change at all. I'd be grateful for any help.
Issue: Phantom Add-on for Splunk is not saving any changes made to saved searches, and the following error is observed in the internal logs:

2022-11-17 17:19:19,970 +0000 ERROR phantom_splunk:188 - Traceback (most recent call last):
  File "/opt/splunk/etc/apps/phantom/bin/phantom_splunk.py", line 182, in rest
    response, content = splunk.rest.simpleRequest(path, **args)
  File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 648, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json

Observations:
- Splunk Prod to Phantom integrations are intact, and I successfully pushed a notable to Prod during troubleshooting.
- Splunk Cloud was recently updated to 9.0. Splunk Enterprise 9.0 is compatible with the currently installed Phantom App version 4.1.73.
- I tested with the highest Splunk permissions and am still unable to save or edit a forwarding search.
Hi, good day to you! I quickly wanted to understand whether Splunk notables will show up with a delayed timestamp on the Incident Review dashboard when they are moved from the "Dev" to the "Prod" stage. I often see bulk notables triggering with a lag in time (assume today is the 18th; alerts show up with the 17th or earlier dates) whenever the SOC team pushes a new use case to the Production queue (status: new). Happy to learn some context/knowledge around this. Cheers,
There is a field [user] in one sourcetype [sourcetype=A1] and a field [ap_user] in another sourcetype [sourcetype=B1]. I want to create a real-time alert that determines whether the user names in these two fields, [user] and [ap_user], are the same. Using a subsearch with append or join in a real-time search did not work. If there is a way to solve this, please let me know.

sourcetype="A1"
| fields user
| join [ search sourcetype="B1" | fields ap_user ]
| table user, ap_user
| eval match=if(user==ap_user, "〇", "×")
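As an added example (not part of the original post), one way to do the comparison without a subsearch, which is the usual approach when join/append are not available in a real-time search: pull both sourcetypes in the base search, normalise the two user fields into one, and let stats decide whether a name was seen in both sourcetypes. It assumes the two sourcetypes share no other field of interest and that `user` and `ap_user` hold the same form of user name (no domain prefix on one side only).

```spl
(sourcetype="A1" user=*) OR (sourcetype="B1" ap_user=*)
| eval uname=coalesce(user, ap_user)
| stats values(sourcetype) AS seen_in, dc(sourcetype) AS st_count BY uname
| eval match=if(st_count==2, "〇", "×")
| table uname, seen_in, match
```

Because stats is a streaming-safe transforming command, this works in a windowed real-time search (for example rt-5m to rt), whereas join and append subsearches are rejected there. A user name that appears only in A1 or only in B1 gets "×"; one present in both gets "〇". If one side carries a domain prefix, normalise it first (for example with `replace(ap_user, "^.*\\\\", "")`) before the coalesce.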
Hi, I'm currently trying to connect Splunk with Zscaler NSS Cloud, which are in different networks. I've typed in the public IP of my firewall and opened port 8089 in the Zscaler admin portal, and an error popped up saying: "Test Connectivity failed: SSL Certs missing for SIEM Host (0)". Where do I get/make this cert and where do I upload it? Thanks!
Hi everyone, I am trying to create an investigation in ES using SPL. Since ES mostly works with lookups/KV store, I tried running the following SPL:

| makeresults
| eval class_name="investigation", collaborators="[{\"name\": \"AAAAAA\", \"write\": true}, {\"name\": \"BBBBBB\", \"write\": true}]", create_time=1668731443, creator="CCCCCC", description="DDDDDDD", mod_time=1668731608, status="[{\"name\": \"In Progress\", \"time\": 1668739809, \"id\": \"investigation:2\"}]", title="EEEEEEE", version=1, comments="[]", tags="[]"
| table class_name, collaborators, create_time, creator, description, mod_time, status, title, version, comments, tags
| outputlookup append=true investigation

I am able to add an entry to the KV store, but when I load the Investigations tab in ES it breaks with the error "Expect an array" and the page cannot load. Has anyone done this before? Is this the right way, or is there another way to use SPL to create an investigation?
Hi, I'm trying to get the audit logs from GitHub Cloud into a Splunk instance that has limited network access. The problem is that the IP address GitHub sends the data from changes often. Instead of granting access to the changed IP, which takes some time to get approved, I'd like to install another Splunk instance in the DMZ environment, where there are no network limits, and send or forward the data to the Splunk instance in the limited network. GitHub needs a Splunk HTTP Event Collector in order to verify before sending data, so I'm guessing that only a heavy forwarder (a full Splunk instance, to my knowledge, right?) is an option. Is this something that can be done? If so, could you please let me know the steps or docs that I could reference? Thank you in advance.
We use a custom app in our Splunk Cloud instance to segregate dashboards and searches from other teams. With the recent update in Splunk 9 that allows dark theme compatibility in the search view of "Search & Reporting", I was wondering if there is a way we could enable that in our custom app as well. Currently, while in this custom app and trying to switch the theme to dark, I get this error message: "The Theme setting is not supported by your current app context."
I'd like to build a search targeting media transfers and add it to my dashboard. Using the index of the security logs, I'd like to pick up all users creating data transfers such as CD burns, USB access, etc. My client requires data transfer accounts to have a specific suffix such as "-xxx". What's the best search for these requirements?
Hi Splunkers, I want to search for a string like abc/efg in my log using a multiselect field. I directly defined this search value abc/efg in the multiselect field, with the token name "keyword"; in my query I use $keyword$ to search, and it doesn't work. I also tried abc\/efg, and it doesn't work either, but other normal strings work here. Any ideas? Thanks in advance. Kevin
I am trying to add a field to a search using a lookup table. However, my key field is sometimes blank, and I get an error that the lookup table does not exist or is not available.

... search with an output field of user
| lookup userList.csv id AS user OUTPUT title

There are a few rows where id is blank, and I do not have permission to edit the table.
I was able to deploy the OTel collector into our AKS cluster to send logs to our Splunk Cloud instance. I'm able to see application pod logs successfully. I was also able to use the option to add environment in the values.yaml, and after I configured it, I'm able to see the environment name in our Splunk instance logs. Now I would like to know if there is a way to add extra attributes, the same way as environment, to have more filtering while searching in Splunk, as we have multiple AKS clusters. I would like to add, the same way as environment, other values such as aksvalue1, myvalue2, myvalue3, so that those values are also created and usable in Splunk Cloud queries. I notice that in values.yaml there is an extra attribute option, but that is for adding tags to pods, apps or namespaces. Is there a native way to achieve this with the same approach as environment? Thank you.
I am VERY new to Splunk, so please bear with me. I have a search:

index=vulnerability "list of packages installed on the remote" myserver.com
| rex field=output "\n{1,3}\s{2,4}(?<ProgramNameOutput>[^|]+)" max_match=5000
| table ProgramNameOutput

which produces the following fictional output:

libhangul-0.1.0-8.el7
intltool-0.50.2-7.el7
libvert-7.6.1-120.el7
at-spi2-core-2.28.0-1.el7
spice-gtk3-0.35-5.el7_9.1
perl-Digest-MD5-2.52-3.el7
mesa-libvert-18.3.4-12.el7_9
hyperv-daemons-license-0-0.34.20180415git.el7
libsysfs-2.1.0-16.el7
openldap-clients-2.4.44-25.el7_9
libvirt-gconfig-1.0.0-1.el7
libpeas-gtk-1.22.0-1.el7
NetworkManager-adsl-1.18.8-2.el7_9
perl-Locale-Maketext-1.23-3.el7

So what I'd like to do is pare that ProgramNameOutput down to only the entries that have "libvert" in them. The output field looks similar to this; it's basically one big text block:

"output: Here is the list of packages installed on the remote CentOS Linux system :

libhangul-0.1.0-8.el7|(none) Mon 01 Nov 2021 12:06:47 PM EDT
intltool-0.50.2-7.el7|(none) Mon 01 Nov 2021 12:10:13 PM EDT
gdb-7.6.1-120.el7|(none) Mon 01 Nov 2021 12:06:15 PM EDT
at-spi2-core-2.28.0-1.el7|(none) Mon 01 Nov 2021 12:08:53 PM EDT
spice-gtk3-0.35-5.el7_9.1|(none) Mon 01 Nov 2021 12:40:05 PM EDT
perl-Digest-MD5-2.52-3.el7|(none) Mon 01 Nov 2021 12:05:15 PM EDT
mesa-filesystem-18.3.4-12.el7_9|(none) Mon 01 Nov 2021 12:38:01 PM EDT"
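As an added example (not part of the original post), the usual way to keep only the matching entries once rex with max_match has produced a multivalue field: filter the multivalue field with mvfilter, drop events whose list ends up empty, and then expand so each surviving package is its own row. It reuses the poster's index, search terms and regex unchanged; the only assumption is that "libvert" should match anywhere in the package name (so both libvert-7.6.1-120.el7 and mesa-libvert-18.3.4-12.el7_9 are kept).

```spl
index=vulnerability "list of packages installed on the remote" myserver.com
| rex field=output "\n{1,3}\s{2,4}(?<ProgramNameOutput>[^|]+)" max_match=5000
| eval ProgramNameOutput=mvfilter(match(ProgramNameOutput, "libvert"))
| where isnotnull(ProgramNameOutput)
| mvexpand ProgramNameOutput
| table host, ProgramNameOutput
```

mvfilter must reference exactly one field, which is why the predicate is written as match(ProgramNameOutput, "libvert") rather than a comparison against another field. The where clause removes scanned hosts with no matching package, so the dashboard panel only lists real findings. If the match should be anchored to the start of the name (to exclude mesa-libvert), change the regex to "^libvert". The same shape works for any package name, so a dashboard text input can be substituted for the literal, as in match(ProgramNameOutput, "$pkg$").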