I have data something like below.

    msg: {
        application: test-app
        correlationid: 0.59680117.1667864418.7d2b8d5
        httpmethod: GET
        level: INFO
        logMessage: {
            apiName: testApi
            apiStatus: Success
            clientId: testClientId1
            error: NA
            list_items: [
                {
                    city: PHOENIX
                    countryCode: USA
                    locationId: dc5269a4-c043-4381-b757-63950feecac3
                    matchRank: 1
                    merchantName: testMerchant1
                    postalCode: 12345
                    state: AZ
                    streetAddress: 4000 E SKY HARBOR BLVD
                }
                {
                    city: PHOENIX
                    countryCode: USA
                    locationId: c7b97f03-b21b-4c11-aead-1ca3cd03d415
                    matchRank: 2
                    merchantName: testMerchant2
                    postalCode: 56789
                    state: AZ
                    streetAddress: 4000 E SKY HARBOR BL
                }
                ......
            ]

I have to get a table with clientId and locationId, something like below:

    clientId         locationId
    testClientId1    dc5269a4-c043-4381-b757-63950feecac3
    testClientId1    c7b97f03-b21b-4c11-aead-1ca3cd03d415

What I tried is:

    | base search
    | table "msg.logMessage.clientId", "msg.logMessage.matched_locations{}.locationId"

which resulted in grouping the locationIds for the clientId, hence one row even for multiple locationIds:

    clientId         locationId
    testClientId1    dc5269a4-c043-4381-b757-63950feecac3
                     c7b97f03-b21b-4c11-aead-1ca3cd03d415

Any help is appreciated.
Hi everyone, I need to find a way to filter the data that specific roles can access inside an index. For example:

    index=servers

The index has servers from windows, linux, and ostype3. We want to have the following:

- roleA has access to index=servers (but just sees windows servers)
- roleB has access to index=servers (but just sees linux servers)
- roleC has access to index=servers (but just sees ostype3 servers)

This can be achieved by using search filters, and it worked ok. However, if I then have a role that can:

- RoleD has access to index=servers (but just sees windows servers)
- RoleD has access to index=firewalls

this will not work for roleD. RoleD will not be able to search index=firewalls, as the search filter takes precedence and limits the user to just the data in: RoleD has access to index=servers (but just sees windows servers).

So, I'm trying to find a new solution that allows me to do what I need, and a summary index came to mind. However, I'm struggling with something. When my data is sent to the summary index, its sourcetype is changed to stash, and then my data is not parsed as it is in the original index. Let's suppose I change the sourcetype from stash to the original sourcetype; that would then make me use a lot more license and double it up.

So, that's why I'm asking here for help. What solutions do I have? Am I missing something or doing something wrong? Thanks in advance if someone can help me with this.
Is there a way to edit a note in a container via the API? If not, is there any plan to expose this API in the future?
Hi, we are using the Splunk add-on Splunk_TA_windows to capture CPU, Memory, Disk and other infrastructure log details. Through this add-on we are getting the cpu, memory, disk and all other sourcetypes in Splunk for our Windows servers. But for only two of our Windows servers, all sourcetypes except CPU & Memory are being captured in Splunk. In inputs.conf of the add-on, the monitoring stanza is present for CPU and Memory. Why aren't we receiving the CPU and Memory sourcetypes from those servers? How do we get those details as well? Please suggest.
Hi, we have installed the Website Monitoring app and added a few URLs to monitor, but the data was not updating properly: when checked, the "last checked" time was not the latest time. Are there any settings to configure so the data always updates? Also, please suggest any option to add URLs in bulk or on a script basis. Note: we are using this app on the Splunk Cloud UI.
What could be the stanza for monitoring the Linux directory /home/cleo/Harmony/script/logs/Harmony_directory_monitor_1hr.conf.20220512.log? I tried

    [monitor:///home/cleo/Harmony/script/logs]
    whitelist = *.log

but am not able to ingest any data. This path has proper permissions.
Hi all, I am working on calculating the response time (for max, PR99, and avg value) from Table 1. I would like to list the detailed procedure durations (Procedure-1/-2/-3) and name the rows as max/PR99/AVG; the output would be similar to Table 2. Does anyone have an idea about how to implement this to include the max response time and the corresponding Procedure times as well, instead of listing the maximum value in each field? Moreover, is there any way to include the average response time and average Procedure-1/-2/-3 time in the same table as well?

Table 1: (in sec)

           Procedure-1   Procedure-2   Procedure-3   Total Response Time
    Test-1         111           222           333                   666
    Test-2         200           100           300                   600
    Test-3         250           350           150                   750

Table 2: (in sec)

         Total Response Time     Procedure-1              Procedure-2              Procedure-3
    Max  750 (Test 3)            250 (come from Test 3)   350 (come from Test 3)   150 (come from Test 3)
    Avg  (666+600+750)/3=672     (111+200+250)/3=187      (222+100+350)/3=224      (333+300+150)/3=261

Thank you so much. #table #chart #stats #max
splunk data:

    2022-01-01T02:06:12.182Z 7c3edf29-c081-4cca-ae9b-0f79ef7d1c8d INFO {"InfoLogInformation":{"MethodName":"index.handler","Message":""Processing completed"","LogType":"Info","Error":"2022-01-01T02:06:12.040Z::400 - {"ResponseStatus":{"ErrorCode":"WorkBookMessageException","Message":"###1234$$$ Invalid."

query:

    | rex ",\"Message\":\"\"(?<Message>.*?)\"\""
    | rex "\"Exception\":\"400 - {\"ResponseStatus\":{\"ErrorCode\":\"(?<ErrorCode>.*?)\",\"Message\":\"(?<Message>.*?)\""

query result:

    Message = Processing completed

I want the result to be the Message "###1234$$$ Invalid." Please help. TIA
I'd like to have a checkbox which, when checked, will either show or enable a text field, and when unchecked will hide or disable the text field:

    <input type="checkbox" token="reqIdFilter">
      <label></label>
      <choice value="Enable">Enable</choice>
      <change>
        <condition match="$reqIdFilter$==&quot;Enable&quot;">
          <set token="showReqIdFilter">Y</set>
        </condition>
        <condition>
          <unset token="showReqIdFilter"></unset>
        </condition>
      </change>
    </input>
    <input type="text" token="RequestId" depends="$showReqIdFilter$">
      <label>RequestId</label>
    </input>

But that doesn't seem to work. Is there something wrong with the above? Second, I'd like the search to use the value of $RequestId$ only if the checkbox is checked; how can I do that? `mySearch $RequestId$` will always inject $RequestId$; how can I make this conditional on the checkbox?
Hello, I have a quick question. Is there any way to find which app a specific index name was used in? The reason I am asking is that we have a number of apps, but I forgot which apps I used for the index wincbs. Thank you so much in advance for your support in these efforts.
Is there any way we can pull all the SAML group names that are configured in Splunk, or is there any way we can get which roles are assigned to which SAML group in Splunk?
Is there a method to add custom AD Attributes from the AD Objects to the AD Object KV Stores in the MS AD Objects App, or are we better off using a separate search to set these objects in a "Supplemental" AD Objects KV Store? Currently, the app maps most of the default AD Objects, but there are some that are not mapped that we'd like to add to the KV Store for use with other apps.
I'm creating a custom application in SOAR, and one of the fields this custom application provides is password information. For obvious reasons, I don't want to store the password in the container; rather, I would just like to add it to a parameter that I can use during playbook execution only. Is there any way I can do it?

Version: Splunk SOAR 5.2.1.78411

What I'm doing today in my custom app is:

    if secret_value:
        self.save_progress("Secret value retrieved successfully")
        action_result.add_data({"succeeded": True, "secret_value": secret_value})
        return action_result.set_status(phantom.APP_SUCCESS, 'Successfully retrieved secret value')

but the secret value is saved in the container.
Hello everybody, I'm trying to join two different sourcetypes from the same index that both have a field with the same value but a different name, i.e.: sourcetype 1 - field name=x - value=z | sourcetype 2 - field name=y - value=z. I've tried these two queries but had no success at joining the two:

    index=rapid7 sourcetype="rapid7:insightvm:asset:vulnerability_finding" finding_status=new
    | eval date=strftime(now(),"%m-%d")
    | eval date_first=substr(first_found,6,5)
    | where date=date_first
    | join type=outer left=L right=R where L.vulnerability_id=R.id [ search index=rapid7 sourcetype="rapid7:insightvm:vulnerability_definition" ]

    index=rapid7 sourcetype="rapid7:insightvm:asset:vulnerability_finding" OR sourcetype="rapid7:insightvm:vulnerability_definition"
    | eval id=vulnerability_id
    | transaction id

As you can see, I didn't even try the transaction one, because I haven't finished understanding how it works. The main issue I have is that I want to work with all the values so I can build a table or a stats command that displays the most recent vulnerabilities found by the InsightVM dataset; however, I only get the values from the left search. Whenever I add a stats or a table command to the query using the join command, I get empty values in my table, i.e.:

    | table L.asset_hostname, R.title, R.description, L.solution_fix

I have already manually tested to see if the values from the different fields are the same, and they are. I'd appreciate it if someone would be kind enough to shed some light on this and help me understand what I am doing wrong. Thanks in advance.
Hello all, I'm trying to install the Palo Alto Add-On to integrate Cortex XDR with Splunk. I followed the steps in https://splunk.paloaltonetworks.com/cortex-xdr.html and configured Tenant Name, API Key ID and API Key, but when it tries to retrieve events this error is logged:

    File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
    requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api-https', port=443): Max retries exceeded with url: //masked_tenant_name.xdr.masked_tenant_region.paloaltonetworks.com/.xdr.masked_tenant_region.paloaltonetworks.com/public_api/v1/incidents/get_incidents/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f1afcb645d0>: Failed to establish a new connection: [Errno -2] Name or service not known'))

As you can see, after the message "Max retries exceeded with url:" the URL doesn't contain "https:"; well, this cannot be the problem. The configuration is this:

    Name = DEV_XDR
    Interval = 60
    Index = default
    Status = false
    Tenant Name = https://masked_tenant_name.xdr.masked_tenant_region.paloaltonetworks.com/
    Tenant Region = masked_tenant_region
    API Key ID = ********
    API Key = ********

I tried "curl" from the server with the add-on to the tenant URL, and the URL can be reached. Before opening a case with Palo Alto, has anyone had this problem or a similar one before?
What capability gives users permission to only enable/disable custom alerts (without editing)? I'm looking for a solution for how to give a user just permission to enable or disable custom alerts, without edit and schedule possibilities.
Hi everyone, I'm currently having difficulty installing a UF on one of our Microsoft Server 2019 machines, which runs as a VM via Hyper-V. Please do take note that this is a fresh installation of the universal forwarder on this machine. Also, this server is acting as a domain controller and we would like to get its logs.

Kindly show me the way, since I have been searching for hours and could not find a proper answer for this. Also, I would like to avoid reformatting this specific machine just to install the UF. Thank you.

This is what the logs show:

    12:23:30 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
    12:23:34 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splknetdrv.inf >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
    12:23:37 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\SplunkUniversalForwarder\bin\SplunkMonitorNoHandleDrv.inf >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
    12:23:40 AM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal first-time-run --answer-yes --no-prompt >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
    This appears to be your first time running this version of Splunk.
    12:23:40 AM C:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
    The certificate generation script did not generate the expected certificate file:C:\Program Files\SplunkUniversalForwarder\etc\auth\server.pem. Splunkd port communication will not work.
    SSL certificate generation failed.
    Creating: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk
    Creating: C:\Program Files\SplunkUniversalForwarder\var\run\splunk
    Creating: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\appserver\i18n
    Creating: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\appserver\modules\static\css
    Creating: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\upload
    Creating: C:\Program Files\SplunkUniversalForwarder\var\run\splunk\search_telemetry
    Creating: C:\Program Files\SplunkUniversalForwarder\var\spool\splunk
    Creating: C:\Program Files\SplunkUniversalForwarder\var\spool\dirmoncache
    Creating: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\authDb
    Creating: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\hashDb
    12:23:45 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\SplunkMonitorNoHandleDrv.inf >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
    12:23:47 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splknetdrv.inf >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
    12:23:49 AM C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf >> "C:\Users\ADMINI~1\AppData\Local\Temp\splunk.log" 2>&1"
What capabilities are required for users to see Splunk.image visualizations on Studio Dashboards? Currently the only capability I can find that allows the role to see the visualization is admin_all_objects, but I want to avoid using this if possible. Thanks, Daniel
(This may be vague because of what it's on, so sorry.) I have, let's say, 2 servers: the "Splunk" server and the "Target" server. There are certain logs on the Target server that I'm trying to get to report to Splunk, and for some reason they just aren't going. I tried editing the inputs a few times. I get 2 of the 3 files reporting to Splunk, but for some reason it won't capture the other one. I've tried a few variations on the inputs.conf file to capture these logs. Not sure if I need to specify the log type in the conf file or if I'm just being dumb. This is one of those things I've been working on for a while, so my mind is mush. So here I am.

There is a "Banner.LogTypeHere", "Host.LogTypeHere" and a "UserDAC.LogTypeHere". I get the Banner and Host to show up, but for some reason the UserDAC doesn't populate. Just some dumb variations I've tried in inputs:

    [monitor: %ProgramData%\XXX\XXX\Logs]
    [monitor: %ProgramData%\XXX\XXX\Logs\*.LogTypeHere]
    [monitor: c:\ProgramData\XXX\XXX\Log]
After upgrading Splunk Enterprise to 9.0.2, we are encountering the following error on every restart on the CLI:

    Checking conf files for problems...
    Invalid key in stanza [instrumentation.usage.tlsBestPractices] in /opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf, line 451: | append [| rest /services/configs/conf-pythonSslClientConfig | eval sslVerifyServerCert (value: if(isnull(sslVerifyServerCert),"unset",sslVerifyServerCert), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as python_configuredApp values(sslVerifyServerCert) as python_sslVerifyServerCert by splunk_server | eval python_configuredSystem=if(python_configuredApp="system","true","false") | fields python_sslVerifyServerCert, splunk_server, python_configuredSystem] | append [| rest /services/configs/conf-web/settings | eval mgmtHostPort=if(isnull(mgmtHostPort),"unset",mgmtHostPort), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as fwdrMgmtHostPort_configuredApp values(mgmtHostPort) as fwdr_mgmtHostPort by splunk_server | eval fwdrMgmtHostPort_configuredSystem=if(fwdrMgmtHostPort_configuredApp="system","true","false") | fields fwdrMgmtHostPort_sslVerifyServerCert, splunk_server, fwdrMgmtHostPort_configuredSystem] | append [| rest /services/configs/conf-server/sslConfig | eval cliVerifyServerName=if(isnull(cliVerifyServerName),"feature",cliVerifyServerName), splunk_server=sha256(splunk_server) | stats values(cliVerifyServerName) as servername_cliVerifyServerName values(eai:acl.app) as servername_configuredApp by splunk_server | eval cli_configuredSystem=if(cli_configuredApp="system","true","false") | fields cli_sslVerifyServerCert, splunk_server, cli_configuredSystem] | stats values(*) as * by splunk_server | eval date=now() | makejson output=data | eval _time=date, date=strftime(date,"%Y-%m-%d") | fields data date _time).
    Your indexes and inputs configurations are not internally consistent.
    For more information, run 'splunk btool check --debug'

This was not happening on 9.0.1, so we checked the 'savedsearches.conf' of the splunk_instrumentation app in the 9.0.1 tar, and we found that the 9.0.2 'savedsearches.conf' is actually older than and different from the 9.0.1 version.

    ~/Downloads$ diff savedsearches.conf.901 savedsearches.conf.902 | cat -A
    447c447$
    < | append [| rest /services/configs/conf-server/sslConfig | eval sslVerifyServerCert=if(isnull(sslVerifyServerCert),"unset",sslVerifyServerCert), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as global_configuredApp values(sslVerifyServerCert) as global_sslVerifyServerCert by splunk_server | eval global_configuredSystem=if(global_configuredApp="system","true","false") | fields global_sslVerifyServerCert, splunk_server, global_configuredSystem] \$
    ---$
    > | append [| rest /services/configs/conf-server/sslConfig | eval sslVerifyServerCert=if(isnull(sslVerifyServerCert),"unset",sslVerifyServerCert), splunk_server=sha256(splunk_server) | stats values(eai:acl.app) as global_configuredApp values(sslVerifyServerCert) as global_sslVerifyServerCert by splunk_server | eval global_configuredSystem=if(global_configuredApp="system","true","false") | fields global_sslVerifyServerCert, splunk_server, global_configuredSystem] \ $

The difference lies in the escaped end-of-line character at the end. We also tried to run this search from the GUI, and it raises an error confirming that the search is indeed broken. We "solved" it by using the 9.0.1 version in the local folder of the splunk_instrumentation app. Has anyone found out if this broken search is affecting Splunk Enterprise usage in any way?