Hi socverne, The docs of the apps https://splunkbase.splunk.com/app/3435/#/details tell you this: The searches rely on tools included in Splunk platform to perform anomaly detection, such as the URL toolbox to detect Shannon entropy in URLs So you need to install https://splunkbase.splunk.com/app/2734/ to be able to use the macro. BUT, and some greeting to the BOTS 2019 Team here ;), be aware that this macro returns wrong 2nd level domains for some URL's! The only way to get around this is to actually use a regex and get the 2nd level domains this way. I ended up with this regex to get the correct 2nd level domains: (?<my2ndLevelDomain>[^.]+)\.(?:(?:com|net|org|edu|gov|asn|id|csiro|)\.au|co\.(?:bb|ck|cr|in|id|il|jp|nz|za|kr|th|uk)|[\w\s]{2,})$ Hope this helps ... cheers, MuS PS: @eliasit, yes you still can install the app on Splunk 7.2.x and use it with the above mentioned issues/problems 😉 ... View more

hi Hiroshi - are you suggesting we have a lookup with all emails in ? i don't think thats possible to get a list of all potentially tens of thousands of emails ? ... View more

There is a document about tokens. The search statement is an experience. Please enjoy Splunk. https://docs.splunk.com/Documentation/Splunk/7.2.5/Alert/EmailNotificationTokens ... View more

Documentation from Palo now breaks out each sourcetype into it's intended CIM datamodel. ... View more

Hi @deepashri , Thanks for your reply and help. I was using dedup already but I was missing a command which was advised by @HiroshiSatoh and that worked really well. Thanks once again! ... View more

I'm running a single search head, indexer cluster, and syslog-ng. What is the recommendation? 1) PA -> syslog-ng+HF -> idx_cluster 2) PA -> syslog-ng+UF -> idx_cluster Mike ... View more

Otherwise you can change splunkd port via Web UI or by CLI as mentioned in this answer: https://answers.splunk.com/answers/67/how-do-i-change-the-ports-that-splunk-listens-on.html NOTE: The way you change Management Port by Web UI has changed: - Log in as Admin - Go to Settings - Go to Server settings - Look for Management port and change it - Save your work! ... View more

This is a very helpful tool: https://splunk-sizing.appspot.com/ ... View more

limits.confに以下の設定をしたら、うまく動きました。 [lookup] max_memtable_bytes = 20000000 仕様なんですかね…。 ... View more

Thank you for Answer. I hope that this limit value will be expanded someday... For now, I will consider another way to calculate. ... View more

Is it like this? (your search)|top 3 country by platform | append [search (your search)|top 3 content by platform] | append [search (your search)|top 3 subscriptionTypeby platform] | fields - count percent |stats list(*) as * by platform ... View more

You were correct. I removed the NOT Cisco_ASA_action=teardown NOT transport=icmp and started seeing results. Apparently, my whitelist excluded every alert and there were no other matching record. I appreciate you taking the time to help. ... View more

thanks for the inputs . i would look at your options.. i do have crcsalt source and max days ago, but we are not purging the files. i will use the batch mode to purge them. i believe that should resolve my problem. ... View more

Like this: index="mail" host="outlook.office365.com" last_applied=* last_received=* | where abs(last_applied - last_received) >= 10 ... View more

I do aim to please! Whenever you are mixing AND and OR , you must use parentheses appropriately or you will go off track quickly. ... View more

ご回答ありがとうございます。 また返答が遅くなり申し訳ございません。 使用しているforwarderのバージョンは6.4.3です。 一時的に現象が収まっていたのですが、また再現したため今は6.6.2を使用しています。 トラブルシューティングを確認しますが、これで収まってくれることを願ってます。 ... View more

Thank you all for your advice. In the end the answer was so much easier than expected. No need for lookups. Just leaving out the URL brought up all the events. Sort them alphabetically and by time. dedup to the latest two to get the last score for autoregress to look at, then dedup again at the end to remove second event for the same requestedUrl (which is not accurate because it was copied from the previous line which is not the same URL). That leaves one event row with all the correct values. Then as @nagarjuna280 said, use "each result" option in the Alert. That runs it on every row. Easy peasy and I don't need to maintain a lookup file or definition. host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" myRequestedUrl=* | sort requestedUrl, _time | dedup 2 myRequestedUrl | reverse | autoregress current_a11y_score AS old_a11y_score p=1 | eval a11y_changed = if(current_a11y_score!=old_a11y_score,"True","False") | sort _time | dedup requestedUrl | reverse | table _time myRequestedUrl current_a11y_score old_a11y_score a11y_changed This answer works. If you have any hints on how to make the query more efficient, please let me know. ... View more

Is not it easier to make by drop down etc? <input type="dropdown" token="Time_Picke"> <label>Time Picke</label> <choice value="-24h@h">Last 24 hours</choice> <choice value="-3d@d">Last 3 days</choice> <choice value="-7d@d">Last 7 days</choice> </input> <query>index=XXX earliest=$Time_Picke$ latest=now</query> ... View more

Although it is possible to index a file as a log and join it, it is not much different from using LOOKUP. After that, I think that you can do anything by creating a custom command, but I can not recommend it. ... View more

Since grammar is not wrong, I do not understand just by looking at this search sentence. Is it executed right before the LOOKUP command and the correct value is set for UserDisplayName? Also check whether it matches the name of the lookup file. Execute the search so far | eval UserDisplayName=mvindex(split(UserDisplayName,"\"),-1) Confirm lookup file | inputlookup AD_User_LDAP_list ... View more

I would like you to explain the situation more concretely As a general story… The way to combine the fields of another event into the event is below. (Efficient method) sourcetype=sourcetype_a OR sourcetype=sourcetype_b | stats latest(*) AS * BY your_key (Easy way) sourcetype=sourcetype_a | join type=inner your_key [search sourcetype=sourcetype_b | dedup your_key| table your_key, fields_1, ields_2,fields_other] ... View more

Thanks @HiroshiSatoh . Will try in indexer. ... View more

i just want to round of the time now to the earliest 30min, example the time now is 12:45, the time that it will get is 12:30. can this be done on the time range picker itself ... View more