About scelikok

scelikok · ‎02-13-2023

@AL3Z, Could you please share sample events?

scelikok · ‎02-12-2023

Hi @AL3Z, You can use below eval to create asset_found field. | eval asset_found=coalesce(hostname, mac_address,"")

scelikok · ‎02-11-2023

Hi @Pjyoti, Can you please share a few log lines? Because it seems user and API return values should be extracted before analysis.

scelikok · ‎02-11-2023

Hi @AL3Z , @yuanliu's solution should work but I think your field name is "labels" not "Labels". Field names are case sensitive. Please try below; | fillnull labels value=manage

scelikok · ‎02-09-2023

evt_resolve_ad_obj = 0 will stop SID resolution. You will not able to see usernames in the logs. Please test only use_old_eventlog_api = true

scelikok · ‎02-09-2023

Hi @Pjyoti, You can use streamstats to count successful downloads by resetting on fail. https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Streamstats#The_reset_on_change_argument Please try below sample; index=ty_ss | streamstats count as success_count by http_response reset_after=(http_response=500)

scelikok · ‎02-09-2023

Hi @poojithavasanth, I think you didn't use my settings as they are. Please remove TIMESTAMP_FIELDS setting.

scelikok · ‎02-09-2023

Hi @corti77, Could you please try below. (Another usage of join ) index="pan_logs" dns sourcetype="pan:threat" dest_zone=External dest_port=53 action=dropped OR action=blocked vendor_action=sinkhole | dedup file_name | table _time file_name | rename file_name as domain | join max=0 type=left domain [ search index="msad" sourcetype="MSAD:NT6:DNS" | eval host_querying=src_ip | fields domain, host_querying] | table _time domain host_querying

scelikok · ‎02-09-2023

Hi @poojithavasanth, Below should work; [xxx:xxx:audit:xml] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true KV_MODE=xml TIME_FORMAT=%Y-%m-%dT%H:%M:%S TIME_PREFIX=EventDateTime=" MAX_TIMESTAMP_LOOKAHEAD=19

scelikok · ‎02-09-2023

Hi @HX, It seems either your disk (/mnt/splunk_index_hot) is full or not accessible.

scelikok · ‎02-09-2023

Hi @taldavita, Splunk does not resolve system variables on server.conf other than $HOSTNAME. That is why you should think of a script to get $HOST_EXTERNAL value and update server.conf.

scelikok · ‎02-09-2023

Hi @chimbudp, This is just a notice. UF changes the indexer connection every 30 seconds as a default. It selects the next indexer randomly. This log shows that the next selected indexer is the same as the current one, which is why changed with another one which is on the last in the list.

scelikok · ‎02-08-2023

Hi @cooprco, Please try accessing setup page from Manage Apps page and click Save. Using this method should set the app as configured. You should be able to access dashboards.

scelikok · ‎02-08-2023

Hi @dionrivera, Splunk Universal Frowarder resolves SID to username for WinEventLog:Security logs by querying the nearest DC. If your DCs are busy, this resolution takes more time and causes delays. If you check the logs they should be coming but are delayed. If this is the case you can try adding below parameter to use old event log API for resolution. [WinEventLog://Security] use_old_eventlog_api = true

scelikok · ‎02-08-2023

Hİ @jeremyhagand61, It seems pass4SymmKey is set on your deployment server. Please try adding pass4SymmKey like below server.conf setting on your deployment clients. server.conf [deployment] pass4SymmKey = yourpasssymkey

scelikok · ‎02-08-2023

Hi @Namanthakur, Please confirm your input configuration has pan:log as sourcetype. And be sure Palo Alto Networks Add-on for Splunk is installed where your syslog first hits, if you are using Heavy Forwarder you should install add-on on Heavy Forwarder. That add-on will overwrite sourcetype by looking events contents THREAT, SYSTEM etc.

scelikok · ‎02-08-2023

scelikok · ‎02-08-2023

Hi @boxmetal, You can try below; <my search> | timechart span=1mon dc(UserID) as "Number of Users" | filldown

scelikok · ‎02-07-2023

Hi @Raymond2T, Are these sub searches totally different? If you can share your searches (anonymized) we can find another way to achieve your goal.

scelikok · ‎02-06-2023

Hi @SplunkDash, These are drivers provided by IBM, you should be able to download them using IBM id. And yes they will work with Splunk DB Connect.

scelikok · ‎02-03-2023

Hi @AL3Z, You can try below; | stats latest(Labels) as Labels by profile | where isnull(Labels) or Lables="lostinterface"

scelikok · ‎02-03-2023

Hi @SplunkDash, You can download the supported driver file and copy or move the db2jcc4.jar file to the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers directory, reload the driver under Settings>Drivers. https://docs.splunk.com/Documentation/DBX/3.7.0/DeployDBX/Installdatabasedrivers#IBM_DB2

scelikok · ‎02-03-2023

Hi @FPERVIL, You can create two csv lookup files like below; legit_hosts.csv (field name is dst_host) dst_host google.com webex.com *.zoom.us legit_ips.csv (field name is dst_ip) dst_ip 1.2.3.4 And use below query; index=* sourcetype=websense* (http_method="POST" OR http_method="PUT" OR http_method="CONNECT") bytes_out>50000000 NOT [| inputlookup legit_hosts.csv ] NOT [|inputlookup legit_ips.csv ] If you need to add/remove legit hostnames or IP addresses you can just update related lookup files.

scelikok · ‎02-01-2023

Hi @super_edition, Actually because of timechart ... by openshift_cluster you should see different time series for each openshift_cluster. Also there is no sum function. Could you please check and confirm if you used the search as it is? Including by openshift_cluster?

scelikok · ‎02-01-2023

Hi @ilhwan, You hit 10000 rows limit that @gcusello mentioned if you are using lookups as a subsearch with inputlookup command. This is subsearch results limit. Please use lookup command for searching inside lookup, lookup command has no limit.

Posts	1167
Solutions	283
Karma Given	31
Karma Received	535
Member Since	‎14-12-2016

Online Status	Offline
Date Last Visited	yesterday

Splunk DB Connect 3: How to resolve "HTTP Error 50...

Enterprise Security Indexer Sizing for High Capaci...

Re: How to filter out events to make a search out ...

Re: How to filter out events to make a search out ...

Re: How to get count of successful events after fa...

Re: How to filter out events to make a search out ...

Re: Why are we missing Windows "WinEventLog:Secu...

Re: Need help with getting count of successful eve...

Re: How to parse XML and props.conf?

Re: Detect host connecting to malicious domains - ...

Re: How to parse XML and props.conf?

Re: How to fix a full Splunk indexer queue?

Re: How to use server.conf delivered to a series o...

Re: Splunk logs : After randomization, current is ...

Re: Asset Discovery- Why won't the app return any ...

Re: Why are we missing Windows "WinEventLog:Secu...

Re: Brand new Deployment client will not connect. ...

Re: Logs from other Sourcetype not coming from Pal...

Re: How to stop searching when first result was fo...

Re: Fill count number of previous month when there...

Re: How to stop searching when first result was fo...

Re: How to get dbConnect Driver to resolve issue f...

Re: Need to filter out events to make a search out...

Re: How to get dbConnect Driver to resolve issue f...

Re: Need assistance creating a file that can be up...

Re: How to plot two sets of data in line chart whe...

Re: Is there a row limit to lookup tables?

Join the Conversation