To use the si commands you need to build a search which works with a normal transforming command (stats,timechart etc) first Then you can replace "stats" with "sistats". This will create summarised data in the summary index (index=summary) You can then run the original search (specifying index=summary) in the future. ... View more

Start by running this search and see if it produces the results you require.  If not, be sure to update us with the results you do get and your expectations: index=abc sourcetype=xyz source="/user.log" process-groups | convert timeformat="%Y-%m-%d" ctime(_time) AS Date |rename count as "Request Counts" |rex field=Request_URL "(?<id>[A_Za-z0-9]{8}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{12})" |stats count by Date ADS_Id Request_Type id ClickHere Request_URL |sort - ADS_Id |lookup parent_chains.csv id |search parent_chain=* Also, I note you do a rename [|rename count as "Request Counts" ] which you don't use. Is that intentional?   ... View more

Your requirement is a bit unclear, but try this: Don't join on a lookup, use it as a lookup. index=abc sourcetype=xyz source="/user.log" process-groups | convert timeformat="%Y-%m-%d" ctime(_time) AS Date |rename count as "Request Counts" |rex field=Request_URL "(?<id>[A_Za-z0-9]{8}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{4}[\-][A_Za-z0-9]{12})" |stats count by Date ADS_Id Request_Type id ClickHere Request_URL |sort - ADS_Id |lookup parent_chains.csv id |search $ckey$ $Teams$ You don't specify where $Teams$ comes from - I assume it's another token and it matches in the lookup file? ... View more

It seems to me that you can simplify your scenario a bit: ( cookies<0 AND cookies>=1) means: unless cookies is exactly 0 then its a failure. If stage is "Not Ready" then your status is "In Progress" Therefore there are only two conditions you need to test: | eval Bakes=case(cookies!=0, "Failure", Stages="NotReady", "In Progress") ... View more

What version of Splunk? Also - are you serving Splunk directly, or is there a load balancer doing SSL offload perhaps? The cookies should be set to secure if Splunk is running with native SSL,  however you can control the response headers separately if you need to. Take a look at https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Webconf in web.conf you should be able to set: [httpServer] replyHeader.X-XSS-Protection=1; mode=block   ... View more

 Are you running Splunk with SSL/HTTPS? ... View more

Untested, but try this in the macro: | eval macroRow=$row$ | lookup test_lookup.csv local=true c1 as macroRow | format | eval search="\"".search."\"" ... View more

Take a look here: https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Addandeditusers ... View more

Your question is not totally clear, but I wonder if you mean "Can I also display the vulnerability details"? In which case you could try replacing the last stats with: | stats max(_time) AS latest, count AS Issues by _time, severity, details   or  | stats max(_time) AS latest, count AS Issues by _time, severity, details, file, line if you want all the fields  ... View more

Thanks don't forgot to upvote too if I helped! ... View more

Just because you wrote "user_nm" (and this may be a silly question) do both search results have the field USER_NM in upper case? Fieldnames (in the join) would be case sensitive. From what you are saying, it sounds like the search should work. Are you able to provide a screenshot (with redactions etc) of all the searches? ... View more

Yes that is correct. HEC is "instant" so it will be the source server sending the data weekly.  Your idea about a cron/curl job being scheduled sounds like you are on the right track! Yes you can run HEC on a HF rather than the SearchHead - I would suggest that is a better solution. ... View more

That would suggest the second search is not finding any matches.  Are you sure that USER_NM is the correct field to match on (does it also need renaming perhaps?) If you just run your second search, do you see results for USER_NM and USER_ID in the same rows? ... View more

I'm guessing that you have copied and pasted that example (with redaction) from the event view in search results? (please use the </> code formatter as it helps preserve formatting) If you are applying regex on the _raw field, you will need to account for the json formatting that was in the original event so your regex might need to begin with something like :   "Subject\": ....etc..."     However, if its well formed json (such that it shows nicely in search results) and you are doing the extraction in a search you can use spath to pull out the fields for you, so then you can apply the regex just to the Subject field.   your search...|spath|table Subject   from here, assuming the | delimited fields are consistent, a simple rex command should work   rex field=Subject "(?P<number>[^\|]+)\|(?P<id>[^\|]+)\|(?P<ip>[^\|]+)\|(?P<email>[^\|]+)\|(?P<subject>[^$]+)"     ... View more

A direct answer to the question using join:   index=14 search_name="Daily Counts" |rename A_USER_NM as USER_NM |table Date USER_NM FILE_ID FILE_NM filecount | join type=left max=0 USER_NM [ search index=14 earliest=-24h@h latest=now sourcetype=user source=O 001 | dedup USER_NM | table USER_NM USER_ID indicator ]   I am unclear if  the dedup in the subsearch is necessary if you are missing results? However, there are normally better/more efficient ways of obtaining the same results with stats, but it might help to see some sample data to provide you with a stats example ... View more

An alternative approach is to run your original (or one from @renjith_nair ) regex, and then coalesce that value with "host". In that way, you can be sure of always getting one value in your final field, even if the regex fails because you have hosts with unusual names.   index="myindex" | rex field=host "(?<hostname>\w+)\." | eval hostname=coalesce(hostname, host)|table hostname     ... View more

The Analytics Workspace is part of Splunk Core (in much the same way as "search")  When you install apps such as SAI, these apps leverage the same tools but bring them into the apps context, albeit sometimes with a bit of "priming or focus" such that you are immediately looking at the relevant data for that app. You can think of it as just another instance of the same Analytics Workspace rather than something separate.   ... View more

If I understand the question, I think the issue is that you are using ! which means "state_desc (IS NOT) = "ONLINE" in all of the case statements try this, and see if it addresses your needs:   |eval short_description=case(short_desc="OFFLINE","system is offline", short_desc="SUSPECT","system is suspect", short_desc="Recovery pending", "system is recovering", 1=1, "System is Online") |eval isAlert=if(short_desc!="ONLINE",1,0)   The fist eval populates "short_description" with a description of each state. The second eval creates a new field called "isAlert". For any condition where the short_desc does not contain "ONLINE" it will return a 1, but for a normal online condition it will contain a 0   If your aim is to fire an alert for an abnormal condition, you only need to worry about results in which isAlert=1, so adding   |search isAlert=1   at the end will only show you results which indicate the system was not reporting "ONLINE" ... View more

I agree with @richgalloway for a text book example, but you are totally on the right track! If it was me, my lookup file would contain a list of terminated uses with at least the following fields: username, terminatedDate (in epoch). You can then run a search:  sourcetype=myAuthenticationSourcetype |inputlookup terminatedusers.csv username |eval terminatedUserAccess=if(terminatedDate<now(),1,0)  This approach means that you can add users to the lookup before they have actually been terminated (meaning you can be proactive for users who have a known departure date) you can then search/filter for events that have a value of 1 for terminatedUserAccess and build a report/alert as required. If you don't want to fuss with epoch dates in the lookup, you can use a date string in the lookup, and do the conversion in the search: |eval terminatedUserAccess=if(strftime(terminatedDate,"%d-%m-%Y")<now(),1,0) ... View more

I'm not quite clear that I understand your issue. Is there a reason you are using ! and CASE? If there are only two options for the value of state_desc you could use "IF" and avoid the ! |eval state_description=if(state_desc="ONLINE", "system is online","system is offline")   ... View more

How you use these fields is determined by your own internal approaches to your assets. In the past I have also included my own fields like "should_vuln" which calls out in some correlation searches for hosts that have escaped a recent vulnerability scan. Whilst every environment differs, the general (anticipated) approach is that all systems should update time, os and have malware protection - unless there is a specific use case not to. For this reason, you can build your asset lookup which sets a default value of "true" for these values and then a smaller lookup which excludes (eval requires_av=false) any systems which you don't expect to run AV. This means you only have to manage a list of exception assets (maybe with wildcards on hostnames, or specific categories) that should NOT have these flags set which should be a much smaller list to manage The "is_expected" flag is to help identify rouge or surprise assets that are sending logs. If you have a CMDB providing a "master" list of assets, you can use this as a source to which you `|eval is_expected=true` ... View more

Is your proxy doing SSL inspection? If so, this will break the certificate chain that SpaceBridge uses to communicate. In environments I have worked on in the past we have requested a bypass for inspection (along with business case justification).  This is the simplest route forwards, the alternative is to configure Splunk to trust your Proxies CA cert. ... View more