Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About zacksoft_wf
zacksoft_wf
Contributor
Member since:
08-17-2021
01-31-2024
Community Statistics
| Posts | 140 |
| Solutions | 1 |
| Karma Given | 28 |
| Karma Received | 3 |
| Member Since | 08-17-2021 |
Activity Feed
- Karma Re: need help with search logic for ITWhisperer. 07-24-2023 03:26 AM
- Posted need help with search logic on Splunk Search. 07-24-2023 02:00 AM
- Karma Re: How do I determine why a Correlation Search isn't creating a notable event when I expected one? for stroud_bc. 04-20-2023 05:58 AM
- Posted Why are notables not getting created? on Splunk Enterprise Security. 04-20-2023 05:42 AM
- Posted Re: Rex field extraction on Splunk Search. 04-19-2023 04:21 AM
- Posted Rex field extraction on Splunk Search. 04-19-2023 03:50 AM
- Posted Re: Regex Field Extraction on Splunk Search. 02-14-2023 07:34 AM
- Karma Re: Regex Field Extraction for gcusello. 02-14-2023 07:34 AM
- Tagged Re: Regex Field Extraction on Splunk Search. 02-14-2023 07:34 AM
- Posted Re: Regex Field Extraction on Splunk Search. 02-14-2023 06:58 AM
- Tagged Re: Regex Field Extraction on Splunk Search. 02-14-2023 06:58 AM
- Posted How to write a rex to extract values in a field that are delimited by comma? on Splunk Search. 02-14-2023 06:43 AM
- Posted Comparison of field values with a lookup? on Splunk Search. 02-06-2023 12:46 AM
- Posted Re: How to list all the KV stores /collections via SPL Splunk Search? on Getting Data In. 12-04-2022 10:42 PM
- Posted How to list all the KV stores /collections via SPL Splunk Search? on Getting Data In. 12-01-2022 03:12 AM
- Karma Automatic Lookup and indexed_kv_limit limit reached ? for Rodelanuit. 12-01-2022 02:23 AM
- Posted Re: Unable to load the second panel of dashboard on Dashboards & Visualizations. 10-28-2022 03:53 AM
- Tagged Re: Unable to load the second panel of dashboard on Dashboards & Visualizations. 10-28-2022 03:53 AM
- Posted Unable to load the panel of dashboard? on Dashboards & Visualizations. 10-28-2022 02:07 AM
- Posted Re: How to count number of events and length along with the median value ? on Splunk Search. 10-26-2022 05:34 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-21-2022
03:44 AM
@jamie00171 - Thank Jamie. I am thinking to rerun my query with collect statement and removing the source type from there, so that it will default get saved into 'stash' sourcetype. My concern is, that particular summary-index already collects summary data from other searches. Will my SPL overwrite any of the existing fields ? And after running my current query , how do I know that the data get stored in stash, Will I see the fields (from my SPL) get added into the interesting field side bar, and thats how I know it is now going to stash ?
... View more
06-17-2022
06:46 AM
I am investigating a customer's concern that this particular search is not writing summary to 'stash' sourcetype. This is the SPL we have. I am relatively new to summary index. Any pointers where I should be looking at ? | tstats summariesonly=true count sum(Web.bytes_in) AS total_bytes_in sum(Web.bytes_out) AS total_bytes_out from datamodel=Web where sourcetype="qnet:proxysg:access*" groupby _time span=1d Web.category
| rename Web.category AS category
| eval total_bytes=total_bytes_in + total_bytes_out
| collect index=security_summary source="SavedSearch.Qnet_Daily_Category_Stats" sourcetype="SavedSearch.Qnet_Daily_Category_Stats"
... View more
06-13-2022
04:31 AM
I have a list of products (that i have in a csv lookup) with fields such as prod_name, product_ID, price_tag look up name : myproduct.csv I want to compare all my products from my lookup, if they are "price tagged" or not ? I have an index and sourcetype that contains events of all the products that are "price tagged." index=all sourceype=all_price_tagged_poducts Fields : prod_ID (same as product_ID of the lookup) If the product_ID value from my lookup is present in any of the events in the sourcetype=all_price_tagged_poduct, then I know that all products in my .csv lookup are 'price tagged' Need help to write a query for it.
... View more
- Tags:
- splunk-search
Labels
- Labels:
-
lookup
06-09-2022
01:50 AM
index="secue" sourcetype="sec:json" attributes.meaningful_name!="" | rename "context_attributes.submitter.country" AS country | eval match_risk="Extreme" | lookup riskyNation.csv country_code AS country, Risk AS match_risk OUTPUTNEW Country AS risk_country | fillnull value=" " risk_country | rename "attributes.popular_threat_classification.popular_threat_name{}.value" AS threat_name | lookup flagged_threats.csv threat_name AS threat_name OUTPUTNEW flagged_threat | fillnull value=" " flagged_threat | stats sum("attributes.times_submitted") AS times_submitted, dc("attributes.md5") AS md5_count, values("attributes.md5") AS md5_value, values(risk_country) as risk_country, values(flagged_threat) AS flagged_threat by "attributes.meaningful_name", "context_attributes.submitter.id" | search md5_count > 1 | rename "context_attributes.submitter.id" AS submitter_id | rename "attributes.meaningful_name" AS meaningful_name | stats values(risk_country) AS extreme_risk_country, list(flagged_threat) AS flagged_threat, list(times_submitted) AS times_submitted, list(md5_count) AS unique_md5, list(meaningful_name) AS file_name, list(md5_value) as md5 by submitter_id
... View more
06-09-2022
01:05 AM
The objective is to display multiple modifications done by the Submitter, And to show number of modifications, respective filenames and hash names. Example : Submitter John did 15 modifications, 3 modification to file app.exe 2 modifications to gap.exe 10 modifications to rap.exe. So the display should show 15 hash files . And my SPL does the job. The SPL ends with | stats values(risk_country) AS extreme_risk_country, list(flagged_threat) AS flagged_threat, list(times_submitted) AS times_submitted, list(md5_count) AS unique_md5, list(meaningful_name) AS file_name, list(md5_value) as md5 by submitter_id I do see the results, but I am unable to easily eye-ball where the hash file of one filename ends and other one begins. especially when there are lots of hashes. Please check the attachment of the output I am getting. I want to easily see/distinguish where one set of hashes finish for a file and other one starts. I am looking for suggestions to achieve it in some way to look it visually separate . Thank you.
... View more
Labels
- Labels:
-
panel
05-31-2022
06:07 AM
Search job won't finish and causing resource drain on shared indexers and ES. I am suspecting I might not be using 'tstats ' efficiently. Perhaps the two tstats are the culprit Any pointers on how to use append with two tstats output?
... View more
Labels
- Labels:
-
tstats
04-29-2022
04:44 AM
I am trying to remove warning from my dashboard. Because 'Advanced XML isn't supported and it has to be replaced with Simple XML'. I am stuck at this code where the error says, Unknown Option name = 'displayRowNumbers' for node 'table' Unknown Option name = 'linkFields' for node 'table' Unknown Option name = 'linkView' for node 'table' The code is, <title>Base search</title> <option name="count">10</option> <option name="displayRowNumbers">false</option> <option name="linkFields">result</option> <option name="linkView">flashtimeline</option> Any suggestion what to replace my code with ?
... View more
Labels
- Labels:
-
simple XML
04-20-2022
06:47 AM
I noticed something, In my query if I write like this I get wrong iplocation data index=palo_alto_networks TERM(112.196.162.127) | table _time, sourcetype, src, local_ip Country user_name | iplocation src But if, I change the iplocation comands position to the middle , it gives the correct country data like this index=palo_alto_networks TERM(112.196.162.127) | iplocation src | table _time, sourcetype, src, local_ip Country user_name
... View more
04-19-2022
10:33 PM
In my ES App, I have a rule where I noted some discrepancy regarding the source country for the src ip 112.196.162.127. Using 'iplocation' command in SPL it shows as Turkey. But in whoisdomaintools it shows as India. 112.196.162.127 IP Address Whois | DomainTools.com Any suggestion why this is the case ?
... View more
04-14-2022
02:46 AM
I meant I can't open the file system in the standard way by using a command prompt and typing btool debug command. Lets say I want to see if there is any custom override for the TA Symantec. I write this in the splunk search bar to get the btool info. index=splunk_admin sourcetype="an:1SPLK:config_file_btool_output_debug:txt" host="aws3e-bullcp0135.anz.net" "/opt/splunk/etc/apps/Splunk_TA_symantec-ep" and I see output like, /opt/splunk/etc/apps/Splunk_TA_symantec-ep/default/transforms.conf [symantec_ep_severity_lookup] /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True /opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE = /opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000 /opt/splunk/etc/system/default/transforms.conf DEST_KEY = /opt/splunk/etc/system/default/transforms.conf FORMAT = /opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False /opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096 /opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000 /opt/splunk/etc/system/default/transforms.conf MV_ADD = False /opt/splunk/etc/system/default/transforms.conf REGEX = /opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw Just because there is no etc/system/local above and all are etc/system/default Can I say that there is no custom changes done to Symantec app? Note : my admin said something like, "all our apps are installed in ES(Enterprise Security) search head. and when updated are pushed from deployer it flattens both default as wells as local." (I don't exactly understand what he meant.)
... View more
04-13-2022
07:35 AM
I am checking the upgrade readiness of my Splunk Apps under ES search-head. (we have SearchHead cluster and changes are pushed from there, and I am told the changed once pushed flattens both local and default folder) While checking I also want to know if there are any custom changes made to any app. If any custom changes I need to inform the respective owner to fix it before updating the app to make it py2 and py3 compatible. Now, I don't have access to any file system. I am told by looking at btool debug logs, I can find out if any custom changes are applied to any app. I just don't know what specific in btool log will give it away if any custom change is done ? What exactly to look for in btool to know that ? Any assistance here ?
... View more
Labels
- Labels:
-
upgrade
04-07-2022
05:59 AM
@Stefanie Would you happen to know if "Splunk Add-on for UEBA " app comes pre-installed with Splunk and whether it is active or deprecated ?
... View more
04-07-2022
05:39 AM
Thanks @Stefanie for the response. Splunk_RapidDiag and Extreme Search are built into Splunk. But when I see my Splunk Enterprise version it is 8.1.4, but RapidDiag and Extreme Search has version 1.4.0 and 2.4.4 respectively.
... View more
04-07-2022
04:59 AM
I have some doubts about Updating Splunk Apps. 1. The Splunk Apps that comes pre-built/packed with Enterprise Security such as Extreme Search, RapidDiag, Splunk AddOn for UEBA etc.... Do they automatically get updated to newer version. Also I can't find them on Splunkbase. 2. The apps that come packaged with Splunk , do they show like regular apps when searched under the 'Manage App' option? Is there any way by looking at it to know, if the app is built into Splunk Or downloaded separately from Splunkbase Or developed by in-house team ?
... View more
Labels
- Labels:
-
upgrade
03-23-2022
05:03 AM
Changing the cron expression to what you suggested sorted out my problem.
... View more
03-22-2022
06:29 AM
I have a scheduled report that runs once every 12 hour. But once it runs , it generates same email alerts multiple times during the scheduled time, Is there any way to compress / throttle to just one report/email ?
| tstats min(_time) as first_time max(_time) as last_time values(sourcetype) where TERM(121.121.1.165) OR TERM(876.234.11.214) OR TERM(192.176.30.196) by index
| convert ctime(first_time) ctime(last_time)
... View more
Labels
- Labels:
-
scheduled search
03-22-2022
06:10 AM
I am really sorry for the confusion. I couldn't see the "throttle" option, then I realized, what I am looking at is not an 'Alert', but a "Scheduled Report". Is there a way to suppress the email alerts from a 'Scheduled Report', please ? But I wonder why did I get so many triggered email for a ScheduledReport. I should get just one at the end of every 12 hour ! Is it because of the 'Scheduling Window' =5 min option that is messing it up ?
... View more
03-22-2022
06:02 AM
Apart from changing the Cron Expression to 30 9,21 * * * and turning on throttle suppress triggering to 11 hours, Is there anything else I have to change ? I am particularly thinking about Schedule Window = 5 Minutes. Should I change it to anything ? What does the Schedule Window option do ?
... View more
- Tags:
- oart
03-21-2022
11:05 PM
My requirement, is to run this alert with a time range of 12 hours and send email twice a day (every 12 hour) based on what it finds. Here is my configuration, Cron Expression : * */12 * * * Time Range: Last 12 hours Schedule Priority : Default Schedule Window : 5 minutes In my local time it runs between 9:30 AM - 10:30 AM and 9:30 PM - 10:30 PM. But, Between those (say between 9:30 AM to 10:30 AM), it triggers multiple emails alerts, like one alert in every 2 min kind of frequency. What I want is, It should send one email during each run. (i.e. One email after every 12 hours). Can anyone guide what to change in the scheduling options to achieve this ?
... View more
- Tags:
- splunk-alert
Labels
- Labels:
-
cron
03-14-2022
05:50 AM
That was brilliant . Thank you @ITWhisperer for such lucid explanation.
... View more
03-14-2022
04:58 AM
index=web_short NOT uco_id=UCOAF NOT uco_id=HRX [ search index=phutan uco_id=PALTO source_zone=isp transport=tcp sourcetype="pan:threat" (source_location="Pacific" OR src_location="Stars Fed") (dest_ip!="179.45.143.47" threat_name!="TVS Vulneribility") severity!="informational" severity!="low" | eval source_ip_type=case( cidrmatch("184.31.77.0/24",source_ip),"UCO_src", true(),"unknown") | where source_ip_type="unknown" | stats count by source_ip | table source_ip | rename source_ip as search | format] The timestamp of the resulting events are between 7 Am to 8 Am 3/13/2022. But I don't see the events when I search with in the time rage 3/13/2022 6 Am to 10 Am I only see when I change the date time range between 3/13 to 3/14 OR 3/12 to 3/13
... View more
03-14-2022
03:57 AM
I see a strange behaviour in Splunk. There is this SPL, when ran between 3/13/2022 6:00 AM to 3/14/2011 6:00 AM time range shows some events at 3/13/2022 - 7:00 AM (Between 7-8 AM). But when I re-run the same SPL between 3/13/2022 6:00 AM to 3/13/2011 8:00 AM , hoping to see the same set of events, But I see ZERO events !! This is very strange !! Am I missing something simple here..? Why this weird behaviour ? Additional Observation : When I change the time range between 2/12 to 3/13 - the events shows, But when I keep the same date 3/13 7 AM to 3/13 10 AM - It doesn't show. It works when the time range is more that 24 hours
... View more
03-03-2022
06:12 AM
@SanjayReddy Thanks Sanjay, this helps. About the earliest=-1d written in the inner SPL, does it mean , it will force both the inner and outer query to run in the -1d time range , irrespective of the time range chosen in the search-bar ?
... View more
03-03-2022
05:52 AM
@SanjayReddy The field name is C_NAME in one SPL and comp_name is another SPL, In that case will, | join type=left C_NAME truly join the two data sets ? Just curious, my understanding could be wrong here !
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-31-2024
08:03 AM
|
Karma given to
