Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About efika
efika
Communicator
Member since:
08-03-2017
03-10-2024
Community Statistics
| Posts | 56 |
| Solutions | 5 |
| Karma Given | 34 |
| Karma Received | 8 |
| Member Since | 08-03-2017 |
Activity Feed
- Karma Re: How to automatically generate shortIDs to link/share notables event on the ES Incident Review dashboard?,How to automatically generate shortIDs to link and share notable events on the ES Incident Review dashboard? for martin_mueller. 11-07-2022 05:32 AM
- Karma Re: How to automatically generate shortIDs to link/share notables event on the ES Incident Review dashboard?,How to automatically generate shortIDs to link and share notable events on the ES Incident Review dashboard? for martin_mueller. 11-07-2022 05:32 AM
- Got Karma for Audit trail for investigations. 09-26-2022 07:28 AM
- Karma Re: Copy Dashboard from one App to another for guarisma. 07-20-2022 04:39 AM
- Karma Re: How to create a custom field at Heavy Forwarder for all sourcetypes ? for woodcock. 03-15-2022 09:00 AM
- Karma Re: How to create a custom field at Heavy Forwarder for all sourcetypes ? for woodcock. 03-15-2022 09:00 AM
- Posted Re: Having trouble establishing connection with Splunk server for McAfee ePO integration. on All Apps and Add-ons. 12-20-2021 05:24 AM
- Karma Re: Having trouble establishing connection with Splunk server for McAfee ePO integration. for PavelP. 12-20-2021 05:15 AM
- Karma Re: Having trouble establishing connection with Splunk server for McAfee ePO integration. for PavelP. 12-20-2021 05:15 AM
- Got Karma for Re: Enterprise Security - Malware Operations - Clients By Product Version. 09-17-2021 01:09 PM
- Karma Re: How to get events around identified event for martin_mueller. 08-24-2021 12:50 AM
- Posted Re: What is a proper way of upgrading over 70 Apps and Add-ons to the new versions in Splunk Enterprise and ES? on All Apps and Add-ons. 07-20-2021 10:19 AM
- Posted Re: How to read an array of fields from a single event and make into different records ? on Splunk Search. 07-20-2021 10:14 AM
- Got Karma for Re: How is it possible to clone Reports from Splunk Ent. to the Splunk ES (Ent. Security). Thank u very much. 07-19-2021 06:42 PM
- Posted Re: How to read an array of fields from a single event and make into different records ? on Splunk Search. 07-19-2021 09:42 AM
- Posted Re: Calculate Transaction Duration on Splunk Search. 07-17-2021 12:15 PM
- Posted Re: Calculate Transaction Duration on Splunk Search. 07-17-2021 07:31 AM
- Posted Re: Need calculate a count of each "Su M Tu W Th F Sa" between two dates on Splunk Search. 07-17-2021 04:02 AM
- Posted Re: Enrichment with sub-search in a certain time period by using index on Splunk Search. 07-17-2021 02:51 AM
- Posted Re: Calculate Transaction Duration on Splunk Search. 07-17-2021 02:34 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-15-2021
01:38 PM
| rest /services/deployment/server/applications https://docs.splunk.com/Documentation/Splunk/8.2.1/RESTREF/RESTdeploy#deployment.2Fserver.2Fapplications
... View more
07-15-2021
01:33 PM
So it seems that the other application is pointed to the var\run\splunk\csv to read the exported files ? One option to tackle your situation is to point the importing application to a different folder and use a cron/scheduled task to read the splunk CSV files, SED the unneeded quotes and write the files to this new folder.
... View more
07-15-2021
01:02 PM
2 Karma
Use : | where _time>=relative_time(now(), "-3m@m") AND _time<=relative_time(now(), "@m")
... View more
07-15-2021
12:53 PM
This seems to be how CSV is working. Note that the header says that it is recognized as a decimal number. What you are trying to do with the exported CSV ?
... View more
07-15-2021
12:48 PM
rex "User\:(?<user>.+)\s\|\|\smodule\:(?<module>.+)" (field=_raw is added by default)
... View more
07-15-2021
12:42 PM
see @MuS answer here : https://community.splunk.com/t5/Splunk-Search/When-does-splunk-add-double-quotation-in-outputcsv/td-p/174512
... View more
07-15-2021
12:19 PM
1 Karma
An analyst adds a note to investigation. Another analyst from another shift delete this note. where is the audit trail that allows me to see when and who did what in an investigation ? According to the doc : "Investigation details from investigations created in versions earlier than 4.6.0 of Splunk Enterprise Security are stored in two KV Store collections, investigative_canvas and investigative_canvas_entries. Those collections are preserved in version 4.6.0 but the contents are added to the new investigation KV Store collections. So to restore, you may need to restore investigation, investigation_attachment, investigation_event, investigation_lead, investigative_canvas, and investigative_canvas_leads." But except for the investigation KV store (| rest /services/storage/investigation/investigation) I can't access the other KV store . Is it a missing functionality ? Thanks !
... View more
Labels
- Labels:
-
investigation
01-18-2021
03:23 AM
Please assume the below in transforms.conf [send_rawevents]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1
[send_to_null_tcp]
REGEX = CEF\:0\|ids
DEST_KEY = _TCP_ROUTING
FORMAT = nothing
[send_to_syslog]
REGEX = CEF\:0\|ids
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_group The objective here is to send all event to the tcp out unless they match the regex CEF:0|ids in which case events should be sent to the syslog out. What I can't sort out is how to reset the _TCP_ROUTING back to nothing in those events that are routed to syslog (since I don't want to have them duplicated). Anyone has any idea here ? Thanks ! (More details can be found here : https://www.linkedin.com/pulse/how-make-splunk-heavy-forwarder-reiterate-over-after-changing-efi/)
... View more
Labels
- Labels:
-
heavy forwarder
10-12-2020
10:17 PM
@DEAD_BEEF Here is a way to re-iterate over the props.conf, basically addressing the same issue you've raised: https://www.linkedin.com/pulse/how-make-splunk-heavy-forwarder-reiterate-over-after-changing-efi/?trackingId=ppRO1LfrmMWuu8U5BCTzdA%3D%3D
... View more
09-17-2020
01:35 AM
Many thanks for the guidance Ismo @isoutamo ! For reference here is what I did to make it work. for example if I want to install a second instance called "SH": 1. Under /opt create a directory called SH 2. Install the 2nd (or n-th) instance in a different location using : tar -zxvf <splunk install tgz file> -C /opt/sh 3. In /opt/sh/splunk/etc duplicate the file splunk-launch.conf.default to splunk-launch.conf 4. edit the file splunk-launch.conf in /opt/sh/splunk/etc to reflect chnages to the SPLUNK_HOME and Splunkd daemon name like so: # Version 8.0.6 # Modify the following line to suit the location of your Splunk install. # If unset, Splunk will use the parent of the directory containing the splunk # CLI executable. # # SPLUNK_HOME=/opt/splunk-home SPLUNK_HOME=/opt/sh/splunk # By default, Splunk stores its indexes under SPLUNK_HOME in the # var/lib/splunk subdirectory. This can be overridden # here: # # SPLUNK_DB=/opt/splunk-home/var/lib/splunk # Splunkd daemon name #SPLUNK_SERVER_NAME=Splunkd SPLUNK_SERVER_NAME=Splunkdsh 5. switch to the directory /opt/sh/splunk/bin/ and run ./splunk enable boot-start -systemd-managed 1 (see docs here ) You will see that a splunkdsh.service file was added to /etc/systemd/system 6. Accept the LUA, set admin user and password 7 ./splunk start change http port, mgmt port, appserver port, kvstore port to different ports since you are on the same IP 🙂 Enjoy !
... View more
09-16-2020
02:20 PM
Hi, I'm building a simple dev CentOS VM on my PC to try out clustering configuration and other stuff. I've used tar -C to install the splunk tgz into different directories, set the web,mgmt,kv and appserver to different ports but when doing ./splunk start/stop/restart it will only apply to the original splunk install. I've found this old link but it reflects init.d changes and not the new systemd. appreciate any help configuring this to work.
... View more
Labels
- Labels:
-
configuration
-
development
09-06-2020
05:53 AM
1 Karma
Getting back to this question just to let you know that I've found the right solution. There is away to tell the second indexer to take the events back to parsing queue. What you need to do is to add the following line in the inputs.conf of the receiving side. route=has_key:_utf8:parsingQueue;has_key:_linebreaker:parsingQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue; Link to the blog post where I've first learned about it : https://splunkes.wordpress.com/2019/09/02/re-parsing-queue On splunk docs (search for "Data distribution: ") https://docs.splunk.com/Documentation/Splunk/7.3.5/Admin/Inputsconf
... View more
09-03-2020
10:23 AM
Good idea, Thanks !
... View more
09-03-2020
10:17 AM
@isoutamo , so basically what you are saying that if the data was already indexed on the first instance it goes straight to the indexQ and I can't manipulate it any further ?
... View more
09-03-2020
09:18 AM
Hello, I'm setting a new splunk instance that is supposed to replace an old one. For the sake of validating that all is working correctly I used the "Forwarding and receiving" option to send that data from splunk 1 to splunk 2 - and it is working correctly. Now since I need in splunk 2 only the data that is sent to splunk 1 I want to filter it. I've tried to use the nullQueue/indexQueue techniques in indexer 2 props/transforms (configurations like this I've already uses hundreds times in with heavy forwarders) but it is not working in this case. Appreciate your help !
... View more
Labels
- Labels:
-
indexer
06-04-2020
06:59 AM
Try this in the subsearch:
| inputlookup
| fields Used*
| transpose
| rename "row 1" as eventtype
| fields eventtype
... View more
06-04-2020
12:21 AM
The end result of the subsearch should be a table with a column that is named "eventtype" and values that should be what you are searching for.
based on what you are describing you might need to transpose the results of the inputlookup
... View more
06-03-2020
07:46 AM
Is it possible that you didn't do a proper error handling in the py scripts themselves ?
Are you trying to read some data in the python scripts and they will abort not in a graceful way while not being able to read the data ?
... View more
06-03-2020
07:23 AM
Hi Sarit,
Do a subsearch, get all the lookup values into a Multi Value field (MV) and compare the eventtype in the outer search to this MV.
... View more
06-03-2020
07:17 AM
Just like the error message suggests. event suppression are just simple eventtypes in the form of notable_suppression-. And you can't use pipelines in eventtypes search.
You can simply use NOT(user).
... View more
05-07-2020
03:56 AM
Thanks @woodcock !
Although they say in the blog post that the issue was resolved post version 4.3 I've just faced it with version 6.6.3.
Adding the fields.conf resolved the problem.
... View more
11-08-2019
11:26 AM
Did you manage to find a solution other than writing your own props/transforms ?
... View more
07-18-2018
10:20 AM
I don't know if it helps now but I had the same problem with the simple table_row_highlighting example in the dashboard_examples app.
I couldn't get it to render properly the first time on the first page. Going to the next page of results everything worked correctly as well as going back to the first page.
After looking at https://answers.splunk.com/answers/562155/javascript-executing-two-times-why.html, I changed the main of the code as follows and it is working now :
mvc.Components.get('highlight').getVisualization(function(tableView) {
tableView.on('rendered', function() {
// Apply class of the cells to the parent row in order to color the whole row
tableView.$el.find('td.range-cell').each(function() {
$(this).parents('tr').addClass(this.className);
});
});
// Add custom cell renderer, the table will re-render automatically.
tableView.addCellRenderer(new CustomRangeRenderer());
tableView.table.render();
... View more
07-18-2018
10:15 AM
Thanks, I had the same issue and adding that line solved it !
... View more
11-27-2017
06:20 AM
Another thing to look after when wishing to accelerate Data Models is that the data model and all dependencies are shared globally:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Acceleratedatamodels
You can only accelerate data models that you have shared to all users of an app or shared globally to all users of your Splunk deployment. You cannot accelerate data models that are private. This prevents individual users from taking up disk space with private data model acceleration summaries.
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-10-2024
12:04 PM
|
Karma from
Karma given to
