Activity Feed
- Posted SQL Monitoring - Splunk SPL to alert on the top users running long running SQL queries on my databases on All Apps and Add-ons. 07-09-2024 10:17 AM
- Posted Two different TIME_PREFIX, one includes json formatted events on Getting Data In. 08-21-2023 01:44 PM
- Posted Re: Want to filter dataset within a log index to a metrics index on Getting Data In. 01-13-2023 01:43 PM
- Posted How to filter dataset within a log index to a metrics index? on Getting Data In. 01-13-2023 11:52 AM
- Posted Help adding an interactive Notes dashboard section on Dashboards & Visualizations. 03-06-2021 01:11 PM
- Tagged Help adding an interactive Notes dashboard section on Dashboards & Visualizations. 03-06-2021 01:11 PM
- Posted Filtering mstats data using eventtypes and tags on Splunk Search. 12-03-2020 07:53 PM
- Posted Re: How to get duration between a start and stop event and trigger an alert if duration is greater than 1 week? on Splunk Search. 06-29-2020 07:25 PM
- Karma Re: Help showing the Uptime in days for a Universal Forwarder for niketn. 06-29-2020 11:44 AM
- Karma Re: Help showing the Uptime in days for a Universal Forwarder for niketn. 06-29-2020 11:44 AM
- Posted Re: Splunk query for UPtime and Downtime? on Splunk Search. 06-28-2020 08:37 PM
- Karma How to calculate uptime percentage based on my data? for rakes568. 06-28-2020 02:26 AM
- Posted Re: How to calculate uptime percentage based on my data? on Splunk Search. 06-28-2020 02:12 AM
- Posted Re: Help showing the Uptime in days for a Universal Forwarder on Dashboards & Visualizations. 06-26-2020 01:29 PM
- Posted Re: Help showing the Uptime in days for a Universal Forwarder on Dashboards & Visualizations. 06-25-2020 02:29 PM
- Posted Help showing the Uptime/downtime percentage for a Universal Forwarder on Dashboards & Visualizations. 06-23-2020 05:13 PM
- Tagged Help showing the Uptime/downtime percentage for a Universal Forwarder on Dashboards & Visualizations. 06-23-2020 05:13 PM
- Karma Re: Infosec: Help with drilldowns from app panel that uses a datamodel for igifrin_splunk. 06-05-2020 12:50 AM
- Karma Re: How to mask a field value from raw events that shows in multiple patterns for woodcock. 06-05-2020 12:50 AM
- Got Karma for Infosec: Help with drilldowns from app panel that uses a datamodel. 06-05-2020 12:50 AM
11-29-2019
12:28 PM
I'm trying to mask a field value for a policy number that is present in my raw logs under different patterns. To explain, I'm using a field extraction:
EXTRACT-policyNumber = policy.*(-|=)\s(?P<policyNumber>\w+)
This extracts the policyNumber value for any word that follows a string in my logs that has the word policy and any characters after it, but has either an = sign or a - sign followed by a space before the policyNumber value.
I'm trying to add a line in my props.conf to mask any of these values with X; help appreciated. Here's what I've tried so far:
SEDCMD-policyNumber_mask = s/policy.*(-|=)\s(\w+)/policy.*(-|=)\s\"XXXXXXX/g
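An added worked example for the masking question above (it is not from the original post and not Splunk's own code): it applies the same regex idea in Python to constructed sample events, captures the prefix up to the separator as group 1 so the replacement keeps it and overwrites only the value, and shows why the greedy `policy.*` prefix in the attempt above leaves earlier values unmasked when one event carries more than one policy number. The sample events, the `MASK` value and the SEDCMD line in the comment are assumptions; the SEDCMD line is the props.conf form of the same rule for the relevant sourcetype stanza.

```python
import re

# Constructed sample events (not from the original post). They cover the two
# separator forms the extraction describes ("policy ... - 123" and "policy= 123"),
# an event with nothing to mask, and an event carrying two values.
SAMPLE_EVENTS = [
    "user=jdoe action=lookup policy number - 8845213 status=ok",
    "request policy= 77231A result=found",
    "policyholder updated by agent=5 no number here",
    "renewal for policy id = 123456 and policy ref - 998877",
]

MASK = "XXXXXXX"  # fixed width on purpose: a per-character mask would leak the value length

# Same capture semantics as the poster's EXTRACT regex; used here only to verify the masking.
EXTRACT_RE = re.compile(r"policy[^-=]*[-=]\s(?P<policyNumber>\w+)")

# Masking regex: the prefix through the separator and space is group 1, so the
# replacement keeps it and overwrites only the value. [^-=]* instead of .* keeps
# each match local to one "policy ... = " prefix, so a global replace masks
# every value in a multi-value event. props.conf form of the same rule (assumed
# placement in the sourcetype stanza; SEDCMD replacements use \1 backreferences):
#   SEDCMD-policyNumber_mask = s/(policy[^-=]*[-=]\s)\w+/\1XXXXXXX/g
MASK_RE = re.compile(r"(policy[^-=]*[-=]\s)\w+")

# The poster's greedy prefix with the replacement corrected to a backreference.
# Kept for comparison: greedy .* runs to the LAST separator in the event, so
# earlier values survive even with the /g flag.
GREEDY_MASK_RE = re.compile(r"(policy.*[-=]\s)\w+")


def extract_policy_numbers(event: str) -> list:
    """Return every policyNumber value the extraction would pull from one event."""
    return [m.group("policyNumber") for m in EXTRACT_RE.finditer(event)]


def mask_policy_numbers(event: str) -> str:
    """Replace every policy-number value in one event with MASK (global, like sed's /g)."""
    return MASK_RE.sub(lambda m: m.group(1) + MASK, event)


def mask_policy_numbers_greedy(event: str) -> str:
    """Same replacement with the greedy prefix, for comparison only."""
    return GREEDY_MASK_RE.sub(lambda m: m.group(1) + MASK, event)


def unmasked_values(events: list) -> list:
    """Values still extractable after masking; an empty list means the rule is complete."""
    leaked = []
    for event in events:
        leaked += [v for v in extract_policy_numbers(mask_policy_numbers(event)) if v != MASK]
    return leaked


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event!r}\n  -> {mask_policy_numbers(event)!r}")
    print("leaked after masking:", unmasked_values(SAMPLE_EVENTS))
    print("greedy variant on a two-value event:", mask_policy_numbers_greedy(SAMPLE_EVENTS[3]))
```

An index-time SEDCMD rewrites _raw before it is written, so the search-time extraction afterwards returns the mask instead of a real number; `unmasked_values` is the check to run over a sample of events before relying on the rule.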
08-19-2019
10:17 AM
@niketnilay I've been testing using lookup tables. I'm trying to build a master lookup table that has the following columns:
index, sourcetype, eventtype, host
I want the lookup table to populate based on a saved search that appends new row data when new sourcetypes are found/added in my Splunk environment. The idea is to build the lookup dynamically. One issue I ran into is that I can't use index=* to build this master lookup efficiently. So I thought to create a separate lookup table that has just a column list of the eventtypes that I want to query index=* against.
Do you have suggestions on how I can use the eventtype lookup for my index=* search? This query doesn't seem to be working for me:
| inputlookup auditdash_eventtype_lookup.csv
| append [search index=* | dedup 1 host | eval host=lower(host)
| eval eventtype=lower(eventtype)]
| stats count by index, sourcetype, eventtype, host
| fields - count
| table index, sourcetype, eventtype, host
08-13-2019
09:07 PM
@niketnilay so I'm working on a compliance-related dashboard; say my dashboard has 6 different categories (each having its own panel) that show a table of data sources that fall under each category and the number of events returned for each data source for the past 24 hrs.
So I'm looking for ideas to, I guess, set the expected data sources for each category (possibly using a lookup table) and then query a stats count of events by the data source. If there are 0 events found for any of the expected data sources then I need it to show 0.
08-13-2019
03:16 PM
I'm trying to return an inventory dashboard panel that shows event count by data source for the given custom eventtype. I need to be able to return the data sources in the panel EVEN if they return 0 events per data source. Looking for advice on the best way to accomplish this output; I have started to play around with stats(eval) solutions but haven't gotten my desired output yet.
Example search:
(index=checkpoint sourcetype=opsec) OR index=ids_logs
| eval a=mvfilter(eventtype == "network_ids" OR eventtype== "network_ips")
| search a=*
| stats values(Division) as Division count by a, vendor_product
08-05-2019
07:29 AM
@woodcock I'm trying to do something very similar to the question for this post. Any ideas how I would be able to return only results for my specific eventtype? https://answers.splunk.com/answers/762805/help-searching-using-eventtype-and-tags.html?childToView=762931#answer-762931
08-05-2019
06:59 AM
I return 5 different tags even though I'm querying a new eventtype I created that only has the tag "proxy" attached to it.
index=* eventtype="Web_Proxy_Web_Filtering" | search tag="proxy"
08-02-2019
04:01 PM
I'm trying to tag specific data to a category name and only return data that matches the tag. For example,
index = bcoat_logs eventtype=my_Test_category | search tag=proxy | stats count by tag
I created an eventtype for "my_Test_category" and applied only the tag "proxy" to it, but I am seeing results for proxy, web, os, mail, usb, etc. Is it possible to use this method or do tags simply get ignored in SPL? Open to other suggestions as well.
Thank you
06-07-2019
10:06 AM
That worked! Thank you, @igifrin_splunk
06-04-2019
05:25 PM
@igifrin_splunk correct, the built-in dashboard panels do have existing drilldowns, but the value they pass gives me more than what I'm looking for. I'm only interested in the action value. Here's a portion of the XML for the Network Activity dashboard to show the configuration of their drilldown:
<form hideFilters="true" theme="dark">
<label>Network Traffic</label>
<init>
<set token="action">*</set>
</init>
<fieldset submitButton="false">
<input type="time" token="field1" searchWhenChanged="true">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Blocked Connections</title>
<single>
<search>
<query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action=blocked OR All_Traffic.action=dropped)</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xf8be34","0xf8be34"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<set token="action">(All_Traffic.action=blocked OR All_Traffic.action=dropped)</set>
</drilldown>
</single>
</panel>
<panel>
<title>Allowed Connections</title>
<single>
<search>
<query>| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xdc4e41","0x53a051"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<set token="action">All_Traffic.action=allowed</set>
</drilldown>
</single>
</panel>
<panel>
<title>Traffic Sources</title>
<single>
<search>
<query>| tstats local=false summariesonly=true allow_old_summaries=true dc(All_Traffic.src) from datamodel=Network_Traffic.All_Traffic</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xdc4e41","0x006d9c"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Traffic Destinations</title>
<single>
<search>
<query>| tstats local=false summariesonly=true allow_old_summaries=true dc(All_Traffic.dest) from datamodel=Network_Traffic.All_Traffic</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xdc4e41","0x006d9c"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
05-31-2019
10:44 AM
1 Karma
I'm trying to add a custom drilldown panel to the Infosec app for Splunk's Network Activity dashboard.
I want to be able to click on the Blocked or Allowed single value visualization to populate the logs that match that action.
There's already a drilldown in place for the Blocked Connections and Allowed Connections panels:
Set action = (All_Traffic.action=blocked OR All_Traffic.action=dropped)
Set action = All_Traffic.action=allowed
Here are my attempted queries for my stats panel showing the logs that match the action:
| from datamodel:Network_Traffic.All_Traffic $action$
| table action
I'm seeing an error in the panel window:
"Error in 'from' command: Invalid argument: 'All_Traffic.action=allowed'"
OR
`infosec-indexes` tag=network tag=communicate action=allowed
| stats count by action, vendor_product, message
| fields - count
I'd believe that being able to just pass the action value that's after the equal sign in this would get me the result I'm looking for:
"All_Traffic.action=allowed"
Any ideas?
05-22-2019
07:24 PM
I'm trying to use a calculated field eval statement like this:
field: sonicwall_signature
case(like(message,"%Possible TCP Flood%"), "TCP Flood", like(category,"%Network_Scan_Activity%"), "Port Scanning")
Then I have another calculated field to combine an extracted field called threat and the above sonicwall_signature:
field: signature
coalesce(threat,sonicwall_signature)
This all works if I test both evals in a query, but it doesn't seem to be working the way I intend when using calculated fields to combine the threat and sonicwall_signature values. I'm not sure if this is because of field extraction precedence, but I would welcome a possible solution.
Thank you
05-17-2019
04:23 PM
@woodcock can I use OR operators inside a given like() statement?
example:
| eval category = case (like(message,"%port scan detected%"), "Network_Port_Scan", like(message,"%Gateway Anti-Virus Alert%" OR "%TCP Flood%"), "Network_Threat_Activity")
05-17-2019
04:06 PM
I'm trying to create a new field for category based off values in my existing 'message' field.
index=network sourcetype=test
| eval category = case(like(message,"%port scan detected%"), "Network_Port_Scan", like(message,"%Gateway Anti-Virus Alert%") OR like(message,"%Possible TCP Flood%"), "Network_Threat_Activity", like(message,"%packet dropped%") OR like(message,"%connection dropped%") OR like(message,"%protocol dropped%"), "Network_Wire_Activity")
Does anyone know how I accomplish this?
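An added example for the two posts above about like() and OR inside case() (it is not from the original posts and not Splunk's own code): a small Python model of like() with SQL LIKE wildcards, so `%` and `_` rather than `*`, and of case() where the first true condition wins, with the poster's three categories written so that each alternative is its own like() call joined with OR. The sample messages and the SPL line in the docstring are assumptions.

```python
import re


def like(value: str, pattern: str) -> bool:
    """Model of Splunk's like(): SQL LIKE semantics. '%' matches any run of
    characters and '_' exactly one; everything else, including '*', is literal,
    which is why a pattern such as "*port scan*" never matches a real message."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def case(*args):
    """Model of Splunk's case(): alternating (condition, value) pairs; the first
    true condition wins and None is returned when nothing matches."""
    if len(args) % 2:
        raise ValueError("case() needs condition/value pairs")
    for condition, value in zip(args[::2], args[1::2]):
        if condition:
            return value
    return None


def categorize(message: str):
    """The eval the poster is after, with assumed category names from the post.
    Alternatives are separate like() calls joined with OR, i.e.
    like(message,"%A%") OR like(message,"%B%"), never like(message,"%A%" OR "%B%").

    SPL form of the same rule (assumed, not verified against a Splunk instance):
      | eval category = case(
          like(message,"%port scan detected%"), "Network_Port_Scan",
          like(message,"%Gateway Anti-Virus Alert%") OR like(message,"%Possible TCP Flood%"), "Network_Threat_Activity",
          like(message,"%packet dropped%") OR like(message,"%connection dropped%") OR like(message,"%protocol dropped%"), "Network_Wire_Activity")
    """
    return case(
        like(message, "%port scan detected%"), "Network_Port_Scan",
        like(message, "%Gateway Anti-Virus Alert%") or like(message, "%Possible TCP Flood%"), "Network_Threat_Activity",
        like(message, "%packet dropped%") or like(message, "%connection dropped%") or like(message, "%protocol dropped%"), "Network_Wire_Activity",
    )


# Constructed sample messages (not from the original post).
SAMPLE_MESSAGES = [
    "Probable port scan detected from 10.0.0.5",
    "Gateway Anti-Virus Alert: EICAR test file blocked",
    "Possible TCP Flood on IF X1",
    "UDP packet dropped by policy 12",
    "VPN tunnel established",
    "port scan detected; 40 packet dropped",  # matches two rules: the first listed wins
]


def categorize_all(messages) -> dict:
    """Map each message to its category (None for messages no rule covers)."""
    return {m: categorize(m) for m in messages}


if __name__ == "__main__":
    for message, category in categorize_all(SAMPLE_MESSAGES).items():
        print(f"{category!s:24} {message}")
```

Because case() stops at the first true condition, rule order matters when a message could satisfy more than one; put the most specific category first, and check for None in the output to find messages no rule covers.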
05-17-2019
10:29 AM
05-17-2019 00:35:38.768 -0700 WARN CMSlave - Failed to register with cluster master reason: failed method=POST path=/services/cluster/master/peers/?output_mode=json master=clustermaster:8089 rv=0 gotConnectionError=0 gotUnexpectedStatusCode=1 actual_response_code=500 expected_response_code=2xx status_line="Internal Server Error" socket_error="No error" remote_error=Cannot add peer=171.67.54.9 mgmtport=8089 (reason: non-zero pending job count=10, guid=39064DB5-4A78-4111-AB9A-DA5A8B7A886B). [ event=addPeer status=retrying AddPeerRequest: { _id= active_bundle_id=79DE6CD58B53E34AED36B939B94F8E23 add_type=ReAdd-As-Is base_generation_id=9900 batch_serialno=1 batch_size=154 forwarderdata_rcv_port=9997 forwarderdata_use_ssl=0 last_complete_generation_id=10519 latest_bundle_id=79DE6CD58B53E34AED36B939B94F8E23 mgmt_port=8089 name=39064DB5-4A78-4111-AB9A-DA5A8B7A886B register_forwarder_address= register_replication_address= register_search_address= replication_port=8091 replication_use_ssl=0 replications=client_som_irt_unix~480~B040E664-4DDA-4073-8FD5-4A68619C94C3::39064DB5-4A78-4111-AB9A-DA5A8B7A886B::D9480470-6D8A-4D8B-B6A6-5EF0F926676D server_name=splunkidx04.domain.com site=site1 splunk_version=7.2.1 splunkd_build_number=be11b2c46e23 status=Up } ].
Has anyone experienced a similar issue after upgrading from Splunk Enterprise 6.5.4 to 7.2.1 in an index clustered environment?
03-13-2019
09:15 AM
I'm having the same issue, please help if anyone knows why
03-06-2019
06:17 PM
When will a new supported version of DECRYPT Commands be released for Splunk Enterprise 7.x?
03-06-2019
06:15 PM
3 Karma
@martin_mueller, will a new version of App Exporter be released that is compatible with Splunk Enterprise 7.x?
03-06-2019
06:12 PM
@carbonblack when is a new version of this app being released that's compatible with Splunk Enterprise 7.x?
03-06-2019
06:10 PM
Does anyone know if this app works with Splunk Enterprise 7.x?
01-28-2019
10:27 AM
@bawood do you have a link for the github repo?
01-07-2019
10:09 AM
[Azure_Audit]
account = Azure_App
index = azure
interval = 3600
start_time = 2018-12-06T16:37:05-07:00
subscription_id = [enter subscription_id]
disabled = 0
[Azure_Resource_VM]
account = Azure_App
index = azure
interval = 3600
resource_type = virtual_machine
subscription_id = [enter subscription_id]
[Azure_Resource_PublicIP]
account = Azure_App
index = azure
interval = 3600
resource_type = public_ip_address
subscription_id = [enter subscription_id]
[Azure_Resource_NIC]
account = Azure_App
index = azure
interval = 3600
resource_type = network_interface_card
subscription_id = [enter subscription_id]
[Azure_Resource_VirtualNetwork]
account = Azure_App
index = azure
interval = 3600
resource_type = virtual_network
subscription_id = [enter subscription_id]
01-07-2019
10:04 AM
inputs.conf
[mscs_storage_table://Azure_Storage_Table]
disabled = false
account = splunkstorageaccountexample
collection_interval = 3600
index = azure
sourcetype = mscs:storage:table
start_time = 2018-09-29T16:37:05-07:00
table_list = *
[mscs_storage_blob://Azure_Storage_Blob]
disabled = false
account = splunkstorageaccountexample
blob_mode = append
collection_interval = 3600
container_name = splunk
index = azure
sourcetype = mscs:storage:blob
[mscs_storage_table://Azure_VM_Metrics]
disabled = false
account = splunkstorageaccountexample
collection_interval = 60
index = azure
sourcetype = mscs:vm:metrics
start_time = 2018-12-06T16:37:05-07:00
01-06-2019
09:27 PM
Has anyone else configured the Splunk Add-on for Microsoft Cloud Services and seen issues where the data that's coming in is saved to the _internal index even when you specify an index for the data to be sent to, e.g. 'azure'?
I'm also getting the following via grep azure /var/log/splunk/splunkd.log
01-06-2019 20:48:11.130 -0800 INFO ModularInputs - No stanzas found for scheme "mscs_azure_audit" in inputs.conf at script (re)start.
01-06-2019 20:48:11.131 -0800 INFO ModularInputs - No stanzas found for scheme "mscs_azure_resource" in inputs.conf at script (re)start.
01-03-2019
10:47 AM
How do you calculate the total of each single row of a table and display that value in a new field, much like addcoltotals but for rows?
11-24-2018
11:29 AM
Hi @woodcock, I'm familiar with summary indexes but can you please elaborate on your idea for this use case?
The data I'm working with is pulled from a database. The daily store inventory has slightly different field names from the hourly transactions (also pulled from a database) that I'm trying to use for the calculation. For example:
The daily inventory uses item_id, unitcount
The hourly transactions use scan_item_id, qty, but qty shows as -1 if there was a sale or 1 for a return