Activity Feed
- Got Karma for Re: KVStore does not start after upgrading to Splunk Enterprise 9.4.0. 2 weeks ago
- Posted Re: KVStore does not start after upgrading to Splunk Enterprise 9.4.0 on Feedback. 3 weeks ago
- Got Karma for Re: Split output of query into separate files. 08-28-2024 12:28 PM
- Posted Re: Split output of query into separate files on Splunk Search. 08-28-2024 08:59 AM
- Posted Re: Macro Expansion - Possible Bug on Splunk Search. 04-11-2024 06:28 AM
- Posted Re: Macro Expansion - Possible Bug on Splunk Search. 04-11-2024 06:25 AM
- Posted Macro Expansion - Possible Bug on Splunk Search. 04-10-2024 02:36 PM
- Posted Re: Splunk Indexer Cluster not identifying new bundle ID when trying to deploy new config to Indexers on Deployment Architecture. 03-20-2024 02:15 PM
- Got Karma for Re: limit timechart with span and per_hour to 2 decimal values. 11-20-2023 09:37 PM
- Posted Re: limit timechart with span and per_hour to 2 decimal values on Splunk Search. 11-08-2023 06:09 AM
- Karma Final Results | Cybersecurity Defense Analyst Certification Beta Exam for cskokos_splunk. 10-18-2023 06:02 AM
- Posted Re: How to calculate time duration between 2 events on Other Usage. 10-11-2023 08:29 AM
- Posted Re: Tenable TA - Historical reporting of remediated vulnerabilities on All Apps and Add-ons. 09-20-2023 05:10 AM
- Posted Re: Recently cluster="*M5*-CLDB" changed this to cluster="*ML*-CLDB" on Splunk Enterprise. 09-20-2023 05:05 AM
- Posted Re: HTTP 400 error in DBConnect due to changing admin username on All Apps and Add-ons. 09-19-2023 08:04 AM
- Posted Re: Splunk create a table using multiple fields on Splunk Search. 09-13-2023 07:14 AM
- Got Karma for Re: ldapsearch: Trying to search last 2 days in whenChanged attribute dynamically.. 09-07-2023 09:57 AM
- Posted Re: ldapsearch: Trying to search last 2 days in whenChanged attribute dynamically. on Splunk Search. 09-06-2023 05:49 PM
- Posted Re: ldapsearch: Trying to search last 2 days in whenChanged attribute dynamically. on Splunk Search. 09-05-2023 04:31 PM
- Got Karma for Re: How to query a field in DBXQuery that contains colon?. 08-31-2023 10:58 AM
3 weeks ago
1 Karma
We had some issues with the upgrade also. Here are the checks we did:
1. Verify that certificates are valid and you have the full certificate chain (or revert to the default Splunk certs for the duration of the upgrade).
2. Run btool on server.conf and look for storageEngineMigration under the [kvstore] stanza. If this is present in a local file, comment it out.
3. Try running a test of the kvstore upgrade: /opt/splunk/bin/splunk start-standalone-upgrade kvstore -version 7.0 -dryRun true (this may return errors).
4. Run the actual upgrade (remove the dry run).
5. When you run the upgrade, you can monitor /var/log/splunk/mongod_upgrade.log. You'll be able to see it upgrading through multiple versions, from 4.2 up to 7.
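The check-and-fix in step 2 of the list above, as an added example (not code from the original post). It parses the output of `splunk btool server list kvstore --debug`, reports any storageEngineMigration setting that comes from a non-default file, and produces the "comment it out" edit. Assumptions not stated in the post: Splunk is installed in /opt/splunk, and btool's --debug output prints the source file path first on each line followed by `key = value`; the SAMPLE text is constructed for the demo, not captured from a real host.

```python
"""Added example, not code from the original post: automates check #2 above
(find a storageEngineMigration setting that a non-default server.conf puts
under [kvstore]) and prepares the "comment it out" edit.

Assumptions, not stated in the post: Splunk lives in /opt/splunk, and
`splunk btool server list kvstore --debug` prints one line per setting with
the source file path first, then `key = value`. SAMPLE below is constructed
for the demo, not captured from a real host.
"""
import re
import subprocess

SPLUNK_HOME = "/opt/splunk"  # assumed install path

# "<path>   key = value"; stanza header lines ("<path>   [kvstore]") have no '='
BTOOL_LINE = re.compile(r"^(?P<path>\S+)\s+(?P<key>[^\s=\[\]]+)\s*=\s*(?P<value>.*)$")


def parse_btool_debug(text):
    """Return [(path, key, value)] for every setting line in btool --debug output."""
    rows = []
    for raw in text.splitlines():
        m = BTOOL_LINE.match(raw.strip())
        if m:
            rows.append((m.group("path"), m.group("key"), m.group("value").strip()))
    return rows


def local_overrides(text, key="storageEngineMigration"):
    """Paths of files that set `key` outside a .../default/ directory.

    btool --debug has already applied precedence, so a surviving non-default
    path is the file whose value is actually in effect.
    """
    return [path for path, k, _ in parse_btool_debug(text)
            if k == key and "/default/" not in path]


def comment_out_key(conf_text, stanza="kvstore", key="storageEngineMigration"):
    """Return conf_text with `key` commented out inside [stanza] only."""
    out, in_stanza = [], False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_stanza = (s == "[%s]" % stanza)
        elif in_stanza and re.match(r"^%s\s*=" % re.escape(key), s):
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"


def btool_kvstore_debug(splunk_home=SPLUNK_HOME):
    """Run btool on a live host (run as the splunk user)."""
    cmd = [splunk_home + "/bin/splunk", "btool", "server", "list", "kvstore", "--debug"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample of btool --debug output (not from a real system).
SAMPLE = """\
/opt/splunk/etc/system/default/server.conf   [kvstore]
/opt/splunk/etc/system/default/server.conf   port = 8191
/opt/splunk/etc/system/local/server.conf     storageEngineMigration = true
"""

if __name__ == "__main__":
    # Swap SAMPLE for btool_kvstore_debug() on a real host.
    for path in local_overrides(SAMPLE):
        print("storageEngineMigration is set outside default:", path)
    print(comment_out_key("[kvstore]\nstorageEngineMigration = true\nport = 8191\n"))
```

On a real host replace SAMPLE with `btool_kvstore_debug()`, then apply `comment_out_key` to the file it reports (after backing it up) and re-run the dry run from step 3.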
08-28-2024
08:59 AM
1 Karma
Yes, you can do this. As you chain the outputlookups, put the most broad search first. As you summarize the different items you need, you can write to additional lookup files using append, or even bring in another file, do stats processing, and then write it back out.
<run your initial search, for the daily data>
|outputlookup dailyfile.csv
<add the fully daily info to the weekly file, or do whatever summation is necessary>
|outputlookup append=true weeklyfile.csv
<bring in existing monthly data, and summarize it. then write it back out>
|append
[|inputlookup monthlyfile.csv]
|stats <summarize whatever>
|outputlookup monthlyfile.csv
04-11-2024
06:28 AM
It doesn't seem to matter. The macro expansion can be as simple as a single word that it's replacing and the problem still happens.
04-11-2024
06:25 AM
Hi! Thanks for checking. So... I did more digging on my side. On a non-clustered search head, I've got no delay. On my clustered search heads, I do. I have two SH clusters and both are impacted. Splunk version is 9.1.1.
04-10-2024
02:36 PM
Hi all! I've got an issue with macro expansion taking an excessively long time when you use the keyboard shortcut, ctrl+shift+e. I'm looking for someone to try the same thing on their own system and let me know if you're seeing this too. That will help me determine if this is a problem in my environment or a possible bug in the software.

To test, find any macro in your environment.

Establish baseline: Enter just the macro name in the search box and press ctrl+shift+e (or command+shift+e, I think, on Mac). Note the length of time it takes for the modal pop-up to show you the expanded macro. It is not necessary to run the search.
`mymacro`

Test issue: Using the same macro as above, create a simple search that has the macro inside of a sub-search. Try expanding the macro. Are you getting a slow response? For me, it's >20 seconds for it to expand the macro.
| makeresults | append [`mymacro`]

I appreciate the help from anyone willing to test.
Labels: subsearch
03-20-2024
02:15 PM
Without knowing about your changes, it's hard to say what's happening. If you manually created or changed any .conf files though, I would check ownership and make sure they are owned by the splunk user. I've seen bundle validations fail when something doesn't have proper ownership.
11-08-2023
06:09 AM
1 Karma
Add this after your timechart:
| fieldformat AvgReqPerHour=round(AvgReqPerHour,2)
If you don't want the rounding, look at floor or max for the behaviors you want.
10-11-2023
08:29 AM
Hi. You can convert your time to epoch values and then subtract them. Here's an example:
| makeresults
| eval start="10/10/23 23:50:00.031", end="11/10/23 00:50:00.031"
| eval startepoch=strptime('start',"%m/%d/%y %H:%M:%S.%3N")
| eval endepoch=strptime('end',"%m/%d/%y %H:%M:%S.%3N")
| eval diff=endepoch-startepoch
| eval timediff=tostring(diff,"duration")
09-20-2023
05:10 AM
The Tenable TA only pulls in events with new information ( a new scan date, change in a field or status) each time it accesses the data. Once an item is pulled in, it doesn't pull it a second time. That means if you scan half of your devices on Monday and half of your devices on Tuesday, you need to search looking back 2 days to see all of your current data. Once an individual finding has been pulled in, it doesn't grab the same item again unless there is a change.
09-20-2023
05:05 AM
You can start out doing this in Splunk. Expand on the configs you want to look for in the search below, and then, after you've pulled all of the configs you care about from the REST endpoints, run a search for the keyword you're looking for in it. You can find a list of configuration files here: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Listofconfigurationfiles
| rest /services/configs/conf-macros | eval config="macros"
| append [| rest /services/configs/conf-lookups | eval config="lookups"]
| append [| rest /services/configs/conf-savedsearches | eval config="searches"]
You can add in views and such using other endpoints, like | rest /services/data/ui/views
09-19-2023
08:04 AM
Does your new admin account have the admin role associated? If not, did you look at the roles associated and make sure all of the db_connect items are allowed?
09-13-2023
07:14 AM
In your stats statement, add the other fields you need using evals:
count(eval(status="Success")) as Success, count(eval(status="Failed")) as Failed
and remove the status from the by clause. After the stats, do an eval to calculate your percentages.
09-06-2023
05:49 PM
1 Karma
I don't have ldapsearch set up, so I can't test, but give this a try:
| makeresults
| eval relativedate=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")
| map search="| ldapsearch search=\"(&(objectClass=user)(whenChanged>=$relativedate$)(!(objectClass=computer)))\" "
| table cn whenChanged whenCreated
09-05-2023
04:31 PM
You're most of the way there. In your original search, replace the date you have with [] and put your makeresults in it. The items in the brackets run before the remainder of the search.
| ldapsearch search="(&(objectClass=user)(whenChanged>=[|makeresults |eval whenChanged=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")|return $whenChanged])(!(objectClass=computer)))"
|table cn whenChanged whenCreated
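The cutoff that both ldapsearch replies above compute with relative_time(now(), "-2d@d") and format as %Y%m%d%H%M%S.0Z, as an added example in plain Python (not code from either reply), so the timestamp and the resulting LDAP filter can be inspected before being handed to | ldapsearch. One assumption is stated here rather than in the thread: Active Directory stores whenChanged as generalized time in UTC (YYYYMMDDHHMMSS.0Z, the trailing Z being a literal UTC marker), so the midnight snap is done in UTC. The objectClass and attribute names are copied from the thread.

```python
"""Added example, not from either reply above: compute the whenChanged cutoff
(two days back, snapped to midnight) and build the LDAP filter in Python.

Assumption (stated here, not in the thread): AD generalized time is UTC,
written YYYYMMDDHHMMSS.0Z with a literal 'Z', so the snap is done in UTC.
"""
from datetime import datetime, timedelta, timezone


def cutoff_midnight_utc(now, days_back=2):
    """Python equivalent of Splunk's relative_time(now, "-<n>d@d"), in UTC."""
    now_utc = now.astimezone(timezone.utc)
    day = (now_utc - timedelta(days=days_back)).date()
    return datetime(day.year, day.month, day.day, tzinfo=timezone.utc)


def cutoff_from_iso(now_iso, days_back=2):
    """Same, from an ISO-8601 timestamp with offset, e.g. '2023-09-06T22:00:00-05:00'."""
    return cutoff_midnight_utc(datetime.fromisoformat(now_iso), days_back)


def generalized_time(dt):
    """AD generalized-time string; '.0Z' is appended literally, not via strftime."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def changed_since_filter(cutoff):
    """Users (not computers) whose whenChanged is at or after `cutoff`."""
    return ("(&(objectClass=user)(whenChanged>=%s)(!(objectClass=computer)))"
            % generalized_time(cutoff))


def ldapsearch_spl(cutoff):
    """The SPL the thread runs, with the computed cutoff already inlined.

    The filter is only digits and ASCII filter syntax, so nothing inside it
    needs escaping against the enclosing double quotes.
    """
    return ('| ldapsearch search="%s" | table cn whenChanged whenCreated'
            % changed_since_filter(cutoff))


if __name__ == "__main__":
    print(ldapsearch_spl(cutoff_midnight_utc(datetime.now(timezone.utc))))
```

A search head running in a western time zone late in the evening is already past midnight UTC, which is why the snap is done after converting to UTC: the value compared against whenChanged is then consistent with what the directory stored.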
08-31-2023
08:11 AM
1 Karma
My bad. I didn't look to see what database you were using. You may need quotes around it = "abc:def". Since you're doing this inside a quoted string, you may need to escape them as \" in the string.
08-31-2023
04:42 AM
1 Karma
Try brackets around the field name - [abc:def]
08-25-2023
02:34 PM
If you're still having this issue, check your logs for the lag between event time and index time. The Tenable add-on pulls all of your open vulnerability data first, and only pulls in the fixed data after all of the open stuff is complete. If you've got a large lag time, it may not be getting as far as actually pulling in the fixed vulns. Check the /opt/splunk/etc/apps/TA-tenable/default/inputs.conf, (and the local inputs.conf if you have one) and look for the "page_size". Increasing this number may resolve the issue. When I was troubleshooting a similar issue, Tenable indicated the number hadn't been changed - but it was set to 1000 - meaning it ran API calls for 1000 records at a time - and wasn't ever finishing with a large number of vulns. We increased this to 10000, reducing the api calls by a factor of 10 - and allowing the process to complete so all our vulns got pulled in.
08-25-2023
01:52 PM
1 Karma
I've never tried to make a model name dynamically, but I have done it with outputlookup, so maybe you can do something similar?
| outputlookup [| makeresults | eval filename=strftime(relative_time(relative_time(now(),"-1mon@mon"), "@m"), "filename_%B_%Y.csv") | return $filename]
Something like:
[ | search partition_number < 90
| fields - partition_number
| fit DecisionTreeRegressor "target" from * splitter=best into [| inputlookup xyz | fields myfieldname | return $myfieldname] apply=false ]
06-26-2023
04:30 AM
Are there any errors in the dbconnect logs? How are you verifying that you have missing records? Identity columns sometimes skip a number, so just having a small gap doesn't necessarily mean a missing record (databases can skip a number in an identity column if an insert is attempted and fails.)
04-20-2023
01:22 PM
Did you ever figure this out? I'm seeing the same problem.
05-23-2022
11:46 AM
I neglected to say that the Z is not representative. It is literally the character Z.
05-23-2022
11:41 AM
Mine is set formatted as: 2021-01-01T01:01:00Z
05-23-2022
11:30 AM
You should be able to do this using tokens. After the search to add a user completes, use the done event handler to unset the add token and to set the none token again. Same on your other panels.
05-23-2022
11:21 AM
I've never seen this field. Which version of the Tenable Add-On are you using? What version of Tenable.sc?
05-17-2022
08:48 AM
There might be a more graceful way someone will provide, but I generally add something like this to the end, forcing a row with a 0 value, and then doing another quick sum before displaying it.
| append [| makeresults | eval count=0]
| stats sum(count) as count