Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About adamblock2
adamblock2
Path Finder
Member since:
08-26-2015
05-11-2022
Community Statistics
| Posts | 52 |
| Solutions | 4 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 08-26-2015 |
Activity Feed
- Posted Subsearch using time from lookup in main search on Splunk Search. 05-10-2022 04:37 PM
- Posted What is this Add-on for Microsoft Office 365 error? on Getting Data In. 03-22-2022 02:14 PM
- Got Karma for Azure AD Add-on for MS Office 365 questions. 03-08-2022 09:02 PM
- Posted Re: Add-on for MS Office 365 question on Getting Data In. 12-08-2021 02:47 PM
- Posted Azure AD Add-on for MS Office 365 questions on Getting Data In. 11-30-2021 02:02 PM
- Posted Re: Setting $job.earliestTime$ and $job.latestTime$ tokens for the date range of a dashboard? on Dashboards & Visualizations. 03-01-2021 09:12 AM
- Karma Re: Running one of two searches based on time picker selection for niketn. 06-05-2020 12:49 AM
- Karma Re: Can I run Splunk DB Connect versions 1 and 2 side by side? for dshpritz. 06-05-2020 12:48 AM
- Got Karma for Splunk Add-on for Cisco ASA 3.2.4: How to configure transforms.conf to properly extract the host field?. 06-05-2020 12:47 AM
- Posted Using lookup table matches to limit Web datamodel results on Splunk Search. 08-14-2019 04:07 PM
- Posted Re: How to use tstats to show unique list of hosts for a specified index? on Splunk Search. 07-12-2019 09:19 AM
- Posted How can I prevent adding duplicate events when indexing via scheduled reports to a summary index? on Knowledge Management. 12-05-2017 04:47 PM
- Posted Re: Drilldown with column value when clicking on any row. on Dashboards & Visualizations. 10-25-2017 12:02 PM
- Posted Re: Running one of two searches based on time picker selection on Dashboards & Visualizations. 10-17-2017 01:59 PM
- Posted Re: Running one of two searches based on time picker selection on Dashboards & Visualizations. 10-17-2017 01:58 PM
- Posted Re: Running one of two searches based on time picker selection on Dashboards & Visualizations. 10-03-2017 09:43 AM
- Posted Running one of two searches based on time picker selection on Dashboards & Visualizations. 10-02-2017 10:25 PM
- Posted Can a token value from one dropdown input be used as part of the choice value statements in a second dropdown? on Dashboards & Visualizations. 06-08-2017 11:21 AM
- Posted Re: How to select dashboard panel query based on dropdown input selection on Dashboards & Visualizations. 04-28-2017 09:01 AM
- Posted How to select dashboard panel query based on dropdown input selection on Dashboards & Visualizations. 04-27-2017 03:02 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-10-2022
04:37 PM
I am performing a lookup in a main search which returns earliest_event and latest_event timestamp values. I would like to use these timestamp values as parameters for a subsearch. The search would be similar to the following: index=foo
...........
| lookup lookuptable.csv session_id OUTPUTNEW session_id, earliest_event, latest_event
...........
| append
[ search index=bar earliest=earliest_event latest=latest_event
...........] The time parameters for the subsearch are not being accepted, though. Is there a different way that this can be accomplished?
... View more
Labels
- Labels:
-
subsearch
03-22-2022
02:14 PM
I am trying to configure a new input in the Splunk Add-on for Microsoft Office 365. I am receiving errors which I have not been able to fix. Assistance would be greatly appreciated.
Input Name: AuditLogs.Signins
Input Type: Graph API
2022-03-22 12:24:38,005 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=utils.py:wrapper:72 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 70, in wrapper
return func(*args, **kwargs)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/graph_api.py", line 235, in run
2022-03-22 12:24:38,004 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:118 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Error retrieving Cloud Application Security messages." exception='NoneType' object is not iterable
2022-03-22 12:24:37,999 level=ERROR pid=3126388 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:476 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="There was an exception processing the response from Microsoft Graph API" exception=401:{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-03-22T16:24:37","request-id":"","client-request-id":""}}}
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 467, in get
raise O365PortalError(response)
splunk_ta_o365.common.portal.O365PortalError: 401:{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2022-03-22T16:24:37","request-id":"","client-request-id":""}}}
2022-03-22 12:24:37,814 level=INFO pid=3126388 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:462 | datainput=b'AuditLogsSignins' start_time=1647966277 | message="Calling Microsoft Graph API." url=b'https://graph.microsoft.us/v1.0/auditLogs/signIns' params=None
... View more
Labels
- Labels:
-
other
12-08-2021
02:47 PM
We recently had a conversation with a MS support engineer who suggested that since we are just reading the logs, the Cloud Application Security Token, Tenant Subdomain, and Tenant Data Center values may not be required. I have not had an opportunity to test this yet, but I would suggest giving that a try.
... View more
11-30-2021
02:02 PM
1 Karma
I am in the process of trying to configure a Tenant in this add-on. Some of the required values are available in the Azure AD integration application. There are a number of others that I have not been able to find values for.
The first 3 items I have values for, the last 3 I do not. Assistance with this would be appreciated.
Tenant ID is the Directory ID from Azure Active Directory.
Client ID is the Application ID from the registered application within the Azure Active Directory.
Client Secret is the registered application key for the corresponding application.
Cloud Application Security Token is the registered application key for the corresponding tenant.
Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
... View more
- Tags:
- MS Office 365
03-01-2021
09:12 AM
I have a modified version of this which has been functioning in a dashboard for more than the past 12 months. We just upgraded to version 8, and instead of displaying the date/time range, I am receiving "Invalid date to Invalid date". Any ideas/suggestions? <table>
<title>Click use_case to drill down.</title>
<search>
<!-- 20190627 BEGIN -->
<progress>
<!-- Parse ISO time from the search job -->
<eval token="parsed.earliest">strptime($job.earliestTime$, "%Y-%m-%dT:%H:%M:%S.%Q%z")</eval>
<eval token="parsed.latest">strptime($job.latestTime$, "%Y-%m-%dT:%H:%M:%S.%Q%z")</eval>
<!-- Pretty print the parsed time -->
<eval token="formatted.earliest">strftime($parsed.earliest$, "%c")</eval>
<eval token="formatted.latest">if(isnull($job.latestTime$), "the end of time", strftime($parsed.latest$, "%c"))</eval>
<!-- Create time window message -->
<eval token="timewindow.formatted">if(isnull($formatted.earliest$), "...", $formatted.earliest$ + " to " + $formatted.latest$) + if($job.isRealTimeSearch$, " (real-time)", "")</eval>
</progress>
<!-- Clear time window message when the search gets cancelled or fails -->
<cancelled>
<unset token="timewindow.formatted"></unset>
</cancelled>
<error>
<unset token="timewindow.formatted"></unset>
</error>
<fail>
<unset token="timewindow.formatted"></unset>
</fail>
<!-- 20190627 END -->
<query>
...
</query>
<earliest>$i_time.earliest$</earliest>
<latest>$i_time.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>
... View more
08-14-2019
04:07 PM
I have created a lookup table which contains iocs, a subset of which are IPv4 addresses. I am trying to use events from the Web datamodel to alert on matches in the lookup table. The following is part of a search which I created that does return results. Unfortunately, it loads full number of datamodel events before attempting to match records in the lookup.
| tstats summariesonly=true earliest(_time) AS firstEvent latest(_time) AS lastEvent values(Web.action) AS action values(Web.http_method) AS http_method values(Web.http_user_agent) AS http_user_agent count from datamodel=Web where nodename=Web.Proxy by Web.app Web.src Web.dest
| rename Web.* AS *
| lookup ioc_entries_lookup ioc_string AS src
| table firstEvent lastEvent action src app http_method http_user_agent dest url
| convert ctime(*Event) timeformat="%m/%d/%Y %H:%M:%S"
I am looking for a way to include the lookup as one of the "where" clauses in the tstats command. I tried using inputlookup as a kind of subsearch. Being that there are close to 200,000 records in the lookup, it failed.
| tstats summariesonly=true earliest(_time) AS firstEvent latest(_time) AS lastEvent values(Web.action) AS action values(Web.http_method) AS http_method values(Web.http_user_agent) AS http_user_agent count from datamodel=Web where [|inputlookup ioc_entries_lookup
| fields ioc_string
| rename ioc_string AS Web.src
| table Web.src]
Is there another way that this can be done? Is there a way that this can be done using the "lookup" command?
Thank you.
... View more
- Tags:
- splunk-enterprise
07-12-2019
09:19 AM
Try the following: | tstats count where index="wineventlog" by host .
... View more
12-05-2017
04:47 PM
I currently have a saved search configured to write its results to a summary index. This search is scheduled to run at 02:00 every night. The search starts with the following code: starthoursago=26 endhoursago=2 index=mail .... It is my understanding that the starthoursago/endhoursago commands set the time range of the search to 00:00 - 24:00 of the previous day.
I am thinking that there must be a better way to schedule this search so to avoid writing duplicate events to the summary index. If possible, I would like the search to run more frequently - every hour if possible.
Assistance with this will be greatly appreciated.
Thank you.
... View more
10-25-2017
12:02 PM
If the condition statement is removed, I believe you will get the functionality you are looking for.
... View more
10-17-2017
01:59 PM
The token values in the search are set in dropdown inputs which are submitted.
... View more
10-17-2017
01:58 PM
I apologize for the delayed response, but I have been out of the office for a number of days. I re-tried the example above, and it worked without issue.
My next question is the actual search that I am submitting. Should I be replacing "yourRealTimeIndex","yourSummaryIndex" with the actual searches? If yes, I am concerned that I have done something wrong, as the form does not appear to submit and the query doesn't run.
<eval token="tokIndex2">if((now()-tokEarliestTime2) <=86400,"index=mail eventtype=pps_filter | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id by internal_message_id, host | fields - _raw | fields + _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, internal_message_id, host| mvexpand file_name | search $i_criteria$=$s_value|s$ AND delivery_status=$d_status$| iplocation infr_ip | rename Country AS country | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, internal_message_id | sort _time","index=summary report=proofpoint_daily_summary | mvexpand file_name | search $i_criteria$=$s_value|s$ AND delivery_status=$d_status$| iplocation infr_ip | rename Country AS country| eval eventtime=strftime(eventtime, "%x, %X") | table eventtime, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, internal_message_id | sort eventtime") </eval>
.
.
.
.
<row>
<panel>
<title>Search Messages</title>
<table>
<search>
<query>$tokIndex2$</query>
<earliest>$i_time.earliest$</earliest>
<latest>$i_time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
... View more
10-03-2017
09:43 AM
I just attempted to copy your code for the first option so to create a test dashboard. When I went to save the dashboard, I received the error "Encountered the following error while trying to save: Error parsing XML on line 16: StartTag: invalid element name"
I believe line 16 corresponds to
if((now()-tokEarliestTime1)<=86400,"yourRealTimeIndex","yourSummaryIndex")
Thoughts? Thank you.
... View more
10-02-2017
10:25 PM
I am trying to create a dashboard panel which will run one of the following email searches. There are a number of inputs which allow a user to filter exactly what he/she wants to search for.
One input allows a user to select the search criteria (sender, recipient, source IP, message id, etc.)
Another input allow the user to input the data being searched for.
The last input is a time picker.
Each input is a separate token. So, if one wants to search for sender=john.doe@xyz.org, for example, those values (sender, john.doe@xyz.org) would each be passed to the search with tokens.
If the time selected from the time picker is within the last 24h, a search based on raw events (including index=, eventtype=, stats, etc.) should be run. If the time selected is historic (ie. more than 24h ago), I want to run a search based on a summary index (index=summary report=x).
I have been working to figure this out, but each attempt has been unsuccessful. Assistance with this will greatly be appreciated.
Thank you.
... View more
- Tags:
- splunk-enterprise
06-08-2017
11:21 AM
I am creating a dashboard panel with multiple inputs. I would like to be able to pass a token variable containing the selection from dropdown (1) for use as a value in dropdown (2). The following are the 2 dropdown inputs that I am working on:
<input type="dropdown" token="i_criteria">
<label>Search Criteria</label>
<choice value="spamscore">Spam Score</choice>
<choice value="malwarescore">Malware Score</choice>
<choice value="phishscore">Phish Score</choice>
</input>
<input type="dropdown" token="i_score">
<label>Criteria Values</label>
<choice value="$i_criteria$=*">all</choice>
<choice value="$i_criteria$>0 $i_criteria$<50">1-49</choice>
<choice value="$i_criteria$>=50 $i_criteria$<100">50-99</choice>
<choice value="$i_criteria$=100">100</choice>
</input>
All of the $i_criteria$ values in the second input are being interpreted literally as opposed its actual value being replaced/inserted.
Is there different way that this can be done?
Thank you.
... View more
04-28-2017
09:01 AM
I think that I might be missing something.
My dashboard contains
A text input which populates the token "s_value"
A dropdown which populates the token "i_criteria"
A dropdown which populates the token "d_status"
I updated my i_criteria dropdown to include the following:
< change>
< condition value="x_mailer">
< set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | search delivery_status=$d_status$ | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set>
< /condition>
< condition value="message_id">
< set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set>
< /condition>
< condition value="from">
< set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set>
< /condition>
< condition value="sender_domain">
< set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set>
< /condition>
< /change>
I then replaced my query statement with < query>$s_query$< /query>
The query does not run. I receive a message "Search Factory: Unknown search command 's'." In addition, the submit button no longer functions.
Any ideas?
Thank you.
... View more
