Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About samyool36
samyool36
Explorer
Member since:
09-06-2018
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 09-06-2018 |
Activity Feed
- Karma Re: How to include Current Date to Email Subject and Body for Scheduled PDF Delivery? for efavreau. 06-05-2020 12:51 AM
- Karma Re: SEP 14.2 RU1 log format change for csperry_splunk. 06-05-2020 12:50 AM
- Karma Re: In Splunk Enterprise Security, why is alert not triggering despite manually being able to find the results? for jcrabb_splunk. 06-05-2020 12:49 AM
- Posted Re: Enable REST API response logging in the Splunk Add-on Builder on All Apps and Add-ons. 03-19-2019 02:32 AM
- Posted Enable REST API response logging in the Splunk Add-on Builder on All Apps and Add-ons. 03-18-2019 04:17 AM
- Tagged Enable REST API response logging in the Splunk Add-on Builder on All Apps and Add-ons. 03-18-2019 04:17 AM
- Tagged Enable REST API response logging in the Splunk Add-on Builder on All Apps and Add-ons. 03-18-2019 04:17 AM
- Tagged Enable REST API response logging in the Splunk Add-on Builder on All Apps and Add-ons. 03-18-2019 04:17 AM
- Posted Re: After running a search which uses a lookup file to whitelist certain domains, I'm receiving the following error: "Regex: UTF-8 error: byte 2 top bits not 0x80" on Splunk Enterprise Security. 09-21-2018 06:30 AM
- Posted Re: In Splunk Enterprise Security, why is alert not triggering despite manually being able to find the results? on Splunk Enterprise Security. 09-21-2018 06:28 AM
- Posted After running a search which uses a lookup file to whitelist certain domains, I'm receiving the following error: "Regex: UTF-8 error: byte 2 top bits not 0x80" on Splunk Enterprise Security. 09-20-2018 04:45 AM
- Tagged After running a search which uses a lookup file to whitelist certain domains, I'm receiving the following error: "Regex: UTF-8 error: byte 2 top bits not 0x80" on Splunk Enterprise Security. 09-20-2018 04:45 AM
- Tagged After running a search which uses a lookup file to whitelist certain domains, I'm receiving the following error: "Regex: UTF-8 error: byte 2 top bits not 0x80" on Splunk Enterprise Security. 09-20-2018 04:45 AM
- Tagged After running a search which uses a lookup file to whitelist certain domains, I'm receiving the following error: "Regex: UTF-8 error: byte 2 top bits not 0x80" on Splunk Enterprise Security. 09-20-2018 04:45 AM
- Tagged After running a search which uses a lookup file to whitelist certain domains, I'm receiving the following error: "Regex: UTF-8 error: byte 2 top bits not 0x80" on Splunk Enterprise Security. 09-20-2018 04:45 AM
- Posted In Splunk Enterprise Security, why is alert not triggering despite manually being able to find the results? on Splunk Enterprise Security. 09-17-2018 02:55 AM
- Tagged In Splunk Enterprise Security, why is alert not triggering despite manually being able to find the results? on Splunk Enterprise Security. 09-17-2018 02:55 AM
- Tagged In Splunk Enterprise Security, why is alert not triggering despite manually being able to find the results? on Splunk Enterprise Security. 09-17-2018 02:55 AM
- Tagged In Splunk Enterprise Security, why is alert not triggering despite manually being able to find the results? on Splunk Enterprise Security. 09-17-2018 02:55 AM
- Tagged In Splunk Enterprise Security, why is alert not triggering despite manually being able to find the results? on Splunk Enterprise Security. 09-17-2018 02:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
03-19-2019
02:32 AM
Thanks for the response. I don't have any proxy enabled and the only header being sent is the API token. I also am not aware of any default license files.
Would you be able to advise where to set this log level in the global settings? Would this allow me to see the full response from the server?
... View more
03-18-2019
04:17 AM
I am currently using the Splunk Add-On Builder app to connect to an external REST API in an attempt to ingest data into Splunk. I have configured the token as a REST request header in the Data Input Definition section and also defined a URL. When I attempt to test this connection I receive the following message in the output window:
2019-03-18 11:11:24,600 - test_name - [ERROR] - [test] The response status=500 for request which url=https://myresturl.com/input and method=GET.
I have tested the connection using Postman and a simple curl command and both of these return the required data. Is it possible to turn on response logging for the Splunk Add-On Builder app to determine why the server is returning a 500 error? If so, which files need to be updated for this to happen?
... View more
09-21-2018
06:30 AM
I was able to fix this by doing the following:
Export the lookup table from Splunk
Open this in Notepad++ and select Encoding > Encode in UTF-8
Add the lookup to Splunk
... View more
09-21-2018
06:28 AM
I can confirm the alert was not run. It was not in triggered alerts and I can see that no results were found in the internal logs when the saved search was run.
I cannot change the cron expression as this is a production system, but this alert has worked in the past. No changes have been made which would have effected this.
... View more
09-20-2018
04:45 AM
I am attempting to run a search which matches specific domain names. In this search, I am using a lookup file to whitelist certain domains. When I am running this search, I am getting the error: Regex: UTF-8 error: byte 2 top bits not 0x80
My search is as follows:
| tstats `summariesonly` values(Web.dest) as domain min(_time) as firstTime from datamodel=Web by Web.src
| `drop_dm_object_name("Web")`
| `ctime(firstTime)`
| mvexpand domain
| search NOT (domain="exampledomain.com")
| rex field=domain "www.(?<domain>\S+)"
| search NOT
[| inputlookup whitelisted_domains.csv
| rename "Domain Name" as domain
| fields domain]
I believe the issue appears to be with the lookup file itself. It works if I extract certain fields but not the Domain Name field. Are there limitations in what characters can be included in a lookup like this? Is there something else that may be causing this issue?
... View more
09-17-2018
02:55 AM
I have an alert set up in my Splunk Enterprise Security environment that is set to trigger when we receive a notable that is marked as either high or critical urgency. This search has worked in the past but did not trigger over the weekend even though a high urgency notable was created.
When I run the search manually over the time range, I can see that it returns results, so this does not appear to be an issue with the search logic. There is also no throttling configured. The search is on a cron schedule to run every 2 minutes and looks over the last 125 seconds of events.
Looking through the audit logs, I can see the following events to confirm that the saved search completed running:
Audit:[timestamp=09-16-2018 13:50:24.206, user=XXXX, action=search, info=completed, search_id='scheduler__admin_YWFtX2FsbF9jdXN0b20tc2VhcmNoZXM__RMD571711d067188a19b_at_1537102200_43245_2C5B5B40-2FE3-4255-A621-60A171C4E9C0', total_run_time=2.63, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1537102203, api_et=1537102075.000000000, api_lt=1537102200.000000000, search_et=1537102075.000000000, search_lt=1537102200.000000000, is_realtime=0, savedsearch_name="New Notable - Alert", search_startup_time="2235", searched_buckets=11, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0][n/a]
Audit:[timestamp=09-16-2018 13:50:34.832, user=XXXX, action=search, info=completed, search_id='rsa_scheduler__admin_YWFtX2FsbF9jdXN0b20tc2VhcmNoZXM__RMD571711d067188a19b_at_1537102200_43245_2C5B5B40-2FE3-4255-A621-60A171C4E9C0', total_run_time=2.63, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1537102203, api_et=1537102075.000000000, api_lt=1537102200.000000000, search_et=1537102075.000000000, search_lt=1537102200.000000000, is_realtime=0, savedsearch_name="New Notable - Alert", search_startup_time="2235", searched_buckets=11, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0][n/a]
The event that should have triggered an alert occurred at 13:50:31PM on 09-16-18. The second event in the audit log shows that the search was completed three seconds later at 13:50:34PM. Is it possible that these overlapped which prevented the alert from being triggered? The next scheduled search was run at 1:52:24PM so this should have triggered an alert as well.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
