×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
samyool36
Explorer
Member since: ‎09-06-2018
‎06-05-2020
Community Statistics
Posts 6
Solutions 1
Karma Given 3
Karma Received 0
Member Since ‎09-06-2018
Activity Feed
View All

Re: Enable REST API response logging in the Splunk...

by in All Apps and Add-ons
‎05-21-2019 11:08 AM
‎05-21-2019 11:08 AM
I have recently been investigating using the "Splunk Add-on Builder" to ingest data from a REST API, and I had with a similar issue diagnosing the http requests sent from the created add-on app. The Burp Suite Community Edition app (Burp Proxy manual tool) helped troubleshoot the https request from the created add-on app and the https response from the REST API. The created add-on was configured to use the Burp Suite app as a proxy. The https requests from the created add-on are logged in the Burp Suite app, and the responses from the REST API are logged also. Also, the Burp Suite allows the user to intercept the https requests from the created add-on app, and the user can manually modify before forwarding to the REST API. The Burp Suite Community Edition app is free to download at the https://portswigger.net/burp url. ... View more

Re: After running a search which uses a lookup fil...

by in Splunk Enterprise Security
‎09-21-2018 06:30 AM
‎09-21-2018 06:30 AM
I was able to fix this by doing the following: Export the lookup table from Splunk Open this in Notepad++ and select Encoding > Encode in UTF-8 Add the lookup to Splunk ... View more

Re: In Splunk Enterprise Security, why is alert no...

by Splunk Employee in Splunk Enterprise Security
‎09-26-2018 09:00 AM
1 Karma
‎09-26-2018 09:00 AM
1 Karma
Typically when I see this question, it is an issue of indexing latency/lag. The search is on a cron schedule to run every 2 minutes and looks over the last 125 seconds of events. If the event wasn't indexed until it was 200 seconds old, for example, it won't be picked up by the search. We typically recommend adding in a buffer to account for index latency/lag. You could use this eval to determine the time difference between index time and event time: |eval indextime=_indextime |eval bkt=_bkt |eval delay_sec=_indextime-_time |table indextime _time delay_sec bkt | rename _time as Eventtime | convert ctime(*time) If you happen to find the latency for an event is 2 1/2 minutes, for example, you may want to adjust the search to look back 3 to 6 minutes: This takes into account any latency between index time and event time. Basically allowing enough time to pass so that when the search is run you know the data will be there. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM