Because 13 is not a valid month number 😉 Think you need to swap the %d and %m in your time format 🙂 ... View more

I had to make it as generic as possible. I hope it is still helpful. sourcetype alert_metadata: {"alert": "myalertname", "alert_time": "2019-03-19T17:15:11.892+00:00", "app": "search", "entry": [{"content": {"earliestTime": "2019-03-19T16:15:00.000+00:00", "eventCount": 1, "eventSearch": "search (myalertsearchstring)", "keywords": "index::myappindex myapp_msgarea::RRR myapp_msgname::SSS", "latestTime": "2019-03-19T17:15:00.000+00:00" remote_mysplunkserver_scheduler_wilsonvsearchRMD54ae8a1459b8e343f_at_1553015700_10843. "optimizedSearch": "| search (mysearchstring", "resultCount": 1, "searchEarliestTime": 1553012100, "searchLatestTime": 1553015700, "searchProviders": ["mySplunkservers]}, "links": {"alternate": "/services/search/jobs/schedulerwilsonvsearchRMD54ae8a1459b8e343f_at_1553015700_10843"}, "name": "search mysearchstring}], "impact": "high", "incident_id": "23464663-4af1-4073-bf84-6edebfb6c837", "job_id": "schedulerwilsonvsearch_RMD54ae8a1459b8e343f_at_1553015700_10843", "name": "myalertname", "owner": "unassigned", "priority": "critical", "result_id": "0", "title": "myalertname", "ttl": 86400, "urgency": "high"} sourcetype incident_change: time=2019-03-19T17:15:12.245662 event_id="21794f2b4d134d36359eca1115a478b7" severity=INFO origin="alert_handler" user="splunk-system-user" action="create" alert="myalertname" incident_id="23464663-4af1-4073-bf84-6edebfb6c837" job_id="scheduler_wilsonvsearch_RMD54ae8a1459b8e343f_at_1553015700_10843" result_id="0" owner="unassigned" status="new" urgency="high" ttl="86400" alert_time="2019-03-19T17:15:11.892+00:00" example of the actual event that tripped the alert: 2019-03-19 16:44:43 myapp_logversion="2" myapp_msgarea="AU" myapp_msgname="L" myapp_pid="37301" myapp_taskno="00031" myapp_slgttyp="CC" myapp_termname="myterm" myapp_username="userhere" Splunk fields: host, index, sourcetype, source, tag::host I'm trying to figure out how to get the host name where the event occurred, based on the info in Alert Manager (the top two examples). ... View more

Agree to @micahkemp's point, due to two $ signs in the same pipe, it is making Splunk search to treat the same as token in a dashboard. Escaping the $ sign with $$ should work for you. Here is another option for you by breaking the case statement in two parts with a run anywhere example: | makeresults | eval RelativeURI="/identity/enhanced-authentication/tasks/*" | eval HttpMethod="GET" | eval test=case( match(RelativeURI,"/identity/enhanced-authentication/tasks/~/search") AND match (HttpMethod,"POST"), "TASK1", match(RelativeURI,"/identity/enhanced-authentication/tasks$") AND match (HttpMethod,"POST"), "TASK2", match(RelativeURI,"/identity/enhanced-authentication/tasks/*") AND match (HttpMethod,"POST"), "TASK3") | eval test=case(match(RelativeURI,"/identity/enhanced-authentication/tasks$") AND match (HttpMethod,"GET"), "TASK4", match(RelativeURI,"/identity/enhanced-authentication/tasks/*") AND match (HttpMethod,"GET"), "TASK5", true(),test) | table RelativeURI HttpMethod test ... View more

Give this a try index="test" OR index="test" Api=* (EventStreamData.eventName="5000027") | bucket _time span=15m | rename EventStreamData.response.userStatusCode{} as userStatusCode1 | rename EventStreamData.args.customerLoginRequest.signInPlatform as signInPlatform1 | eval PLATFORM=if((Api_Key="SICAPP" AND signInPlatform="Card"),"COS",if((Api_Key="SICAPP" AND signInPlatform="ENTERPRISE"),"EASE Web", if((Api_Key="SICAPP" AND signInPlatform="OLBank"), "OLBR",)) | eval SuccessVolume=if(DISPOSITION="SUCCESS",1,0) | eval PolicyVolume=if(DISPOSITION="POLICY",1,0) | eval DefectVolume=if(DISPOSITION="DEFECT",1,0) | stats sum(SuccessVolume) as Success avg(SuccessVolume) as avg by PLATFORM _time | streamstats current=f window=1 values(avg) as change by PLATFORM | eval change=avg-change | eval change_percent=round(change/avg*100,0) ... View more

This setitng should work. verify by run: splunk btool deploymentclient list deployment-client or check in the deployment server console ... View more

Yes, it finally worked for me. Initially the default cron time was never used. So I changed it for a number of seconds and it does now work properly. Check this parameter in : - Data Input - Scripts - $SPLUNK_HOME/etc/apps/qualys_splunk_app/bin/qualys_detection_logger.sh Of yourse, you also have need to have the feature api enabled by Qualys which come with a price... Regards ... View more

I had a similar issue and found that I had an outputs.conf file in my etc/system/local directory that was being used instead of the outputs.conf in my app directory. I renamed the wrong outputs.conf file and restarted Splunk. You can tell if your outputs.conf file is being used as the sslPassword = testmy123 will be encrypted after it is read the first time. If you have an outputs.conf file in another directory being used first it may be that it is using a different port which is another indication that the wrong outputs.conf file is being used. ... View more

1: No, not unless you enable SSL. 2: No, but that is part of the answer, SSL is on port 9998 instead of 9997 (or maybe the other way around) so you have to change that in each forwarder's deploymentclient.conf file, too. 3: I do not see how outputs.conf fits into Deployment Server technology. ... View more

Thanks acharlieh Your solution worked for me. to make it simpler I modified syslog lookup to use hostip field name instead of Ip. index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" "group=udpin_connections" | fields hostip | dedup hostip | eval reported="yes" | append [inputlookup syslog_lookup | eval known="yes"] | stats first(*) as * by hostip | fillnull value="no" reported known | where reported="no" OR known="no" ... View more

This add-on was very straight forward to setup. I ran into a lot of issues with the AWS Add-on version 3.0.0 and this CWS Add-on saved me a lot of headaches. Highly recommend it. ... View more

This file existed for me... But I still needed to install the pam module. https://answers.splunk.com/answers/108996/error-while-configuring-check-point-opsec-lea-linux-app.html ... View more

I have splunk script below which takes input can you help how to use splunk intersplunk for this script to take input and provide output def base36encode(number): if not isinstance(number, (int, long)): raise TypeError('number must be an integer') if number < 0: raise ValueError('number must be positive') alphabet, base36 = ['0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', ''] while number: number, i = divmod(number, 36) base36 = alphabet[i] + base36 return base36 or alphabet[0] def base36decode(number): return int(number, 36) print(base36encode(1412823931503067241)) print(base36decode('AQF8AA0006EH')) ... View more