@gabo  Java 17 enforces stricter TLS/SSL algorithm constraints than older Java versions. Also your Microsoft JDBC driver 1.3.2 is very old which may not support this. So try upgrade the JDBC Driver and test it or downgrade your java to 11 and test Regards, Prewin 🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks! ... View more

Hi @ankit13, The issue may be on your checkpoint value format. Can you, just for an experimentation purpose, pick another field like a numerical one and use it just to see if the search loads? If it does, then it is all about playing with the datetime format you are passing as initial checkpoint until you can get a format that is working. Also, the second screenshot showing I/O Operation on a closed writer exception may be telling you that the connection died before returning the results and that is probably because, again, Checkpoint Value current format may be causing interpretation issues on the JDBC query against your database. Another option is to run a profiler on the DB side to capture exactly how this request is hitting your DB. That would answer all of those questions. ... View more

Thanks for the advice! I will keep that in mind, when I try it again.  Now I will focus on the application and play with data and visualization 🙌. See You! ... View more

Unfortunately I don't have a ITSI instance at hand and in ordinary DS dashboard the json seems to be located in a bit different place than in ITSI GT ... View more

Hi Victor, And there is the little thing I was missing...understanding that the multi-select was looking for a list and I was sending an array. I would probably never had figured that out. Thank you so much for your quick replies and working solution!  To anyone reading this later, adding that table to the dashboard and duplicating the search results for the multi-select object to visually inspect the format and values of the token being passed was very helpful. I highly recommend it as a troubleshooting step. Final working query: index=_internal earliest=-15m group=queue name=* [ | makeresults | eval host_list="$tok_MultiSelect1$" | makemv delim="," host_list | eval host_list=mvmap(host_list, "\"" . trim(host_list) . "\"") | eval search = "host IN (" . mvjoin(host_list, ",") . ")" | return $search ] | fields name | dedup name sortby name | stats count by name | rename name as Queues | table Queues Regards ... View more

I endorse what the folks shared above. MCD alone does a lot of noise across the board due to its REST searches that comes packaged to make it works on its nature. In my organization, what I did was to get a second MCD box in another datacenter for HA, but splunk service is always stopped there.  In a very high level description, I have an rsync script that keeps both on sync on a given interval, along with a custom automation in place (using SOAR in this case) that checks whenever the main MCD stops responding REST, causing the playbook to check host availability, and in case of failures it then starts the service on the second box. At the load balancer, the health check also monitors REST so if it is not responding it marks the box as offline, so after starting the service in the second the HC will mark it as up and bring it back to live. Everything ends with an email communication so we know that the flip was done and the proper status of each step. Kinda alternative to keep MCD structure alive, but this is just in case you actually need it otherwise it may not worth the stress. ... View more

Oh, I love when simple workarounds do the trick. Well, glad you got that one sorted. If I can help with anything else, even for a brainstorming session, lemme know 🙂 ... View more

Hi @Kyles, What version of DBConnect are you using? The 3.* versions allow you to pass the field named params with values to be passed to the variables in the query/procedure: dbxquery connection=<string> [fetchsize=<int>] [maxrows=<int>] [timeout=<int>] [shortnames=<bool>] query=<string> OR procedure=<string> [params=<string1,string2>] Sample query: dbxquery procedure="{call sakila.test_procedure(?, ?)}" connection="mysql" params="150,BOB"  Please try that out if you are running DBConnect 3.x and let me know how it goes ... View more

You could write it like “/<splunk_home>/bin/splunk btool server list --debug proxyConfig” Which shows what this stanza gets from different conf files. ... View more

Are you trying to install the most recent version of SOAR? If so, upgrade to postgresql 15 if you can. The documentation is unclear but that's essentially required for 6.3. We ran into trouble trying to upgrade with postgresql 12. I can only imagine 11 has problems as well. ... View more

Hi @meshorer,   You can stop that by clicking in your name (top-right) and going to Account Settings. There, you click on Notifications tab and turn off the notifications you won't need, such as Event Reassigned in this example. Once you save it, you won't receive those emails anymore.   ... View more

A streaming language generally do not use command branching.  However, SPL has plenty of instruments to obtain the result you want.  So, let me rephrase your requirement. What I want is to extract from events is a vector of three components, field1, field2, field3.  The method of extraction is based on whether the event contains dog or cat. To illustrate, given this dataset _raw a b c |i|j|k| Dog woofs l m n |x|y|z| Cat meows e f g |o|p|q| What does fox say? I want the following results _raw field1 field2 field3 a b c |i|j|k| Dog woofs a b c l m n |x|y|z| Cat meows x y z e f g |o|p|q| What does fox say?       (This is based on reverse engineering your regex.  As I do not know your real data, I have to make the format more rigid to make the illustration simpler.) Let me demonstrate a conventional method to achieve this in SPL.   | rex "(?<field1_dog>\S+)\s(?<field2_dog>\S+)\s(?<field3_dog>\S+)\s" | rex "\|(?<field1_cat>[^\|]+)\|(?<field2_cat>[^|]+)\|(?<field3_cat>[^|]+)\|" | foreach field1 field2 field3 [eval <<FIELD>> = case(searchmatch("Dog"), <<FIELD>>_dog, searchmatch("Cat"), <<FIELD>>_cat)] | fields - *_dog *_cat   As you can see, the idea is to apply both regex's, then use case function to selectively populate the final vector. This idea can be implemented in many ways. Here is the emulation that generates my mock data.  Play with it and compare with real data.   | makeresults format=csv data="_raw a b c |i|j|k| Dog woofs l m n |x|y|z| Cat meows e f g |o|p|q| What does fox say?"   In many traditional languages, the requirement can also be expressed as conditional evaluation. While this is less conventional, you can also do this in SPL, usually with more cumbersome code. ... View more

I have this same problem. If a container has multiple artifacts, for example 10, with the tagging duplicate actions are usually limited to 1-3 instead of 10. I haven't been able to find low level details about how the python scripts are executed at an interpreter/ingestion level, and I don't think it exists publicly, which is unfortunate because the power of the platform lies in being able to use python to efficiently process data.  The VPE makes this clunky. I spent 3-4years on Palo Alto's XSOAR as the primary engineer and for all its quirks, Palo Alto has produced way better documentation on their SOAR than Splunk (Palo Alto overhauled their documentation when they acquired Demisto).  I'm about a year into using Splunk SOAR, and for all the quirks I had to handle using Palo Alto's XSOAR I wish I could go back to it, maybe my opinion/preference will change, but unless Splunk produces better documentation and opens up to the public/community some lower level documentation I'm doubtful it will. Palo Alto's XSOAR has a feature called Pre-Processing rules which allows you to filter/dedup and transform data coming into the SOAR before playbook execution, I wish Splunk SOAR had something similar, that way ingestion/deduplication logic (if you can even call tagging "that") wouldn't be intermingled in the same area as the "OAR" logic of the playbook, and hopefully avoid race conditions. The problem with "Mulit-Value" lists is that it screws up pre-existing logic. Maybe I'm missing something, but that Option should be configurable in the in the Saved Search/Alert +Action  Splunk App for SOAR Export, so that it could be configured on a per alert basis. 6 Years ago I chose Demisto over Phantom working for a Fortune 300, if I could have my way right now I'd probably go with my first choice. P.S. to be fair to Splunk SOAR maybe there's some feature I'm overlooking. ... View more

Okey, so i dont now exactly where the search is. I have the datamodel.   ... View more

Hi @santoshpatil01 , Your request is lacking useful information for anyone to help. It is not clear the query format that will serve as your base search so maybe you'll have to adjust that to your reality. Basically you'll need to have a base query that returns all raw data for the tokens wherever they are, and then you create the panels accordingly. If you don't have the input fields to set the tokens, you'll need to set them as well on each panel OR in the dashboard header depending on the filter active necessity. In each panel, mention the base search making this a linked search, and use as query something like this: Total request number for security token/priority token filtered by partner name | search partner=$token.partner$ | stats count as "Total Requests" by security_token, priority_token Duplicate request number filtered by partner name and customer ID (to check if current expiration time for both tokens are appropriate) | search partner=$token.parner$ AND customerId=$token.customerId$ | stats count by parner, customerId | where count>1 Priority token usage filtered by partner name | search partner=$token.parner$ | stats count by token_name Response time analysis for security token/priority token | stats avg(response_time) as response_time by security_token, priority_token Or if you need 90th percentile instead: | stats p90(response_time) as response_time by security_token, priority_token Again, this is just a scratch in the surface as I don't know your query, field names and additional information, but it should be enough for you to kick this off and play around. ... View more

Have you tried to consolidate then via stats command and then configure your alert to trigger for each result and tokenize the email parameter? Try this (adjust to your reality): <your search> | stats values(event_field) as events by user, email Then in your alert configuration, set trigger conditions: Number of results > 0 Trigger: For each result And add the email action with To with token $result.email$ That will make each email receive their group of events Give it a try and let me know  ... View more

Hi @hazem., Is this [DDMMYYYY] just a placeholder for an actual date in this example or this is the literal string being monitored in the monitor stanza and also the literal text in the filename? I ask that because if what you wanna do is to monitor C:\Program Files (x86)\dir1\log\name_CRT_<any date>.log then you can use * at that part like: C:\Program Files (x86)\dir1\log\name_CRT_*.log This way the monitor stanza will know what to do. Anyways, always make sure that in order for the forwarder to proper monitor something, that file must have the right read permissions to be read. Usually some applications under Program Files may be locked to administrators and that may cause SplunkForwarder service not to have the right permission to read the particular log. A good indication for that is to check the _internal index for logs related to that and see if they are logging Access Denied somewhere. The below search may give you some heads up on hits; Restart splunk forwarder and keep eyes on that log for last 5 min range or something as forwarder will evaluate the monitors at the startup and you'll find it easier. index=_internal host=<my_forwarder_host> "C:\Program Files (x86)\dir1\log\" ... View more

Same results I get the IP address but no country in the Geo Location. I have noticed that I have a space at the end of the IP address using this REX command.  Ended up using the following command to remove the ending space and that resolved my problem. | eval ip_address=trim(ip_address) ... View more

Hi @abi2023 , It is not so clear to me if you want to apply color to the cells in the "user" column only if in a specific format and shape, so if you can clarify it would be nice. You can apply that to the table section in your XML code by adding the Format tag with type color. Under that, you specify the type of coloring logic that can be dynamic, range, scale, etc... For example, for a rule that will color the cells of User column whenever there is a value with a light green cell color: <format type="color" field="user"> <colorPalette type="expression">if (isnotnull(value), "#00ff3c", "#f24949") </colorPalette> </format> Green will be valid values, red will be empty/null value cells. Is something like that you're looking for? Full sample: <dashboard version="1.1" theme="dark"> <label>My Dashboard</label> <row> <panel> <table> <search> <query>MySearchString</query> <earliest>-15m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="user"> <colorPalette type="expression">if (isnotnull(value), "#00ff3c", "#f24949") </colorPalette> </format> </table> </panel> </row> </dashboard>   ... View more

Thank you so much Victor!! ... View more

Hey @tread_splunk , Not gonna lie, it seems a bit confuse to understand your goal here. Both actions search and GET_PASSWORD only resides in _audit index, while internal index will have other kind of information. IF what you want is just use the internal logs to get the source clientip for that user (not exactly related to the action calls though) you can try something like this: index=_audit (action=search OR action=GET_PASSWORD) | stats count as audit_count by user | join user [ search index=_internal sourcetype=splunkd_access user=* clientip=* | stats count as internal_count by user clientip] | table user clientip audit_count internal_count The counts on audit and internal is the part that doesn't make much sense to me unless you want to filter the URI in the internal logs to something that is triggered during action=search or action=GET_PASSWORD, so you can customize my query a bit more. If I'm tripping, please help me understanding your goal so I can try to give you more insights if any. ... View more

Hi I have always Makefile which generates deployment ready xxx.spl files from current clients all apps into one directory + combined tar file. Those are easy to transfer and use where they are needed. r. Ismo ... View more

Yep, you'll have to have separated calls for that. Filters on SOAR REST can be appended but they will work as "AND" condition as "OR" is not supported in that sense as a limitation on Django querysets 😞 So the easiest way would be to combine the results of https://<your_soar_instance>/rest/container?_filter_name__icontains="computer" and the ones from https://<your_soar_instance>/rest/container?_filter_name__icontains="process" and finally process then accordingly.   ... View more

Hey @meshorer ,   Have you tried to ssh to your Phantom/SOAR server and run this? phenv set_preference --indicators yes This should be enough to reenable the indicators for you. Once executed please allow it up to 5 minutes for the system to start the indicators again. ... View more