Activity Feed
- Posted Re: Threat Intelligence not correctly parsed and automatically set to STIX parsing? on Splunk Enterprise Security. 01-05-2023 01:40 AM
- Posted Why is Threat Intelligence not correctly parsing and automatically setting to STIX parsing? on Splunk Enterprise Security. 01-04-2023 12:51 AM
- Tagged Why is Threat Intelligence not correctly parsing and automatically setting to STIX parsing? on Splunk Enterprise Security. 01-04-2023 12:51 AM
- Got Karma for Re: ITSI distinct count KPI: 0 vs. NULL values?. 02-10-2022 01:30 PM
- Got Karma for Re: A dropdown menu within a panel and change in the search query based on input selection. 10-13-2021 05:23 AM
- Posted Re: A dropdown menu within a panel and change in the search query based on input selection on Splunk Dev. 10-13-2021 01:17 AM
- Karma Re: How to refresh ITSI glass table every 10 seconds ? for iandrews_splunk. 06-05-2020 12:49 AM
- Posted Re: How do you calculate the health score for three months in IT Service Intelligence (ITSI)? on Splunk ITSI. 11-08-2019 03:06 AM
- Posted Re: ITSI distinct count KPI: 0 vs. NULL values? on Splunk ITSI. 11-08-2019 02:58 AM
- Posted Re: Is it possible for Alerts blackout functionality in Splunk/ITSI? on Splunk ITSI. 08-13-2019 03:36 AM
- Posted Re: ITSI distinct count KPI: 0 vs. NULL values? on Splunk ITSI. 08-13-2019 03:29 AM
- Posted Re: ITSI Predictive Analysis - Failed to train KPI models: The index into SearchResult is invalid. on Splunk ITSI. 08-13-2019 03:24 AM
- Posted Re: Where can I find the service dependencies in Splunk IT Service Intelligence (ITSI)? on Splunk ITSI. 10-24-2018 03:39 AM
01-05-2023 01:40 AM
It looks like a proxy issue where the proxy is returning a block page. This explains why Splunk ES is seeing HTML elements as a result. Still in investigation.
01-04-2023 12:51 AM
Hi all,
Within Splunk ES I've configured a test threat intelligence feed with the following settings:
New > Line oriented
Name: Binary Defense Banlist
type: network
url: https://www.binarydefense.com/banlist.txt
weight: 60
interval: 43200
Max Age: -30d
Max Size: 52428800
Checked Threat Intelligence
File parser: line
Delimiting regular exp:
Extracting regex: ^(\d.+)$
Ignoring regex: (^#|^\s*$)
fields: ip$1,description:BinaryDefense_banlist
skip header lines: 0
No encoding, no user agent, sinkhole checked.
Some global parse modifier settings:
Certificate attribute breakout = checked
IDNA encode domains = unchecked
Parse domain from URL = unchecked
In debug mode I see that the file is downloaded and then it says:
<timestamp> INFO pid=1050977 tid:MainThread file=get_parser.oy:_detect_file_type:139 | stanza"binary Defense Banlist" status="Automatically detected STIX parsing for file_path /opt/splunk/var/lib/splunk/modinputs/threatlist/Binary Defense Banlist"
It goes on to parse the file and get the records. However, the records contain HTML elements like </div> and </iframe> as url value. This is strange since it's just a .txt file. Moreover, why is it parsing it like a STIX document when I explicitly stated that the File parser = line?
This happens with other threat feeds as well. I've checked with a colleague at another client and with the exact same settings his works and mine doesn't.
Am I missing something? Do you know where else I can look to troubleshoot?
Some figures:
Splunk: 8.2.9
ES: 7.0.1
Single search head, behind proxy
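The reply above attributes the symptom (HTML elements turning up as "url" values, and the file being auto-detected as STIX) to a proxy returning a block page instead of the banlist. The following is an added example, not code from the post or from Splunk ES, showing the check a practitioner would want in front of a line-oriented feed parser: look at the body you actually received before applying the stanza's extracting and ignoring regexes. The regexes and the description field are taken from the post's threatlist settings; the sample feed, the sample block page, the HTML markers list and the function names are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Regexes copied from the post's threatlist stanza (file parser = line).
EXTRACT_RE = re.compile(r"^(\d.+)$")          # extracting regex
IGNORE_RE = re.compile(r"(^#|^\s*$)")         # ignoring regex
DEFAULT_DESCRIPTION = "BinaryDefense_banlist"  # description field from the stanza

# Assumed markers: if any of these appear near the top of the body, the proxy
# (or an origin error page) handed back HTML rather than the plain-text list.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body", b"<div", b"<iframe")

# Constructed sample inputs (not real feed data).
GOOD_FEED = b"""# Binary Defense banlist - constructed sample
# updated: never
1.2.3.4
5.6.7.8

not-an-ip-line
"""

BLOCKPAGE = b"""<!DOCTYPE html>
<html><head><title>Access Denied</title></head>
<body><div class="blocked">Category: Security/Threat feeds</div>
<iframe src="/policy"></iframe></body></html>
"""


def looks_like_html(payload: bytes) -> bool:
    """True if the first part of the body contains an HTML tag marker."""
    head = payload.lstrip()[:1024].lower()
    return any(marker in head for marker in HTML_MARKERS)


def parse_line_feed(payload: bytes, description: str = DEFAULT_DESCRIPTION) -> List[Dict[str, str]]:
    """Apply the stanza's ignore/extract regexes line by line, mirroring
    fields: ip:$1,description:<constant>. Raises on an HTML body so a
    block page never becomes indicator records."""
    if looks_like_html(payload):
        raise ValueError("feed body is HTML (proxy block page or error page), refusing to parse")
    records = []
    for line in payload.decode("utf-8", errors="replace").splitlines():
        if IGNORE_RE.search(line):     # comment or blank line
            continue
        match = EXTRACT_RE.match(line)
        if not match:                  # line does not start with a digit
            continue
        records.append({"ip": match.group(1).strip(), "description": description})
    return records


def check_feed(payload: bytes) -> Dict[str, object]:
    """Wrapper returning a status dict instead of raising, for use in a
    pre-flight check before the modular input is trusted."""
    try:
        records = parse_line_feed(payload)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc), "records": []}
    if not records:
        return {"ok": False, "reason": "no indicators extracted", "records": []}
    return {"ok": True, "reason": "", "records": records}


if __name__ == "__main__":
    for name, body in (("good feed", GOOD_FEED), ("block page", BLOCKPAGE)):
        result = check_feed(body)
        print(name, "->", "OK" if result["ok"] else "REJECTED: " + str(result["reason"]),
              [r["ip"] for r in result["records"]])
```

Running it against the two constructed bodies: the good feed yields two ip records carrying the stanza's description, and the block page is rejected before any line is matched. On a real search head the equivalent check is to open the downloaded file under $SPLUNK_HOME/var/lib/splunk/modinputs/threatlist/ and confirm it starts with feed lines rather than an HTML document, or to compare the proxied download with the same URL fetched off-proxy.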
10-13-2021 01:17 AM (1 Karma)
<form>  <!-- added wrapper: dropdown inputs need a <form> root rather than <dashboard> -->
  <row>
    <panel>
      <title>panel_in_dashboard</title>
      <input type="dropdown" token="hosttoken">
        <label>host-token</label>
        <fieldForLabel>host</fieldForLabel>
        <fieldForValue>host</fieldForValue>
        <search>
          <query>| tstats c where index=test by host | table host</query>
          <earliest>-15m@m</earliest>
          <latest>now</latest>
        </search>
      </input>
      <chart>
        <title>test</title>
        <search>
          <query>| tstats c where index=test host=$hosttoken$ by host</query>
          <earliest>-15m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>  <!-- added closing tag; the original snippet left <row> open -->
</form>

Now you have a dropdown menu in your dashboard panel with a token. This token is used in the panel search. Currently the dropdown is populated by a search, but you can also include static values.
11-08-2019 03:06 AM
Something like this?
index=itsi_summary host= sourcetype=stash itsi_service_id== search_name=service_health_monitor itsi_kpi_id="SHKPI-" | timechart span=1mon avg(alert_value) AS AverageHealthScore | transpose header_field=_time
11-08-2019 02:58 AM (1 Karma)
Hi,
If you do a (distinct) count of something and there are no matching events, the result is 0.
This is expected behaviour, imho.
The resulting search is: | stats dc(USER_ID).
Perhaps you can create a counter field, where the result of an existing field is 0 or more. And without events this field will not be there?
eval counterfield=if(USER_ID=="",1,0)
08-13-2019 03:36 AM
In Splunk ITSI you have something like "Maintenance Schedule", where you set a time period which will "blackout" specific entities or services. Check out this link for more information: https://docs.splunk.com/Documentation/ITSI/4.0.3/Configure/MaintenanceWindows
In Splunk itself you could create a macro or lookup functionality which checks whether a maintenance release is active. The alert must then be configured to check this result. It is more work to set up at first, but when you release often it is quicker.
08-13-2019 03:29 AM
I have the same issue. I want to continue with the latest available value, but the result is 0. If you run, investigate and expand the generated search, you see ITSI is performing a | stats dc(USER_ID) and with a macro it stores the result in a cache.
Statistically, a result of no occurrences will result in the value 0.
I'm trying with streamstats, latest/earliest and such, but no luck yet.
08-13-2019 03:24 AM
Hi, I had the same issue with Splunk 7.0.3 and ITSI 4.2. Please check the issue ITSI-2309 on https://docs.splunk.com/Documentation/ITSI/4.0.3/ReleaseNotes/Knownissues#Predictive_Analytics. Let us know if that helps.
10-24-2018 03:39 AM
In the Service Analyzer you can select the tree view. There you can see the picture you've made. Furthermore, in the service edit window you can select/view the dependencies.