Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About rafamss
rafamss
Contributor
Member since:
08-08-2013
04-09-2025
Community Statistics
| Posts | 133 |
| Solutions | 13 |
| Karma Given | 91 |
| Karma Received | 29 |
| Member Since | 08-08-2013 |
Activity Feed
- Karma Re: Introducing the 2024 Splunk MVPs! for fredclown. 09-17-2024 04:00 PM
- Got Karma for Re: Help with SPL and REX for 2 separate ID's in 1 event. 05-07-2024 04:02 AM
- Got Karma for Re: Deployment Server cannot restart deployment clients after new changes have been downloaded. 05-06-2024 12:37 PM
- Posted Re: Deployment Server cannot restart deployment clients after new changes have been downloaded on Getting Data In. 05-06-2024 12:19 PM
- Got Karma for Re: how to retrive channel code from this json request. 05-05-2024 10:00 PM
- Posted Re: Splunk dashboard ppt ? on Feedback. 05-03-2024 11:52 AM
- Karma Re: Splunk dashboard ppt ? for deepakc. 05-03-2024 11:49 AM
- Posted Re: Help with SPL and REX for 2 separate ID's in 1 event on Splunk Search. 05-03-2024 11:21 AM
- Posted Re: how to retrive channel code from this json request on Splunk Search. 05-03-2024 10:53 AM
- Karma Introducing the 2024 Splunk MVPs! for SplunkCommunity. 04-29-2024 10:01 AM
- Got Karma for Re: Load balancing Splunk UF hosts that are also rsyslog receivers. 02-20-2024 10:28 AM
- Posted Re: Load balancing Splunk UF hosts that are also rsyslog receivers on Splunk Search. 02-16-2024 12:59 PM
- Tagged Re: Index doesn't show event anymore on Splunk Search. 02-16-2024 09:57 AM
- Tagged Re: Index doesn't show event anymore on Splunk Search. 02-16-2024 09:57 AM
- Posted Re: Index doesn't show event anymore on Splunk Search. 02-16-2024 09:42 AM
- Posted Re: Searching for "-" in IIS logs? on Splunk Search. 02-16-2024 09:39 AM
- Karma Re: Searching for "-" in IIS logs? for PickleRick. 02-16-2024 09:34 AM
- Karma Re: How do I disable Transparent Huge Pages (THP) and confirm that it is disabled? for mcederhage_splu. 11-07-2023 06:32 AM
- Posted Re: How to use the lookup table into a macro with parameters? on Splunk Search. 05-31-2023 10:44 AM
- Karma Re: How to use the lookup table into a macro with parameters? for gcusello. 05-31-2023 09:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
05-06-2024
12:19 PM
1 Karma
Hi @calvinmcelroy, This doc contains a few instructions related to scenarios as you mentioned: Install a Windows universal forwarder - Splunk Documentation About the least-privileged user For security purposes, avoid running the universal forwarder as a local system account or domain user, as it provides the user with high-risk permissions that aren't needed. When you install version 9.1 or higher of the universal forwarder, the installer creates a virtual account as a "least- privileged" user called splunkfwd, which provides only the capabilities necessary to run the universal forwarder. Since local user groups are not available on the domain controller, the GROUPPERFORMANCEMONITORUSERS flag is unavailable, which might affect WMI/perfmon inputs. To mitigate input issues, when you're installing with the installer, the default account is the local system on the domain controller. If you choose a different account to run the universal forwarder during installation, the universal forwarder service varies based on your choice: If you choose Local System, the universal forwarder runs Windows administrator full privilege. If you choose a domain account with Windows administrator privilege, the universal forwarder runs Windows administrator full privilege. If you choose a domain account without Windows administrator privilege, you select the privilege. Once you choose a non-administrator user to run the universal forwarder, this user becomes a "least privilege user" with limited permissions on Windows. Also, take a look at this point: Permission Function SeBackupPrivilege Check to grant the least privileged user READ(not WRITE) permissions for files. SeSecurityPrivilege Check to allow the user to collect Windows security event logs. SeImpersonatePrivilege Check to enable the capability to add the least privilege user to new Windows users/groups after the universal forwarder installation. This grants more permissions to the universal forwarder to collect data from secure sources. Happy Splunking, Rafael Santos Please, don't forget to accept this solution if it fits your needs
... View more
05-03-2024
11:52 AM
Hi @Karthi2018, If the answer provided by @deepakc was the solution, please accept that one. Happy splunking.
... View more
05-03-2024
11:21 AM
1 Karma
Hi @LizAndy123, Following the @gcusello understanding, I added a few more context to the results. | rex field=_raw "User-(?<User>\w+)\s+assigned\s+Role-(?<Operation_Type>.+?)\s(?<Where>.+?)\sto\s(?<ToUser>.+?)$" In these case, I'm supposing that you can tell to the stakeholders the following: User= The person who execute the operation Operation_Type= What operation was did Where= The asset that was changed in this operation ToUSer= The user whom received the permission
... View more
05-03-2024
10:53 AM
1 Karma
Hi @splunk6, The mvexpand should work but if not as you mentioned, maybe the rex command could fix that to you. To get all the matches of Channel: | makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex max_match=0 field=request "\,\"Channel\"\:\"(?<Channel>.+?)\"" To get only one result for the channel (the first one) by search: | makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex field=request "\,\"Channel\"\:\"(?<Channel>.+?)\"" Note: It's import to mention that I created the request field to add your REQUEST field value into the | makeresults, ok? In your code, you should use only the rex field=REQUEST with or without max_match=0. I hope it helps you. Happy splunking!
... View more
02-16-2024
12:59 PM
1 Karma
As @scelikok pointed out, it's not the scope of the UFs. Maybe you could change from UFs to HFs and have the job done? Because with HFs, you could receive the data from TCP/UDP ports, make some transformations or discards or data, and then, send it to Splunk. Kind regards, Rafael Santos
... View more
02-16-2024
09:42 AM
Hi @MattiaP, Did you validate if your license is active? If no logs are being shown, it could be related to your license. Kind regards, Rafael Santos
... View more
02-16-2024
09:39 AM
As @PickleRick replied, you can avoid this just by using the EVAL or applying filters to look for everything different from null or blank. You can also, create a field extraction using Regex to avoid situations like this, for example: | rex field=_raw cs_username="(?<cs_username>.+?)\"\s https://regex101.com/r/f6booK/1
... View more
05-31-2023
10:44 AM
Thank you all for the help but let me be more specifically. Macro definition: mymacro(1) - Based on the customer name, it should returns some fields, such as index, sourcetype, filters and so on. | eval customer="$arg1$" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields use_case_data_source | head 1 Search: The field returned by the macro, should fill the index field in the search. `mymacro(client_01)`
index=use_case_data_source Using Job Inspector, the eventSearch field is filled like this: search | eval customer="client_01" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields + use_case_data_source | search index=use_case_data_source Maybe, I'm missing something or I'm a little rusty.
... View more
05-30-2023
01:40 PM
I have a lookup table with filters and SPLs columns/values by product/client. I want to use a macro passing the product/client as an argument, and the result should be the entire filter or SPLs. Is there any way to do it?
For example:
index=X
`mymacro(productA)`
mymacro definition should return the values in the lookup table related to the productA. The search above should return all the fields, commands, and so on related to this productA and execute the search.
... View more
01-12-2022
09:01 AM
Hi @inventsekar, Thank you for the response. I'll try it later in a lab and go back here to tell you if it works. Thanks, RS
... View more
01-11-2022
12:37 PM
1 Karma
Is there some way (bulk is better) to update the email field in the alert action trigger through the search/rest?
... View more
Labels
- Labels:
-
alert action
-
alert condition
05-18-2021
06:24 AM
Thank you, @ITWhisperer. It worked fine.
... View more
05-14-2021
02:33 PM
Hi everyone, I have logs like the line below. I want to split the content of the request_headers field during search time. I tried to use spath, mvexpand, and split command, but without success. Could you help me? This log was anonymized using the scrub command. {"account_id":"000000000aaaa","audience":"qhau812n","caller":"christopher/logging.az:272","duration_seconds":5.1q-07,"forwarded_for":"43.021.022.16","host":"blue_car.n1l-prod.com","cassaundra":{"annotations":{"irmgard.p2z.coy/wxcmfcoKsdhourfZjjnnoe":"disabled","checksum/margarita":"721637kh01d24w0ww0kum20552n0vuuo0dih06y01061pmbq06223004f30230b1","cluster-marquerite.cassaundra.ws/safe-to-evict":"true","nga.christene.com/role":"aqsmvuyjwazaff-role-zlm912-0a","denisha.cassaundra.ws/guillermiNa":"1010-04-00I03:18:07-04:00","cassaundra.ws/bee":"ena.privileged","reloader.valentin.com/auto":"true"},"container_hash":"205509154532.blue.john.zzabc.christene.com/aqsmvuyjwazaff@rzv013:02vn2k3o301sql10le02ysn1jb42050gt2100k1b112lq72f1243v0601ao8j34x","container_image":"205509154532.eva.ken.zlm912-0a.christene.com/aqsmvuyjwazaff:10123u1","container_name":"aqsmvuyjwazaff","tressa_id":"2w0z641dn0155r0jn0e126ozu0be001uvb1ebz0470g55u11401x0zj1dt000djq","host":"ip-00-116-16-002.js1.internal","labels":{"app":"aqsmvuyjwazaff","app.cassaundra.ws/component":"yolando","app.cassaundra.ws/instance":"aqsmvuyjwazaff","app.cassaundra.ws/managed-by":"Helm","app.cassaundra.ws/name":"aqsmvuyjwazaff","app.cassaundra.ws/version":"10123u1","chart":"yolando-0.11.5","helm.sh/chart":"yolando-0.11.5","helm.sh/timestamp":"10200111020100","heritage":"Helm","pod-template-hash":"543312340d","n1l-architecture":"az-kit","n1l-cluster":"ena-svc","n1l-peter":"true","n1l-https":"true","n1l-yq":"false","n1l-hildegarde":"true","n1l-service-version":"10123u1","n1l-splunk":"true","n1l-tier":"yolando","grocerystore.ami/architecture":"az-kit","grocerystore.ami/cluster":"ena-svc","grocerystore.ami/peter":"true","grocerystore.ami/https":"true","grocerystore.ami/yq":"false","grocerystore.ami/hildegarde":"true","grocerystore.ami/selector-label":"aqsmvuyjwazaff","grocerystore.ami/splunk":"true"},"alexandra_name":"n1l","pod_id":"z50s6323-x5zm-435e-p1m2-tdqr6383m030","pod_name":"aqsmvuyjwazaff-deployment-543312340d-gc0is"},"level":"error","method":"GET","method_name":"AlrYcgwqpofDngmftgihrqpZzmhcWbXnsbhmpl","msg":"completed request","proto":"HTTP/1.1","remote_address":"12.10.21.0:25004","request_headers":"{\"Accept-Encoding\":[\"gzip\"],\"Origin\":[\"www.grocerystore.ami\"],\"User-Agent\":[\"Evelia AufroSuwbg\"],\"Via\":[\"1.1 0010z4437f3bd4031q6cfn0051l0h10b.aufrosuwbg.net (AufroSuwbg)\"],\"X-Bob-Mk-Id\":[\"MlxVFb3Yiob0Qh5l_wPlZf_kmtQiRAkvLSBvxIYQR1NhgR46KuE1ct==\"],\"X-Forwarded-For\":[\"43.021.022.16\",\"12.10.20.14\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Oe-Fingerprint\":[\"y-lue-db-l-x-x-013wj11b-00000000-471uga2k-00000000-p2wcw222-n-x-1.1-u-x-x-n-n\"]}","request_path":"/tad/x-mens/availability/bear/113202/month?start_date=1010-07-00J00:00:00.000H","response_code":400,"response_size":0,"felicitas_body_strings":[],"stacktrace":"*errors.charlEsetta client:query not encoded\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/blue_car/shared/helper_functions.az:226 (0n01g02n7)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/blue_car-server/rest-blue_car/transport_availability.az:005 (0d02p000c)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.cgmwskbczdos.com/N1L/H0IFrylh/christopher/server_options_http.az:021 (0tkg64ou)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/az-kit/kit/transport/http/server.az:102 (0jo23322)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/azrilla/lan/lan.az:100 (0m0332102)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/azrilla/handlers/russ.az:106 (0m602mx7)\n/usr/local/az/src/net/http/server.az:1830 (0y10q110)\n/usr/local/az/src/net/http/server.az:0620 (0e70433a)\n/usr/local/az/src/runtime/rae_qmd51.s:1310 (0t150fa0)","stream":"marlon","time":"1010-04-02B00:59:08.056537201B","transaction_id":"00v0002j-1n7s-3m23-5kw4-264164hj13p0","ts":"1010-04-02B00:59:08.083V","type":"HTTP"} Thanks.
... View more
Labels
- Labels:
-
field extraction
-
JSON
12-18-2020
11:24 AM
Well, crew! Splunk showed the two latest events, so I followed a tip to send these events to a lookup table and use this lookup table to transform and present the data! It's working fine and with good performance. Thank you all.
... View more
12-11-2020
11:00 AM
Hi crew, I have a JSON file from Vulnerability services generated one time per hour, and I just needed to get the last _raw event. How is it possible? I want to show the data from the last 7 or 15 days using this condiction. | rename Issues{}.details AS details Issues{}.file AS file Issues{}.severity AS severity Issues{}.confidence AS confidence Issues{}.line AS line
| eval tempField=mvzip(mvzip(mvzip(mvzip(details, file), severity), confidence), line)
| stats count by _time, service, source, tempField
| eval details=mvindex(split(tempField,","),0), file=mvindex(split(tempField,","),1), severity=mvindex(split(tempField,","),2), confidence=mvindex(split(tempField,","),3), line=mvindex(split(tempField, ","),4)
| stats max(_time) AS latest, count AS Issues by _time, severity
| sort - _time
... View more
Labels
- Labels:
-
table
12-08-2020
12:58 PM
Can you explain more about what you want? What I understood is: The first index have the initial information, like email, user ID, and so on, The second one is the information related to event stats like blocks, success, etc. Is that right?
... View more
12-08-2020
12:16 PM
1 Karma
Hi, I think this search could resolve what you need. It's important to analyze how this output field presents the data. Look at the end of each rex extraction, if the line ends after the value changes from \s to $ or from \s to \n . | makeresults
| eval output="Subject : C=US, ST=California, L=San Jose, O=Jimmy's Bar & Grill, OU=Kitchen, CN=jimmysbarandgrill.com
Issuer : C=US, O=DigiCert Inc, CN=DigiCert Global CA G2
Not valid before : Jan 29 00:00:00 2019 GMT
Not valid after : Jan 29 12:00:00 2021 GMT"
| rex field=output "Subject.*CN\=(?<CommonName>.+?)\s"
| rex field=output "Issuer.*CN\=(?<Issuer>.+?)\n"
| rex field=output "before\s\:\s(?<Before>.+?)\n"
| rex field=output "after.*\:\s(?<After>.+?)$"
... View more
12-08-2020
11:45 AM
I used these two commands below to perform what you are doing. You can use your personal rule to trigger an alert or just monitor it in a Dashboard for example. #01 - Monitor the incoming data from hosts
| metadata type=hosts
| convert ctime(lastTime), cTime(recentTime)
#02 - Monitor the incoming data from sourcetypes
| metadata type=sourcetypes
| convert ctime(lastTime), cTime(recentTime)
#03 - Monitor the incoming data from an specific index
| metadata type=sourcetypes index=_internal
| convert ctime(lastTime), cTime(recentTime) And take a look at this post on Splunk' Blog: https://www.splunk.com/en_us/blog/tips-and-tricks/metadata-metalore.html
... View more
12-08-2020
11:37 AM
Hey, Did you see this topic: https://community.splunk.com/t5/Splunk-Search/Timecharts-and-how-to-avoid-quot-no-results-found-inspect-quot/m-p/162563 They resolved the same problem that you are facing.
... View more
12-08-2020
11:26 AM
I used your example, and it worked for me. Did you try this way? | makeresults
| eval ua = "Mozilla%2f5.0%20(X11%3b%20Linux%20x86_64)%20AppleWebKit%2f537.36%20(KHTML,%20like%20Gecko)%20Chrome%2f70.0.3538.77%20Safari%2f537.36"
| eval uadecoded = urldecode(ua)
... View more
11-11-2020
06:36 AM
I need to validate if the credit card number is valid on search time, but for what I've found, is necessary to use the Luhn algorithm (modulus10) to do this. So I think, that it won't be possible to do just using SPL.
... View more
11-10-2020
02:08 PM
Hello everyone, I'm using the SPL to get credit card numbers on search time (I would like to maintain this on search time) : | rex field=_raw "(?<firstStep_CC>(?:\d[ -]*?){13,30})"
| eval secondStep_CC=replace(firstStep_CC, "\-|\s|\.", "")
| rex field=secondStep_CC "(?<creditcard>^4[0-9]{12}(?:[0-9]{3})?)|(^5[1-5][0-9]{14})|(^6(?:011|5[0-9][0-9])[0-9]{12})|(^3[47][0-9]{13})|(^3(?:0[0-5]|[68][0-9])[0-9]{11})|((?:2131|1800|35\d{3})\d{11})" With this SPL I get possible credit card numbers, but invalid numbers as well. Do you need a way to get only valid numbers? I thought to split each digit from creditcard and do a mod10 verification, but I don't know if it's efficient. I read a lot of posts like these: https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-luhn-How-to-use-the-luhn-command-and-how-to-apply-a-regex-to/m-p/221518 https://wiki.splunk.com/Community:Credit_card_masking_regex Tks!
... View more
10-20-2020
01:21 PM
Hi @inventsekar, Thank you for your answer. Well, I understand your point but what I want to do is display the list of alerts that weren't fired, for example: An alert to send an email every time that a root account logs into a system, this alert needs to run every time and I want to know if the alert couldn't run.
... View more
10-20-2020
11:24 AM
1 Karma
Hello everyone, I have a good search (SPL) to see what was the last fired alerts but I don't have one to see what was not, do you how to do? Regards, Rafael Santos
... View more
Labels
- Labels:
-
alert condition
09-22-2020
02:48 PM
1 Karma
I've had the same problem and I updated the add-on with this patch from Checkpoint. You could try this @junedec21 . https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=50832
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-09-2025
07:59 AM
|
Karma given to
