Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rafamss
rafamss
Contributor
Member since:
08-08-2013
03-23-2022
Community Statistics
| Posts | 124 |
| Solutions | 12 |
| Karma Given | 81 |
| Karma Received | 25 |
| Member Since | 08-08-2013 |
Activity Feed
- Posted Re: Bulk update action email trigger on Alerting. 01-12-2022 09:01 AM
- Got Karma for Bulk update action email trigger. 01-11-2022 06:33 PM
- Posted Bulk update action email trigger on Alerting. 01-11-2022 12:37 PM
- Tagged Bulk update action email trigger on Alerting. 01-11-2022 12:37 PM
- Tagged Bulk update action email trigger on Alerting. 01-11-2022 12:37 PM
- Karma Re: How do I change the owner of alerts in splunk web UI or conf file? for acharlieh. 09-22-2021 01:16 PM
- Karma Re: Rex mode=sed diff between replace and substitute for dwaddle. 09-01-2021 07:18 PM
- Karma Re: Is it possible to get a list of available indices? for PickleRick. 09-01-2021 02:23 PM
- Got Karma for Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate fr. 08-23-2021 04:26 AM
- Posted Re: Split the content of a JSON string that is inside a JSON data log on Getting Data In. 05-18-2021 06:24 AM
- Posted Split the content of a JSON string that is inside a JSON data log on Getting Data In. 05-14-2021 02:33 PM
- Karma Call for Volunteers: Help us Decide What Makes the .conf21 Stage! for bjennewein. 04-27-2021 06:13 AM
- Karma Re: Is there a numeric alternative to date_month? for lguinn2. 01-04-2021 06:13 AM
- Posted Re: Get the last _raw events - JSON file on Dashboards & Visualizations. 12-18-2020 11:24 AM
- Karma Re: How to show the total size of events from a source for woodcock. 12-15-2020 12:29 PM
- Posted Get the last _raw events - JSON file on Dashboards & Visualizations. 12-11-2020 11:00 AM
- Tagged Get the last _raw events - JSON file on Dashboards & Visualizations. 12-11-2020 11:00 AM
- Tagged Get the last _raw events - JSON file on Dashboards & Visualizations. 12-11-2020 11:00 AM
- Posted Re: How to correlate an event using two different indexes? on Splunk Search. 12-08-2020 12:58 PM
- Karma Re: Extracting new fields from data in another field for squoggle. 12-08-2020 12:50 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
01-12-2022
09:01 AM
Hi @inventsekar, Thank you for the response. I'll try it later in a lab and go back here to tell you if it works. Thanks, RS
... View more
01-11-2022
12:37 PM
1 Karma
Is there some way (bulk is better) to update the email field in the alert action trigger through the search/rest?
... View more
Labels
- Labels:
-
alert action
-
alert condition
05-18-2021
06:24 AM
Thank you, @ITWhisperer. It worked fine.
... View more
05-14-2021
02:33 PM
Hi everyone, I have logs like the line below. I want to split the content of the request_headers field during search time. I tried to use spath, mvexpand, and split command, but without success. Could you help me? This log was anonymized using the scrub command. {"account_id":"000000000aaaa","audience":"qhau812n","caller":"christopher/logging.az:272","duration_seconds":5.1q-07,"forwarded_for":"43.021.022.16","host":"blue_car.n1l-prod.com","cassaundra":{"annotations":{"irmgard.p2z.coy/wxcmfcoKsdhourfZjjnnoe":"disabled","checksum/margarita":"721637kh01d24w0ww0kum20552n0vuuo0dih06y01061pmbq06223004f30230b1","cluster-marquerite.cassaundra.ws/safe-to-evict":"true","nga.christene.com/role":"aqsmvuyjwazaff-role-zlm912-0a","denisha.cassaundra.ws/guillermiNa":"1010-04-00I03:18:07-04:00","cassaundra.ws/bee":"ena.privileged","reloader.valentin.com/auto":"true"},"container_hash":"205509154532.blue.john.zzabc.christene.com/aqsmvuyjwazaff@rzv013:02vn2k3o301sql10le02ysn1jb42050gt2100k1b112lq72f1243v0601ao8j34x","container_image":"205509154532.eva.ken.zlm912-0a.christene.com/aqsmvuyjwazaff:10123u1","container_name":"aqsmvuyjwazaff","tressa_id":"2w0z641dn0155r0jn0e126ozu0be001uvb1ebz0470g55u11401x0zj1dt000djq","host":"ip-00-116-16-002.js1.internal","labels":{"app":"aqsmvuyjwazaff","app.cassaundra.ws/component":"yolando","app.cassaundra.ws/instance":"aqsmvuyjwazaff","app.cassaundra.ws/managed-by":"Helm","app.cassaundra.ws/name":"aqsmvuyjwazaff","app.cassaundra.ws/version":"10123u1","chart":"yolando-0.11.5","helm.sh/chart":"yolando-0.11.5","helm.sh/timestamp":"10200111020100","heritage":"Helm","pod-template-hash":"543312340d","n1l-architecture":"az-kit","n1l-cluster":"ena-svc","n1l-peter":"true","n1l-https":"true","n1l-yq":"false","n1l-hildegarde":"true","n1l-service-version":"10123u1","n1l-splunk":"true","n1l-tier":"yolando","grocerystore.ami/architecture":"az-kit","grocerystore.ami/cluster":"ena-svc","grocerystore.ami/peter":"true","grocerystore.ami/https":"true","grocerystore.ami/yq":"false","grocerystore.ami/hildegarde":"true","grocerystore.ami/selector-label":"aqsmvuyjwazaff","grocerystore.ami/splunk":"true"},"alexandra_name":"n1l","pod_id":"z50s6323-x5zm-435e-p1m2-tdqr6383m030","pod_name":"aqsmvuyjwazaff-deployment-543312340d-gc0is"},"level":"error","method":"GET","method_name":"AlrYcgwqpofDngmftgihrqpZzmhcWbXnsbhmpl","msg":"completed request","proto":"HTTP/1.1","remote_address":"12.10.21.0:25004","request_headers":"{\"Accept-Encoding\":[\"gzip\"],\"Origin\":[\"www.grocerystore.ami\"],\"User-Agent\":[\"Evelia AufroSuwbg\"],\"Via\":[\"1.1 0010z4437f3bd4031q6cfn0051l0h10b.aufrosuwbg.net (AufroSuwbg)\"],\"X-Bob-Mk-Id\":[\"MlxVFb3Yiob0Qh5l_wPlZf_kmtQiRAkvLSBvxIYQR1NhgR46KuE1ct==\"],\"X-Forwarded-For\":[\"43.021.022.16\",\"12.10.20.14\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Oe-Fingerprint\":[\"y-lue-db-l-x-x-013wj11b-00000000-471uga2k-00000000-p2wcw222-n-x-1.1-u-x-x-n-n\"]}","request_path":"/tad/x-mens/availability/bear/113202/month?start_date=1010-07-00J00:00:00.000H","response_code":400,"response_size":0,"felicitas_body_strings":[],"stacktrace":"*errors.charlEsetta client:query not encoded\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/blue_car/shared/helper_functions.az:226 (0n01g02n7)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/blue_car-server/rest-blue_car/transport_availability.az:005 (0d02p000c)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.cgmwskbczdos.com/N1L/H0IFrylh/christopher/server_options_http.az:021 (0tkg64ou)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/az-kit/kit/transport/http/server.az:102 (0jo23322)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/azrilla/lan/lan.az:100 (0m0332102)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/azrilla/handlers/russ.az:106 (0m602mx7)\n/usr/local/az/src/net/http/server.az:1830 (0y10q110)\n/usr/local/az/src/net/http/server.az:0620 (0e70433a)\n/usr/local/az/src/runtime/rae_qmd51.s:1310 (0t150fa0)","stream":"marlon","time":"1010-04-02B00:59:08.056537201B","transaction_id":"00v0002j-1n7s-3m23-5kw4-264164hj13p0","ts":"1010-04-02B00:59:08.083V","type":"HTTP"} Thanks.
... View more
Labels
- Labels:
-
field extraction
-
JSON
12-18-2020
11:24 AM
Well, crew! Splunk showed the two latest events, so I followed a tip to send these events to a lookup table and use this lookup table to transform and present the data! It's working fine and with good performance. Thank you all.
... View more
12-11-2020
11:00 AM
Hi crew, I have a JSON file from Vulnerability services generated one time per hour, and I just needed to get the last _raw event. How is it possible? I want to show the data from the last 7 or 15 days using this condiction. | rename Issues{}.details AS details Issues{}.file AS file Issues{}.severity AS severity Issues{}.confidence AS confidence Issues{}.line AS line
| eval tempField=mvzip(mvzip(mvzip(mvzip(details, file), severity), confidence), line)
| stats count by _time, service, source, tempField
| eval details=mvindex(split(tempField,","),0), file=mvindex(split(tempField,","),1), severity=mvindex(split(tempField,","),2), confidence=mvindex(split(tempField,","),3), line=mvindex(split(tempField, ","),4)
| stats max(_time) AS latest, count AS Issues by _time, severity
| sort - _time
... View more
Labels
- Labels:
-
table
12-08-2020
12:58 PM
Can you explain more about what you want? What I understood is: The first index have the initial information, like email, user ID, and so on, The second one is the information related to event stats like blocks, success, etc. Is that right?
... View more
12-08-2020
12:16 PM
1 Karma
Hi, I think this search could resolve what you need. It's important to analyze how this output field presents the data. Look at the end of each rex extraction, if the line ends after the value changes from \s to $ or from \s to \n . | makeresults
| eval output="Subject : C=US, ST=California, L=San Jose, O=Jimmy's Bar & Grill, OU=Kitchen, CN=jimmysbarandgrill.com
Issuer : C=US, O=DigiCert Inc, CN=DigiCert Global CA G2
Not valid before : Jan 29 00:00:00 2019 GMT
Not valid after : Jan 29 12:00:00 2021 GMT"
| rex field=output "Subject.*CN\=(?<CommonName>.+?)\s"
| rex field=output "Issuer.*CN\=(?<Issuer>.+?)\n"
| rex field=output "before\s\:\s(?<Before>.+?)\n"
| rex field=output "after.*\:\s(?<After>.+?)$"
... View more
12-08-2020
11:45 AM
I used these two commands below to perform what you are doing. You can use your personal rule to trigger an alert or just monitor it in a Dashboard for example. #01 - Monitor the incoming data from hosts
| metadata type=hosts
| convert ctime(lastTime), cTime(recentTime)
#02 - Monitor the incoming data from sourcetypes
| metadata type=sourcetypes
| convert ctime(lastTime), cTime(recentTime)
#03 - Monitor the incoming data from an specific index
| metadata type=sourcetypes index=_internal
| convert ctime(lastTime), cTime(recentTime) And take a look at this post on Splunk' Blog: https://www.splunk.com/en_us/blog/tips-and-tricks/metadata-metalore.html
... View more
12-08-2020
11:37 AM
Hey, Did you see this topic: https://community.splunk.com/t5/Splunk-Search/Timecharts-and-how-to-avoid-quot-no-results-found-inspect-quot/m-p/162563 They resolved the same problem that you are facing.
... View more
12-08-2020
11:26 AM
I used your example, and it worked for me. Did you try this way? | makeresults
| eval ua = "Mozilla%2f5.0%20(X11%3b%20Linux%20x86_64)%20AppleWebKit%2f537.36%20(KHTML,%20like%20Gecko)%20Chrome%2f70.0.3538.77%20Safari%2f537.36"
| eval uadecoded = urldecode(ua)
... View more
11-11-2020
06:36 AM
I need to validate if the credit card number is valid on search time, but for what I've found, is necessary to use the Luhn algorithm (modulus10) to do this. So I think, that it won't be possible to do just using SPL.
... View more
11-10-2020
02:08 PM
Hello everyone, I'm using the SPL to get credit card numbers on search time (I would like to maintain this on search time) : | rex field=_raw "(?<firstStep_CC>(?:\d[ -]*?){13,30})"
| eval secondStep_CC=replace(firstStep_CC, "\-|\s|\.", "")
| rex field=secondStep_CC "(?<creditcard>^4[0-9]{12}(?:[0-9]{3})?)|(^5[1-5][0-9]{14})|(^6(?:011|5[0-9][0-9])[0-9]{12})|(^3[47][0-9]{13})|(^3(?:0[0-5]|[68][0-9])[0-9]{11})|((?:2131|1800|35\d{3})\d{11})" With this SPL I get possible credit card numbers, but invalid numbers as well. Do you need a way to get only valid numbers? I thought to split each digit from creditcard and do a mod10 verification, but I don't know if it's efficient. I read a lot of posts like these: https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-luhn-How-to-use-the-luhn-command-and-how-to-apply-a-regex-to/m-p/221518 https://wiki.splunk.com/Community:Credit_card_masking_regex Tks!
... View more
10-20-2020
01:21 PM
Hi @inventsekar, Thank you for your answer. Well, I understand your point but what I want to do is display the list of alerts that weren't fired, for example: An alert to send an email every time that a root account logs into a system, this alert needs to run every time and I want to know if the alert couldn't run.
... View more
10-20-2020
11:24 AM
1 Karma
Hello everyone, I have a good search (SPL) to see what was the last fired alerts but I don't have one to see what was not, do you how to do? Regards, Rafael Santos
... View more
Labels
- Labels:
-
alert condition
09-22-2020
02:48 PM
1 Karma
I've had the same problem and I updated the add-on with this patch from Checkpoint. You could try this @junedec21 . https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=50832
... View more
09-12-2019
05:26 PM
Hi @lbhkshueler ,
First, Are you using the trial Enterprise license? Is it in the period of trial yet? If yes, see this: https://docs.splunk.com/Documentation/MSExchange/3.5.2/DeployMSX/Permissionschecklist
https://docs.splunk.com/Documentation/MSExchange/3.5.2/DeployMSX/WhataSplunkforMicrosoftExchangedeploymentlookslike
Otherwise, please look at this documents:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/TypesofSplunklicenses#Compare_Splunk_Enterprise_license_behavior
https://docs.splunk.com/Documentation/MSExchange/3.5.2/DeployMSX/Platformandhardwarerequirements
Note: A Splunk App for Microsoft Exchange license The Splunk App for Microsoft Exchange requires a license for indexing volume in addition to the license you get for Splunk Enterprise. See Install a license.
... View more
09-02-2019
12:52 PM
@ashikuma,
Do you have Monitoring Console deployed in your environment? In affirmative case, I suggest to you see the Indexer reports to see some important information like indexing pipeline, indexing receiving queue, forwarding issues and the use of hardware resources. Beside that, please see the role assigned to each one of your indexers.
RM
... View more
09-02-2019
09:45 AM
@koskyk, I did the architect re-certification at the last Saturday and here is what I did to achieve this:
I studied hard for almost two weeks (lectures);
Developed a simulated exam with exactly 90 questions (using the official training materials I had);
I did the simulated exam in a clean and quite place with the same rules of the official exam - 90 minutes to 90 questions;
This steps helped me to achieve the re-certification - I didn't do nothing beside this but I'm currently work like an Architect and Admin and it's help as well.
The exam have questions about use of commands, scenarios, types of clustering, components, basically what is described in the Blueprint document: https://www.splunk.com/pdfs/training/Splunk-Test-Blueprint-Architect-v.1.1.pdf
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-23-2022
05:07 PM
|
