Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rafamss
rafamss
Contributor
Member since:
08-08-2013
a week ago
Community Statistics
| Posts | 126 |
| Solutions | 12 |
| Karma Given | 85 |
| Karma Received | 25 |
| Member Since | 08-08-2013 |
Activity Feed
- Posted Re: How to use the lookup table into a macro with parameters? on Splunk Search. a week ago
- Karma Re: How to use the lookup table into a macro with parameters? for woodcock. a week ago
- Karma Re: How to use the lookup table into a macro with parameters? for isoutamo. a week ago
- Karma Re: How to use the lookup table into a macro with parameters? for gcusello. a week ago
- Karma Re: Use the lookup table into a macro with parameters for richgalloway. a week ago
- Posted How to use the lookup table into a macro with parameters? on Splunk Search. a week ago
- Tagged How to use the lookup table into a macro with parameters? on Splunk Search. a week ago
- Tagged How to use the lookup table into a macro with parameters? on Splunk Search. a week ago
- Posted Re: Bulk update action email trigger on Alerting. 01-12-2022 09:01 AM
- Got Karma for Bulk update action email trigger. 01-11-2022 06:33 PM
- Posted Bulk update action email trigger on Alerting. 01-11-2022 12:37 PM
- Tagged Bulk update action email trigger on Alerting. 01-11-2022 12:37 PM
- Tagged Bulk update action email trigger on Alerting. 01-11-2022 12:37 PM
- Karma Re: How do I change the owner of alerts in splunk web UI or conf file? for acharlieh. 09-22-2021 01:16 PM
- Karma Re: Rex mode=sed diff between replace and substitute for dwaddle. 09-01-2021 07:18 PM
- Karma Re: Is it possible to get a list of available indices? for PickleRick. 09-01-2021 02:23 PM
- Got Karma for Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate fr. 08-23-2021 04:26 AM
- Posted Re: Split the content of a JSON string that is inside a JSON data log on Getting Data In. 05-18-2021 06:24 AM
- Posted Split the content of a JSON string that is inside a JSON data log on Getting Data In. 05-14-2021 02:33 PM
- Karma Call for Volunteers: Help us Decide What Makes the .conf21 Stage! for bjennewein. 04-27-2021 06:13 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
a week ago
Thank you all for the help but let me be more specifically. Macro definition: mymacro(1) - Based on the customer name, it should returns some fields, such as index, sourcetype, filters and so on. | eval customer="$arg1$" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields use_case_data_source | head 1 Search: The field returned by the macro, should fill the index field in the search. `mymacro(client_01)`
index=use_case_data_source Using Job Inspector, the eventSearch field is filled like this: search | eval customer="client_01" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields + use_case_data_source | search index=use_case_data_source Maybe, I'm missing something or I'm a little rusty.
... View more
a week ago
I have a lookup table with filters and SPLs columns/values by product/client. I want to use a macro passing the product/client as an argument, and the result should be the entire filter or SPLs. Is there any way to do it?
For example:
index=X
`mymacro(productA)`
mymacro definition should return the values in the lookup table related to the productA. The search above should return all the fields, commands, and so on related to this productA and execute the search.
... View more
01-12-2022
09:01 AM
Hi @inventsekar, Thank you for the response. I'll try it later in a lab and go back here to tell you if it works. Thanks, RS
... View more
01-11-2022
12:37 PM
1 Karma
Is there some way (bulk is better) to update the email field in the alert action trigger through the search/rest?
... View more
Labels
- Labels:
-
alert action
-
alert condition
05-18-2021
06:24 AM
Thank you, @ITWhisperer. It worked fine.
... View more
05-14-2021
02:33 PM
Hi everyone, I have logs like the line below. I want to split the content of the request_headers field during search time. I tried to use spath, mvexpand, and split command, but without success. Could you help me? This log was anonymized using the scrub command. {"account_id":"000000000aaaa","audience":"qhau812n","caller":"christopher/logging.az:272","duration_seconds":5.1q-07,"forwarded_for":"43.021.022.16","host":"blue_car.n1l-prod.com","cassaundra":{"annotations":{"irmgard.p2z.coy/wxcmfcoKsdhourfZjjnnoe":"disabled","checksum/margarita":"721637kh01d24w0ww0kum20552n0vuuo0dih06y01061pmbq06223004f30230b1","cluster-marquerite.cassaundra.ws/safe-to-evict":"true","nga.christene.com/role":"aqsmvuyjwazaff-role-zlm912-0a","denisha.cassaundra.ws/guillermiNa":"1010-04-00I03:18:07-04:00","cassaundra.ws/bee":"ena.privileged","reloader.valentin.com/auto":"true"},"container_hash":"205509154532.blue.john.zzabc.christene.com/aqsmvuyjwazaff@rzv013:02vn2k3o301sql10le02ysn1jb42050gt2100k1b112lq72f1243v0601ao8j34x","container_image":"205509154532.eva.ken.zlm912-0a.christene.com/aqsmvuyjwazaff:10123u1","container_name":"aqsmvuyjwazaff","tressa_id":"2w0z641dn0155r0jn0e126ozu0be001uvb1ebz0470g55u11401x0zj1dt000djq","host":"ip-00-116-16-002.js1.internal","labels":{"app":"aqsmvuyjwazaff","app.cassaundra.ws/component":"yolando","app.cassaundra.ws/instance":"aqsmvuyjwazaff","app.cassaundra.ws/managed-by":"Helm","app.cassaundra.ws/name":"aqsmvuyjwazaff","app.cassaundra.ws/version":"10123u1","chart":"yolando-0.11.5","helm.sh/chart":"yolando-0.11.5","helm.sh/timestamp":"10200111020100","heritage":"Helm","pod-template-hash":"543312340d","n1l-architecture":"az-kit","n1l-cluster":"ena-svc","n1l-peter":"true","n1l-https":"true","n1l-yq":"false","n1l-hildegarde":"true","n1l-service-version":"10123u1","n1l-splunk":"true","n1l-tier":"yolando","grocerystore.ami/architecture":"az-kit","grocerystore.ami/cluster":"ena-svc","grocerystore.ami/peter":"true","grocerystore.ami/https":"true","grocerystore.ami/yq":"false","grocerystore.ami/hildegarde":"true","grocerystore.ami/selector-label":"aqsmvuyjwazaff","grocerystore.ami/splunk":"true"},"alexandra_name":"n1l","pod_id":"z50s6323-x5zm-435e-p1m2-tdqr6383m030","pod_name":"aqsmvuyjwazaff-deployment-543312340d-gc0is"},"level":"error","method":"GET","method_name":"AlrYcgwqpofDngmftgihrqpZzmhcWbXnsbhmpl","msg":"completed request","proto":"HTTP/1.1","remote_address":"12.10.21.0:25004","request_headers":"{\"Accept-Encoding\":[\"gzip\"],\"Origin\":[\"www.grocerystore.ami\"],\"User-Agent\":[\"Evelia AufroSuwbg\"],\"Via\":[\"1.1 0010z4437f3bd4031q6cfn0051l0h10b.aufrosuwbg.net (AufroSuwbg)\"],\"X-Bob-Mk-Id\":[\"MlxVFb3Yiob0Qh5l_wPlZf_kmtQiRAkvLSBvxIYQR1NhgR46KuE1ct==\"],\"X-Forwarded-For\":[\"43.021.022.16\",\"12.10.20.14\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Oe-Fingerprint\":[\"y-lue-db-l-x-x-013wj11b-00000000-471uga2k-00000000-p2wcw222-n-x-1.1-u-x-x-n-n\"]}","request_path":"/tad/x-mens/availability/bear/113202/month?start_date=1010-07-00J00:00:00.000H","response_code":400,"response_size":0,"felicitas_body_strings":[],"stacktrace":"*errors.charlEsetta client:query not encoded\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/blue_car/shared/helper_functions.az:226 (0n01g02n7)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/blue_car-server/rest-blue_car/transport_availability.az:005 (0d02p000c)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.cgmwskbczdos.com/N1L/H0IFrylh/christopher/server_options_http.az:021 (0tkg64ou)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/az-kit/kit/transport/http/server.az:102 (0jo23322)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/azrilla/lan/lan.az:100 (0m0332102)\n/az/src/barbie.cgmwskbczdos.com/N1L/AqsmvuyJwazaff/vendor/barbie.com/azrilla/handlers/russ.az:106 (0m602mx7)\n/usr/local/az/src/net/http/server.az:1830 (0y10q110)\n/usr/local/az/src/net/http/server.az:0620 (0e70433a)\n/usr/local/az/src/runtime/rae_qmd51.s:1310 (0t150fa0)","stream":"marlon","time":"1010-04-02B00:59:08.056537201B","transaction_id":"00v0002j-1n7s-3m23-5kw4-264164hj13p0","ts":"1010-04-02B00:59:08.083V","type":"HTTP"} Thanks.
... View more
Labels
- Labels:
-
field extraction
-
JSON
12-18-2020
11:24 AM
Well, crew! Splunk showed the two latest events, so I followed a tip to send these events to a lookup table and use this lookup table to transform and present the data! It's working fine and with good performance. Thank you all.
... View more
12-11-2020
11:00 AM
Hi crew, I have a JSON file from Vulnerability services generated one time per hour, and I just needed to get the last _raw event. How is it possible? I want to show the data from the last 7 or 15 days using this condiction. | rename Issues{}.details AS details Issues{}.file AS file Issues{}.severity AS severity Issues{}.confidence AS confidence Issues{}.line AS line
| eval tempField=mvzip(mvzip(mvzip(mvzip(details, file), severity), confidence), line)
| stats count by _time, service, source, tempField
| eval details=mvindex(split(tempField,","),0), file=mvindex(split(tempField,","),1), severity=mvindex(split(tempField,","),2), confidence=mvindex(split(tempField,","),3), line=mvindex(split(tempField, ","),4)
| stats max(_time) AS latest, count AS Issues by _time, severity
| sort - _time
... View more
Labels
- Labels:
-
table
12-08-2020
12:58 PM
Can you explain more about what you want? What I understood is: The first index have the initial information, like email, user ID, and so on, The second one is the information related to event stats like blocks, success, etc. Is that right?
... View more
12-08-2020
12:16 PM
1 Karma
Hi, I think this search could resolve what you need. It's important to analyze how this output field presents the data. Look at the end of each rex extraction, if the line ends after the value changes from \s to $ or from \s to \n . | makeresults
| eval output="Subject : C=US, ST=California, L=San Jose, O=Jimmy's Bar & Grill, OU=Kitchen, CN=jimmysbarandgrill.com
Issuer : C=US, O=DigiCert Inc, CN=DigiCert Global CA G2
Not valid before : Jan 29 00:00:00 2019 GMT
Not valid after : Jan 29 12:00:00 2021 GMT"
| rex field=output "Subject.*CN\=(?<CommonName>.+?)\s"
| rex field=output "Issuer.*CN\=(?<Issuer>.+?)\n"
| rex field=output "before\s\:\s(?<Before>.+?)\n"
| rex field=output "after.*\:\s(?<After>.+?)$"
... View more
12-08-2020
11:45 AM
I used these two commands below to perform what you are doing. You can use your personal rule to trigger an alert or just monitor it in a Dashboard for example. #01 - Monitor the incoming data from hosts
| metadata type=hosts
| convert ctime(lastTime), cTime(recentTime)
#02 - Monitor the incoming data from sourcetypes
| metadata type=sourcetypes
| convert ctime(lastTime), cTime(recentTime)
#03 - Monitor the incoming data from an specific index
| metadata type=sourcetypes index=_internal
| convert ctime(lastTime), cTime(recentTime) And take a look at this post on Splunk' Blog: https://www.splunk.com/en_us/blog/tips-and-tricks/metadata-metalore.html
... View more
12-08-2020
11:37 AM
Hey, Did you see this topic: https://community.splunk.com/t5/Splunk-Search/Timecharts-and-how-to-avoid-quot-no-results-found-inspect-quot/m-p/162563 They resolved the same problem that you are facing.
... View more
12-08-2020
11:26 AM
I used your example, and it worked for me. Did you try this way? | makeresults
| eval ua = "Mozilla%2f5.0%20(X11%3b%20Linux%20x86_64)%20AppleWebKit%2f537.36%20(KHTML,%20like%20Gecko)%20Chrome%2f70.0.3538.77%20Safari%2f537.36"
| eval uadecoded = urldecode(ua)
... View more
11-11-2020
06:36 AM
I need to validate if the credit card number is valid on search time, but for what I've found, is necessary to use the Luhn algorithm (modulus10) to do this. So I think, that it won't be possible to do just using SPL.
... View more
11-10-2020
02:08 PM
Hello everyone, I'm using the SPL to get credit card numbers on search time (I would like to maintain this on search time) : | rex field=_raw "(?<firstStep_CC>(?:\d[ -]*?){13,30})"
| eval secondStep_CC=replace(firstStep_CC, "\-|\s|\.", "")
| rex field=secondStep_CC "(?<creditcard>^4[0-9]{12}(?:[0-9]{3})?)|(^5[1-5][0-9]{14})|(^6(?:011|5[0-9][0-9])[0-9]{12})|(^3[47][0-9]{13})|(^3(?:0[0-5]|[68][0-9])[0-9]{11})|((?:2131|1800|35\d{3})\d{11})" With this SPL I get possible credit card numbers, but invalid numbers as well. Do you need a way to get only valid numbers? I thought to split each digit from creditcard and do a mod10 verification, but I don't know if it's efficient. I read a lot of posts like these: https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-luhn-How-to-use-the-luhn-command-and-how-to-apply-a-regex-to/m-p/221518 https://wiki.splunk.com/Community:Credit_card_masking_regex Tks!
... View more
10-20-2020
01:21 PM
Hi @inventsekar, Thank you for your answer. Well, I understand your point but what I want to do is display the list of alerts that weren't fired, for example: An alert to send an email every time that a root account logs into a system, this alert needs to run every time and I want to know if the alert couldn't run.
... View more
10-20-2020
11:24 AM
1 Karma
Hello everyone, I have a good search (SPL) to see what was the last fired alerts but I don't have one to see what was not, do you how to do? Regards, Rafael Santos
... View more
Labels
- Labels:
-
alert condition
09-22-2020
02:48 PM
1 Karma
I've had the same problem and I updated the add-on with this patch from Checkpoint. You could try this @junedec21 . https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=50832
... View more
09-12-2019
05:26 PM
Hi @lbhkshueler ,
First, Are you using the trial Enterprise license? Is it in the period of trial yet? If yes, see this: https://docs.splunk.com/Documentation/MSExchange/3.5.2/DeployMSX/Permissionschecklist
https://docs.splunk.com/Documentation/MSExchange/3.5.2/DeployMSX/WhataSplunkforMicrosoftExchangedeploymentlookslike
Otherwise, please look at this documents:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/TypesofSplunklicenses#Compare_Splunk_Enterprise_license_behavior
https://docs.splunk.com/Documentation/MSExchange/3.5.2/DeployMSX/Platformandhardwarerequirements
Note: A Splunk App for Microsoft Exchange license The Splunk App for Microsoft Exchange requires a license for indexing volume in addition to the license you get for Splunk Enterprise. See Install a license.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a week ago
|
