Hi All, Hope you all are doing well. I am very new to Splunk Enterprise security, and i need your help  to understand how i can create a reverse integration with ServiceNow. So we are using ServiceNow Security Operation Integration to manually create incidents in ServiceNow for notables. We have a new ask from SOC to update the notables when the incidents are being created and closed in ServiceNow. We are using Splunk enterprise and wanted to know what endpoints we need to provide so that we can achieve reverse communication. I have created a user in splunk who has access to edit notables but i am not sure what endpoint i need to provide, is it just the url of my instance or do i need to add any services as well. Please let me know if you have any other questions. Thanks in advance. ... View more

Hi Guys, Hope you all the doing good. I have recently started to use Splunk ES and i am trying to create security incidents in ServiceNow for notables. I am using ServiceNow Security Operations Integration addon for this and i have created a workflow action to create incident. I am using below search in the workflow action but i am not able to create any incidents. Please let me know if i am missing any thing. Thanks in advance. | expandtoken rule_title rule_description drilldown_searches | fields title rule_description src dest user file_path file_hash file_name _time source severity event_hash | eval src=coalesce(src, src_ip), dest = coalesce(dest, dest_ip) | fillnull value=N/A dvc src dest user file_path file_hash file_name | eval external_link = xyz | eval md5_hash = if(file_hash == "N/A", "N/A", if(len(file_hash) == 32, file_hash, "N/A")) | eval sha256_hash = if(file_hash == "N/A", "N/A", if(len(file_hash) == 64, file_hash, "N/A")) | eval snow_event_ts = strftime(_time, "%m-%d-%Y %H:%M:%S") | eval severity = case(severity=="informational", 0, severity=="low", 4, severity=="medium", 3, severity=="high", 2, severity=="critical", 1) | eval ticket_contents = "short_description \"".title."\"" | eval ticket_contents = ticket_contents." assignment_group \"ABC\"" | eval ticket_contents = ticket_contents." contact_type \"SIEM\"" | eval ticket_contents = ticket_contents." description \"".rule_description."\"" | eval ticket_contents = ticket_contents." source_ip \"".src."\"" | eval ticket_contents = ticket_contents." dest_ip \"".dest."\"" | eval ticket_contents = ticket_contents." u_offence_id \"".event_hash."\"" | eval ticket_contents = ticket_contents." u_source \"".src."\"" | eval ticket_contents = ticket_contents." u_destination \"".dest."\"" | eval ticket_contents = ticket_contents." u_md5_hash \"".md5_hash."\"" | eval ticket_contents = ticket_contents." u_sha256_hash \"".sha256_hash."\"" | eval ticket_contents = ticket_contents." u_event_timestamp \"".snow_event_ts."\"" | eval ticket_contents = ticket_contents." u_event_name \"".source."\"" | eval ticket_contents = ticket_contents." severity \"".severity."\"" | return $ticket_contents   ... View more

Happy New Year to all of you. So I have syslog in which we have details of the devices and switches.  The requirement is to find the old and new ip address for the NetworkName which were recently added to a group.  To get this i have to follow below steps. 1. get the NetworkName which has been recently added to group. 2. than get the latest CallingStation for the NetworkName . # search for step 1 & 2 index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName =USAZSLKRR01FIF0001 |stats latest(CallingStation ) as CallingStation by NetworkName 3. search in the index with the CallingStation  to get IPAddress(it has to ran for last 24 hours) index=na3rc Calling_Station_ID=B0-22-7A-32-32-26 | bin span=1d _time | stats latest(IPAddress) as IPAddress by _time CallingStation | eval IP=if(_time<relative_time(now(),"@d"),"Old","New") The problem here is that IPAddress field has both old and new IPAddress. I tried join but it is showing no results as it is being maxout and when i try to use it in same search it is only showing new IPAddress. Thank in Advance 🙂       index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName=USAZSLKRR01FIF0001 | stats latest(CallingStation) as CallingStation by NetworkName | join CallingStation type=left [| search index=xyz | bin span=1d _time | stats latest(IPAddress) as IPAddress by _time CallingStation | eval IP=if(_time<relative_time(now(),"@d"),"Old","New")]       ... View more

Hi All, Hope you all are doing good. I am trying to extract a field which the different types of data. I want to extract the reference number. DATA:- 0561170-0443 :- 0561170 this is reference number 0213_DFS_201021004 :- 201021004 this is reference number 0159_1606766A_191021016 :- 1606766A this is reference number Can you please let me know how i can achieve this, i tried rex but it wont work. Is there any other way to do it?   Thanks in advance 🙂 ... View more

Hi All, Hope you all are doing good. I am trying to read two simple txt files containing just the numeric value . These files get updated twice every day, morning and evening. I have used same props.conf for both the files.  Splunk is able to read the first txt file properly in the morning and evening, but when it comes to 2nd txt file if their is same type of data present in the morning  than splunk ignores that data in the evening. Example. If in morning in 2nd txt file the value is 1 and in evening the value is 15 than splunk only reads 5 in the evening file. [monitor://C:\test.txt] sourcetype = test ignoreOlderThan = 60d disabled = false crcSalt = <SOURCE> [test] DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TRUNCATE=100 ... View more

Hi All, Hope you all are doing good. I have to check 2 table from different sources and get a new table where its says match or not match. Column1 Column2 One abc abc match pqr xyz not match I tried to use a query to get the details but still it is not working reason maybe due to logs coming on different time. My query index=main source="Replicationlogs_*.txt" AND sourcetype=replication Store.* | rex field=source Replicationlogs_(?<store_number>\d{4}).txt | search store_number=* | dedup SCD | stats count by SCD store_number | rename SCD as SCD1 | appendcols [search index=main source=*.log sourcetype=nitrogen_logs (SCD!=: AND SCD!=-) | rex field=source (?<store_number>\d{4}).log | search store_number=* | dedup SCD | stats count by SCD store_number ] | eval Match=if(match(SCD1,SCD),"Yes","No") | fillnull value=0 | fields - count And the values i get are like this:- STORE.brand 0010 No STORE.c-lens-fit STORE.bridge-size 0010 No STORE.c-lens-issue-history STORE.c-lens-fit 0010 No STORE.c-lens-payment-history STORE.c-lens-issue-history 0010 No STORE.contact-detail STORE.c-lens-payment-history 0010 No STORE.cust-c-lens-contract STORE.c-lens-status-history 0010 No STORE.cust-c-lens-scheme 17 matches should appear but as they not in same row so the match is not displaying. Please help me resolve this issue. Thanks in advance ... View more

Hi All, Hope you all are doing well. I was trying to setup email alert and event creation using Splunk and it was working fine. But i got a new condition in the existing alert. The condition is to avoid 2 alerts and event creation when there is a specific alert. In my case when there is ABC alert then i have to ignore XYZ and PQR. Logic seems to be simple, when ABC comes avoid XYZ and PQR.... But i am unable to execute it on Splunk. I tried below query but i think it will yield a null when there are any other alerts apart from the ABC. index="myindex" sourcetype="mysourcetype" lab_hub_name="XYZ Hub" rag_status="0" ( lab_hub_tag="LKJ" OR lab_hub_tag="ABC" OR lab_hub_tag="PQR" OR lab_hub_tag="XYZ" OR lab_hub_tag="QWE" OR lab_hub_tag="ERT" OR lab_hub_tag="FGH") earliest=-7m latest=now | stats latest(_time) as latest_tim, count by lab_hub_tag | rename count as rag_count | join type=left lab_hub_tag [search index="myservicenow" sourcetype="snow:incident" short_description="Splunk Alert - XYZ*" state!="7" earliest=-1d latest=now | rex field=short_description "Splunk Alert - XYZ - (?[\S ]+$)" | stats latest(state) as state, count by lab_hub_tag short_description | fields - count] | eval one=if(lab_hub_tag="ABC" AND rag_count>0,"yes","Null") | search one= yes | fillnull state short_description | eval temp_count=if(rag_count>0 AND state="6" OR state="0",1,0) | eval correlation_id=latest_tim.lab_hub_tag | where temp_count=1 Please let me know how i can achieve this one. Thanks for your help. ... View more

Hi All, Hope you all are doing good. I am stuck with 2 questions may be due to my Splunk query knowledge, hope you allcan help me in resolving the same. Question 1:- I have to dynamically remove a Responsetime field from a search when ComponentName is XYZ. I treid using if command splunk fields is not supported in it i believe. We are getting the ComponentName from drilldown via a token. Question 2:- I have to dynamically change the color of a panel based on the threshold value from a lookup table. Example:- for ComponentName=xyz the threshold is 900 than the color should should be changed when threshold > 900 to red and threshold <900 to green. Please do let me know if you any questions. Thanks for your help 🙂 ... View more

Hi All, Hope you all are doing well. Recently i was ingesting data to Splunk from a server and i had to get the file names under the inbox folder. I used below mentioned config file. [monitor:///export/mail/inbox] sourcetype = inbox index = global-app-compiere ignoreOlderThan = 60d disabled = false After the restarting splunk i was getting details of each files as events and file name as source. So inside inbox folder we have files like this:- /export/mail/inbox/1243156.PSV /export/mail/inbox/3575838.PSV /export/mail/inbox/1253489.CSE /export/mail/inbox/processed/2473580.CSE /export/mail/inbox/qw648385.CSE /export/mail/inbox/processed/12354675.CSE I wanted to just get the file names under the sourcetype inbox but i am getting the details of each file and the file is stored as source. Can anyone please help me to get the details. Thanks in advance 🙂 ... View more

Hi All, Hope you are doing good. I wanted to a add a mouse hover option for different panels which will display the details for the panel. I have used the below code to add a mouse hover which adds an extra text "Details" and hovering over it we can get the details. But i want to that when a user hovers over the panel title than the details should be displayed also i want to use css and js within the XML as i have some credential issues for the servers. Thanks for your help 🙂 .custom-tooltip{ display: inline; position: absolute; } .custom-tooltip:hover:after{ background: #333 ; background: rgba(0,0,0,.8) ; border-radius: 5px ; bottom: 26px ; color: #fff ; content: attr(title) ; left: 20% ; padding: 5px 15px ; position: absolute ; z-index: 98; width: 220px; ... View more

Hi all, I have no idea about webhook and how it works but have seen threads were an alert action is done by webhook. I was unable to find out if we can use webhook to send data to Splunk cloud. If anyone has idea regarding this please let me know the steps to follow for the same. Thanks in advance ... View more

Hello, I am currently working is on one use case where i have to display store number on the basis of avg cpu, avg ram and avg iowait. I have used stats command and created a table and used eval command to put threshold. I want to display only the color in the column based on the value of avg cpu, avg ram and avg iowait but not there values in the column. Is there any way which i can use to display only colors. Secondly i was trying to add a 4th column which will display number of days the store's are in red(threshold above 90). Thanks in advance. ... View more