×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Omarop
Loves-to-Learn Lots
Member since: ‎05-22-2019
‎12-06-2021
Community Statistics
Posts 17
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-22-2019
Activity Feed
View All

Re: SPL QUERY

by in Training + Certification Discussions
‎12-06-2021 06:20 PM
1 Karma
‎12-06-2021 06:20 PM
1 Karma
I think the issue is that you are adding fields with null values and the result becomes null. Try this before adding the values: | fillnull value=0 low medium high critical | eval total=low+medium+high+critical Here's a different way to skin the cat. | eval {severity}=1 | eventstats sum(low) AS low sum(medium) AS medium sum(high) AS high sum(critical) AS critical by ip,hostname, plugin_id | fillnull value=0 low medium high critical | eval total=low+medium+high+critical | where total>4 ... View more

Re: SPL query that will provide a good or bad cred...

by in Knowledge Management
‎11-18-2021 09:55 AM
‎11-18-2021 09:55 AM
So I ran another query to check for credentialed_Scan:true") and the severity level scores are not accurate.  I am only getting a low severity level = 1.  Can someone please tell me how I can get a good count of the severity levels? earliest=7d@d index=acas sourcetype="tenable:sc:vuln"  |where match(pluginText, "credentialed_Scan:true") | rex field=operatingSystem "^(?P<OS_Type>\w+)\.(?P<OS_Version>.*)$" | rex field=dnsName "^(?P<hostname>\w+)\.(?P<domain>.*)$" | rex field=system "^(?P<manufacture>\w+)\.(?P<serialnumber>.*)$" | eval AWS=if(like(dnsName,"clou%"),"TRUE","FALSE") | iplocation ip | eventstats count(eval(severity="informational")) as informational, count(eval(severity="low")) as low, count(eval(severity="medium")) as medium, count(eval(severity="high")) as high, count(eval(severity="critical")) as critical by ip | dedup ip | eval total = low+medium+high+critical | table ip, repositiory.dtatFormat, netbiosName, dnsName, AWS, hostname, macAddress, OS_Type, OS_Version, operatingSystem, SystemManufacture, SystemSerialNumber, SystemModel, AWSAccountNumber, AWSINstanceID, AWSENI, passFail, plugin_id, pluginName, repository.name, cpe, low, medium, high, critical, total, Country, lat, lon ... View more

Re: Creating a search query in Splunk

by SplunkTrust in Splunk Search
‎11-04-2021 08:11 AM
‎11-04-2021 08:11 AM
If the field names have embedded spaces or other special characters, they should be in single quotes. ... View more

Re: HEC Token/AWS lambda error

by in All Apps and Add-ons
‎06-07-2019 12:04 PM
‎06-07-2019 12:04 PM
Hmm, json is not a programming language, rereading your original error I believe it's NodeJS. So he could do the following in his code: Add process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0; in code, before calling https.request() https://stackoverflow.com/questions/10888610/ignore-invalid-self-signed-ssl-certificate-in-node-js-with-https-request ... View more

Re: Why does my Splunk web keep auto-refreshing?

by in Splunk Cloud Platform
‎01-01-2020 02:04 PM
‎01-01-2020 02:04 PM
Seems like a Splunk bug with SSO when the dashboard has panels configured for auto-refresh. Just clear your browser cached cookies and all Splunk tabs will stop auto-refreshing ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-06-2021 03:22 PM