cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
phanichintha
Path Finder
Member since: ‎05-20-2019
‎09-13-2021
Community Statistics
Posts 76
Solutions 1
Karma Given 4
Karma Received 1
Member Since ‎05-20-2019
Activity Feed
Topics I've Started
View All

Re: How to subtract or minus the values

by SplunkTrust in Splunk Enterprise
‎01-31-2024 01:20 AM
1 Karma
‎01-31-2024 01:20 AM
1 Karma
| streamstats count as row current=f last(Value) as previous | eval row=row%2 | eval diff=if(row=1,Value-previous*row,null()) | fields - previous row ... View more

Re: Monitoring inputs not parsing logs to indexers

by in Getting Data In
‎09-13-2021 07:04 AM
‎09-13-2021 07:04 AM
Thanks for the clue @isoutamo I did respective changes, and I got the solution. ... View more

Re: How to set alert to know any alert Script is r...

by SplunkTrust in Alerting
‎07-20-2021 10:25 AM
‎07-20-2021 10:25 AM
Congratulations!  None of your alerts failed to run.  Save that search as an alert and have it trigger when the number of results is not zero.  That will happen when status!=success some time in the future. ... View more

Re: ERROR ending mail and configuration settings i...

by in Security
‎07-19-2021 11:08 AM
‎07-19-2021 11:08 AM
use default port 465 not 25 ... View more

Re: How to extract the required keywords using REG...

by SplunkTrust in Splunk Enterprise
‎06-29-2021 12:19 AM
‎06-29-2021 12:19 AM
Isn't that the issue - that that Message field extraction is not working for all your events? Do you need to extract it in the search? Can you share your current extract configuration? ... View more

Re: Query for exclude words in a raw data

by SplunkTrust in Splunk Search
‎04-06-2021 03:43 AM
‎04-06-2021 03:43 AM
OK, so the key is the rex statement and the regex that extracts the PID and process names from the _raw message. Assuming there will be no space in the process name, then this should work | rex field=_raw max_match=0 "(?<pid>\d+)\s(?<process_name>[\w]*)\s?"  which is saying extract pid = sequence of digits followed by a single whitespace followed by process_name = sequence of word characters followed by optional whitespace If you do a  | table _raw pid process_name after the rex statement without the rest of the query, you can see what the rex is extracting. If that shows the pid and process names as multi values in the field then it's good and the rest of the query will work. ... View more

Re: How many hours required to upgrade 7.2.1 versi...

by SplunkTrust in Splunk Search
‎03-12-2021 05:31 AM
‎03-12-2021 05:31 AM
I tend to measure Splunk upgrade times in minutes rather than hours.  Of course, that's the actual upgrade.  The prep time is much longer and gets longer for each release behind you are. Time is required to read each version of the Release Notes to see what effect that version will have on your environment.  Splunk 8 introduces breaking changes for some apps that use Python so it's important to spend time reading the instructions and preparing for that upgrade. ... View more

Re: Daily License Report not Showing

by in Getting Data In
‎03-11-2021 11:19 PM
‎03-11-2021 11:19 PM
I solved the issue; the issue is in the 9996 port from the CM side. This issue will come when the high usage in License consumes in a day the connection will lose in any way. So here found that 9996 port after enabling in the CM end. Note: All servers are bi-directionally open with 8089 and 9996/9997 ports and also check the Telnet, Ping.  ... View more

Re: Stanza for to ingest logs from specific date

by SplunkTrust in Getting Data In
‎03-05-2021 09:47 AM
‎03-05-2021 09:47 AM
As I said in my original answer, I'm not aware of ANY settings that do what you want. However, ingestion of older events is a one-time happening so why not just let it happen?   ... View more

Re: Splunkd services are not able to run UP.

by SplunkTrust in Splunk Enterprise
‎11-03-2020 07:05 AM
‎11-03-2020 07:05 AM
Have you already put the same plaintext pass4SymmKey to all your node under [clustering] stanza and also check that under [generic] it is same than what is on your LM? r. Ismo ... View more

Re: AWS WAF logs SQL Injection Splunk Query

by in Splunk Enterprise
‎10-19-2020 08:26 PM
‎10-19-2020 08:26 PM
Anyone have an idea, please share. ... View more

Re: Issue while installing SSL certificate

by in Splunk Enterprise
‎10-14-2020 12:40 AM
‎10-14-2020 12:40 AM
Can anyone share your comments... ... View more

Re: Nessus scan shows CVE-2012-4930, CVE-2012-4929...

by SplunkTrust in Splunk Enterprise Security
‎08-24-2020 06:38 AM
‎08-24-2020 06:38 AM
See https://community.splunk.com/t5/Archive/Splunk-shows-vulnerable-to-CVE-2012-4929-in-my-Nessus/td-p/29091 ... View more

Re: Splunk ES 7.2.1 SSL Certificates Details

by in Security
‎08-10-2020 02:07 AM
‎08-10-2020 02:07 AM
As suggested above, Splunk docs links above are the best place for updated information for exact version you are on. But the below is very useful for SSL setup across all Splunk components, although some configurations are deprecated now and you will need to use the new config as suggested in Splunk docs for those. https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPractices.pdf ... View more

Re: Local host URL to Public URL

by in Splunk Enterprise
‎07-30-2020 02:18 AM
‎07-30-2020 02:18 AM
Hello, As suggested in my previous answer, no changes are required on your end, untill explicity requested from your network team. Here are the steps for you to follow: Changes needed on AWS end 1. You, as the SIEM admin and owner of the tool, will consult your sysops network team, putting the requirement in front of them about exposing your application URL to public. (Basically the team which manages the networking part of your organization) 2. Based on your requirements, they'll decide the best way to expose the URL public. (will either be VPC peering, or Privatelinks over ALB etc, based upon the architecture of your organization). Please note, none of these changes are to be made by you. Network team will do it. 3. Once the step up will be done. You'll get a private URL, which you can share with your customers to use Splunk over the internet. Changes needed on Splunk end: 1. Depends upon the requirements of the network team and the architecture of your organization. Whatever path they choose to expose the Splunk's URL to public, they'll give you specific instructions to perform on Splunk server, if required. Till then, all you need to do is contact them and have them do the work for you. Summary: Please contant your sysops network team and put the request to them about exposing a URL for splunk in public with your decided name for it. They are the ones, who will fulfill your requirement. Since this requires changes on VPC and ALB. Hope this helps 🙂 ... View more

Re: inputs.conf

by in Splunk Enterprise Security
‎07-27-2020 04:13 AM
‎07-27-2020 04:13 AM
HI, after i set for only one stanza i got my results, problem solved. ... View more

Re: How to write a query to detect Brute-force att...

by SplunkTrust in Splunk Enterprise
‎07-21-2020 01:51 AM
‎07-21-2020 01:51 AM
Hi @phanichintha, as you did for Windows (index="main" (EventCode=4624 OR EventCode=4625) Account_Name="*" NOT Account_Name="-"), you have to find an eventtype for Linux and ForgeRock. For Linux, you could use these eventtypes: [Linux_Audit] search = index=os sourcetype=linux_secure NOT disconnect [Linux_Logfail] search = eventtype=Linux_Audit "failed password" [Linux_Login] search = eventtype=Linux_Audit "accepted password" [Linux_Logout] search = eventtype=Linux_Audit "session closed" For ForgeRock I cannot help you because I don't know it, but you can follow my approach. Ciao. Giuseppe ... View more

Re: Splunk Query for Search Query/Alert

by in Splunk Enterprise
‎07-19-2020 10:12 PM
‎07-19-2020 10:12 PM
@phanichintha here is an example of how it can be achieved using the transaction command. | makeresults | eval _raw = "time, userID, eventName 20/07/2020 09:00:00, 1, AM-LOGIN-COMPLETED 20/07/2020 09:01:00, 2, AM-LOGIN-COMPLETED 20/07/2020 09:10:00, 2, AM-LOGOUT 20/07/2020 09:06:00, 1, AM-LOGOUT 20/07/2020 09:00:00, 3, AM-LOGIN-COMPLETED 20/07/2020 10:06:00, 3, AM-LOGOUT" | multikv forceheader=1 | eval _time = strptime(time,"%d/%m/%Y %H:%M:%S") | transaction userID maxspan=1d | stats avg(duration) as AverageTimeSpentOnThePlatform   Here is the link to the command  https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction You can make it more robust by using the startswith and endwith arguments Hope this helps ... View more

Re: Splunk Query for Dashboard/Search Query/Alert

by Splunk Employee in Splunk Enterprise
‎07-17-2020 01:37 PM
‎07-17-2020 01:37 PM
Hi phanichintha, This question has been answered and is marked as solved. If you need help with a separate issue, please post a brand new question so your issue can get more visibility. ... View more

Re: Old Data in Hot Buckets

by in Splunk Enterprise
‎07-15-2020 11:52 PM
‎07-15-2020 11:52 PM
Thank you, Rich, After i restarted the Indexer the changes happen. ... View more

SMTP errors and reply codes

by in Security
‎05-19-2020 07:23 AM
‎05-19-2020 07:23 AM
How to monitor and alerting the "SMTP errors and reply codes" in Splunk. I need to monitor the list of Error Codes given in the link below. https://serversmtp.com/smtp-error/ ... View more

Re: Indexer Splunkd services are not able to run

by SplunkTrust in Deployment Architecture
‎05-18-2020 07:20 AM
‎05-18-2020 07:20 AM
Check the ownership and permissions on D:\Splunk\etc\slave-apps.old ... View more

Re: Indexer Splunkd services are not able to run

by in Getting Data In
‎05-18-2020 08:26 AM
‎05-18-2020 08:26 AM
please press "accept " link, it is located just after my answer in the same line with "Add comment · award points · accept". Thank you. ... View more

Re: Bundle reload is in progress. Waiting for all ...

by in Splunk Search
‎05-07-2020 01:53 PM
‎05-07-2020 01:53 PM
Also, the value you posted for repFactor is not valid.. You provided "repFactor = auto***" The asterisks are not needed nor correct. The value should be simply "repFactor = auto" Worth noting as well, a two node indexer cluster is not good practice (though not the cause of your current issues). With only two nodes the cluster can never reach a quorum, so you're introducing a split-brain scenario. ... View more

Re: I cant understand the buckets segrigation in I...

by SplunkTrust in Getting Data In
‎05-07-2020 05:42 AM
‎05-07-2020 05:42 AM
So you have an indexer cluster. I'll assume your deployment server is also functioning as a Cluster Master. One key setting for managing how much disk space is used is frozenTimePeriodInSecs. Set it to a value no larger than 31536000 to limit data to 1 year or less. Do this in $SPLUNK_HOME\etc\master-app_cluster\indexes.conf and then run splunk apply cluster-bundle to send the change to the indexers. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-13-2021 10:35 AM
Karma from
View All
Karma given to
View All