Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About NatSec
NatSec
Explorer
Member since:
06-16-2020
11-05-2024
Community Statistics
| Posts | 6 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 06-16-2020 |
Activity Feed
- Posted Re: Using a single variable as a value to multiple fields in SPL on Splunk Search. 11-05-2024 07:39 AM
- Posted Using a single variable as a value to multiple fields in SPL on Splunk Search. 11-04-2024 12:05 PM
- Posted Splunk Addon for Unix cannot decode auditd logs on Getting Data In. 07-31-2024 01:31 PM
- Tagged Splunk Addon for Unix cannot decode auditd logs on Getting Data In. 07-31-2024 01:31 PM
- Tagged Splunk Addon for Unix cannot decode auditd logs on Getting Data In. 07-31-2024 01:31 PM
- Posted Re: How to search for DR string ../../../../ ?? on Splunk Search. 12-16-2021 05:00 AM
- Karma Re: Trigger an alert after comparing two search results for gcusello. 02-23-2021 09:36 AM
- Posted Re: Trigger an alert after comparing two search results on Splunk Search. 02-23-2021 09:35 AM
- Posted Trigger an alert after comparing two search results on Splunk Search. 02-23-2021 01:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
11-05-2024
07:39 AM
Let me add more context. In this example, "userid" is not a field but a variable that I intend to use as a search value from the four fields. The four fields are: member_dn, member_id, Member_Security_ID, member_user_name
... View more
11-04-2024
12:05 PM
I have a working dashboard where a token is used as a variable. But now I am trying to use the same concept when making a direct search within "Search & Reporting app". I have Windows events that have multiple fields that produce a common value. In this example, the following search will give me usernames. ...base search (member_dn=* OR member_id=* OR Member_Security_ID=* OR member_user_name=*) I would like to declare a variable that I can use as a value to search all four aforementioned fields. I tried the following with no luck: index=windows_logs | eval userid=johnsmith | where $userid$ IN (member_dn, member_id, Member_Security_ID, member_user_name)
... View more
07-31-2024
01:31 PM
Good day, I have installed Splunk ES v9.2.1 on a Linux server (CentOS 7.9). On Splunk ES server, I have installed Splunk Addon for Unix and Linux with all scripts including rlog.sh enabled. I have also configured Splunk Forwarder v9.2.1 a Linux client (CentOS-7.9). Splunk ES server is receiving logs from client as per normal. But I still have a problem with auditd logs coming from client. The USER_CMD part of auditd logs still appear as HEX format, instead of ASCII. For example, part of the log reads USER_CMD=636174202F6574632F736861646F77 where I expect a decoded value to be ASCII as in: USER_CMD=cat /etc/shadow What am I doing wrong? And what can I do to view auditd logs in Splunk without me as an analyst decode each log entry one at a time?
... View more
Labels
- Labels:
-
Linux
-
universal forwarder
02-23-2021
09:35 AM
@gcusello This is perfect.
... View more
02-23-2021
01:52 AM
I have two search conditions that I need to trigger alerts from. I have a hundred hosts on a HA cluster. Sometimes host(s) happen to leave an HA cluster and come back online, due to network issues or during a production changes by engineers. When a host leaves the HA cluster, I get a single message in Splunk that reads "serverX has gone out-of-sync". When the host joins back the HA cluster, I get a single message in Splunk that reads "serverX has gone in-sync". This means I have two search results to play with. My Goal: When a host leaves the HA cluster and comes back within an hour, do not send any alerts. But if a host leaves an HA cluster, but does not come back online after an hour, trigger an alert. Here is what I have done so far (search period =1hr): index=test sync_status="out-of-sync" [search index=test sync_status="in-sync" | dedup server | table server] I get undesired results. I expect to see only the host that went offline but did not join back the cluster (of which I can see results when I do simple searches). Am I in the right direction, from a search and logic perspective? Are they better search methods of doing it?
... View more
