About sbollam

sbollam · ‎02-02-2024

Hello Everyone, I have created and alert which uses sendresults command to format the email notification. But the problem i have with this is, It does not have View Splunk Results link to view the splunk results. So i have add addinfo the search to grab search id and appended to the splunk url. https://<hostname>:8000/en-US/app/search/search?sid=scheduler__user__search__RMD5fa2e7e4e362d_at_".$info_sid$." | eval application_name = "<a href=https://<hostname>:8000/en-US/app/search/security_events_dashboard?form.field2=&form.application_name=" . application_name . ">" . application_name . "</a>" | eval email_subj="Security Events Alert", email_body="<p>Hello Everyone,</p><p>You are receiving this notification because the application has one or more security events reported in the last 24 hours..<br></p><p> Please click on the link available in the table to fetch events for specific application.</p> </p><p>To view splunk results <a href=https://<hostname>:8000/en-US/app/search/search?sid=scheduler__user__search__RMD5fa2e7e4e362d_at_".$info_sid$.">Click here</a></p> Iam able to receive the link but this link is not loading. Could someone please assist me on this. I want to receive a link similar to the one which i will receive when an alert is triggered. Regards, Sai

sbollam · ‎01-29-2024

Hello All, I have created an Alert with the following query, Issue I'm having here is, I'm not receiving email alert even if the condition is met and events are returned. | dbxquery query="SELECT eventTriggeredDate, APPLICATION_NAME, APPLICATION_NAMEENV, APPLICATION_GROUP, eventChain, eventType, eventMessage, eventMod, eventRule, eventSeverity FROM Admin.console.v_ES_RelevantEvents55 WHERE eventTriggeredDays <= 7 AND (APPLICATION_NAME='ABC_PRD' OR APPLICATION_NAME='XYZ-PRD') AND APPLICATION_NAMEENV='PRD'" connection="TESTING_DEV" | lookup users_email.csv "Application Name" as APPLICATION_NAME OUTPUT "Admin email" as Admin_email "QA email" as QA_email "Developers email" as Developers_email | lookup policy_details.csv policy_name as eventRule OUTPUT policy_description | eval users_mail = Admin_email.",".Developers_email.",".QA_email | stats count as Total_Events values(eventChain) as "Event Policy/Rule" values(eventType) as "Event Type" values(eventMod) as "Event Mod/Policy" values(eventRule) as "Event Rule" values(users_mail) as users_mail values(eventMessage) as eventMessage values(policy_description) as policy_description by APPLICATION_NAME, eventSeverity | eval eventMessage=mvindex(eventMessage, 0, 20) | where Total_Events > 10 | table APPLICATION_NAME, Total_Events, eventSeverity, "Event Type", "Event Rule", users_mail, eventMessage, policy_description | rename APPLICATION_NAME as application_name, Total_Events as number_of_events, eventSeverity as event_severity, "Event Type" as event_type, "Event Rule" as event_rule, eventMessage as event_message I have given email list as $result.users_mail$, the values from the filed users_mail. I see the alert being triggered but i don't receive an email. Also is there a way we can add external links to the Splunk Alerts?

sbollam · ‎01-15-2024

Hello All, I have created an Scheduled Alert which is tend to run once in every day and alert has a splunk query with sendemail command. I set an alert to send a link to view results and alert details but when the alert is triggered i am receiving an email but only the results that returns from the search but i don't see the link to results even though i configured while setting up the alert. Can someone assist me on this?

sbollam · ‎01-15-2024

Thank you very much @dtburrows3!! I can see the results for each application but looks like the map does not work for me. I also tried to use just sendemail command but it does not work either. When i give the email id manually i can see an email getting triggered but not when i use the field name which has email id's. Can you provide suggestion on this? Thanks in advance!

sbollam · ‎12-17-2023

Hello Everyone, I have created an alert who looks for the security events for few applications and if the condition matches it must notify users related to that specific application. Let's say we have applications A, B and Application A has a field users with values test, test2, test3. and Application B has a field users with values test4, test5, test6, If Application A has any security breach events it must send an email to users. Regards, Sai

sbollam · ‎10-15-2023

Hello All, I have a requirement on the dropdowns, I have a following lookup file which contains application, environment and index details, I need to get the environment details related to each application when i choose app details from the dropdown, similarly with the index dropdown, it must only give the index details based on the values that i choose in the application and environment dropdowns. I could get the desired results while using the lookup file. But how can this be achieved using eval condition in the splunk dashboard rather than using the lookup file. I have the values of the fields in the splunk results. application environment index app_a DEV aws-app_a_npd app_a PPR aws-app_a_ppr app_a TEST aws-app_a_test app_a SUP aws-app_a_sup app_a PROD aws-app_a_prod app_b NPD aws-app_b_npd app_b SUP aws-app_b_sup app_b PROD aws-app_b_prod app_c NPD aws-app_c_npd app_c SUP aws-app_c_sup app_c PROD aws-app_c_prod

sbollam · ‎09-22-2021

@aasabatini , I actually need the dashboard names in the tiles as shown in the attachment. When i click on the tile it has to direct me the respective dashboard. I have to create a dashboard similar the image that i enclosed.

sbollam · ‎09-21-2021

Hi Team, I would need someone's help to accomplish the requirement. I have less knowledge on css. so seeking your help. I have about 7 dashboards created, I would want one dashboard to be created having those dashboard names in the tiles view with the drilldown enabled for the respective dashboards. Here tile view has to be created to the input values. Please find the image attached the way i wanted the dashboard to be shown. Here in the image values shown are item1 item2, .. Note: i need the css and html to be written in the dashboard instead having them in css file.

sbollam · ‎06-09-2021

@ITWhisperer , Thanks a ton!! It worked like a charm.

sbollam · ‎06-09-2021

@ITWhisperer , Thank you for the response!! I was able to retrieve events when i give time range both in text box and the time input. But the problem is when the give time range in the format: %m/%d/%y:%HH:%MM:%SS in the text boxes it's not working. It's throwing me an exception as "Invalid earliest_time". Please find the screenshot attached.

sbollam · ‎06-09-2021

I have created a time input and also two text boxes to pass earliest and latest values to the searches. When I select the time range from the time input, earliest and latest needs to be ignored. index=_internal sourcetype=splunkd | stats count --> This is for last seven days. when i pass earliest and latest to the search, time input should be ignored. earliest=06/01/2021:00:00:00 latest=06/02/00:00:00 index=_internal sourcetype=splunk | stats count I have this code: <fieldset submitButton="true"> <input type="dropdown" token="choose"> <label>choose</label> <choice value="timeRange">timeRange</choice> <choice value="specificWindow">specificWindow</choice> <change> <condition label="timeRange"> <set token="timeRange">true</set> <unset token="earliestLatest"></unset> </condition> <condition label="specificWindow"> <unset token="timeRange"></unset> <set token="earliestLatest">true</set> </condition> </change> <default>specificWindow</default> </input> <input type="time" token="timerange" depends="$timeRange$"> <label>Time</label> <default> <earliest>-7d@h</earliest> <latest>now</latest> </default> </input> <input type="text" token="earliestTime" depends="$earliestLatest$"> <label>StartDate</label> <default></default> </input> <input type="text" token="latestTime" depends="$earliestLatest$"> <label>EndDate</label> <default></default> </input> How can i do this?

sbollam · ‎03-17-2021

How to adjust trellis to the center of the panel with equal sizes of three trellis? I have trellis with three fields and it's showing at the beginning of the panel and I tried to increase the width and height but of no use. Would you help me on this?

sbollam · ‎03-09-2021

@tscroggins, Thank you I can go with this approach and it looks good. But the problem here is when I update the trellis, all the three pie charts are aligned to the left side of the panel, Also I cannot increase the size the of the trellis to adjust to the entire panel, I mean size of the pie chart. I tried options medium, small, large but it did not work. How can I increase size of the trellis and adjust the float to the center using style

sbollam · ‎03-05-2021

I have following query to display the results in pie chart. Problem here is I could not see the all the values in the pie chart index=dummy ticket_number="*" sourcetype="tickets" | eval status= "incident_" + status | stats first(opened_at) as ticket_openedAt latest(status) as ticketStatus by ticket_number | where NOT ticketStatus IN("ticket_Resolved", "ticket_Canceled", "ticket_Closed") | eval openTime = strptime(ticket_openedAt, "%Y-%m-%d %H:%M:%S"), currentTime=now(), days = round((currentTime - openTime)/86400, 0) | where days > 5 | stats count as ticket_count by ticketStatus | appendcols [ search index=dummy problem_number="*" sourcetype="problem" | eval status = "problem_" + status | stats first(opened_at) as problemOpenedAt latest(status) as problemStatus by problem_number | where NOT problemStatus IN("problem_Resolved", "request_Closed") | eval openTime = strptime(requestOpenedAt, "%Y-%m-%d %H:%M:%S"), currentTime=now(), days = round((currentTime - openTime)/86400, 0) | where days > 5 | stats count as request_count by problemStatus ] | appendcols [ search index=dummy issue_number="*" sourcetype="issue" | eval status= "problem_" + status | stats first(opened_at) as issueOpenedAt latest(status) as issueStatus by issue_number | where NOT issueStatus IN("problem_Resolved", "problem_Closed Complete") | eval openTime = strptime(problemOpenedAt, "%Y-%m-%d %H:%M:%S"), currentTime=now(), days = round((currentTime - openTime)/86400, 0) | where days > 5 | stats count as problem_count by issueStatus ] | transpose I would require your help in displaying the incident_count by incidentStatus, problem_count by problemStatus and issue_count by issueStatus in the pie chart. Also, is there a way to optimize this search

sbollam · ‎09-03-2020

Hello, I have dashboard which contains three inputs and a single panel which one search. input 1: It's a dropdown with following name and values: a: 1 b: 2 input2: It's a dropdown with following name and values: Jan: "earliest=01/01/2020 00:00:00" latest=01/01/2020 24:00:00" Feb: "earliest=01/02/2020 00:00:00" latest=01/02/2020 24:00:00" input3: it's time when i choose input1 as 1, input2 should be shown and input3 needs to be hidden and whatever the value i choose from input2(month) need to be passed to the search. when i choose input1 as 2, input3 should be shown and input2 needs to be hidden and whatever the value i choose from input3(time) need to be passed to the search.

Posts	15
Solutions	0
Karma Given	1
Karma Received	0
Member Since	‎09-03-2020

Online Status	Offline
Date Last Visited	‎02-02-2024 09:52 AM

How to fetch the search id from the triggered aler...

Splunk Alert email is not working

Unable to see link to results in the email

How to send an email to users present the results ...

Need to fetch the results dynamically from the dro...

How to create tiles view to the input values for t...

How to pass earliest/latest and time input to the ...

How to adjust trellis to the center of the panel w...

how to display multiple field values from differen...

How to dynamically send the token value to the sea...