App installs, the readme is there and the in browser CyberChef.html works just fine. However, when I try to execute SPL using cyberchef like the example from the documentation:   | makeresults count=3 | streamstats count | eval data=random()/random() | cyberchef infield='data' outfield='convertedData' operation="ToBase64" | table data convertedData   I get an error output from Splunk   Error in 'cyberchef' command: CyberChef chef.bake is not a function   I'm trying to get this running on a single test instance in a VM, all file persmissions looks right.. Am I missing something, or is this a symptom of me trying to test the app using the "free" version of Splunk (I seem to remember enterprise being needed)? Any suggestions and/or feedback appreciated! ... View more

I've been trying to solve this every which way and another and I always come up just short of the target. When searching linux audit log, the type=EXECVE has the most detailed information regarding commands executed. However, if you are interrested in anything other than the command/binary (a0), there will be field unspecific wildcard searches. Depending on the command and number of options there is a dynamic number of "aX"s where the total number equals another field value (argc) minus 1. For an event, argc=3 means that there are fields a0, a1, and a2 (three "arguments") What I wanted was a way to run a base search which returns a large number of events with varying number of "a" fields (a0 ... a(argc-1)) and preferably place these in a table with the correct observed maximum number of argument (aX) fields as columns dynamically. In other words NOT THIS:     index="linux" source="/var/log/audit/audit.log" type="EXECVE" | table a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 ......     This works, though I really don't like having to hardcode exessive values like this. What I would prefer is a way to, based on the fields observed in the base search, generate matching number (maximum) of columns (aX values) in a table. a0 a1 a2 a3 a4 a5 a6 value1 value2 value3 value4 value5 value6 value7   Maybe even merging the values of fields a0 to a(argc-1) into a single new field with the entire command. Command value1 value2 value3 value4 ... value7   I got started like this:     index="linux" source="/var/log/audit/audit.log" type="EXECVE" | eval argc_numeric = tonumber(argc) | eval args = mvrange(0, argc_numeric) | mvexpand args | dedup args | eval arg = "a" + tostring(args)     Which actually produces a field with the correct number of aX values (field names), though it feels like I'm taking a long way to produce something which is already present (field names) in the base search. And I have no idea how to use the "arg" values as input for table (or stats or whatever). I was thinking of something along the lines of     for i in arg: print(arg)     as input for table. Though this may be a horrible way to approach this problem. So, hopefully these chaotic notes is enough to kind of explain what I am trying to achieve and have not idea at all how to approach in a good and effective way. All suggestions are welcome ... View more

I'm trying to use tstats to calculate the daily total number of events for an index per day for one week. Then calculate an averade per day for the entire week, as well as upper and lower bounds +/- 1 standard deviation. Feels like I can get each individual thing to work, either the bar chart with the daily count, OR the statistics. Though I want them all in a single figure. This is my base search:   | tstats count as daily_events where index="index" earliest=-7d latest=-1d by _time span=1d # | timechart span=1d sum(daily_events) as daily_events   Which seems to work just fine by itself, with or without a following "timechart"   Now I figure I'd do something like this:   | stats sum(daily_events) as total_events stdev(daily_events) as std_dev | eval avg_events=round(total_events/7, 0) | eval upper = total_events + std_dev | eval lower = total_events - std_dev    Which by itself seems to work, though I now loose the results from the base search. So how can I combine these things (can I combine?) into something close to what I want to achieve? I'm attaching a crude scetch for clarity. It feels like I somehow need to add three columns just replicating the upper, lower and av_events values for every "daily_events" entry, or something. I just can figure it out. Any feedback is mych appreciated. ... View more

Hello Community I've been looking at the installation process of Splunk CIM and got stuck on a step. After installation there seems to be a need to whitelist indexes for datamodels (or vice versa). I realize this can be done pretty easily through the GUI though normally the configuration is handled centrally. Having come up empty looking through the content of the app/package, is it possible to specify index whitelists for particular datamodels in any conf file that I may have missed? Best regards ... View more

Hello community What is the most efficient way of retrieving a specific search performed or preferably, if possible, to regenerate a file (csv/pdf) export of results? So far I have located the search/job ID and worked my way back to a search string (SPL). Though I am curious, is it possible to “re-run” the SPL snippet and just “re-generate” the file-export for inspection? Otherwise, what is the fastest and easiest way to get from search/job ID to the actual SPL search query used to generate the file export? Best regards // G ... View more