cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
splunkmagu
Explorer
Member since: ‎12-29-2021
‎04-25-2024
Community Statistics
Posts 6
Solutions 1
Karma Given 2
Karma Received 1
Member Since ‎12-29-2021
Activity Feed
View All

Re: AWS Guardduty - Splunk Integration

by in All Apps and Add-ons
‎06-13-2023 01:55 AM
1 Karma
‎06-13-2023 01:55 AM
1 Karma
Thank you @rkantamaneni for that reply. The issue has been 'resolved' some time ago but I believe your solution is the correct one. Additionally your logic confirmed my observations that something 'wrong' happens when events are larger than 4k. I'm just wondering why Splunk Support wasn't able to find it the way you did lol (I took around 6 months and a lot of persistence from my side to fix this :D). At the time of creating this post I didn't know about an admin helper app that would allow us to run btool commands from the search head (we cannot access searchheads and indexers via ssh as this is a cloud deployment managed by Splunk). I think I will submit another ticket regarding this because currently we strip the details 'header' using SEDCMD commands on a sourcetype level and I believe that increasing LOOKAHEAD value won't impact the performance that much as those two additional SEDCMD commands ? 1. SEDCMD-alter1    s/{"[\s\S]*"detail"://g 2. SEDCMD-alter2    s/}}$/}/g ... View more

AWS Guardduty - Splunk Integration

by in All Apps and Add-ons
‎09-08-2022 03:20 AM
‎09-08-2022 03:20 AM
Hello, we have a following integration in place: GuardDuty -> EventBridge (no transformation)-> Firehose (no transformation) -> Splunk (cloud) HEC sourcetype = aws:cloudwatch:guardduty HEC source override = aws_cloudwatchevents_guardduty Despite source override sometimes we see events with aws.guardduty source, and in those cases the message format is different (thus search outputs no results so we do not get an alert). Single source events start with: {"schemaVersion":"2.0","accountId":"<some_account>","region":"<aws_region>","partition":...} Double source events start with (additional header/metadata preceding schemaVersion): {"version":"0","id":"<some_id>","detail-type":"GuardDuty Finding","source":"aws.guardduty","account":"<some_account>","time":"2022-09-07T11:55:02Z","region":"<aws_region>","resources":[],"detail":{"schemaVersion":"2.0","accountId":"<some_account>","region":"<aws_region>","partition":...} AWS has been excluded as the source of the issue. Any ideas on how to have only one message format (Splunk Support ticket has also been submitted) ? ... View more

Splunk search REST API - Is there a way to search ...

by in Splunk Search
‎06-30-2022 02:34 AM
‎06-30-2022 02:34 AM
Hi, I'm using splunk web to check some searches/alerts: 1. | rest /servicesNS/-/-/saved/searches/ splunk_server=local | table title <-- displays a list of saved searches then I pick one from the list and launch: 2. rest /servicesNS/-/-/saved/searches/alert_without_white_spaces splunk_server=local. <-- and it works But when querying for a differently named alert I get an error: 3. rest /servicesNS/-/-/saved/searches/alert with white spaces splunk_server=local. <-- does not work - error message: Error in 'rest' command: Invalid argument: '-' 3a) rest /servicesNS/-/-/saved/searches/'alert with white spaces' splunk_server=local.   <-- does not work - error message: Error in 'rest' command: Invalid argument: '-' 3b) rest /servicesNS/-/-/saved/searches/"alert with white spaces" splunk_server=local.   <-- does not work - error message: Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/-/-/saved/searches/alert with white spaces?count=0 from server=https://127.0.0.1:8089 - Not Found 3d) rest /servicesNS/-/-/saved/searches/alert\ with\ white\ spaces splunk_server=local.  - error message: Error in 'rest' command: Invalid argument: '-\' 3e) | eval alert1="alert with white spaces"          | rest /servicesNS/-/-/saved/searches/alert1 - error message (splunk didn't use the variable value but the variable name) Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/-/-/saved/searches/alert1?count=0 from server=https://127.0.0.1:8089 - Not Found Is there a way to use variables or to query for a search name containing white spaces without getting an error ? ... View more
Labels

Re: Index with one sourcetype - search performance...

by in Splunk Search
‎06-29-2022 11:54 PM
‎06-29-2022 11:54 PM
Thank you everyone for quick replies but special thanks goes to @PickleRick  😃 ... View more

Re: Index with one sourcetype - search performance...

by in Splunk Search
‎06-29-2022 07:13 AM
‎06-29-2022 07:13 AM
Hi @gcusello, some time ago we asked Support about some indexes' creation best practices and they replied (and provided some documentation links) that we should create many indexes if the data that was being ingested differed in "structure". And it does in our case, it's a custom application data that had a custom sourcetype created (majority of cases) because globally available sourcetypes (through add-ons, TAs, etc) didn't extract fields correctly. ... View more

Index with one sourcetype - search performance / b...

by in Splunk Search
‎06-29-2022 05:27 AM
‎06-29-2022 05:27 AM
Hello, I have created a few indexes, each containing data only from one source with one sourcetype. From a search performance point of view - Is it necessary to include the sourcetype in each search if there is only one sourcetype "associated" with a specific index ? Is Splunk's internal "engine" slower when I do not specify that ? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-25-2024 07:04 AM
Karma from
View All
Karma given to
View All