About JLopez

JLopez · ‎07-26-2023

Hi Splunkers, I need to show to some stakeholders the correlation searches that we have enabled and are aligned to the mitre att&ck framework. I've tried using the REST command and I can find all the annotations under "action.correlationsearch.annotations" field but I would like to narrow it down to only mitre att&ck. Anyone knows how to get this search?

JLopez · ‎07-03-2023

Hi Guys, We use enterprise security and we have configured asset and identity list. From the global option "Asset and Identity Management" we have enabled merge asset and identities for all sourcetypes. I can see the fields names (email,first,nick etc....) for most of indexers. However for some reason I am unable to view my identity list fields names being populated when I search on a index I created 3 weeks ago. Can someone help me how to troubleshoot this ?

JLopez · ‎04-06-2023

Hi Splunkers, I want to create a search that send results to an "On call" system only for out of hours during monday to Friday from 5:30PM until the next day at 8:30AM and also 24h during the weekend starting on Friday at 5:30PM until Monday at 8:30AM. so basically I don't want to send any results during bussiness hours from 8:30AM till 5:30PM Mon-Friday. I am not sure if it's easier to set this up using cron time scheduler when I have my search ready or using earliest and latest and some eval command within the search. Also wondering if this can be achieve within 1 search or should I create 1 for monday to friday and another one for the weekend given that the time ranges are different? Could Anyone have an idea how to best achieve this? Much appreciate it.

JLopez · ‎02-01-2023

Thanks @scelikok it worked like a charm.

JLopez · ‎02-01-2023

Hi Splunk friends, I'm using windows data for this example. I want to collect in a time range of last 7 days, the numbers of hosts from my windows index with a span of 1d the result I am expecting is that every day I can see in a timechart the total numbers of host on each day increases of decreases to do that I am using this search index=<windows Index> Computer=XYZ* | dedup Computer | timechart count(Computer) as count span=1d The problem I am having is that the search never ends so only show a flat line and a peak from the last day. I have around1000 host. is there is a way to collect this data in a more efficient way? Thank in advance.

JLopez · ‎11-11-2022

thanks @bowesmana this worked for me and the visualization is within the same rows! ( that was my pain ) Appreciate your time and expertise! why are you using the * within the values??

JLopez · ‎11-07-2022

Hi Guys, I'm trying to create a table with the count emails sent and emails received from a given emails addresses Column 1 Column 2 Column 3 Email addresses Emails received email sent bob1@splunk.com <Number> <Number> bob2@splunk.com <Number> <Number> I tried this with append command but the result are shown under one another my search is index=email_index Recipients IN(bob1@splunk.com, bob2@splunk.com, bob3@splunk.com ) |stats count as "Emails received" by Recipients | append [search index=email_index Sender IN(bob1@splunk.com, bob2@splunk.com, bob3@splunk.com ) |stats count as "Emails sent" by Sender] |table "Emails received" "Emails sent" Recipients Sender Anyone can help me please?

JLopez · ‎05-12-2022

Hi Guys, We have an on prem server where the Software run and provide the API URL. I'm testing the API URL with the Splunk add-on builder with a custom app. When I run the API rest url on my browser, I get the warning "you connection isn't private" ERR_CERT_AUTHORITY_INVALID pass that and I get prompt to login. I login and I get the data just fine. BUT when I try to do it with the add-on builder I get the error: File "/opt/splunk/lib/python3.7/ssl.py", line 1139, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106) I pass the user and password on the inputs but I always get the same error. Anyone had this issue and know how to solve it? is it any path I could add the server certificate? Thanks

Posts	8
Solutions	0
Karma Given	4
Karma Received	0
Member Since	‎05-12-2022

Online Status	Offline
Date Last Visited	‎07-28-2023 11:24 AM

How to collect correlation searches that are enabl...

Identity list fields enrichment not showing in a i...

How to have Splunk search to include only events o...

Is there is a way to collect this data in a more e...

How to create a table with emails sent and emails ...

Splunk Add-on Builder Rest API inputs [SSL: CERTIF...