Hi Splunkers, any help with Rex has exceeded configured match_limit, consider raising the value in limits.conf. My search looks like this: | index=abc index=def process=jkl | rex field=_raw ";(?<h_db_host>\w+);(?<h_instance_name>\w+);\d+;\d+;(?<h_db_name>\w+);(?<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?<user_computer_name>[^;]*)?;[-\d]+;[-\d]+;(?<audit_policy_name>[^;]+);(?<audit_policy_severity>\w+);(?<user_activity>[^;]+);(SUCCESSFUL|UNSUCCESSFUL);(?<activity_details>[^;]+);(?<application_username>[^;]*)?;{5}(?<db_user_id>\w+)?;(?<user_application>[^;]+)?;(?<db_schema>\w+)?;" | rex field=user_activity "(?<user_activity_event>.+?)\;" | fillnull value="null" | search h_db_name IN("srp1", "brp1") audit_policy_severity="CRITICAL" db_user_id=SYSTEM | table _time, env, host, h_db_host, h_instance_name, h_db_name, user_computer_ip user_computer_name audit_policy_name audit_policy_severity user_activity_event Any help will be appreciated. ... View more

Hi Splunkers, I have a question and I need help from experts, I'm working on creating a heartbeat tracker search that monitor when a host gets span up, and it's a window or Linux it gets generic apps from the server class, so there is a server class built out there that is just looking for any host that isn't already in the server class. So the purpose of the heartbeat tracker is to inform us that there is a brand-new host that isn't in the server class, so the ask is to track the hosts that showing up in the heartbeat index and if these hosts are there for multiple days that means they need to be addressed, as an example every host that get span up whether we know about it or not is going to get the heartbeat initially, so it's going to span up, and it's going to get the heartbeat and once it's get to its real app it's going to stop sending logs to the heartbeat index, so what I really want to know is per host how many days has it been talking to the X index so if I get a host that has been talking to the X index for several days then I know that isn't the initial start up, it's a problem that need to be looked at. | tstats count where index=X by host index span=1d _time ... View more

Hi All, I'm working on a project to create some dashboards that display a lot of information and one of the questions that I'm facing is how to know if Nessus scans are credentialed, I looked at some events, and it indicates the check type: local. Is this means the scan is credential ?  Also tried to look into the events to see if there are anything that indicated that the scan is authenticated. Thanks in advance for any information may help. ... View more

Hi All, I'm working on a project to create some dashboards that display a lot of information and one of the questions that I'm facing is how to know if Nessus scans are credential, I looked at some events, and it indicates the check type: local. Is this means it is credential ?  Thanks in advance for any information may help. ... View more

Hi, I want to display time on my dashboard but all I see just two fields with data any help with the search to populate the rest of the fields would be appreciated. I have attached my dashboard. my search that looks like this: Index=a sourcetype=b earliest=-1d [| inputlookup M003_siem_ass_list where FMA_id=*OS -001* | stats values(ass) as search | eval seaqqrch=mvjoin(search,", OR ")] | fields ip FMA_id _time d_role | stats latest(_time) as _time values(*) by ip ... View more

I have a search that looks like this:  index=dog sourcetype=cat earliest=-30d [| inputlookup LU1_siem_set_list where f_id=*$pick_f_id$* | stats values(mc) as search | eval search="mc=".mvjoin(search," OR mc=")] | stats latest(_time) by ip. what i see is : mc latest(_time) 00.00.01 1715477192 00.00.02 1715477192 00.00.03 1715477192 how to present this in a dashboard with time formatted. Thanks!                                ... View more

Hi, im working on creating a dashboard but I'm not familiar with time formatting is there a way some one can help on how to format time to strftime in this search to show on the dashboard: Index=a sourcetype=b earliest=-30d [|inputlookup LU0_siem_asset_list where f_id=*OS-03* | stats values(asset) as search | eval search=mvjoin(search,", OR ")] | fields src src_ip src_f_id _time | stats latest(_time) values(*) by src_ip. Thanks! ... View more

Hi All, I'm working hard to create a SIEM dashboard that has the AH list: higher priority :1)ab 2)CD 3)if 4)GH rest of the AH: 5)IJ 6)kl 7)MN for each of these systems, I need a list of hosts associated with the AH and what is currently being ingested from the AH.   ... View more

I'm working on splunk data feed outage alert: The following data feed has been detected down: Index=a  sourcetype=splunkd  host=b. Is there someone can point me to the right direction of troubleshooting this issue. Thanks a lot. ... View more

Hi Folks, I can't see what would have caused the false alert to triggered: when I checked this directory I can see plenty of space : Size: 500g   Used: 9.6g   Avail: 491g  use%: 2% the query looks like this: index=a sourcetype=b  MountedON="d" PercentUsedSpace >  90 | stats latest(PercentUsedSpace) as PercentUsedSpace latest(Avail) as Avail latest(Used) as Used latest(UsePct) as UsePct by MountedON | fields MountedON UsePct Used Avail | rename MountedON as "Mount" UsePct as "Percent Used" Used as "Used Space" Avail as "Available Space"   ... View more

Hi Everyone, I run into an issue today in SIT where TIV0 was inaccessible because a similar directory was full. I'm trying to set one alert for DEV and one for SIT and the folder path for each environment is : DEV:/mms/ora1200/u00/oracle. SIT:/mms/ora1201/u00/oracle. this is what i have so far : index=A "/mms/ora1200/u00/oracle" source= B | stats latest(storage_used*) as storage_used* latest(storage_free*) as storage_free* by host mount | where storage_used_percent>90 | eval storage_used=if(storage_used>1000,(storage_used/1000). " GB" ,storage_used+" MB"), storage_free=if(storage_free>1000, (storage_free/1000, (storage_free/1000). " GB", storage_free+" MB") Any feedback will be appreciated.   ... View more

I need to create a Splunk alert that will trigger when storage on /vi/vip_pdh/00d for a host reaches at least 90% capacity. index=A sourcetype=B   /vi/vip_pdh OR /var/log  earliest=-2h | eval UsePct=rtrim(UsePct,"%") | stats latest(UsePct) as UsePct by MountedOn host. Just a Slight correction, I want to monitor both /vi/vip_pdh and /var/log. Thanks! ... View more

Hi Folks,  I'm looking into a blackouts alert that weren't working properly, and the alerts fire for jobs that should be blacked out(ERROR: While inserting Into spm_Delta at line 590 /ERROR DESCRIPTION: ORA-0001 deadlock detected while waiting for resources). Is there anybody can help point me where I should start to fix this problem please. Thanks! ... View more