Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Treize
Treize
Path Finder
Member since:
06-21-2022
04-02-2025
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 8 |
| Karma Received | 1 |
| Member Since | 06-21-2022 |
Activity Feed
- Got Karma for Re: Issue with SHC and Bundle. 04-02-2025 11:24 AM
- Posted Re: Search in lookup with subsearch- bug ? on Splunk Search. 04-02-2025 03:02 AM
- Posted Re: Search in lookup with subsearch- bug ? on Splunk Search. 04-02-2025 02:15 AM
- Posted Re: Search in lookup with subsearch- bug ? on Splunk Search. 04-02-2025 02:02 AM
- Posted Re: Search in lookup with subsearch- bug ? on Splunk Search. 04-02-2025 02:00 AM
- Karma Re: Search in lookup with subsearch- bug ? for ITWhisperer. 04-02-2025 02:00 AM
- Karma Re: Search in lookup with subsearch- bug ? for livehybrid. 04-02-2025 01:52 AM
- Posted Re: Search in lookup with subsearch- bug ? on Splunk Search. 04-02-2025 12:18 AM
- Karma Re: Search in lookup with subsearch- bug ? for gcusello. 04-02-2025 12:18 AM
- Karma Re: Search in lookup with subsearch- bug ? for ITWhisperer. 04-02-2025 12:16 AM
- Karma Re: Search in lookup with subsearch- bug ? for livehybrid. 04-02-2025 12:15 AM
- Posted Re: Search in lookup with subsearch- bug ? on Splunk Search. 04-02-2025 12:14 AM
- Posted Search in lookup with subsearch- bug ? on Splunk Search. 04-01-2025 11:39 PM
- Tagged Search in lookup with subsearch- bug ? on Splunk Search. 04-01-2025 11:39 PM
- Tagged Search in lookup with subsearch- bug ? on Splunk Search. 04-01-2025 11:39 PM
- Posted Re: Issue with SHC and Bundle on Monitoring Splunk. 04-01-2025 11:22 PM
- Karma Re: Issue with SHC and Bundle for livehybrid. 03-14-2025 03:23 AM
- Karma Re: Issue with SHC and Bundle for kiran_panchavat. 03-14-2025 03:23 AM
- Posted Re: Issue with SHC and Bundle on Monitoring Splunk. 03-14-2025 02:52 AM
- Posted Issue with SHC and Bundle on Monitoring Splunk. 03-14-2025 01:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
04-02-2025
03:02 AM
I don't understand why a summary index would be better? We use 2 lookups: - 1st because it comes from a third party - 2nd because we need to increment it after treating this IP as an alert
... View more
04-02-2025
02:15 AM
In the meantime, I've come up with a simple idea: a subsearch for the lookup with 1000 lines and a simple "| lookup" command for the lookup with 50,000 lines.
... View more
04-02-2025
02:00 AM
The lookup has already been defined. The variable is not really “ip” so in the definition should we put CIDR(ip) because it's an IP or CIDR() to define the variable it should take into account? In both cases, this solution doesn't work. It can't find the IPs in the lookup's CIDRs...
... View more
04-02-2025
12:18 AM
Thanks, I'll keep the optimization in my mind and implement it as soon as my problem is solved.
... View more
04-02-2025
12:14 AM
Hello and thank you for your suggestion It works pretty well indeed! The only problem, and it's my fault, I forgot to specify that the 1.csv contains CIDRs and not simple IPs... Any ideas? 😃 I'd never have thought of the limits of subsearch. How has it worked all these years when we exceeded 10,000 lines years ago?
... View more
04-01-2025
11:39 PM
Hi, there, I'm simplifying the context: We've had a perfectly working correlation rule for several years now, and for the past 2 days it hasn't been working properly. The command has to list IPs and then check if these IPs are not in a first lookup and then in a second lookup. If the IPs are not in either lookup, an alert is triggered. The IPs are then added to the second lookup, so that they can be ignored for future searches. It looks like this: <my search> | dedup ip | search NOT [ | inputlookup 1.csv ] | search NOT [ | inputlookup 2.csv ] | fields ip | outputlookup append=true override_if_empty=false 2.csv The lookups are both identical: IP ------- 1.1.1.1 2.2.2.2 etc The first lookup has 1000 lines The second lookup has 55000 lines Everything was working fine, but now we have IPs that are triggering alerts despite being in the second lookup. Any ideas? Thanks a lot.
... View more
04-01-2025
11:22 PM
1 Karma
Hi there! We finally found the solution! On the SLM, Settings > General Setup > Edit the node > Disable monitoring then enable him Thanks to all
... View more
03-14-2025
02:52 AM
@kiran_panchavat@jondukehds I've just tried a few commands: - “shcluster status --verbose” doesn't return any useful additional info - No error in splunkd.log - splunk resync shcluster-replicated-config” changes nothing - splunk restart” changes nothing - Switching from dynamic to static captain and back to dynamic + bootstrap, changes nothing apart from changing the captain. Each search head is given the same ID in the cluster as the captain, the shcluster-status or the shclustering stanza. It's really only in the GUI that I see another bundle. I don't get it... Not having done the integration, I don't know if scripts interfere with the built-in Splunk startup but I don't think so, given the rest of the project.
... View more
03-14-2025
01:17 AM
Hello, I have a problem that I can't solve. I have a shcluster with 4 members (including the Captain) and splunk version 7.3.5. We are in a multisite configuration. We wanted to do a test to put a Search Head in stand-alone mode and simulate a power cut with the 3 others. Everything worked, then we returned to normal. ALL CLEAR. But recently we realized that we had a problem (bug?). Our 4 SHC members are in the same cluster, checked on the servers directly in CLI. But on the GUI we have two different SHcluster: the first with 3 members, the second with only 1. show shcluster-status shows the cluster, its 4 members and its ID (starting with EDF6) The [shclustering] stanza in the server.conf file for the 4 search heads has the ID EDF6[...]. I remind you that despite this, everything works normally. We've tried a lot of solutions with no results. Is this a bug or do you have any ideas? Attached are some screenshots, to make things easier. Thank you very much
... View more
Labels
- Labels:
-
search head clustering
06-28-2022
01:02 PM
@VatsalJagani Incredible! You are amazing 😃 I've been searching for 4 days. I am really newbie to this... Thank you very much, besides solving my problem you just taught me a new way to use SPL, I have to redo my logic. Thanks again.
... View more
06-27-2022
07:54 PM
Hi, I am a beginner. I have a correlation rule that : - searches for IP addresses that are port scans - search in the lookup table, if each IP address is not listed - if an IP address is not in the lookup table: make an alert in ES - add this IP in the lookup table (to avoid duplicates)
I have two lookup tables : - scan_port.csv - network_provider.csv
Now I would like to filter the IP addresses by a lookup table (a list of cidr ranges : "network_provider.csv"). If possible, this filter would be first in this correlation rule, to avoid adding a filtered IP in the lookup table "scan_port.csv".
The priority is to: - Find the port scan of the IPs - Filter IPs (by the lookup table "network_provider") - Check for duplicates (by the lookup table "scan_port") - Make an alert - Add the IP in the search table (port scan)
As I said, I have a correlation rule for port scans that has been working for years. I would like to add the filter by cidr range. I have the command (cidrmatch) that works for the filter. But I can't get it to work, between the port scan lookup and the two lookup tables, I can't find a solution.
Any ideas? Thanks in advance
... View more
Labels
- Labels:
-
correlation search
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-02-2025
04:12 AM
|
Karma given to
