×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
aymonfoa
Engager
Member since: ‎10-15-2022
‎12-05-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎10-15-2022
View All

Graphing off Tstats - total mental block

by in Dashboards & Visualizations
‎12-04-2023 08:42 AM
‎12-04-2023 08:42 AM
Got a search like this (I've obfuscated it a bit) | tstats count where index IN (index1, index2, index3) by _time , host | where match(host,"^.*.device.mycompany.com$") Got a great looking stats table - and Im really pleased with the performance of tstats - awesome. I want to graph the results... easy right?  well no - I cannot for the life of me seem to break down a say, 60 minute span down by host, despite the fact I got this awesome oven ready totally graphable stats table so I am trying  | tstats count where index IN (index1, index2, index3) by _time , host | where match(host,"^.*.device.mycompany.com$") | timechart count by host but the count is counting the host, whereas I want to "count the count" ?  Any ideas?  this will be a super simple one I expect - I got a total mental block on this ... View more
Labels

Re: Can the webhook payload for an alert be config...

by in Alerting
‎10-15-2022 08:00 AM
‎10-15-2022 08:00 AM
I dont know if this is a bit overkill but you could write a python app to receive the wehook, and then recompose the json - I've been messing around with this today.  So you'd end up with a gateway - but a stateless one - here's some code - it's a spike, so dont take it too literally: It creates an endpoint http://localhost:5000/splunk were you can take the use in splunk as a webhook target and take the original json payload and change its shape and post it to a discord channel (no cost etc.) from asyncio.log import logger from email import header from urllib import response import requests import json from loguru import logger from flask import Flask, request, json app = Flask(__name__) def discord_message(url, message): headers = { "Accept": "application/json", "Content-Type": "application/json", "X-HTTP-Method-Override": "PUT" } data = { "content": message } payload = json.dumps(data) logger.info(f'Sending webhook message {message}') response = requests.post(url, headers=headers, data=payload) logger.info(f'{response}') @app.route('/splunk',methods=['POST']) def splunk(): data = request.json logger.debug(data) discord_webhook = "https://discordapp.com/api/webhooks/SOME_WEBHOOK!!" message = (f'Attack detected see search: {data["results_link"]}') discord_message(discord_webhook, message) logger.debug(message) return data def main(): app.run(debug=True, host="0.0.0.0") if __name__ == "__main__": main() if there's a better way of doing this Id really be interested 🙂 ... hmm thinking about it an aws have some really interesting event bridge logic you could prob use and plumb it into a lambda ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-05-2023 12:18 AM
Karma given to
View All
Top