Activity Feed
- Posted Re: $result.<field>$ Not Showing in Email Alert on Alerting. 4 weeks ago
- Posted $result.<field>$ Not Showing in Email Alert on Alerting. 4 weeks ago
- Posted Re: Cloud Monitoring Console - Rebuild forwarder assets on Splunk Cloud Platform. 08-22-2024 11:50 AM
- Posted Re: Splunk Security Essential - MITRE ATT&CK Matrix on Splunk Search. 08-08-2024 09:36 AM
- Posted Re: Splunk Security Essential - MITRE ATT&CK Matrix on Splunk Search. 08-07-2024 09:24 AM
- Posted Cloud Monitoring Console - Rebuild forwarder assets on Splunk Cloud Platform. 01-30-2024 02:46 PM
- Karma Re: Cooked Connection for xpac. 05-24-2023 07:52 AM
- Posted Palo Alto Networks App Python 3 Compatibility on All Apps and Add-ons. 05-15-2023 07:39 AM
4 weeks ago
From what I can tell it's just a straightforward field and single value from a JSON feed. Here's an event example from the search:

```
{
  "action": "Block",
  "asset": {
    "id": "xxxxx-xxxx-xxxxx-xxxx-xxxxxxxx",
    "kind": "Endpoint",
    "name": "Vxxxxx3"
  },
  "dataType": "Event",
  "guid": "0xxxxxx",
  "id": "7c332exxxxb24e",
  "kind": "TrustDowngrade",
  "occurredAt": "2025-03-18T14:56:13.748Z",
  "primaryProcess": { ... },
  "processes": [ ... ],
  "summary": { ... },
  "tenantId": "xxxx-xxxxx-xxxx-xxxx-xxxxxxxx"
}
```

It's JSON data, so the field format on the thing I want ends up being asset.name, and the data does show Vxxxxx3. I thought maybe it was a search timing thing, like the field wasn't there when the search was run in the alert (seemed unlikely, but I'm having no luck so far in figuring this out), so I did a rex on the raw data to pull the data I wanted using:

```
| rex field=_raw "\"name\":\"(?<hostname>[^\"]*)\""
```

and again, I now see a hostname field with the Vxxxxx3 data in it like I'd expect. But when I put $result.hostname$ into the message of the alert, all I get is a blank email.
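Two of the extractions discussed in this thread can be checked offline before they go into a scheduled alert: the auto-extracted dotted field (asset.name) and the rex posted above. The block below is an added example written for this page, not code from the original post or from Splunk. It uses a constructed raw event with invented values, translates the posted rex into Python literally, and adds a whitespace-tolerant variant, since a regex anchored on `"name":"` silently misses raw JSON that has a space after the colon. The token renderer at the end is a simplified model of how an alert action fills $result.<field>$ from the first result row (an absent field renders empty); it is an assumption for testing templates, not Splunk's implementation.

```python
"""Added example (not from the original post): check the field
extractions from the thread against a constructed raw event and
preview a $result.<field>$ template against a result row.

Assumptions (not from the page): the raw event is one JSON document
per event, and the values below are invented."""
import json
import re
from typing import List, Optional

# Constructed raw events with invented values: compact JSON (no space
# after the colon) and pretty-printed JSON (space after the colon).
RAW_COMPACT = (
    '{"action":"Block","asset":{"id":"xxxxx-xxxx","kind":"Endpoint",'
    '"name":"Vxxxxx3"},"dataType":"Event","id":"7c332exxxxb24e",'
    '"kind":"TrustDowngrade","occurredAt":"2025-03-18T14:56:13.748Z"}'
)
RAW_SPACED = json.dumps(json.loads(RAW_COMPACT), indent=2)

# The rex from the post, translated literally: matches "name":"<value>"
# only when there is no whitespace around the colon.
POSTED_REX = re.compile(r'"name":"(?P<hostname>[^"]*)"')
# Same extraction, tolerating whitespace around the colon.
LENIENT_REX = re.compile(r'"name"\s*:\s*"(?P<hostname>[^"]*)"')

# Matches $result.<field>$ where <field> may contain dots (asset.name).
TOKEN = re.compile(r"\$result\.([A-Za-z0-9_.]+)\$")


def extract_with_rex(raw: str, pattern: re.Pattern) -> Optional[str]:
    """Return the hostname group, or None when the pattern does not match."""
    m = pattern.search(raw)
    return m.group("hostname") if m else None


def extract_json_path(raw: str, path: str) -> Optional[str]:
    """Walk a dotted path (asset.name) through the parsed JSON, the way
    the auto-extracted dotted field is read from the event."""
    node = json.loads(raw)
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def render_first_row(template: str, rows: List[dict]) -> str:
    """Simplified model (an assumption, not Splunk's code) of filling
    $result.<field>$ tokens from the first result row. A field missing
    from that row renders as an empty string, which is what a blank
    message body looks like."""
    row = rows[0] if rows else {}
    return TOKEN.sub(lambda m: str(row.get(m.group(1), "")), template)


if __name__ == "__main__":
    print(extract_with_rex(RAW_COMPACT, POSTED_REX))   # Vxxxxx3
    print(extract_with_rex(RAW_SPACED, POSTED_REX))    # None
    print(extract_with_rex(RAW_SPACED, LENIENT_REX))   # Vxxxxx3
    print(extract_json_path(RAW_COMPACT, "asset.name"))  # Vxxxxx3
    row = {"asset.name": extract_json_path(RAW_COMPACT, "asset.name")}
    print(render_first_row("Host: $result.asset.name$", [row]))
    print(render_first_row("Host: $result.hostname$", [row]))  # Host:
```

Run it against a copy of a real raw event (paste it into RAW_COMPACT) before relying on the rex in a scheduled search; if `POSTED_REX` returns None on the real text, the field is never created and any token that references it will render empty.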
4 weeks ago
I have an alert saved that is straightforward. The search is:

```
index=mydata action=block
```

I have it on a cron schedule, and I get results from it when manually running the search. I can see the field asset.name is returned, and it has the expected data I want in it. I configure my alert action to email me, and in the body I put in $result.asset.name$. When the email is received, it is a blank email.

For troubleshooting, I tried a different field named 'id', and put $result.id$ and $result.asset.name$ in the body of the email alert action. The id data shows up but not the asset.name. I changed my search to have | table asset.name at the end, and I again see the data I want in a manual search. I tried adding | eval dvc='asset.name' to my search, and again I see dvc now has the data I want in it. But if I put $result.dvc$ in the email body, I again get a blank email.

Please help me to understand what I'm doing wrong. Thanks
Labels: alert action, email
08-22-2024 11:50 AM
Hey, thanks for taking the time to reply, bwheel, but I think you might have misread my post. I stated that I was clicking the "Rebuild forwarder Assets..." button. I'm not sure what you're referring to with the "regular 'update'" you mention. I also couldn't find any mention of an "update" option in the document you linked. Maybe I'm misunderstanding what you're saying, but either way please don't spend any further time on it. I opened a support case about the fact it didn't work, and they said it was a bug and provided me with a search to update the lookup table manually. I think they might have fixed it at this point. I seem to recall using it not too long ago.
08-08-2024 09:36 AM
I created a support ticket, and they confirmed that this is a bug that will be fixed in the next release of SSE. However, they could not provide a date for the update and recommended that I downgrade back to 3.7.1. I did so and that worked. I've asked that they update the "Known Issues" list with this bug info.
08-07-2024 09:24 AM
I have the same issue. We use Splunk Cloud, and the permissions are fine. I did not uninstall and reinstall, as I'm not sure of the full ramifications of that. I don't know if it's related or not, but I noticed it after I installed the latest version from Splunkbase.
01-30-2024 02:46 PM
When going to CMC -> Forwarders -> Forwarders: deployment, I see that we have 19k+ forwarders, which is completely inaccurate. We have more like 900. It shows 18k+ as missing, and the list has instances decommissioned years ago. I thought I could fix this by telling it to rebuild the forwarder assets via the button under CMC -> Forwarders -> Forwarder monitor setup, but when I click on this, it processes for about a minute, and then nothing changes. The description makes me think it is supposed to clear out the sim_forwarder_assets.csv lookup and rebuild it using only data it sees within the time frame I selected (24 hours). If I open up the lookup, all the entries it had previously are still there. Am I misunderstanding how this works, or is something broken?
Labels: administration, troubleshooting
05-15-2023 07:39 AM
The Upgrade Readiness App tells me that version 8.0.2 of my Palo Alto Networks and Palo Alto Networks Add-On apps are incompatible with Python version 3. The Splunkbase page shows it's Splunk Cloud 9.0 compatible, so is it safe to assume this is a false positive?
Labels: upgrade