×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
666Meow
Explorer
Member since: ‎04-08-2025
Thursday
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎04-08-2025
View All

MSSP reporting

by in Monitoring Splunk
Thursday
Thursday
Hi all, I’ve recently encountered several challenges since migrating to Splunk Mission Control (MS) and would appreciate any guidance or insights. Summary of Issues: We had a dashboard set up to pull all the data needed for our monthly report. Since switching to MS, all those dashboards are broken with errors like: "Could not find object id="*. I recreated the dashboard with new searches, which initially worked fine and allowed report creation. However, when revisiting the new dashboard, most searches now fail or return no results within the expected time frame, despite previously working and being used in the latest report. Several items such as charts for "top hosts (consolidated)" and "top hosts" that were available under Security Domain > Network > Exec View are now missing post-migration. Search Aborts and Resource Issues: One major problem is searches being aborted with SVC errors. After contacting the customer, workload restrictions on my account were lifted, but searches still fail due to resource usage. Even limiting searches to a single day results in failures, and this has become quite frustrating. Example Problem with Macros and Searches: The macro sim_licensing_summary_base appears to be missing since moving to MS, and even the customer cannot locate it. The following search, intended to replicate the macro’s function, returns incomplete results after 2025-04-10 without any errors in the job manager:   (host=*.*splunk*.* NOT host=sh*.*splunk*.* index=_telemetry source=*license_usage_summary.log* type="RolloverSummary") | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | timechart span=1d sum(b) AS "volume" fixedrange=true | eval GB=round((volume / 1073741824),3) | fields - b, volume | stats avg/max(GB) Additional Notes: We’ve also noticed missing dashboards and objects that were previously part of Enterprise Security views. Searches aborting due to resource limits remain an issue despite workload adjustments. Has anyone else experienced similar problems after switching to Mission Control? Any advice on troubleshooting these dashboard errors, missing macros, or search aborts would be greatly appreciated.   ... View more

How do I open a support case when one of the requi...

by in Splunk Enterprise Security
2 weeks ago
2 weeks ago
Support Portal is broke and I am unable to submit a case due to one of the required fields being unable to select (see attached image) "Splunk Support access to your company data: --" I've emailed support@splunk.com which was suggested in other community posts, but it has now been 2 months and several chase up emails and still no response from support. ... View more
Labels

Re: Mission Control SPL for incidents

by in Security
‎04-09-2025 03:01 AM
‎04-09-2025 03:01 AM
Thanks @livehybrid  Converted your finding into a case to rename the numbers. Oddly enough, when I use 'mc_incidents', I don't get any results. But I do have a working model that's almost there - it's just a bit noisy because it shows all alerts linked to a case. That's an easy fix, though; I can just export the data and do a quick pivot to tidy it up. | mcincidents | eval CaseNumber=display_id | join display_id [search index=app_servicenow | rex field=description "(?<Priority>(?<=Priority:)\s*[0-9]{1,4}|(?<=P:)\s*[0-9]{1,4})" | rex field=description "(?<CaseNumber>ES-\d{5})" | eval Priority=trim(Priority) | fields display_id CaseNumber Priority | where isnum(Priority)] | eval Priority=coalesce(Priority, Priority) | fieldformat create_time=strftime(create_time, "%c") | eval _time=create_time, id=title | spath output=collaborators input=collaborators path={}.name | sort -create_time | eval age=toString(now()-create_time, "duration") | eval new_time=strftime(create_time,"%Y-%m-%d %H:%M:%S.%N") | eval time=rtrim(new_time,"0") | eval status_name=case( status == "0", "Unassigned", status == "1", "New", status == "2", "In Progress", status == "3", "Pending", status == "4", "Resolved", status == "5", "Closed", true(), "Unknown" ) | table time, age, status_name, CaseNumber, Priority, name, assignee now to battle the constant SVC Limit searches being aborted (customer is aware of these) ... View more

Mission Control SPL for incidents

by in Security
‎04-08-2025 02:52 AM
‎04-08-2025 02:52 AM
Hi all, I'm hoping someone could help assist with refining an SPL query to extract escalation data from Mission Control. The query is largely functional (feel free to steal borrow it), but I am encountering a few issues: Status Name Field: This field, intended to provide the status of the incident (with a default value if not specified), is currently returning blank results. Summary and Notes Fields: These fields are returning incorrect data, displaying random strings instead of the expected information. Escalation Priority: The inclusion of the "status" field was an attempt to retrieve escalation priority, but it is populating with a random field that does not accurately reflect the case priority (1-5). I also tried to use the mc_investigations_lookup table but this too doesn't display current case statue or priority. Any guidance or support in resolving these issues would be greatly appreciated. SPL: | mcincidents | `get_realname(creator)` | fieldformat create_time=strftime(create_time, "%c") | eval _time=create_time, id=title | `investigation_get_current_status` | `investigation_get_collaborator_count` | spath output=collaborators input=collaborators path={}.name | sort -create_time | eval age=toString(now()-create_time, "duration") | eval new_time=strftime(create_time,"%Y-%m-%d %H:%M:%S.%N") | eval time=rtrim(new_time,"0") | table time, age, status, status_name, display_id, name, description, assignee, summary ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
Thursday
Karma given to