Hi @DAMAIT, The cisco:ise:syslog source type and its associated knowledge objects have been incorporated into Cisco Catalyst Add-on for Splunk at https://splunkbase.splunk.com/app/7538. ... View more

Hi @LovingSplunk, Building on @inventsekar's answer in a typical native Splunk environment, you can see forwarder connections to receivers with the following search: index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* This is the same base search the monitoring console uses to discover forwarder assets. In a Cribl environment, the flow changes: splunk forwarder -> cribl worker [ source - route - pipeline - destination ] -> splunk receiver You can verify your forwarder output configuration from the host itself. On a typical Linux host: sudo su - splunkfwd -c '/opt/splunkforwarder/bin/splunk btool outputs list' If you have no outputs defined, neither Splunk nor Cribl is receiving data. Tracking sources by connection IP in Cribl may require a custom pipeline and metric rollup by the __srcIpPort field; however, the value of the __srcIpPort field varies by proxy configuration and Cribl source type. In the case of a forwarder sending data to a local Cribl instance, the connection IP may be 127.0.0.1. ... View more

Hi @pruthviraj_k_m, I commented on tracking status changes circa ES 7.0. The searches may still be applicable today. See https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-a-Dashboard-that-will-show-SLA-for-alerts-received/m-p/594780/highlight/true#M10776. ... View more

Hi @splunknoob4, If you have Splunk support, you could ask about enhancement request ENH-6550. I opened it in 2018. Maybe there's been some progress? 😉 ... View more

Hi @duesser, The links in the other responses may cover the detail, but in short, 372998479107735.188677 is outside the precision of a double-precision floating point value when converted to binary: 372998479107735.188677 to binary => 0100001011110101001100111101011110011101100101010110100101110011 back to decimal => 372998479107735.1875 The easiest way to maintain precision is probably to store the value as a string and then at search time, perform calculations using custom search commands that reference, e.g., Python decimal or gmpy modules. ... View more

Hi @mh124, Maps+ uses clustering by default, and each cluster must normally have at least two results. To allow single results to display stylized markers, set the leaflet_maps_app.maps-plus.singleMarkerMode option to 1: <viz type="leaflet_maps_app.maps-plus"> <search> <query>| makeresults format=csv data=" latitude,longitude,bgp_state 37.166111,-119.449444,Down 42.9525,-76.016667,Up 42.9525,-76.016667,Up 42.9525,-76.016667,Up " | eval clusterGroup=coalesce(lower(bgp_state), "up") | table latitude longitude clusterGroup</query> <earliest>0</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="leaflet_maps_app.maps-plus.cluster">1</option> <option name="leaflet_maps_app.maps-plus.clusterGroupColors">down:red, up:green</option> <option name="leaflet_maps_app.maps-plus.singleMarkerMode">1</option> </viz> The singleMarkerMode option is loosely documented in app help: Single Marker Mode Re-style single marker icon to marker cluster style (round) - Requires browser Refresh In the Format visualization interface, navigate to Clustering > Single Marker Mode, and then click Enabled. ... View more

Hi @beataficek, After logging into your search head or search head cluster, browse to https://splunk/en_US/_bump, where "splunk" is your hostname and "en_US" is your locale, and then click the Bump version button. If this doesn't work and you're using a search head cluster with round-robin DNS or a load balancer, replication may be broken, and you may be seeing an older version of your dashboard intermittently. ... View more

There's some grammar weirdness in there. Oops. At least you know a human wrote it. 😉 I do get a kick out of LLMs showing me my own community answers as references, though, even if the LLM hallucinates a goofball interpretaton. ... View more

Hi @BradOH, We'll use a solution similar to the referenced post but adapted to Dashboard Studio's quirks. As a starting point, we'll construct our search programmatically in SPL: | makeresults | eval index="foo" | eval field1="x" | eval field2="y" | eval field3="z" | format This returns a single field named seach with the following value: ( ( field1="x" AND field2="y" AND field3="z" AND index="foo" ) ) Next, we'll define a pseudo-nullable input token with the default value set to a single space. Recall that Dashboard Studio trims whitespace from token values. While then token will indeed have a default value of a single space, it will display as an empty string. Editing the rendered input will remove the space, but clearing the rendered input will leave the (unrendered) space. In this way, the token is always defined and always satisfies implicit token dependencies: "input_nullable": { "options": { "defaultValue": " ", "token": "text_field2_nullable" }, "title": "Nullable Token", "type": "input.text" } Next, we'll translate our base search into a data source that dynamically sets field2 and interprets a single space as null value. Note that we're removing field2 from the search when it's "null." This allows the search to return results whether field2 exists in the event or not. If you want to limit search results to events where field2 exists, using "*" in place null(), e.g., field2 is optional: | makeresults | eval index="foo" | eval field1="x" | eval field2=if($text_field2_nullable|s$==" ", null(), $text_field2_nullable|s$) | eval field3="z" | format or if field2 must exist: | makeresults | eval index="foo" | eval field1="x" | eval field2=if($text_field2_nullable|s$==" ", "*", $text_field2_nullable|s$) | eval field3="z" | format If the format command doesn't produce the SPL you need, you can use the makeresults command and any SPL to define a field named search and construct any value you'd like using whatever SPL you'd like. You don't need to limit yourself to the eval command. You have the full suite of (safe) default and custom SPL commands and any data in your environment available to you: | makeresults | eval search="index=foo field1=x field2=".if($text_field2_nullable|s$==" ", "*", $text_field2_nullable|s$)." field3=z" | fields - _time (Note that the eval search ... example isn't entirely string-safe. Be mindful of token values that contain embedded whitespace. I'll leave that as an exercise for you.) The data source must have the "Access search results or metadata" option enabled ("enableSmartSources": true). We'll reference the result of the format command, the "search" result field, in our visualization elements: "dataSources": { "ds_WKrsc3Ay": { "name": "search_nullable_token", "options": { "enableSmartSources": true, "query": "| makeresults \r\n| eval index=\"foo\" \r\n| eval field1=\"x\" \r\n| eval field2=if($text_field2_nullable|s$==\" \", null(), $text_field2_nullable|s$)\r\n| eval field3=\"z\"\r\n| format", "queryParameters": { "earliest": "0", "latest": "" } }, "type": "ds.search" } } Finally, we'll use the $search_nullable_token:result.search$ token anywhere we need to reference the generated SPL: "visualizations": { "viz_breCVkj9": { "options": { "markdown": "### SPL\n`$search_nullable_token:result.search$`" }, "type": "splunk.markdown" } } Tying it all together: { "title": "Nullable Token (Legacy)", "description": "", "inputs": { "input_global_trp": { "options": { "defaultValue": "-24h@h,now", "token": "global_time" }, "title": "Global Time Range", "type": "input.timerange" }, "input_nullable": { "options": { "defaultValue": " ", "token": "text_field2_nullable" }, "title": "Nullable Token", "type": "input.text" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } }, "ds.spl2": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } }, "visualizations": { "global": { "showProgressBar": true } } }, "visualizations": { "viz_breCVkj9": { "options": { "markdown": "### SPL\n`$search_nullable_token:result.search$`" }, "type": "splunk.markdown" } }, "dataSources": { "ds_WKrsc3Ay": { "name": "search_nullable_token", "options": { "enableSmartSources": true, "query": "| makeresults \r\n| eval index=\"foo\" \r\n| eval field1=\"x\" \r\n| eval field2=if($text_field2_nullable|s$==\" \", null(), $text_field2_nullable|s$)\r\n| eval field3=\"z\"\r\n| format", "queryParameters": { "earliest": "0", "latest": "" } }, "type": "ds.search" } }, "layout": { "globalInputs": [ "input_nullable", "input_global_trp" ], "layoutDefinitions": { "layout_1": { "options": { "height": 960, "width": 1440 }, "structure": [ { "item": "viz_breCVkj9", "position": { "h": 400, "w": 1440, "x": 0, "y": 0 }, "type": "block" } ], "type": "grid" } }, "options": {}, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } } }   ... View more

Hi @ra_52194724, Try one of the following EXTRACT settings in props.conf: [your_sourcetype_or_other_spec] EXTRACT-core_key_1 = JOB (?|(?=.+"hostname": "aa01")|..(?=.+"hostname": "bb01"))(?<core_key>...) EXTRACT-core_key_2 = "description": "(?:aa01 .+ JOB |bb01 .+ JOB ..)(?<core_key>...) The core_key_1 extract uses alternating positive lookaheads to discard leading characters in the job identifier based on a trailing hostname value. If the hostname always appears at the start of the description value, you can use the core_key_2 extract. You can also use both regular expression in SPL: | rex "JOB (?|(?=.+\"hostname\": \"aa01\")|..(?=.+\"hostname\": \"bb01\"))(?<core_key>...)" | rex "\"description\": \"(?:aa01 .+ JOB |bb01 .+ JOB ..)(?<core_key>...)" If you have an arbitrarily long list of hostnames to match, I might take a different approach. Let us know. ... View more

Hi @ra_52194724, N.B.: I posted this answer a moment ago, and the forum lost it. Apologies if it appears twice. You can achieve this using alternating positive lookaheads to discard leading characters in the job identifier based on a trailing hostname value: | makeresults format=csv data=" _raw \"{\"\"group_id\"\": \"\"aa2211-3b22-4263-8fe7-e7ef6c7859ed\"\", \"\"Status\"\": \"\"OPEN\"\", \"\"description\"\": \"\"aa01 : GOT EQQE056I JOB T375P201(JOB91552), OPERATION(0010), OPERATION TEXT( ), ENDED IN ERROR JCL . PRTY=1, APPL = T375P2 , WORK STATION = CPU4, IE= 2603161420, NO E2E RC\"\", \"\"hostname\"\": \"\"aa01\"\", \"\"CI_company\"\": \"\"zzz Group\"\", \"\"CEC_ID\"\": \"\"job-585796313\"\", \"\"ORIGIN_By_Product\"\": \"\"Microsoft\"\"}\" \"{\"\"group_id\"\": \"\"bb2211-3b22-4263-8fe7-e7ef6c7859ed\"\", \"\"Status\"\": \"\"OPEN\"\", \"\"description\"\": \"\"bb01 : GOT EQQE006I JOB T375Q201(JOB91632), OPERATION(0010), OPERATION TEXT( ), ENDED IN ERROR JCL . RTY=1, APPL = T375Q2 , WORK STATION = CPU5, IE= 2606661420, NO E2E RC\"\", \"\"hostname\"\": \"\"bb01\"\", \"\"CI_company\"\": \"\"xxx Group\"\", \"\"CEC_ID\"\": \"\"job-565796313\"\", \"\"ORIGIN_By_Product\"\": \"\"Microsoft\"\"}\" " | rex "JOB (?|(?=.+\"hostname\": \"aa01\")|..(?=.+\"hostname\": \"bb01\"))(?<core_key>...)" | table core_key core_key T37 75Q Using a search-time extraction in props.conf: [your_sourcetype_or_other_spec] EXTRACT-core_key = JOB (?|(?=.+"hostname": "aa01")|..(?=.+"hostname": "bb01"))(?<core_key>...) EDIT: Since the hostname also appears at the beginning of the description, you can simplify the regular expression: "description": "(?:aa01 .+ JOB |bb01 .+ JOB ..)(?<core_key>...) If you have an arbitrarily long list of hostnames to match, I might take a different approach. Let us know. ... View more

Hi @BradOH, In Splunk Enterprise 10.2 and Splunk Cloud Platform 10.1.2507 or later, you can use JSONata expressions to construct predicates. Dashboard Studio's interface with JSONata is not well-documented and may require trial and error. See the expressions object in the source below. Note that Dashboard Studio trims (removes leading and trailing whitespace) tokens, and empty tokens are undefined. When setting an empty value, use a single space as I've done below; otherwise, Dashboard Studio will interpret the $eval:field2$ token as a string literal instead of dereferencing it. If a space conflicts with your solution, devise a compatible placeholder. You can adapt previously discussed methods in earlier versions of Splunk, e.g., this simple solution by @ITWhisperer: https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-studio-How-to-create-search-for-value-that-may-be-null/m-p/657776 JSONata example: { "title": "Nullable Token", "description": "", "inputs": { "input_global_trp": { "options": { "defaultValue": "-24h@h,now", "token": "global_time" }, "title": "Global Time Range", "type": "input.timerange" }, "input_nullable": { "options": { "defaultValue": "", "token": "text_field2_nullable" }, "title": "Nullable Token", "type": "input.text" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } }, "ds.spl2": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } }, "visualizations": { "global": { "showProgressBar": true } } }, "visualizations": { "viz_qwzyWlJP": { "options": { "markdown": "### SPL\n`index=foo field1=x $eval:field2$ field3=z`" }, "type": "splunk.markdown" } }, "dataSources": {}, "layout": { "globalInputs": [ "input_nullable", "input_global_trp" ], "layoutDefinitions": { "layout_1": { "options": { "height": 960, "width": 1440 }, "structure": [ { "item": "viz_qwzyWlJP", "position": { "h": 400, "w": 1440, "x": 0, "y": 0 }, "type": "block" } ], "type": "grid" } }, "options": {}, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } }, "expressions": { "eval": { "eval_1": { "name": "field2", "value": "$exists($text_field2_nullable$) ? 'field2=\"' & $replace($replace($text_field2_nullable$, '\\\\', '\\\\\\\\'), '\"', '\\\\\"') & '\"' : ' '" } } } }   ... View more

Hi @michael3, Try double-encoding the linefeed and other characters as needed: %0A => %250A ... View more

Hi @_joe , As a baseline, verify the limits.conf [thruput] stanza maxKBps setting. The value should be 0 on a heavy forwarder: $ /opt/splunk/bin/splunk btool limits list thruput [thruput] maxKBps = 0 syslog outputs have a fixed maximum queue size of 97 KiB (99,328 bytes). The maximum theoretical thruput per syslog output is bound by the queue size and the round-trip time (RTT) to the destination. For example, if the one-way latency between the Splunk Enterprise sender and the Owl data diode is 1 ms, the RTT is 2 ms, and the the maximum thruput is 99,328 * 8 bits / 0.002 seconds = 397,312,000 bps / 8 bits = 49,664,000 Bps or ~47.363 MBps. You can verify whether your syslog output and the internal indexing queue are blocked by looking at metrics.log. The internal indexing queue sits in front of both outputs and indexes. In the case of a heavy forwarder, the indexing queue may be blocked if one or more outputs are blocked: index=_internal source=*metrics.log* group=queue name IN (indexqueue diode-syslog-tcp diode-syslog-udp) blocked=true or optimized using the TERM operator: index=_internal source=*metrics.log* TERM(group=queue) (TERM(name=indexqueue) OR TERM(name=diode-syslog-tcp) OR TERM(name=diode-syslog-udp)) TERM(blocked=true) You can return statistics quickly using the tstats command: | tstats prestats=t max(PREFIX(max_size_kb=)) max(PREFIX(largest_size=)) where index=_internal source=*metrics.log* TERM(group=queue) (TERM(name=indexqueue) OR TERM(name=diode-syslog-tcp) OR TERM(name=diode-syslog-udp)) TERM(blocked=true) by PREFIX(name=) or over time: | tstats prestats=t max(PREFIX(max_size_kb=)) avg(PREFIX(largest_size=)) where index=_internal source=*metrics.log* TERM(group=queue) (TERM(name=indexqueue) OR TERM(name=diode-syslog-tcp) OR TERM(name=diode-syslog-udp)) by _time PREFIX(name=) | timechart max(max_size_kb=) avg(largest_size=) by "name=" If metrics.log isn't available in _internal log, you can search the log file locally in $SPLUNK_HOME/var/log/splunk/, e.g.: $ grep blocked=true /opt/splunk/var/log/splunk/metrics.log* If a queue is blocked, largest_size will exceed max_size_kb and provide hints for optimization. If your Owl data diode has 1 Gbps available bandwidth, you need a queue size of 1,000,000,000 bps * 0.002 seconds / 8 bits = 250,000 bytes. Queue sizes, like TCP RWIN values, should be an even multiple of the end-to-end TCP MSS. I can't find a documented value from Owl, so we'll assume 1,460 bytes for standard ethernet. 250,000 / 1,460 = ~171, so we'll round up to 172 and use a starting queue size of 172 * 1,460 = 251,120 bytes. MSS values are larger if jumbo frames are used and may be smaller if another medium or encapsulation is used. Actual thruput is less than available bandwidth. Standard 1 GbE, for example, has an actual theoretical maximum thruput of ~126,646,610 Bps or ~120.780 MBps. If your source generates data more quickly than your interface can transmit it, your source must queue. If your average thruput exceeds 120.780 MBps, then your source will queue to infinity. If your average thruput is less than 120.780 MBps, you will introduce queueing delay, but the data will arrive eventually. Since syslog outputs have a fixed queue size, we can't modify the queue size directly as we can for other queues. Instead, we can scale the local pipeline horizontally by increasing the value of the server.conf [general] stanza parallelIngestionPipelines setting. To saturate a 1 Gbps link with a RTT of 2 ms, we need a queue size of 251,120 bytes as shown above. 251,120 / 99,328 ~= 2.528, so we'll need at least ceiling(2.528) = 3 parallel ingestion pipelines. In server.conf: [general] parallelIngestionPipelines = 3 The default maxQueueSize value for the indexing queue is 500 KB per parallel ingestion pipeline. We shouldn't need to modify it for this example. This is a good starting point for syslog output over 1 GbE with a RTT of 2 ms. If you know your actual bandwidth and RTT values, we can adjust the settings as needed. As a side note, the maximum datagram size for UDPv4 is 65,507 bytes. If you're using UDP and the Owl data diode itself doesn't have a smaller limit, you can set maxEventSize directly in $SPLUNK_HOME/etc/apps/owl_diode_sender/local/outputs.conf and forget about it: [syslog:diode-syslog-udp] maxEventSize = 65507 If the size of your source events exceed this limit or there are other limits between the sender and the Owl data diode, use TCP and an appropriately configured line breaker on the receiver. Without access to an Owl data diode, I'm making assumptions about MTUs, packet ordering, etc. that may be invalidated by an actual device. ... View more

Hi @spl_aficionado, Best (or better) practices depend on your organization's standards. Start with established benchmarks, e.g., CIS, for Microsoft Windows Server, Microsoft SQL Server, or whatever technologies your implementation uses. These benchmarks will cover authentication, authorization, TLS configuration, etc. Prefer a custom configuration using the latest Microsoft JDBC Driver for SQL Server--currently 13.2.1-- over Splunk DBX Add-on for Microsoft SQL Server JDBC. The latter is out of date and uses a version of the JDBC driver with known vulnerabilities. DB Connect should correctly configure the JDBC driver for TLS based on the options you select. If you need to edit the JDBC URL directly, connection properties for authentication, TLS/SSL, etc. are documented at https://learn.microsoft.com/en-us/sql/connect/jdbc/setting-the-connection-properties?view=sql-server-ver17. If you're trying a specific configuration, and it isn't working, post a redacted copy of your connection string here alongside a summary of your SQL Server configuration, and we can debug it as needed. ... View more

Hi @wp-uk-36, The commands are similar when searching accelerated data models. For example, the following seaches have nearly identical execution paths: | datamodel Authentication Authentication search summariesonly=t | stats count | tstats prestats=t summariesonly=t count from datamodel=Authentication.Authentication | stats count tstats edges out datamodel when used without the prestats argument: | tstats summariesonly=t count from datamodel=Authentication.Authentication Your use cases imply summariesonly=false: | datamodel Authentication Authentication search summariesonly=f | stats count | tstats prestats=t summariesonly=f count from datamodel=Authentication.Authentication | stats count Once again, with prestats=true, the execution paths are the same. You can verify this with the job inspector. Find and compare the optimized litsearch and fallback lispy. For example, in my test environment using the Authentication data model and the _audit index: datamodel litsearch (index=_audit ((index=_audit sourcetype=audittrailv2* category=authn) OR (index=_audit "action=login attempt" NOT "action=search")) (NOT action=success OR NOT user=*$) (index=* OR index=_*)) DIRECTIVES(REQUIRED_TAGS(intersect="t" tags="cleartext,cloud,default,insecure,multifactor,pci,privileged")) | addinfo type=count label=prereport_events track_fieldmeta_events=true | prestats count [ AND [ OR [ AND sourcetype::audittrailv2* [ OR authn category::authn ] ] [ AND action attempt login ] ] ] tstats litsearch (index=_audit ((index=_audit sourcetype=audittrailv2* category=authn) OR (index=_audit "action=login attempt" NOT "action=search")) (NOT action=success OR NOT user=*$) (index=* OR index=_*)) DIRECTIVES(REQUIRED_TAGS(intersect="t" tags="cleartext,cloud,default,insecure,multifactor,pci,privileged")) | addinfo type=count label=prereport_events track_fieldmeta_events=true | prestats count [ AND [ OR [ AND sourcetype::audittrailv2* [ OR authn category::authn ] ] [ AND action attempt login ] ] ] As expected, they are the same. The actual searches will vary by configuration, hot bucket state, etc. I'm testing with Splunk Enterprise 10.2, and results in earlier versions of Splunk may differ. When in doubt, run semantically identical datamodel and tstats searches and compare the execution plans and search logs in the job inspector. For a deeper dive, explore archived .conf content. In Google: site:conf.splunk.com tstats datamodel ... View more

Hi @wp-uk-36, This solution also disables pagination, but you can pre-sort your data source search, set the visualization count option to the desired number of rows, and then set the visualization paginateDataSourceKey option to an empty string: { ..., "visualizations": { "viz_xxx": { "dataSources": { "primary": "ds_xxx" }, "options": { "count": 100, "paginateDataSourceKey": "" }, "type": "splunk.table" } }, ... } The sort indicators are still visible, but clicking a header cell will have no effect. ... View more

Hi @STCK, Building on @livehybrid's example, specify the minimum allowable width (30px) for all columns except message, and Dashboard Studio will fit all columns to content until the table width requires wrapping: { ..., "visualizations": { "viz_xxx": { "dataSources": { "primary": "ds_xxx" }, "options": { "columnFormat": { "date": { "width": 30 }, "status": { "width": 30 }, "データソース": { "width": 30 } } }, "type": "splunk.table" } }, ... } Tested in Splunk Enterprise 10.2.0. ... View more

Hi @nabeel652, Here's an alternative using a single eval, which you can implement as a macro: wildcard_domains.csv domain *.example.com transforms.conf [wildcard_domains] batch_index_query = 0 case_sensitive_match = 0 filename = wildcard_domains.csv match_type = WILDCARD(domain) max_matches = 1 min_matches = 0 SPL | makeresults format=csv data=" domain foo.example.com bar.example.com bar.baz.example.com " | eval wildcard_domain_match=if(match(domain, replace(replace(spath(lookup("wildcard_domains", json_object("domain", domain), json_array("domain")), "domain"), "\\.", "\\."), "^\\*", "^[^.]+")), 1, 0) Result domain wildcard_domain_match foo.example.com 1 bar.example.com 1 bar.baz.example.com 0 As @PickleRick noted, the order of the entries in wildcard_domains.csv is important. The first match "wins." If I were doing this for myself, I would write an external lookup and use a standard or reference library for wildcard label matching rules relative to the use case: DNS, TLS, X.509, etc. Those examples follow the same general rules for leftmost label matching, but you may have other requirements. (Edited to remove mvmap. I started writing a response with max_matches >= 1. I can provide an example if you need one.) ... View more

Hi @Nraj87, I'm not AI. Did you read the referenced documentation and experiment with health checks and thresholds? In general: 1. Model your system's behavior in a controlled environment. What are its principal components (metrics)? What are the shapes/distributions of the metrics? 2. Measure your system's activity. What are the current values of the metrics? 3. Monitor (compare) your measurements to your model. Is the current metric value outside the range of acceptable values based on your model? ... View more

Hi @loganallen, See the following threads for past discussions: https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-a-Dashboard-that-will-show-SLA-for-alerts-received/m-p/594780 https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-calculate-MTTD-in-ES/m-p/698232 You'll note that most correlation searches do not store the original event _time in the notable. If MTTD is a key statistic for your organization, you may need to redesign your correlation searches to store the relevant source event fields in your notables. ... View more

Hi @ws, Is there a reason you're opposed to port redirection/forwarding? It's the least intrusive way to manage the traffic and works with SELinux etc. If you're using Linux with firewalld, run Splunk as a non-root user and configure a UDP input on any available port above 1023, e.g., 9514/udp. You can then configure firewalld to locally forward 514/udp traffic to 9514/udp: # add the forwarding rule sudo firewall-cmd --permanent --add-forward-port=port=514:proto=udp:toport=9514:toaddr= # enable the syslog service; see /usr/lib/firewalld/services/syslog.xml sudo firewall-cmd --permanent --add-service syslog # reload firewalld sudo firewall-cmd --reload Adapt the firewall-cmd arguments to zones if needed. ... View more

Hi @munang, Splunk is aware of fields through fields.conf, props.conf, and other settings. Search A can be optimized with the TERM() function: index=main TERM(192.168.172.10) [ AND 192.168.172.10 index::main ] All events with 192.168.1.172.10 as an indexed term will be returned. If src_ip is an indexed field, search B can be optimized using the :: operator or by modifying fields.conf (see fields.conf.spec for more information): index=main src_ip::192.168.172.10 [ AND index::main src_ip::192.168.172.10 ] If src_ip is not an indexed field but 192.168.172.10 is an indexed term, you can optimize by combining the = operator and the TERM() function: index=main src_ip=192.168.172.10 TERM(192.168.172.10) The lispy will vary with your configured field extractions, field aliases, etc., but it will begin with the IP address as an indexed term: [ AND 192.168.172.10 index::main [ ... ] ] If the IP address is an indexed term but src_ip is not equal to the IP address, the event will be scanned but not returned. Search terms are segmented similarly to indexed terms. See segmenters.conf.spec, https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.2/search-primer/event-segmentation-and-searching, and https://help.splunk.com/en/splunk-enterprise/administer/manage-indexers-and-indexer-clusters/10.2/indexing-overview/index-time-versus-search-time for more information. ... View more

Hi @BradOH, You may find this app useful as a starting point for exploring other algorithms: https://github.com/groktrev/abydos Abydos is GPLv3, so the app is necessarily GPLv3 as well. To install the app, download and extract the repo to $SPLUNK_HOME/etc/apps/abydos/ or run the following command from the $SPLUNK_HOME/etc/apps/ directory: git clone https://github.com/groktrev/abydos.git After that, restart Splunk. I haven't packaged the app for Splunkbase. From the README I just drafted: Introduction Community App for Abydos is a Splunk wrapper for the Abydos library. The abydos streaming search command provides access to the abydos.distance, abydos.fingerprint, abydos.phonetic, abydos.stemmer, and abydos.tokenizer modules using default class parameters and the dist_abs(), fingerprint(), enocde_alpha() or encode(), stem(), and tokenize() functions, respectively. See the Abydos documentation for available algorithms. Algorithms requiring SyllabiPy, NLTK, PyLZSS, or paq are not implemented. Requirements Community App for Abydos requires a non-EOL version of Splunk Enterprise and Python for Scientific Computing: Python for Scientific Computing (for Linux 64-bit) Python for Scientific Computing (for Mac Apple Silicon) Python for Scientific Computing (for Mac Intel) Python for Scientific Computing (for Windows 64-bit) Examples Return the Levenshtein distance between two field values: | abydos module=distance algorithm=Levenshtein field1 field2 Return the skeleton key string fingerprint of a single field value: | abydos module=fingerprint algorithm=SkeletonKey field1 Return the Beider-Morse encodings of a single field value: | abydos module=phonetic algorithm=BeiderMorse field1 Return the English stem of a single field value: | abydos module=stemmer algorithm=Porter field1 Return the q-grams of a single field value: | abydos module=tokenizer algorithm=QGrams field1 ... View more