Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tscroggins
tscroggins
Champion
Member since:
08-13-2014
a week ago
Community Statistics
| Posts | 762 |
| Solutions | 126 |
| Karma Given | 102 |
| Karma Received | 288 |
| Member Since | 08-13-2014 |
Activity Feed
- Got Karma for Re: Creating an Interactive Button to run SPL in Dashboard Studio. Monday
- Posted Re: Creating an Interactive Button to run SPL in Dashboard Studio on Dashboards & Visualizations. a week ago
- Got Karma for Re: Help required: Need SPL to extract all Dashboard Queries. 2 weeks ago
- Got Karma for Re: Help required: Need SPL to extract all Dashboard Queries. 2 weeks ago
- Posted Re: Different behavior regarding JSON null on Splunk Search. 2 weeks ago
- Posted Re: Different behavior regarding JSON null on Splunk Search. 2 weeks ago
- Posted Re: Splunk Data Lake support on Deployment Architecture. 2 weeks ago
- Posted Re: Modify Map Colors In Dashboard Studio on Dashboards & Visualizations. 3 weeks ago
- Got Karma for Re: Tips on how to create props.conf on Splunk cloud. 3 weeks ago
- Posted Re: Tips on how to create props.conf on Splunk cloud on Getting Data In. 3 weeks ago
- Posted Re: Modify Map Colors In Dashboard Studio on Dashboards & Visualizations. 3 weeks ago
- Posted Re: Upgrading to 9.4 and later, kvstore issues / Splunk self signed certificates on Splunk Enterprise. 3 weeks ago
- Karma Re: IPInfo app not working properly for max-ipinfo. 3 weeks ago
- Karma Re: Tips on how to create props.conf on Splunk cloud for richgalloway. 3 weeks ago
- Got Karma for Re: Tips on how to create props.conf on Splunk cloud. 3 weeks ago
- Posted Re: Visibility and Monitoring for HEC base Data Ingestion Interruptions on Getting Data In. 3 weeks ago
- Posted Re: Help required: Need SPL to extract all Dashboard Queries on Splunk Search. 3 weeks ago
- Posted Re: Help required: Need SPL to extract all Dashboard Queries on Splunk Search. 3 weeks ago
- Posted Re: Help required: Need SPL to extract all Dashboard Queries on Splunk Search. 3 weeks ago
- Posted Re: Tips on how to create props.conf on Splunk cloud on Getting Data In. 3 weeks ago
Topics I've Started
a week ago
1 Karma
Hi @Ian0706, You can use a button to set lookup field tokens from input tokens and then reference the lookup field tokens in a visualization search. Using two sets of tokens prevents the visualization search from running until the dashboard user has clicked the button. It isn't pretty, but it works. Here's a simple example using inputlookup and outputlookup to prepend a row to a lookup file. By default, the outputlookup command is considered risky, and the user will be prompted to run the command. You can override this behavior for your dashboard by bundling the dashboard in a separate application and modifying the app default/commands.conf [outputlookup] stanza is_risky setting. # $SPLUNK_HOME/etc/apps/Ian0706_dashboard_app/default/commands.conf [outputlookup] is_risky = false {
"title": "Ian0706_lookup_edit",
"description": "",
"inputs": {
"input_AkAODjk5": {
"options": {
"defaultValue": "value3",
"token": "text_field3"
},
"title": "field3",
"type": "input.text"
},
"input_H4MpaoX8": {
"eventHandlers": [
{
"options": {
"tokens": [
{
"token": "field1_value",
"value": "$text_field1$"
},
{
"token": "field2_value",
"value": "$text_field2$"
},
{
"token": "field3_value",
"value": "$text_field3$"
}
]
},
"type": "drilldown.setToken"
}
],
"options": {
"label": "Add Row"
},
"type": "input.button"
},
"input_farf9Mcm": {
"options": {
"defaultValue": "value1",
"token": "text_field1"
},
"title": "field1",
"type": "input.text"
},
"input_m57JMGPh": {
"options": {
"defaultValue": "value2",
"token": "text_field2"
},
"title": "field2",
"type": "input.text"
}
},
"visualizations": {
"viz_rJEtNnZs": {
"containerOptions": {
"visibility": {}
},
"dataSources": {
"primary": "ds_aS8qB1WF"
},
"type": "splunk.table"
}
},
"dataSources": {
"ds_aS8qB1WF": {
"name": "Search_1",
"options": {
"query": "| makeresults\n| eval field1=$field1_value|s$\n| eval field2=$field2_value|s$\n| eval field3=$field3_value|s$\n| inputlookup append=t Ian0706.csv\n| outputlookup Ian0706.csv",
"queryParameters": {
"earliest": "0",
"latest": ""
}
},
"type": "ds.search"
}
},
"layout": {
"globalInputs": [
"input_farf9Mcm",
"input_m57JMGPh",
"input_AkAODjk5",
"input_H4MpaoX8"
],
"layoutDefinitions": {
"layout_1": {
"options": {
"height": 960,
"width": 1440
},
"structure": [
{
"item": "viz_rJEtNnZs",
"position": {
"h": 400,
"w": 1440,
"x": 0,
"y": 0
},
"type": "block"
}
],
"type": "grid"
}
},
"options": {},
"tabs": {
"items": [
{
"label": "New tab",
"layoutId": "layout_1"
}
]
}
}
}
... View more
2 weeks ago
It's the Splunk context that's important, though, and a null JSON value would be equivalent to a null/undefined Splunk field. If one is using Splunk as an immutable persistence layer for serialized JSON objects, then the difference is important, but in that case, you're likely just working with _raw and not using Splunk field extractions or SPL. For the relatively brief time Splunk bundled Node.js, this might have been interesting, but Python is king apparently.
... View more
2 weeks ago
INDEXED_EXTRACTIONS and KV_MODE both interpret null values as the string "null." Would I prefer all Splunk JSON extraction methods treat null values as null? Yes! But it would break more than a decade of prior art. If I know my source data does not use "null" in string values, i.e., the following is forbidden: {"foo": "null"} I treat the string "null" as null: index=main foo=* foo!=null index=main
| eval foo=nullif(foo, "null") Having used Splunk before native support for JSON field extractions was added, I'm fine with the workarounds given the convenience. See https://ideas.splunk.com/ideas/EID-I-2311 for another complication! Perhaps a new Splunk Idea advocating for a "strict" extraction mode is warranted? E.g.: # props.conf
[foo]
INDEXED_EXTRACTIONS = JSON
# default JSON_MODE = relaxed
JSON_MODE = strict
[bar]
KV_MODE = json
JSON_MODE = strict | spath input=_raw output=foo path="foo" mode=strict ``` default mode=relaxed ```
| eval foo=json_extract_strict(_raw, "foo") and the opposite for the makeresults command: | makeresults format=json mode=relaxed data="{\"foo\": null}" ``` default mode=strict ``` As a concession to existing code, it could be a new, internal search directive accessible through the noop command: | noop json_mode=strict
... View more
2 weeks ago
Hi @ARC1, If you're not a federal employee or contractor, you'll need to contact Splunk or a Splunk partner for more information re: FedRAMP. If you are a federal employee or contractor, you can work with your agency's FedRAMP approver to request access to FedRAMP security packages from the public FedRAMP marketplace: Splunk Cloud Platform for FedRAMP Moderate Splunk Cloud Platform for FedRAMP High For on-premises deployments, you can review FIPS and Common Criteria compliance at https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/establish-and-maintain-compliance-with-fips-and-common-criteria-in-splunk-enterprise/best-practice-for-maintaining-compliance-with-fips-and-common-criteria-in-your-splunk-enterprise-environment.
... View more
3 weeks ago
Hi @chenfan, I can't reproduce the issue using your layers configuration in Splunk Enterprise 10.0. Which version of Splunk are you using? Can you post a redacted version of your search? You could try appending an eval after geostats to insert zero values when a field is missing, null, or empty: | geostats count by status ``` latfield=lat longfield=lon ```
| eval normal=coalesce(tonumber(trim(normal)), 0), warning=coalesce(tonumber(trim(warning)), 0), critical=coalesce(tonumber(trim(critical)), 0) You can vary the eval command to fit whatever validation logic you prefer, e.g.: | eval normal=if(isnull(nullif(normal, "")) OR NOT isint(normal), 0, normal), warning=if(isnull(nullif(warning, "")) OR NOT isint(warning), 0, warning), critical=if(isnull(nullif(critical, "")) OR NOT isint(critical), 0, critical)
... View more
3 weeks ago
1 Karma
Yes, although be mindful of the (minimal) local overhead. Enabling event breaker will minimize pipeline stalls and improve load balancing if you're sending to multiple receivers. Throughput will still be limited by the limits.conf [thurput] stanza maxKBps setting, ingest pipelines, queues, receiver capacity, etc.
... View more
3 weeks ago
Hi @chenfan, You've used the correct syntax for bubbleSize and seriesColor to select a data frame by series names and match the index of each series name to its corresponding color. Assuming "normal" is the dominant status, the screenshot looks correct. Which part isn't working? As an aside, Splunk's legacy default RGB values for red, yellow/amber, and green are #cba700, #d41f1f, and #118832, respectively.
... View more
3 weeks ago
Hi @splunkreal, Yes, it should. See the product documentation and the following thread for common certificate-related issues and solutions: https://community.splunk.com/t5/Splunk-Enterprise/KV-store-failing-to-start-in-9-4-3/m-p/748407.
... View more
3 weeks ago
Hi @Nraj87, You can probe the services/collector/health endpoint on the HEC port for current service, ack, and token status. See https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-reference/10.0/input-endpoints/input-endpoint-descriptions or your version's documentation for more information. HEC metrics are available in index=_introspection with sourcetype=http_event_collector_metrics, e.g.: index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector data.series=http_event_collector index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector data.series=http_event_collector_token | tstats latest(data.num_of_events) as num_of_events latest(data.num_of_requests) as num_of_requests where index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector data.series=http_event_collector | tstats sum(data.num_of_events) as num_of_events sum(data.num_of_requests) as num_of_requests where index=_introspection sourcetype=http_event_collector_metrics component=HttpEventCollector data.series=http_event_collector_token data.token_name=foo by _time Introspection metrics are relative to the report window, i.e., data.num_of_events is the number of events received over the last 60 seconds using the default limits.conf [http_input] stanza settings. Token-level introspection events are only generated when activity occurs over the report window. See https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.0/get-data-with-http-event-collector/troubleshoot-http-event-collector for more information.
... View more
3 weeks ago
1 Karma
They're usually interested in mapping the business logic to the monitored content, e.g., an audit log entry corresponding to a NIST control and the corresponding design and implementation of transformations, identification rules, human readable elements, etc.
... View more
3 weeks ago
As an aside, this is a common question posed by auditors in compliance and cybersecurity verticals. If you need to track and implement workarounds for the various problems identified across everyone's answers, a script in Python or your language of choice is a better solution. There might be an exposed method to render search strings the same way the internal dashboard code does, but I haven't looked for one.
... View more
3 weeks ago
1 Karma
Hi @satyaallaparthi, Irrespective of the use case--data dictionary, audit artifact, documentation, etc.--see below for a starting point for Simple XML dashboards to run as a user with the admin or sc_admin role. It exposes several problems: 1. Base searches have arbitrary ancestry depth: search -> base1 -> base2 -> base3 -> ... -> baseN You can extended the inner join with additional joins as needed to meet your depth requirements. 2. Base searches may be invalid and require loop detection, although this is moot given problem 1: search -> base1 -> base2 -> base1 (loop) If you extend the inner join, you can track base references and detect loops with creative use of field values and eval logic. 3. Panels may reference prebuilt panels. This was not implemented below, but the logic is similar to the join used to match searches to base searches. The additional logic would match the panel element ref and app attributes to prebuilt panels through another join. 4. Searches may reference saved searches (reports). As above, the additional logic would match the search element ref attribute to saved searches through another join. 5. The mvexpand command has conservative default limits. If you encounter mvexpand errors, see the limits.conf [default] and [mvexpand] stanzas and the max_mem_usage_mb setting for more information. 6. The join command has conservative default limits; however, 50,000 dashboard base search results may meet your requirement. If you have missing or unexpected results, see the limits.conf [join] and [searchresults] stanzas for more information. 7. Not a problem but a warning: Dashboards with the same title (object name) can exist across apps and sharing modes. The search below includes the eai:acl.app, eai:acl.owner, and eai:acl.sharing fields to help differentiate between dashboards. You could also keep the id field as an absolute reference to the object relative to the local search head. 8. The example references the local search head, which should work for standalone search heads, search head clusters, and Splunk Cloud. The logic may not work as-is from a monitoring console with many search head peers and modified splunk_server or splunk_server_group arguments. | rest splunk_server=local /servicesNS/-/-/data/ui/views search="isDashboard=1" search="isVisible=1" search="version!=2"
| fields id eai:acl.app eai:acl.owner eai:acl.sharing title label eai:data
| rename eai:* as *, acl.* as *
| spath input=data "dashboard.row.panel" output=panel
| mvexpand panel
| spath input=panel "title" output=panel_title
| eval panel_title=coalesce(panel_title, "Untitled")
| xpath outfield=search "//search" field=panel
| mvexpand search
| spath input=search "search{@base}" output=base_search_id
| spath input=search "search.query" output=search_query
| join type=left max=0 id base_search_id
[| rest splunk_server=local /servicesNS/-/-/data/ui/views search="isDashboard=1" search="isVisible=1" search="version!=2"
| fields id eai:data
| xpath outfield=base_search "/dashboard/search" field=eai:data
| mvexpand base_search
| spath input=base_search "search{@id}" output=base_search_id
| spath input=base_search "search.query" output=base_search_query
| fields id base_search_id base_search_query ]
| eval spl=replace(coalesce(base_search_query." | ".search_query, search_query), "\\|[\\s]*\\|", "|")
| table app title owner sharing label panel_title spl Dashboard Studio dashboards have base (chain) search ancestry and saved search problems similar to Simple XML but should be self-contained. The required logic is similar to Simple XML but limited to the visualizations and dataSources objects. A join isn't necessary because there are no XML attribute values to match: | rest splunk_server=local /servicesNS/-/-/data/ui/views search="isDashboard=1" search="isVisible=1" search="version=2"
| fields id eai:acl.app eai:acl.owner eai:acl.sharing title label eai:data
| rename eai:* as *, acl.* as *
| spath input=data "dashboard.definition" output=data
| eval panel=json_array_to_mv(json_keys(json_extract(data, "visualizations"))), panel=mvmap(panel, spath(data, "visualizations.".panel))
| mvexpand panel
| spath input=panel "title" output=panel_title
| eval panel_title=coalesce(panel_title, "Untitled")
| spath input=panel "dataSources.primary" output=search_id
| eval search_query=spath(data, "dataSources.".search_id.".options.query")
| eval base_search_id=spath(data, "dataSources.".search_id.".options.extend")
| eval base_search_query=spath(data, "dataSources.".base_search_id.".options.query")
| eval spl=replace(coalesce(base_search_query." | ".search_query, search_query), "\\|[\\s]*\\|", "|")
| table app title owner sharing label panel_title spl Any edits or additions are welcomed.
... View more
3 weeks ago
1 Karma
This will eat/discard "Running," though: LINE_BREAKER = ([\r\n]Running) and the event will be: : Yes
Safe Mode: No
Plugins loaded: Yes
... In my own work with Nessus Agent, with or without Splunk, I take an approach similar to @PrewinThomas's suggestion and convert, e.g., the output of 'nessuscli agent status --local --show-uuid' to a PowerShell object, a JSON object, or whatever format makes sense for the consumer. If I were doing this today in Splunk, I would use JSON and an accelerated data model (not INDEXED_EXTRACTIONS) or field/value transformations like field_name=field_value that work with tstats and PREFIX().
... View more
a month ago
Hi @uagraw01, Edit: Take @richgalloway's advice. My answer is from the perspective of a single instance. If you're forwarding data, the cooked event from INDEXED_EXTRACTIONS will bypass the receiver's parsing, agg, and typing queues. You can combine the two with force_local_processing on a universal forwarder, but it's not necessary here. Timestamps are extracted from _raw during aggregation/merging, so you'll want to use a TIME_PREFIX value relative to the event text: TIME_PREFIX = [+-]\d{2}:\d{2},[^,]+, MAX_TIMESTAMP_LOOKAHEAD = 25 TIME_FORMAT = %F %T%:z The default MAX_DAYS_AGO value is 2000, but if your reports are older than that, you'll want to increase that value as well. If you have a column named "_time" in your CSV file and the value is a Unix epoch time, that value will be the initial value for _time, and a second clean field named "time" without an underscore will be indexed with the original value; however, default timestamp extraction settings will still scan _raw for a timestamp. In your case, 2026-01-16 06:00:00+00:00 would be (or at least should be) extracted absent TIME_PREFIX and TIME_FORMAT settings, overriding any value found by INDEXED_EXTRACTIONS.
... View more
a month ago
Hi @shashankk, Choropleth maps use arrays of latitude and longitude vertices to draw polygons. The Splunk geom search command uses lookups to map feature identifiers to shapes, typically aligned to something represented by the underlying map data. For example: | makeresults format=csv data="src_ip 8.8.8.8 8.8.4.4" | iplocation src_ip | stats count by Region | geom geo_us_states featureIdField="Region" will produce geometry for the state of California: In your example, choose a feature representing your normalized magnitude (count, density, etc.) and then use the geom command with an appropriate lookup: | stats count as total_events by country | geom geo_countries allFeatures=true featureIdField="country" If you want to display multiple statistics, use the geostats search command with the Cluster Map visualization: | geostats globallimit=0 latfield=latitude longfield=longitude count as total_events, count(eval(Priority="High")) as high_count, count(eval(Priority="Medium")) as medium_count The General visualization settings allow you to set the map center using directly entered latitude and longitude values. To center on Switzerland, for example, use latitude 46.801 and longitude 8.227:
... View more
12-18-2025
07:41 PM
1 Karma
Hi @darrfang, You can use CSS to manipulate cell foreground and background colors. This example uses the duration_diff field's style as a key, changes the duration1 and duration2 cell colors, and then hides the duration_diff field's associated th and td elements: <dashboard version="1.1" theme="light">
<label>range_table</label>
<row>
<panel>
<html id="my_html">
<style>
#my_table td:not([data-cell-index="0"]):has(~ .color-formatted[style="color: rgb(255, 255, 255); background-color: rgb(212, 31, 31);"]) {
color: rgb(255, 255, 255);
background-color: rgb(212, 31, 31);
}
#my_table td.color-formatted {
display: none !important;
}
#my_table th[data-sort-key="duration_diff"] {
display: none !important;
}
#my_html {
display: none !important;
}
</style>
</html>
<table id="my_table">
<search>
<query>| makeresults
| eval data="ABC,10,15;DEF,12,13;GHI,11,14"
| makemv delim=";" data
| mvexpand data
| eval label=mvindex(split(data,","),0)
| eval duration1=tonumber(mvindex(split(data,","),1))
| eval duration2=tonumber(mvindex(split(data,","),2))
| eval duration_diff=abs(duration1 - duration2)
| table _time duration1 duration2 duration_diff</query>
<earliest>0</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<format type="color" field="duration_diff">
<colorPalette type="list">[#FFFFFF,#D41F1F]</colorPalette>
<scale type="threshold">2</scale>
</format>
</table>
</panel>
</row>
</dashboard>
... View more
12-17-2025
05:38 PM
* Except, unfortunately, (presumably US) customers with DoD IL5 or FedRAMP Moderate Splunk Cloud subscriptions or Splunk Enterprise running in FIPS mode.
... View more
12-17-2025
03:35 PM
1 Karma
Hi @JohnEGones, An analysis of week-over-week change over the last 30 days probably requires 44 days of data: 30 days of recent data, 7 days of additional historical data for week-over-week coverage, and another 7 days of historical data for moving averages. The trendline and autoregress commands are sometimes easier to manage than streamstats. Try: index=firewall sourcetype=firewall_traffic earliest=-44d@d latest=@d
| timechart span=1d sum(bytes_out) as daily_bytes
| trendline sma7(daily_bytes) as week_avg
| autoregress week_avg p=7
| where _time>=relative_time(now(), "-30d@d") AND _time<relative_time(now(), "@d")
| eval w_o_w_change=100*(week_avg-week_avg_p7)/week_avg_p7
| eval state=case(
w_o_w_change > 50, "CRITICAL - 50%+ increase",
w_o_w_change > 30, "HIGH - 30%+ increase",
w_o_w_change > 20, "MED - 20%+ increase",
1=1, "LOW")
| table _time daily_bytes week_avg w_o_w_change state
| sort - w_o_w_change
... View more
12-14-2025
08:49 AM
The "autowrap" functionality was introduced (according to documentation) in 9.2.0 <https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.2/evaluation-functions/json-functions>. I just tested in 9.2.0.1, and the behavior is the same as 10.0. I'm not going to test every maintenance release between then and now, but I'd guess it's never worked as documented.
... View more
12-14-2025
06:17 AM
So much feedback for the new documentation SPA. 😉 Edit: I've posted feedback. Pre-Cisco, feedback was very effective; I've not submitted anything since the acquisition, so we'll see! Grammar and syntax have taken a downturn over the last year or so.
... View more
12-14-2025
06:03 AM
This is for me, not a customer; I only have a dev license.
... View more
12-13-2025
07:42 AM
Hi Splunkers! In the current json_extend documentation <https://help.splunk.com/en/splunk-enterprise/spl-search-reference/10.0/evaluation-functions/json-functions>, if <path> specifies "a scalar or object value," the value should be "[autowrapped] ... within an array;" however, this doesn't appear to be the case: | makeresults | eval obj=json_object("foo", "bar") ``` or obj="{\"foo\":\"bar\"}" ``` | eval arr=json_extend(obj, "foo", json_array("baz")) ``` or arr=json_extend(obj, "foo", "[\"baz\"]") ``` If I understand the documentation correctly, "bar" should be coerced to the array ["bar"] and then extended to ["bar","baz"], but it is not. The original object is returned unmodified. json_extend works correctly when the input value is already an array: | makeresults | eval obj=json_object("foo", json_array("bar", "baz")) | eval arr=json_extend(obj, "foo", json_array("qux")) The example was contrived to illustrate the issue. In practice, the value of foo may be either an array or a scalar. For example, the lookup eval function returns a scaler on a single match and an array on multiple matches. json_extract is similarly inconsistent when it returns a Splunk native type for scalars and a string for arrays: | makeresults | eval obj=json_object("foo", "bar") | eval val=json_extract(obj, "foo") ``` ==> foo ``` | eval obj=json_object("foo", json_array("bar", "baz")) | eval val=json_extract(obj, "foo") ``` ==> ["bar","baz"] ``` If scalars can be coerced into arrays, values that may be either scalars or arrays can be parsed by json_array_to_mv or other functions without custom wrappers using if, case, replace, etc. Have you encountered this issue? How have you solved it?
... View more
12-09-2025
04:37 AM
1 Karma
Hi @mfleitma, If the datamodel command is slower, there's likely something in your environment defeating the READ_SUMMARY directive added by the search optimizer. In my test environment, this: | datamodel Network_Traffic All_Traffic flat summariesonly=true allow_old_summaries=true | search NOT src_ip=1a00:2a60:3000:1::/64 translates to this: | search (index=main NOT src_ip=1a00:2a60:3000:1::/64 tag=communicate tag=network (index=* OR index=_*)) DIRECTIVES(READ_SUMMARY(allow_old_summaries="true" dmid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX_DM_Splunk_SA_CIM_Network_Traffic" name="Network_Traffic.All_Traffic" predicate="*" summariesonly="true"),READ_SUMMARY(predicate="NOT \"All_Traffic.src_ip\"=1a00:2a60:3000:1::/64"),REQUIRED_TAGS(intersect="t" tags="cloud,pci")) tstats remains problematic with respect to all CIDR matches. Beyond the limitations described by the documentation, for example, the following addresses are equivalent: 1a00:2a60:3000:1::1 1a00:2a60:3000:0001::1 1a00:2a60:3000:0001:0000:0000:0000:0001 but the following tstats search will only match 1a00:2a60:3000:1::1: | tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.src_ip=1a00:2a60:3000:1::1 If your source normalizes IPv6 addresses to a canonical format, i.e., RFC 5952, that may not be a concern; however, bitwise CIDR matching appears to be defeated by tstats, regardless. It may be worth the effort to figure out why the datamodel command is slow in your environment.
... View more
12-08-2025
11:53 AM
1 Karma
Hi @mfleitma, IPv6 CIDR matching with tstats _should_ work in Splunk Cloud 9.1.2312 and Splunk Enterprise 9.3 or later. Previous versions included this tstats limitation: CIDR matching support for IPv4 and IPv6 addresses The tstats command filters events with CIDR match on fields that contain IPv4 addresses, but not IPv6 addresses. Running tstats searches containing IPv6 addresses might result in the following error indicating that the addresses are treated as non-exact queries: Error in 'TsidxStats': WHERE clause is not an exact query Newer versions include this limitation: Limitations of CIDR matching with tstats As with the search command, you can use the tstats command to filter events with CIDR match on fields that contain IPv4 and IPv6 addresses. However, unlike the search command, the tstats command may not correctly filter strings containing non-numeric wildcard octets. As a result, your searches may return unpredictable results. However, tstats still returns the "exact query" error in Splunk Enterprise 10.0. If your environment is optimized, i.e., you're not using source type renaming or other features that defeat search optimization directives, you may be able to use the datamodel command and achieve performance similar to tstats: | datamodel Intrusion_Detection IDS_Attacks flat summariesonly=true allow_old_summaries=true
| search NOT [ | inputlookup ip_test.csv | fields src ]
| stats values(sourcetype) as sourcetype count as eventcount max(_time) as maxtime min(_time) as mintime
... View more
12-07-2025
10:34 AM
1 Karma
Hi @DaveBunn, Let's start with a publicly available list of compromised packages: https://github.com/wiz-sec-public/wiz-research-iocs/blob/main/reports/shai-hulud-2-packages.csv. The CSV file contains Package and Version fields that we'll correlate to SBOM.Packages objects: Package,Version
02-echo,= 0.0.7
@accordproject/concerto-analysis,= 3.24.1
@accordproject/concerto-linter,= 3.24.1
@accordproject/concerto-linter-default-ruleset,= 3.24.1
@accordproject/concerto-metamodel,= 3.12.5
... Note: I'm not affiliated with Wiz, Inc. We're all about Splunk here, but I don't see anything on https://research.splunk.com/ except for an attack range dataset. Let's also start with three small test cases, two positive and one negative: {"SBOM":{"Packages":[{"name":"@accordproject/concerto-linter","versionInfo":"3.24.1"}]}}
{"SBOM":{"Packages":[{"name":"lodash","versionInfo":"4.17.21"},{"name":"@accordproject/concerto-linter","versionInfo":"3.24.1"}]}}
{"SBOM":{"Packages":[{"name":"lodash","versionInfo":"4.17.21"}]}} I'll assume by your question that you're starting with fields extracted with either KV_MODE = json or spath and not indexed extractions: SBOM.Packages{}.name SBOM.Packages{}.versionInfo @accordproject/concerto-linter 3.24.1 lodash @accordproject/concerto-linter 4.17.21 3.24.1 lodash 4.17.21 As you've found, KV_MODE = json scans only the first 10240 characters of _raw by default. See the limits.conf.spec [kv] stanza maxchars setting for more information. The main challenge is correlating a value in SBOM.Packages{}.name at index i with a value at the same index in SBOM.Packages{}.versionInfo. We can extract and concatenate those values into a single multi-valued field using JSON eval functions: | eval ioc=mvmap(json_array_to_mv(json_extract(_raw, "SBOM.Packages")), spath(_raw, "name").",".spath(_raw, "versionInfo")) We can do the same with shai-hulud-2-packages.csv and use the result as a search filter: | search [| inputlookup shai-hulud-2-packages.csv | eval ioc=Package.",".Version | fields ioc ] Combining them together in a complete example, only the positive test cases are returned: | makeresults format=csv data="_raw
\"{\"\"SBOM\"\":{\"\"Packages\"\":[{\"\"name\"\":\"\"@accordproject/concerto-linter\"\",\"\"versionInfo\"\":\"\"3.24.1\"\"}]}}\"
\"{\"\"SBOM\"\":{\"\"Packages\"\":[{\"\"name\"\":\"\"lodash\"\",\"\"versionInfo\"\":\"\"4.17.21\"\"},{\"\"name\"\":\"\"@accordproject/concerto-linter\"\",\"\"versionInfo\"\":\"\"3.24.1\"\"}]}}\"
\"{\"\"SBOM\"\":{\"\"Packages\"\":[{\"\"name\"\":\"\"lodash\"\",\"\"versionInfo\"\":\"\"4.17.21\"\"}]}}\"
"
| eval ioc=mvmap(json_array_to_mv(json_extract(_raw, "SBOM.Packages")), spath(_raw, "name").",= ".spath(_raw, "versionInfo"))
| search [| inputlookup shai-hulud-2-packages.csv | eval ioc=Package.",".Version | fields ioc ] _raw {"SBOM":{"Packages":[{"name":"@accordproject/concerto-linter","versionInfo":"3.24.1"}]}} {"SBOM":{"Packages":[{"name":"lodash","versionInfo":"4.17.21"},{"name":"@accordproject/concerto-linter","versionInfo":"3.24.1"}]}}
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a week ago
|
Karma from
Karma given to
| User | Karma Count |
|---|---|
| 1 | |
| 4 | |
| 3 | |
| 1 | |
| 1 |
