Not directly, no. Even if the source, e.g. a web server, and the destination, e.g. a Splunk indexer, have perfectly synchronized clocks (they do not), the time (latency) it takes to share information between the source and the destination is greater than zero. That time is composed of reading the source clock, rendering the source event, writing the event to storage, reading the event from storage, serializing the event to the network, transmitting the event across the network, deserializing the event from the network, reading the destination clock, rendering the destination event, and writing the destination event to storage. The preceding list is not exhaustive and may vary. Just note that it takes time to go from A to B. There are delays everywhere! You can search by _indextime instead of _time using _index_earliest and _index_latest and very wide earliest and latest parameters: index=web status=400 earliest=0 latest=+1d _index_earliest=-15m@m _index_latest=@m however, it's still possible to miss events that have been given an _indextime value of T but aren't synchronized to disk until after your search executes. You can use real-time searches to see events as they arrive at indexers (or as they're written to storage, depending on the type of real-time search), but for your use case, time windows are still required, and events may still be missed. ... View more

Hi @Karthikeya, False positive, false negative, etc. have the same definitions in Splunk that they have in statistics. I'm in the United States, and I find NIST/SEMATECH e-Handbook of Statistical Methods, Chapter 6, "Process or Product Monitoring and Control," a useful day-to-day reference: https://www.itl.nist.gov/div898/handbook/index.htm. In your example, you're counting events. For example, a basic search scheduled to run every minute: index=web status=400 earliest=-15m@m latest=@m | status count | where count>5 gives you the count of status=400 events over the prior 15 minutes. In this context, false positive and false negative could relate to the time the events were generated and the delay between that time and the index time. If a status=400 event occurred at 00:14:59 but was indexed by Splunk at 00:15:04, then a search that executes at 00:15:01 for the interval [00:00:00, 00:015:00) would not count the event because it has not been indexed by Splunk. This is a false negative. You can reduce the probability of false negatives by adding a backoff to your search--1 minute in this example: index=web status=400 earliest=-16m@m latest=-1m@m | status count | where count>5 However, that will not eliminate all false negatives because there is still a non-zero probability that an event will be indexed outside your search time range. False positives are more typically associated with measuring against a model. Let's say you've modeled your application's behavior and determined that more than 5 status=400 events over a 15 minute interval likely indicates a client-side code deployment issue as opposed to "normal" client behavior. "More than 5" is associated with a control limit, for example a deviation from a mean; however, the number of status=400 events is a random variable. A bad client-side code deployment may trigger 4 status=400 events, which is a false negative, and a good client-side deployment may trigger 6 status=400 events, which is a false positive. Several Splunk value-added products like Splunk Enterprise Security and Splunk IT Service Intelligence provide ready-to-run modeling and monitoring solutions, but in general, you would model your application's behavior using either traditional methods outside Splunk or statistical functions or an add-on like the Splunk Machine Learning Toolkit inside Splunk. You would then apply your model using custom Splunk searches. ... View more

Ha. I do think splunkd etc. should require it when acting as a server, especially given that it requires it when acting as a client! You're right about lazy CA policies, though. ... View more

Hi @shai, Looking at https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsconfspec/, the interval setting should "just work;" however, the use_single_instance scheme parameter controls its behavior. Is use_single_instance set to false in your modular input's scheme? E.g.: <scheme> <!-- ... --> <use_single_instance>false</use_single_instance> <!-- ... --> </scheme>   ... View more

Speaking broadly (and without citing anything--ipse dixit), the consensus is an application (client and server) should require the presence of extended key usages to keep implementers from harming themselves, but it's not required. If you identify a scenario in which Splunk Enterprise/Splunk Universal Forwarder are vulnerable to some attack independent of the implementer's choices, it would be wise to disclose the vulnerability privately to Splunk through https://advisory.splunk.com/report. Otherwise, https://ideas.splunk.com/ is the best place to request new features, i.e. requiring extended key usages. I would upvote such an idea. ... View more

From RFC 5280 section 4.2.1.12: If the extension is present, then the certificate MUST only be used for one of the purposes indicated. If multiple purposes are indicated the application need not recognize all purposes indicated, as long as the intended purpose is present. Certificate using applications MAY require that the extended key usage extension be present and that a particular purpose be indicated in order for the certificate to be acceptable to that application. "If" and "MAY"--the easy way out. At a glance, OpenSSL's libssl only rejects unsupported certificate purposes if extended key usages are present [https://github.com/openssl/openssl/blob/master/crypto/x509/v3_purp.c] (the implementation may vary by version, of course; I'm making an assumption that earlier versions are similar): /* ... */ #define xku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_XKUSAGE) != 0 && ((x)->ex_xkusage & (usage)) == 0) /* ... */ /* * Key usage needed for TLS/SSL server: digital signature, encipherment or * key agreement. The ssl code can check this more thoroughly for individual * key types. */ #define KU_TLS \ KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT | KU_KEY_AGREEMENT static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int non_leaf) { if (xku_reject(x, XKU_SSL_SERVER | XKU_SGC)) return 0; if (non_leaf) return check_ssl_ca(x); if (ns_reject(x, NS_SSL_SERVER)) return 0; if (ku_reject(x, KU_TLS)) return 0; return 1; }   ... View more

I just tested forwarder version 9.1.1 on Windows with outputs.conf [tcpout] sslVerifyServerCert = true, and key usage is checked:   11-09-2024 20:57:30.517 -0500 ERROR X509Verify [85708 TcpOutEloop] - Server X509 certificate (CN=splunk.example.com,O=Example,L=Washington,ST=District of Columbia,C=US) failed validation; error=26, reason="unsupported certificate purpose"   Edit: I tested in 9.0.3, and key usage is verified there as well. splunkd, splunkweb, and mongod on Splunk Enterprise 9.3.0 do happily load and use the certificate, though. My last conversation with Splunk on the topic was circa 8.2. I haven't had cause to test this specifically since then. Good to see! ... View more

Hi, When sslVerifyServerCert is true, Splunk verifies the trust chain, disallows self-signed certificates, and checks validity dates.  If you have certificateStatusValidationMethod = crl, Splunk will also verify the certificate against any revocation lists you have configured. Splunk does support OCSP. The most recent common criteria evaluation covers Splunk TLS configuration quite well. See the administrative guide at https://www.niap-ccevs.org/products/11330. As I recall from my last conversation with support/development, key usages are not verified, but you should contact support to confirm. ... View more

Hi @capilarity, You can use jQuery UI's datepicker directly from dashboard JavaScript. I've included two options below, one using a text input with datepicker and the other using a time input with various hidden. The datepicker uses d-M-yy as the dateFormat value, e.g. 9-Nov-2024. The format string is documented at https://api.jqueryui.com/datepicker/#utility-formatDate. See the same page for options to modify the datepicker's appearance. <!-- etc/apps/search/local/data/ui/views/date_picker.xml --> <form version="1.1" theme="light" script="date_picker.js"> <label>Date Picker</label> <init> <eval token="form.date_tok">strftime(relative_time(now(), "@d"), "%e-%b-%Y")</eval> <eval token="form.time_tok.earliest">relative_time(now(), "@d")</eval> <eval token="form.time_tok.latest">relative_time(now(), "+1d@d")</eval> </init> <fieldset submitButton="false"> <input id="input_date" type="text" token="date_tok"> <label>Date 1</label> </input> <input id="input_time" type="time" token="time_tok"> <label>Date 2</label> <default> <earliest>1731128400</earliest> <latest>1731214800</latest> </default> </input> </fieldset> <row depends="$hidden$"> <panel> <html> <style> div[data-test-panel-id="presets"], div[data-test-panel-id="relative"], div[data-test-panel-id="realTime"], div[data-test-panel-id="dateTime"], div[data-test-panel-id="advanced"] { display: none !important; } </style> </html> </panel> </row> <row> <panel> <html> <h2>Date 1: <b>$date_tok$</b> </h2> <h2>Date 2 Eearliest: <b>$time_tok.earliest$</b> </h2> <h2>Date 2 Latest: <b>$time_tok.latest$</b> </h2> </html> </panel> </row> </form> // etc/apps/search/appserver/static/date_picker.js require([ "jquery", "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!" ], function($, mvc) { $("#input_date input") .prop("readonly", true) .datepicker({ dateFormat: "d-M-yy", onSelect: function(dateText, inst) { var defaultTokens = mvc.Components.get("default"); if (defaultTokens) { console.log("Setting default token $date_tok$ to " + dateText); defaultTokens.set("date_tok", dateText); } var submittedTokens = mvc.Components.get("submitted"); if (submittedTokens) { console.log("Setting submitted token $date_tok$ to " + dateText); submittedTokens.set("date_tok", dateText); } } }); }); (I actually use the above format in my emails. Less ambiguity. In text data, I use ISO 8601. 'merica!) ... View more

Hi @dixa0123, SplunkWeb uses hidden field attributes to identify aggregations for trellis mode in Simple XML. (I haven't tried this in Dashboard Studio.) Here's a sample search that summarizes data, calculates a global mean, reformats the results, and then uses the global mean as an overlay in trellis mode: index=_internal | timechart limit=10 span=1m usenull=f useother=f count as x by component | untable _time component x ``` calculate a global mean ``` | eventstats avg(x) as tmp ``` append temporary events to hold the mean as a series ``` | appendpipe [| stats values(tmp) as x by _time | eval component="tmp" ] ``` reformat the results for trellis ``` | xyseries _time component x ``` disassociate the tmp field from aggregations to use as an overlay ``` | eval baseline=tmp ``` remove the tmp field ``` | fields - tmp   ... View more

Hi @catta99, You probably want to start with buttons disabled and then enabled them when the dashboard's async searches are done. You can use SplunkJS to attach search:done event handlers to your searches (see below). A complex dashboard (multiple searches, multiple buttons, etc.) may require a more complex solution. You can find more information in the SplunkJS documentation or more generally, in your favorite web development resources (or AI stack, if you use one). <!-- button_test.xml --> <dashboard version="1.1" theme="light" script="button_test.js"> <label>button_test</label> <search id="search1"> <query>| stats count</query> <earliest>-24h</earliest> <latest>now</latest> </search> <row> <panel> <html> <!-- assign a value to the disabled attribute to pass SplunkWeb's Simple XML validation --> <button id="button1" disabled="disabled">Button 1</button> </html> </panel> </row> </dashboard> // button_test.js require([ "jquery", "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!" ], function($, mvc) { search1 = splunkjs.mvc.Components.get("search1"); search1.on("search:done", function(properties) { $("#button1").prop("disabled", false); }); $("#button1").on("click", function() { alert("Button 1 clicked."); }); });   ... View more

Hi @catta99, To clear the server-side cache, restart splunkweb as you have done: $SPLUNK_HOME/splunk/bin/splunk restart splunkweb To clear the client-side cache, use your browser's cache functions or temporarily disable caching in your browser's dev tools. To prevent splunkweb from caching source files during development, you can disable caching in web.conf and restart Splunk:  # $SPLUNK_HOME/etc/system/local/web.conf [settings] cacheBytesLimit = 0 The example I provided can be expanded as needed. If you're still having issues after clearing all caches, reply with a reduced SimpleXML and JavaScript example, and we'll take another look. ... View more

Hi @Pcktech, Do your forwarders synchronize their clocks with an external source? If yes, have you confirmed whether clock synchronization occurred around the time of the first execution? For example: 07:02:00 - scheduler queues task 07:02:01 - clock is synchronized with external source and set to 07:01:57 07:01:58 - scheduler executes task 07:02:00 - scheduler queues task 07:02:01 - scheduler executes task If the forwarder logs do not indicate a step backwards, clock synchronization may still have occurred after the task was queued but before any events were logged. ... View more

Hi @Ethil, As far as I can tell, the et and lt query parameters are only used with input-search and not input-dashboard etc. ... View more

Hi @catta99, In your JavaScript source, you can use jQuery selectors to attach a click event handler to an object. In this example, I define a button with id="button1" in button_test.xml and attach a click event handler in button_test.js: <!-- button_test.xml --> <dashboard version="1.1" theme="light" script="button_test.js"> <label>button_test</label> <row> <panel> <html> <button id="button1">Button 1</button> </html> </panel> </row> </dashboard> // button_test.js require([ "jquery", "splunkjs/mvc", "splunkjs/mvc/simplexml/ready!" ], function($, mvc) { $("#button1").on("click", function() { alert("Button 1 clicked."); }); }); When button1 is clicked, the browser displays a dialog box with the message "Button 1 clicked." SplunkJS is documented at https://dev.splunk.com/enterprise/docs/developapps/visualizedata/usewebframework/, where you can find example JavaScript templates. RequireJS is documented at https://requirejs.org/docs/api.html#jsfiles, but its use is limited to the require([...], function(...) {}); shown above. jQuery selectors are documented at https://api.jquery.com/category/selectors/. The jQuery click event is documented at https://api.jquery.com/click/.   ... View more

Hi @TahWee, Just in case: Did you email the address on the contact tab in Splunkbase? They are also active in the community and probably respond to direct messages. They are also easy to locate on LinkedIn by cross-referencing their name with Splunk and recent activity. ... View more

The console lines just print diagnostic messages. All modern browsers have a console object, so you can leave them if you want. If you do remove them, an empty catch block won't cause any problems. The rest of the sample code just responds to click events. Looking at the custom_token_links dashboard example, you can see how this is done:   <a href="#" class="btn-pill" data-set-token="show_chart" data-value="show" data-unset-token="show_table"> Show Chart </a>   When you click on Show Chart, the click event hander is called, explicitly passing the data-set-token and data-unset-token values. In this example, data-unset-token is set to show_table, and the click handler sets the show_table token value to undefined. Because the table has a dependency on $show_table$, the table is hidden when show_table is undefined. If you can post a representative copy of the broken dashboard, we can probably fix it. ... View more

Hi @roblreid, It's a span element background color style defined and applied in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/build/pages/dark/search.js applied when the event data is rendered as HTML. I don't see a way to modify it without editing the code. To my eyes, it's a golden brown color, like an extra dark golden rod. I don't have turquoise text in Splunk Enterprise 9.3, though. The text is white. ... View more

Hi @LY, The MIME type error should have been preceded by a status 404. console.js has been removed (technically, quarantined) from current versions of Splunk Enterprise. All modern browsers should have a native console object, and you can remove the util/console requirement from tokenlinks.js: --- tokenlinks.js.original 2024-09-23 19:40:34.985325558 -0400 +++ tokenlinks.js 2024-09-23 19:40:59.456196826 -0400 @@ -1,10 +1,9 @@ requirejs([ '../app/simple_xml_examples/libs/jquery-3.6.0-umd-min', '../app/simple_xml_examples/libs/underscore-1.6.0-umd-min', - 'util/console', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' -], function($, _, console, mvc) { +], function($, _, mvc) { function setToken(name, value) { console.log('Setting Token %o=%o', name, value); @@ -51,4 +50,4 @@ } } }); -}); \ No newline at end of file +});  You can also remove the console.log() and console.warn() lines if you don't need them. ... View more

Here's an alternative that uses a few helper macros to replace the bitwise eval functions. Bit rotate functions would be a nice addition to Splunk, as would a parameter on all bitwise functions to specify width. | makeresults | eval HEX_Code="0002" ``` convert to number ``` | eval x=tonumber(HEX_Code, 16) ``` swap bytes ``` | eval t=`bitshl(x, 8)`, x=`bitshr(x, 8)`+`bitand_16(t, 65280)` ``` calculate number of trailing zeros (ntz) ``` | eval t=65535-x+1, y=`bitand_16(x, t)` | eval bz=if(y>0, 0, 1), b3=if(`bitand_16(y, 255)`>0, 0, 8), b2=if(`bitand_16(y, 3855)`>0, 0, 4), b1=if(`bitand_16(y, 13107)`>0, 0, 2), b0=if(`bitand_16(y, 21845)`>0, 0, 1) | eval ntz=bz+b3+b2+b1+b0 ``` ntz=9 ``` # macros.conf [bitand_16(2)] args = x, y definition = sum(1 * (floor($x$ / 1) % 2) * (floor($y$ / 1) % 2), 2 * (floor($x$ / 2) % 2) * (floor($y$ / 2) % 2), 4 * (floor($x$ / 4) % 2) * (floor($y$ / 4) % 2), 8 * (floor($x$ / 😎 % 2) * (floor($y$ / 😎 % 2), 16 * (floor($x$ / 16) % 2) * (floor($y$ / 16) % 2), 32 * (floor($x$ / 32) % 2) * (floor($y$ / 32) % 2), 64 * (floor($x$ / 64) % 2) * (floor($y$ / 64) % 2), 128 * (floor($x$ / 128) % 2) * (floor($y$ / 128) % 2), 256 * (floor($x$ / 256) % 2) * (floor($y$ / 256) % 2), 512 * (floor($x$ / 512) % 2) * (floor($y$ / 512) % 2), 1024 * (floor($x$ / 1024) % 2) * (floor($y$ / 1024) % 2), 2048 * (floor($x$ / 2048) % 2) * (floor($y$ / 2048) % 2), 4096 * (floor($x$ / 4096) % 2) * (floor($y$ / 4096) % 2), 8192 * (floor($x$ / 8192) % 2) * (floor($y$ / 8192) % 2), 16384 * (floor($x$ / 16384) % 2) * (floor($y$ / 16384) % 2), 32768 * (floor($x$ / 32768) % 2) * (floor($y$ / 32768) % 2)) iseval = 0 [bitshl(2)] args = x, k definition = floor(pow(2, $k$) * $x$) iseval = 0 [bitshr(2)] args = x, k definition = floor(pow(2, -$k$) * $x$) iseval = 0   ... View more

Hi @smanojkumar, This is a 16-bit adaptation of Gaudet's algorithm from Hacker's Delight Second Edition (Warren, 2013): | makeresults | eval HEX_Code="0002" ``` convert to number ``` | eval x=tonumber(HEX_Code, 16) ``` swap bytes ``` | eval x=bit_shift_right(x, 8)+bit_and(bit_shift_left(x, 8), 65280) ``` calculate number of trailing zeros (ntz) ``` | eval y=bit_and(x, 65535-x+1) | eval bz=if(y>0, 0, 1), b3=if(bit_and(y, 255)>0, 0, 8), b2=if(bit_and(y, 3855)>0, 0, 4), b1=if(bit_and(y, 13107)>0, 0, 2), b0=if(bit_and(y, 21845)>0, 0, 1) | eval ntz=bz+b3+b2+b1+b0 ``` ntz=9 ```   ... View more

Hi @Jakfarh, How did you identify the corruption? The rebuild command regenerates tsidx and metadata files from a valid rawdata directory. By default, metrics indexes have metric.stubOutRawdataJournal = true, and the rawdata journal is truncated when the bucket rolls from hot to warm. The documentation stresses this point: Caution: Because setting this attribute to "true" eliminates the data in the rawdata files, those files can no longer be used in bucket repair operations. After this occurs, the metrics index bucket is comprised of only the tsidx and metadata files, the loss of which should be mitigated by an appropriate clustering configuration (which disables metric.stubOutRawdataJournal) or a backup solution. If the tsidx or metadata files are corrupt, you'll need to either address the corruption at the file system or disk level or restore a copy from a backup. ... View more

Hi @beano501, From the ES documentation at https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Uploadthreatfile: Parsing STIX documents of version 2.0 and version 2.1 parses STIX observable objects such as type: "observed-data" from the threat intelligence document as outlined in the collections.conf configuration file. The STIX pattern syntax used in STIX "indicator" objects and elsewhere is not currently supported. It's implied the parser expects observed-data objects and then reads observable-container objects from the child objects property. It's explicitly stated that pattern syntax is not supported. This is confirmed in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/bin/parsers/stix2_parser.py (not shown), where we can see the parser expects the deprecated objects property inside an observed-data object in both STIX 2.0 and STIX 2.1 documents. We probably want something like this: { "type": "bundle", "id": "bundle--50ea61e5-7cce-4a72-a876-bfe45793d235", "spec_version": "2.0", "objects": [ { "type": "threat-actor", "id": "threat-actor--840bb5cd-af46-4c45-9489-43f7bfe612b8", "created": "2023-09-08T00:02:39.000Z", "modified": "2023-09-08T00:02:39.000Z", "name": "Bad Guys", "description": "No, really. They are bad guys.", "labels": [ "uncategorized" ] }, { "type": "observed-data", "id": "observed-data--110847c9-a492-4491-883f-0cea407bb6b1", "created": "2023-09-08T00:02:39.000Z", "modified": "2023-09-08T00:02:39.000Z", "first_observed": "2023-09-08T00:02:39.000Z", "last_observed": "2023-09-08T00:02:39.000Z", "number_observed": 1, "objects": { "0": { "type": "ipv4-addr", "value": "101.38.159.17" } } } ] } For more information about which properties are mapped from the nested object to the ip_intel collection, see the cited collections.conf file at $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/default/collections.conf: # STIX2 Mappings to ip_intel # * <collection_field> : <observable-type>.<observable-object-field> - <observable-reference-type>.<reference-object-field> # # * ip : ipv4-addr.value # * : ipv6-addr.value # * domain : domain-name.value # * address : None # * city : None # * country : None # * postal_code : None # * state_prov : None # * oranization_name : None # * organization_id : None # * registration_time : None # * description : None # * threat_key : <id of root element>|<simple filename> # * time : source_processed_time from threat_group_intel # * weight : Parsed from the stanza if downloaded, or required input from user when uploaded # * updated : None # * disabled : false The full list of supported STIX 2.x observed-data objects is: email-message => email_intel ipv4-addr => ip_intel ipv6-addr => ip_intel domain-name => ip_intel file => file_intel network-traffic (with http-request-ext extension) => http_intel process => process_intel process (with windows-service-ext extension) => service_intel windows-registry-key => registry_intel user-account => user_intel x509-certificate => certificate_intel ... View more