Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About PavelP
PavelP
Motivator
Member since:
12-03-2013
05-21-2024
Community Statistics
| Posts | 411 |
| Solutions | 62 |
| Karma Given | 82 |
| Karma Received | 57 |
| Member Since | 12-03-2013 |
Activity Feed
- Got Karma for Re: Splunk Upgradtation tar/rpm. 10-23-2024 01:30 PM
- Posted Re: TERM and PREFIX cannot find string with two dashes on Splunk Search. 03-04-2024 10:01 AM
- Posted Re: TERM and PREFIX cannot find string with two dashes on Splunk Search. 03-03-2024 03:52 AM
- Posted Re: TERM and PREFIX cannot find string with two dashes on Splunk Search. 03-03-2024 03:49 AM
- Posted Re: TERM and PREFIX cannot find string with two dashes on Splunk Search. 03-03-2024 02:53 AM
- Karma Re: TERM and PREFIX cannot find string with two dashes for tscroggins. 03-02-2024 02:18 PM
- Posted Re: TERM and PREFIX cannot find string with two dashes on Splunk Search. 03-02-2024 02:02 PM
- Karma Re: TERM and PREFIX cannot find string with two dashes for PickleRick. 03-02-2024 11:49 AM
- Got Karma for TERM and PREFIX cannot find string with two dashes. 03-02-2024 05:47 AM
- Posted TERM and PREFIX cannot find string with two dashes on Splunk Search. 03-02-2024 01:27 AM
- Karma Re: How come when I send Syslog info via UDP to local universal forwarder, the host is always 127.0.0.1? for FrankVl. 01-31-2024 09:08 AM
- Posted Re: Tracking Field Changes in Events on Splunk Search. 01-30-2024 07:09 AM
- Posted Re: Tracking Field Changes in Events on Splunk Search. 01-30-2024 06:45 AM
- Posted Re: Tracking Field Changes in Events on Splunk Search. 01-30-2024 03:33 AM
- Posted Re: Tracking Field Changes in Events on Splunk Search. 01-29-2024 11:49 AM
- Karma Re: Tracking Field Changes in Events for yuanliu. 01-29-2024 11:38 AM
- Posted Re: Tracking Field Changes in Events on Splunk Search. 01-25-2024 05:44 AM
- Posted Tracking Field Changes in Events on Splunk Search. 01-25-2024 04:13 AM
- Got Karma for Re: Splunk reports first-time run failed!. 12-15-2023 06:49 AM
- Got Karma for Re: parse csv content and header for fields. 12-08-2023 02:56 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
03-04-2024
10:01 AM
please consider upvote a new Splunk idea to get more attention: https://ideas.splunk.com/ideas/EID-I-2226
... View more
03-03-2024
03:52 AM
Affected are tstats/TERM/PREFIX and accelerated DM searches. This isn't limited to punycode domains; any value with continuous hyphens may be affected. Consider usernames, user-agents, URL paths and queries, file names, and file paths – the range of affected fields is extensive. The implications extend to premium apps like Enterprise Security, heavily reliant on accelerated DMs. Virtually every source and sourcetype could be impacted, including commonly used ones like firewall, endpoint, windows, proxy, etc. Here are a couple of examples to illustrate the issue: Working URL: hp--community.force.com Path: /tmp/folder--xyz/test-----123.txt, c:\Windows\Temp\test---abc\abc--123.dat Username: admin--haha User-Agent: Mozilla/5.0--findme
... View more
03-03-2024
03:49 AM
Affected are tstats/TERM/PREFIX and accelerated DM searches. This isn't limited to punycode domains; any domain with continuous hyphens may be affected. Consider usernames, user-agents, URL paths and queries, file names, and file paths – the range of affected fields is extensive. The implications extend to premium apps like Enterprise Security, heavily reliant on accelerated DMs. Virtually every source and sourcetype could be impacted, including commonly used ones like firewall, endpoint, windows, proxy, etc. Here are a couple of examples to illustrate the issue: Working URL: https://hp--community.force.com Path: /tmp/folder--xyz/test-----123.txt, c:\Windows\Temp\test---abc\abc--123.dat Username: admin--haha User-Agent: Mozilla/5.0--findme
... View more
03-03-2024
02:53 AM
Affected are tstats/TERM/PREFIX searches and accelerated DM searches. I haven't conducted a thorough check yet, but it seems that searches on accelerated DM may overlook fields with double dashes. This isn't limited to punycode domains; any field value with continuous hyphens may be affected. Consider usernames, user-agents, URL paths and queries, file names, and file paths – the range of affected fields is extensive. The implications extend to premium apps like Enterprise Security, heavily reliant on accelerated DMs. Virtually every source and sourcetype could be impacted, including commonly used ones like firewall, endpoint, windows, proxy, etc. Here are a couple of examples to illustrate the issue: Working URL: https://hp--community.force.com Path: /tmp/back--door/test-----backdoor.txt, c:\Windows\Temp\back--door\test---backdoor.exe Username: admin--backdoor User-Agent: Mozilla/5.0--backdoor
... View more
03-02-2024
02:02 PM
Hey folks, breaking news for the TERM/PREFIX enthusiasts! Brace yourselves – our TERM searches cannot find punycode encoded domains! 🙂 xn--bcher-kva.de https://en.m.wikipedia.org/wiki/Punycode
... View more
03-02-2024
01:27 AM
1 Karma
any ideas on TERM and PREFIX limitations with double dashes? cat /tmp/test.txt
abc//xyz
abc::xyz
abc==xyz
abc@@xyz
abc..xyz
abc--xyz
abc$$xyz
abc##xyz
abc%%xyz
abc\\xyz
abc__xyz search abc--xyz # works
TERM(abc--xyz) # doesn't work
TERM(abc*) # works
| tstats count by PREFIX(abc) # doesn't work for abc--xyz Both TERM and PREFIX work with other minor segmenters like dots or underscores.
... View more
01-30-2024
07:09 AM
that looks great, thank you PickleRick! I modified it to "| foreach val1 val2" to avoid "Failed to parse templatized search for field 'previous_val1'" error. I need some time to adapt it to my real search, I'll get back
... View more
01-30-2024
06:45 AM
something is missing here, there aren't any values in the column "changed"
... View more
01-30-2024
03:33 AM
yes, the _time is not the time of change, I noticed it too. But overall the code reports summarized all changes per id: | table _time id changed The first data point is at 10:20:30, so the reported change at 10:20:56 is correct. I would be very interested in a solution involving "running changes". BTW never heard about the "autoregress" command, thx!
... View more
01-25-2024
05:44 AM
any ideas how can I use foreach to "collect" all changes (using mvappend)? My current attempt works only if I restrict foreach to one specific field (e.g. "a") and even then it shows just one change pro id: | foreach a [ eval changed = if ( previous_<> != <> , mvappend(changed, "<>") , 0) ] | search changed!=0 | stats values(changed) values(id) by _time
... View more
01-25-2024
04:13 AM
Hello, I'm looking of your insights to pinpoint changes in fields over time. Events structured with timestamp, ID, and various fields. Seeking advice on constructing a dynamic timeline to identify altered values and corresponding fields. Example events below: 10:20:30 25/Jan/2024 id=1 a=1534 b=253 c=384 ...
10:20:56 25/Jan/2024 id=1 a=1534 b=253 c=385 ...
10:20:56 25/Jan/2024 id=2 a="something" b=253 c=385 ...
10:21:35 25/Jan/2024 id=2 a="something" b=253 c=385 ...
10:22:56 25/Jan/2024 id=2 a="xyz" b="-" c=385 ... Desired result format: 10:20:56 25/Jan/2024 id=1 changed field "c"
10:22:56 25/Jan/2024 id=2 changed field "a", changed field "b" My pseudo SPL to find changed events: ... | streamstats reset_on_change=true dc(*) AS * by id | foreach * [ ??? ] With hundreds of fields per event, seeking efficient method - considering a combination of streamstats, foreach, transaction or stats. Insights appreciated.
... View more
Labels
- Labels:
-
stats
-
timechart
-
transaction
09-30-2023
08:33 AM
Soon or later the default.xml need to be deleted to allow new menu items from an updated app to appear.
... View more
09-30-2023
06:13 AM
Thank you Giuseppe, just voted for your EID-I-72 idea.. Then I'll stay with modifying menu using UI. The problem is there is no way to delete local/data/ui/nav/default.xml using UI. Or there is a workaround?
... View more
09-30-2023
03:22 AM
I want to allow user to change/switch the nav bar by clicking a button on the setup page. What is the easiest way to create a setup page (html + js) that changes the app's navigation menu bar (nav/default.xml)? from: <nav>
<view name="summary"/>
<collection label="NEW">
<view name="summary_new"/>
</collection>
</nav> to: <nav>
<view name="summary_new"/>
<collection label="OLD">
<view name="summary"/>
</collection>
</nav> Currently the user must use UI to create a custom navigation setting (by creating local/data/ui/nav/default.xml).
... View more
Labels
- Labels:
-
javascript
07-20-2023
07:13 AM
Hello @Berfomet96 double check that your system has both an issuing CA and a mcafee (=trellix) CA: you can download them here: USERTrust RSA Certification Authority https://ssl-tools.net/subjects/cd30d24c343a82ab1f0570158ad7a107762992e9 McAfee OV SSL CA 2: https://ssl-tools.net/subjects/f9e20cf9be7fd75c16fbd6144aca78546e526e06 Google for "add trusted ca certificates linux" to find a step by step instruction depending on your linux distro.
... View more
06-04-2023
10:27 PM
Hello @fmcgheeSplunk truncated logs can by caused by the UDP transport but most common on indexer. Have you installed an add-on also on indexer to apply magic 6 settings for the ingestion? Duplicate proxy log is a common issue for high rate log inputs, when the same url requested by the same user multiple times per second, to confirm it you can add millisecond resolution to the timestamp. Is it cloud or on premise proxy? How you transfer logs from proxy to splunk, using syslog or UF? Have you run through this onboarding checklist: http://proxy-test.com/README.html#onboarding_checklist
... View more
10-21-2022
09:04 AM
if you can define hosts using a wildcard (as in your example hostA to hostZ): | metasearch index=IndexA host=host* | stats values(host) AS host if host* is to broad then you can restrict it with | where host IN or similar
... View more
06-02-2022
08:59 AM
it is a cloud environment, classic experience, so no luck with btool :-(. All what we have is an option to query /servicesNS/-/-/configs/conf-props REST endpoint I have no doubts to solve this problem on CLI if it were on premise setup...
... View more
06-02-2022
08:34 AM
SA-IdentityManagement is a hidden app, there are no way to just "create" KO in it using UI. This app comes with ES (actually a part of ES setup) and should not be modified by user. I can positive confirm there is no other user that could do this intentionally. Any other ideas?
... View more
06-02-2022
07:58 AM
Environment: Splunk ES SH running in cloud (Classic experience). There are two apps for a particular sourcetype (let's call it "sourcetype-x"):
TA-customer-props (the old one)
zzz-customer_props (the new one)
Settings > Sourcetype > sourcetype-x > edit > Advanced > adding some new extractions and evals
When I'm trying to dump all props using REST API call, I see that my settings are merged in a SA-IdentityManagement , how come?
As far I know, the SA-IdentityManagement should contain lookups only.
Is the any way to "de-configure" sourcetype-x from TA-customer-props and SA-IdentityManagement and leave it's configuration in zzz-customer_props only?
... View more
06-04-2020
04:29 AM
Hello @suzyd,
sar files are binary and cannot be read by Splunk as such. You need to use sar or sadf command to convert them into text.
You can convert sar raw files on the source system or push them on the universal or heavy forwarder via rsync/scp/etc. and process there.
I've tried various methods but ended with real time push using scripting input: https://splunkbase.splunk.com/app/1803/#/details
You can modify this app for your need as required.
... View more
06-02-2020
10:40 PM
Hello @joshnetwolf
what are the last lines in the output of ./splunk start?
what does the env variable $INSTANCE_ID contains?
After any environment variables are expanded, the server name
(if not an IPv6 address) can only contain letters, numbers, underscores,
dots, and dashes. The server name must start with a letter, number, or an
underscore.
... View more
05-31-2020
10:09 AM
@vrajshekar the second link is not available: The message you are trying to access is not available.
... View more
05-29-2020
09:08 AM
difficult to say without seeing your data, but seems to be not a splunk issue.
Have you tried ask on McAfee community forum:
ePO: https://community.mcafee.com/t5/ePolicy-Orchestrator/bd-p/epolicy-orchestrator
SIEM: https://community.mcafee.com/t5/Security-Information-and-Event/bd-p/siem
If you post there, please leave a link here, so everybody can benefit.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-21-2024
08:27 AM
|
Karma from
