Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About VatsalJagani
VatsalJagani
Champion
Member since:
02-15-2018
Community Statistics
| Posts | 987 |
| Solutions | 139 |
| Karma Given | 113 |
| Karma Received | 255 |
| Member Since | 2018-02-15 |
Activity Feed
- Got Karma for Re: /var/log/messages filter null queue not filtering. 2 weeks ago
- Posted Re: How do you show the annotation label on a chart without having to hover over the value? on Dashboards & Visualizations. 2 weeks ago
- Posted Re: Splunk search- How to capitalize the first letter of every filed column? on Splunk Search. 2 weeks ago
- Got Karma for Re: Splunk search- How to capitalize the first letter of every filed column?. 2 weeks ago
- Posted Re: Why is my map command only going back 7 days instead of the set search time? on Splunk Search. 2 weeks ago
- Posted Re: How to resolve error "This XML file does not appear to have any style information associated with it." on Splunk Search. 2 weeks ago
- Posted Re: How do you show the annotation label on a chart without having to hover over the value? on Dashboards & Visualizations. 2 weeks ago
- Posted Re: /var/log/messages filter null queue not filtering on Getting Data In. 2 weeks ago
- Posted Re: Splunk search- How to capitalize the first letter of every filed column? on Splunk Search. 2 weeks ago
- Got Karma for Re: Splunk search- How to capitalize the first letter of every filed column?. 2 weeks ago
- Posted Re: How to setup certification expiry alert? on Alerting. 2 weeks ago
- Posted Re: Splunk search- How to capitalize the first letter of every filed column? on Splunk Search. 2 weeks ago
- Posted Re: Alert doesn't trigger when search conditions are met on Alerting. a month ago
- Got Karma for Re: Alert doesn't trigger when search conditions are met. a month ago
- Karma Re: Microsoft Office 365 Reporting Add-on for Splunk not pulling data - exiting with 403 Client Error? for jconger. 08-29-2022 10:08 AM
- Posted Re: Alert doesn't trigger when search conditions are met on Alerting. 08-25-2022 12:23 AM
- Posted Re: Alert doesn't trigger when search conditions are met on Alerting. 08-24-2022 04:26 AM
- Got Karma for Re: find ip addresses which have both received and sent a message. 08-23-2022 07:46 PM
- Got Karma for Re: Alert doesn't trigger when search conditions are met. 08-23-2022 05:18 PM
- Got Karma for Re: splunk Victoria. 08-22-2022 09:13 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
2 weeks ago
@ichesla1111 - I don't think there is any direct way to do that. Only think you can use it annotation label but it will not be visible all the time.
... View more
2 weeks ago
@uagraw01 - If it answers your question, please mark it as an accepted answer by clicking on "Accept as Solution".
... View more
2 weeks ago
@ichesla1111 - Are you changing UI time-range filter? That will not work as time-range is mentioned as part of search: earliest=\"$start$\" latest=$end$ I hope this helps!!! Karma/upvote the post if it helps!!!
... View more
2 weeks ago
@sh254087 - The error message says "Service Unavailable", meaning you may have some disconnects with Splunk services. If this is happening regularly you may contact Splunk support. I hope this helps!!! Upvote/karma the post if it does!!
... View more
2 weeks ago
@ichesla1111 - Have you tried formatting the chart using Show Data Values? I hope this helps!!!
... View more
2 weeks ago
1 Karma
@youngsuh - Your regex101 link does not seem to be valid anymore. Also, just be sure does your log file name is just message or it message.log, or messages.log or message-2022-09-16.log??? If that's the case then you must specify the wildcard in the props.conf stanza.
... View more
2 weeks ago
1 Karma
@uagraw01 - Here is how you can do that without explicitly specifying the field name. It applies to all the present fields. | foreach * [
| eval field_<<FIELD>> = "<<FIELD>>"
| eval field_<<FIELD>> = upper(substr(field_<<FIELD>>,1,1)).substr(field_<<FIELD>>,2)
| eval {field_<<FIELD>>} = <<FIELD>>
| fields - field_<<FIELD>>, <<FIELD>>] Here is full example: | makeresults | eval vulnerabilities=10, groups=2
| append [| makeresults | eval vulnerabilities=9, groups=4]
| foreach * [
| eval field_<<FIELD>> = "<<FIELD>>"
| eval field_<<FIELD>> = upper(substr(field_<<FIELD>>,1,1)).substr(field_<<FIELD>>,2)
| eval {field_<<FIELD>>} = <<FIELD>>
| fields - field_<<FIELD>>, <<FIELD>>] I hope this helps!!! Please upvote & accept the answer if it answers your question!!!
... View more
2 weeks ago
@Khanu89 - Can you please specify the details of fields you have in your data? And also how you are writing the condition you mentioned? What is the count field in the condition?
... View more
2 weeks ago
1 Karma
@uagraw01 - In your search, it seems the easiest option to do that is to just write field names the way you want in the stats command itself. Like, | stats dc(falcon.vul.cve.id) as Vulnerabilities, dc(host.info.id) as Groups ..... I hope this helps!!!
... View more
a month ago
@freddy_Guo - Indeed an odd issue. I'm glad you are able to figure out and resolve it.!!!
... View more
08-25-2022
12:23 AM
1 Karma
@freddy_Guo - This data source has a delay, but following in your query should be able to handle it properly. _index_earliest=-5m earliest=-7d Please also look at other areas which could have issues: Check whether the alert is triggering or not. index=_internal sourcetype=scheduler "<alert name or some keywords>" result_count=* If the alert has results and triggered an email or other alert action, please check whether there was any issue sending an email or notification. index=_internal (source=*splunkd.log OR source=*python.log) I hope this helps!!!
... View more
08-24-2022
04:26 AM
@freddy_Guo - Run this to find out the largest time diff: index=[Index]
(host=[Hostname]) AND (level=ERR OR tag IN (error) OR ERR)
| eval indextime=strftime(_indextime, "%F %T")
| eval diff_in_min=round((indextime-_time)/60, 2)
| table _time, indextime, diff_in_min
| sort - diff_in_min Run this in last 24 hours.
... View more
08-22-2022
04:40 AM
1 Karma
I would suggest updating the query like this to handle ingestion delay: index=[Index] _index_earliest=-15m earliest=-1h
(host=[Hostname]) AND (level=ERR OR tag IN (error) OR ERR) I hope this helps!!! Upvote would be appreciated!!
... View more
08-21-2022
10:30 PM
2 Karma
@balcv - I do not see any reason why it should not collect the logs but I can give you a few pointers for troubleshooting. Make sure you are deploying this on a forwarder where the log files exist (as I can see inputs.conf file is under deployment-apps.) Make sure you have UF splunkd restart enabled for Splunk_TA_nix App on Forwarder management. On that forwarder make sure you got the latest deployed inputs.conf file under $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf. Look at any errors in splunkd.log file for the forwarder machine. I hope this helps!!! Upvote would be appreciated!!!
... View more
08-21-2022
10:23 PM
1 Karma
@masoud - This would be the simplest mathematical way to do it. (In Splunk though there could be a better way of doing depending on the data.) | set intersect [<your-search> | dedup src_ip | table src_ip] [<your-search> | dedup dest_ip | table dest_ip] I hope this helps!!! Karma would be appreciated!!!
... View more
08-21-2022
10:18 PM
@freddy_Guo - One of the reasons that I could think of an incorrectly extracted time or difference in timestamp and ingest time. index=[Index] _index_earliest=-15m
| eval indextime=strftime(_indextime, "%F %T")
| eval diff_in_min=round((indextime-_time)/60, 2)
| table _time, indextime, diff_in_min Run the above search to find out how much diff there is between indexed time and timestamp. I hope this helps!!! Upvote would be appreciated!!
... View more
08-21-2022
10:13 PM
@pagnihot - By adding CSS to your dashboard. How to add CSS to your dashboard: <dashboard stylesheet="my_styles.css" version="1.1"> Example style where I made panel titles bold: .dashboard-row .dashboard-panel h2.panel-title {
font-weight: bold;
} I hope this example helps you to achieve what you want.
... View more
08-16-2022
06:43 AM
Following is the approach I would choose in the order given here. Try upgrading Add-on and check. Contact the Add-on developer about the issue. Resolving the indentation issue yourself, requires Python expertise. I hope this helps!!!
... View more
08-15-2022
09:03 AM
@nyuad - It seems the following file from TA-servicelink Add-on has a Python indentation error. /data/splunk/etc/apps/TA-servicelink/bin/servicelink.py Generally, the Indentation error is not related Python version. In any case, this is an Add-on code issue and not a Splunk issue, just to clarify. I hope this helps!!
... View more
08-15-2022
08:55 AM
@KleeJean - I don't know if there is any better way to do this, but here is what will work for sure. Install DB Connect on the same search head as Enterprise Security. - https://splunkbase.splunk.com/app/2686/ Create a scheduled report (keep intervals according to how often you think data in the database is getting changed.) | dbxquery query="<write-your-query-here>" connection="<dbx-connection>"
| outputlookup my_sql_data.csv Use my_sql_data.csv file as an Enterprise Security asset file. I hope this helps!!!
... View more
Contact Me
