Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About damode1
damode1
Path Finder
Member since:
03-20-2022
12-14-2023
Community Statistics
| Posts | 20 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 03-20-2022 |
Activity Feed
- Posted When troubleshooting data ingestion on search heads, which SH is best to use ? on Monitoring Splunk. 09-19-2023 06:10 PM
- Tagged When troubleshooting data ingestion on search heads, which SH is best to use ? on Monitoring Splunk. 09-19-2023 06:10 PM
- Posted Re: What capabilities does a REST API only user need? on Security. 08-31-2023 02:16 AM
- Posted Re: How do you create saved search using REST API call? on Getting Data In. 08-30-2023 10:12 PM
- Posted ERROR">Cannot perform action "POST" without a target name to act on on Splunk Enterprise. 08-30-2023 08:00 PM
- Tagged ERROR">Cannot perform action "POST" without a target name to act on on Splunk Enterprise. 08-30-2023 08:00 PM
- Tagged ERROR">Cannot perform action "POST" without a target name to act on on Splunk Enterprise. 08-30-2023 08:00 PM
- Posted Re: Splunk REST API Post route is throwing Cannot perform action "POST" without a target name to act on .net c on Splunk Enterprise. 08-30-2023 07:40 PM
- Posted Re: Why do I keep getting errors when trying to import Pandas with Splunk's python? on All Apps and Add-ons. 07-11-2023 07:34 PM
- Posted Why are indexers unable to start? on Installation. 06-18-2023 07:50 PM
- Tagged Why are indexers unable to start? on Installation. 06-18-2023 07:50 PM
- Tagged Why are indexers unable to start? on Installation. 06-18-2023 07:50 PM
- Got Karma for Re: How to convert nested xml block into json formatted nested block ?. 05-25-2023 12:03 AM
- Posted Re: How to convert nested xml block into json formatted nested block ? on Splunk Search. 05-24-2023 05:24 PM
- Tagged Re: How to convert nested xml block into json formatted nested block ? on Splunk Search. 05-24-2023 05:24 PM
- Tagged Re: How to convert nested xml block into json formatted nested block ? on Splunk Search. 05-24-2023 05:24 PM
- Tagged Re: How to convert nested xml block into json formatted nested block ? on Splunk Search. 05-24-2023 05:24 PM
- Tagged Re: How to convert nested xml block into json formatted nested block ? on Splunk Search. 05-24-2023 05:24 PM
- Tagged Re: How to convert nested xml block into json formatted nested block ? on Splunk Search. 05-24-2023 05:24 PM
- Posted Re: How to convert nested xml block into json formatted nested block ? on Splunk Search. 05-24-2023 05:22 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-19-2023
06:10 PM
As the title says, when troubleshooting data ingestion on search heads e.g. running an SPL to check if certain data is landing to that index or searching through an addon like aws to check its diagnostic logs on the HF. For tests like these, which search heads are best to use, monitoring console or a regular search head or an SHC ?
... View more
- Tags:
- troubleshooting
Labels
08-30-2023
10:12 PM
Is there a way to pass these values from a file? -d name=firstApiTest \
-d disabled=1 \
-d owner=nobody \
-d description=descritionText \
-d search="index=main" \
-d dispatch.index_earliest=-7d \
-d dispatch.index_latestlatest=now
... View more
08-30-2023
08:00 PM
I need to run a curl command to run various tasks such as creating searches, accessing searches etc. I have the below command which works perfectly curl -k -u admin:test12345 https://127.0.0.1:8089/services/saved/searches/ \
-d name=test_durable \
-d cron_schedule="*/15 * * * *" \
-d description="This test job is a durable saved search" \
-d dispatch.earliest_time="-15h@h" -d dispatch.latest_time=now \
--data-urlencode search="search index=_audit sourcetype=audittrail | stats count by host" but given that I may have to craft various curl commands with different -d flags, I want to be able to pass values through a file so I used below command curl -k -u admin:test12345 https://127.0.0.1:8089/services/saved/searches/ --data-binary data.json where data.json looks like this {
"name": "test_durable",
"cron_schedule": "*/15 * * * *",
"description": "This test job is a durable saved search",
"dispatch.earliest_time": "-15h@h",
"dispatch.latest_time": "now",
"search": "search index=_audit sourcetype=audittrail | stats count by host"
} but in doing so I get following error <?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg>
</messages>
</response> So after going through lot of different posts on this topic, I realised Splunk seems to have problem with json format or mainly extracting the 'name' attribute from json format. Can someone please assist with how I can craft Curl command that uses data from a file like I am using above and get correct response from Splunk ?
... View more
Labels
- Labels:
-
development
08-30-2023
07:40 PM
hi, I am facing same issue. did you end up fixing it?
... View more
07-11-2023
07:34 PM
Were you able to fix this error about no module found 'mmap' If yes, please share solution. Thanks.
... View more
06-18-2023
07:50 PM
My Indexer cluster with smartstore was working fine with the below config
[default]
remotePath = volume:remote_store/$_index_name
repFactor = auto
# Configure the remote volume.
[volume:remote_store]
storageType = remote
path = s3://splunk_data/
However, suddenly now its unable to start and giving the following error on all indexers when Splunk starts due to which Splunk is unable to start
Problem parsing indexes.conf: Cannot load IndexConfig: Unable to load remote volume "remote_store" of scheme "s3" referenced by index "_audit": Could not get s3 region from the metadata endpoint
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue
To fix the above issue, I added below attribute to indexes.conf in the hopes that it will get the region
remote.s3.endpoint = https://s3.<region_name>.amazonaws.com
but after that I am getting the below error
Problem parsing indexes.conf: Cannot load IndexConfig: Unable to load remote volume "remote_store" of scheme "s3" referenced by index "_audit": Could not find access_key and/or secret_key in a configuration file, in environment variables or via the AWS metadata endpoint.
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue
can someone please help fix this issue ?
... View more
- Tags:
- s3
- smartstore
05-24-2023
05:24 PM
1 Karma
After spending hours doing trial and error, I finally was able to craft an SPL that gave me the expected result index=botsv3 sourcetype=xmlwineventlog
| spath
| rename Event.EventData.Data as EventDataData, Event.EventData.Data{@Name} as EventDataName EventID as ID Computer as Hostname TimeCreated as Timestamp
| eval EventData=json_object("EventData",json_object(mvindex(EventDataName,0),mvindex(EventDataData,0)))
| eval count=0
| foreach mode=multivalue EventDataName
[
| eval EventData=json_set(EventData,"EventData."+mvindex(EventDataName,mvcount(<<ITEM>>)+count),mvindex(EventDataData,mvcount(<<ITEM>>)+count)),count=count+1]
| foreach ID Hostname Timestamp
[
| eval EventData=json_set(EventData,"<<FIELD>>",<<FIELD>>)]
| table EventData
... View more
05-24-2023
05:22 PM
Thanks for sharing that, however, those fields still appear as individual json objects. I needed those fields nested in EventData json object
... View more
05-24-2023
12:43 AM
Your query is almost same as what I tried in my second attempt which I mentioned above. As mentioned there, the problem with that/your query is the field names are hardcoded which also leads to fields with null values. We need SPL that will dynamically format the event based on what fields are available.
... View more
05-23-2023
08:46 PM
Apologies. I realised my understanding of the data was incorrect. I have put the requirement and current data format on this new post https://community.splunk.com/t5/Splunk-Search/How-to-convert-nested-xml-block-into-json-formatted-nested-block/td-p/644381
... View more
05-23-2023
08:14 PM
I have the below sample botsv3 sample data set which is sysmon in xml format. I need to convert that into json formatted events. Sample Current XML format - code block :1 <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}' />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2023-05-21T13:35:45.561534700Z' />
<EventRecordID>36885</EventRecordID>
<Correlation />
<Execution ProcessID='3204' ThreadID='5508' />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>BGIST-L.froth.ly</Computer>
<Security UserID='S-1-5-18' />
</System>
<EventData>
<Data Name='UtcTime'>2023-05-21 15:17:59.931</Data>
<Data Name='ProcessGuid'>{EBF7A186-1A1C-5B59-0000-0010732E0200}</Data>
<Data Name='ProcessId'>2684</Data>
<Data Name='Image'>C:\Windows\System32\svchost.exe</Data>
<Data Name='FileVersion'>10.0.17134.1 (WinBuild.160101.0800)</Data>
<Data Name='Description'>Host Process for Windows Services</Data>
<Data Name='Product'>Microsoft® Windows® Operating System</Data>
<Data Name='Company'>Microsoft Corporation</Data>
<Data Name='CommandLine'>c:\windows\system32\svchost.exe -k networkservice -p -s CryptSvc</Data>
<Data Name='CurrentDirectory'>C:\Windows\system32\</Data>
<Data Name='User'>NT AUTHORITY\NETWORK SERVICE</Data>
<Data Name='LogonGuid'>{EBF7A186-1A19-5B59-0000-0020E4030000}</Data>
<Data Name='LogonId'>0x3e4</Data>
<Data Name='TerminalSessionId'>0</Data>
<Data Name='IntegrityLevel'>System</Data>
<Data Name='Hashes'>
MD5=32569E403279B3FD2EDB7EBD036273FA,SHA256=C9A28DC8004C3E043CBF8E3A194FDA2B756CE90740DF2175488337281B485F69</Data>
<Data Name='ParentProcessGuid'>{EBF7A186-1A18-5B59-0000-0010CEA80000}</Data>
<Data Name='ParentProcessId'>608</Data>
<Data Name='ParentImage'>C:\Windows\System32\services.exe</Data>
<Data Name='ParentCommandLine'>C:\Windows\system32\services.exe</Data>
</EventData>
</Event>" Expected in JSON format as below. I have only included fields that are actually needed. code block : 2 {
"ID": 1,
"Timestamp": "2023-05-18T05:07:59.940594300Z",
"EventData": {
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"Company": "Microsoft Corporation",
"TerminalSessionId": 0,
"UtcTime": "2018-08-20 15:18:59.929",
"Product": "Microsoft® Windows® Operating System",
"LogonId": "0x3e7",
"Description": "Find String (QGREP) Utility",
"OriginalFileName": "findstr.exe",
"Hashes": "MD5=BCC8F29B929DABF5489C9BE6587FF66D,SHA256=40F83CE0B6E1C894AB766591574ABD5B6780028C874410F2EC224300DF443C81",
"ParentProcessId": "5428",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c netstat -nao | findstr /r \"LISTENING\"",
"ProcessGuid": "{EBF7A186-0B7B-5B59-0000-001044A3CD01}",
"ProcessId": "6236",
"Image": "C:\\Windows\\System32\\findstr.exe",
"User": "NT AUTHORITY\\SYSTEM",
"LogonGuid": "{EBF7A186-AB15-5B58-0000-0020E7030000}",
"LogonGuid": "{EBF7A186-AB15-5B58-0000-0020E7030000}",
"IntegrityLevel": "System",
"ParentProcessGuid": "{EBF7A186-0B7B-5B59-0000-0010249FCD01}",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"RuleName": "",
"CommandLine": "findstr /r \"LISTENING\"",
"CurrentDirectory": "C:\\Windows\\system32\\"
},
"Hostname": "BGIST-L.froth.ly",
} The key fields are EventID, Computer and entire EventData block What I have tried so far Used | tojson command but it didn't created the nested EventData block. It just extracted all field-value pairs as individual objects then tried the below spl but it has fields hardcoded which is not desirable. We want them to be dynamically added to EventData block. The below SPL also led to lot of fields with null values as not all Event IDs had the same fields for obvious reasons. index=main
| rename EventID as ID Computer as Hostname eventtype as EventType
| fillnull value=""
| eval EventData=json_object("FileVersion", FileVersion, "Company", Company, "TerminalSessionId", TerminalSessionId, "UtcTime", UtcTime, "Product", Product,"LogonId",LogonId,"Description",Description,"Hashes",Hashes,"ParentProcessId",ParentProcessId,"ParentCommandLine",ParentCommandLine,"ProcessGuid",ProcessGuid,"ProcessId",ProcessId,"Image",Image,"User",User,"LogonGuid",LogonGuid,"IntegrityLevel",IntegrityLevel,"ParentProcessGuid",ParentProcessGuid,"ParentImage",ParentImage,"CommandLine",CommandLine,"CurrentDirectory",CurrentDirectory),_raw=json_set_exact(json_object(), "ID", ID, "Hostname", Hostname, "EventData", json_extract(EventData)) I tried the below query as well index=botsv3 sourcetype=xmlwineventlog EventID=1
| spath
| tojson Which gave the following result where Eventdata atleast is still in block but both the fields appear as values in Event.EventData.Data field and values in Event.EventData.Data{@Name}. I need the values in Event.EventData.Data{@Name} field to appear as values of corresponding fields which appear as values in the Event.EventData.Data field and all that as part of EventData nested json block. Basically as shown in code block : 2 Any help on this would be highly appreciated!
... View more
- Tags:
- json
Labels
- Labels:
-
eval
-
field extraction
-
other
05-23-2023
05:07 PM
ya sorry about that. my original post was repeatedly getting tagged as spam post for some unknown reason, hence, unfortunately I had to post it from another account.
... View more
05-21-2023
05:40 PM
getting below error when I tried your spl Failed to parse templatized search for field 'tag::eventtype'
... View more
05-21-2023
04:10 PM
I want to convert some of the below individual json objects in the event into nested single json object like the second example Current Format {
"ID": 1,
"Timestamp": "2023-05-18T05:07:59.940594300Z",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"Company": "Microsoft Corporation",
"TerminalSessionId": 0,
"UtcTime": "2018-08-20 15:18:59.929",
"Product": "Microsoft® Windows® Operating System",
} Expected Format {
"ID": 1,
"Timestamp": "2023-05-18T05:07:59.940594300Z",
"EventData":{
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"Company": "Microsoft Corporation",
"TerminalSessionId": 0,
"UtcTime": "2018-08-20 15:18:59.929",
"Product": "Microsoft® Windows® Operating System",
}
} I have tried to playaround with json functions but unable to figure out how to achieve the above outcome. Can someone please help ?
... View more
- Tags:
- json
Labels
- Labels:
-
other
05-21-2023
03:55 AM
I want to convert some of the below individual json objects in the event into nested single json object like the second example Current Format {
"ID": 1,
"Timestamp": "2023-05-18T05:07:59.940594300Z",
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"Company": "Microsoft Corporation",
"TerminalSessionId": 0,
"UtcTime": "2018-08-20 15:18:59.929",
"Product": "Microsoft® Windows® Operating System",
} Expected Format {
"ID": 1,
"Timestamp": "2023-05-18T05:07:59.940594300Z",
"EventData":{
"FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
"Company": "Microsoft Corporation",
"TerminalSessionId": 0,
"UtcTime": "2018-08-20 15:18:59.929",
"Product": "Microsoft® Windows® Operating System",
}
} I have tried to playaround with json functions but unable to figure out how to achieve the above outcome. Can someone please help ?
... View more
- Tags:
- json
Labels
- Labels:
-
eval
03-21-2022
03:07 PM
No worries. Will wait for your reply. Thanks!
... View more
03-20-2022
05:29 PM
Even though I registered for the People, Process and Technology Tech Talk, it says "A confirmation email with event details will be sent to you shortly." but I never end up getting any link to the series. @melissap Can you please help ?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-14-2023
10:35 PM
|
