Greetings! I am writing a Python script to create a custom search command that reaches out to an API to get some data back based on what is passed to it. Whenever I run the script via `/opt/splunk/bin/splunk cmd python splunk.py`, I get the following import error:
```
Traceback (most recent call last):
  File "splunk.py", line 2, in <module>
    import splunk.Intersplunk
  File "/opt/splunk/etc/apps/duoSearch/bin/splunk.py", line 2, in <module>
    import splunk.Intersplunk
ImportError: No module named Intersplunk
```
When I open up the interpreter via `/opt/splunk/bin/splunk cmd python` and try to import it there via `import splunk.Intersplunk`, I do not get an error.
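An added demonstration (not part of the post above) of how a traceback with this exact shape, the same file and line listed twice, comes about: when a script's file name matches the name of the package it imports, Python finds the script itself first (the script's own directory is always `sys.path[0]`), and `import pkg.sub` then fails because a plain module is not a package. The package name `fakepkg`, the script names and the directory layout below are made up for the demonstration and stand in for nothing on the page.

```python
import os
import shutil
import subprocess
import sys
import tempfile


def build_layout(root):
    """A 'site-packages'-like dir holding a real package fakepkg (with fakepkg.sub),
    plus two script dirs: one whose script is *named* fakepkg.py, one whose script is not."""
    site = os.path.join(root, "site")
    os.makedirs(os.path.join(site, "fakepkg"))
    open(os.path.join(site, "fakepkg", "__init__.py"), "w").close()
    with open(os.path.join(site, "fakepkg", "sub.py"), "w") as fh:
        fh.write("VALUE = 'from the real package'\n")

    # Identical script body under two names; only the file name differs.
    script = "import fakepkg.sub\nprint(fakepkg.sub.VALUE)\n"
    bad_bin = os.path.join(root, "bin_bad")    # shadows the package
    good_bin = os.path.join(root, "bin_good")  # does not
    os.makedirs(bad_bin)
    os.makedirs(good_bin)
    with open(os.path.join(bad_bin, "fakepkg.py"), "w") as fh:
        fh.write(script)
    with open(os.path.join(good_bin, "fakepkg_cmd.py"), "w") as fh:
        fh.write(script)
    return site, bad_bin, good_bin


def run_script(script_path, site):
    """Run 'python <script>' with the real package reachable via PYTHONPATH.
    The script's directory is still searched first, before anything in PYTHONPATH."""
    env = dict(os.environ)
    env["PYTHONPATH"] = site
    proc = subprocess.run([sys.executable, script_path],
                          capture_output=True, text=True, env=env)
    return proc.returncode, proc.stdout.strip(), proc.stderr.strip()


def demo():
    """Return both outcomes so they can be compared: shadowed run vs renamed run."""
    root = tempfile.mkdtemp()
    try:
        site, bad_bin, good_bin = build_layout(root)
        rc_bad, _, err_bad = run_script(os.path.join(bad_bin, "fakepkg.py"), site)
        rc_ok, out_ok, _ = run_script(os.path.join(good_bin, "fakepkg_cmd.py"), site)
    finally:
        shutil.rmtree(root)
    return {"shadowed_rc": rc_bad, "shadowed_err": err_bad,
            "renamed_rc": rc_ok, "renamed_out": out_ok}


if __name__ == "__main__":
    r = demo()
    print("fakepkg.py     ->", r["shadowed_err"].splitlines()[-1] if r["shadowed_err"] else "ok")
    print("fakepkg_cmd.py ->", r["renamed_out"])
```

The shadowed run prints the two-frame traceback (the script imports a second copy of itself as the module `fakepkg`, which re-runs the same line); the renamed run prints the value from the real package.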
splunk.Intersplunk is missing from import
How can I add the "act*" and "target*" fields to this table with "Host" being the primary field?
Hello everyone,
This search is designed to alert on potential password-spraying attempts on servers in my environment. I have this search working when I leave out `| appendpipe [table act* target*]`, but I am trying to figure out how to add those fields to the results while keeping my created "Server" field intact. Any ideas are greatly appreciated.
```
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| eval event=_raw
| rex mode=sed field=event "s/[\n\r]//g"
| rex field=event "Subject:.*Security ID:\t*(?.*?)\tAccount Name:(?.*?)\t*Account Domain:\t*(?.*?)Logon ID:\t*(?.*?)Logon Type"
| rex field=event "Account For Which Logon Failed:\tSecurity ID:\t*(?.*?)\tAccount Name:(?.*?)\t*Account Domain:\t*(?.*?)Failure Information"
| bin _time span=1m
| stats dc(user) as EvtCounts by src
| rename src as server
| where EvtCounts >50
| eval Server = server." (".EvtCounts.")"
| table Server
| appendpipe [table act* target*]
```
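The detection logic of the search above, run over constructed 4625 events as an added example (not code from the post): distinct target accounts per source per one-minute bin, a threshold of 50, and the subject/target account fields carried along with each flagged row instead of being dropped by the aggregation (in SPL that is what `values(...)` inside the same `stats` does; `appendpipe` after `table Server` has nothing left to tabulate). The regex group names `act_*`, `target_*` and `src` are my assumptions; the event text and IP addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field extractions shaped like the rex lines in the post; group names are assumed.
SUBJECT_RE = re.compile(
    r"Subject:.*?Security ID:\s*(?P<act_sid>\S+)\s*Account Name:\s*(?P<act_user>\S+)"
    r"\s*Account Domain:\s*(?P<act_domain>\S+)\s*Logon ID:\s*(?P<act_logon_id>\S+)",
    re.S,
)
TARGET_RE = re.compile(
    r"Account For Which Logon Failed:\s*Security ID:\s*(?P<target_sid>\S+)"
    r"\s*Account Name:\s*(?P<target_user>\S+)\s*Account Domain:\s*(?P<target_domain>\S+)",
    re.S,
)
SRC_RE = re.compile(r"Source Network Address:\s*(?P<src>\S+)")


def make_4625(ts, src, user):
    """Constructed 4625 body (not a real log); layout follows the Windows event text."""
    body = (
        "An account failed to log on.\n\nSubject:\n"
        "\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n"
        "\tLogon ID:\t\t0x0\n\nLogon Type:\t\t3\n\nAccount For Which Logon Failed:\n"
        "\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t%s\n\tAccount Domain:\t\tCORP\n\n"
        "Failure Information:\n\tStatus:\t\t0xC000006D\n\nNetwork Information:\n"
        "\tWorkstation Name:\tATTACKER\n\tSource Network Address:\t%s\n" % (user, src)
    )
    return ts, body


def parse_4625(raw):
    """Apply all three extractions; missing sections simply leave fields absent."""
    fields = {}
    for rx in (SUBJECT_RE, TARGET_RE, SRC_RE):
        m = rx.search(raw)
        if m:
            fields.update(m.groupdict())
    return fields


def detect_spray(events, threshold=50):
    """Per (1-minute bin, src): count distinct target users; flag bins above
    threshold and keep the act*/target* values alongside the Server column."""
    buckets = defaultdict(lambda: {"users": set(), "rows": []})
    for ts, raw in events:
        f = parse_4625(raw)
        if "src" not in f or "target_user" not in f:
            continue  # events the regexes do not fit are skipped, not miscounted
        key = (ts.replace(second=0, microsecond=0), f["src"])  # bin _time span=1m
        buckets[key]["users"].add(f["target_user"])
        buckets[key]["rows"].append(f)
    results = []
    for (bin_start, src), b in sorted(buckets.items()):
        n = len(b["users"])
        if n > threshold:
            results.append({
                "_time": bin_start,
                "Server": "%s (%d)" % (src, n),
                "EvtCounts": n,
                "act_user": sorted({r["act_user"] for r in b["rows"]}),
                "target_user": sorted(b["users"]),
            })
    return results


def sample_events():
    """Constructed: 55 distinct accounts from one source in one minute, 3 from another."""
    t0 = datetime(2018, 9, 28, 17, 42, 0)
    evs = [make_4625(t0 + timedelta(seconds=i), "10.0.0.5", "user%02d" % i) for i in range(55)]
    evs += [make_4625(t0 + timedelta(seconds=i), "10.0.0.9", "svc%d" % i) for i in range(3)]
    return evs


if __name__ == "__main__":
    for hit in detect_spray(sample_events()):
        print(hit["_time"], hit["Server"], "targets:", len(hit["target_user"]), "actors:", hit["act_user"])
```

A spray that straddles a minute boundary is split across two bins by this (and by `bin _time span=1m`), so a burst can fall under the threshold in each half; a sliding window or a wider span is the usual remedy.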
I am getting the error "Error while deploying apps to first member: Error while fetching apps baseline on target=https://:8089: Network-layer error: Connect Timeout" while pushing the bundle from the deployer
This is the first time I am trying to push the configuration bundle from the Deployer to the search heads, using the command below:
```
splunk apply shcluster-bundle -target https://:8089
```
I am facing the issue below after running that command:
```
Error while deploying apps to first member: Error while fetching apps baseline on target=https://:8089: Network-layer error: Connect Timeout
```
Can anyone please help me fix this issue?
Thanks & Regards,
Manikanth
Free Training #1 has a bug
Cannot launch Step 4 of the training.
Cannot ask for tech support, because there is **NO BUTTON TO ASK TECH SUPPORT**.
*Something seems to have gone wrong. Please try again. If this issue persists, please notify us with the steps taken to recreate the issue.*
That's insane; I cannot even post a link for my trouble:
*You don't have enough karma points to post links; if you post any link they won't be shown to other users.*
indexing issue
We have a 20 GB license and I index CSV or txt files of around 13 GB, but when I check the license usage I find only 1 GB or 2 GB, which means I am losing some indexed data!
custom notification triggers
Is there a way I can create custom notification triggers in Splunk?
For example, if a restart of the server is initiated, or software is installed on the servers, etc.,
it would send an email automatically informing me of the same. Please help.
Thanks & Regards,
Siraj
Need to remove a field's data before indexing
Hi Team,
I need to remove a field's data before the data gets indexed in Splunk.
The field that needs to be removed is in the middle of the log and spans several lines.
Sample data:
```
dv_u_business_duration_in_seconds="",closed_by="",sys_created_by="***",sys_domain_path="/",dv_business_duration="",dv_work_notes="2018-08-05 09:46:09 - **********
******************
**************
active="true",dv_made_sla="true",additional_assignee_list="",delivery_task=""
```
The field name is work_Notes.
Note: I tried the nullQueue route below.
In props.conf:
```
[sourcetype:test_task]
TRANSFORMS-null= tasknull
```
In transforms.conf:
```
[tasknull]
FIELDS = work_Notes
DEST_KEY = queue
FORMAT = nullQueue
```
Thanks in advance.
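An added example, not code from the post, of the rewrite needed here: blanking one quoted value that spans several lines while leaving the surrounding `key="value"` pairs intact. The same expression works as an index-time `SEDCMD` in props.conf, which is the Splunk mechanism that edits `_raw` before it is written (routing to `nullQueue`, as in the post's transform, discards whole events rather than fields). The field name `dv_work_notes` is taken from the post's sample rather than its prose, the stanza name `test_task` and the note text are assumed.

```python
import re

# Assumed field name: the sample in the post shows dv_work_notes (its prose says work_Notes).
FIELD = "dv_work_notes"

# Index-time equivalent in props.conf (SEDCMD rewrites _raw before indexing):
#   [test_task]
#   SEDCMD-strip_work_notes = s/(dv_work_notes=")[^"]*"/\1"/


def strip_field(raw, field=FIELD):
    """Blank the quoted value of `field`, even when it spans several lines.
    `[^"]*` matches newlines on its own, so no (?s) flag is needed. Assumes the
    value holds no embedded double quotes (true of the post's sample)."""
    rx = re.compile(r'(%s=")[^"]*"' % re.escape(field))
    return rx.sub(r'\1"', raw)


def count_fields(raw):
    """Number of key="..." pairs, to confirm only the target value was touched."""
    return len(re.findall(r'\b\w+="[^"]*"', raw))


# Constructed sample modelled on the post's redacted one; the note text is made up.
SAMPLE = (
    'dv_u_business_duration_in_seconds="",closed_by="",sys_created_by="jdoe",'
    'sys_domain_path="/",dv_business_duration="",'
    'dv_work_notes="2018-08-05 09:46:09 - called customer, reset credentials\n'
    'escalated to tier 2\n'
    'customer confirmed access restored",'
    'active="true",dv_made_sla="true",additional_assignee_list="",delivery_task=""'
)

if __name__ == "__main__":
    print(strip_field(SAMPLE))
```

If the notes can legitimately contain `"` characters, `[^"]*` stops early; in that case anchor the end of the value on the next `",<key>=` instead, at the cost of a more fragile pattern.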
It looks like the current Splunk apps for AWS do not support the cn-northwest-1 region in China
It looks like the current Splunk apps for AWS do not support the cn-northwest-1 region in China. I tried deploying the current Splunk apps for AWS,
and it looks like they can't support the Ningxia region. Can someone double-check the current version?
File upload trick
Hello
I can upload an ASCII file from my computer and save it in the indexer.
=> This is not a problem.
But below there is a problem.
You can still upload files by changing the extension of the file name.
All I want to know is:
Is it possible to upload in another way, such as when a file is uploaded with a changed file extension?
I am looking for a document on this question.
Does anyone know of one?
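The point raised above, that renaming a file says nothing about what it contains, applies to any upload handler. As an added example (not from the post, and not Splunk's own upload code), this is how to decide by content instead: a few well-known leading byte signatures, then a text heuristic, with the file name used only for the log line. The sample uploads are constructed byte strings.

```python
# Recognisable leading bytes ("magic"); the extension is never consulted.
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),
    (b"\xff\xd8\xff", "jpeg"),
]


def classify(data):
    """Type label from content: a known magic prefix, else 'text' when the
    bytes are NUL-free valid UTF-8, else 'binary'."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    if b"\x00" in data:
        return "binary"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def is_acceptable_upload(filename, data, allowed=("text",)):
    """Accept only when the *content* is an allowed type. The name is reported
    for logging but has no say in the decision, so x.gz renamed to x.txt changes nothing."""
    kind = classify(data)
    ok = kind in allowed
    return ok, "%s: content=%s %s" % (filename, kind, "accepted" if ok else "rejected")


# Constructed samples, not real uploads.
SAMPLES = {
    "events.txt": b"2018-09-28T17:42:00Z host=web01 user=alice action=login\n",
    "events.log": b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03" + b"\x00" * 8,  # gzip, renamed
    "report.csv": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,                  # ELF, renamed
    "notes.txt": "caf\u00e9 \u2713 ok\n".encode("utf-8"),                     # non-ASCII text
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(is_acceptable_upload(name, data)[1])
```

The signature list is deliberately short; a production check would use a full magic database, but the decision rule stays the same: classify the bytes, then compare against an allow-list.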
Single Splunk command to generate dummy data that can be run in the search bar
Can someone advise on a single Splunk command that can be run in the search bar and will display dummy data? This was demonstrated by an instructor in the past, but I can't remember what the command was.
How to calculate moving average based on 2 fields?
Hi Splunkers,
Suppose I have 2 values in my search:

| Date | # of items purchased | UnitPrice |
| --- | --- | --- |
| Day1 | 4 | 0.12 |
| Day2 | 10 | 0.10 |
| Day3 | 25 | 0.19 |
| Day4 | 100 | 0.15 |

I want to calculate the average item price throughout time. I hope this question makes sense.
Cheers,
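The average price per item over time is a quantity-weighted average, running spend divided by running item count, not the mean of the UnitPrice column. The calculation carried through on the post's four rows, as an added example (not the poster's code): cumulative, a trailing window, and the unweighted mean for contrast. In SPL the cumulative form is `| eval spend=qty*price | streamstats sum(spend) as spend_total sum(qty) as items_total | eval avg_price=spend_total/items_total`, with `window=N` on `streamstats` for the moving variant; the field names `qty` and `price` are assumed.

```python
# Rows from the table in the post: (day, items_purchased, unit_price)
ROWS = [
    ("Day1", 4, 0.12),
    ("Day2", 10, 0.10),
    ("Day3", 25, 0.19),
    ("Day4", 100, 0.15),
]


def running_average_price(rows, window=None):
    """Average price per item up to each day: sum(qty*price) / sum(qty).
    window=None is cumulative over all days so far (the 'throughout time' case);
    window=k uses only the last k days (a moving weighted average)."""
    out = []
    for i in range(len(rows)):
        lo = 0 if window is None else max(0, i - window + 1)
        part = rows[lo:i + 1]
        spend = sum(q * p for _, q, p in part)
        items = sum(q for _, q, _ in part)
        out.append((rows[i][0], round(spend / items, 4)))
    return out


def naive_average_price(rows):
    """Plain mean of UnitPrice, ignoring quantities; shown only for contrast."""
    return round(sum(p for _, _, p in rows) / len(rows), 4)


if __name__ == "__main__":
    print("cumulative:", running_average_price(ROWS))
    print("2-day window:", running_average_price(ROWS, window=2))
    print("unweighted mean of UnitPrice:", naive_average_price(ROWS))
```

On these rows the cumulative figure ends at 0.1527 while the unweighted mean is 0.14; the 100-item day at 0.15 dominates, which is exactly what weighting by quantity is meant to capture.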
lookup error in Splunk Essentials App
Getting the error below in the **In-Scope Device with Outdated Anti-Malware Found** use case of the Splunk Security Essentials app:
```
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
```
Can someone please advise how to fix it?
Thanks.
splunk 6.6.x user password reset
We are on Splunk version 6.6.3.
There are two user accounts, admin and test_admin.
When I reset the admin password, the test_admin account gets deleted.
Question: Is there no way to reset only the admin password?
FireEye Add-on for Splunk Enterprise Syslog Issue
Hi,
The Splunk setup in my environment contains a Heavy Forwarder (HF) before search time. I'm currently using version 3.0.9 of the FireEye Add-on from Splunkbase at the URL below, installed on the HF and the Search Head (SH) to help parse those FireEye syslog events:
https://splunkbase.splunk.com/app/1904/
However, for some of the raw events the header got stripped off and only the part inside the { } is ingested as the `_raw` event when I search in the GUI. This results in Splunk not ingesting the complete raw event (from the header to the end of the string). Looking through the stanzas in transforms.conf, I observed this particular regex, which extracts the part inside the { }.
**Version 3.0.9**
```
REGEX = (?s).*?fenotify.*?(?\{.*\})
FORMAT = $1
DEST_KEY = _raw
```
**Version 3.1.1**
```
REGEX = (?s).*?fenotify.*?({.*})
FORMAT = $1
DEST_KEY = _raw
```
Apparently both versions have this "header-stripping" stanza, which may be the main cause of my FireEye syslog events getting truncated. Any recommendation to solve this issue? Does upgrading to the latest version (from 3.0.9 to 3.1.1) help resolve it? Or can I just remove those stanzas in my current version, and will there be any implications?
Thanks in advance!
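What the quoted stanza does to an event, shown as an added example (not code from the add-on or the post): `REGEX` with `FORMAT = $1` and `DEST_KEY = _raw` replaces the whole event with capture group 1, so everything before the first `{` after `fenotify` is discarded at index time, exactly the header loss described. The second function keeps the original line and parses the JSON body separately, which is the shape of an alternative that does not rewrite `_raw`. The syslog line and JSON content are constructed, not a real FireEye alert.

```python
import json
import re

# The 3.1.1 stanza's REGEX as a Python pattern; (?s) makes '.' match newlines.
HEADER_STRIP_RE = re.compile(r"(?s).*?fenotify.*?({.*})")

# Constructed syslog line (not a real FireEye event); the JSON is made up.
SAMPLE = (
    "<14>Sep 28 17:42:00 fireeye-nx fenotify-1234.alert: "
    '{"alert": {"severity": "majr", "name": "malware-object", "src": {"ip": "10.0.0.5"}}}'
)


def apply_transform(raw):
    """Index-time effect of FORMAT=$1 + DEST_KEY=_raw: the event becomes capture
    group 1, so the syslog priority, timestamp and host are gone for good."""
    m = HEADER_STRIP_RE.match(raw)
    return m.group(1) if m else raw


def split_event(raw):
    """Alternative that keeps _raw intact: return (header, parsed JSON) so the
    syslog header survives alongside the structured body."""
    m = HEADER_STRIP_RE.match(raw)
    if not m:
        return raw, None
    body = m.group(1)
    return raw[: m.start(1)].rstrip(), json.loads(body)


if __name__ == "__main__":
    print("indexed _raw after transform:", apply_transform(SAMPLE))
    header, body = split_event(SAMPLE)
    print("header kept:", header)
    print("severity:", body["alert"]["severity"])
```

Because `{.*}` is greedy under `(?s)`, the capture runs from the first `{` to the last `}` in the event; that is fine for one JSON object per event, but any trailing text after the closing brace is dropped too.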
Selecting first and second match separately using Rex
Hello,
I have 1 field in Splunk which contains 2 short email headers in plain-text, for example:
**From**: Me (me@me.com)
**Sent**: 28 September 2018 17:42
**To**: You (you@you.com)
**Subject**: This is the first email
**From**: Me (me@me.com)
**Sent**: 28 September 2018 18:42
**To**: You-aswell (you-aswell@you.com)
**Subject**: This is the second email
There is more text after the 2 short email headers.
I would like to use rex to select the 2 Sent times, i.e.:
```
rex field=output "Sent: (?.*)"
rex field=output "Sent: (?.*)"
```
How do I select, in the rex function, which match to use? As an FYI, there may be text before the headers, so selecting the line number wouldn't be an option.
Thanks,
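Selecting the n-th match, as an added example (not the poster's code): collect every `Sent:` value in order and index into the list, which is what `rex ... max_match=0` followed by `mvindex(field, n)` does in SPL (`max_match=0` returns all matches as a multivalue field; `mvindex` is zero-based). The second function parses each complete four-line header block, so the two timestamps can be compared rather than just extracted. The field value below is constructed from the headers in the post, with filler text before and after them.

```python
import re
from datetime import datetime

# Constructed field value shaped like the post's two headers plus surrounding text.
OUTPUT = (
    "Forwarded conversation, see below.\n"
    "From: Me (me@me.com)\nSent: 28 September 2018 17:42\nTo: You (you@you.com)\n"
    "Subject: This is the first email\n"
    "From: Me (me@me.com)\nSent: 28 September 2018 18:42\nTo: You-aswell (you-aswell@you.com)\n"
    "Subject: This is the second email\n"
    "Body text follows here and may itself mention Sent: in passing.\n"
)

# One header block = four consecutive lines; '^'/'$' are per line under re.M.
HEADER_RE = re.compile(
    r"^From: (?P<from>.+)\nSent: (?P<sent>.+)\nTo: (?P<to>.+)\nSubject: (?P<subject>.+)$",
    re.M,
)
SENT_FMT = "%d %B %Y %H:%M"


def sent_times(text):
    """All 'Sent:' values in order (the multivalue field rex max_match=0 would give).
    Anchoring at line start keeps a mid-sentence 'Sent:' in the body from matching."""
    return re.findall(r"^Sent: (.+)$", text, re.M)


def nth_sent(text, n):
    """n-th Sent value, 0-based (the mvindex step); None if there is no such match."""
    vals = sent_times(text)
    return vals[n] if n < len(vals) else None


def parse_headers(text):
    """Every complete header block as a dict, with Sent parsed to a datetime."""
    out = []
    for m in HEADER_RE.finditer(text):
        d = m.groupdict()
        d["sent_at"] = datetime.strptime(d["sent"].strip(), SENT_FMT)
        out.append(d)
    return out


if __name__ == "__main__":
    print("first:", nth_sent(OUTPUT, 0), "second:", nth_sent(OUTPUT, 1))
    hdrs = parse_headers(OUTPUT)
    print("gap minutes:", int((hdrs[1]["sent_at"] - hdrs[0]["sent_at"]).total_seconds() // 60))
```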
How do you set alert severity?
I've created a custom alert action and I want to include alert severity as one of its parameters, with a UI element to select it. So far I have found two solutions, neither of which is exactly what I want.
Solution 1 is to simply have my own parameter, let's call it my_severity, which is totally independent of anything else. This works, but means if you have other actions triggered on the same alert you can have multiple severity settings to manage.
Solution 2 is to use alert.severity, which can be set by including the "Add to Triggered Alerts" action in your alert and using the drop-down menu in that alert to set the severity. This also isn't ideal, as it means you can't use my custom alert action on its own.
Is it possible to replicate the alert severity drop-down menu in my own action's UI, so that both are based on the same parameter?
I have a join query which I need to optimize with stats
```
index="index1" sourcetype=sourcetype1
| join commonfield [ search index="index2" sourcetype=sourcetype2 ]
| sort _time
| stats last(index1field1) as state by index2field1, index1field2, index1field3
| where index1field1 != "UP"
| dedup index2field1
| stats count
```
I want to optimize this query without the join, using stats and OR. Can anyone help me?
how to use Netscaler nitro API to fetch license and serialno values
Hi,
I need some help understanding the Nitro API query to fetch values for serialno and id (license)!
```
metriccategory/metric/value
metriccategory/metric?param=value
```
I have tried the above combinations, but they don't seem to be working. Does anyone have a working endpoint string?
Thanks,
Query a DateTime field in the SQL query inside the splunk log
I need to query the DateTime field for values greater than a 3-month duration.
The DateTime field is inside the SQL query's where condition (e.g. `DateTime >= "2018-06-28T08:15:12.712Z"`).
How can I do this?
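An added example, not from the post, of the two steps involved: pull the quoted ISO-8601 literal (and its comparison operator) out of the SQL text embedded in each log line, then compare it against a reference time with the three-month window taken as 90 days. The log lines, timestamps and the fixed reference time `NOW` are constructed; in a live search the reference would be the current time.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines carrying SQL text (not from the post); timestamps are made up.
LOGS = [
    '2018-09-28 17:42:01 INFO query="SELECT id FROM orders WHERE DateTime >= "2018-06-28T08:15:12.712Z" AND status=1"',
    '2018-09-28 17:42:02 INFO query="SELECT id FROM orders WHERE DateTime >= "2018-08-01T00:00:00.000Z""',
    '2018-09-28 17:42:03 INFO query="SELECT id FROM audit WHERE DateTime > "2018-01-15T12:00:00Z""',
    '2018-09-28 17:42:04 INFO health check ok',
]
NOW = datetime(2018, 9, 28, 17, 42, 0)  # fixed reference time so the run is reproducible

# Operator alternation lists two-character forms first so '>' does not win over '>='.
DT_RE = re.compile(
    r'DateTime\s*(?P<op>>=|<=|<>|!=|=|>|<)\s*"'
    r'(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?Z)"'
)


def parse_ts(s):
    """ISO-8601 UTC literal as used in the SQL, with or without fractional seconds."""
    if "." not in s:
        s = s[:-1] + ".0Z"  # %f requires a fraction; supply one when absent
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def extract(line):
    """(operator, datetime) from the first DateTime comparison in the line, else None."""
    m = DT_RE.search(line)
    return (m.group("op"), parse_ts(m.group("ts"))) if m else None


def older_than(lines, now, days=90):
    """Lines whose DateTime literal lies more than `days` before `now`
    (the question's 3-month window, taken here as 90 days)."""
    hits = []
    for line in lines:
        got = extract(line)
        if got is not None and now - got[1] > timedelta(days=days):
            hits.append((got[1], line))
    return hits


if __name__ == "__main__":
    for ts, line in older_than(LOGS, NOW):
        print(ts.isoformat(), "<-", line)
```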
How to collect logs from OpenStack cloud and forward them to an on-premise Splunk Enterprise?
I have a requirement to collect logs from OpenStack cloud and forward them to an on-premise Splunk Enterprise instance. What is the procedure? Do I need to install forwarders in the cloud? If yes, how and where?