Query to access JSON
From the attached image of JSON, I would like to retrieve the three-letter IDs (example: ABC, DEF) which are present inside ID.
Could you please provide me the query?
| spath _attributes.id.??
![alt text][1]
[1]: /storage/temp/217643-123.png
Help needed with Search to correlate Windows Event Logs
Hi All,
I have a requirement to write a Splunk query that will alert if Windows event logs capture three EventCodes (independent events) within 30 seconds.
Pseudo-query:
EventCode=4624 OR EventCode=4672 OR EventCode=4676 | bucket span=30s _time | fields _time hostname EventCode
Any leads, please?
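The correlation the post asks for, worked through in Python as an added illustration (not an answer from the original thread, and not SPL). The events, hosts and timestamps below are constructed. It compares the two ways of expressing "all three codes within 30 s": fixed 30-second buckets, which is what `bucket span=30s` gives, and a per-host sliding window. The constructed host srv04 has all three codes 25 s apart but straddling a bucket boundary, which the bucketed version misses.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events (time, host, EventCode); not from the post.
# srv01: all three codes inside 25 s.
# srv02: 4676 never occurs.
# srv03: 4624 and 4676 are 45 s apart.
# srv04: all three inside 25 s, but straddling a 30 s bucket boundary.
SAMPLE_EVENTS = [
    ("2017-09-25 10:58:00", "srv01", 4624),
    ("2017-09-25 10:58:12", "srv01", 4672),
    ("2017-09-25 10:58:25", "srv01", 4676),
    ("2017-09-25 10:58:45", "srv02", 4624),
    ("2017-09-25 10:59:10", "srv02", 4672),
    ("2017-09-25 11:00:20", "srv03", 4624),
    ("2017-09-25 11:00:58", "srv03", 4672),
    ("2017-09-25 11:01:05", "srv03", 4676),
    ("2017-09-25 10:58:20", "srv04", 4624),
    ("2017-09-25 10:58:35", "srv04", 4672),
    ("2017-09-25 10:58:45", "srv04", 4676),
]

REQUIRED = frozenset({4624, 4672, 4676})
WINDOW_SECONDS = 30
EPOCH = datetime(1970, 1, 1)


def parse(events):
    """Turn the string timestamps into datetimes and sort by host, then time."""
    parsed = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), h, c) for t, h, c in events]
    return sorted(parsed, key=lambda e: (e[1], e[0]))


def find_sliding_hits(events, required=REQUIRED, window_seconds=WINDOW_SECONDS):
    """Per host, slide a window over the time-ordered events and report each span
    in which every required EventCode appears within `window_seconds`.
    Returns [(host, first_time, last_time)]."""
    window = timedelta(seconds=window_seconds)
    by_host = {}
    for t, h, c in parse(events):
        by_host.setdefault(h, []).append((t, c))

    hits = []
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            # drop events from the left until the span fits in the window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if required <= {c for _, c in evs[start:end + 1]}:
                hits.append((host, evs[start][0], evs[end][0]))
                start = end + 1  # consume these events so one sequence alerts once
    return hits


def find_bucket_hits(events, required=REQUIRED, span_seconds=WINDOW_SECONDS):
    """Fixed buckets, the equivalent of `bucket span=30s _time` followed by a
    per-(_time, host) stats over EventCode. Returns [(host, bucket_start_epoch)]."""
    codes_in_bucket = {}
    for t, h, c in parse(events):
        epoch = int((t - EPOCH).total_seconds())
        bucket = epoch - epoch % span_seconds
        codes_in_bucket.setdefault((h, bucket), set()).add(c)
    return sorted(k for k, codes in codes_in_bucket.items() if required <= codes)


if __name__ == "__main__":
    print("sliding:", find_sliding_hits(SAMPLE_EVENTS))
    print("bucketed:", find_bucket_hits(SAMPLE_EVENTS))
```

The bucketed version is the one that maps directly onto `bucket span=30s _time | stats dc(EventCode) AS n BY _time hostname | where n=3` (my reading of the pseudo-query, not the thread's answer); it alerts on srv01 only, because srv04's three events fall into two adjacent buckets. If boundary cases matter, the sliding-window logic is what the alert needs, and in SPL that means a transaction-style or streamstats-based search rather than bucket.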
How to dynamically show single value caption
I've created a dashboard, and on this dashboard I've got a single value, which shows my value. Inside the search tags I've created a token which is being set when the search has finished: Average: $result.average$ - ChosenWeek: $result.chosenweek$ - Percent: $result.percent$ - Text: $result.text$
I've then set the caption of the single value to be the value of $PERCENT_DEBUG$.
Inside the panel I've also added a checkbox: "My panel title", "Enable Debug".
How can I make the single value caption be displayed when the checkbox is checked, and hidden when the checkbox is unchecked?
Regex for multiline
Hi,
I have the following event:
017/09/25 10:58:57 Client logging in as robertE on DB1...
Connect to Oracle failed:
ORA-01017: invalid username/password; logon denied
ERROR:User login failed!
I am OK extracting the username via regex:
` ... | rex field=_raw "Client logging in as (?<user>\w+)"`
but how do I also match the "failed" word in the 2nd line in order to differentiate successful and failed logons?
Thanks! :)
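An added worked example of the multi-line match the post is after, written in Python rather than SPL and not taken from the thread. The events are constructed to match the shape shown above (the third one, with ORA-28000, is my addition). The point it demonstrates is that the outcome lives on a later line than the username, so the failure marker is anchored with the multi-line flag instead of being dragged into the username regex.

```python
import re

# Constructed sample events in the shape shown in the post (not real log data).
SAMPLE_EVENTS = [
    "2017/09/25 10:58:57 Client logging in as robertE on DB1...\n"
    "Connect to Oracle failed:\n"
    "ORA-01017: invalid username/password; logon denied\n"
    "ERROR:User login failed!",
    "2017/09/25 10:59:03 Client logging in as alice on DB1...\n"
    "Connected to Oracle.",
    "2017/09/25 10:59:40 Client logging in as svc_backup on DB2...\n"
    "Connect to Oracle failed:\n"
    "ORA-28000: the account is locked\n"
    "ERROR:User login failed!",
]

USER_RE = re.compile(r"Client logging in as (?P<user>\w+) on (?P<db>\w+)")
# MULTILINE lets ^ match at the start of every line of the event, so the
# failure marker on line 2 is found independently of the first line.
FAIL_RE = re.compile(r"^Connect to Oracle failed:", re.MULTILINE)
ORA_RE = re.compile(r"^(?P<ora>ORA-\d{5}):", re.MULTILINE)


def classify(event):
    """Extract user and database from line 1 and the outcome from the later lines."""
    m = USER_RE.search(event)
    ora = ORA_RE.search(event)
    return {
        "user": m.group("user") if m else None,
        "db": m.group("db") if m else None,
        "result": "failed" if FAIL_RE.search(event) else "success",
        "ora_code": ora.group("ora") if ora else None,
    }


def failed_logons(events):
    """(user, db, ora_code) for every failed logon: the tuple an alert would key on."""
    rows = [classify(e) for e in events]
    return [(r["user"], r["db"], r["ora_code"]) for r in rows if r["result"] == "failed"]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e))
```

Splunk's rex command uses PCRE, so the same approach carries over: keep the username extraction as posted and add a second rex such as `| rex "(?m)^(?<failure>Connect to Oracle failed):"` followed by `| eval result=if(isnull(failure),"success","failed")` (my suggestion, not the thread's). Keeping the ORA code as its own field is worth it: ORA-01017 (bad password) and ORA-28000 (account locked) tell different stories in a brute-force investigation.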
Hello guys, how do I configure the Splunk SDK for Python? Is there anybody who can help me with this or who has documentation available?
Splunk Add-on for Microsoft Cloud Services. Inputs error ACTC001.
Hello, All.
I found this [question][1] without an answer.
I have this error too. Maybe anyone knows how to fix it?
Some logs are collected in Splunk, though.
[1]: https://answers.splunk.com/answers/439280/splunk-add-on-for-microsoft-cloud-services-invalid.html
Getting Error from TailReader
Hello,
I am trying to upload a .csv file through my auto-index and I am getting this error " -0400 ERROR TailReader - error from read call from 'G:\Data\SSRS_Subscriptions\It_SNOW_Call_Kiosk_Logs_Weekly\snow data 9-18.csv'"
I have a QA environment with the same inputs.conf and props.conf information, and the file uploaded just fine there. Below are my inputs.conf and props.conf lines. Can you please help me figure out why I am getting this error?
[monitor://G:\Data\SSRS_Subscriptions\It_SNOW_Call_Kiosk_Logs_Weekly]
whitelist = \.csv$
disabled = false
index = it_snow_call_kiosk_logs_weekly
sourcetype = itcc:snow
initCrcLength = 640
[itcc:snow]
INDEXED_EXTRACTIONS = csv
TRUNCATE = 50000
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = opened_at
TIME_FORMAT = %1m/%1d/%Y %H:%M
How to use K-anonymity with splunk?
Hello,
Let's say I have a CSV file that contains sensitive data. I want, at index time, to group multiple lines into one event in a way that doesn't compromise my data. So let's say:
User - Age
U1 - 12
U2 - 13
U3 - 17
U4 - 15
U5 - 20
How can I group, for example, each 2 users as one event like so (of course before indexing and not at search time):
U1,U2 - 12,13
U3,U4 - 17,15
...
Thanks in advance
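Splunk's monitor input has no hook to merge rows before indexing, so the grouping has to happen on the file before the input sees it. The following is an added example of that pre-processing step, not from the thread; the CSV is the post's own five rows, the function names are mine. It generalises the question to any k and handles the one edge case that matters for the guarantee: with five rows and k=2, a naive split leaves U5 alone in its own event, which identifies U5 exactly, so the remainder is folded into the previous group. Note that packing k rows into one event only hides which value belongs to which user inside the group; k-anonymity proper also generalises the quasi-identifiers (age bands instead of exact ages), which is outside what the post asks for.

```python
import csv
import io

# Constructed input matching the post's table; not real data.
SAMPLE_CSV = """User,Age
U1,12
U2,13
U3,17
U4,15
U5,20
"""


def group_rows(rows, k):
    """Split a list of rows into consecutive groups of k.
    A trailing group smaller than k would single out its members, so it is
    folded into the previous group; fewer than k rows in total is an error."""
    if k < 1:
        raise ValueError("k must be >= 1")
    if len(rows) < k:
        raise ValueError(f"only {len(rows)} rows, cannot form a group of {k}")
    groups = [rows[i:i + k] for i in range(0, len(rows), k)]
    if len(groups) > 1 and len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    return groups


def anonymise_csv(csv_text, k=2, sep=","):
    """Rewrite a CSV so each output row carries the values of k (or more) input rows.
    Joined values are quoted by the csv module, so a props.conf stanza with
    INDEXED_EXTRACTIONS = csv still yields one event per output line."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    fields = reader.fieldnames
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(fields)
    for group in group_rows(rows, k):
        writer.writerow([sep.join(r[f] for r in group) for f in fields])
    return out.getvalue()


if __name__ == "__main__":
    print(anonymise_csv(SAMPLE_CSV, k=2), end="")
```

Run this over the CSV (for example from the cron job or scripted input that produces the file) and point the monitor stanza at the rewritten output only; the original must never sit in a monitored directory, or the ungrouped rows get indexed alongside the grouped ones.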
Why am i unable to log in to Splunk Web?
I just installed Splunk Enterprise on my laptop, but when I try to access Splunk Web, it goes to a link (http://localhost:8000/) and gives me error 404:
The webpage cannot be found
HTTP 404
Most likely causes:
•There might be a typing error in the address.
•If you clicked on a link, it may be out of date.
Controlling search execution via dashboard inputs
We want to be able to save specific dashboard inputs using outputlookup only if the user has selected a control (check box, radio button, etc.). All other panels should display as normal. Essentially what we want to do is store the timeframes entered in a "valid results" table that we can then use to recall the same dashboard output again at a later time. Any suggestions on the best way to implement this?
Creating a Root Event Dataset with Geospatial lookup
Using Splunk 6.6, I tried for the first time to create a Data Model.
My Root Event Dataset consists of events which have latitude and longitude fields. I have a geospatial lookup with all the states of Brazil, and I want to use the geospatial lookup to add a State field to my Root Event Dataset.
In the Data Model edit form, I clicked on "Add Field" and saw the option "Lookup". I thought that this would solve the problem. However, I did not find my geospatial lookup listed in the Lookup options. Looking into the Splunk documentation, I found this statement:
> The Datasets listing page displays two categories of lookup datasets: lookup table files and lookup definitions. It lists lookup table files for .csv lookups and lookup definitions for .csv lookups and KV Store lookups. Other types of lookups, such as external lookups and geospatial lookups, are not listed as datasets.
So, my question is: how should I go about using the geospatial lookup to add fields to my root event dataset?
I could include the geospatial lookup in the root event dataset filter; however, since this dataset contains a huge amount of events, including the lookup there doesn't sound very efficient.
Any ideas?
Thank you in advance.
500 Internal server error
After upgrading to the latest Splunk Enterprise version, I'm getting this error:
https://image.ibb.co/mbpbuQ/1.jpg
btool check --debug:
No spec file for: /opt/splunk/etc/apps/FileServ/default/fileserv.conf
Improper stanza [dhcpd_server_dhcprelease] in /opt/splunk/etc/apps/unix/default/tags.conf, line 30
Invalid key in stanza [email] in /opt/splunk/etc/system/local/alert_actions.conf, line 5: reportServerEnabled (value: 1).
Did you mean 'reportCIDFontList'?
Did you mean 'reportFileName'?
Did you mean 'reportIncludeSplunkLogo'?
Did you mean 'reportPaperOrientation'?
Did you mean 'reportPaperSize'?
Invalid key in stanza [email] in /opt/splunk/etc/system/local/alert_actions.conf, line 6: reportServerURL (value: ).
Did you mean 'reportCIDFontList'?
Did you mean 'reportFileName'?
Did you mean 'reportIncludeSplunkLogo'?
Did you mean 'reportPaperOrientation'?
Did you mean 'reportPaperSize'?
Checking: /opt/splunk/etc/system/local/authentication.conf
Checking: /opt/splunk/etc/system/local/authorize.conf
Checking: /opt/splunk/etc/system/local/distsearch.conf
Checking: /opt/splunk/etc/system/local/eventtypes.conf
Checking: /opt/splunk/etc/system/local/indexes.conf
Checking: /opt/splunk/etc/system/local/inputs.conf
No spec file for: /opt/splunk/etc/system/local/migration.conf
Checking: /opt/splunk/etc/system/local/props.conf
Checking: /opt/splunk/etc/system/local/server.conf
Checking: /opt/splunk/etc/system/local/serverclass.conf
No spec file for: /opt/splunk/etc/system/local/tenants.conf
Checking: /opt/splunk/etc/system/local/transforms.conf
Checking: /opt/splunk/etc/system/local/web.conf
How can I fix that?
Manually Importing Mcafee EPO Data
So, I have been tasked with monitoring our EPO server, which is managed by a managed service. Long story short, the only way we can get data from the EPO server is via a once-a-day CSV file dump. I'm sorry, but I'm still learning Splunk. What app would be the best to use to ingest the data? I know I will have to manually upload the data.
Search for URL not in Alexa Top 1m
Hi everyone,
I have a log with a field that contains a URL. I would like to perform a Splunk search and find all logs where the resource name is not in the Alexa top 1 million sites list. I want to see what unpopular websites people are visiting by only displaying the sites that are not in the top million list. My URL field is just called "url," and I have the Alexa list in the Threat Intelligence Downloads section. Does anyone have a search query that can get me close to what I'm trying to do? Thanks!
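An added example of the matching logic behind "not in the Alexa top 1 million", in Python and not from the thread. The rank list and proxy URLs below are constructed stand-ins; in Splunk the real list arrives as a lookup from the Threat Intelligence download, and the search would be a lookup against it followed by a `NOT` filter (my description, not the thread's). The part worth getting right is the comparison: the list holds registered domains such as google.com, while the url field holds full hosts such as mail.google.com, so the host has to be walked up through its parent domains rather than compared as a whole.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Alexa Top 1M CSV (rank,domain); not the real list.
ALEXA_CSV = """1,google.com
2,youtube.com
3,facebook.com
4,bbc.co.uk
5,blogspot.com
"""

# Constructed proxy-log URLs; not from the post.
SAMPLE_URLS = [
    "https://mail.google.com/mail/u/0/",
    "http://news.bbc.co.uk/",
    "www.youtube.com",
    "http://93.184.216.34/update.bin",
    "http://payroll-login.example.net/portal",
    "https://evil.blogspot.com/x",
]


def load_top_domains(csv_text):
    """Parse 'rank,domain' lines into a set of lower-cased domains."""
    top = set()
    for line in csv_text.splitlines():
        if line.strip():
            top.add(line.split(",", 1)[1].strip().lower())
    return top


def hostname_of(url):
    """Hostname from a URL; proxy logs often record 'host/path' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def in_top_list(url, top):
    """True if the host or any parent domain (down to, but not including, the bare
    TLD) is listed, so mail.google.com matches the entry google.com."""
    labels = hostname_of(url).split(".")
    return any(".".join(labels[i:]) in top for i in range(len(labels) - 1))


def unpopular(urls, top):
    """URLs whose host is not covered by the list; raw IP hosts never match."""
    return [u for u in urls if not in_top_list(u, top)]


if __name__ == "__main__":
    for u in unpopular(SAMPLE_URLS, load_top_domains(ALEXA_CSV)):
        print(u)
```

Two things the sample shows: a download from a bare IP address is always "unpopular", which is usually what you want surfaced, and evil.blogspot.com is "popular" because its parent is on the list, so a popularity list is a noise filter, not an allowlist. Attacker-controlled subdomains of hosting and blogging platforms sail through it and need a separate check.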
Splunk Enterprise 6.6.3 Scheduled PDF Delivery For non-admins
I have a user with a power role that includes the schedule_search capability. When I try to schedule a dashboard to be sent as a PDF using the schedule PDF delivery feature, I get this error: [ Sending the test email failed: command="sendemail", 'rootCAPath' while sending mail to: < my email > ]. I didn't face this issue on Splunk 6.5.1 before upgrading to Splunk 6.6.3. I tried to test the feature using an admin role and it works fine, but for the power role it doesn't. I found in the documentation that the user should have the roles [ schedule_search ] and [ admin_all_objects: only if the mail host requires login credentials ], and I don't have this requirement for login. I even tested it with the admin_all_objects role and it also didn't work. Another thing to consider is that I am using a search head cluster.
Documentation Link : [ http://docs.splunk.com/Documentation/Splunk/6.6.3/Report/Schedulereports ]
Use REST API to find and run adaptive response action (Selecting one ) to a notable event
Hi
I was trying to find a way to reproduce "http://docs.splunk.com/Documentation/AddonBuilder/2.0.0/UserGuide/CreateAlertActions#Create_an_adaptive_response_action_for_Enterprise_Security" ("Create an adaptive response action for Enterprise Security"), but using the REST API in Python.
I could not find any info. I've found info on updating "notable events" ("https://www.splunk.com/blog/2015/04/13/how-to-edit-notable-events-in-es-programatically.html"), but not on adding/attaching/running an adaptive response to a certain event (I guess with event_id).
I'm trying to automate some Splunk iteration and I would like to use Selenium for it.
Thanks a lot for your help. It will be fully appreciated.
Custom Trigger Condition for alert if not specific destination IP
I am attempting to create a custom trigger condition for the alert below that will only trigger if the dest_ip does not equal a specific IP.
Currently attempting the trigger alert when custom with: search NOT dest_ip=xxx.xxx.xxx.xxx
and have also tried: search dest_ip!=xxx.xxx.xxx.xxx
and I am still seeing email alerts being sent for alerts in which the destination ip is the one that should be omitted.
index=someindex [search index=someindex retro_disposition=3 OR disposition=3 latest=now earliest=-3m | fields sha256] | eval time=strftime(event_sec,"%m/%d/%y %H:%M:%S") | table _time time src_ip src_port dest_ip dest_port file_type file_name file_size retro_disposition disposition sha256 sensor uri | sort sha256 -_time
Any help is greatly appreciated,
Jimmy
How to set earliest_time variable to month/day/year in html format?
I have a html table then the search for the table has the different fields for example:
var search1 = new SearchManager({
"id": "search1",
"cancelOnUnload": true,
"latest_time": "$latest$",
"status_buckets": 0,
"earliest_time": "0",
"search": " | inputlookup kvstore_lookup | eval KeyID = _key | table KeyID, CustID, CustName, CustStreet, CustCity, CustState, CustZip",
"app": utils.getCurrentApp(),
"auto_cancel": 90,
"preview": true,
"runWhenTimeIsUndefined": false
}, {tokens: true});
I am wondering if there is a way to set that "earliest_time" field to m/d/y:00:00:00?
I found out later that by changing the search to have the earliest and latest in the search string it works, as in:
search1.settings.attributes.search = '... earliest="09/18/2017:00:00:00" latest=now | table ...';
That works, but I don't want to do it that way; I would rather set the earliest_time variable to that format, but when I try to do that, it says invalid earliest time format.
App Splunk version compatibility identification tool/solution
Dear All,
I am stuck on the following problem regarding an application's dependence on the version of Splunk.
Is there a way to know which versions of Splunk an app is compatible with? I mean with some kind of tool, and not by testing the app on each Splunk version. As in, knowing that "myApp" uses syntax features that are deprecated or not yet introduced, and for example saying that "myApp" is compatible with Splunk 6.2 and above, but not below.
I was looking for this in the Splunk AppInspect documentation, but haven't found it so far.
Is there any possibility on the subject?
thanks and regards
Altin