Issues with OMS Query Filters
Use case: I want to pull a specific set of security events from OMS into Splunk. Within OMS log search, querying for: SecurityBaseline gives me all events from the set, and filtering for the events I...
View ArticleGetting issue while parsing event which have no timestamp in logs
Getting issue while parsing events which have no timestamp in logs, it should use date\time from last log event timestamp but it is not updating, can you please help...
View Articlehow to filter a table results
Hi all! A have a table as a search result: date Country cs_username 2018-06-12 Mexico mendoza 2018-06-12 Mexico mendoza 2018-06-12 Mexico mendoza 2018-06-14 Mexico mendoza 2018-06-20 Mexico mendoza...
View ArticleHelp Please! Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC;
I've been getting this error: ./splunk add monitor /var/log/*log ERROR: Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC; perhaps one should be set in environment I have the ff structure for reference:...
View ArticleDoes full key value not extract properly if it starts with a number?
I have created a new log message that looks like 2018-06-27 11:28:01,743 WARN TestReporting , id="LJ99YUT5F1K", trans_timestamp="6/27/18 3:42 AM", 3d_secure_data="", arn="", purchase_amount="57.80",...
View ArticleHow to parse hash code from a raw log into a field
Mail_Log_Splunk: Info: MID 119972447 SHA **ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a** filename Pics meeting pagoda.doc queued for possible file analysis upload What is the regex...
View Articledisplay results in descending order
It shows the result in the below format uri 208 400 ... .... ... I want to show those uri's on top which has maximum responseCodes, I tried using the below query but it is not giving the desired...
View ArticleHow to conditionally display HTML panels with a token, set via a javascript...
I have a fair idea that `depends="$token$"` can be used to display or hide the panel. My requirement is that I get the list of roles for a user, via a Javascript file, and load it onto tokens present...
View ArticleHow do I add time stamp or label onto my timechart to mark a specific...
Hi! I've got a very simple timechart query that pulls up number of user sessions per day. What I want to do is to add a label or a line that marks when a major event occurred so I can see how the user...
View Articledisplay column results in descending order
It shows the result in the below format uri 208 400 ... .... ... I want to show those uri's on top which has maximum responseCodes, I tried using the below query but it is not giving the desired...
View ArticleRegex extraction to grab string1 after the occurrence of string2
In my logs I have something that looks like the following "string1":"string2" I would like to extract string2 as a field using string1 as a reference point for my regex.
View ArticleHow to troubleshoot if splunk is down
one of our search head is down ,and not able to log in into it,what is the quick way to fix it and on which component of splunk this troubleshooting needs to be done
View ArticleNeed a way to split the default savedsearches.conf from the local one?
I am using a search command to find the savedsearches.conf for an alert. I created a search which can list all of the parameters in the savedsearches.conf, however it merges both the default and local...
View ArticleHow to sort by field?
I am trying to get the highest used process percentage by user, however, I am unable to sort by the field I want to. index=os sourcetype=top host=hostname | chart sum(pctCPU) as CPU_USAGE by...
View ArticleHow to filter table results?
Hi all! I have a table as a search result: date Country cs_username 2018-06-12 Mexico mendoza 2018-06-12 Mexico mendoza 2018-06-12 Mexico mendoza 2018-06-14 Mexico mendoza 2018-06-20 Mexico mendoza...
View ArticleAnyone know where I can find 800-53 Controls Supported by Splunk?
Hello, Trying to find if there is anything like the below, however for Splunk. Trying to see how Splunk fits in and what 800-53 controls are supported by Splunk. Appreciate any guidance....
View ArticleIssue with SAML authentication using OKTA
I'm trying to configure SAML authentication using OKTA for splunk login. Splunk version 7.0.3. I'm getting the below error: Data could not be written: /nobody/system/authentication/userToRoleMap_SAML:...
View Articlerex or regex to extract string and create a new field
I have the raw data below. How do I get the strings after the "action": and put all the results into a new field?...
View ArticleHow to display column results in descending order?
It shows the result in the below format uri 208 400 ... .... ... I want to show those uri's on top which has maximum responseCodes, I tried using the below query but it is not giving the desired...
View ArticleIs there a way to split the default savedsearches.conf from the local one?
I am using a search command to find the savedsearches.conf for an alert. I created a search which can list all of the parameters in the savedsearches.conf, however it merges both the default and local...
View Article