lookup error in splunk threathunting app
Error in 'lookup' command: Could not construct lookup 'dns_whitelist, mitre_technique_id, host_fqdn, process_path, query_name, output, reason'. See search.log for more details. I get this error in...
sendemail via SMTP relay server
Hi, I'm trying to send emails via an SMTP relay server. No authentication is needed and no encryption is supported. I added the following **[sendemail]** command to my...
Anonymize clear-text credentials in PowerShell logs using SEDCMD
I am attempting to anonymize clear-text credentials passed via PowerShell, referring to the Splunk documentation on Anonymize_data_with_a_sed_script. In the inputs.conf I have... sourcetype =...
Is savedsearchjobload faster than querying an index?
Is accessing results from a savedsearch via loadjob and timefilter faster or slower than from an index and what are limits?
Dedup performance: 1 field vs multiple fields vs concatenated field
Which one would be faster or better in general:
1. `| dedup fieldA fieldB` --> I would assume that Splunk does a concatenation in the background
2. `| eval fieldAB = fieldA.fieldB | dedup fieldAB`
crcSalt query
I have some CSV files indexed via Splunk. I have noticed that the files are getting indexed daily even though no changes are made to the file. For example, I have a file which was indexed on 27th July...
Getting error "Error in 'TsidxStats': WHERE clause is not an exact query" in Cisco...
I am facing the error "Error in 'TsidxStats': WHERE clause is not an exact query" on the Cisco Networks App.
Outputlookup not working intermittently
I am trying to output the results of an SPL query to a lookup file via the OUTPUTLOOKUP command in the query itself, using Splunk alerts. (I am not using the alert function to send the data to CSV as I have...
Using eval to calculate time between events not working
I am trying to use eval to calculate the time between events. Those events have a unique ID. This is the search that I have now: `| eval Test=if(message.information=="some_data",_time,null()) | eval...`
OS Patching Process
Will the following process work for allowing our Splunk environment to be patched (Linux patching, not Splunk patching)? We have an indexer cluster with a CM, a single search head and a deployment...
Server Error on login from a remote machine
Hi, I have an out-of-the-box Splunk Enterprise installed on Windows 10. I can log in using localhost with no problem, but if I try to connect from a remote machine I get a red Server Error message. This is my...
Error on real-time searches: "Dispatch Command: Unknown error for indexer: xxxxx"
I have 34 real-time searches on a dashboard; whenever I open that dashboard as another user I get the error: "Dispatch Command: Unknown error for indexer: Yggdrasil. Search Results might be incomplete!...
How to apply calculated fields depending on the index used?
I have 5 different apps, each with a different index and the same sourcetypes in every app. I have different calculated fields in every app that have only "per app" permission, and my 6th app will be...
Why can't I use tokens ($result.host$) in my custom alert?
The custom alert is built with the "Splunk Add-On Builder". The alert calls a custom command which sends a message to the central event management. I want to use the $result.host$ token in...
XML logs event separation
Hi. I have 10000 XML log outputs, like: {LOG DATE.../DATE TIME.../TIME CC.../CC AMOUNT.../AMOUNT /LOG}. I need to break an event after every . Each event should look like that, between two tags. I am trying to...
Cisco ISE add-on is not CIM compliant
I'm facing two issues because of a lack of proper support for CIM compliance. 1) Field `user` is not properly extracted. The app provides two aliases for the fields `User_Name` and `UserName`. But I also found...
How to expand rows without the mvexpand command
I am basically dealing with a huge set of records where I end up with an mvexpand memory limit error. I want to extract data from the table below without using the mvexpand command. If you notice the table below, I...
How do I migrate all data from an on-prem Splunk Enterprise to Azure Marketplace...
I have a Splunk Enterprise on-prem instance with about 700 GB of data. I need to migrate to Azure. I created an instance using Azure Marketplace, but there is no guidance there on how to migrate the...
LDAP pre-cache
If we have multiple users in our organization, do these users expire from the LDAP pre-cache?
How can we integrate AWS logs into an on-premise Splunk solution (data center)?
How can we integrate AWS logs into our on-premise Splunk solution (data center)? We are hosting some NON-CRITICAL applications on the AWS and Azure cloud platforms. We are using an on-premise Splunk solution....