Converting extracted information to 12 hour AM/PM format
Hello, I am extracting information from logs via rex, and I am currently extracting information in military time format (i.e. 13:15). I also extract things such as 11:15, but I want it to be consistent in a...
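One way to normalise the extracted time to 12-hour AM/PM format, as an added example that is not part of the original post: parse the `HH:MM` string with `strptime` and re-render it with `strftime`. The sample `line` values are constructed here; the field name `event_time` and the regex around the time are assumptions about the poster's rex, and the trailing `ltrim` is only needed if a leading zero (`01:15 PM`) is unwanted.

```spl
| makeresults
| eval line="user=alice login at 13:15|user=bob login at 11:15|user=carol login at 00:05"
| makemv delim="|" line
| mvexpand line
| rex field=line "at (?<event_time>\d{1,2}:\d{2})"
| eval event_time_12h = strftime(strptime(event_time, "%H:%M"), "%I:%M %p")
| eval event_time_12h = ltrim(event_time_12h, "0")
| table line event_time event_time_12h
```

`strptime` with a time-only format fills in today's date, which is harmless here because only the time portion is rendered back out; `%I` gives the 12-hour hour and `%p` the AM/PM marker, so both `13:15` and `11:15` come out in the same `H:MM PM` / `H:MM AM` shape. Replace `| makeresults ... | mvexpand line` with the real search and `field=line` with `field=_raw` to use it on live data.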
Can I set an alert in splunk where the event id is 4663, with this object...
Object: Object Server: Security Object Type: File Object Name: \Device\HarddiskVolume54\Tax\Confidential Handle ID: 0x1110 Resource Attributes: S:AI
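A search that could back such an alert, added here as an example and not taken from the original post or from Splunk's documentation: it keys on Event ID 4663 and the object path rather than on the `Handle ID`, which is assigned per file open and is not a stable identifier. The index name, `sourcetype`, and the underscore field names (`Object_Name`, `Object_Type`, `Accesses`, `Account_Name`, `Process_Name`) are assumptions that match the classic `WinEventLog:Security` extractions of the Splunk Add-on for Windows; the XML sourcetype uses different names. Backslashes inside a quoted search term must be doubled.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4663
    Object_Type="File"
    Object_Name="\\Device\\HarddiskVolume54\\Tax\\Confidential*"
| stats count AS access_count
        values(Accesses) AS accesses
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
    BY host Account_Name Process_Name Object_Name
| eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen  = strftime(last_seen,  "%Y-%m-%d %H:%M:%S")
```

Save it as an alert with the trigger condition "Number of Results is greater than 0" over a short rolling window (for example every 5 minutes over the last 5 minutes). Two caveats: 4663 is only generated when the object carries a SACL and the "Audit File System" / Object Access subcategory is enabled on the host, and the `\Device\HarddiskVolumeNN` prefix is a kernel volume name that can change if the volume is remounted, so the wildcard on the tail of the path is deliberate.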
Should we use SAI 2.0.2 or App For Windows Infrastructure regarding...
Hi, I need to monitor Windows, Linux and AWS resources (multiple AWS accounts). SAI 2.0.2 is no longer compatible with AWS AddOn as stated in Splunkbase. Should I use: 1. App for Windows Infrastructure...
Highlight specific string in JSON formatted events
Hello, I have a dashboard where I am displaying events which are JSON formatted (a requirement not to have them in raw format) and I need certain keywords to be highlighted. Since it is JSON formatted,...
captain SHC recommendation
Good afternoon. Is there Splunk documentation where it is stated that in a SHC the servers must be certified at the hardware level? I ask because: what would be the disadvantage if my captain has 40...
Need to assign ip address to a description
I need to create a new field called ip_address_location and for each IP address perform an if. So like this: if ip = "1.1.1.*" assign "site_abc" in ip_address_location if ip = "1.1.2.*" assign...
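One way to build `ip_address_location`, added as an example rather than taken from the original post: `case()` with `cidrmatch()` evaluates the branches in order and returns the first match, which is the `if ... else if ...` chain the poster describes. The sample `ip` values are constructed; `site_xyz` stands in for the second label that is cut off in the post, and the `unassigned` default is an assumption so that unmatched addresses are visible rather than left null.

```spl
| makeresults
| eval ip="1.1.1.7|1.1.2.9|1.1.1.200|10.0.0.1"
| makemv delim="|" ip
| mvexpand ip
| eval ip_address_location = case(
      cidrmatch("1.1.1.0/24", ip), "site_abc",
      cidrmatch("1.1.2.0/24", ip), "site_xyz",
      true(),                      "unassigned")
| table ip ip_address_location
```

`cidrmatch` takes the CIDR block first and the address second, and avoids the trap of string prefix tests such as `like(ip, "1.1.1.%")`, which would also match `1.1.10.5`. Once the list grows beyond a handful of sites, the same mapping belongs in a CSV lookup (`ip_range,ip_address_location`) with a lookup definition whose match type is `CIDR(ip_range)`, so that adding a site no longer means editing every search.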
Error: Invalid key stanza
Hi Team, I am getting the below error in my Splunk local instance: **Error details :** Invalid key in stanza [tcp01] in C:\Program Files\Splunk\etc\apps\XYZ_test_local\default\indexes.conf, line 5:...
REST API Modular Input invalid header
I am trying to use the REST API Modular Input app, but I am getting this error: ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" Exception performing request:...
Sending uncooked data from indexer level
Hi all, I am sending data from intermediate forwarder to indexer and during indexing, I would like to send raw "uncooked data" to 3rd party application. Recently I tried to use CEF app index and...
Schedule a custom search command to run for 100+ different variables
We have several searches that we run and have a manual backend process to load that data to each endpoint (100+ endpoints). I want to be able to schedule this custom search command to run daily and be...
How to make an alert for the status of a dashboard panel?
Hi there! I am trying to make an alert that tells me when a particular dashboard panel returns >0. Does anybody know how to reference a particular dashboard panel in the alert? Furthermore, then how...
Unable to create inputs for TA-Tenable add on
Hi, I am trying to set up inputs on TA-Tenable add on and it fails with error "Argument validation for scheme=tenable_securitycenter: script running failed (killed by signal 9: Killed).". I installed...
How do I count certain field values by row and convert the total found into...
I've been plugging away at this for a few days and I'm stuck =0( Above is a lookup csv (insert dummy data) I have from Nessus. I am trying to use Splunk to create totals of vulnerability...
How to find count of occurrences of each IP for the first 15 mins starting...
Say I have an index A which has all the IPs logged during the day. So every event has an IP and the timestamp it was seen. What I need to find is the count of the occurrence of each IP for the first 15...
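Because the post is cut off, this added example (not from the original post) assumes the window is the first 15 minutes after each IP is first seen, which is the reading that needs a per-IP computation; if the window is simply the first 15 minutes of the day, `earliest=@d latest=@d+15m | stats count BY ip` is enough. The events are constructed here as `ip,seconds-offset` pairs with a fixed base date; on live data replace the first five lines with `index=A earliest=@d latest=now`.

```spl
| makeresults
| eval row="10.1.1.5,0|10.1.1.5,300|10.1.1.5,1200|10.1.1.9,60|10.1.1.9,899|10.1.1.9,1000"
| makemv delim="|" row
| mvexpand row
| rex field=row "^(?<ip>[^,]+),(?<offset>\d+)$"
| eval _time = strptime("2024-01-01 00:00:00", "%Y-%m-%d %H:%M:%S") + tonumber(offset)
| eventstats min(_time) AS first_seen BY ip
| where _time < first_seen + 900
| stats count AS hits_first_15m min(_time) AS first_seen BY ip
| eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
```

`eventstats` attaches each IP's earliest timestamp to every one of its events without collapsing them, the `where` keeps only events inside the 900-second window measured from that first sighting, and the final `stats` produces one row per IP. The `min(_time)` is recomputed in the last `stats` only so the result shows when the window started for each address.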
Need to get JOB.ID per instance per dashboard
Hi, I have a list of all the IDs RUNNING per dashboard (but if someone else is running the same dashboard I get those IDs as well, how can I reduce it down?). I run this SPL from the dashboard I want to...
scheduled reports with zero values
We have 3 search heads and they are in a cluster. We are observing scheduled reports with zero values for a few reports. The zero-value reports are generated from search head 3. The issue is not consistent. We have...
Microsoft Azure Sentinel integration with Splunk?
Does anyone know if there is a way to integrate Microsoft Azure Sentinel with Splunk? I'm specifically looking for events of interest/alerts/indicators from Sentinel into Splunk. It appears that the...
Crashplan Service Log Date timestamp incorrect
I've looked through a lot of the posts about date timestamp extraction and I think I'm decent enough at it but for the life of me I can't figure out what is going on with my logs for Crashplan. I found...
How to extract the given log into one log using props.conf?
I am trying to extract the below file into a single log, but it gets broken into two or more files in Splunk. Sample file: PING 20.152.32.XXX (20.152.32.XXX) 56(84) bytes of data. 64 bytes from...
capability admin all objects
Good afternoon. I have the following question: there are currently roles in our cluster that have the following restriction, srchMaxTime = 3600, but it has been verified that certain users are searching...