Identifying Windows SSO Application logins
Hi, I am currently working on a search that is supposed to tell me whether users went the prescribed CyberARK route or bypassed it for system access. So theoretically I should use for events 4624 and...
How to see only earliest and latest values in a field.
I'm having an issue because I need to show in a report only the first ticket received by an agent and the latest one, so I have to leave behind all the other tickets in the middle. Here is the...
Help on stats by
Hi, I need to understand why, when I execute the first search, I have many more events in the "Number of CPU alerts" count than in the second search. As you can see, the first search stats the data "by host SITE"...
Average page views at a user level for a given page
I have a table: PageID, UserName, Date, count of hits to that page. I would like to find the average daily page hits, per article, at a UserID level (for the top 100 most frequently viewed pages). So...
Help on a count which is different in a subsearch versus a search
Hi, the search below returns 558 events: `CPU` | stats values(SITE) as SITE count(process_cpu_used_percent) as "Number of CPU alerts" by host | rename host as Hostname, SITE as Site | search...
Is it possible to configure more than 1 cron for one alert?
Is it possible to configure more than 1 cron for one alert? Something like `*/2 9-11,11-13 * * 1-4,5-1`. I think the answer is no but wanted to reconfirm. The reason I want to know is because alert...
"Addon Metadata - Summarize AWS Inputs" is not enabled on Add-on instance?
Hello, I am running Splunk Add-on for AWS 4.6.1 and Splunk App for AWS 6.0.0. The majority of app panels are populated with data, but I also receive this error message on the dashboard: *Some panels may not be...
New field defined by time ranges
I'm trying to create the below search with the following dimensions. I'm struggling to create the 'timephase' column. The 'timephase' field would take the same logic as the date range pickers in the...
Need to extract a JSON value based on a condition
I have a payload as below and I need the StartTime and EndTime values where the payload has the first IsAvailable equal to true:
"StatusList": [
{
"date": "2020-03-13T00:00:00Z",
...
Time Conversion
Hi, I have a time format as: 2019-10-08 15:24:40.132 UTC. I used eval to strip it to: 2019-10-08 15:24:40. I need to calculate Age. My eval is below but it is not working. Can someone assist please? | eval...
Help with Advanced Source Type
I'm trying to create a custom source type which reads a TSV log file where the 3rd column in the file is a JSON payload wrapped in quotes. I can't figure out how to get the source type to parse out...
After upgrading from version 7.0.1 to 8.0.2, the errors below appear.
After upgrading from version 7.0.1 to 8.0.2, the errors below appear. Splunk is not indexing some internal logs like license_usage.log, and license consumption has increased a lot, but I think it is...
I am running an import script for an interval of 5 mins to collect data from...
I have a situation where, in the span of 10 mins, there could be a possibility that we didn't get any data from one of the sourcetypes for one interval but started getting data for the next interval; by this...
Is there a sort option for the transaction command?
I'm working with ForeScout Audit Policy events. Some of them have this in the message, Part (1/n), Part (2/n), and so on. I'm using the transaction command below to join the parts. index=network...
Reroute events to a different index at the indexer
Hello, I'm trying to reroute certain events as they hit my indexer from a particular source. In the inputs.conf on the UF, the index is set to index=tokens for my source path, but I want to catch certain...
How can I include another field into a visual?
I'm working with dashboards and the goal is to show a bar graph panel that displays the counts for two different fields separately (2 bars per timespan) if possible. The data is from the same index... the...
Why does service.export REST API fail when _raw is not excluded?
Using the Java API and requesting a streaming export from Splunk for a search like this: search index="client_ndx" sourcetype="client_source" (field1 = "*" ) | regex field1 != "val1|val2|val3" | fields field1,...
Problem loading data into AWS app panels.
I've gotten both the AWS add-on and the AWS app installed. They're both installed on the heavy forwarder, and both installed on the search head, and the add-on is not visible on the search head. I've...
Excluding weekends from alerts
I have created a few alerts which need to run only from Monday to Friday, but I have not been able to find a way to exclude Saturday and Sunday. Can anyone assist with this please?
How to include another field into the visual
I'm working with dashboards and the goal is to show a bar graph panel that displays the counts for two different fields separately (2 bars per timespan) if possible. The data is from the same...