How to match fields from indexed data with CSV lookup
I created a list of known malicious domain names and put that information into a CSV. I named the field "dest_hostname", the same as what is shown in the firewall logs. Ex: Field name: dest_hostname...
Detect Tor Traffic
I found this search in ES Content Updates | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND...
Using Standard Deviation to track SSH traffic
I'm looking for a way to track the average SSH traffic between two IP addresses (source IP and destination IP) and hopefully find when a host is doing more SSH traffic than usual and alert on it....
Displaying stats count as single value but with sparkline & trend indicator
Hi fellow Splunkers, I've read Single Value support docs and it seems to have distinct application for Stats or Timechart. When I use timechart: sourcetype="error log" severity=ERROR someErrorcode |...
How do you fix this? ERROR TailingProcessor - File will not be read, is too...
Hi All, Currently we got an issue reported by a user -- he is unable to see the current data in Splunk. When checked from Splunk, we could see data being indexed till yesterday at 10:30 AM from the...
Displaying stats count as single value but with sparkline and trend indicator
Hi fellow Splunkers, I've read Single Value support docs and it seems to have distinct application for Stats or Timechart. When I use timechart: sourcetype="error log" severity=ERROR someErrorcode |...
6.6.2 universal forwarder on Windows - Splunk/Windows compatibility?
I am trying to install the universal forwarder on a Windows 2008 R1 server. Since there are potentially other splunkd services running, I have to use a scripted process that unzips a pre-installed copy...
How to calculate the percentage from a dc count?
I have a query as below | metadata type=hosts | search [| inputlookup hosts_test.csv | eval host=lower(my_hostname) | fields host ] | eval host=lower(host) | append [| inputlookup hosts_test.csv | eval...
Help with if statement and complex | search
$execution$ $host$ $user$ |eval moresearch=if(execution=index=index1,"",($authentication$) OR ($configuration$) OR ($EventType$))| search AND moresearch However, every time I issue this search it...
Hide Splunk query when in click through
Is there an option to hide the Splunk query that runs in a new tab along with statistics in the clickthrough? (I have a query that plots the list of APIs. In that, if I click any API, it opens its...
What does "summariesonly" mean in this Enterprise Security search?
I found this search in ES Content Updates | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND...
Lookup table to return column value
I am having issues with displaying data based off the results from the lookup table. I am using this search below, which works perfectly fine but the only issue I have is, it does not tell me which IOC...
Lost log with TCP Appender
Hi, This is my first work with Splunk. I need to send simple logs from a Java program. I installed Splunk both locally and on another machine. I used this guide:...
Pass time from bar graph to another panel
Hi, I am trying to pass time from a bar graph. For example, a user can click any bar on the graph and the earliest and latest time for that bar should be passed to another panel. I tried setting up the...
Anonymize data
Hi, How would I anonymize the following example: BankName=South!@Indian!@Bank I want everything to the right of the equal sign to be removed/masked/covered
Is it possible to hide a Splunk search when clicking through / in a new tab?
Is there an option to hide the Splunk search that runs in a new tab along with statistics in the clickthrough? (I have a query that plots the list of APIs. In that, if I click any API, it opens its...
Hadoop Data Roll and archiving replicated buckets
I have an indexer cluster with a replication factor of 3. If I were to implement Hadoop Data Roll, would only one copy of each event be archived to Hadoop at freeze time, or would all three bucket...
Can a time range picker in a dropdown override an explicit time setting on a...
I have a dashboard and the panels are set to run at different timings as in 15 mins, 30 mins, 4 hrs, 8 hrs and 24 hrs as default - using the explicit time range picker. If I add a dropdown and want to...
Pass time from bar chart to another panel
Hi, I am trying to pass time from a bar graph. For example, a user can click any bar on the graph and the earliest and latest time for that bar should be passed to another panel. I tried setting up the...
Splunk Add-on for F5 BIG-IP: linebreaking issues
Background information about my environment: distributed environment with CM server, clustered indexers (two indexers), two search heads (not clustered). We have the F5 Network Apps that help with the...