How to choose the Log events option as alert actions in the Schedule Report
Hi, I am working on creating reports in the Splunk Search & Reporting app 6.4.1. When I schedule a report, it gives me an alert actions choice with only two options, Send Email and Run a Script....
URLParser: url_domain not showing up for web proxy logs
Hi, I've started using this app, but I'm unable to get url_domain to show up for any of my web proxy logs. Am I doing something wrong? | urlparser field=url url...
How to choose log events for alert actions in a scheduled report?
Hi, I am working on creating reports in the Splunk Search & Reporting app 6.4.1. When I schedule a report, it gives me an alert actions choice with only two options, Send Email and Run a Script....
Problem routing to 3rd party system using sourcetype
I need to take all of a sourcetype and index it into Splunk, and send a subset of that sourcetype to a third-party system. I can't even get it to write anything using props, transforms and outputs....
When I remove a LDAP user- what kind of objects do I need to remove their...
Hello, I am doing a clean-up of our users and need to remove a large number of users, and many of those users own all different kinds of objects. I know that I need to change the owner of these objects...
How to configure Data Model Acceleration when there are multiple search heads
TL;DR: In a site with multiple search heads, do I need to configure Data Model Acceleration on each and every search head? If the answer is yes, then can someone ELI5 how the jobs governing DMA run...
Drilldown with column value when clicking on any row.
Hello, I want to mimic a cell click even if we click anywhere in the row. My query: ----- | table type, operationOrURI, status, channel, flow, deviceId, workflowId, identifier, timeStamp...
Only able to extract the first value of a comma separated list for a given...
I have data in the following format: GenericHostName1=vm1,vm2,vm3,vm4; GenericHostName2=vm5,vm6,vm7; When I search for GenericHostName1, the only associated value with that field is 'vm1' instead of...
How can I determine TLS version of hosts using Splunk Stream?
All, I want to scan a PCI zone off a network tap, determine what TLS version is flowing, and alert on anything less than 1.2. I don't need the body of the bits. Anyone have a talk-through on how I might...
How can we fetch only 8 rows from a lookup?
Our top user ended up with the following query - | inputlookup WHERE [ | makeresults count=8 | streamstats count | eval WEEKSTART=relative_time($MYWEEKPICKER$,"-" + tostring(count - 1) + "w@w0") |...
Splunk Stream: How can I determine TLS version of hosts?
All, I want to scan a PCI zone off a network tap, determine what TLS version is flowing, and alert on anything less than 1.2. I don't need the body of the bits. Anyone have a talk-through on how I might...
Why do we get errors for a REST call?
We run from the UI the command - `| rest /servicesNS/-//data/transforms/lookups/`. We get the results but also an error for each indexer saying - `REST Processor: Failed to fetch REST endpoint...
Missile Map: How do I map multiple Haversine results?
I am posting this as a question, but I have already gotten the answer for myself. I just want others to be able to find this solution themselves. Using the search given in bbosearch for "Auth Anomalies...
Prefixing a field with "cim:" documentation?
Can anyone point me to any guides on the impact of prefixing CIM: in front of your field name? Search is failing me here.
CVE 2017 -- Importing XML input to Splunk
Hi, I uploaded an XML file downloaded from CVE https://cve.mitre.org/data/downloads/allitems-cvrf-year-2017.xml However, the result/output of the chart that I created is not helpful at all and only...
Subsearch with inputlookup
| inputlookup clusName.csv | fields cluster ----works in a dropdown and has around 10 entries Now, I need to use the values in the cluster field to display rest of the information. index = *...
Problem routing to third party system using sourcetype
I need to take all of a sourcetype and index it into Splunk, and send a subset of that sourcetype to a third-party system. I can't even get it to write anything using props, transforms and outputs....
CVE 2017 -- Importing XML input to Splunk
Hi, I uploaded an XML file downloaded from CVE https://cve.mitre.org/data/downloads/allitems-cvrf-year-2017.xml However, the result/output of the chart that I created is not helpful at all and only...
Okta app fails to pull in information: "rate limit violation"
Splunk Enterprise v6.6.3 Splunk Add-on for Okta v1.3.0 (https://splunkbase.splunk.com/app/2806/) I have the Splunk add-on for Okta set up in the following way: * Metric: Application * Interval: 21600 *...
Changing local.meta to maintenance user or deleting local.meta lines?
I am removing a large group of users that own things in my Splunk and I am wondering if there is a best approach to changing object ownership? Are there any disadvantages to just removing the...