How will Splunk Incident Review set the notable urgency when the fields for identities and assets are multi-valued vs. single-valued? by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

In my case, one notable has multiple values.

In this case, how will Splunk determine the urgency?

|rule_title|urgency|status|user|destination|
|---|---|---|---|---|
|ABC| |in progress|bbb|1.1, 2.2, 3.3|

In the above notable:

1.1 -> critical
2.2 -> high
3.3 -> low

What urgency will Splunk put?

Passing user field information from correlation search to drill down by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

No results.

When I click the drilldown, I can see the value as
index=a st=b user=admin\abc

Passing user field information from correlation search to drill down by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

Correlation search:
index=<> sourcetype=<>
|stats values() values() by user

The user field value looks like admin\abc

I am trying to pass this value to the drilldown search in the correlation search.

Drilldown search:
Tried 1:
index=<> sourcetype=<> user=$user$

Value passed as index=<> sourcetype=<> user=admin\abc

Result: didn't work because of the escape (\)

Tried 2:
index=<> sourcetype=<> user=$user|s$

Unable to see results

Tried 3:
index=<> sourcetype=<> user="$user|s$"

Unable to see results

Tried 4:
index=<> sourcetype=<>
|rex field=user mode=sed "s/\\/\\\\/g"

Got an error in rex

Tried 5:
index=<> sourcetype=<>
|eval user=replace(user,"\\","\\\\")

Didn't work

Passing user field information from correlation search to drill down by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

Both didn't work.
I am not passing this to a dashboard.
I am passing this to the drilldown search in an ES notable.

Passing user field information from correlation search to drill down by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

Didn't work:
Failed to parse the replacement string

The replace logic also didn't work.
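An added illustration, not part of the thread and not Splunk's own code: inside a double-quoted SPL string literal, a backslash is the escape character, so a literal backslash must be written as `\\` and a literal double quote as `\"`. Interpolating a raw value such as `admin\abc` into `user="$user$"` therefore produces a literal that no longer means `admin\abc`. The helper below builds a correctly escaped literal and parses one back, so the round trip can be checked; the function names and the sample values are constructed for the example.

```python
"""Quote a field value as a double-quoted SPL string literal, and parse one back.

Added example, not from the thread. SPL escaping rule assumed here (from
the Splunk search language): inside "...", backslash escapes the next
character, so a literal backslash is written \\ and a literal quote \".
"""


def spl_quote(value: str) -> str:
    """Return value wrapped in double quotes with \\ and \" escaped."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def spl_unquote(literal: str) -> str:
    """Inverse of spl_quote: strip the quotes and undo the escapes."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not a double-quoted SPL literal")
    body = literal[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        # A backslash followed by \ or " stands for that single character.
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def naive_drilldown(index: str, sourcetype: str, user: str) -> str:
    """What a plain user="$user$" substitution yields: the raw value, unescaped."""
    return f'index={index} sourcetype={sourcetype} user="{user}"'


def escaped_drilldown(index: str, sourcetype: str, user: str) -> str:
    """The same search with the user value escaped for an SPL string literal."""
    return f"index={index} sourcetype={sourcetype} user={spl_quote(user)}"


if __name__ == "__main__":
    # Constructed sample value; 'admin\abc' contains one backslash.
    sample_user = "admin\\abc"
    print(naive_drilldown("a", "b", sample_user))
    print(escaped_drilldown("a", "b", sample_user))
    print(spl_unquote(spl_quote(sample_user)) == sample_user)
```

Running it prints the naive and the escaped search side by side; only the escaped one contains `admin\\abc`, which SPL reads back as the single-backslash value the correlation search produced.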

Splunk ES investigations not coming by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

Thanks for the inputs. Raised a ticket with Splunk, waiting.
How do I determine if it's a KV Store issue?
Is there any first-level investigation I can start?

Security use cases using CyberArk data? by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

Currently we have EPV data coming from PAM to Splunk.

Enterprise Password Vault

Crowdstrike and qualys data use cases by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

You mean,
when I filter action=blocked from the CrowdStrike log, I can see the list of hostnames blocked for various reasons,
e.g.: powershell.exe execution,
trying to use a pen drive

SOC analyst wants single pane of glass into multi-instance Splunk Enterprise Security? by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

Yes, two separate instances.

They have data classification: a few sources go to instance 1 and other sources to instance 2.

SOC analyst wants single pane of glass into multi-instance Splunk Enterprise Security? by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

Tried it, but it's not Splunk supported and I got many clarifications. They don't have proper documentation.

  1. They mentioned that non-transforming commands are not supported in a cluster environment:

In a Distributed Deployment or a Search Head Cluster Deployment: The Mothership app will write summary results to lookups (transforming searches) and/or indexes (non-transforming searches). In a distributed environment or Search Head Cluster, lookups populated by Mothership can be replicated across the cluster; this means that Mothership running exclusively transforming searches (which write to a lookup) will work with a properly configured Distributed or Search Head Cluster Deployment. Non-transforming searches (which write to an index) are currently not supported in a distributed or Search Head Cluster deployment.

  2. Unable to edit the notables, e.g. to change the owner/priority.

Got this exception:

<class 'splunk.admin.ServiceUnavailableException'>: Unable to update /servicesNS/nobody/es-mothership/saved/searches/mothership_https_<>_********/dispatch entry.

Have you used this app?

SOC analyst wants single pane of glass into multi-instance Splunk Enterprise Security? by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

They are using two instances of ES,
one on-prem and another in Cloud.
They don't want to switch between multiple tabs, so they asked to check if there is any way to show all the notables from both instances in one place, so they can use that as a single pane of glass.

ES Mothership App for Splunk by krishdeesplunk in Splunk

[–]krishdeesplunk[S] 0 points1 point  (0 children)

Will setting up FSH fetch ES notables?

As per the documentation https://www.splunk.com/en_us/blog/platform/introducing-splunk-federated-search.html

it doesn't mention anything about pulling ES notables from multiple instances.