About etoombs

etoombs

It doesn't seem to matter. The macro expansion can be as simple as a single word that it's replacing and the problem still happens.

etoombs

Hi! Thanks for checking. So... I did more digging on my side. On a non-clustered search head, I've got no delay. On my clustered-search heads, I do. I have two SH clusters and both are impacted. Splunk version is 9.1.1.

etoombs

Hi all! I've got an issue with macro expansion taking an excessively long time when you use the keyboard shortcut - ctrl+shift+e. I'm looking for someone to try the same thing on their own system and let me know if you're seeing this to. That will help me determine if this is a problem in my environment or a possible bug in the software. To test, find any macro in your environment. Establish baseline: Enter just the macro name in the search box and press ctrl+shift+e (or command+shift+e, I think, on MAC). Note the length of time it takes for the modal pop up to show you the expanded macro. It is not necessary to run the search. `mymacro` Test issue: Using the same macro as above, create a simple search that has the macro inside of a sub-search. Try expanding the macro. Are you getting a slow response? For me, it's >20 seconds for it to expand the macro |makeresults |append [`mymacro`] I appreciate the help from anyone willing to test.

etoombs

Without knowing about your changes, it's hard to say what's happening. If you manually created or changed any .conf files though, I would check ownership and make sure they are owned by the splunk user. I've seen bundle validations fail when something doesn't have proper ownership.

etoombs · ‎11-08-2023

Add this after your time chart: | fieldformat AvgReqPerHour= round(AvgReqPerHour,2) If you don't want the rounding, look at floor or max for the behaviors you want.

etoombs · ‎10-11-2023

Hi. You can convert your time to epoch values and then subtract them. Here's an example: | makeresults | eval start="10/10/23 23:50:00.031 PM", end="11/10/23 00:50:00.031 AM PM" | eval startepoch=strptime('start',"%m/%d/%y %H:%M:%S.%3N") | eval endepoch=strptime('end',"%m/%d/%y %H:%M:%S.%3N") | eval diff=endepoch-startepoch | eval timediff=tostring(diff,"duration")

etoombs · ‎09-20-2023

The Tenable TA only pulls in events with new information ( a new scan date, change in a field or status) each time it accesses the data. Once an item is pulled in, it doesn't pull it a second time. That means if you scan half of your devices on Monday and half of your devices on Tuesday, you need to search looking back 2 days to see all of your current data. Once an individual finding has been pulled in, it doesn't grab the same item again unless there is a change.

etoombs · ‎09-20-2023

You can start out doing this in Splunk. Expand on the configs you want to look for in the search below, and then after you've pulled all of the configs you care about from rest endpoints, run a search for the keyword you're looking for in it. You can find a list of configuration files here: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Listofconfigurationfiles | rest/services/configs/conf-macros | eval config="macros" | append [| rest/services/configs/conf-lookups | eval config="lookups"] | append [| rest/services/configs/conf-savedsearches | eval config="searches"] You can add in views and such using other endpoints, like | rest /services/data/ui/views

etoombs · ‎09-19-2023

Does your new admin account have the admin role associated? If not, did you look at the roles associated and make sure all of the db_connect items are allowed?

etoombs · ‎09-13-2023

In your stats statement, add the other fields you need using evals: count(eval(status="Success")) as Success, count(eval(status="Failed")) as Failed, and remove the status from the by clause. After the stats, do an eval to calculate your percentages.

etoombs · ‎09-06-2023

I don't have ldap search set up, so I can't test - but give this a try: | makeresults | eval relativedate=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z") | map search="| ldapsearch search=\"(&(objectClass=user)(whenChanged>=$relativedate$)(!(objectClass=computer)))\" " | table cn whenChanged whenCreated

etoombs · ‎09-05-2023

You're most of the way there -- In your original search, replace the date you have with [] and put your make results in it. The items in the brackets run before the remainder of the search. | ldapsearch search="(&(objectClass=user)(whenChanged>=[|makeresults |eval whenChanged=strftime(relative_time(now(),"-2d@d"),"%Y%m%d%H%M%S.0Z")|return $whenChanged])(!(objectClass=computer)))" |table cn whenChanged whenCreated

etoombs · ‎08-31-2023

My bad. I didn't look to see what database you were using. You may need quotes around it = "abc:def". Since you're doing this inside a quoted string, you may need to escape them as \" in the string.

etoombs · ‎08-31-2023

Try brackets around the field name - [abc:def]

etoombs · ‎08-25-2023

If you're still having this issue, check your logs for the lag between event time and index time. The Tenable add-on pulls all of your open vulnerability data first, and only pulls in the fixed data after all of the open stuff is complete. If you've got a large lag time, it may not be getting as far as actually pulling in the fixed vulns. Check the /opt/splunk/etc/apps/TA-tenable/default/inputs.conf, (and the local inputs.conf if you have one) and look for the "page_size". Increasing this number may resolve the issue. When I was troubleshooting a similar issue, Tenable indicated the number hadn't been changed - but it was set to 1000 - meaning it ran API calls for 1000 records at a time - and wasn't ever finishing with a large number of vulns. We increased this to 10000, reducing the api calls by a factor of 10 - and allowing the process to complete so all our vulns got pulled in.

etoombs · ‎08-25-2023

I've never tried to make a model name dynamically, but have done it with outputlookup - maybe you can do something similar? | outputlookup [| makeresults | eval filename=strftime(relative_time(relative_time(now(),"-1mon@mon"), "@m"), "filename_%B_%Y.csv") | return $filename] Something like: [ | search partition_number < 90 | fields - partition_number | fit DecisionTreeRegressor "target" from * splitter=best into [|inputlookup xyz output myfieldname|return $myfilename] apply=false ]

etoombs · ‎06-26-2023

Are there any errors in the dbconnect logs? How are you verifying that you have missing records? Identity columns sometimes skip a number, so just having a small gap doesn't necessarily mean a missing record (databases can skip a number in an identity column if an insert is attempted and fails.)

etoombs · ‎04-20-2023

Did you ever figure this out? I'm seeing the same problem.

etoombs · ‎05-23-2022

I neglected to say that the Z is not representative. It is literally the character Z.

etoombs · ‎05-23-2022

Mine is set formatted as: 2021-01-01T01:01:00Z

etoombs · ‎05-23-2022

You should be able to do this using tokens. After the search to add a user completes , use the done event handler to unset the add token, and to set the none token again. Same on your other panels.

etoombs · ‎05-23-2022

I've never seen this field. Which version of the Tenable Add-On are you using? What version of Tenable.sc?

etoombs · ‎05-17-2022

There might be a more graceful way someone will provide, but I generally add something like this to the end, forcing a row with a 0 value, and then doing another quick sum before displaying it. | append [makeresults |eval count=0] |stats sum(count) as count

etoombs · ‎05-17-2022

It looks like you combined features from the two options. When doing the charting.seriesColors, you don't name the field. Regardless of which you use, the value should be in brackets. <option name="charting.seriesColors">{0xc98b06}</option> or <option name="charting.fieldColors">{"count": 0xc98b06}</option>

etoombs · ‎05-17-2022

Take a look at this question, which was answered by @niketn https://community.splunk.com/t5/Dashboards-Visualizations/Can-you-change-the-colors-in-bar-graph-results-and-make-them/m-p/365027

Posts	32
Solutions	5
Karma Given	2
Karma Received	8
Member Since	‎06-20-2018

Online Status	Offline
Date Last Visited	Thursday

Macro Expansion - Possible Bug

Lookup with wildcard in data, not in lookup table?

Using tokens in XLM dashboard table "fields" tag- ...

Re: Macro Expansion - Possible Bug

Re: Macro Expansion - Possible Bug

Macro Expansion - Possible Bug

Re: Splunk Indexer Cluster not identifying new bun...

Re: limit timechart with span and per_hour to 2 de...

Re: How to calculate time duration between 2 event...

Re: Tenable TA - Historical reporting of remediate...

Re: Recently cluster="M5-CLDB" changed this to ...

Re: HTTP 400 error in DBConnect due to changing ad...

Re: Splunk create a table using multiple fields

Re: ldapsearch: Trying to search last 2 days in wh...

Re: ldapsearch: Trying to search last 2 days in wh...

Re: How to query a field in DBXQuery that contains...

Re: How to query a field in DBXQuery that contains...

Re: Why are we missing data on Tenable Add-On?

Re: How to Dynamically save model name using a col...

Re: DB connect missing events

Re: KV Store status is currently unknown- How to r...

Re: How to provide a valid start time for the Tena...

Re: How to provide a valid start time for the Tena...

Re: After dropdown selection, how to return to the...

Re: Tenable Add-On for Splunk

Re: How to default stats to zero when no rows retu...

Re: How to set bar chart a specific colour?

Re: Unable to set bar chart a specific colour