All Posts

I think I would agree with your first statement. But the reason I posted this question is that the phrase "Notable response actions and risk response actions are always triggered for each result." effectively makes "Once" and "For each result" the same thing (at least in my mind). But they are two distinct options, so I feel like they can't be the same. This makes me think I'm misunderstanding something. 
Following advice from the developer, I renamed passwords.conf from another add-on (TA-WALLIX_Bastion/default/passwords.conf) and now Configuration is finally opening.
Thank you!
Capability use is not logged. Actions performed by users are logged in _audit. It would be up to you to map those actions to the associated capabilities.
What happens if you try this | timechart span=5m count by status_summary usenull=f useother=f
Hi @riyastk, let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
Trying to create a search that will show which capabilities a user has used within the last year.
Hi @gcusello, thanks for the reply. I checked the events for the "Invalid" matches (the default value in the case block) and I can see there is no "status" field being extracted for those events. So it's evident why those are marked as "Invalid". So the issue must be with the sourcetype, I guess. Sorry if I didn't mention that the data sets are not the same. I just want to show that the later screenshot has matches for count_httpunk and the first one doesn't.
This is the output I got using the command:

    /opt/splunk/etc/system/default/server.conf pass4SymmKey_minLength = 12
    /opt/splunk/etc/system/default/server.conf pass4SymmKey =
    /opt/splunk/etc/system/default/server.conf pass4SymmKey_minLength = 12
    /opt/splunk/etc/system/default/server.conf encrypt_fields = "****"
    /opt/splunk/etc/system/default/server.conf pass4SymmKey = changeme
    /opt/splunk/etc/system/default/server.conf pass4SymmKey_minLength = 12
    /opt/splunk/etc/system/default/server.conf pass4SymmKey_minLength = 12
I have been experimenting with splunk-ui and created an app to make calls from splunk web to the splunk REST API. However, I keep getting errors like this:

    The same origin policy prohibits access to external resource at https://localhost:8090/servicesNS/nobody/path_redacted_but_is_valid?output_mode=json. (Reason: CORS-Header 'Access-Control-Allow-Origin' is missing)

This is what the call looks like:

    // Wrapped in an async function so the snippet is callable as posted;
    // eventType is the saved event type object being updated.
    async function updateEventType(eventType) {
      const url = `https://localhost:8090/servicesNS/nobody/${eventType.acl.app}/saved/eventtypes/${eventType.title}?output_mode=json`;
      const response = await fetch(url, {
        credentials: "include",
        method: "POST",
        redirect: "follow",
        body: JSON.stringify({ search: eventType.content.search })
      });
      return response.json();
    }

This is my server.conf:

    [sslConfig]
    sslRootCAPath = /opt/splunk/etc/auth/mycerts/cert.pem

    [httpServer]
    crossOriginSharingPolicy = https://localhost:8090
    crossOriginSharingHeaders = *

I can access https://localhost:8090/servicesNS/* "by itself" in my browser. I am using Firefox 128 and splunk 9.0.5. I can set crossOriginSharingPolicy to "*" (without quotes), but that will cause the browser to reject any requests that require authentication, so this is no solution.
Why isn't it listed under "What's new"? https://docs.splunk.com/Documentation/Splunk/9.2.2/ReleaseNotes/MeetSplunk
Hello, I am running SPLUNK 9.1.2 on Linux and ever since I installed a new internal certificate, I am not able to run SPLUNK. Below are some of the warnings I was able to find in splunkd.log. Would anyone have any idea of how this can be addressed and fixed? Thank you for any suggestions!

    WARN  SSLCommon [12196 webui] - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.
    WARN  HttpListener [12196 webui] - Socket error from “…” while idling: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    WARN  HttpListener [12196 webui] - Socket error from “…” while idling: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknow protocol
    WARN  SSLCommon [12196 webui] - Received fatal SSL3 alert. ssl_state='error', alert_description='bad record mac'.
    WARN  HttpListener [12196 webui] - Socket error from “…” while idling: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
    WARN  SSLCommon [12196 webui] - Received fatal SSL3 alert. ssl_state='error', alert_description='decrypt error'.
    WARN  HttpListener [12196 webui] - Socket error from “…” while idling: error:1408C095:SSL routines:ssl3_get_finished:digest check failed
@zapping575 - This is a little bit of a complicated topic, as there are many ways to achieve this and also there are many types of REST endpoints. I prefer to learn from examples, some prefer to learn from documents. I'm putting both as references here:

- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/
- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customrestscript/
- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customrestmanageaccess/
- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customresteai/
- https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/creexamples/
- https://github.com/splunk/splunk-app-examples/tree/master/custom_endpoints/hello-world

I hope this helps!!!
Hi ITWhisperer, they are still the same as the default. Admittedly, I am a bit stumped about the finer details of these properties. At most I could see the entry

    # The number of entries per page when paginating Rules Engine searches.
    internal_search_page_size = 10000

being perhaps the culprit as to why ITSI only indexed around ~10070 events per day. Or do you know which rule might limit the backfill size?
@dkmcclory - There are 2 generic ways a Splunk app developer uses to schedule things:

- Inputs
- Alerts OR Scheduled Reports

An input is usually used when you would like to collect data on a scheduled basis.

For other use cases you can use a Scheduled Report or an Alert. And you can schedule an alert and a report with a cron schedule. If it is something you can do as a Splunk query, then you can just write the query in this alert or report. If it is something you need custom Python code for, then you can write a custom Python search command which you can call from a Splunk query.

Reference for custom Splunk commands:

- https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/
- https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/createcustomsearchcmd/
- https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/customsearchcmdexamples/

I hope this helps!!! Please upvote if it does!!!
Hi @SplunkExplorer, I usually use the user splunk and I don't add it to sudoers, but I enabled ACL. Ciao. Giuseppe
This worked for us. We changed the ChannelAccess of Sysmon to that of PowerShell. Run the following on cmd:

    wevtutil sl "Microsoft-Windows-Sysmon/Operational" /ca:<Powershell ChannelAccess>
I am looking into developing a custom splunk app that lets us manage our knowledge objects in bulk. The idea is to create custom REST endpoints and call them from a splunk-ui based app in splunk web. Looking into the documentation of custom REST endpoints (https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customrestscript), it strikes me that the sample code imports a splunk module that I can find no documentation for. Am I missing out on something here? Am I just supposed to use splunklib? I would greatly appreciate feedback regarding the plan to use custom REST endpoints with a splunk web based UI.
I was able to do it some other way, but your solution is cleaner and more elegant. Thanks for the help.