Hi @Keerthi, if you have a dashboard named "Your_Dashboard_Name", you can use the following query to see who visited it:
index=_internal sourcetype=splunkd_ui_access namespace=* user="*" search="*action*view*Your_Dashboard_Name*"
For special fields, you may need to create your own regex to extract the required information. P.S.: Karma points are always appreciated.
Yes, I'm using a different sourcetype. I would like to add additional data that will help distinguish the logs, something like tags or a sub-category in the sourcetype.
Hello All, the question is: does IOWAIT mean anything? I am in the process of upgrading Splunk 8.2.12 to 9.1.2, and then 9.2.1. I have not yet upgraded to 9.1.2. The Health Report is set at default settings, i.e. 3, etc. I have tried the suggestion of doubling the threshold values, but eventually get a yellow Warning, or sometimes red, etc. I am running Splunk Enterprise 8.2.12 on Oracle Linux (ver 7.9) with 12 CPUs and 64GB memory. Do these settings have any benefit for the IOWAIT thresholds? I see where I can disable IOWAIT - or does it make any sense to try to generate some sort of Diag, which has a link when opening the "Health Report Manager"? Any info here? Am I missing something? Thanks as always for a very helpful Splunk community. EWHOLZ
We see cases where warm buckets are not being moved to cold storage for six weeks, and we wonder how to set it up correctly so they move within two or three weeks.
Hi All, has anyone explored https://github.com/splunk/splunk-conf-imt ? We have Splunk Cloud; I am wondering how I can proceed with testing this, as the steps are not quite clear to me. Appreciate the help.
You need to follow these steps (it's a basic SMTP connection) for alerts for Splunk Cloud or on premise: https://docs.splunk.com/Documentation/Splunk/9.2.1/Alert/Emailnotification There aren't that many settings for this in Splunk, so it should work providing your SMTP / email server allows for this. We point to an SMTP server as per the config above. If it's not working and you feel you have set it up according to the Splunk docs, I would look at your "Exchange Admin Centre" and consult the Admin to ensure Splunk can send to the SMTP server. The
Ideally, Splunk would know it's creating an event that's too large and modify TRUNCATE accordingly for that sourcetype. For log messages that glob together several pieces of information at run-time (like many audit events), the true size of the event won't be known in advance.
@sivakrishna Have you assigned the user to a group in Azure AD and mapped that group to a role in Splunk?
I wrote this code but no luck:
index=_internal sourcetype=splunkd_ui_access | rex field=uri_path "app/(?<app>[^/]+)/(?<dashboard>[^/]+)" | search app="dashboards" dashboard="User_Management_Hourra" | stats dc(user) as unique_users
Here, is EPSF_Infrastructure the dashboard name?
@tuts Hey, please check this: https://github.com/OpenCTI-Platform/connectors/tree/master/stream/splunk If this reply helps you, Karma would be appreciated.
@sivakrishna Hello Siva, refer to the documents below:
https://community.splunk.com/t5/Security/Why-does-Saml-response-not-contain-group-information/m-p/417492
https://community.splunk.com/t5/Security/quot-Saml-response-does-not-contain-group-information-quot-SSO/m-p/484498
Hi Kiran, thanks for the quick reply. With the first link, I tried the first query as he mentioned, but got no search results. With the second link you shared, I could only see (screenshot for reference). How do I query it for the particular dashboard I am looking for?
When upgrading to 9.2.1, I am getting "Waiting for web server at https://xxxx.443 to be available..................WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details." Splunk is starting, but the web server is not starting and the front end is not accessible.
@Cuongnh05 Splunk licenses are typically specific to the environment in which they were purchased. If your current license is for your on-premises SOC, it may not automatically cover usage in a private cloud environment. I recommend reaching out to Splunk's sales team directly. They can provide accurate information based on your specific situation. Explain your use case, data volume, and the transition to a private cloud. They'll guide you on the necessary steps and any potential licensing adjustments.
@testttt There are no notable events that you can produce because you have uploaded sample events to Splunk. Could you please create an instance, send the logs to Splunk, and attempt to produce the notable events, such as unsuccessful login attempts and brute-force attacks?
@Keerthi Hello Keerthi, please refer to the links below.
https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-the-number-of-users-who-visited-the-Dashboards/m-p/533846
https://splunkonbigdata.com/how-to-create-splunk-user-analysis-and-monitoring-dashboard/
Hello, I have recently started working with SPLUNK Enterprise and I would like to use it as a SIEM for my network. I have successfully integrated data into SPLUNK from my server and created an alert if certain conditions are met. In order to send an email when an alert is triggered, I created an SMTP connector using the "Exchange Admin Center". I then configured the mail server on SPLUNK, but when an alert is created on SPLUNK, I do not receive any emails. I am wondering if the issue is with the connector I created or if it could be something else. What is the procedure to create an SMTP connector and ensure that the email can be sent from SPLUNK? Thank you for reading.
"Or is the question more like 'shouldn't Splunk never write events longer than 10,000 characters?'" Yes - that would be my question. I assume Splunk should know that it would exceed some length. So I don't get why there is a "limit" for internal logs. But yeah, that question has no real "this" or "that". Thanks for the reply.