@tuts Hey, please check this: https://github.com/OpenCTI-Platform/connectors/tree/master/stream/splunk  If this reply helps you, Karma would be appreciated. 
@sivakrishna Hello Siva, refer to the documents below: https://community.splunk.com/t5/Security/Why-does-Saml-response-not-contain-group-information/m-p/417492 https://community.splunk.com/t5/Security/quot-Saml-response-does-not-contain-group-information-quot-SSO/m-p/484498
Hi Kiran, thanks for the quick reply. With the first link I tried the first query as he mentioned, but got no search results. With the second link you shared I could only see (screenshot for reference). How do I query it for the particular dashboard I am looking for?
When upgrading to 9.2.1 I am getting "Waiting for web server at https://xxxx.443 to be available..................WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details." Splunk is starting, but the web server is not starting and the front end is not accessible.
@Cuongnh05  Splunk licenses are typically specific to the environment in which they were purchased. If your current license is for your on-premises SOC, it may not automatically cover usage in a private cloud environment.  I recommend reaching out to Splunk’s sales team directly. They can provide accurate information based on your specific situation. Explain your use case, data volume, and the transition to a private cloud. They’ll guide you on the necessary steps and any potential licensing adjustments.
@testttt There are no notable events that you can produce because you have uploaded sample events to Splunk. Could you please create an instance, send the logs to Splunk, and attempt to produce the notable events, such as unsuccessful login attempts and brute-force attacks?
@Keerthi Hello Keerthi, please refer to the links below: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-check-the-number-of-users-who-visited-the-Dashboards/m-p/533846 https://splunkonbigdata.com/how-to-create-splunk-user-analysis-and-monitoring-dashboard/
Hello, I have recently started working with SPLUNK Enterprise and I would like to use it as a SIEM for my network. I have successfully integrated data into SPLUNK from my server and created an alert if certain conditions are met. In order to send an email when an alert is triggered, I created an SMTP connector using the "Exchange Admin Center". I then configured the mail server on SPLUNK, but when an alert is created on SPLUNK, I do not receive any emails. I am wondering if the issue is with the connector I created or if it could be something else. What is the procedure to create an SMTP connector and ensure that the email can be sent from SPLUNK? Thank you for reading.
"Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?"" Yes, that would be my question. I assume Splunk should know that it would exceed some length. So I don't get why there is a "limit" for internal logs. But yeah, that question has no real "this" or "that". Thanks for the reply.
The audit log exceeds the limit because Splunk wrote a very long event to the log.  Why that happened is impossible to say without knowing more about the event itself. Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?"  If so, I don't disagree, but prefer Splunk give me the option (by increasing TRUNCATE) to log all of the event rather than cut off what might otherwise be important data.
Hi @JoshuaJJ , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @MartyJ , it isn't so immediate. I developed a solution with JS and a solution without; this is the solution without. Obviously you can only modify a field in a lookup and not in an index, and use a KV-Store:

<form version="1.1">
  <label>Manage All Cases</label>
  <fieldset submitButton="false" autoRun="false">
    <!-- Radio input used only to clear the row tokens set by the drilldown below -->
    <input type="radio" token="resetTokens" searchWhenChanged="true">
      <label/>
      <choice value="reset">Reset Inputs</choice>
      <choice value="retain">Retain</choice>
      <default>reset</default>
      <change>
        <condition value="reset">
          <!-- the drilldown sets "key" (not "_key"), so that is the token to clear -->
          <unset token="key"/>
          <unset token="timestamp"/>
          <unset token="User_Name"/>
          <unset token="Status"/>
          <set token="resetTokens">retain</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Filters: user and status, both populated from the lookup itself -->
      <input type="dropdown" token="User_Name">
        <label>User Name</label>
        <choice value="*&quot; OR NOT User_Name=&quot;*">All</choice>
        <prefix>User_Name="</prefix>
        <suffix>"</suffix>
        <fieldForLabel>User_Name</fieldForLabel>
        <fieldForValue>User_Name</fieldForValue>
        <search>
          <query>| inputlookup open_cases | dedup User_Name | sort User_Name | table User_Name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default>*" OR NOT User_Name="*</default>
      </input>
      <input type="dropdown" token="Status">
        <label>Status</label>
        <choice value="*">All</choice>
        <prefix>Status="</prefix>
        <suffix>"</suffix>
        <fieldForLabel>Status</fieldForLabel>
        <fieldForValue>Status</fieldForValue>
        <search>
          <query>| inputlookup open_cases WHERE Status!="Escalation" | dedup Status | sort Status | table Status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default>*</default>
      </input>
      <!-- Master table: clicking a row copies its fields into tokens for the edit panel -->
      <table id="master">
        <title>Total All Cases = $server_count$</title>
        <search>
          <query>| inputlookup my_lookup WHERE $User_Name$ $Status$ | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key | table key Time Status User_Name TimeStamp</query>
          <sampleRatio>1</sampleRatio>
          <progress>
            <set token="server_count">$job.resultCount$</set>
          </progress>
          <cancelled>
            <unset token="server_count"/>
          </cancelled>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <fields>["_key","Time","Status","Notes","User_Name"]</fields>
        <drilldown>
          <set token="key">$row.key$</set>
          <set token="timestamp">$row.TimeStamp$</set>
          <set token="alertname">$row.Alert_Name$</set>
          <set token="description">$row.Description$</set>
          <set token="status">$row.Status$</set>
          <set token="notes">$row.Notes$</set>
          <set token="username">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Modify Row</title>
      <!-- Edit inputs, pre-filled from the selected row's tokens -->
      <input type="dropdown" token="status_to_update">
        <label>Status</label>
        <default>$status$</default>
        <search>
          <query/>
        </search>
        <choice value="Closed">Closed</choice>
        <choice value="Work-in-progress">Work-in-progress</choice>
        <choice value="Escalation">Escalation</choice>
        <choice value="Stand-By">Stand-By</choice>
      </input>
      <input type="text" token="notes_to_update">
        <label>Add Notes</label>
        <default>$notes$</default>
      </input>
      <!-- Preview of the edited row; only shown once a row has been selected -->
      <table id="detail" depends="$key$">
        <title>Row to modify</title>
        <search>
          <!-- User_Name is taken straight from the $username$ token: makeresults produces no
               "username" field to rename, and the original had a stray "]" after "fields" -->
          <query>| makeresults 1 | eval key="$key$", TimeStamp="$timestamp$", Status="$status_to_update$", Notes="$notes_to_update$", User_Name="$username$", Time=strftime($timestamp$,"%d/%m/%Y %H:%M:%S") | table key Time TimeStamp Status Notes User_Name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key,Time,Status,Notes,User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="status_updated">$row.Status$</set>
          <set token="notes_updated">$row.Notes$</set>
          <set token="username_updated">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- Writes the change back to the KV-Store lookup and records it in a summary index -->
      <table id="detail2" depends="$status_to_update$">
        <title>Modified Lookup row</title>
        <search>
          <query>| inputlookup my_lookup | eval Status=if(_key="$key$","$status_updated$",Status), Notes=if(_key="$key$","$notes_updated$",Notes), User_Name=if(_key="$key$","$username_updated$",User_Name) | search _key="$key$" | outputlookup open_cases append=true | eval key=_key | collect addtime=true index=summary_alerts | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key | table key Time TimeStamp Alert_Name Description Status Notes User_Name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key,Time,Status,Notes,User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Don't copy my dashboard but see the approach and adapt it to your real case. Ciao. Giuseppe
Thank you so much for the help. I always forget to add fields to the Data Model  
How to map MITRE ATT&CK content in Splunk Security Essentials? I want to map MITRE ATT&CK for all of the alerts I created inside Splunk Enterprise.
https://docs.splunk.com/Documentation/Splunk/9.2.1/DistSearch/PropagateSHCconfigurationchanges Regarding the etc/passwd changes, my guess would be "don't do it".  I think the encryption of the passwords must be redone.  Use the UI for password changes so it replicates across the cluster.
Hi @JoshuaJJ , two topics: is tag a field of your DataModel? You can check this in your DataModel definition. If not, you cannot use it, or you have to modify your DataModel fields. If yes, you have to use the <your_datamodel> prefix before tag in the WHERE condition: | tstats count FROM datamodel=<data_model>.<root_event> WHERE <data_model>.tag=CA BY _time host Ciao. Giuseppe
Hi @Gil, maybe ingestion ran fine until the 31st of May and stopped on the 1st of June? If this is true, check the TIME_FORMAT of your logs: probably you are using a European date format (dd/mm/yyyy) and you didn't define a TIME_FORMAT for your timestamps, so Splunk (that's America!) by default uses the American format (mm/dd/yyyy). This means that you indexed today's logs (5th of June) as logs of the 6th of May. You should force the TIME_FORMAT for that sourcetype in props.conf. Ciao. Giuseppe
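An added example, not part of Giuseppe's reply: a small Python check that reproduces the silent mis-dating described above (a 05/06 log read as May 6 instead of June 5), infers the day/month order from a sample of lines, and emits the props.conf stanza that pins TIME_FORMAT. The sample log lines and the sourcetype name are constructed for this example.

```python
from datetime import datetime

# Constructed sample log lines (not from the original thread): a European
# dd/mm/yyyy source, the situation described in the reply above.
SAMPLE_LOGS = [
    "31/05/2024 09:12:44 sshd[1201]: Accepted publickey for alice",
    "01/06/2024 10:03:11 sshd[1205]: Failed password for root",
    "05/06/2024 08:45:02 sshd[1210]: Accepted publickey for bob",
]

US_FORMAT = "%m/%d/%Y %H:%M:%S"  # the order Splunk assumes when no TIME_FORMAT is set
EU_FORMAT = "%d/%m/%Y %H:%M:%S"  # the order this source actually uses


def parse_event_time(line, fmt):
    """Parse the leading date and time of a log line with the given strptime
    format. Returns None when the line does not fit that format (e.g. month 31)."""
    stamp = " ".join(line.split(" ", 2)[:2])
    try:
        return datetime.strptime(stamp, fmt)
    except ValueError:
        return None


def detect_date_order(lines):
    """Infer the day/month order from a sample of lines: a first field above 12
    cannot be a month (so the source is dd/mm), a second field above 12 cannot be
    a month (so the source is mm/dd). If every value is 12 or below the sample
    cannot decide and is reported as ambiguous."""
    first_over_12 = second_over_12 = False
    for line in lines:
        first, second, _year = line.split(" ", 1)[0].split("/")
        first_over_12 |= int(first) > 12
        second_over_12 |= int(second) > 12
    if first_over_12 and not second_over_12:
        return "dd/mm/yyyy"
    if second_over_12 and not first_over_12:
        return "mm/dd/yyyy"
    return "ambiguous"


def props_conf_stanza(sourcetype, order):
    """Build the props.conf stanza that pins the timestamp format for a sourcetype
    so Splunk stops guessing. The sourcetype name is a placeholder chosen by the caller."""
    fmt = {"dd/mm/yyyy": EU_FORMAT, "mm/dd/yyyy": US_FORMAT}[order]
    return f"[{sourcetype}]\nTIME_FORMAT = {fmt}\n"
```

Run detect_date_order over a few hundred real lines before trusting the result; a sample where no day exceeds 12 stays ambiguous by design rather than guessing.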
Hi @tuts , I’m a Community Moderator in the Splunk Community. This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
I want to link OpenCTI with Splunk ES to be on top of the threats