What do you mean by "distribute license"? Licenses are not distributed. They're installed on the LM and the other instances contact the LM. What exactly are you trying to do and how exactly are you trying to do it?
Hi Team, I have an active ServiceNow ticket and email notification integration set up already for Splunk alerts. I am trying to add tokens which show me the query result in the ServiceNow ticket description, the same as we are getting in the email notification when we check the Inline Table fields. Can you help me add the same in the ServiceNow ticket as well, so that I can get the query result in the ticket as well? Right now it's showing me only the title of the alert, due to which I need to go to Splunk every time an alert triggers and run the alert search to validate the alert manually.
Hi everyone, I need to check my logs to see if a user has MFA enabled or not. I've already configured the Microsoft Azure App for Splunk, as all the other data is coming through. Additionally, I can see 'azure:monitor:aad' logs. Can someone help me understand what changes need to be made on the Azure side to be able to view these logs? Thank you in advance.
I keep getting an error when trying to distribute the license from the license manager. It won't allow me to distribute the license; the session either times out or I get a different error code each time. Any help would be greatly appreciated. Thanks -David
Hi @whitecat001, open the Monitoring Console and go to the Search section: [Settings > Monitoring Console > Search] to find what you need. Ciao. Giuseppe
Search Head GUI is not working. Found an error in the splunkd logs, not sure if it pertains to why the GUI is down. Anyone have experience with this happening? The SH GUI is not responding; I looked into the logs and found this error. Anyone have experience with this or know of any fix?
TsidxStats - sid:summarize_1591771322.7666 Failed to contact the server endpoint https://127.0.0.1:8089 from touchSummary()
@triva79 How about...
| timechart span=1h limit=50 useother=false dc(userName) as count by userName
or maybe...
| eval session=userName+":"+sessionKey
| timechart span=1h limit=50 useother=false dc(session) as count by session
Sometimes Splunk is forgiving when it comes to data types, sometimes it isn't - this is one of those!
| timechart span=1d sum(abc) by xyz
| where strftime(_time,"%w") = "1"
Solved. The issue was related to this configuration segment:
[serverClass:spoke_hf]
whitelist.0 = <HF1_ip_address>, <HF1_ip_address>
Searching better in the documentation, I found that a comma-separated IP address list is not supported. After I switched to:
whitelist.0 = <HF1 IP Address>
whitelist.1 = <HF2 IP Address>
the issue went away.
Hi Splunkers, we have a SH with Splunk Enterprise Security installed on it. It is a standalone instance that queries some indexer clusters. We are in the process of configuring it and we loaded some .csv files for Asset and Identity management. Once we uploaded those files, when we ran a search we got this situation: the search is executed, but errors about the inability to load the lookups that store merged asset and identity data in Splunk Enterprise Security are collected. The error syntax is the following:
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-_risk_system
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-dest
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-dvc
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-src
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-_risk_system
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-dest
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-dvc
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-src
The first thing I thought: ok, this is probably a permission issue. BTW, even when I execute the search with the admin user that loaded the .csv in the asset and identity inventory, I get the same error. I can add that we modified some OOT DMs, to add some fields needed by our SOC. What could be the root cause?