A good way to give a service account access to Splunk is to use Authentication Tokens. Ref: https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/UseAuthTokens Is there anything specific you would like the service account to do?
I don't believe it is enabled for Cloud Trials: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/RESTTUT/RESTandCloud
I haven't tried this yet, but it sounds very helpful. I'm going to try it later this afternoon. Thank you!
A better way to do this is to use the "Run a Script" alert action (after you create a script to do the copy).  Yes, this alert action is deprecated but I use it often and there is no way that Splunk will be removing it from the product.
The base instructions here should be all you need to follow for that one. Review the rest of the 'planning' and 'securing' sections of that documentation to see any additional details you might be curious about, though.
The Forwarder Management screen applies only to Deployment Server (DS) instances. A DS is a Splunk instance type that ensures each forwarder has the configuration (apps) it needs. DSs are optional and are unnecessary when you only have a single forwarder.

When you installed the forwarder, did you configure it to forward data to the server? If so, then you should be seeing data from the forwarder. Verify that by searching for:

index=_internal host=f1

Make sure that returns results before continuing further.

The next step is telling the forwarder what you want it to forward. By default, it only sends its own logs. Install the Splunk Add-on for Windows (https://splunkbase.splunk.com/app/742) on the forwarder and turn on (set disabled=0) the inputs you desire. Be sure to restart the forwarder after changing inputs.conf settings.
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
The current query can't do that because it only looks at failed logins. It will never see a successful login. The solution will entail appending a tstats command that counts successes and then modifying the where command to look for 6 or more failures and at least 1 success. You can find an example in the Basic Brute Force Detection use case in the Splunk Security Essentials app.
I installed Splunk Enterprise on a server named s1. I installed a forwarder on server f1. Both are Windows Server 2019. When I go into Forwarder Management, s1 sees f1, but I can't DO anything with it. There's nothing on the Forwarder Management screen to CONFIGURE. If I go to Settings | Data Inputs and try to configure "Remote Performance monitoring" (just as a test, just to monitor something), it says it's going to use WMI and that I should use a forwarder instead. Yes, please. I want to use a forwarder instead. I want to use my new forwarder, but I just don't see how.
According to the developer, it can be done with HEC: https://infosecwriteups.com/knowbe4-to-splunk-33c5bdd53e29
Hi @ITWhisperer, actually I need the generic rex like the one I posted in the screenshot, because this is given in the transforms.conf file. I tried the query you provided and it's not working.
With this kind and quality of screenshot it's very hard to help. Take a look at Fields in Settings, especially Field extractions and Field transformations.
Going the route I am inquiring about is not my preference. I have kind of a convoluted internal network. I have requests in with my network team to get ssl passed through to where I need it and in the meantime am just trying to consider other options in case they can't make it work. 
You could try something like this  
I'm a little suspicious of the formatting after the line:

community: "public"

Could you try adjusting so it's like this?

community: "public"
fields:
  - name: "some_name"
    oid: "x.x.x.x.x.x.x.x.x.x.x.x.x"

If that doesn't help, if you could email me the agent_config.yaml, I'll take a closer look (the pdf kills the indentation). Just add "@splunk.com" to my username if you want to send it. Thanks!
Below is the regex used. Here we want to extract the following fields: DIM, TID, APPLICATION, POSITION, CORRLATIONID. The rex which I used is extracting DIM, TID, APPLICATION as one field, but we need them separately. We need to write the rex generically so that it captures the data even if there are different field names.
Hi. Have a look at https://community.splunk.com/t5/Splunk-Search/Why-is-Lookup-definition-in-transforms-conf-not-returning/td-p/589334

Sounds like there's a lookup definition in a transforms.conf and the corresponding lookup file does not exist. You can use btool on the Splunk head to locate the setting. For example:

/opt/splunk/bin/splunk btool transforms list --debug | grep file

You can see all the lookup file definitions.
thanks it worked
So I'm trying to use #splunkcloud to make calls to a RESTful API for which there is no add-on or app available on Splunkbase. There is nothing under Settings > Data Inputs > Local Inputs to accomplish this task... which kind of blows my mind. Anyone find a solution for this or something similar? TIA
Thank you, config is attached ... I've obscured the ip... Here's the log:

Apr 11 16:44:00  otelcol[142312]: 2024/04/11 16:44:00 main.go:89: application run finished with error: failed to resolve config: cannot resolve the configuration: cannot retrieve the configuration: configsource provider failed retrieving: yaml: line 91 : did not find expected key
Apr 11 16:44:00 systemd[1]: splunk-otel-collector.service: Main process exited, code=exited, status=1/FAILURE
Apr 11 16:44:00 systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Scheduled restart job, restart counter is at 5.
Apr 11 16:44:01 systemd[1]: Stopped Splunk OpenTelemetry Collector.
Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Start request repeated too quickly.
Apr 11 16:44:01  systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
Apr 11 16:44:01 systemd[1]: Failed to start Splunk OpenTelemetry Collector.