I'd recommend seeing if your home router/firewall can stream syslog and setting up a forwarder to ingest those logs regularly. Install a forwarder on your PC and monitor your windows/linux/whatever you use logs that way as well. I think that would be a good start for messing around with data, at least. Also, check out https://www.splunk.com/en_us/training/course-catalog.html?sort=Newest&filters=filterGroup1FreeCourses if you haven't. There's lots of good content there for beginners.
A good way to give a service account access to Splunk is to use Authentication Tokens. Ref: https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/UseAuthTokens Is there anything specific you would like the service account to do?
A better way to do this is to use the "Run a Script" alert action (after you create a script to do the copy). Yes, this alert action is deprecated but I use it often and there is no way that Splunk will be removing it from the product.
The base instructions here should be all you need to follow for that one. Review the rest of the 'planning' and 'securing' sections of that documentation to see any additional details you might be curious about, though.
The Forwarder Management screen applies only to Deployment Server (DS) instances. A DS is a Splunk instance type that ensures each forwarder has the configuration (apps) it needs. DSs are optional and are unnecessary when you only have a single forwarder. When you installed the forwarder, did you configure it to forward data to the server? If so, then you should be seeing data from the forwarder. Verify that by searching for index=_internal host=f1 and make sure that returns results before continuing further. The next step is telling the forwarder what you want it to forward. By default, it only sends its own logs. Install the Splunk Add-on for Windows (https://splunkbase.splunk.com/app/742) on the forwarder and turn on (set disabled=0) the inputs you desire. Be sure to restart the forwarder after changing inputs.conf settings.
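As an added illustration of the "set disabled=0" step (not taken from the post or the add-on itself): a local inputs.conf override on the forwarder that enables the three main Windows event logs plus the CPU perfmon input shipped with the add-on. The file path assumes the add-on was installed into the forwarder's default apps directory.

```ini
; Assumed location on the forwarder (f1):
;   %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf
; Only settings placed in local\ override the add-on's default\ values,
; where these inputs ship with disabled = 1.

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0

; The perfmon stanzas from the add-on cover the "performance monitoring"
; use case without WMI; enable the ones you need the same way.
[perfmon://CPU]
disabled = 0
```

After saving the file, restart the forwarder (%SPLUNK_HOME%\bin\splunk.exe restart) and re-run the host=f1 search against the target index to confirm events arrive.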
The current query can't do that because it only looks at failed logins. It will never see a successful login. The solution will entail appending a tstats command that counts successes and then modifying the where command to look for 6 or more failures and at least 1 success. You can find an example in the Basic Brute Force Detection use case in the Splunk Security Essentials apps.
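The detection logic described above (six or more failures plus at least one success for the same user and source), written as an added Python example rather than the SPL from the Splunk Security Essentials app. It assumes Windows Security log semantics, where EventCode 4625 is a failed logon and 4624 a successful one, and runs over constructed sample events.

```python
"""Brute-force-then-success detector mirroring the SPL logic in the post.

Added example, not code from the post or from Splunk Security Essentials.
Assumption: source events carry user, src and a Windows EventCode, with
4625 = failed logon and 4624 = successful logon.
"""
from collections import defaultdict

FAIL_THRESHOLD = 6   # "6 or more failures"
SUCCESS_MIN = 1      # "at least 1 success"
FAIL_CODE, SUCCESS_CODE = 4625, 4624

# Constructed sample events: (user, src, EventCode).
SAMPLE_EVENTS = (
    [("alice", "10.0.0.5", FAIL_CODE)] * 6 + [("alice", "10.0.0.5", SUCCESS_CODE)]   # brute force, then success
    + [("bob", "10.0.0.9", FAIL_CODE)] * 8                                           # failures only, never gets in
    + [("carol", "10.0.0.7", FAIL_CODE)] * 2 + [("carol", "10.0.0.7", SUCCESS_CODE)]  # a couple of typos, then login
)


def count_outcomes(events):
    """Count failures and successes per (user, src); the equivalent of the
    stats/tstats step that counts each outcome separately."""
    stats = defaultdict(lambda: {"failures": 0, "successes": 0})
    for user, src, code in events:
        if code == FAIL_CODE:
            stats[(user, src)]["failures"] += 1
        elif code == SUCCESS_CODE:
            stats[(user, src)]["successes"] += 1
    return stats


def find_brute_force_successes(events, fail_threshold=FAIL_THRESHOLD, success_min=SUCCESS_MIN):
    """Equivalent of the modified where clause: keep only pairs with
    failures >= 6 AND successes >= 1. Returns sorted (user, src, failures, successes)."""
    stats = count_outcomes(events)
    return sorted(
        (user, src, c["failures"], c["successes"])
        for (user, src), c in stats.items()
        if c["failures"] >= fail_threshold and c["successes"] >= success_min
    )


if __name__ == "__main__":
    for hit in find_brute_force_successes(SAMPLE_EVENTS):
        print("ALERT user=%s src=%s failures=%d successes=%d" % hit)
```

Note that bob's eight failures alone do not alert, which is exactly the case the original failures-only query cannot distinguish from a successful brute force.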
I installed Splunk Enterprise on a server named s1. I installed a forwarder on server f1. Both Windows Server 2019. When I go into Forwarder Management, s1 sees f1, but I can't DO anything with it. There's nothing on the Forwarder Management screen to CONFIGURE. If I go to Settings | Data Inputs and try to configure "Remote Performance monitoring" (just as a test, just to monitor something), it says it's going to use WMI and that I should use a forwarder instead. Yes, please. I want to use a forwarder instead. I want to use my new forwarder, but I just don't see how.
Hi @ITWhisperer, actually I need the generic rex, like the one I posted in the screenshot, because this is given in the transforms.conf file, and I tried the query you provided; it's not working.
With this kind and quality of screenshot it's very hard to help. Take a look at Fields in Settings, and there especially at Field extractions and Field transformations.
Going the route I am inquiring about is not my preference. I have kind of a convoluted internal network. I have requests in with my network team to get ssl passed through to where I need it and in the meantime am just trying to consider other options in case they can't make it work.
I'm a little suspicious of the formatting after the line: community: "public" Could you try adjusting so it's like this?
community: "public"
fields:
  - name: "some_name"
    oid: "x.x.x.x.x.x.x.x.x.x.x.x.x"
If that doesn't help, if you could email me the agent_config.yaml, I'll take a closer look (the pdf kills the indentation). Just add "@splunk.com" to my username if you want to send it. Thanks!
Below is the regex used. Here we want to extract the following fields: DIM, TID, APPLICATION, POSITION, CORRLATIONID. The rex which I used is extracting DIM, TDI, APPLICATION as one field, but we need them separately. We need to write the rex generically so that it captures the data if there are different field names as well.
Hi. Have a look at https://community.splunk.com/t5/Splunk-Search/Why-is-Lookup-definition-in-transforms-conf-not-returning/td-p/589334 Sounds like there's a lookup definition in a transforms.conf and the corresponding lookup file does not exist. You can use btool on the Splunk head to locate the setting. For example:
/opt/splunk/bin/splunk btool transforms list --debug | grep file
There you can see all the lookup file definitions.
So I'm trying to use #splunkcloud to make calls to a RESTful API for which there is no add-on or app available on Splunkbase. There is nothing under Settings>Data Inputs>Local Inputs to accomplish this task...which kind of blows my mind. Anyone find a solution for this or something similar? TIA