According to the developer, it can be done with HEC: https://infosecwriteups.com/knowbe4-to-splunk-33c5bdd53e29
Hi @ITWhisperer, actually I need the generic rex the way I posted in the screenshot, because this is given in the transforms.conf file, and I tried the query you provided; it's not working.
With this kind and quality of screenshot it's very hard to help. Take a look at Fields in Settings, and there especially at Field extractions and Field transformations.
Going the route I am inquiring about is not my preference. I have kind of a convoluted internal network. I have requests in with my network team to get ssl passed through to where I need it and in the meantime am just trying to consider other options in case they can't make it work. 
You could try something like this  
I'm a little suspicious of the formatting after the line:

community: "public"

Could you try adjusting so it's like this?

community: "public"
fields:
  - name: "some_name"
    oid: "x.x.x.x.x.x.x.x.x.x.x.x.x"

If that doesn't help, if you could email me the agent_config.yaml, I'll take a closer look (the PDF kills the indentation). Just add "@splunk.com" to my username if you want to send it. Thanks!
Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat Research Team for the first time. This team of security content experts is dedicated to developing out-of-the-box detections to provide comprehensive visibility, empower accurate detection with contextual insights, and enhance operational efficiency. This ensures you can always stay ahead of threats. With our premium security solutions — Splunk Enterprise Security and Splunk SOAR — you can strengthen and unify your security operations, and reduce Mean Time to Respond.

We hosted two Office Hour sessions with the threat research experts:

The first session focused on Generative AI, where our experts @James Young and Kumar Sharad discussed Splunk's best practices for AI and common use cases for Splunk Enterprise Security and SOAR. They explored the integration of AI/ML into Splunk products and offered their recommendations on the approach. They delved into how Gen AI could support SOC processes, including threats, anomaly detection and more. The discussion also covered data privacy and sensitivity, topics of significant interest today!

The second session, led by our threat research experts @Jose Hernandez and @Michael Haag, centered on Threat Detection and Response Content. This session highlighted how to leverage the latest security content to automatically monitor your data for findings. Our experts began with the basics, sharing the best approach to getting started with security content, and then answered more specific questions, like the best automation achievable for creating incidents with the BMC Remedy Ticketing Tool. @Michael provided a thorough demo on enabling and implementing security content at the session's end, which could be very helpful for optimizing your operational process.

To listen to the conversations and find the answers to all these questions, feel free to check out our on-demand session recordings: Generative AI; Threat Detection and Content Response. If you have any questions regarding these topics, please join our #office-hours Slack channel for further discussions. You'll also find links to previous session Q&A decks and live recordings. If you are not yet a member of our splunk-usergroups workspace, you can request access here. Missed the previous events? No worries! Subscribe to the Community Office Hours page to receive notifications for upcoming events, like Detecting Remote Code Executions with the Splunk threat research team on June 5th at 1pm PT/4pm ET! Join us and ask your questions directly to the experts! Cheers!
Below is the regex used; here we want to extract the following fields: DIM, TID, APPLICATION, POSITION, CORRLATIONID. The rex which I used is extracting DIM, TID, APPLICATION as one field, but we need them separately. We need to write the rex generically so that it captures the data if there are different field names as well.
Hi. Have a look at https://community.splunk.com/t5/Splunk-Search/Why-is-Lookup-definition-in-transforms-conf-not-returning/td-p/589334

Sounds like there's a lookup definition in a transforms.conf and the corresponding lookup file does not exist. You can use btool on the Splunk head to locate the setting. For example:

/opt/splunk/bin/splunk btool transforms list --debug | grep file

You can see all the lookup file definitions.
Thanks, it worked.
So I'm trying to use #splunkcloud to make calls to a RESTful API for which there is no add-on or app available on Splunkbase. There is nothing under Settings > Data Inputs > Local Inputs to accomplish this task... which kind of blows my mind. Anyone find a solution for this or something similar? TIA
Thank you, config is attached... I've obscured the IP... Here's the log:

Apr 11 16:44:00 otelcol[142312]: 2024/04/11 16:44:00 main.go:89: application run finished with error: failed to resolve config: cannot resolve the configuration: cannot retrieve the configuration: configsource provider failed retrieving: yaml: line 91 : did not find expected key
Apr 11 16:44:00 systemd[1]: splunk-otel-collector.service: Main process exited, code=exited, status=1/FAILURE
Apr 11 16:44:00 systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Scheduled restart job, restart counter is at 5.
Apr 11 16:44:01 systemd[1]: Stopped Splunk OpenTelemetry Collector.
Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Start request repeated too quickly.
Apr 11 16:44:01 systemd[1]: splunk-otel-collector.service: Failed with result 'exit-code'.
Apr 11 16:44:01 systemd[1]: Failed to start Splunk OpenTelemetry Collector.
Hi, we get the following exceptions while trying to load APM agent 24.3 in WebLogic 14.1:

java.lang.IllegalAccessError: class jdk.jfr.internal.SecuritySupport$$Lambda$225/0x0000000800979c40 (in module jdk.jfr) cannot access class com.singularity.ee.agent.appagent.entrypoint.bciengine.FastMethodInterceptorDelegatorBoot (in unnamed module @0x2205a05d) because module jdk.jfr does not read unnamed module @0x2205a05d

java.lang.IllegalStateException: Unable to perform operation: create on weblogic.diagnostics.instrumentation.InstrumentationManager

The WebLogic managed server won't start after throwing these exceptions. Any insights on what might be causing these errors? Thanks, Roberto
I don't see a checkbox as part of the inputs list. It is possible in Simple XML, but I would like to know how it can be achieved using Dashboard Studio.
Please provide more details, for example: what do you mean by tag? How do you set it up? How do you use it in your search? In what way doesn't it work? Do you have any errors reported? etc.
Hi. If I replace, for example, src=10.0.0.1 with my tag containing src=10.0.0.1 in the query, it doesn't work. Please help.
Hi, I need to upgrade my correlation search for Excessive Failed Logins with Username:

| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",values("Authentication.user") as "usernames", dc("Authentication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Failed_Authentication" by "Authentication.app","Authentication.src"
| rename "Authentication.app" as "app","Authentication.src" as "src"
| where 'count'>=6

I would like the query to trigger only when there is a successful authentication after 6 failed authentications. Thank you
Hello there, here I am writing to see my use case for integration of Splunk Cloud/Enterprise features on my website. I am looking for web services regarding integration with Splunk Cloud or Splunk Enterprise. My aim is to render Splunk Cloud/Enterprise dashboards and reports on my website.

I have:
Splunk Cloud admin account (trial)
Splunk Enterprise admin account (trial)

I want to:
Get the list of apps of Splunk Cloud/Enterprise programmatically. After that I will be able to see the list of dashboards and reports in the desired app. Further, I can select a dashboard or report which I want to embed on my website. This will allow me to easily visualize up-to-date Splunk data on my website.

Thank you in advance for considering my query.
I am unable to find a REST API Postman collection for Splunk Enterprise. Can anyone please provide a link to export or download a Postman collection for Enterprise?
Hi @Marcie.Sirbaugh, I see you have an open ticket with the same error you asked Sajo about (agentregistrationmodule.go:352). Perhaps you can continue to share any outcomes from that interaction with your ticket here with Sajo.