Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-22-2024
12:52 AM
1 Karma
Please copy-paste the search query I gave. Also, put your search query that you are trying to run here, so I can check what's wrong.
02-22-2024
12:50 AM
May I know is there any search query using which I can find "Indexers in license violations" or is there any information I can get regarding this directly from splunk?
Labels
- Labels:
-
administration
-
search
02-21-2024
11:51 PM
At the same time ask PFSense to port its firewall to Ubuntu or other Linux distro.
02-21-2024
11:45 PM
1 Karma
Hi @rbakeredfi , the first thing is to manage all the Forwarders (Universal and Heavy) using a Deployment Server, so you're sure to have the correct configurations on all machines. Then I prefer to...
See more...
Hi @rbakeredfi , the first thing is to manage all the Forwarders (Universal and Heavy) using a Deployment Server, so you're sure to have the correct configurations on all machines. Then I prefer to directly send UFs logs to the Indexers. It's also possible to use HFs as concentrators if you want to reduce the connections between networs. For syslogs, I hint to use two UFs or two HF as receivers, using a Load Balancer to balance traffic and manage fail over. On these servers use rsyslog or syslog-ng to receive syslogs and then read these logs from the files. About the logs from the HFs, you can install on these machines the appropriate add-ons and use them to monitor these machines. Ciao. Giuseppe
02-21-2024
11:44 PM
No. I'm not suggesting to use the free license. It has too many limitations for most production uses. I'm just pointing out that even Free license is relatively "big" compared to the "sublicenses" t...
See more...
No. I'm not suggesting to use the free license. It has too many limitations for most production uses. I'm just pointing out that even Free license is relatively "big" compared to the "sublicenses" the OP wants. Of course simple attaching of multiple environments to a single license master will work but without splitting the license into separate licensing stacks will result in a "shared license" which means that if one node for some reason should exhaust the license, it would violate the license for all nodes.
02-21-2024
11:39 PM
Hi @jovnice , I hint to add index=wineventlog because gives you better performnces that the following solution! anyway, if you don't want this olution, you could add the wineventlog index to the de...
See more...
Hi @jovnice , I hint to add index=wineventlog because gives you better performnces that the following solution! anyway, if you don't want this olution, you could add the wineventlog index to the default search path (in [Settings > Roles> <your_role> > Indexes]. Ciao. Giuseppe
02-21-2024
11:21 PM
Hi Gary
Just to make sure I understand you correctly you have a webpage, with the underlying requests of these pages making ajax calls to different domains correct?
Or are you referring to incomi...
See more...
Hi Gary
Just to make sure I understand you correctly you have a webpage, with the underlying requests of these pages making ajax calls to different domains correct?
Or are you referring to incoming traffic to the web page coming from 2 different domains?
Also 140 api calls in total is relatively small and should easily be manageable, can you possibly explain or provide screenshots of what is becoming too cluttered to better understand the problem you are facing to better answer your question?
Ciao
02-21-2024
11:21 PM
As PickleRick write, why not use the 500MB/day Free license? 5GB/30 = 166MB/day, much less then 500MB Free. The Free license do have some limitation that may give problem. Another solution is to...
See more...
As PickleRick write, why not use the 500MB/day Free license? 5GB/30 = 166MB/day, much less then 500MB Free. The Free license do have some limitation that may give problem. Another solution is to point all the small Splunk setup to the same license. Then they will all use of the same 5GB license.
02-21-2024
11:08 PM
1 Karma
@SplunkUser5 - Yes @jotne is right about transforms.conf issue. But if you want to exclude at the input level. This is a common issue I come across all the time and I keep forgetting again and ag...
See more...
@SplunkUser5 - Yes @jotne is right about transforms.conf issue. But if you want to exclude at the input level. This is a common issue I come across all the time and I keep forgetting again and again that is Windows path requires extra backslashes in the regex sometimes. Try: C:\\\Users\\\.*\\\AppData\\\Local\\\Microsoft\\\Teams\\\current (try the 4 backslash version as well, as I'm not sure which one will work. I always have to do try and error between 2, 3, and 4 backslashes.) I hope this helps!!! Kindly upvote if it does!!!
02-21-2024
10:50 PM
1 Karma
@AL3Z - Sample reference query | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_p...
See more...
@AL3Z - Sample reference query | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| rename Processes.* as *
| eval firstTime = strftime(firstTime, "%F %T")
| eval lastTime = strftime(lastTime, "%F %T") FYI, this is just one sample example to detect lateral movement in powershell. Lateral Movement is broad topic, so please refer to my original answer. I hope this helps!!! Kindly upvote if it does!!!
02-21-2024
10:46 PM
1 Karma
You regex: REGEX = "Teams\.exe<\/Data>" does not hit your input data due to the quote. Do not quote your regex in transforms.conf REGEX = Teams\.exe<\/Data>
02-21-2024
10:34 PM
1 Karma
@jovnice - Please specify index. If you don't know the index, run this search for a longer time range, something like the last 7 days or so. index=* source="*WinEventLog:Application" Try this...
See more...
@jovnice - Please specify index. If you don't know the index, run this search for a longer time range, something like the last 7 days or so. index=* source="*WinEventLog:Application" Try this search and see if you see any results. Once you see any results then you can add more search criteria. I hope this helps!!! Kindly upvote if this helps!!
02-21-2024
09:30 PM
1 Karma
See sort. | sort 0 Score desc is semantically identical to | sort limit=0 Score desc. But | sort - 0 Score is equivalent to | sort 0, Score desc. That is, you are sorting two fields, 0 and Score, i...
See more...
See sort. | sort 0 Score desc is semantically identical to | sort limit=0 Score desc. But | sort - 0 Score is equivalent to | sort 0, Score desc. That is, you are sorting two fields, 0 and Score, in descending order and without using limit. Sort is memory hungry. Setting 10,000 by default is a sensible choice.
02-21-2024
09:18 PM
@bowesmana thanks, Chart is slow on my data, after several try and error find solution. first using “stats” to extract count, then use “xyseries”.
02-21-2024
08:50 PM
We have configured different services (cyberflows-sre,cybersec,cybervault...) in our server, in AppD metric browser those services are visible as no's (342,343,345,...) how to know (where to find) wh...
See more...
We have configured different services (cyberflows-sre,cybersec,cybervault...) in our server, in AppD metric browser those services are visible as no's (342,343,345,...) how to know (where to find) which number resembles which service?
Labels
- Labels:
-
Infrastructure
02-21-2024
05:43 PM
Hello, We're using PAN-OS 10.1.11 and Palo Alto Networks Add-on version 6.5.0. Wants to upgrade Add-on to 8.1.1. Would like to know the PAN-OS supported by Palo Alto Networks Add-on version 8.1.1....
See more...
Hello, We're using PAN-OS 10.1.11 and Palo Alto Networks Add-on version 6.5.0. Wants to upgrade Add-on to 8.1.1. Would like to know the PAN-OS supported by Palo Alto Networks Add-on version 8.1.1. Unable to locate this information from the Add-On release note or installation guide. Thanks and Rgds
Labels
- Labels:
-
installation
02-21-2024
03:29 PM
1 Karma
Hi All, I found this https://community.splunk.com/t5/Dashboards-Visualizations/9-0-5-ui-prefs-conf-Why-my-default-search-mode-in-search-page-on/m-p/652793 and in there is this. SplunkWeb users may ...
See more...
Hi All, I found this https://community.splunk.com/t5/Dashboards-Visualizations/9-0-5-ui-prefs-conf-Why-my-default-search-mode-in-search-page-on/m-p/652793 and in there is this. SplunkWeb users may experience different behaviors for the UI preferences that used to persist and show latest preferences by updating ui-prefs.conf on the fly. Now after upgrade to 9.0.5+ or 9.1.0+ its behavior changed and no longer uses ui-prefs.conf to remember the user's UI level preferences, but instead, uses the url in the request or localStorage/Web Storage. In Firefox I found this webappsstore.sqlite in my ../Library/Application Support/Firefox/Profiles/e0fxb1hs.default-release which is similar to the above. Is this where the ui-prefs.conf information was moved to? I've had a request from a user that wants to set the 'Selected fields', but after the upgrade to 9.1.2 the changes would be stored in a sqlite DB. Is this correct? Is there any way of changing the 'Selected fields' other than using the backend? Does this work for other apps beyond Search? TIA, Joe
Labels
- Labels:
-
using Splunk Enterprise
02-21-2024
02:51 PM
Hi Folks,
I'm running into trouble excluding new process creation events for Teams from being indexed. It's an expected application and starts at logon so we're not super worried about it.
I've l...
See more...
Hi Folks,
I'm running into trouble excluding new process creation events for Teams from being indexed. It's an expected application and starts at logon so we're not super worried about it.
I've looked at a handful of community articles, tried what was posted, and I'm stumped. My regex syntax looks fine, but Splunk still isn't excluding the events. Here's what I've tried so far:
_____inputs.conf_____
blacklist3 = EventCode="4688" new_process_name=".*Teams.exe"
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"
blacklist3 = EventCode="4688" $XmlRegex="Name=\'NewProcessName\'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe<\/Data>"
None of these have worked. I found a couple community articles saying props.conf and transforms.conf was the proper way to filter out events so I tried these as well:
_____props.conf_____
[WinEventLog:Security]
TRANSFORMS-null = 4688cleanup
_____transforms.conf_____
[4688cleanup]
REGEX = "Teams\.exe<\/Data>"
DEST_KEY = queue
FORMAT = nullQueue
And this:
_____transforms.conf_____
[4688cleanup]
REGEX = <EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>
DEST_KEY = queue
FORMAT = nullQueue
None of these have worked so far and I'd appreciate any input y'all have.
Here is a copy of an event I'm trying to exclude from being indexed (Teams.exe as a new process):
<Event xmlns='http:// schemas .microsoft .com/win/2004/08/events/event '><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:11:25.7542758Z'/><EventRecordID>4096881</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1124'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x11111111</Data><Data Name='NewProcessId'>0x5864</Data><Data Name='NewProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4604</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>
And a copy of an event we'd like to keep (Teams.exe as a parent process, but not the new process):
<Event xmlns='http:// schemas .microsoft .com/win/2004/08/events/event '><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:33:19.5932251Z'/><EventRecordID>4212468</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='31196'/><Channel>Security</Channel><Computer>{Device_FQNDN</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x1111111</Data><Data Name='NewProcessId'>0x7664</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4238</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>
Events obfuscated for privacy. Like I said, the regex syntax looks fine as far as I can tell and matches in regex101 so I'm hoping it's a small thing I'm overlooking. We're running Splunk v9.1.1 if that makes any difference. Thanks!
-SplunkUser5
Labels
- Labels:
-
inputs.conf
-
props.conf
-
transforms.conf
02-21-2024
02:18 PM
Hello, I don't know how to simulate this using makeresults, but I have data over 10,000 (let say 50,000) If I sort descending using "| sort - 0 Score", it will only give me 10,000 rows, but I use...
See more...
Hello, I don't know how to simulate this using makeresults, but I have data over 10,000 (let say 50,000) If I sort descending using "| sort - 0 Score", it will only give me 10,000 rows, but I used "| sort 0 Score desc", it will give me 50,000 rows. What is the different between using sort - and sort desc? Why doesn't sort - only limit to 10,000? Thank you so much index=test | sort - 0 Score ==> only 10,000 rows I need to use "| sort Score desc" Name Score Name1 5 Name2 0 Name3 7 Name4 0 …. Name50000 9
02-21-2024
01:56 PM
Sure.. So, here it goes.. I have a dashboard that is tracking 'jobs'... Completed jobs and this particular widget is tracking 'running' jobs (start but no end). I might be tracking around 80 jobs ...
See more...
Sure.. So, here it goes.. I have a dashboard that is tracking 'jobs'... Completed jobs and this particular widget is tracking 'running' jobs (start but no end). I might be tracking around 80 jobs but there should not be more than 5 or 6 'running' at any particular time. So, not creating 80 transactions.
Everything is working as designed but this one job that starts and ends at the same time showed up in my 'running' jobs widget and then is missing from my completed jobs widget.
Once I run my initial 'search' for log events here is what im doing.
index=anIndex sourcetype=aSourcetype (aJob1 OR aJob2 OR aJob3) AND ("START of script" OR "COMPLETED OK" OR "ABORTED, exiting with status" )
| rex field=_raw "Batch::(?<aJobName>[^\s]*)"
| transaction keeporphans=true host aJobName startswith=("START of script") endswith=("COMPLETED OK" OR "ABORTED, exiting with status")
| eval closed_txn = if ( isnull(closed_txn),0,closed_txn)
| search closed_txn=0
| sort _time
| eval aDay = strftime(_time, "%a. %b. %e, %Y")
| eval aStartTime=strftime(_time, "%H:%M:%S %p")
| eval aDuration=tostring((now()-_time), "duration")
| eval aEndTime = "--- Running ---"
| table aHostName aDay aJobName aStartTime aEndTime aDuration
But, this one job is causing me issues as Transaction is not picking up the start/end that have the same _time
