Good Afternoon, My leadership informed me that CrowdStrike is sending our logs to Splunk. Has anyone done any queries to show when a device is infected with malware? I don't know the CrowdStrike logs, but I'm hoping someone here can give me some guidance to get started. 

Hello All, I am using Splunk as Datasource and trying to build dashboards in Grafana (v10.2.2 on Linux OS). Is there anything in Grafana wherein I do not have to write 10 queries in 10 panels. Just one base query will fetch data from Splunk and then in Grafana I can write additional commands or functions which will be used in each panel on top of the base query, so Splunk load is reduced. Similar to “Post process search” in Splunk. Post Process Searching - How to Optimize Dashboards in Splunk (sp6.io) I followed below instructions and able to fetch data in Splunk but it causes heavy load and stops working next day and all the panels shows “No Data”. Splunk data source | Grafana Enterprise plugins documentation Your help will be greatly Appreciated! Thanks in Advance!

Hi Team  I tried the below search but not getting any result,  index=aws component=Metrics group=per_index_thruput earliest=-1w@d latest=-0d@d | timechart span=1d sum(kb) as Usage by series | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024, 3)]      

I was wondering if anyone knew where I could find it either in the logs or even better the audit REST endpoint if an automation account regenerates it's auth-token.     I've looked through the audit logs but I haven't seen an entry for it.     Any leads or tips would be appreciated.    Thank you

A snippet from strace output seems to indicate that the 30-40 mins may be taken by the ssl certificate generating steps: <<<snipped>>>>> wait4(9855, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9855        stat("/opt/splunkforwarder/etc/auth/server.pem", 0x7ffdec4c4580) = -1 ENOENT (No such file or directory) clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f143df47e50) = 9857 wait4(9857,                                                                                                                                                                                                                                                                                                         < < <  stuck here for 30-40 mins > > > >   0x7ffdec4c45f4, 0, NULL)    = ? ERESTARTSYS (To be restarted if SA_RESTART is set) --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} --- wait4(9857, New certs have been generated in '/opt/splunkforwarder/etc/auth'. [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9857 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=9857, si_uid=0, si_status=0, si_utime=11, si_stime=5} --- Strangely, this is only happening on Linux on Azure.  Using openssl, I am able to generate self-sign cert within seconds on the same machine. Our Linux on premises (on vmware) does not experience this performance issue.   Any thoughts on what the issue may be?  How to troubleshoot? Thank you

Thanks in advance for the assistance, I am very new to Splunk it is a great tool but I need some assistance.  I am trying to create a filtered report with the following criteria.  - I am filtering the data down based on phishing, and now I need to grab each of the individual src_ip and count them.  over a 30 day period.  Unfortunately I do not know have a prelist of IP addresses based on all of the examples.   My goal is to go down the list and count the number of occurrences in this list and show the report on a front panel.  Also, any good books or video training for learning how to do advanced filtering in Splunk.  Thanks 

I have another requirement like, I want to show an bar chart which should show the total login count in basis of the time period we submit   for example if we select 2 days it should show the bar chart where y is for login count and x is for time slection (in basis of day interval like 6thfeb  7th feb like this)