All Posts
Hi team, I've completed all the configurations according to the steps provided in the following link for integrating Jamf Protect and Splunk: https://learn.jamf.com/bundle/jamf-protect-documentation/page/Splunk_Integration.html Under the "Testing the Event Collector Token" section, when I execute the command as instructed in "Using the values obtained in step 1," I can see the log I sent from my local machine on the Splunk search head. However, logs from other clients, especially Jamf Pro logs, are not visible. I can confirm that the logs are being captured by using tcpdump on the heavy forwarder, but they are not appearing in search results. What could be the reason for this? Additionally, where can I check error logs from the CLI to investigate this further? Thanks
Thank you for your quick reply, I would like to know if Enterprise security is used at all in our company. So is it used 1-2 times a year or has it only been used 10 times in the last 3 months?
#define <utilisation> please
Well... scrub can work strangely sometimes. For example, scrubbing my firewall logs shows that my firewalls do actions:
- allowed
- blocked
- dropped
- mckenzie
Hello, We have PROD and DEV instances that are both running Mission Control with the following versions:
PROD - ES v7.1.1, Mission Control v3.0.2
DEV - ES v7.3.0, Mission Control v3.0.2
PROD works fine and incidents tally between ES and MC. Unfortunately for DEV, some of the notables from ES are not flowing into MC. Is this an issue with the latest version of ES? I've looked into the latest release notes of both ES and MC, and it's not listed in the "Known Issues" page. Can't find anything helpful in the internal logs either. Any insights will be highly appreciated. Thank you!
Hello, is it possible to analyse the utilisation of Enterprise Security? I assume it is currently not used in our company, but I would like to be able to prove this with statistics. Thanks Pad
Thanks @PickleRick, let me check and will update.
As you can see, this is a thread from almost 13 years ago. The probability that you'll get a response from the people involved in it is very slim. You should rather start a new thread describing your problem, what your needs are, what you have tried already and so on. This will give you more visibility and a higher chance of getting help.
There is no such thing as "merging" events. If you're sending to the /event endpoint, you have to make sure you're sending whole events. I'm not 100% sure how/if linebreaking works with the /raw endpoint.
OK. I'm either overworked or blind. I counted them several times and always came up with the same 8/7 numbers. You're right. They both have 7 fields.
1. Check the sourcetype props
2. CEF typically comes with a syslog header. You're not showing the header - maybe it's been cut after the time had been parsed out from it.
It all boils down to verifying:
1) Raw format of the data coming from the source with tcpdump to be sure what's on the wire
2) Settings for the sourcetype - how the timestamp is being parsed/assigned and how the event is modified on ingestion.
@PickleRick Both have 7
Department,Vendor,Type,url_domain,user,src_ip,Whitelisted
BigData,Material,Google Remote Desktop,Alpha.com,Alice,172.16.28.12,TRUE
Are you sure you copy-pasted whole lines? First line has 8 fields, second one has 7.
@manish_singh_77 - did you ever figure this out? I'm having the same problem.
Again - you are very vague about your needs. Also you might have chosen the solution badly - Splunk can do "realtime", but realtime searches have their limitations and are very resource intensive. To show you an analogy - it is as if you asked "what car should I buy that is most cost-effective? It must be red". We don't know what it is you need to do with that car, whether you need a sports car, a semi-truck or a bus, we don't know what your reason for owning that car is, but you want it to be cost-effective and painted red. Depending on context, it could be a Mazda MX-5, a city bus or a Caterpillar 797 in red paint.
Setting up the lookup the way you described and using makeresults to generate events (rather than an index search) works for me as expected. So, perhaps your real data or lookup is inconsistent with the description you gave, or you have found a bug. Which version of Splunk are you using?
@isoutamo Hi, forgot about elastic and the separated index. I need to send raw logs via a forwarder to Splunk and create a dashboard that works with the metrics that exist in the log. What is the most effective performance solution in Splunk that works with realtime and historical data? I need to load the dashboard quickly and accurately, e.g. the span in timechart is 1s. FYI: data is coming from several servers and there are lots of log lines each second.
Hi Ryan, Is it applicable for the SaaS Controller as well? Thanks, Sikha
We are due to go live on the following Monday and we wanted to erase all of our test Mission Control incidents so we have a clean slate. How is this possible?
"CEF:0|Bitdefender|GravityZone|6.35.1-1|35|Product Modules Status|5|BitdefenderGZModule=modules dvchost=xxx      BitdefenderGZComputerFQDN=xxxxx dvc=x.x.x.x deviceExternalId=xxxxx BitdefenderGZIsContainerHost=0 BitdefenderGZMalwareModuleStatus=enabled BitdefenderGZBehavioralScanAVCModuleStatus=enabled BitdefenderGZDataLossPreventionModuleStatus=disabled"
The logs are from Bitdefender and they show a time diff of +15 hrs, and there is no timestamp in the logs. No other sourcetypes from the same HF show the behaviour, only the Bitdefender logs. All help is appreciated to correct the time.