All Posts
That makes a lot of sense, thanks for that.  And thank you for the link!
<14> prefix is displayed in splunk logs, what does it mean, why is it displayed? Can anyone answer this question please?
OK. How are you ingesting your events? key/value or XML? Does the other (working) blacklist entry specify just the event code?
Again - there are several different approaches you can take to "using ES", but what I'd do to get a rough idea of whether the solution is indeed being used:
1. Check if it's configured - are there correlation searches defined, are there user/asset mappings defined/synchronised, are sources decently onboarded (CIM-compliant)?
2. Does anyone actually open ES app views in the web UI (you should be able to find it in the internal logs)?
3. What is the status of your notables and investigations - do you see any traces of anyone working on them?
4. What is the version of your ESCU app? How long ago was it updated?
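The checks above, as an added example that is not part of the original reply: three searches that approximate steps 1 to 3 (correlation searches configured, web UI usage, notable triage) for the "is ES used at all" question. They assume a standard Enterprise Security deployment, i.e. the ES app id is SplunkEnterpriseSecuritySuite, notables are written to index=notable, and the ES `notable` macro is installed to enrich events with status_label and owner; the 90-day window and the saved-search REST path are choices, not requirements.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search action.correlationsearch.enabled=1
| stats count AS correlation_searches,
        count(eval(disabled=0)) AS enabled_correlation_searches

index=_internal sourcetype=splunk_web_access earliest=-90d
    uri_path="*/app/SplunkEnterpriseSecuritySuite/*"
| stats count AS page_views,
        min(_time) AS first_seen,
        max(_time) AS last_seen
    BY user
| convert ctime(first_seen) ctime(last_seen)
| sort - page_views

index=notable earliest=-90d
| `notable`
| stats count AS notables,
        count(eval(status_label!="New")) AS triaged,
        dc(owner) AS distinct_owners
    BY rule_name
| sort - notables
```

Run each search on the ES search head. Zero rows from the first search means no correlation searches exist at all; rows from the second search with only an admin or a service account, or none, means nobody opens the app; and a third search where triaged is 0 for every rule_name means notables are generated but never worked, which answers the original question in numbers rather than assumptions.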
Didn't work. Yes, I have restarted the services after making the changes.
I am making changes in /opt/splunk/etc/apps/splunk_ta_win/local/inputs.conf. The Windows Event IDs are collected using the Universal Forwarder. There is another blacklist in the same configuration file which is working fine without any issues.
Hi team, I've completed all the configurations according to the steps provided in the following link for integrating Jamf Protect and Splunk: https://learn.jamf.com/bundle/jamf-protect-documentation/page/Splunk_Integration.html Under the "Testing the Event Collector Token" section, when I execute the command as instructed in "Using the values obtained in step 1," I can see the log I sent from my local machine on the Splunk search head. However, logs from other clients, especially JamfPro logs, are not visible. I can confirm that the logs are being captured by using tcpdump on the heavy forwarder, but they are not appearing in search results. What could be the reason for this? Additionally, where can I check error logs from the CLI to investigate this further? Thanks
Thank you for your quick reply, I would like to know if Enterprise security is used at all in our company. So is it used 1-2 times a year or has it only been used 10 times in the last 3 months?
#define <utilisation> please
Well... scrub can work strangely sometimes. For example, scrubbing my firewall logs shows that my firewalls do actions:
- allowed
- blocked
- dropped
- mckenzie
Hello, We have PROD and DEV instances that are both running Mission Control, with the following versions:
PROD - ES v7.1.1, Mission Control v3.0.2
DEV - ES v7.3.0, Mission Control v3.0.2
PROD works fine and incidents tally between ES and MC. Unfortunately for DEV, some of the notables from ES are not flowing into MC. Is this an issue with the latest version of ES? I've looked into the latest release notes of both ES and MC, and it's not listed on the "Known Issues" page. I can't find anything helpful in the internal logs either. Any insights will be highly appreciated. Thank you!
Hello, is it possible to analyse the utilisation of Enterprise Security? I assume it is currently not used in our company, but I would like to be able to prove this with statistics. Thanks, Pad
Thanks @PickleRick let me check will update.
As you can see, this is a thread from almost 13 years ago. The probability that you'll get a response from the people involved in it is very slim. You should rather start a new thread describing your problem, what your needs are, what you have tried already and so on. This will give you more visibility and a higher chance of getting help.
There is no such thing as "merging" events. If you're sending to the /event endpoint, you have to make sure you're sending whole events. I'm not 100% sure how/if linebreaking works with the /raw endpoint.
OK. I'm either overworked or blind. I counted them several times and always came up with the same 8/7 numbers. You're right. They both have 7 fields.
1. Check the sourcetype props.
2. CEF typically comes with a syslog header. You're not showing the header - maybe it's been cut after the time had been parsed out from it.
It all boils down to verifying:
1) The raw format of the data coming from the source, with tcpdump, to be sure what's on the wire.
2) The settings for the sourcetype - how the timestamp is being parsed/assigned and how the event is modified on ingestion.
@PickleRick Both have 7
Department,Vendor,Type,url_domain,user,src_ip,Whitelisted
BigData,Material,Google Remote Desktop,Alpha.com,Alice,172.16.28.12,TRUE
Are you sure you copy-pasted whole lines? First line has 8 fields, second one has 7.
@manish_singh_77 - did you ever figure this out? I'm having the same problem.