All Posts

I will look into this. Thank you!
The answer confuses processes with files and the WinEventLog input type with the monitor input type. ChatGPT is a fine tool, but its output is misleading and incorrect in this context. Human oversight is required.
Is there a definitive KB article that tells us what exactly makes up a user's disk "Disk Space Limit"? What are activities that count towards this limit? Also, what are things that can help users clean up their usage? Screenshot attached of which setting I am talking about. Appreciate any and all help.
@tscroggins Hi Tscroggins! Using ChatGPT for a good cause, for example helping another human being, then it's yes. If the solution is not working then NO.
Hi @AL3Z, Props to @richgalloway for pointing out the difference between my test data with quotes (") and live data with apostrophes ('). We can accommodate both in the regular expression. We can also accommodate multiple Data elements with different Name attributes; however, if the same value is in both elements, we only need to match one to filter the event. If you want to match a value in either element, try:

blacklist3 = $XmlRegex=%<Provider[^>]+Name=["']Microsoft-Windows-Security-Auditing["']% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name=["'](New|Parent)ProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>%

(New|Parent)ProcessName matches both NewProcessName and ParentProcessName. If it's easier to read and maintain, you can also use (NewProcessName|ParentProcessName). If you only want to match events that do have the same value in both elements, add an additional $XmlRegex match:

blacklist3 = $XmlRegex=%<Provider[^>]+Name=["']Microsoft-Windows-Security-Auditing["']% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name=["']NewProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>% $XmlRegex=%<Data Name=["']ParentProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>%

Technically, the example also matches e.g. <Data Name="NewProcessName'> with different start and end characters, but it's not valid XML, and you shouldn't encounter this case in a live event stream. We can make the regular expression tighter with capture groups and back references, but I don't know if back references are supported in this context. Separate blacklist values will work as well. Combining them or separating them is up to your preference and administrative style.
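An added example, not part of the thread, that replays the two blacklist3 variants above against constructed XML-rendered 4688 events (both quote styles) to show which events each variant drops; it assumes, as the Splunk inputs.conf docs describe, that every key=regex pair on one blacklist line must match for an event to be excluded.

```python
import re

# Constructed sample paths (not from the original thread)
TANIUM = r"C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe"
CMD = r"C:\Windows\System32\cmd.exe"

def make_event(new_proc, parent_proc, quote="'", event_id="4688"):
    """Minimal XML-rendered Security event; live data uses apostrophes, the post's test data used quotes."""
    q = quote
    return (
        f"<Event><System><Provider Name={q}Microsoft-Windows-Security-Auditing{q}/>"
        f"<EventID>{event_id}</EventID></System><EventData>"
        f"<Data Name={q}NewProcessName{q}>{new_proc}</Data>"
        f"<Data Name={q}ParentProcessName{q}>{parent_proc}</Data>"
        "</EventData></Event>"
    )

# The XmlRegex bodies from the post (the text between the % delimiters), as Python raw strings
PROVIDER = r"<Provider[^>]+Name=[\"']Microsoft-Windows-Security-Auditing[\"']"
EVENT_ID = r"<EventID>4688<\/EventID>"
TANIUM_RE = r"C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe"

# Variant 1: drop the event if the Tanium path is in either NewProcessName or ParentProcessName
EITHER_ELEMENT = [PROVIDER, EVENT_ID,
                  r"<Data Name=[\"'](New|Parent)ProcessName[\"']>" + TANIUM_RE + r"<\/Data>"]

# Variant 2: drop the event only if both elements hold the Tanium path
BOTH_ELEMENTS = [PROVIDER, EVENT_ID,
                 r"<Data Name=[\"']NewProcessName[\"']>" + TANIUM_RE + r"<\/Data>",
                 r"<Data Name=[\"']ParentProcessName[\"']>" + TANIUM_RE + r"<\/Data>"]

def is_blacklisted(event_xml, patterns):
    # Assumption modelled here: all key=regex pairs on one blacklist line must match (logical AND)
    return all(re.search(p, event_xml) for p in patterns)

def forwarded(events, patterns):
    """Return the events that survive the blacklist, i.e. what the forwarder would still send."""
    return [e for e in events if not is_blacklisted(e, patterns)]

SAMPLE = [
    make_event(TANIUM, TANIUM),                   # Tanium spawned by Tanium, apostrophes (live style)
    make_event(TANIUM, TANIUM, quote='"'),        # same event with double quotes (test-data style)
    make_event(CMD, TANIUM),                      # Tanium launching cmd.exe: only the parent matches
    make_event(TANIUM, TANIUM, event_id="4624"),  # wrong EventID: never filtered by either variant
]

if __name__ == "__main__":
    print(len(forwarded(SAMPLE, EITHER_ELEMENT)), "event(s) forwarded with the either-element rule")
    print(len(forwarded(SAMPLE, BOTH_ELEMENTS)), "event(s) forwarded with the both-elements rule")
```

The either-element rule drops the cmd.exe child event too, because ParentProcessName alone satisfies (New|Parent)ProcessName; the both-elements rule keeps it.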
@rasad4468  Was that written by ChatGPT?
Hi, you are probably looking for $click.value2$ on https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/DrilldownLinkToSearch. r. Ismo
Makes sense, thank you!!
Hi, this is possible and I suppose it is quite often used. Here is one .conf presentation about RBAC which could help you: https://conf.splunk.com/watch/conf-online.html?search=Pla1169b&search.event=conf23#/ r. Ismo
Hi, this error means that you have a hard license violation and you cannot run regular searches before you get a reset license or your daily ingest stays below your license amount for long enough that you get rid of the licensing violation. As you don't have a valid support contract, I don't believe that you will get a reset license. So your options are to try to buy a support contract or just wait until your license violation has resolved by indexing less (max 4 violations in 30 days, if I recall right for this version?). Anyhow, your version is quite old (dropped out of support already several years ago), so you should update it if it's still in use. r. Ismo
@AL3Z In the context of blacklisting Windows events using inputs.conf for a Universal Forwarder, the relevant process name field you would typically use depends on your specific requirements. Let me break down the options you mentioned:

CreatorProcessName: This field represents the name of the process that created the new process. If you are interested in events based on the process that initiated the creation of another process, you might use this field.

ParentProcessName: This field indicates the name of the parent process that spawned the new process. If you want to blacklist events based on the immediate parent process, you would use this field.

NewProcessName: This field represents the name of the new process that was created. If you are looking to blacklist events based on the specific process that is created, this would be the field to use.

When configuring blacklisting for Windows events, you may need to consider your specific use case and the level of granularity you require. For instance, if you want to block events based on a certain application being launched, you would use the "NewProcessName." If you want to block events based on a specific process initiating the creation of other processes, you might use "CreatorProcessName" or "ParentProcessName."

Here's a basic example of how you might use inputs.conf to blacklist events based on the NewProcessName:

[monitor://C:\Path\To\Your\Logs]
disabled = false
index = your_index
sourcetype = your_sourcetype
ignoreOlderThan = <your_time_specification>
blacklist = \.exe$ ; Adjust this regex pattern based on your needs

In the example above, the "blacklist" line uses a regular expression to filter out events where the new process name ends with ".exe". Adjust the regex pattern according to your requirements. Remember to restart the Universal Forwarder after making changes to the inputs.conf file for the changes to take effect.
Always test your configurations in a controlled environment to ensure they behave as expected before deploying them in a production setting. Thanks rasad4468
Hello @Shohel.Tamboli, Let's see if the Community can jump in and help. In the meantime, I have created a ticket for the Docs team to review the article you referenced to see if it can be updated.
Have you updated the version and build numbers in app.conf and then done a _bump to load the new version? If I have understood right, just _bump without updating version and build is not enough.
It seems like your custom search command is being executed twice because of the way Splunk handles the map/reduce phases in a distributed search environment. This behavior is expected in certain scenarios, and it's often related to how Splunk distributes and processes data across different search peers. In your specific case, the key information is found in the search.log:

09-13-2018 11:33:08.462 INFO ParallelReducePolicy - Current Search Head doesn't have any usable peers to use.
09-13-2018 11:33:08.462 INFO PhaseNodeGenerationVisitor - User lacking run_multi_phased_searches, rolling back to 2-phase mode.

Splunk is running the map phase twice because it's not able to parallelize the search across multiple search peers. As a result, it falls back to a two-phase execution (map and reduce) on the search head itself. To avoid this behavior, you might want to consider the following:

Parallelization: Ensure that your search environment has multiple search peers that can be utilized for parallel processing. This may involve configuring search peer clustering or making adjustments to your distributed environment.

run_multi_phased_searches: The log mentions that the user lacks the run_multi_phased_searches capability. This capability allows Splunk to run multiple phases on different search peers simultaneously. You might want to check the user's role and capabilities to ensure it has the necessary permissions.

Debugging: Consider adding more logging statements to your custom search command to trace the execution flow and see if it provides additional insights into why it's being called twice.

Splunk Documentation: Check the Splunk documentation for custom search commands and distributed search to see if there are any specific guidelines or recommendations for handling distributed environments.

Splunk Answers: Search the Splunk Answers community for similar issues or ask a question there. The community is active, and you might find someone who has encountered and resolved a similar problem.

Keep in mind that Splunk's distributed search behavior can be complex, and understanding how it distributes and processes data is crucial for developing efficient custom search commands. I hope this will help. Thanks rasad4468
So, top does not take NULL into account for total and percentage? Is there a way top can take NULL into consideration? @ITWhisperer
Hi @Marcin.Kluzek, Just confirming your post is live. Let's see if the Community can jump in and help. You may also reach out to Support if the problem is urgent. How do I submit a Support ticket? An FAQ
Hello, I have a table that shows vulnerabilities by asset name and severity level. For example, I have an asset name that has 3 critical, 2 high, 3 medium, and 1 low. Now what I want to do is be able to just click on the field critical and just be able to show those critical vulnerabilities for that asset name and so on. I am not sure if that requires a condition and how that is set up or if it just requires a simple drill-down. Can someone please help?
@ITWhisperer I will try this by tomorrow when I am on my machine as a workaround. I am still not figuring out from where the two extra stash files were created. Please help me to identify those things. What do I need to check? I have checked audit index logs and internal index logs but I have found nothing.
Those two fields have different meanings so use the one that applies to your use case(s). NewProcessName is more common, IME, but both may be useful.