Hi this is disk space used for user’s search jobs. Unfortunately I couldn’t found any good individual docs for explanations. You could look e.g. https://docs.splunk.com/Documentation/Splunk/9.1.2/Search/ViewsearchjobpropertieswiththeJobInspector https://docs.splunk.com/Documentation/Splunk/9.1.2/Search/Dispatchdirectoryandsearchartifacts r. Ismo

I have the index in both the inputs.conf stanza, and I also added it to the Splunk Enterprise list of indexes. I don't understand why it worked on my Windows 10 Enterprise and my Kali Linux machines (for Kali I configured through command line), but not Windows 10 2015. I am sure that my steps for Windows 10 2015 and Windows 10 Enterprise are the exact same.

Sorry for the late reply, Is there a way to have this automated test done via splunk observability and produce a log then as well that would be ingested into splunk or do I need to find an outside product that would perform my tests and produce a log for me of the successes and failures.

The answer confuses processes with files and the WinEventLog input type with the monitor input type. ChatGPT is a fine a tool, but its output is misleading and incorrect in this context. Human oversight is required.

Hi @AL3Z, Props to @richgalloway for pointing out the difference between my test data with quotes (") and live data with apostrophes ('). We can accommodate both in the regular expression. We can also accommodate multiple Data elements with different Name attributes; however, if the same value is in both elements, we only need to match one to filter the event. If you want match a value in either element, try: blacklist3 = $XmlRegex=%<Provider[^>]+Name=["']Microsoft-Windows-Security-Auditing["']% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name=["'](New|Parent)ProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>% (New|Parent)ProcessName matches both NewProcessName and ParentProcessName. If it's easier to read and maintain, you can also use (NewProcessName|ParentProcessName). If you only want to match events that do have the same value in both elements, add an additional $XmlRegex match: blacklist3 = $XmlRegex=%<Provider[^>]+Name=["']Microsoft-Windows-Security-Auditing["']% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name=["']NewProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>% $XmlRegex=%<Data Name=["']ParentProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>% Technically, the example also matches e.g. <Data Name="NewProcessName'> with different start and end characters, but it's not valid XML, and you shouldn't encounter this case in a live event stream. We can make the regular expression tighter with capture groups and back references, but I don't know if back references are supported in this context. Separate blacklist values will work as well. Combining them or separating them is up to your preference and administrative style.

Hi this is possible and I suppose that quite often used way. Here is one conf presentation about RBAC which could help you https://conf.splunk.com/watch/conf-online.html?search=Pla1169b&search.event=conf23#/ r. Ismo

Hi this error means that you have hard license violation and you cannot run regular searches before you get reset license or your daily ingest is less than your license amount enough long time so you get rid of licensing violation. As you haven’t valid support contract I don’t believe that you get reset license. So your options are try to buy support contract or just wait until your license violation has resolved by indexing less (max 4 violations by 30 days, if I recall right for this version?). Anyhow your version is quite old (dropped out from support already several years ago), that you should update it if it’s still in use. r. Ismo

@AL3Z  In the context of blacklisting Windows events using inputs.conf for a Universal Forwarder, the relevant process name field you would typically use depends on your specific requirements. Let me break down the options you mentioned: CreatorProcessName: This field represents the name of the process that created the new process. If you are interested in events based on the process that initiated the creation of another process, you might use this field. ParentProcessName: This field indicates the name of the parent process that spawned the new process. If you want to blacklist events based on the immediate parent process, you would use this field. NewProcessName: This field represents the name of the new process that was created. If you are looking to blacklist events based on the specific process that is created, this would be the field to use. When configuring blacklisting for Windows events, you may need to consider your specific use case and the level of granularity you require. For instance, if you want to block events based on a certain application being launched, you would use the "NewProcessName." If you want to block events based on a specific process initiating the creation of other processes, you might use "CreatorProcessName" or "ParentProcessName." Here's a basic example of how you might use inputs.conf to blacklist events based on the NewProcessName: [monitor://C:\Path\To\Your\Logs] disabled = false index = your_index sourcetype = your_sourcetype ignoreOlderThan = <your_time_specification> blacklist = \.exe$ ; Adjust this regex pattern based on your needs In the example above, the "blacklist" line uses a regular expression to filter out events where the new process name ends with ".exe". Adjust the regex pattern according to your requirements. Remember to restart the Universal Forwarder after making changes to the inputs.conf file for the changes to take effect. Always test your configurations in a controlled environment to ensure they behave as expected before deploying them in a production setting. Thanks rasad4468

  It seems like your custom search command is being executed twice because of the way Splunk handles the map/reduce phases in a distributed search environment. This behavior is expected in certain scenarios, and it's often related to how Splunk distributes and processes data across different search peers. In your specific case, the key information is found in the search.log: 09-13-2018 11:33:08.462 INFO ParallelReducePolicy - Current Search Head doesn't have any usable peers to use. 09-13-2018 11:33:08.462 INFO PhaseNodeGenerationVisitor - User lacking run_multi_phased_searches, rolling back to 2-phase mode. Splunk is running the map phase twice because it's not able to parallelize the search across multiple search peers. As a result, it falls back to a two-phase execution (map and reduce) on the search head itself. To avoid this behavior, you might want to consider the following: Parallelization: Ensure that your search environment has multiple search peers that can be utilized for parallel processing. This may involve configuring search peer clustering or making adjustments to your distributed environment. run_multi_phased_searches: The log mentions that the user lacks the run_multi_phased_searches capability. This capability allows Splunk to run multiple phases on different search peers simultaneously. You might want to check the user's role and capabilities to ensure it has the necessary permissions. Debugging: Consider adding more logging statements to your custom search command to trace the execution flow and see if it provides additional insights into why it's being called twice. Splunk Documentation: Check the Splunk documentation for custom search commands and distributed search to see if there are any specific guidelines or recommendations for handling distributed environments. Splunk Answers: Search the Splunk Answers community for similar issues or ask a question there. The community is active, and you might find someone who has encountered and resolved a similar problem. Keep in mind that Splunk's distributed search behavior can be complex, and understanding how it distributes and processes data is crucial for developing efficient custom search commands.   I hope this will help Thanks rasad4468