Thank you for the answer. I have indeed already tried the option you proposed, but believe it will not work because the default retention of the internal logs does not go past 30 days, I believe. Surely Splunk has another way to keep track of this though? Regards, Knut

Thank you for the reply, I missed the "to be installed on a forwarder line" , as it is only 1line in details and not mentioned in installed or anything.   It actually still is strange that it can be installed on Splunkcloud, as you can't use it there. Even when you can configure it, it wants to right the logs it retreives localy, before ingesting.  So a HF it is.    Kind regards,   Richard

@PapaE - You just need to download tgz file (reference - https://community.splunk.com/t5/Installation/Use-WGET-to-download-Splunk/m-p/48090). * Once downloaded, just extract it with tar -xvzf <file-name> command. * Then you can execute ./splunk start to start Splunk service.   I hope this helps!!! Happy Splunking!!!

Hi @tscroggins m this is the solution I tought, that I'd like to avoid: I'll try to persuade the customer to use the Universal Forwarder, otherwise I will create a translator from WinLogBeat to Splunk_TA_Windows, as I did for Linux. Thank you. Ciao. Giuseppe

Hi @vishenps , if the updated apps aren't related, you can wait and restart once. It could be different if you have related apps (e.g. MLTK and Python) that I'd like to follow the proper restart sequence. Ciao. Giuseppe

Hi the easiest way is look from MC (monitoring console). You could found it from Settings -> Monitoring Console. There select Indexing -> Indexes and Volumes -> Index details: Deployment It gives you a dashboard where is Earliest and Latest Event information. Then under Earliest value is magnifying class which you should click to get SPL which have generate that value.  When you want to get that value based on bucket type (warm, cold) you must update that query to calculate those values by fields: bucket_dirs.home.event_min_time and minTime (this should be cold bucket time). r. Ismo

Hi it's hard to say if anyone of those is directly affected to splunk, but usually it's a best practices to keep your OS and also other products up to date to avoid any security issues. You already have found Splunk's own security issue page which also should fulfil as soon as possible. r. Ismo

Hi Have you any document which describes your naming policy? Or should we just guess which part are standard like  (DR) Country-Cisco_Router-<IP>-<content> <IP>-Country-Server type-<host>-<user> etc. r. Ismo

All the other solutions are tricky which needs more time, however for now i settled with SEDCMD which only works with custom sourcetype, while i am still exploring if i find anything which works i will update this post.

Please elaborate on "it is not working".  What results are expecting and what results do you get?  Are you seeing anything at all from the UF in Splunk Cloud or is it just the monitored file that you don't find?  How are you checking for the data?  Have you looked at splunkd.log on the UF for clues? I have edited your last reply to remove information anyone could have used to send random data to your Splunk Cloud instance.

Hi @tscroggins  @richgalloway  @PickleRick , In this below sample event  the C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe appears in both ParentParentName and NewProcessName, we might need a specialized handling. Would you like help with a xml regex pattern to cover these conditions? <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T08:18:13.998467800Z'/><EventRecordID>151265209</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='11116'/><Channel>Security</Channel><Computer>xxvy.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>Admin$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3978</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f80</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event> Can we use like this ? blacklist4 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>% blacklist5= $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="ParentProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%      

Hi @Ka21, Splunk periodically releases updates to address vulnerabilities in libraries shipped with Splunk products. Browse to <https://advisory.splunk.com/> to review bulletins labeled "Third Party Package Updates in Splunk Enterprise" and "Splunk Universal Forwarder Third-Party Updates." For November 2023: November 2023 Third Party Package updates in Splunk Enterprise November 2023 Splunk Universal Forwarder Third-Party Updates Third Party Package Update in Splunk Add-on for Google Cloud Platform Third Party Package Update in Splunk Add-on for Amazon Web Services Re: Java, you'll need to review individual Java-based apps and add-ons--Splunk ITSI, Splunk DB Connect, etc.--for compatibility and upgrade the JRE as needed.

You can't do this construct | timechart count as totalNumberOfPatches by X | eval a=case(X=bla, 1...) because when you split a timechart by a field, the count AS totalNumberOfPatches does not result in a field called totalNumberOfPatches, but the fields are the names of the values of  the split by clause, in your case Computer_Name. I assume you have a stats rather than timechart, but as @richgalloway says, using dc() is the way to count distinct versions of a field.