All Posts



Has anyone been successful logging command execution events on RedHat and having them be sent to Splunk via rsyslog? The logs get written to tty but they are not making their way to our HF. We can easily log all of the auditd and system events but nothing for command execution.
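One way to get command executions out of auditd in a shape that survives an rsyslog hop, as an added example (this is not the poster's setup and not Red Hat code). It assumes the usual execve audit rule is loaded, `-a always,exit -F arch=b64 -S execve -k cmd_exec`, so each command yields a SYSCALL and an EXECVE record that share one audit event id; the audit.log lines in the block are constructed to that layout. The parser joins the two records, hex-decodes arguments that auditd encodes because they contain whitespace, and emits one key="value" line per execution, which is far easier to forward and search than raw multi-record audit output.

```python
"""Reconstruct command executions from auditd EXECVE records.

Added example for this thread, not the poster's code. Assumes the audit rule
    -a always,exit -F arch=b64 -S execve -k cmd_exec
is loaded, so every exec produces a SYSCALL and an EXECVE record that share
one audit event id. The audit.log lines below are constructed to that layout.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample. Arguments containing spaces or special characters are
# hex-encoded by auditd (a2 in both EXECVE records); plain ones are quoted.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4321): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="cmd_exec"
type=EXECVE msg=audit(1700000000.101:4321): argc=3 a0="ls" a1="-la" a2=2F746D702F6D7920646972
type=SYSCALL msg=audit(1700000000.222:4322): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=1200 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="cmd_exec"
type=EXECVE msg=audit(1700000000.222:4322): argc=3 a0="bash" a1="-c" a2=636174202F6574632F736861646F77
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def _unquote(value):
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def _decode_arg(value):
    """EXECVE argument: a quoted plain string, or bare uppercase hex when the
    argument contains whitespace or non-printable bytes."""
    if HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return _unquote(value)


def parse_record(line):
    """Split one audit.log line into type, timestamp, event id and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m["body"]))
    return {"type": m["type"], "ts": float(m["ts"]), "id": int(m["id"]), "fields": fields}


def parse_audit_log(text):
    """Join SYSCALL and EXECVE records by audit id into one event per exec.
    Caveat: auditd splits very long argv into a2[0]=, a2[1]= pieces, which
    this parser does not reassemble."""
    by_id = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_id[rec["id"]][rec["type"]] = rec
    events = []
    for eid, recs in sorted(by_id.items()):
        if "EXECVE" not in recs:
            continue
        ex = recs["EXECVE"]["fields"]
        argc = int(ex.get("argc", "0"))
        argv = [_decode_arg(ex[f"a{i}"]) for i in range(argc) if f"a{i}" in ex]
        sc = recs.get("SYSCALL", {}).get("fields", {})
        events.append({
            "id": eid,
            "time": recs["EXECVE"]["ts"],
            "auid": sc.get("auid", ""),   # login uid: who really ran it, even after su/sudo
            "uid": sc.get("uid", ""),
            "pid": sc.get("pid", ""),
            "ppid": sc.get("ppid", ""),
            "tty": sc.get("tty", ""),
            "exe": _unquote(sc.get("exe", "")),
            "key": _unquote(sc.get("key", "")),
            "command": shlex.join(argv),
        })
    return events


def to_syslog_kv(event):
    """One key="value" line per exec: a shape that forwards cleanly through
    rsyslog and that Splunk's automatic KV extraction picks up."""
    parts = []
    for k, v in event.items():
        v = str(v).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{k}="{v}"')
    return " ".join(parts)


if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(to_syslog_kv(ev))
```

Pipe the real /var/log/audit/audit.log (or the `ausearch -k cmd_exec --raw` output) through `parse_audit_log` and hand the `to_syslog_kv` lines to `logger` or an rsyslog `imfile` input; the auid field is the one to alert on, since uid alone loses the original user after `sudo`.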
@richgalloway, when I try to apply this blacklist it is not getting blacklisted, even after applying a matching regex pattern:
blacklist3 = EventCode="4688" Message="(?:ParentProcessName).+(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe)"
https://regex101.com/r/Jq2IKb/1
What changes do we need here? Thanks..
Hello, why does a long base search not work in a drop-down list? For example, if the base query on id="StudentName" has a long search ("Request-URI Too long"), the drop-down search did not populate, but it worked just fine on the pie chart. Please help. Thank you so much.
<search id="StudentName">
  <query>index=test</query>
  <earliest>$time_token.earliest$</earliest>
  <latest>$time_token.latest$</latest>
</search>
<input type="dropdown" token="StudentTok">
  <label>Student Name</label>
  <fieldForLabel>studentname</fieldForLabel>
  <fieldForValue>studentname</fieldForValue>
  <search base="StudentName">
    <query>| head 10</query>
  </search>
</input>
How do I count the number of unique recipients of each type of unique attachment from emails. The same user could receive the same attachment in multiple emails. Using the “dedup” command?
How do I count the number of emails from a search but only get recipients that received ten or more emails?
For a daily count > 4 per user, do this:
index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| regex user="[^\"]+@[^\"]+"
| bucket _time span=1d
| stats count by user src _time
| where count > 4
| stats sum(count) as count by user
| sort - count
I can work from this - this is great, thanks - but how can I now only record login attempts > 4 and ignore all others?
Were you able to find a solution for it?
Try something like this (assuming this pattern matches your valid user ids!):
index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| regex user="[^\"]+@[^\"]+"
| bucket _time span=1d
| stats count by user src _time
| stats sum(count) as count by user
| sort - count
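The same pipeline as the two replies above (the exclusions and `| regex` filter from this one, plus the `| where count > 4` threshold from the follow-up), as an added Python example run over constructed events rather than the original SPL. It is not the poster's or Splunk's code; the events, user names and addresses are made up, and day bucketing is done in UTC, whereas Splunk buckets in the search's time zone. It is useful for checking what the search will and will not surface before it is scheduled as an alert: a user with many failures spread thinly across sources or days never crosses the per-bucket threshold.

```python
"""Brute-force candidate logic from the thread's SPL, in Python (added
example, not the poster's code). Stages mirror the search:
  action=fail* OR action=block*, the user!= exclusions,
  | regex user="[^\"]+@[^\"]+"
  | bucket _time span=1d | stats count by user src _time
  | where count > 4          (threshold from the follow-up reply)
  | stats sum(count) as count by user | sort - count
"""
import re
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Same exclusions as the posted search. Splunk field comparisons are
# case-insensitive and "*" is a wildcard, hence fnmatch on lowercased values.
EXCLUDED_USERS = ["", "*@domanname", "USX*", "sec-gsa-scan",
                  "host/WS Authentication", "USERNAME"]
# The | regex user=... filter: keep only users that look like an address.
VALID_USER_RE = re.compile(r'[^"]+@[^"]+')


def is_failed_auth(event):
    """The filtering part of the search, applied to one event dict."""
    action = str(event.get("action", "")).lower()
    if not (action.startswith("fail") or action.startswith("block")):
        return False
    user = event.get("user")
    if user is None:              # user=* requires the field to exist
        return False
    if any(fnmatchcase(user.lower(), pat.lower()) for pat in EXCLUDED_USERS):
        return False
    return VALID_USER_RE.search(user) is not None


def brute_force_candidates(events, min_daily_count=4, span=86400):
    """Return [(user, total_failures)] sorted descending. Only
    (user, src, day) buckets with more than min_daily_count failures are
    summed; pass None to reproduce the reply without the where clause."""
    per_bucket = Counter()
    for ev in events:
        if is_failed_auth(ev):
            day = int(ev["_time"] // span) * span    # bucket _time span=1d (UTC here)
            per_bucket[(ev["user"], ev["src"], day)] += 1
    per_user = Counter()
    for (user, _src, _day), n in per_bucket.items():
        if min_daily_count is None or n > min_daily_count:
            per_user[user] += n
    return sorted(per_user.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample events with Splunk-style field names and epoch _time.
def _burst(user, src, day_start, n, action="failure"):
    return [{"_time": day_start + 60 * i, "action": action, "user": user,
             "src": src, "sourcetype": "linux_secure"} for i in range(n)]


DAY1 = datetime(2023, 11, 14, tzinfo=timezone.utc).timestamp()
DAY2 = DAY1 + 86400
SAMPLE_EVENTS = (
    _burst("alice@corp.example", "10.0.0.5", DAY1, 6)
    + _burst("alice@corp.example", "10.0.0.5", DAY1, 2, action="success")  # not counted
    + _burst("bob@corp.example", "10.0.0.7", DAY1, 3)        # 3 + 2: no bucket above 4
    + _burst("bob@corp.example", "10.0.0.8", DAY1, 2)
    + _burst("carol@corp.example", "198.51.100.9", DAY1, 5)  # over threshold on two days
    + _burst("carol@corp.example", "198.51.100.9", DAY2, 7)
    + _burst("USERNAME", "10.0.0.9", DAY1, 10)               # excluded by user!=USERNAME
    + _burst("svc@domanname", "10.0.0.9", DAY1, 10)          # excluded by *@domanname
    + _burst("USX4711", "10.0.0.9", DAY1, 10)                # excluded by USX*
    + _burst("root", "10.0.0.9", DAY1, 10)                   # no "@": dropped by | regex
    + _burst("host/WS Authentication", "10.0.0.9", DAY1, 10, action="blocked")
)

if __name__ == "__main__":
    for user, count in brute_force_candidates(SAMPLE_EVENTS):
        print(f"{count:5d}  {user}")
```

Note what the threshold does to bob: five failures in a day, but never more than four from one source, so the `where count > 4` version drops him entirely. A low-and-slow attacker rotating sources looks exactly like that, which is why a second search without the per-source grouping is worth keeping alongside this one.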
I also found the max_matches keyword to add in transforms.conf, but this has an upper limit of 1000. I need more...
Refer: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#Lookup_tables
To give more context: https://dev.splunk.com/enterprise/docs/devtools/externallookups/createexternallookup/
Hi, I am using an external lookup to basically run a Python script which makes an API call and returns the results using csv.DictWriter to sys.stdout. There are around 1250 rows being written to the console, but only the first 100 rows are being shown in Splunk. How can I disable this 100-row limit on external lookups? Thank you and have a nice day. Best,
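For reference, a minimal external lookup script of the kind described in this post and the max_matches follow-up, as an added example (not the poster's script, not Splunk's sample). It follows the protocol on the dev.splunk.com page linked above: Splunk invokes the script with the lookup's field names as arguments, sends the input rows as CSV on stdin, and reads matching rows back as CSV with the same header on stdout. The API call is replaced by a constructed in-memory table so the example runs offline. The script side writes every row it gets; how many rows Splunk keeps per input value is governed by max_matches in transforms.conf, which is the setting the follow-up post is asking about, so the cap cannot be lifted from inside the script.

```python
"""Splunk external lookup script skeleton (added example, not the poster's
script). Protocol: field names as argv, input rows as CSV on stdin, matching
rows as CSV with the same header on stdout. The remote API is replaced by a
constructed in-memory table so this runs offline."""
import csv
import io
import sys

# Constructed stand-in for the API response: one key can yield many rows,
# which is the situation in the question.
FAKE_API = {
    "web-01": [{"ip": "10.0.0.11", "owner": "team-a"},
               {"ip": "10.0.0.12", "owner": "team-a"}],
    "db-01": [{"ip": "10.0.1.5", "owner": "team-b"}],
}


def fetch_rows(key):
    """Hypothetical API call; returns a list of dicts per key."""
    return FAKE_API.get(key, [])


def run_lookup(key_field, infile, outfile, fetch=fetch_rows):
    """Copy each input row once per API match, filling in the output fields
    Splunk asked for. Returns the number of rows written."""
    reader = csv.DictReader(infile)
    fieldnames = reader.fieldnames or []
    if key_field not in fieldnames:
        raise SystemExit(f"key field {key_field!r} not in input header {fieldnames}")
    writer = csv.DictWriter(outfile, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    written = 0
    for row in reader:
        key = row.get(key_field)
        if not key:
            continue
        for match in fetch(key):
            out = dict(row)
            # Only header fields may be written back; an extra API field
            # would make DictWriter raise.
            for name in fieldnames:
                if name in match:
                    out[name] = match[name]
            writer.writerow(out)
            written += 1
    return written


def lookup_rows(key_field, csv_text, fetch=fetch_rows):
    """Run the lookup on a CSV string and parse the output back into dicts
    (convenient for testing the script outside Splunk)."""
    out = io.StringIO()
    run_lookup(key_field, io.StringIO(csv_text), out, fetch)
    return list(csv.DictReader(io.StringIO(out.getvalue())))


if __name__ == "__main__":
    # Splunk passes the lookup field names; the key field is the first one here.
    run_lookup(sys.argv[1], sys.stdin, sys.stdout)
```

Run it by hand with `printf 'host,ip,owner\nweb-01,,\n' | python3 lookup.py host ip owner` to confirm the row count before blaming Splunk: if the script already emits all 1250 rows here, the truncation is happening on the transforms.conf side.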
We are configuring for brute-force login attempts, failures obviously. Here is the search string we have put together as we are working from TAs coming from Splunkbase.
index=* action=fail* OR action=block* (source=win*security OR sourcetype=linux_secure OR tag=authentication) user=* user!="" user!="*@domanname" user!="USX*" user!="sec-gsa-scan" user!="host/WS Authentication" user!=USERNAME
| bucket _time span=1d
| stats count by user src _time
| stats sum(count) as count by user
| sort - count
The list is coming back with all sorts of combinations as listed already. I'm attempting to exclude IDs such as USERNAME or host/* as they don't make any sense. I can't post much publicly but you get the idea.
Splunk supports none of those directly.  You'd have to use a regex on the Message field to filter on the desired process name.  The most likely candidate is NewProcessName, but that depends on what event(s) you're filtering.
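To make the blacklist behaviour discussed in this reply and in the blacklist3 post above concrete, here is an added example (not the poster's configuration and not Splunk's code) that parses an inputs.conf key="regex" blacklist line and applies it to two constructed 4688 events. Assumptions: every key="regex" pair on one blacklist line must match for the event to be dropped (an AND, which is how I read the inputs.conf spec); the regex is applied with search semantics and Python's defaults, so `.` does not cross line breaks; and a .conf file does not unescape `\\`, so the regex engine sees `\\` and matches one literal backslash. The two Message bodies are constructed from the Windows 4688 layout with the whitespace assumed: the classic text carries the label "Creator Process Name", while the data name ParentProcessName only appears literally in the XML rendering. The example also extracts the two process names from the classic text, which is the per-field filtering this reply recommends.

```python
"""Emulate a WinEventLog inputs.conf blacklist against 4688 events (added
example, not the poster's configuration and not Splunk's code)."""
import re

# The blacklist as posted in the thread.
POSTED_BLACKLIST = (r'EventCode="4688" Message="(?:ParentProcessName).+'
                    r'(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe)"')
# Same intent expressed against the label the classic (non-XML) 4688 text
# actually carries for the parent process, with the dot escaped so the
# pattern cannot also match e.g. MonitoringHost_exe.
CLASSIC_BLACKLIST = (r'EventCode="4688" Message="Creator Process Name:\s+'
                     r'.*Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe"')

CONF_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklist(spec):
    """Turn key="regex" key="regex" into [(key, compiled regex)]."""
    return [(key, re.compile(pattern)) for key, pattern in CONF_PAIR_RE.findall(spec)]


def is_blacklisted(event, rules):
    """All pairs must match (assumed AND semantics); a missing key never matches."""
    return all(rx.search(str(event.get(key, ""))) for key, rx in rules)


# Classic 4688 Message (constructed, abridged).
CLASSIC_4688 = {
    "EventCode": "4688",
    "Message": (
        "A new process has been created.\r\n\r\n"
        "Process Information:\r\n"
        "\tNew Process ID:\t\t0x1a2c\r\n"
        "\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe\r\n"
        "\tCreator Process ID:\t0x0f40\r\n"
        "\tCreator Process Name:\tC:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\r\n"
    ),
}
# The same event rendered as XML, where the data names NewProcessName and
# ParentProcessName appear literally (constructed, abridged).
XML_4688 = {
    "EventCode": "4688",
    "Message": (
        "<Event><EventData>"
        "<Data Name='NewProcessName'>C:\\Windows\\System32\\cmd.exe</Data>"
        "<Data Name='ParentProcessName'>C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe</Data>"
        "</EventData></Event>"
    ),
}

LABELS = {"New Process Name": "NewProcessName", "Creator Process Name": "ParentProcessName"}
LABEL_RE = re.compile(r"^\t(New Process Name|Creator Process Name):\t(.+?)\r?$", re.M)


def extract_process_fields(message):
    """Pull the two process names out of a classic 4688 Message: the fields
    the reply suggests filtering on."""
    return {LABELS[label]: value for label, value in LABEL_RE.findall(message)}


if __name__ == "__main__":
    posted = parse_blacklist(POSTED_BLACKLIST)
    classic = parse_blacklist(CLASSIC_BLACKLIST)
    for name, ev in (("classic", CLASSIC_4688), ("xml", XML_4688)):
        print(name, "posted:", is_blacklisted(ev, posted), "classic:", is_blacklisted(ev, classic))
    print(extract_process_fields(CLASSIC_4688["Message"]))
```

Two caveats worth keeping in mind before shipping such a blacklist: run the regex against the Message text exactly as your forwarder renders it (renderXml on or off changes what is there to match), and remember that dropping 4688 for a monitoring agent's parent process also drops process creation telemetry for anything that agent is abused to spawn, so keep the pattern anchored to the full path rather than the file name alone.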
Hi all, I have to ingest logs from securelog and I'm able to take and parse Linux logs, but I have an issue when parsing Windows logs: how can I connect the winlogbeat format to Splunk_TA_Windows to correctly parse events? The winlogbeat event format is different from the normal Windows logs, so Splunk_TA_windows doesn't manage to parse the logs. Is there a connector, or must I manually parse winlogbeat logs to reduce them to Splunk_TA_windows logs? Thank you for your help. Ciao. Giuseppe
Hi All, I am trying to do a search to compare 2 different sources. Firstly, I created a lookup to catch some rules hitting my search. In the background, my alert is running and appending results to this CSV lookup file. The lookup file also has a field called Explanation. What I am trying to do is a search that lets me update a row if anything has changed in the raw data. However, there is an important point: if there is no change in the raw data for the lookup field, the field in the lookup file should not change and it should keep the explanation. If not, the row should be deleted. Thank you
For some strange reason, in version 8.2.12 "ui-prefs" is not managed anymore by default. This is not much documented, as it should be!!! To get rid of it, and get back to the original UI management, we could try to edit a "local/web-features.conf":
[feature:ui_prefs_optimizations]
optimize_ui_prefs_performance = false
But it's like playing the lottery: sometimes it works, sometimes not, and with new apps not at all 🤦 I don't think it is a good idea to change the behaviour of the UI so drastically. Above all, it's not documented anywhere, and we had to go around the web to understand it!!!
Hi, I have this method: public ActionResult MethodEZ(EZDokumentJson dokument)
JsonResult:
{ "Data1": "", "Data2": null, "Data3": null, "Data4": null, "DokumentId": "dvsd-5dsafd-55555-1111-afdfas" }
I would like to ask you for help with collecting data from the JsonResult. Here are my last attempts, which don't work. My Data Collection looks like this:
ToString().Split(string/"DokumentId": ).[1].Split(string/,).[0]
toString().split("DokumentId").[1].split(\,).[0]
Thanks....
Why are you looking for that TA?  What problem are you trying to solve?  What documentation said to install the UF TA? If you are a Splunk Cloud customer, the UF TA is available from your Splunk Cloud search head.  Open the "Universal Forwarder" app then click the green Download button.  If you are not a Splunk Cloud customer then you probably don't need the TA, depending on the answers to the above questions.
How are you obtaining the user IDs in the first place?  Is the field not extracted properly?  Is the search not looking for the right thing?  How can Splunk distinguish a valid ID from an invalid one?