@gcusello Thanks for your reply, but the data is visible like this: in 7 days it will be 6 days visible and 1 day missing, or 5 days visible and 2 days missing, and vice versa. What could be the solution for that?
Hi @Praz_123, if one sourcetype was present and now it's missing, there could be two reasons: you modified the inputs.conf assigning the sourcetype to a data flow, or the data flow stopped. You can check the first choice by viewing whether someone modified the inputs.conf that should ingest the data. For the second choice you should analyze whether you're still receiving data and when the data stopped:

index=your_index sourcetype=your_sourcetype
| head 10

Ciao.
Giuseppe
Hi All, we tried to use the SentinelOne SOAR app to implement a playbook to block a hash on SentinelOne. SentinelOne SOAR App: https://splunkbase.splunk.com/app/6056 We found that it applied the hash only to some groups on SentinelOne. Has anyone found this issue before? Please advise.
Hi @karimossl, let me understand: do you want to find all the ComputerNames from Active Directory logs that aren't in the lookup, or something else? If this is your requirement, you could run:

index=win* NOT [ | inputlookup code_countries.csv | rename alpha-2 AS ComputerName | fields ComputerName ]
| dedup ComputerName
| sort ComputerName
| table ComputerName

Ciao.
Giuseppe
Hi @Sid, where did you locate the conf files: on Splunk Cloud or on on-premise systems? As I said, they must be located on the first full Splunk instance that the data passes through. Ciao. Giuseppe
Hello, I want to detect workstations authenticated to the Active Directory that are not compliant with our naming convention (the hostname should start with the country code followed by 6 numbers; example for a host from Italy: IT000121). I already have a lookup file (| inputlookup code_countries.csv | table alpha-2), but I don't know how to compare it with the 'Workstation' field in my Active Directory index to make it match the naming convention I described above. Regards,
Hi @syazwani ... As said by PickleRick, there is no Splunk command called "distance".

1) For other new Splunkers' info about Splunk's search commands, please check the Splunk Search Reference documentation: https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Rex (I copied the rex command's link; on the left side you will see a list of commands, alphabetically).
2) This should be from an app or add-on, most likely from a macros.conf file in that app/add-on, so please try to look into the macros conf files.
3) May we know if this was working previously and only recently stopped working? Were there any app/add-on upgrades?
4) Not sure, but let's try: that error message has a yellow triangle, like a Splunk warning message. Are you able to click on it? Does it give you more details?
5) In the internal logs for that app/add-on, do you see any warnings/errors?
I suppose you unpacked and re-packed the TA on a Windows box. It's typical for Windows to mess up Unix permissions, so it's not a good idea to, for example, run a Windows-based deployment server for Unix clients. Anyway, instead of editing files within the app (I hope you edited the local/ files, not the default/ ones) you can create an app with configs overriding settings from the app. This way it might be more manageable.
There is no such standard search command as "distance". It must come from an app you have installed. Consult the app's documentation for correct syntax.
Based on this error message, it hasn't removed the /etc/init.d/splunk file. You should run the "disable" part again and then check whether that /etc/init.d/splunk file is there or not. If/when it's there, you must resolve the reason why it's there and remove it. Probably you have some hardening etc. on your system which causes this?