Hi @gcusello, yes, UFs.
@gcusello Thanks for your reply, but the data is visible like this: in 7 days it will be 6 days visible and 1 day missing, or 5 days visible and 2 days missing, and vice versa. What could be the solution for that?
Hi @Sid, how are you taking these logs, from a Universal Forwarder? Ciao. Giuseppe
Hi @Praz_123, if one sourcetype was present and now it's missing, there could be two reasons: you modified the inputs.conf assigning the sourcetype to a data flow, or the data flow stopped. You can check the first by viewing whether someone modified the inputs.conf that should ingest the data. For the second you should analyze whether you're still receiving data and when the data stopped:
index=your_index sourcetype=your_sourcetype | head 10
Ciao. Giuseppe
Hi All, we tried to use the SentinelOne SOAR app to implement a playbook to block a hash on SentinelOne. SentinelOne SOAR App: https://splunkbase.splunk.com/app/6056 We found that it applied the hash only to some groups on SentinelOne. Has anyone found this issue before? Please advise.
Hi @karimossl, let me understand: do you want to find all the ComputerNames from Active Directory logs that aren't in the lookup, or something else? If this is your requirement, you could run:
index=win* NOT [ | inputlookup code_countries.csv | rename alpha-2 AS ComputerName | fields ComputerName ] | dedup ComputerName | sort ComputerName | table ComputerName
Ciao. Giuseppe
I don't have any HF in my environment, so I kept it as a custom app on the cloud indexers.
Hi @Sid, where did you locate the conf files: on Splunk Cloud or on on-premise systems? As I said, they must be located on the first full Splunk instance that the data passes through. Ciao. Giuseppe
@gcusello It's not dropping those DEBUG ones.

props.conf:
[risktrac_log]
LINE_BREAKER = ([\r\n]+)\[\d{2}.\d{2}.\d{2}.\d{2}.\d{2}.\d{2}.\d+.\w+
MAX_TIMESTAMP_LOOKAHEAD = 35
SHOULD_LINEMERGE = 0
TIME_PREFIX = ^
TRUNCATE = 99999
pulldown_type = 1
TRANSFORMS-null = setnull

transforms.conf:
[setnull]
REGEX = DEBUG
DEST_KEY = queue
FORMAT = nullQueue
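Before blaming the indexers, it is worth checking that the two regexes in the posted stanzas actually do what is intended against real event text. The following is an added example, not code from the original thread: it replays the posted LINE_BREAKER and the setnull REGEX over a constructed sample of the log (the real risktrac_log format is not shown on the page, so the sample lines are an assumption shaped to match the LINE_BREAKER) and reports which events would be routed to nullQueue. Python's re module is assumed to behave like Splunk's PCRE for these simple patterns.

```python
import re

# Constructed sample log (assumption: bracketed timestamp, then the level).
# The second DEBUG event carries a continuation line to show that the whole
# multi-line event, not just its first line, is what REGEX is tested against.
SAMPLE_LOG = """[24.01.15 10:22:33.101 INFO] service started
[24.01.15 10:22:34.220 DEBUG] polling queue
    with a continuation line
[24.01.15 10:22:35.005 WARN] slow response
[24.01.15 10:22:36.777 DEBUG] polling queue
"""

# Same expressions as the posted props.conf / transforms.conf.
LINE_BREAKER = re.compile(r"([\r\n]+)\[\d{2}.\d{2}.\d{2}.\d{2}.\d{2}.\d{2}.\d+.\w+")
SETNULL_REGEX = re.compile(r"DEBUG")


def break_events(raw: str) -> list[str]:
    """Split raw text the way LINE_BREAKER does: the capture group is the
    boundary and is discarded; the text matched after it starts the next event."""
    events = []
    start = 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start()])
        start = m.end(1)  # next event begins right after the captured newline(s)
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def route(events: list[str]) -> tuple[list[str], list[str]]:
    """Apply the setnull transform: an event whose _raw matches REGEX anywhere
    goes to nullQueue; everything else stays on the index queue."""
    kept, dropped = [], []
    for ev in events:
        (dropped if SETNULL_REGEX.search(ev) else kept).append(ev)
    return kept, dropped


if __name__ == "__main__":
    events = break_events(SAMPLE_LOG)
    kept, dropped = route(events)
    print(f"{len(events)} events, {len(kept)} indexed, {len(dropped)} sent to nullQueue")
    for ev in dropped:
        print("DROPPED:", ev.splitlines()[0])
```

If the simulation drops the DEBUG events but Splunk still indexes them, the regexes are fine and the stanza is simply not being applied: the [risktrac_log] stanza must carry the exact sourcetype name the UF's inputs.conf assigns, and TRANSFORMS-null only runs on the first full instance the data reaches (the Cloud indexers when UFs send directly), so a stanza that lives only on the forwarder does nothing. Note also that an unanchored REGEX = DEBUG discards any event containing that string anywhere in _raw, not only events at DEBUG level.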
Bump
Hello, I want to detect workstations authenticated to the Active Directory that are not compliant with our naming conventions (the hostname should start with the country code followed by 6 numbers; example for a host from Italy: IT000121). I already have a lookup file (| inputlookup code_countries.csv | table alpha-2), but I don't know how to compare it with the 'Workstation' field in my active index to make it match the naming convention I described above. Regards,
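The check the question above asks for, and that the earlier reply to @karimossl sketches in SPL, is two tests per host: the name has the shape of two letters plus six digits, and the two-letter prefix is a known alpha-2 country code from the lookup. The following is an added example, not code from the original thread: it runs that detection over constructed Windows logon events and a constructed stand-in for code_countries.csv (both are assumptions; the real file and event format are not shown on the page).

```python
import csv
import io
import re

# Constructed stand-in for code_countries.csv; only the alpha-2 column is used.
CODE_COUNTRIES_CSV = """alpha-2,name
IT,Italy
FR,France
DE,Germany
US,United States
"""

# Constructed logon events with a Workstation field (format is an assumption).
SAMPLE_EVENTS = [
    "EventCode=4624 Account_Name=jdoe Workstation=IT000121",
    "EventCode=4624 Account_Name=mrossi Workstation=it000122",    # mixed case
    "EventCode=4624 Account_Name=asmith Workstation=XX000123",    # unknown country
    "EventCode=4624 Account_Name=bjones Workstation=US12345",     # only 5 digits
    "EventCode=4624 Account_Name=klee Workstation=DE000999",
    "EventCode=4624 Account_Name=svc_backup Workstation=LAPTOP-7Q2",
]

NAMING_RE = re.compile(r"^([A-Z]{2})(\d{6})$")
WORKSTATION_RE = re.compile(r"Workstation=(\S+)")


def load_alpha2(csv_text: str) -> set[str]:
    """Read the alpha-2 column of the lookup into a set of upper-case codes."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["alpha-2"].strip().upper() for r in rows}


def non_compliant(events: list[str], alpha2: set[str]) -> list[tuple[str, str]]:
    """Return (workstation, reason) for each host that breaks the convention.
    Hostnames are upper-cased first: NetBIOS names are case-insensitive, so
    'it000122' and 'IT000122' are the same machine."""
    findings = []
    for ev in events:
        m = WORKSTATION_RE.search(ev)
        if not m:
            continue
        ws = m.group(1).upper()
        nm = NAMING_RE.match(ws)
        if not nm:
            findings.append((ws, "shape: expected 2 letters + 6 digits"))
        elif nm.group(1) not in alpha2:
            findings.append((ws, f"unknown country code {nm.group(1)}"))
    return findings


if __name__ == "__main__":
    codes = load_alpha2(CODE_COUNTRIES_CSV)
    for host, reason in non_compliant(SAMPLE_EVENTS, codes):
        print(f"{host}: {reason}")
```

In SPL the same two tests are a match() on the Workstation field for the shape and a comparison of the two-letter prefix (eval cc=substr(Workstation,1,2)) against the alpha-2 values of the lookup; comparing the whole hostname against the lookup would only flag names that are exactly a country code. Keep the unknown-country case as its own reason: a well-formed name with a prefix that is not a country code is the one most likely to be a rogue or mis-imaged machine rather than a typo.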
Hi @syazwani, as said by PickleRick, there is no Splunk command called "distance".
1) For other new Splunkers' info about Splunk's search commands, please check the Splunk search reference document: https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Rex (I copied the rex command's link; on the left side you will see a list of commands, alphabetically).
2) This should be from an app or add-on, mostly from a macros.conf file from that app/add-on, so please try to look into the macros conf files.
3) May we know if this was working previously and just recently didn't work? Were there any app/add-on upgrades?
4) Not sure, but let's try: that error message has a yellow triangle, like a Splunk warning message. Are you able to click on it? Does it give you more details?
5) In the internal logs for that app/add-on, do you see any warnings/errors?
Well, I am seeing the events data is showing, but the sourcetype is missing for the last 24 hours. What could be the reason, and how to check?
In the process of Splunk integration with LastPass, we are getting an error like "Your SIEM refused to connect". Please
Hi @Eric.Miller, can we get this account access key using any API command instead of getting it from the controller? Regards, Mohammed Saad
I suppose you unpacked and re-packed the TA on a Windows box. It's typical for Windows to mess up Unix permissions, so it's not a good idea to, for example, run a Windows-based deployment server for Unix clients. Anyway, instead of editing files within the app (I hope you edited the local/ files, not the default/ ones), you can create an app with configs overriding the settings from the app. This way it might be more manageable.
There is no such standard search command as "distance". It must come from an app you have installed. Consult the app's documentation for correct syntax.
Based on this error message, it hasn't removed the /etc/init.d/splunk file. You should run the "disable" part again and then check whether that /etc/init.d/splunk file is there or not. If/when it's there, you must resolve the reason why it's there and remove it. Probably you have some hardening etc. on your system which causes this?
I've tried the commands you suggested. But it still does not work yet.
When I try to start Splunk with the command "./splunk start", it starts normally.