All Posts
Hi, I have a modular input that is connected to CIM through eventtypes and tags as follows:

default/eventtypes.conf
[my_event_type]
search = sourcetype=my_default_source_type

default/tags.conf
[eventtype=my_event_type]
alert = enabled

This generally works up until a user decides to reconfigure the default sourcetype and index. When the sourcetype is altered, the eventtype stanza breaks. How do I go about this? What is the best practice to allow a user to reconfigure the sourcetype while ensuring the CIM integration works? Should I rely on other fields that I create? Can this damage the efficiency of the query? Thanks
Hi @gcusello, I created the add-on using the Add-on Builder and uploaded it on the Splunk Cloud SH. In the classic experience it is deployed on the indexers as well.
Hi @Praz_123, you should create an alert for when the data flow stops and immediately check whether something blocked it. Then, if the data flow arrives from text files, you could check whether the files contain data for the missing periods. Ciao. Giuseppe
How to import the BeautifulSoup module in Splunk's Python so that the Python script works.
Hi @Sid, how did you pass the two conf files to Splunk Cloud? The conf files are correct. Ciao. Giuseppe
Hi @gcusello, yes, UFs.
@gcusello Thanks for your reply, but the data is only partially visible: in 7 days it will be 6 days visible and 1 day missing, or 5 days visible and 2 days missing, and so on. What could be the solution for that?
Hi @Sid, how are you collecting these logs, from a Universal Forwarder? Ciao. Giuseppe
Hi @Praz_123, if one sourcetype was present and now it's missing, there could be two reasons:

1) you modified the inputs.conf that assigns the sourcetype to a data flow,
2) the data flow stopped.

You can check the first case by verifying whether someone modified the inputs.conf that should ingest the data. For the second case you should analyze whether you're still receiving data and when the data stopped:

index=your_index sourcetype=your_sourcetype | head 10

Ciao. Giuseppe
Hi All, we tried to use the SentinelOne SOAR app to implement a playbook to block a hash on SentinelOne. SentinelOne SOAR App: https://splunkbase.splunk.com/app/6056 We found that it applied the hash only to some groups on SentinelOne. Has anyone encountered this issue before? Please advise.
Hi @karimossl, let me understand: do you want to find all the ComputerNames from Active Directory logs that aren't in the lookup, or something else? If this is your requirement, you could run:

index=win* NOT [ | inputlookup code_countries.csv | rename alpha-2 AS ComputerName | fields ComputerName ]
| dedup ComputerName
| sort ComputerName
| table ComputerName

Ciao. Giuseppe
I don't have any HF in my environment, so I kept it as a custom app on the cloud indexers.
Hi @Sid, where did you locate the conf files: on Splunk Cloud or on on-premise systems? As I said, they must be located on the first full Splunk instance that the data passes through. Ciao. Giuseppe
@gcusello it's not dropping those DEBUG ones.

props.conf:
[risktrac_log]
LINE_BREAKER = ([\r\n]+)\[\d{2}.\d{2}.\d{2}.\d{2}.\d{2}.\d{2}.\d+.\w+
MAX_TIMESTAMP_LOOKAHEAD = 35
SHOULD_LINEMERGE = 0
TIME_PREFIX = ^
TRUNCATE = 99999
pulldown_type = 1
TRANSFORMS-null = setnull

transforms.conf:
[setnull]
REGEX = DEBUG
DEST_KEY = queue
FORMAT = nullQueue
Bump
Hello, I want to detect workstations authenticated to Active Directory that are not compliant with our naming conventions (the hostname should start with the country code followed by 6 digits; example for a host from Italy: IT000121). I already have a lookup file (| inputlookup code_countries.csv | table alpha-2), but I don't know how to compare it with the 'Workstation' field in my active index to make it match the naming convention I described above. Regards,
Hi @syazwani, as said by PickleRick, there is no Splunk command called "distance".

1) For other new Splunkers' info about Splunk's search commands, please check the Splunk Search Reference documentation: https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Rex (I copied the rex command's link; on the left side you will see a list of commands, alphabetically).
2) This should come from an app or add-on, most likely from a macros.conf file in that app/add-on, so please look into the macros.conf files.
3) May we know if this was working previously and only recently stopped working? Were there any app/add-on upgrades?
4) Not sure, but let's try: that error message has a yellow triangle, like a Splunk warning message. Are you able to click on it? Does it give you more details?
5) In the internal logs for that app/add-on, do you see any warnings/errors?
Well, I am seeing that the event data is showing but the sourcetype is missing for the last 24 hours. What could be the reason, and how do I check?
In the process of Splunk integration with LastPass, we are getting an error like "Your SIEM refused to connect". Please
Hi @Eric.Miller, can we get this account access key using any API command instead of getting it from the controller? Regards, Mohammed Saad