Correct, my environment is currently utilizing services. I do see the entity_title and serviceid within the index, so that's a good thing at least. The only correlation search we have enabled right now only utilizes entity_title apparently (I did not set these up) as its Entity Lookup field. I also reviewed our notable event aggregation policies and noticed that the only ones enabled reference the serviceid, but not entity_title. We're currently having alerts/episodes generated by the Splunk App for Infrastructure (for normalization) and a different aggregator. Neither show the Impacted Entities. I'm guessing something isn't configured properly in either of them to have that data show; OR my entities are messed up.
Thank you for that heads up. This morning I discovered our ES was lacking the right cert in sslConfig, so the splunk-generated cert expired and resulted in https://splunk.my.site.com/customer/s/article/Expired-SSL-certificate-KV-Store-will-not-start-exit-code-14-and-fatal-assertion-28652 . The same fix (adding a serverCert to system/local/server.conf for a PEM containing the Server Cert + Encrypted Private Key) also fixed the KV Store on the HF where DB Connect was installed. Looks like I'll be verifying sslConfig everywhere in case of other stealthy dependencies on KV Store.
The apps/add-ons sometimes make our lives difficult by doing things like this. Please check the internal logs for that ServiceNow app/add-on; it may give you some hints. If you find the issue, you can update this post so that in future other users can use your learnings. Karma/upvotes are appreciated by all. Thanks.
Dear @phanTom, we already evaluated that way. Customizing the Graph app (which app exactly?) is a way we considered already, but we do not like it. Customizing the app means not being subject to updates of the app itself or, equivalently, it means that we must customize every new version of the app. This is something that we do not prefer. As for the use of the HTTP app, consider that: it supports OAuth; OAuth is the authentication/authorization method also accepted by Azure/Graph (https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http). We can just translate the problem into: why does the HTTP app not work with OAuth if it says that it is supported? What seems to be missing in the app is the possibility to specify a payload for the POST request that retrieves the authentication token. In the following screenshot (taken from the URL reported above), you can observe a sample payload and a sample answer: For this reason, the question "why does the HTTP app not work with OAuth if it says that it is supported?" becomes "how to specify the payload for the OAuth POST request in the HTTP app?" or, equivalently, "why is there no possibility to specify a payload for the OAuth POST request?" Thank you in advance!
Hello, thank you for the reply! I tried it but I'm getting an error stating "Error in "search processor" Mismatched quotes and/or parentheses."
I just tried for 4 to 5 alerts; it did not trigger yesterday. But again I tried today and I am getting auto cuts now. Not sure what happened.
Thanks Rick.

| eval account=if(account=="verified","verified","unverified") | stats count by account

Although there is data for both "verified" and "unverified", I am getting results only for "unverified" (whatever is in the ELSE). Any reason that you can think of for this behavior?
@drew19 I think with the complexity of Graph I would avoid using the HTTP app. Instead I would advise updating the Graph app itself, as all the authentication etc. is already built into the app. You can use the IDE to Clone & Update the app to your needs and this would be a lot more future proof. https://docs.splunk.com/Documentation/SOARonprem/6.1.1/DevelopApps/Overview
Hi all, absolute Splunk n00b here, so very sorry to resurrect an old thread, but did anyone figure this one out? Currently asking myself the same question as @skender27. I have enabled the Logging in SSMS and can actually see the Events from the SA login. My inputs.conf looks as follows:

[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
index = "my index"

The problem is I see none of the corresponding event IDs for the SA User logins in Splunk (18453, 18454, 18456). Any ideas or tips would be much appreciated. Cheers, Oli
Hi, while using Splunk SOAR we have several Apps for several integrations with Azure/Graph. Examples of such apps are: Microsoft 365 Defender, MS Graph for Sharepoint, etc. However, most of such apps have limited functionalities (i.e. they do not have an action for all the possible APIs that can be used). Hence, in order to use other APIs (not available through the standard Apps) we thought to configure the HTTP app with Graph (where we already have an app registration and several permissions, done via Azure). However, when we configure the client_id and the secret_id along with the other parameters we receive the following answer from the app: This is the asset configuration: Does anyone know what's wrong with my configuration? Did anyone make it work? Thank you in advance!
Hi @STancredi! Are you using services in ITSI? In that case you should already have the entity_title and serviceid in the itsi_summary index. Just do not remove them in your correlation search. /Seb
My DS doesn't have an explicit stanza to push the SplunkUniversalForwarder app. I know that the file the other app the DS pushed did not exist on all hosts the app got pushed to. Is it possible Splunk automatically decided to create a stanza in one of its input.conf files because it kept finding out that the file did not exist? We now have this file being logged on all hosts, so now I have to manually change the input.conf file. I also thought that my other non-default apps took precedence over the default SplunkUniversalForwarder app, but when I ran btool, it told me the file I was looking for was obtaining its configuration from \etc\apps\SplunkUniversalForwarder\local\input.conf instead of anywhere else. What's truly strange is that this behavior is only happening on some hosts and not others.
Where did you learn this?  AFAIK, Splunk Enterprise and Splunk Cloud on all platforms supports null queue.
You are not a new user so what you were told should not apply to you. Questions about specific licenses should be directed to your Splunk account team.
What if we need to communicate with the controller via a proxy, but not with the monitored services (i.e. when using extensions for Kafka etc.)? Are there any parameters like -Dappdynamics.http.nonProxyHost to whitelist them? Or how do we solve this problem?
Hi @davesplunk01, I'm having the same scenario as this. After the above steps that you mentioned, I can see the total on the top along with the line. I don't need the line. Can you please help me with this? Thanks in advance! Manoj Kumar S
What is EventCode 4624? Is that a log on, a log off or either? If it is either, how do you distinguish between the two? If it is one or the other, which events signify the other event? Essentially, how can you tell from your data when a user logs on and when they log off?
Chris, That's what I'm trying to accomplish as I was able to define what is using the rule so I can start putting defined rules in front of it. In this case I was hoping that someone could help me easily know what had not used the open rule so I can immediately put a rule in front of it to block any ports that haven't traversed it. I'll just close out my question and do things the slow way with exports to Excel. Thanks, Kimsey
@Roy_9 - Are you running the search in the same App where you created the lookup definition?
So I am experiencing this same issue as well, what would be the best way to add entity_title into a search or incorporate the field into the notable event/episodes?