Hi, I've searched the forums and found one thread about getting Intune data in to Splunk which set me on a path, hopefully, to getting the data in. I'm working through the guidance here - Splunk Add-on for Microsoft Cloud Services - Splunk Documentation I have requested and got an Event Hub from the team that look after Azure infrastructure. I've created the Azure app registration, set the API permissions, Access control on the Event Hub, and can see this is being successfully signed in to having configured the Splunk add-on side as well.  I'm not seeing any data come in to the index though. The one thing I'm unclear on and I haven't been able to work out the definitive answer to is whether I need an Azure storage account in order to store the date. My reading of the Event Hub configuration options suggested to me that it was capable of some form of retention to allow streaming elsewhere (e.g. setting the retention time) but perhaps that is me misinterpreting it.  Has anyone successfully got this working and if so, are you using a storage account with this? 

Dear all, I have a list of latitude and longitude pairs from my observed events and try to get the corresponding street/city from latitude and longitude. I found this website  https://nominatim.org/release-docs/develop/api/Reverse/ and the URL it provides to map from latitude and longitude to street/building: https://nominatim.openstreetmap.org/reverse?format=xml&lat=<my_lat>&lon=<my_lon>&zoom=18 ex. https://nominatim.openstreetmap.org/reverse?format=xml&lat=39.982302&lon=116.484438&zoom=18 => output is: 360building, xx streat, xx road, xx village, xx district, Beijing, 100015, China However, here is my raw data, more than 1000 records so it's impossible to input to URL manually:  log id Lat Lon 1 39.982302 116.484438 2 30.608684 114.418229   Does anyone know is there a way to treat the Lat and Lon as input parameter in the URL link by code ? Thank you.

Hi all, I'm attempting to exclude specific undesired data from the security logs. Is there a way to minimize the number of items on the exclusion list, considering that we can only add up to 10 items to the blacklist due to limitations. Is there a possibility of consolidating the blacklist by, for example, appending a "|" (pipe) at the end of each blacklisted item, thereby reducing the total number of entries in the blacklist while still achieving the desired exclusion? blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))" blacklist2 = EventCode="4648|5145|4799|5447|4634|5156|4663|4656|5152|5157|4658|4673|4661|4690|4932|4933|5158|4957|5136|4674|4660|4670|5058|5061|4985|4965" blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:SplunkUniversalForwarder\\bin\\btool.exe)" blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk-winprintmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-powershell.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-regmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-admon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-perfmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk\-winhostinfo\.exe)" blacklist5 = EventCode="4688" Message="(?:Process Command Line:).+(?:system32\\SearchFilterHost.exe)|.+(?:find/i)|.+(?:WINDOWS\\system32\\conhost.exe)" renderXml=true

I am trying to configure SAML SSO for my Splunk Heavy Forwarders. When I upload and save SP Metadata file and remaining details. Its showing the below message on top, but configuration not getting saved in the backend and its not working.  "SAML has already been configured, Cannot add a new SAML configuration.saml" Your help is greatly appreciated.

Hi, I am working on a POC project. I need to add timestmap command to use predict algorithm. My dataset however has the below fields. MonthYear Year Quarter Month Subscription ID Subscription name   I was looking for a solution to randomly add timestamps for a period of one year. I have data from March2023 till May2023.   March 2023   Qtr 1 March 020b3b0c-5b0a-41a1-8cd7-90cbd63e06 SUB-PRD-EU-EDLCONTACTS March 2023   Qtr 1 March 020b3b0c-5b0a-41a1-8cd7-90cbd63e06 SUB-PRD-EU-EDLCONTACTS  

Hi, I am trying to look up data related to EventCode="4662", but it does not show in Splunk. Additionally I checked inputs.conf on the indexer and it was not present, I copied inputs.conf from default: [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)" index = wineventlog renderXml=false I have check within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results. so what i want to see is the event code 4662 that in it's message contain Object Type: user Here i will provide the event viewer logs that i want splunk to show An operation was performed on an object. Subject :   Security ID:       CIMBNIAGA\YT91504X   Account Name:      YT91504X   Account Domain:    CIMBNIAGA   Logon ID:          0xC2D9E1AC Object:   Object Server: DS   Object Type:   user   Object Name:   CN=ADJOINADMIN,OU=Functional   ID,OU=Special_OU,DC=cimbniaga,DC=co,DC=id   Handle ID:     0x0 Operation:   Operation Type:  Object Access   Accesses:      READ_CONTROL   Access Mask:   0x20000   Properties:    READ_CONTROL {bf967aba-0de6-11d0-a285-00aa003049e2} Additional Information:   Parameter 1:    -   Parameter 2:   Please help me i really got stuck i already try to delete the blacklist filtering but it's still not give me  the log that i want just like in the top @kheo_splunk