In my organizational environment, there are a few alerts in the enabled state. I would like to create an inventory of all the enabled alerts and their important fields on GitHub. Is there a way to automate the transfer to GitHub without requiring manual effort? All the alerts on Splunk Cloud.

Hello All, I need to monitor MongoDB Replica set for its status. For this I have to run rs.status command in admin DB for MongoDB, this will give me JSON output and i need to look for status for replica set in that out and trigger the alert. Appreciate any pointers on this and if someone could take a look at below code provide the feedback that will be helpful, this one is for triggering the alert based on condition, I am trying to use case for this. index =XXXX | eval rs_status=case(status == "Primary", "OK", status =="ARBITER", "OK", status == "SECONDARY", "OK", status == "STARTUP", "KO", status == "RECOVERING", "KO" status == "STARTUP2", "KO", status == "UNKNOWN", "KO", status == "DOWN", "KO", status == "ROLLBACK", "KO", status == "REMOVED", "KO") | sort - _time | where status="KO"   Let me know if you see any issues here.   Regards Amit

Hi, I just deployed the latest version 2 of SC4S and I sent syslog events from our firewall Stormshield. I checked and I didn't see a specific source for this firewall brand The box is capable of sending logs in the format RFC5424, UDP/514. I did not configure a custom filter for it and the logs are automatically recognized as UNIX OS syslog events which is wrong, they are indexed in the osnix instead of netfw. I would like to create a filter based on the source host but I don't find any examples in the official github documentation.  for version 1 there is some but I am not sure if it applies to version 2. https://splunk.github.io/splunk-connect-for-syslog/1.110.1/configuration/#override-index-or-metadata-based-on-host-ip-or-subnet-compliance-overrides any suggestion? many thanks  

Hello,   Our security team has had a need of a asset management tool to keep track of our hardware and software inventory with respect to our security processes and security controls. Our support team already maintains a CMDB but it doesn't do a great job and provides almost no value as a master list or a way to audit for gaps in security control coverage.  Our team deploys a variety of tools that use agents or network discovery scans to give a partial list of asset inventories. When we do comparisons, none of them are complete enough not to have some variance from between different tools. We would like a CMDB that allows us to track our assets and our security control coverage. You cannot secure what you don't know about! One idea has been to grab asset information from all the tools using custom api input scripts and aggregate it into splunk into one kvstore table. Then we could use this table as a master list. We have the splunk deployment clients and the asset_discovery scan results, but we also have cloud delivered solutions for vuln mgmt, edr, av, mdm, etc.  I wanted to reach out to the community to see if anybody else has came across this use-case and if there are any resources anybody has to share or guidance to make this idea a reality. 

Running the SCMA app pre-migration checks in preparation for moving our environment to Cloud, we were notified of a number of old dashboards floating around using deprecated 'Advanced XML'. As most or all of these are no longer needed, I made the decision to delete these. However, it appears that the Search and Reporting app (where most of these dashboards reside) is not managed by our SHC deployer, and the old dashboards themselves cannot be deleted from the GUI settings > user interface > views. As shown below, most dashboards (top) have a Delete option, but none of the AXML dashboards allow this action.      Other than manually 'rm -rf'ing on the backend for all our search heads, is there another way I can easily delete these dashboards?

  Hello, Has anyone experienced parsing Windows Event Logs using a KVstore for all of the generic verbiage?  For example - red text (general/static text associated with EventCode number and other values  - this will mostly be the Message/body fields) will be entered into a KVstore; green text (values within the event) will be indexed. In the below example, there are 2,150 characters, of which, 214 characters are dynamic, and need to be indexed. The red(undant) text contains over 1,930 characters.  These are just logon (4624) events. With over 11.5 million logon events per day across our environment, this is ~23 GB. If what I am asking can be/has been accomplished, we could reduce this to 2.3 GB. Thanks and God bless, Genesius   09/11/2023 12:00:00AM LogName=Security EventCode=4624 EventType=0 ComputerName=<computer name> SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=9696969696 Keywords=Audit Success TaskCategory=Logon OpCode=Info Message=An account was successfully logged on.   Subject:                 Security ID:                         NT AUTHORITY\SYSTEM                 Account Name:                 <account name>                 Account Domain:                              <account domain>                 Logon ID:                             0x000   Logon Information:                 Logon Type:                        3                 Restricted Admin Mode:               -                 Virtual Account:                No                 Elevated Token:                 Yes   Impersonation Level:                      Identification   New Logon:                 Security ID:                         <security id>                 Account Name:                 <account name>                 Account Domain:                              <account domain>                 Logon ID:                             0x0000000000                 Linked Logon ID:                               0x0                 Network Account Name:               -                 Network Account Domain:           -                 Logon GUID:                       <login guid>   Process Information:                 Process ID:                          0x000                 Process Name:                   D:\Program Files\Microsoft System Center\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe   Network Information:                 Workstation Name:         <workstation name>                 Source Network Address:             -                 Source Port:                        -   Detailed Authentication Information:                 Logon Process:                  <login process>                 Authentication Package: <authentication package>                 Transited Services:           -                 Package Name (NTLM only):        -                 Key Length:                         0   This event is generated when a logon session is created. It is generated on the computer that was accessed.   The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.   The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).   The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.   The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.   The impersonation level field indicates the extent to which a process in the logon session can impersonate.   The authentication information fields provide detailed information about this specific logon request.                 - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.                 - Transited services indicate which intermediate services have participated in this logon request.                 - Package name indicates which sub-protocol was used among the NTLM protocols.                 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.