Hello Folks, Good Morning to one and all, I have Trend Micro Cloud one service, and i want to integrate those service with Splunk instance which has been placed on cloud. Kindly suggest the mechanism for this, as i have checked there is no add on available for this. As i know trend Micro Cloud one have the ability to forward the logs via Syslog mechanism & the Splunk instance on cloud, then what will be the Splunk interface for syslog on cloud for this integration. Please share your opinion on this.   Regards, Gautam Khillare(GK)

Splunk seems to have a problem with authenticating a SAML user account using a token. The purpose of using token authentication is to allow an external application to run a search and get the results. A sample script is posted on GitHub as a code gist — the script simply starts a search but does not wait for the results. The problem is that when token authentication is used with a SAML account, it only works when that SAML user is logged in on the Splunk web GUI and while the interactive session is (still) valid. The problem is shown in the internal log:   07-03-2023 19:35:53.931 +0000 ERROR Saml [795668 AttrQueryRequestExecutorWorker-0] - No status code found in SamlResponse, Not a valid status. 07-03-2023 19:35:53.901 +0000 ERROR Saml [795669 AttrQueryRequestExecutorWorker-1] - No status code found in SamlResponse, Not a valid status.   The theory on the failure is: The token authentication works with (within) Splunk; But Splunk needs to perform RBAC after authentication. So it does AQR after the authentication; However, when there is no valid, live SAML session, the AQR fails. (AQR = Attribute Query Request) -- in this case, to get the user's group memberships to map to Splunk roles. I wonder if anyone has been able to get token authentication to work for a SAML account? [Edit]: On the other hand, is it simply impossible to use token authentication with a SAML user account?

Hi    I want to know that what will happen after splunk universal forwarder reached throughput limit, because i found my universal forwarder is stop ingest the data at a certain monment every day, and i don't know waht happend here, and i just set up the thruput in limits.conf, and restart the UF, the remain data will be collected,  although i'm not sure if it will still be effective next time... so the throughput limit reached, the Splunk UF will stop collecting data until next restart?   

I need to run a curl command to run various tasks such as creating searches, accessing searches etc. I have the below command which works perfectly   curl -k -u admin:test12345 https://127.0.0.1:8089/services/saved/searches/ \ -d name=test_durable \ -d cron_schedule="*/15 * * * *" \ -d description="This test job is a durable saved search" \ -d dispatch.earliest_time="-15h@h" -d dispatch.latest_time=now \ --data-urlencode search="search index=_audit sourcetype=audittrail | stats count by host"   but given that I may have to craft various curl commands with different -d flags, I want to be able to pass values through a file so I used below command   curl -k -u admin:test12345 https://127.0.0.1:8089/services/saved/searches/ --data-binary data.json   where data.json looks like this { "name": "test_durable", "cron_schedule": "*/15 * * * *", "description": "This test job is a durable saved search", "dispatch.earliest_time": "-15h@h", "dispatch.latest_time": "now", "search": "search index=_audit sourcetype=audittrail | stats count by host" } but in doing so I get following error   <?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg> </messages> </response>   So after going through lot of different posts on this topic, I realised Splunk seems to have problem with json format or mainly extracting the 'name' attribute from json format. Can someone please assist with how I can craft Curl command that uses data from a file like I am using above and get correct response from Splunk ?

Hello, I was aware that splunk is very versatile application which allows the users to manipulate the data is many ways.  I have extracted the fields of event_name, task_id , event_id. I am trying to create an alert if there is an increment in the event_id for the same task_id & event_name when latest even arrives in the splunk. For example, event at 3:36:40.395 PM have the task_id which is 3  & event_id which is 1223680  AND  the latest even arrived at 3:52:40.395 PM which have task_id 3 & event_id which is 1223681 I am trying to create an alert because for the same task_id (3), event_name (server_state) there is an increment in event_id. I believe it is only possible if we store the previous event_id in a variable for the same event_name & task_id so that we can compare it with the new event_id. However, we have four different task_id, I am not sure how save the event_id for all those different task_id's. Any help would be appreciated.   Log File Explanation:   8/01/2023 3:52:40.395 PM server_state|3 1123681 5 Date Timestamp event_name|task_id event_id random_number     Sample Log file:   8/01/2023 3:52:40.395 PM server_state|3 1223681 5 8/01/2023 3:50:40.395 PM server_state|2 1201257 3 8/01/2023 3:45:40.395 PM server_state|1 1135465 2 8/01/2023 3:41:40.395 PM server_state|0 1545468 5 8/01/2023 3:36:40.395 PM server_state|3 1223680 0 8/01/2023 3:25:40.395 PM server_state|2 1201256 2 8/01/2023 3:15:40.395 PM server_state|1 1135464 3 8/01/2023 3:10:40.395 PM server_state|0 1545467 8     Thank You