All Posts

Thank you for replying - I've tried both, but it throws out a different error. I was told that splunk-soar version 6.4.0.92 only takes a dict { }. I've attached the error message for the array error... Error message for array [ ]
Can you explain in more detail what you have in this Splunk instance? Like its role, are there modular inputs, own SPL commands, amount of users, queries, DMA, other accelerations, daily data size etc.
Hi All, we got this requirement to print the timestamp in the mail subject for a scheduled report. The timestamp should indicate the time it got sent. For example, the report runs twice a day, so if it runs at 6 am and 6 pm, the mail subject should indicate dd-mm-yyyy 06:00:00 or 18:00:00. Please help.
@livehybrid, @PickleRick, @isoutamo I need the health status for HF while running the query. There are more than 5 HFs, and when I run the query for each HF individually, I get the results. However, I can't create a single alert that covers all HFs, and doing so would result in more than 5 separate alerts, one for each HF. If I am running the same query in LM and am able to see all components' status in one go, can't it be possible for the HF and IHF?
I think changing tag permissions will give me carpal tunnel.  If anyone knows where I can submit my claim let me know.
Through the top command, we found that the Splunkd process is using 100% of the swap space. However, it is impossible to determine the root cause because there is no way to check exactly what kind of operation is using the swap space. Do you know of any case that solved the problem of 100% swap space usage? Thank you.
We have an alert showing users that are authenticating after working hours, for security reasons, which I'm sure y'all are familiar with; at the same time, we know who leaves their workstations on during the night. However, we have recently received alerts with "unknown" users reported in the alert. But after checking the host's Event Viewer (Security log) and comparing with the timestamps in the alert, the event logs show the users. Any idea how we can edit our search string, or what may have caused the string to return the unknown value?
I have this in props and transforms.

[resource_timestamp]
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = json
KV_MODE = none
TIME_PREFIX = "timestamp":
TIME_FORMAT = %s%3N
DATETIME_CONFIG = NONE
TRANSFORMS-overrideTimeStamp = overrideTimeStamp

[overrideTimeStamp]
INGEST_EVAL = _raw=json_set(_raw, "timestamp",strftime(json_extract(_raw,"timestamp")/1000,"%m-%d-%Y %H:%M:%S.%3N"))
#INGEST_EVAL = _raw=strftime(json_extract(_raw, "timestamp")/1000, "%m-%d-%Y %H:%M:%S.%3N")

I can now see the intended time format is being updated in the timestamp field, but I also see the value of timestamp twice, with a none value and in epoch format. How do I eliminate the none value?
Hi @livehybrid, I tried to apply the props and transforms as you mentioned earlier, but I don't see events breaking; the value of the timestamp is still showing the epoch value, not the time format I needed. It's also showing a none value in the results, which is not expected. How do I eliminate the none in the results?
I've read through some of the Splunk documentation, and previously one of my colleagues already configured the "Windows server health" content pack, but when I check "OS:Performance.WIN.Memory" I only see 4 metrics and cannot get the overall % memory utilization because I do not have the total amount to begin with. These are the only metrics I have:
Available_MBytes
Cache_Bytes
Page_Reads/sec
Install and configure the Content Pack for Monitoring Microsoft Windows - Splunk Documentation
Hi @Praz_123

As described by @PickleRick and @isoutamo - it can sometimes be possible to add these to MC, but it is not always practical, and a bit hacky!

If you are wanting a high-level view of a forwarder then you can use the health.log with the following SPL:

index=_internal host=yourForwarderHost source="*/var/log/splunk/health.log"
| stats latest(color) as color by feature, node_path, node_type, host

If you have a number of forwarders to monitor then you could adapt this to score the colours and show the worst?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Kenny_splunk

Really the only way to "clean" an index is for the data to be aged out. Running "| delete" on an index will stop it appearing in searches; however, it will still be present on the disks, just with markers that stop it being returned, therefore it won't actually give you any space back if this is what you are looking for. The best thing you can do is control the data arriving in the platform and reduce this as necessary; hopefully over time the older/larger/waste data will age out and free up space.

What is your retention on this index (or indexes)? If it's something like 90 days then you won't have too long to wait, but if it's 6 years then you might be stuck with that old data for some time!
Hi @manideepa

Are you referring to service indicators in the glass tables versus notables generated in a table? Please could you share screenshots or sample data so that we can ensure we're giving you the best answer.
Hi @dlm

I'm not entirely sure what it is you're trying to achieve, so this might not be the best way to achieve it, but hopefully one of the below examples might help! If you can give us more details (ideally with examples) then we might be able to give a better specific answer.

I started by creating a lookup:

The examples work around using a subsearch to get the list from the lookup.

Option 1: This adds a prefix of my_ to the fields listed in the lookup

| makeresults
| eval CPU=45, Memory=12.3, Disk=84.4, Network=92
| rename [| inputlookup fields.csv | eval fieldName=fieldName+" AS my_"+fieldName | stats list(fieldName) as search ]

Option 2: This uses "table" to only list the fields in the lookup, with an optional field showing the fields (example of foreach)

| makeresults
| eval CPU=45, Memory=12.3, Disk=84.4, Network=92
| table [| inputlookup fields.csv | stats list(fieldName) as search]
| foreach * [| eval fields=mvappend(fields,"<<FIELD>>")]
Hey, thanks for your answer. After I posted this, I went to investigate the source of the data and any props or transforms set up for it.

I ran the following from our forwarder, the server that has the Netskope TA app installed on it:

./splunk btool props list --debug | grep "netskope:application"

I don't have any transforms with that tag. Here is the output of the default Netskope application inputs:

[source::...netskope_file_hash_modalert.log*]
SHOULD_LINEMERGE = true
sourcetype = tanetskopeappforsplunk:log
TZ = UTC

[source::...netskope_url_modalert.log*]
SHOULD_LINEMERGE = true
sourcetype = tanetskopeappforsplunk:log
TZ = UTC

[source::...ta-netskopeappforsplunk*.log*]
SHOULD_LINEMERGE = true
sourcetype = tanetskopeappforsplunk:log
TZ = UTC

[source::...ta_netskopeappforsplunk*.log*]
SHOULD_LINEMERGE = true
sourcetype = tanetskopeappforsplunk:log
TZ = UTC

[netskope:event:v2]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1

[netskope:alert:v2]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1

[netskope:web_transaction]
INDEXED_EXTRACTIONS = W3C
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = Etc/GMT
SHOULD_LINEMERGE = 0
TRUNCATE = 999999
EXTRACT-from_source = .*[\\\/](?<input_name>.*)_(?<bucket_name>\d{8})_(?<bucket_file_name>.*) in source
EVAL-vendor_product = "Netskope"
FIELDALIAS-app = x_cs_app AS app
FIELDALIAS-timestamp = _time as timestamp
FIELDALIAS-bytes_in = cs_bytes AS bytes_in
FIELDALIAS-bytes_out = sc_bytes AS bytes_out
FIELDALIAS-category = x_category AS category
FIELDALIAS-dest = s_ip AS dest
EVAL-http_content_type = coalesce(cs_content_type, sc_content_type)
FIELDALIAS-http_method = cs_method AS http_method
FIELDALIAS-http_referrer = cs_referer AS http_referrer
FIELDALIAS-http_user_agent = cs_user_agent AS http_user_agent
FIELDALIAS-response_time = time_taken AS response_time
FIELDALIAS-src=c_ip AS src
FIELDALIAS-status = sc_status AS status
FIELDALIAS-uri_path = cs_uri AS uri_path
FIELDALIAS-uri_query = cs_uri_query AS uri_query
FIELDALIAS-user = cs_username AS user
EVAL-fullurl = cs_uri_scheme . "://" . cs_dns . cs_uri . if(isnull(cs_uri_query), "", "?") . coalesce(cs_uri_query,"")
EVAL-x_c_browser=if(isnull(x_c_browser),"N/A",x_c_browser)
EVAL-x_c_device=if(isnull(x_c_device),"N/A",x_c_device)
FIELDALIAS-dest_port = cs_uri_port AS dest_port
EVAL-url = cs_uri_scheme . "://" . cs_dns . cs_uri . if(isnull(cs_uri_query), "", "?") . coalesce(cs_uri_query,"")
FIELDALIAS-duration = time_taken AS duration
FIELDALIAS-http_referrer_domain = cs_referer AS http_referrer_domain
EVAL-site = replace(cs_host, "^([^\.]+).*", "\1")

[source::netskope_events_v2_connection]
KV_MODE = json
sourcetype = netskope:connection
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TRUNCATE = 999999

[source::...*events_iterator_page*.csv]
INDEXED_EXTRACTIONS = CSV
sourcetype = netskope:connection
TIMESTAMP_FIELDS=timestamp
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TRUNCATE = 999999

[netskope:connection]
FIELDALIAS-src_ip = srcip AS src_ip
FIELDALIAS-src=srcip AS src
FIELDALIAS-dest_ip = dstip AS dest_ip
FIELDALIAS-dest = dstip AS dest
EVAL-dvc = coalesce(hostname, device)
EVAL-app_session_key = app_session_id . "::" . host
EVAL-vendor_product = "Netskope"
FIELDALIAS-page_duration = page_duration AS duration
FIELDALIAS-bytes = numbytes AS bytes
FIELDALIAS-in_bytes = client_bytes AS bytes_in
FIELDALIAS-category = appcategory AS category
FIELDALIAS-out_bytes = server_bytes AS bytes_out
FIELDALIAS-http_referrer = useragent AS http_user_agent
EVAL-http_user_agent_length = len(useragent)
FIELDALIAS-page = page AS url
FIELDALIAS-src_location = src_location AS src_zone
FIELDALIAS-dest_location = dst_location AS dest_zone
EVAL-url_length = len(page)
# from netskope:web
EVAL-action = if(isnotnull(action),action,"isolate")
FIELDALIAS-oc = object_type AS object_category
FIELDALIAS-fu = from_user AS src_user

[netskope:audit]
SHOULD_LINEMERGE = false
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s
TRUNCATE = 999999
KV_MODE = json
EVAL-vendor_product = "Netskope"
# acl_modified, cleared, created, deleted, modified, read, stopped, updated
EVAL-action = case(match(audit_log_event,"create|Create"),"created", match(audit_log_event,"granted"), "acl_modified", match(audit_log_event, "ack|Ack"), "cleared", match(audit_log_event, "delete|Delete"), "deleted", match(audit_log_event,"edit|Edit|Add"),"modified",match(audit_log_event,"Push|push|Reorder|update|Update"),"updated",match(audit_log_event,"Disable|disable"), "stopped",1=1,"unknown")
EVAL-status = case(match(audit_log_event,"success|Success"),"success",match(audit_log_event,"fail|Fail"),"failure",1=1,"unknown")
FIELDALIAS-severity_id = severity_level AS severity_id
FIELDALIAS-data_type = supporting_data.data_type AS object
FIELDALIAS-date_type_attr = supporting_data.data_values{} AS object_attrs
FIELDALIAS-object_cat = category AS object_category
FIELDALIAS-result = audit_log_event AS result

[source::netskope_events_v2_application]
KV_MODE = json
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s
sourcetype = netskope:application
SHOULD_LINEMERGE = false
TRUNCATE = 999999

[source::...*events_iterator_application*.csv]
INDEXED_EXTRACTIONS = CSV
sourcetype = netskope:application
TIMESTAMP_FIELDS=timestamp
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TRUNCATE = 999999

[netskope:application]
FIELDALIAS-src_ip = srcip AS src_ip
FIELDALIAS-src=srcip AS src
FIELDALIAS-dest_ip = dstip AS dest_ip
FIELDALIAS-dest = dstip AS dest
EVAL-dvc = coalesce(hostname, device)
FIELDALIAS-src_location = src_location AS src_zone
FIELDALIAS-dest_location = dst_location AS dest_zone
FIELDALIAS-signature = policy AS signature
EVAL-file_hash = coalesce(local_sha256, local_md5)
FIELDALIAS-file_name = filename AS file_name
EVAL-app_session_key = app_session_id . "::" . host
EVAL-vendor_product = "Netskope"
FIELDALIAS-oc = object_type AS object_category
FIELDALIAS-fu = from_user AS src_user

[source::netskope_events_v2_network]
KV_MODE = json
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s
sourcetype = netskope:network
SHOULD_LINEMERGE = false
TRUNCATE = 999999

[source::...*events_iterator_network*.csv]
INDEXED_EXTRACTIONS = CSV
sourcetype = netskope:network
TIMESTAMP_FIELDS=timestamp
TIME_FORMAT = %s
SHOULD_LINEMERGE = false
TRUNCATE = 999999

[netskope:network]
FIELDALIAS-src_ip = srcip AS src_ip
FIELDALIAS-src=srcip AS src
FIELDALIAS-dest_ip = dstip AS dest_ip
FIELDALIAS-dest = dstip AS dest
EVAL-dvc = coalesce(hostname, device)
EVAL-vendor_product = "Netskope"
FIELDALIAS-bytes = numbytes AS bytes
FIELDALIAS-in_bytes = client_bytes AS bytes_in
FIELDALIAS-out_bytes = server_bytes AS bytes_out
FIELDALIAS-packets_in = client_packets AS packets_in
FIELDALIAS-packets_out = server_packets AS packets_out
FIELDALIAS-src_port = srcport AS src_port
FIELDALIAS-dest_port = dstport AS dest_port
FIELDALIAS-session_id = network_session_id AS session_id
FIELDALIAS-duration = session_duration AS duration

[netskope:incident]
SHOULD_LINEMERGE = false
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s
TRUNCATE = 999999
KV_MODE = json
FIELDALIAS-signature_id = internal_id AS signature_id
FIELDALIAS-action = dlp_match_info{}.dlp_action AS action
FIELDALIAS-object_path = url AS object_path
FIELDALIAS-object_category = true_obj_category AS object_category
FIELDALIAS-signature = title AS signature
FIELDALIAS-src=src_location AS src
FIELDALIAS-src_user = from_user AS src_user
FIELDALIAS-dest = dst_location AS dest
# FIELDALIAS-user = to_user AS user
EVAL-user = coalesce(user, to_user)
EVAL-vendor_product = "Netskope"

[source::netskope_alerts_v2]
KV_MODE = json
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s
sourcetype = netskope:alert
SHOULD_LINEMERGE = false
TRUNCATE = 999999

[source::...*alerts_iterator*.csv]
INDEXED_EXTRACTIONS = CSV
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS=timestamp
TIME_FORMAT = %s
sourcetype = netskope:alert
TRUNCATE = 999999

[netskope:alert]
EVAL-dvc = coalesce(hostname, device)
EVAL-vendor_product = "Netskope"
EVAL-severity_id = coalesce(severity_id, severity_level_id)
EVAL-severity = coalesce(severity_level, dlp_rule_severity, dlp_severity, mal_sev, malware_severity, severity, severity_level)
EVAL-object_path = if(file_path="NA", object, coalesce(file_path, object))
FIELDALIAS-id = internal_id AS id
FIELDALIAS-srcip = srcip AS src
FIELDALIAS-dstip = dstip AS dest
EVAL-file_hash = coalesce(local_sha256, local_md5)
FIELDALIAS-signature = alert_name AS signature
FIELDALIAS-oc = object_type AS object_category
FIELDALIAS-fu = from_user AS src_user
FIELDALIAS-src_location = src_location AS src_zone
FIELDALIAS-dest_location = dst_location AS dest_zone
FIELDALIAS-file_name = filename AS file_name

[netskope:infrastructure]
SHOULD_LINEMERGE = false
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s
TRUNCATE = 999999
KV_MODE = json
FIELDALIAS-device = device_name AS device
EVAL-app = "Netskope"
EVAL-vendor_product = "Netskope"

[netskope:endpoint]
SHOULD_LINEMERGE = false
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s
TRUNCATE = 999999
KV_MODE = json
EVAL-vendor_product = "Netskope"

[netskope:clients]
KV_MODE = json
FIELDALIAS-make = attributes.host_info.device_make AS make
FIELDALIAS-model = attributes.host_info.device_model AS model
FIELDALIAS-os = attributes.host_info.os AS os
FIELDALIAS-ver = attributes.host_info.os_version AS version
FIELDALIAS-name = attributes.host_info.hostname AS dest
FIELDALIAS-user = attributes.users{}.username AS user
EVAL-vendor_product = "Netskope"
SHOULD_LINEMERGE = false
TIME_PREFIX = "timestamp":
MAX_TIMESTAMP_LOOKAHEAD = 35
TIME_FORMAT = %s
TRUNCATE = 999999

[netskope:api]
KV_MODE = json
EVAL-vendor_product = "Netskope"

[netskope:alertaction:file_hash]
FIELDALIAS-action_status = status AS action_status
FIELDALIAS-action_name = orig_action_name AS action_name

[netskope:alertaction:url]
FIELDALIAS-action_status = status AS action_status
FIELDALIAS-action_name = orig_action_name AS action_name

# For proper ingestion of Alert action events used in Splunk ES App
[source::...stash_common_action_model]
sourcetype=stash_common_action_model

[stash_common_action_model]
TRUNCATE = 0
# only look for ***SPLUNK*** on the first line
HEADER_MODE = firstline
# we can summary index past data, but rarely future data
MAX_DAYS_HENCE = 2
MAX_DAYS_AGO = 10000
# 5 years difference between two events
MAX_DIFF_SECS_AGO = 155520000
MAX_DIFF_SECS_HENCE = 155520000
TIME_PREFIX = (?m)^\*{3}Common\sAction\sModel\*{3}.*$
MAX_TIMESTAMP_LOOKAHEAD = 25
LEARN_MODEL = false
# break .stash_new custom format into events
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE_DATE = false
LINE_BREAKER = (\r?\n==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n)
TRANSFORMS-0parse_cam_header = orig_action_name_for_stash_cam,orig_sid_for_stash_cam,orig_rid_for_stash_cam,sourcetype_for_stash_cam
TRANSFORMS-1sinkhole_cam_header = sinkhole_cam_header

Looking at and running your suggested command (good command btw), I get the following output: I don't see any evidence of us modifying or creating a dlp_rule value. I had specifically mapped the dlp_rule to these values below: These are the values I was seeing. I was using this mapping and values in every other query as well, so I must have seen them. This is the default Netskope app. I also looked at any possible sourcetypes or transforms via the GUI, and I didn't see any. I am working on this data with a coworker that has insight into the Netskope portal, and he said that the dlp_role field is blank there as well. If the data had changed, the old data shouldn't have changed. I haven't updated the Netskope app.

There are too many fields to paste in here for the logs themselves, but here are the fields we are looking at:
dlp_fail_reason:
dlp_file:
dlp_incident_id: 0
dlp_is_unique_count:
dlp_mail_parent_id:
dlp_parent_id: 0
dlp_profile:
dlp_rule:
dlp_rule_count: 0
dlp_rule_severity:
dlp_scan_failed:
dlp_unique_count: 0
dst_country: US
dst_geoip_src: 0
dst_latitude: 7.40594
dst_location: Mow
dst_longitude: -1.1551
dst_region: C
dst_timezone: America/
dst_zipcode: N/A
dsthost:
dstip: 1.5.5.5
dstport: 455

With this specific dashboard and use case, I am searching for all time. And the field in general is blank. We only get 3 dlp_rule values, and the rest, 99%, are blank. Not sure how to track down if the data set changed, due to me searching for all time right now.

Thanks for any guidance
Hi @g_cremin

I believe "actions" should be an array of actions, not a dict? This might be affecting things.

...
"actions": [
  {
    "action": "test_connectivity",
    "identifier": "test_connectivity",
    "description": "Tests connectivity to Wazuh",
    "type": "test",
    "read_only": true,
    "parameters": [],
    "output": []
  }
],
...

For more detail on the app.json schema check out https://docs.splunk.com/Documentation/SOAR/current/DevelopApps/Metadata
Hi

To reset the admin password, ensure you are stopping Splunk completely before deleting the passwd file.

# Stop Splunk Enterprise
cd $SPLUNK_HOME/bin
./splunk stop

# Remove the password file
rm $SPLUNK_HOME/etc/passwd

Now create a user-seed file ($SPLUNK_HOME/etc/user-seed.conf):

[user_info]
USERNAME = admin
PASSWORD = YourPassword

Once done, start Splunk:

$SPLUNK_HOME/bin/splunk start

You should now be able to log in with the user/password set in the user-seed.conf file.

For more info check the following docs page: https://docs.splunk.com/Documentation/Splunk/latest/Security/Secureyouradminaccount#Reset_the_administrator_password
Hi @Abass42

You're right in that editing historic data in Splunk isn't really possible. (You can delete data if you have the can_delete capability, though.)

What I'm wondering is that one of 2 things may have happened:
1) The data has changed
2) Your field extractions have changed

They ultimately boil down to the same question - how does the "dlp_rule" field get defined? Is this an actual value in the _raw data (such as [time] - component=something dlp_rule=ABC user=Bob host=BobsLaptop) OR is dlp_rule actually determined/eval'd/extracted from other data in the event, such as a status code, or maybe a regular expression? If this is the case then the questions become: has the data format changed slightly? This could be something as simple as an additional space or field in the raw data which has stopped the field extraction working, or has the field extraction been changed at all? If you're able to provide a sample event then it might help - redacted of course.

Another thing which you could do if you are unsure on what fields are extracted etc. is run a btool on your Search Head (if you are running on-prem) such as:

/opt/splunk/bin/splunk cmd btool props list netskope:application

Are you able to look at a raw historical event where you got a match you expected and compare it to a recent event to see if there are any differences in the event?
Hi @T2

The Cisco Security Cloud app does have a Duo Overview (Dashboard Studio) dashboard, but this is only high level and not the same as the 7 (Classic XML) dashboards in the Duo app. The Duo app uses a static source=duo and a macro to define the Duo index, whereas the Cisco Security Cloud app uses sourcetypes such as "cisco:duo:authentication" and also a Data Model for consuming the data via the overview dashboard.

Ultimately I think the answer is yes - if you have dashboards/searches built on the existing Duo app feed then you are likely going to need to update these to reflect the data coming in via the new app. I would recommend running the Cisco app in a development environment or locally, if possible, so that you can compare the data side-by-side and work to retain parity between the apps before migrating your production environment.
Hello all, I am fairly new to the Splunk community and I'm attempting to reset my Splunk admin password, and for whatever reason it does not work. I go and delete "etc/passwd", restart my Splunk instance and attempt to log in to the web interface, but it never prompts me for a reset. I have even tried commands to do it manually, but nothing works. Has anyone else had a problem like this?