Thank you very much Bishida! We tried AWS integration from Splunk's Data Management/Add Integration/AWS, which connected successfully. Anyway, we noted that the ECS widget shown in your image doesn't show unless we have an EC2 ECS cluster, which is not our use case: ours is a Serverless (Fargate) cluster. Do you know if there is any way to poll this kind of cluster information? Thanks!
Well, sometimes you have to work with what you have. Nothing shameful about it. Just be aware that this format might require you to craft your searches much more thoughtfully if you want them to be relatively quick. For example, since you have this whole keyname=something,value=somethingelse setup, you can't do a simple something=somethingelse search because that field isn't extracted and isn't known until you plow through your data with the foreach command. But you can limit your initial search results in that case by simply searching for "somethingelse" as a search term, regardless of where in the event it is. This can hugely improve your search times.
Hi There, can you tell me why this is not working? I see the searches in both tables with depends tokens executing. I used your logic itself:

    <input type="dropdown" token="indextypeboss" searchWhenChanged="true">
      <label>Select Index</label>
      <choice value="bexg-reservations-air">Live Index</choice>
      <choice value="summary-bex-aircpr-details">Summary Index</choice>
      <prefix>index="</prefix>
      <suffix>"</suffix>
      <change>
        <condition label="Live Index">
          <set token="ShowLiveIndexboss"></set>
          <unset token="ShowSummaryIndexboss"></unset>
        </condition>
        <condition label="Summary Index">
          <unset token="ShowLiveIndexboss"></unset>
          <set token="ShowSummaryIndexboss"></set>
        </condition>
      </change>
      <default>summary-bex-aircpr-details</default>
    </input>
    <input type="time" token="ctimeairboss" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <table depends="$ShowLiveIndexboss$">
      <title>Success/Fail Ratio on selected TPID, Carrier &amp; GDS (Sorted by Failed Count)</title>
      <search>
        <query>$indextypeboss$ my query</query>
        <earliest>$ctimeairboss.earliest$</earliest>
        <latest>$ctimeairboss.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
    <table depends="$ShowSummaryIndexboss$">
      <title>Success/Fail Ratio on selected TPID, Carrier &amp; GDS (Sorted by Failed Count)</title>
      <search>
        <query>$indextypeboss$ my query</query>
        <earliest>$ctimeairboss.earliest$</earliest>
        <latest>$ctimeairboss.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
Hi there, we're currently migrating to ES 8 and need to see Work Notes (comments) provided by analysts in some dashboards/reports. Previously, the incident_updates_lookup contained the "comment" field, which held this information, and was easy to access in a search. With ES 8, this was obviously mentioned as a limitation - "The Comments feature available in prior versions of Splunk Enterprise Security is now replaced by an enhanced capability to add notes." How can we access those notes (KV Store/Lookup/...) outside of having to click through the Mission Control/Analyst Queue manually? Where are they stored?
Hi, thanks for the answers on this. Yes, you have some good points that I will look into. The data is distributed trace from OTel. I am not sure how much I can change, but I will talk to the developers. Cheers, Robert
As we have recently enabled various audit settings on our domain, we now have 4662 events being generated on the DCs. I am now trying to reduce the number of 4662 events being forwarded to our Splunk backend on the "front end" by tuning the inputs.conf on the DCs. The desired situation is that only events that contain one of the GUIDs that indicate a potential DCSync attack are forwarded to Splunk: "Replicating Directory Changes all", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2" or "9923a32a-3607-11d2-b9be-0000f87a36b2" (from https://www.praetorian.com/blog/active-directory-visualization-for-blue-teams-and-threat-hunters/). So: drop all 4662 events, except if they match any of these GUIDs. I've been playing with the existing blacklist line for event 4662 to fulfil this purpose, but can't seem to get it to work. Not even for one of these GUIDs, like for example the below:

    blacklist1 = EventCode="4662" Message="Properties:\sControl\sAccess\s^(?!.*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2})"

Obviously I've restarted the Splunk forwarder after every tweak. Can anybody help with compiling a proper blacklist entry?
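As an added example (not from the thread), the Python below emulates how a blacklist = EventCode="4662" Message="<regex>" rule behaves against the pattern in the question and against a corrected one, using the GUIDs the question quotes. It assumes the Message regex is evaluated as an unanchored search (as Python's re.search does) and uses constructed 4662 message bodies in place of real ones.

```python
import re

# The GUIDs the question quotes (from the Praetorian write-up it links).
DCSYNC_GUIDS = (
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2",
    "9923a32a-3607-11d2-b9be-0000f87a36b2",
)

# The Message pattern from the question. '^' sits after literal text, so it can never
# match there, and '.*' does not cross the line breaks in a 4662 Message: nothing is dropped.
BROKEN_BLACKLIST = (
    r"Properties:\sControl\sAccess\s^(?!.*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2})"
)

# Corrected pattern: anchor the negative lookahead at the start of the field and let it
# span lines, so the rule matches (drops the event) only when none of the GUIDs appears
# anywhere in the Message.
KEEP_DCSYNC_BLACKLIST = (
    r"^(?![\s\S]*(?:" + "|".join(re.escape(g) for g in DCSYNC_GUIDS) + r"))"
)

# Constructed sample Message bodies, trimmed to the Properties block of a 4662 event.
REPL_ALL_MSG = (
    "An operation was performed on an object.\r\n\r\nProperties:\r\n"
    "\t\tControl Access\r\n\t\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n"
)
BENIGN_MSG = (
    "An operation was performed on an object.\r\n\r\nProperties:\r\n"
    "\t\tControl Access\r\n\t\t\t{00000000-0000-0000-0000-000000000000}\r\n"
)
SAMPLE_EVENTS = [
    ("replication-all", "4662", REPL_ALL_MSG),
    ("benign-4662", "4662", BENIGN_MSG),
    ("logon-4624", "4624", BENIGN_MSG),  # other EventCode: the rule never applies
]

def is_blacklisted(event_code, message, message_pattern):
    """Emulate blacklist = EventCode="4662" Message="<pattern>": the event is
    dropped when both keys match; Message is tested with an unanchored search."""
    return event_code == "4662" and re.search(message_pattern, message) is not None

def forwarded(events, message_pattern):
    """Return the labels of events that survive the blacklist and get forwarded."""
    return [label for label, code, msg in events
            if not is_blacklisted(code, msg, message_pattern)]

if __name__ == "__main__":
    print(forwarded(SAMPLE_EVENTS, BROKEN_BLACKLIST))       # everything still forwarded
    print(forwarded(SAMPLE_EVENTS, KEEP_DCSYNC_BLACKLIST))  # ['replication-all', 'logon-4624']
```

Whether the forwarder applies the Message regex as a search or a full match is worth confirming against the inputs.conf documentation for your version before relying on the corrected pattern.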
That is a wonderful answer, and thanks very much. I did find another issue where I have multiple lines on the same line, so I have accepted another answer - but that very much
Wow, what a great answer to my issues! I am using this, and I want to thank you very much again. Thanks. I did not spot the mr_batchID as unique, so I am using it now.
Hi @Hemant_h
The reply=1 suggests that the token is disabled (see https://docs.splunk.com/Documentation/Splunk/9.4.1/Data/TroubleshootHTTPEventCollector#:~:text=Forbidden-,Token%20disabled,-2). Can you please confirm that the token is enabled on your destination? You can also validate that the token is working using

    https://<yourHECEndpoint>/services/collector/health?token=<yourToken>

which should reply

    {"text":"HEC is healthy","code":17}

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Short documentation reminder: https://docs.splunk.com/Documentation/DBX/3.18.2/DeployDBX/Prerequisites "KV store must also be active and working properly as of DB Connect version 3.10.0 and higher"
Is your issue resolved? Getting the same error on HF for HEC tokens.
    ERROR HttpInputDataHandler [3996076 HttpDedicatedIoThread-0] - Failed processing http input, token name=cnollc-cnoiwf-stg3.pegacloud.net, channel=n/a, source_IP=192.168.11.39, reply=1, events_processed=0, http_input_body_size=524, parsing_err=""

We are getting this error; we have done the configuration for dual ingestion. The same server is sending logs to both the on-prem and Cloud environments. How do we fix these errors?
Hi @Xiaorq
It looks like you have a regular ingest license, plus the ITSI Internal license (this is for sourcetype=itsi_*, used for internal ITSI metadata etc.); however, it doesn't look like you have the actual ITSI license, which unlocks ITSI to be used. I see you are on a Sales Trial license; did the sales team provide you an additional ITSI license? I would recommend reaching out to them to check they've given you the correct license(s) to run ITSI. Check out https://www.youtube.com/watch?v=SUQpN8Re66g which might help too.
Same issue for me. I have 3 panels with 22 server names each that I want to have on one page. Splunk should expand the trellis and single value visualization options, like adding pages per view. Please let me know if there is an XML option in the panel or HTML code to increase the default 20 units per page.
Hi, Limey,
Use the '.dashboard-body' selector and add inside it the properties you want:

    .dashboard-body {
      background-image: url('/static/app/AppName/images/image.png');
      background-repeat: no-repeat !important;
      background-size: cover !important;
    }

The result will be a stretched image on the whole dashboard as a background.
Kind regards, Boryana
Hi @mshakeb, I suppose that you're ingesting logs using a Universal Forwarder. If there isn't any issue (that you can search for in _internal), the UF reads all the WinEventLogs from the Domain Controller, so if some event is missed, you should check whether it was generated in WinEventLog. Ciao. Giuseppe
Hi
Data loss or intermittent event visibility can occur at several points: source generation, forwarder collection/sending, network transport, or indexer processing/filtering.
- Verify Event Generation: First, confirm that Event ID 4724 is consistently generated in the Windows Security Event Log on the Domain Controller itself, using the native Event Viewer during your tests. If it's not logged there reliably, the issue lies with the Windows auditing configuration, not Splunk.
- Check Forwarder Configuration: Ensure the inputs.conf on the Universal Forwarder monitoring the Domain Controller has the correct stanza ([WinEventLog://Security]) and is enabled (disabled = false). Verify that no blacklist or whitelist settings within this stanza, or related props.conf/transforms.conf, are unintentionally filtering Event ID 4724.
- Check Forwarder Status & Connectivity: Verify the Splunk forwarder service is running on the DC and can connect to the indexers. Check for errors in the forwarder's internal logs.
- Check Indexer Processing: Ensure no index-time filtering rules (props.conf/transforms.conf on indexers) are discarding these events (e.g., routing to nullQueue).
- Multiple Domain Controllers: Do you have multiple domain controllers? It could be that one or more of them are not configured correctly to send data to Splunk, so when this event is actioned against that particular DC you do not get the logs in Splunk.
Hi @Kalyan_N
There is an example at https://github.com/livehybrid/dashpub/blob/master/template/src/pages/api/data/%5Bdsid%5D.js which I use to run Splunk queries for publishing dashboards externally. Basically, you just hit the relevant REST API endpoint for whatever action you want to carry out. For more info on the search endpoints, check out https://docs.splunk.com/Documentation/Splunk/9.4.1/RESTREF/RESTsearch
We have noticed that some Windows Domain Controller server event logs are not appearing in the Splunk search. For example, we conducted testing on Event ID 4724, and what we noticed is that the event is logged sometimes and sometimes it isn't. What could be the issue? Has anyone faced this before?
Hi @mshakeb, please don't attach your request to another one, even if it is on the same topic; open a new question. In this way, you'll have more choices to describe your requirements and to receive an answer. Ciao. Giuseppe