Having a lot of indexes can work against you. It means the UI can take longer to load. It also means indexers have to open and unzip more files. It may also lead to more buckets for the Cluster Manager to track. Some are tempted to create a new index for each data source. Resist that temptation. A new index is needed if:
1) New access requirements are needed for some data
2) New retention requirements are needed for some data
3) Data volume is high enough that searches for low-volume data in the same index are affected
Same, I see that there are missing models also. When I even went to the ONNX GitHub I still can't find the models that the Splunk query is using for the MLTK.

```
| tstats `summariesonly` dc(All_Traffic.src) as src_count, count as total_count from datamodel=Network_Traffic.All_Traffic
| apply app:network_traffic_src_count_30m [|`get_qualitative_upper_threshold(extreme)`]
| apply app:network_traffic_count_30m [|`get_qualitative_upper_threshold(extreme)`]
| search "IsOutlier(src_count)"=1 OR "IsOutlier(total_count)"=1
```

Where is this located?
I have this small Splunk Enterprise deployment in a lab that's air-gapped. So I set up this deployment about 18 months ago. Recently I noticed I am not rolling any data. I want to set a retention period of 1 year for all the data. After checking the configuration, it looks like I have # of Hot buckets set to auto (which is 3 by default, I assume) but I don't find any Warm buckets. So, everything is in Hot buckets. I am looking at a few settings, maxHotSpanSecs, frozenTimePeriodInSecs and maxVolumeDataSizeMB, that should roll data to warm and then cold buckets eventually.

Under /opt/splunk/etc/system/local/indexes.conf:
maxHotSpanSecs is set to 7776000
frozenTimePeriodInSecs 31536000
maxVolumeDataSizeMB (not set)

Under /opt/splunk/etc/apps/search/indexes.conf:
maxHotSpanSecs not set
frozenTimePeriodInSecs 31536000 (for all the indexes)
maxVolumeDataSizeMB (not set)

Shouldn't frozenTimePeriodInSecs take precedence? Maybe my maxVolumeDataSizeMB is set too high. Do I need to change it? How do frozenTimePeriodInSecs and maxVolumeDataSizeMB affect each other? I thought frozenTimePeriodInSecs would override maxVolumeDataSizeMB.
@PickleRick ok got it. So the secure one will be creating a separate index application-wise. But we have nearly 500 indexes to come in overall scope and as of now we have created 100+ indexes, which means 50 apps (non-prod and prod, 2 indexes per app). If I create summary indexes for these it would be more indexes again. Ideally how many indexes should there be in an environment? However we are using volumes and SmartStore as well. Is it very difficult to manage these indexes in future?
They are logging in daily but still can't see their name and title.
Ok. As I said - you will only see the groups directly assigned by group mappings - no inherited roles. That's one thing. Another thing - as far as I remember, the user is assigned roles from LDAP mapping at the time they are logging in. After that the provisioned user stays the way it is until the user logs in again, LDAP gets contacted and then the user's roles are synchronized to LDAP groups. So if - for example - your users last logged in a month ago but you added them to various LDAP groups last week, you won't see that in Splunk until they log in.
As I said before - you _can_ use search-time fields but your users can bypass it if they know about it and know how.
Hello, I see there are lots of Cisco event-based detections and not many Palo Alto or Check Point (FW, IDS/IPS, threats) events. Is everyone just creating their own event-based detections for these two vendors? I do have all the TA apps installed and connectors for both vendors. Just not seeing any event-based detections that have already been set up.
I'm going to have to go down the Regex path as the Networking team doesn't want to change how their side is set up. I want to double check, this would go on the indexer, correct? I missed the "on the first HF/Indexer"
@PickleRick will this work for me? What @splunklearner gave...
I mean we have 100 roles already assigned to the users (AD groups) and we can see only 5 roles when giving that search... We want to see all roles assigned to each user... AD group consists of many members
1. It's an old thread. It's often that people aren't even active on Answers after several years. 2. An index is just a place for events "storage". Whether props/transforms work or not is not index-specific (ok, it _can_ be made index-specific but you have to work to explicitly make it so; you can safely assume that it's a very very unlikely case). So if your index-time mechanism doesn't work, it's either defined in a wrong place (where do you have your settings defined?) or is not written properly.
Why would you create indexed fields in the first place? You have nice space-delimited entries; if you just want performance, use TERM() in your searches.
Wait. Are you saying that you're getting only a handful of results, meaning that you don't see all users? (Because that's usually the case @livehybrid described: a problematic setting in role definitions causes users to not show up properly in some places.) Or do you mean that you have 100 roles defined in your system and only see 5 roles assigned to the users? This case is actually normal because Splunk doesn't expand inherited roles. You can see all effective capabilities per user, but you can't see any "intermediate" roles, just the ones explicitly assigned to a user.
You can cheat a bit using normal line chart by selecting to not fill gaps and possibly generating empty rows with no value between valid data points. But there should be better ways to do it.
```
| eval row=mvrange(0,2)
| mvexpand row
| eval tmp=if(row==0,tmp,null())
| eval min_w=if(row==0,min_w,null())
| eval max_w=if(row==0,max_w,null())
| fields - row
```

Use a line chart with no joining for nulls.
No, the question wasn't for the logs from the Trellix solution. The question is whether you're getting any Splunk forwarder's own events into your _internal index from the hosts from which you will also want to pull Trellix events. Also - where and how are you putting those inputs.conf settings?
I want to configure Federated Search so that Deployment A can search Deployment B, and Deployment B can also search Deployment A. I understand that Federated Search is typically unidirectional (local search head → remote provider). Is it possible to configure it for true bidirectional searches in a single architecture (create two separate unidirectional configurations, A→B and B→A)? Has anyone implemented this setup successfully? Any best practices or caveats would be appreciated. Also, has anyone implemented this along with ITSI? What are the takeaways and dos & don'ts?
Team, do you know where I can find information about certifications like ISO 27001 that apply to our agents such as the OTel Collector (Splunk Distribution), UF, HF?