All Posts

The only sure way to control access to data is by index. Have a separate index for each set of access rules. IOW, sources "123456" and "456789" should be in separate indexes, and only roles that need access to the source should have access to the corresponding index.
I think your whitelist setting should be correctly formatted; try using whitelist = 4624,4625 to ensure proper filtering, and confirm whether renderXml=false is appropriate, as XML-based logs may require renderXml=true for accurate extraction. Next, check if Windows is generating these events by running this command in PowerShell:

Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 -or $_.Id -eq 4625 } | Select-Object -First 10

If no events appear, ensure that Windows auditing policies are correctly configured by navigating to gpedit.msc → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff → Audit Logon, and verifying that success and failure logging is enabled. You can also confirm this by running auditpol /get /subcategory:"Logon" in PowerShell. If you see errors like the following, it could indicate a misconfiguration in inputs.conf:

ERROR ExecProcessor - message from "WinEventLog" The parameter is incorrect.

Then perform a Splunk search to confirm whether any relevant events have been indexed by running:

index=* sourcetype=Security:AD_Sec_entmon EventCode=4624 OR EventCode=4625

If no results appear, try searching with index=* EventCode=4624 OR EventCode=4625, or check index metadata with | metadata type=sourcetypes index=wineventlog. If data is still missing, it's worth testing with the default Splunk sourcetype by modifying inputs.conf to use sourcetype=WinEventLog:Security instead:

[WinEventLog://Security]
index = wineventlog
sourcetype=WinEventLog:Security
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = 4624,4625

After making any configuration changes, restart the Splunk Universal Forwarder using splunk restart or Restart-Service SplunkForwarder on Windows.
 
Hi @livehybrid, thanks for the reply. Yes, I did change the app.conf; the only change I made was to update the version number of the app, and yes, the previous version of the app is not asking for any restart. This is my app.conf:

# this add-on is powered by splunk Add-on builder
[install]
state_change_requires_restart = false
is_configured = 0
state = enabled
build = 1

[launcher]
author = My_company
version = 1.8.3
description = This add-on allows integration for Splunk.

[ui]
is_visible = 1
label = Add-on for Splunk
docs_section_override = AddOns:released

[package]
id = TA-add-on-for-splunk

[triggers]
reload.addon_builder = simple
reload.ta_entrust_datacard_intellitrust_add_on_for_splunk_account = simple
reload.ta_entrust_datacard_intellitrust_add_on_for_splunk_settings = simple
reload.passwords = simple
Don't know if I am correct, but as your business day starts at 5 PM (D) and ends at 5 PM (D+1), you need to adjust _time accordingly and you should extract the latest execution time for Job1, Job2, and Job3 within this custom day window. Based on the current time, determine whether a job is PLANNED or EXECUTED.

| makeresults count=1
| eval now=relative_time(now(), "@d+17h")
| append [search index=your_index sourcetype=your_sourcetype earliest=-1d@d+17h latest=@d+17h
    | eval job_status=if(_time <= relative_time(now(), "@d+17h"), strftime(_time, "Executed at %H:%M"), "PLANNED")
    | stats latest(_time) as job_time latest(job_status) as job_status by job_name ]
| eval job_status=if(isnull(job_status), "PLANNED", job_status)
| table job_name job_status

relative_time(now(), "@d+17h") adjusts the custom day window (5 PM as the start of the day); it is evaluated again inside the append subsearch because fields from the outer makeresults, such as now, are not visible inside a subsearch. If _time is stored in epoch format, there is no need to convert it. Adjust the @d+17h if your business day has different start hours. Note: please use the above query with your own index and sourcetype name.
I see. I'd really like option one to work here, and it did work for a user that was using Splunk on-prem:

[abuseipdb_control_coll]
enforceTypes = true
field._key = string
field.value = string
replicate = true

But this same configuration was apparently not working for a user on Splunk Cloud Victoria, whatever the reason (see the previous example). I was unsure whether it was a problem with eventual consistency, or what exactly.
@richgalloway Then how can I achieve this requirement? Please let me know. I don't have any coding knowledge at this moment.
@splunklearner wrote:
@richgalloway IOW, if you add "Source=123456" to the search filter with the intention of restricting results from index=A, it also will restrict the results from index=B and all other indexes. ---> I didn't get this point. I will be creating a role A and selecting index A and then restricting with a search filter (source=123456). So ideally user A will be assigned role A and he will have access to index A and source 123456. These sources are unique and there is only one role for this source. This role may be assigned to multiple users. But how would index B be involved here? Please clarify.

My presumption is that user A may sometimes need to search other indexes than just indexA. If he chooses to search indexB then the search filter still applies, even though it may not make sense for that index. This is why I agree with @isoutamo about avoiding search filters.
What should I check in btool, and how? Please guide me, sir.
That's also my understanding of it. Of course you should check what your environment has for it. btool is a good command to check it.
Based on your example and those in the vendor's documentation, your issue is that you are using only streaming commands before abuseipdbcheck, and it is also a streaming command. This means that all processing is done on the indexers (unlike makeresults and the vendor's examples, which run on the SH side). In your case your search tries to use the KV store lookup on the indexers, but unless you have marked it for replication to the indexers (default is false), it cannot find it and fails. Now you have two options:
1. define that the collection will replicate to indexers
2. force execution to the SH side using a non-streaming command, or use e.g. the localop command https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/Localop, which forces execution on the SH
@isoutamo So here the default is true, right? So will it take OR by default? When we have roleA and roleB which have srcFilters:
roleA: source=A
roleB: source=B
Then Splunk adds those to every SPL query which these users run, like:
input: index=a
real SPL: index=a source=A
Then if a user has both roles assigned to him/her:
input: index=a
real SPL: index=a source=A OR source=B
So by default it will be OR, right? Please confirm.
info_min_time comes from the addinfo command. The values it provides come from whatever timeframe you have set your search to run with. Without seeing your complete dashboard, it is hard to say what tokens you are using for your search. But since you already appear to have a time selection input, with a token name of field1, why not use field1.earliest as your panel search earliest and field1.latest as your panel search latest?
Yes, the error is:

.../apps/abuseipdb_app/bin/splunklib/client.py", line 1384: UrlEncoded('abuseipdb_control_coll')

Which is actually a Python KeyError for the UrlEncoded name of the "control_coll" holding user data (in essence, "collection not found"). The search query causing this is:

index=fortianalyzer action="accept"
| dedup srcip
| eval is_internal=`isInternalIPv4(srcip)`
| search is_internal=False
| abuseipdbcheck ip=srcip
| where abuseConfidenceScore=100
| table srcip, abuseConfidenceScore

Interestingly, directly running abuseipdbcheck on the search head works:

| makeresults | abuseipdbcheck ip=127.0.0.1
The binary is used for verifying the signature of the license key. We have already contacted all vendors listed on VirusTotal. Only the Windows version is affected. If you do not utilize Windows, you can safely remove the binary. Furthermore, if you are a customer of SentinelOne or another vendor, kindly contact them to flag the binary as safe.
I just checked this in https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf, where you found this. It seems that currently you can select whether this operation is AND or OR. This will help, and maybe these are currently more usable?

[default]
srchFilterSelecting = <boolean>
* Determines whether a role's search filters are used for selecting or eliminating during role inheritance.
* If "true", the search filters are used for selecting. The filters are joined with an OR clause when combined.
* If "false", the search filters are used for eliminating. The filters are joined with an AND clause when combined.
* Example:
  * role1 srchFilter = sourcetype!=ex1 with selecting=true
  * role2 srchFilter = sourcetype=ex2 with selecting = false
  * role3 srchFilter = sourcetype!=ex3 AND index=main with selecting = true
  * role3 inherits from role2 and role 2 inherits from role1
  * Resulting srchFilter = ((sourcetype!=ex1) OR (sourcetype!=ex3 AND index=main)) AND ((sourcetype=ex2))
* Default: true
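As an added illustration (not Splunk's own code or anything from the thread), here is a small model of the combination rule quoted from the authorize.conf spec: selecting filters are OR-ed, eliminating filters are AND-ed, and the two groups are AND-ed together, with the parenthesisation taken from the spec's own example. The role names, filters and user search are constructed for the example; it also covers the roleA/roleB case asked about earlier in the thread.

```python
# Added model of the authorize.conf srchFilterSelecting rule (not Splunk code).
# Parenthesisation follows the spec's "Resulting srchFilter" example above.

def combine_srch_filters(roles):
    """roles: list of (srchFilter, selecting) for a role and all roles it
    inherits from. Returns the effective filter string ("" if no filters).

    selecting=true  -> the user may see any of these, so they are OR-ed
    selecting=false -> each one further restricts results, so they are AND-ed
    The OR group and the AND group are then AND-ed together."""
    selecting = [f for f, sel in roles if sel and f]
    eliminating = [f for f, sel in roles if not sel and f]
    parts = []
    if selecting:
        parts.append("(" + " OR ".join(f"({f})" for f in selecting) + ")")
    if eliminating:
        parts.append("(" + " AND ".join(f"({f})" for f in eliminating) + ")")
    return " AND ".join(parts)


def effective_search(user_spl, roles):
    """The search a user actually runs once the role filter is appended."""
    srch_filter = combine_srch_filters(roles)
    return f"{user_spl} {srch_filter}" if srch_filter else user_spl


# The spec's example: role3 inherits from role2, which inherits from role1.
DOC_EXAMPLE = [
    ("sourcetype!=ex1", True),                 # role1, selecting
    ("sourcetype=ex2", False),                 # role2, eliminating
    ("sourcetype!=ex3 AND index=main", True),  # role3, selecting
]

# Constructed case from this thread: roleA and roleB with the default
# srchFilterSelecting=true, so a user holding both gets source=A OR source=B.
THREAD_EXAMPLE = [("source=A", True), ("source=B", True)]

if __name__ == "__main__":
    print(combine_srch_filters(DOC_EXAMPLE))
    print(effective_search("index=a", THREAD_EXAMPLE))
```

The point for an access-control review is that with the default selecting=true, adding a second role widens what a user can see (OR), whereas only selecting=false filters narrow it (AND).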
In addition to the other answers, you may also want to check that your forwarder is not having permission problems reading the Security wineventlog. If you install the unprivileged Windows forwarder and do not add the SplunkForwarder virtual user to the "Event Log Readers" group, then it may fail to subscribe to the Security event log channel.

Search (assuming that your forwarder IS sending internal logs, but not Windows event logs):

index=_internal host=<host> errorCode=5 "unable to subscribe to Windows Event Log"
Depending on whether you want to do this directly in Splunk, and what modules you have installed in your Splunk Enterprise deployment, it may be practical to schedule a scripted input which sends an HTTP request to the download page, searches for the <span class="version">9.4.1</span> text, then extracts the value in the middle. You can then set up a scheduled alert if the version does not match your current version, which can be retrieved using "| rest services/server/info".
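As an added example (not from the post or from Splunk), the version check described above written as a scripted input: it extracts the <span class="version">...</span> value from the page, compares it with the installed version and emits one key=value event for Splunk to index. The download-page URL, the HTML sample and the installed version are constructed placeholders.

```python
# Added example of the scripted input described above (not from the post).
import re
import sys
import urllib.request

DOWNLOAD_PAGE_URL = "https://example.invalid/splunk-download"  # placeholder
VERSION_RE = re.compile(r'<span class="version">\s*([0-9]+(?:\.[0-9]+)*)\s*</span>')

# Constructed stand-in for the download page so the functions run offline.
SAMPLE_HTML = '<div>Latest release <span class="version">9.4.1</span></div>'


def extract_version(html):
    """Return the first <span class="version">X.Y.Z</span> value, or None."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def compare_versions(current, latest):
    """'behind', 'current' or 'ahead' for the installed version vs. the page."""
    c = tuple(int(p) for p in current.split("."))
    l = tuple(int(p) for p in latest.split("."))
    return "behind" if c < l else ("current" if c == l else "ahead")


def version_event(current, html):
    """One key=value line to be indexed; the alert can search status=behind."""
    latest = extract_version(html)
    if latest is None:
        return f'current_version="{current}" status="parse_error"'
    status = compare_versions(current, latest)
    return f'current_version="{current}" latest_version="{latest}" status="{status}"'


if __name__ == "__main__":
    # The installed version is passed in by the wrapper that runs this script
    # (e.g. taken from "| rest services/server/info"); 9.3.2 is a placeholder.
    current = sys.argv[1] if len(sys.argv) > 1 else "9.3.2"
    try:
        with urllib.request.urlopen(DOWNLOAD_PAGE_URL, timeout=10) as resp:
            html = resp.read().decode("utf-8", "replace")
        print(version_event(current, html))
    except Exception as exc:  # a fetch failure is itself worth an event
        print(f'current_version="{current}" status="fetch_error" error="{exc}"')
```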
This app is compatible with Splunk Enterprise, NOT Splunk Cloud. You will have to open a case with Splunk and ask if it can be vetted, or check github.com to see if there are any.
real SPL: index=a source=A AND source=B AND foobar
I am confused here about why AND will come. Do we have any documentation on this to prove it to our teammates?