All Posts

Hi @securepoint Unfortunately I can't get any of the Cortex docs to load for me at the moment; however, at a previous customer we used Splunk SC4S to receive a syslog feed from Cortex and then sent this to Splunk over HEC. This was the raw data rather than alerts etc. Are you able to configure any outputs such as syslog from your Cortex XDR configuration? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
I'm using Splunk Cloud version 9.3.2408.107. I checked and it is an IoT input, and I made sure there is not a space in "test". The add-on version is 1.0.1. Thanks for the help.
Hi @Odnaits Please can you confirm which Splunk version you are on, and whether it's an XDR or IoT input you are creating? I tried this locally and it worked for me (for both); is there definitely no space before or after the word "test"? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards Will
I am listing the index names using a REST query and then checking those index names against audit or internal to find how many indexes are used, which sourcetypes are used, and how many indexes are not used in Splunk. Also I need to identify which indexes and sourcetypes have not received any data for a period exceeding 90 days.
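Added example (mine, not from this thread) for the 90-day part of the question. The first search takes the index list from the REST endpoint the poster already uses and left-joins a tstats summary of the last 365 days, so indexes whose newest event is older than 90 days, or that are missing from the summary altogether, are reported; the second uses the metadata command, which returns the last event time per sourcetype. The window sizes and the field names last_event and days_since_last are my choices.

```spl
| rest /services/data/indexes
| dedup title
| fields title
| rename title AS index
| join type=left index
    [| tstats latest(_time) AS last_event WHERE index=* earliest=-365d BY index]
| where isnull(last_event) OR now()-last_event > 90*86400
| eval days_since_last=if(isnull(last_event), "365+", round((now()-last_event)/86400))
| eval last_event=if(isnull(last_event), "-", strftime(last_event, "%Y-%m-%d"))
| table index last_event days_since_last

| metadata type=sourcetypes index=*
| eval days_since_last=round((now()-lastTime)/86400)
| where days_since_last > 90
| eval lastTime=strftime(lastTime, "%Y-%m-%d")
| table sourcetype lastTime days_since_last totalCount
| sort - days_since_last
```

Both searches only see events still within retention, so an index whose data has aged out shows up as "-" rather than with its real last event time. Whether an index is "used" in the sense of being searched is a different question, answered from index=_audit rather than from the data itself.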
I'm trying to extract endpoint data from Cortex XDR, but I don't want to see just alerts in Splunk. I need all the endpoint data collected by XDR to be replicated in Splunk. Neither Palo Alto nor Splunk support has been able to assist with this. I can't be the first person to ask about it, since this is a fundamental requirement, unless it's simply not possible and everyone else already knows that except me. There should be one way, calling the APIs through HEC in Splunk; I need to write a script for it. Has anyone tried this approach or any other?
1. Main question: how do you define "not used"?
2. While indexes are discrete "bags" for events, a sourcetype is just a label. Yes, it bears a significant meaning for Splunk functionalities, but you can even make each event have a separate sourcetype. So why would you want to know what your "unused" sourcetypes are?
Greetings, Every time I try to create a new input on the 1.01 version of Splunk Add On for Palo Alto this error appears; is there a way to solve this? I tried to see if the error was on the other inputs, but it seems that it is on the name. Thanks in advance.
@mohsplunking Since BeyondTrust Remote Support SaaS is a cloud offering, the integration likely relies on its API capabilities or syslog forwarding features that can be directed to Splunk Cloud.
HEC
Splunk Cloud supports HEC, which allows you to send data over HTTPS using a token-based authentication method. If BeyondTrust Remote Support SaaS can send event data (e.g., session logs) to a custom endpoint, HEC could ingest this data directly.
Custom TA for REST API
Check BeyondTrust's documentation or contact their support to confirm the availability of a REST API for the SaaS version. Build a custom TA. Install the "REST API Modular Input" app from Splunkbase (if supported in your Splunk Cloud environment; you may need to request Splunk Support to install it). Configure a REST input with the BeyondTrust API URL, authentication (OAuth or API key), and polling interval (e.g., every 60 seconds). Write props.conf and transforms.conf in the TA to parse the API response (likely JSON) into meaningful fields for Splunk.
Syslog Forwarding with an Intermediary
In the BeyondTrust admin interface, set up syslog forwarding to a server you control (e.g., an IP address and a port like 514 for UDP or TCP). Deploy a Splunk Universal Forwarder on a small VM or container. Configure it to listen for syslog data and forward it to Splunk Cloud using outputs.conf.
Interesting approach and thanks for providing it! I came up with multiple solutions for the different scenarios we have. We have some 9.4.0 right now we are testing and some 9.3.1 which will be upgraded to 9.3.2 soon.
If there was a single value panel in a row by itself I just updated the CSS to change the width of the entire row vs just the width of the panel, by giving the row an id instead of giving the single value panel an id.
#panelid { width: 30% !important; } /* this works in 9.3.1 but not in 9.4.1 */
#rowWithPanel { width: 30% !important; } /* this works in 9.4.1 and 9.3.1 */
If there were two single value panels in a row that we needed to adjust the width of, I used the below. I wrote it two ways so that it would work in all our environments that currently have v9.3.1 and 9.4.0.
#panelid1 {
  width: 15% !important; /* this works in 9.3.1 but not 9.4.1 */
  flex-basis: 15% !important; /* this works in 9.4.1 but not in 9.3.1 */
}
#panelid2 {
  width: 25% !important; /* this works in 9.3.1 but not 9.4.1 */
  flex-basis: 25% !important; /* this works in 9.4.1 but not in 9.3.1 */
}
that last one seems to undo the month summarizing  
Correct, I made sure it was NOT disabled as a process of elimination in the troubleshooting.
Resolution: Having made sure it was not on the deployer or in '/opt/splunk/var/run/splunk/deploy/apps/', I manually deleted the TA folder and undertook a rolling restart on the SHC. This fixed it.
Prior to this I had also found WARN in _internal relating to deprecated parameters in limits.conf; planning a change tomorrow to support the updated stanza / authorize params.
[auth]
enable_install_apps = true
I also noted that in the given app under app.conf there was a niche setting:
allows_disable = false
I'm unclear if this has any impact on deletion (docs don't say).
@mvasquez21 Refer to my output:
@mvasquez21 Yes, you can definitely display the months chronologically instead of alphabetically. To achieve this, you need to convert the month representation (e.g., "Jan 2024") into a sortable format, like a timestamp or a year-month string (e.g., "2024-01").
index = _audit user="*" action="login attempt" info=succeeded | eval _time=relative_time(now(), "-".(random()%180)."d") | eval month=strftime(_time, "%Y-%m-%d"), sort_month=strftime(_time, "%Y-%m-%d") | chart count over user by month | sort + sort_month
Thanks for your inputs here Kiran; however, it does look like that integration guide is for the BeyondTrust Remote Support integration. Regards, Mohammed.
The query is not getting the expected result; I need to get the list of indexes which are not used by anyone.
One last thing: this is listing the months alphabetically. Any way to do it chronologically?
Perfect! You are a genius.
@mvasquez21 Don't append makeresults to your query. Use this:
index = _audit user="*" action="login attempt" info=succeeded | eval _time=relative_time(now(), "-".(random()%180)."d") | eval month=strftime(_time, "%b %Y") | chart count over user by month
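Added example (mine, not from this thread) for the chronological-ordering follow-up to this answer: chart orders its split-by columns by the label text, so "Apr 2024" lands before "Jan 2024". The first search uses a "%Y-%m" label, which sorts correctly as text; the second keeps the "%b %Y" labels by letting timechart put the months in time order and then transposing so users become rows. The random() eval used in this thread only fakes timestamps for test data and is left out here.

```spl
index=_audit action="login attempt" info=succeeded user=*
| eval month=strftime(_time, "%Y-%m")
| chart count OVER user BY month

index=_audit action="login attempt" info=succeeded user=*
| timechart span=1mon count BY user limit=0 useother=f usenull=f
| eval month=strftime(_time, "%b %Y")
| fields - _time
| transpose 0 header_field=month column_name=user
```

The time picker, not a random offset, decides which months appear; set it to the range you want summarized.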
OK. So the TA you're trying to remove is disabled or enabled?
When I try to append my search with it I get this error: Error in 'makeresults' command: This command must be the first command of a search.
index = _audit user="*" action="login attempt" info=succeeded | makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month