@phamanh1652 Have you created the index called "trellix"? Also check the Splunk internal logs on your Splunk Cloud search head. You can use this add-on to integrate your Trellix MVISION. It supports both Splunk Cloud and Splunk Enterprise. https://splunkbase.splunk.com/app/7022
</grreplace>
<gr_replace lines="11" cat="reformat" orig="The allowedDomainList setting can be in any alert_actions.conf file on your search head(s).  Precedence rules apply, however.  See https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles">
The allowedDomainList setting can be in any alert_actions.conf file on your search head(s). Precedence rules apply, however. See https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles
The allowedDomainList setting can be in any alert_actions.conf file on your search head(s).  Precedence rules apply, however.  See https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles
@ws In that case you mainly need to update these .confs, as far as I remember:
- server.conf: update serverName = splunk.test2.com
- inputs.conf: update host = splunk.test2.com if it was set with the old name
- web.conf: update mgmtHostPort if it references the old name
- SSL certs: regenerate certs with the new hostname if HTTPS is used
Also check the network devices configured with this new hostname/IP and update DNS records and firewall rules if applicable.
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Based on my current understanding, the following:
- The domain name will be changed from splunk.test1.com to splunk.test2.com.
- Splunk is installed on a RHEL (Red Hat Enterprise Linux) operating system.
- Network devices are forwarding data directly to the Splunk All-in-One (AIO) instance.
- There are currently no deployment clients connected.
- No API calls are being utilized at this time.
As you probably already noticed, I'm not a big fan of the TA_nix app. But, to be fair, ingesting logs (let's leave aside the scripts for now) from a multitude of different sources, usually all writing to the same file in completely unrelated formats, is a difficult task, and ingesting "general Linux" logs is usually a huge PITA. Reporting a bug doesn't hurt. To be honest, I don't remember what TA_nix does with the auditd logs. I remember that the addon I pointed you to had a counterpart in the form of an app: https://splunkbase.splunk.com/app/2642 That's why I used the addon in the first place.
OK. Let me be a bit more precise. The SDK as such is not a "method". It's a Software Development Kit which can help you in writing your code, but it still has to use one of the available methods. In Splunk's case the ways to get data into Splunk are:
1) Pushing from remote via HEC (or generally, other inputs used by Splunk out of the box: writing to files and monitoring them, sending via syslog and so on)
2) Writing your own modular inputs (that's generally where the SDK helps)
Both of these methods need an input on Splunk's side. And the main point here is that you cannot go without a forwarder, unless you create an input directly on the indexer(s), which is not advisable. OK, technically, you could go via the "let's craft a search which will do something and call collect at the end" route, but it's an even worse idea, so I will not even acknowledge that it exists. There is no other way than through inputs to "get something into Splunk". And the SDK is not a "method of getting the data in". It's just a component which helps you write Splunk-related code. It's a completely different layer.
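To make the first of the two methods above concrete, here is an added example (not code from the thread or from Splunk) of a HEC push with both sides of the exchange visible. The "collector" is a local stand-in that mimics the real input's behaviour, a per-input token carried in the Authorization header, one JSON object per event, and the "Success" / "Invalid token" replies, so the script runs offline; the token value, index name, sourcetype, host and the two sample events are all constructed for the example. Against a real instance the client would post to https://<host>:8088/services/collector/event instead.

```python
# Added example, not from the original post: a minimal HEC exchange with both
# sides shown. The "collector" below is a local stand-in that mimics the real
# endpoint's token check and reply format so the script runs offline; against
# a real Splunk instance you would POST to https://<host>:8088/services/collector/event
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed token value for the example; real HEC tokens are generated per input.
HEC_TOKEN = "11111111-2222-3333-4444-555555555555"


def build_hec_batch(events, *, index, sourcetype, host):
    """Serialise (epoch_time, payload) pairs in the HEC event format.

    The event endpoint takes one JSON object per event; several can be
    concatenated in one POST, which is what makes batching cheap.
    """
    objs = [{"time": ts, "host": host, "index": index,
             "sourcetype": sourcetype, "event": payload} for ts, payload in events]
    return "\n".join(json.dumps(o) for o in objs).encode()


class FakeCollector(BaseHTTPRequestHandler):
    """Stand-in for the HEC input: checks the token, parses the batch, replies like Splunk."""
    received = []

    def do_POST(self):
        if self.path != "/services/collector/event":
            self._reply(404, {"text": "Not found"})
            return
        # The token is the only credential HEC has; a wrong one is rejected before parsing.
        if self.headers.get("Authorization") != f"Splunk {HEC_TOKEN}":
            self._reply(403, {"text": "Invalid token", "code": 4})
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            batch = [json.loads(line) for line in body.decode().splitlines() if line]
        except ValueError:
            self._reply(400, {"text": "Invalid data format", "code": 6})
            return
        self.received.extend(batch)
        self._reply(200, {"text": "Success", "code": 0})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):  # silence default request logging
        pass


def send_to_hec(url, token, body):
    """Client side: POST the batch with the token in the Authorization header."""
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    """Run the exchange end to end; returns (good reply, bad-token reply, events stored)."""
    FakeCollector.received.clear()
    server = HTTPServer(("127.0.0.1", 0), FakeCollector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/services/collector/event"
    # Constructed sample events for the example
    batch = build_hec_batch(
        [(1717000000, {"action": "login", "user": "alice", "result": "success"}),
         (1717000005, {"action": "login", "user": "bob", "result": "failure"})],
        index="auth", sourcetype="myapp:auth", host="app01")
    good = send_to_hec(url, HEC_TOKEN, batch)
    bad = send_to_hec(url, "not-the-token", batch)
    server.shutdown()
    server.server_close()
    return good, bad, list(FakeCollector.received)


if __name__ == "__main__":
    print(demo())
```

The point to take from it is the one the post makes: nothing arrives without an input listening on the Splunk side, and for HEC that input is identified by its token, so the token has the same sensitivity as any other ingest credential.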
@ws It will be very helpful if you can share more details on your architecture and setup.
Changing the Windows domain membership affects things like:
- Domain-based authentication (LDAP/SSO)
- Group policies
- Firewall rules etc.
Changing the FQDN affects:
- Internal hostname resolution
- SSL cert identity
- Forwarder and peer configurations if they reference the FQDN directly
- REST API calls, HEC endpoints, scripted inputs if there are any
- And yes, if deployment clients connect to this instance.
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi @mm185429, were you able to find the solution? I am facing the same issue too, but mine is a Splunk report: we have a custom alert action for mailing purposes and made it pull mail contacts from a lookup, and the lookup contained two DLs. I re-ran the report with my email and it was received once only; for now I have cloned the report and asked the user to check if they are receiving it again, since the actual report should run once a day. I checked in the internal logs and can see two mails were sent out at the same time, but there is only one report, which is scheduled to run once a day.
@Na_Kang_Lim Normally, using multiple | search NOT:
- Forces Splunk to post-process results after initial retrieval
- Doesn't leverage indexed fields for early filtering
- Can be slower, especially on large datasets.
Adding to what @gcusello mentioned, instead of chaining multiple !=, use NOT process_name IN (a.exe, b.exe). It's a bit faster and cleaner on larger datasets and complex queries.
Regards, Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi @BoscoBaracus, as I said, you can do it, and it is surely easier than the conf file, but it isn't a best practice, because you must configure it manually; instead, using a conf file managed by the DS, you have centralized management. About configuration on a Windows UF, you cannot use the GUI because the UF hasn't any GUI; you must configure inputs using the conf files or a CLI command. In addition, using Splunk network inputs, when you restart Splunk for maintenance or something else, you lose syslogs; instead, using rsyslog, which is a standard Linux component (you don't need to install it!), you can receive logs also when Splunk is down. So, based on Splunk best practices, I suggest using rsyslog, but you're free to use a different solution. Ciao. Giuseppe
Hi @BoscoBaracus, let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Good morning gcusello, Aha, makes sense. Will try to move the HF to a deployment server then:-) Much appreciated. Kind Regards, Mike.
Good morning livehybrid, Thank you very much for your suggestion. This sounds exactly like something I was looking for. Could you please point me in the right direction on how to create such an index definition? I will also try to research the subject. Again, much appreciated. Kind Regards, Mike.
Hi @BoscoBaracus, completing this answer: usually HFs are managed by a Deployment Server, so you don't need to use the GUI to configure inputs, and you can set the correct index in the conf file. Ciao. Giuseppe
Good morning gcusello, Again, many thanks for your response and suggestion. Not sure why we have to install rsyslog to receive data locally on the HF and then monitor the ingress into a file just to forward it to the indexer group. SPLUNK has built in tons of data input options which should easily accommodate this. I can do this on a Windoze server in about 5 mins using the UF. Not sure why it is so difficult to forward data to a dedicated index residing on a remote indexer directly from the HF. Will keep on digging. Again, many thanks for your time and suggestions. Kind Regards, Mike.
Hi @BoscoBaracus The reason that your HF does not allow you to select an index from your indexer cluster is that it is not aware of what indexes exist on the cluster. To get around this problem you can create the index definition on the HF, not to index the data into, but so that it displays in the available list of indexes that you can select from in the UI. I assume you are not using a Deployment Server here, which is why you are making changes to create the input in the UI? If you're able to create the inputs.conf directly on the server or via a deployment server then you shouldn't need to create the index. You can either create the index in the UI or via a custom app with an indexes.conf file.
Did this answer help you? If so, please consider: Adding karma to show it was useful. Marking it as the solution if it resolved your issue. Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing
Hi @krishna4murali, check in the triggered alerts dashboard and/or in the alerts dashboards whether the wrong-date alerts are from those alerts or from another. Ciao. Giuseppe
Is there any possibility that this is caused by orphaned alerts or something of that kind, without an index in the search params?
Hi @Na_Kang_Lim, you get different results: using "!=" you take all the events with a process_name different from the value, but only where the process_name field is present. Instead, using "NOT" you exclude events with process_name=value and also include events without the process_name field. For more information, see https://docs.splunk.com/Documentation/Splunk/9.4.2/Search/NOTexpressions Ciao. Giuseppe
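The two replies to @Na_Kang_Lim in this thread (the one about chaining "!=" versus NOT process_name IN (...), and the one above about the missing-field case) are easiest to see side by side over concrete events. Here is an added example, not code from either poster or from Splunk, that models the three SPL forms in Python over four constructed events; the third event deliberately has no process_name field, which is exactly where "!=" and "NOT" diverge. The host names and process names are made up for the example.

```python
# Added example, not from the original thread: how Splunk's "!=" and "NOT"
# differ when the field is absent, modelled over constructed events.

# Constructed sample events. "ws3" has no process_name at all (think of a
# log line where field extraction failed), which is the case that matters.
EVENTS = [
    {"host": "ws1", "process_name": "a.exe"},
    {"host": "ws2", "process_name": "c.exe"},
    {"host": "ws3"},
    {"host": "ws4", "process_name": "b.exe"},
]


def where_not_equal(events, field, value):
    """SPL: field!=value  -- the field must exist AND differ from value."""
    return [e for e in events if field in e and e[field] != value]


def where_not(events, field, value):
    """SPL: NOT field=value -- drops only matching events; keeps events lacking the field."""
    return [e for e in events if not (field in e and e[field] == value)]


def where_not_in(events, field, values):
    """SPL: NOT field IN (v1, v2, ...) -- same semantics as NOT, for a list of values."""
    excluded = set(values)
    return [e for e in events if not (field in e and e[field] in excluded)]


def chained_not_equal(events, field, values):
    """SPL: field!=v1 field!=v2 ... -- each clause re-requires the field to exist."""
    for v in values:
        events = where_not_equal(events, field, v)
    return events


def silently_dropped(events, field, values):
    """Events that NOT ... IN keeps but a chain of != loses: the ones missing the field.

    For an exclusion list of known-good processes in a hunting search, these are
    events you never see, not events you decided to exclude.
    """
    kept_by_not_in = {id(e) for e in where_not_in(events, field, values)}
    kept_by_neq = {id(e) for e in chained_not_equal(events, field, values)}
    return [e for e in events if id(e) in kept_by_not_in - kept_by_neq]


def hosts(events):
    """Convenience: the host values of a result set, in order."""
    return [e["host"] for e in events]


if __name__ == "__main__":
    print("process_name!=a.exe            ->", hosts(where_not_equal(EVENTS, "process_name", "a.exe")))
    print("NOT process_name=a.exe         ->", hosts(where_not(EVENTS, "process_name", "a.exe")))
    print("NOT process_name IN (a,b)      ->", hosts(where_not_in(EVENTS, "process_name", ["a.exe", "b.exe"])))
    print("process_name!=a process_name!=b ->", hosts(chained_not_equal(EVENTS, "process_name", ["a.exe", "b.exe"])))
    print("lost by the != chain           ->", hosts(silently_dropped(EVENTS, "process_name", ["a.exe", "b.exe"])))
```

Run it and the "!=" forms never return ws3, while the NOT forms do. Whether you want ws3 depends on the search: for an allow-list of benign processes in a detection, the NOT IN form is the safer default, because an event with no process_name is something to look at rather than something to drop.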
Hi @ws When you refer to changing the domain, do you mean that this is a Windows AIO Splunk instance and you're changing the domain that the server lives in? Or is it the FQDN of the server name etc. that you want to change? Do you have any deployment clients connecting to your Splunk instance? Please give us a little more detail about your overall architecture so that I can drill down further.
Did this answer help you? If so, please consider: Adding karma to show it was useful. Marking it as the solution if it resolved your issue. Commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing