If I remember correctly, Wazuh is based on OpenSearch. So you need to configure syslog input(s) on Wazuh's side and syslog export on your HF(s) and/or indexer(s) (depending on your particular architecture and ingestion process).
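As an added illustration of the Splunk side of that setup (this is example configuration, not something posted in the thread): a heavy forwarder or indexer can copy a subset of events to a syslog receiver with an `outputs.conf` syslog group plus a routing rule in `props.conf`/`transforms.conf`. The hostname, port and the `ti_feed` sourcetype are assumptions; replace them with your own. Universal forwarders cannot do this, because syslog output and routing are applied at parsing time.

```ini
# outputs.conf on the heavy forwarder (or indexer) that parses the TI data.
# Group name "wazuh" is referenced by FORMAT in transforms.conf below.
[syslog:wazuh]
server = wazuh.example.internal:514
type = udp

# props.conf: apply the routing transform to the sourcetype carrying the TI events
# (sourcetype name is an assumption for this example).
[ti_feed]
TRANSFORMS-route_to_wazuh = route_to_wazuh

# transforms.conf: send every event of that sourcetype to the "wazuh" syslog group.
# Events are still indexed locally; _SYSLOG_ROUTING only adds the syslog copy.
[route_to_wazuh]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = wazuh
```

Two caveats a practitioner would check: plain UDP syslog is unauthenticated and unencrypted, so restrict the receiver to the forwarder's source IP (on Wazuh, the remote syslog listener has an allowed-IPs setting) or run the link over a private network, and make sure the events are not already parsed upstream, since routing configured on an indexer has no effect on data an intermediate heavy forwarder has already cooked.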
OK. Several things here.
1. External lookup is not the same as external command. External lookup is a bit simpler version of an external command.
2. External lookup is _not_ the same as automatic lookup. An external lookup uses the SPL lookup command syntax to execute your external script, while an automatic lookup is a lookup which is automatically invoked on your data without the need to manually invoke the lookup command. The typical application of the automatic lookup is adjusting field values to the CIM data model.
3. But still the lookup must match its definition, so I pointed you to the fact that your stanza was named ucd_category_lookup but you were trying to use ucd_count_chars_lookup - these didn't match.
Did you read https://dev.splunk.com/enterprise/docs/devtools/externallookups/ ?
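To make the external lookup contract concrete, here is an added example script (not code from the thread or from the asker) written against the protocol the linked dev.splunk.com page describes: Splunk passes the field names as command-line arguments, writes the rows as CSV on stdin with the output column empty, and reads the filled-in CSV back from stdout. The stanza name `ucd_count_chars_lookup` is borrowed from the discussion; what the lookup computes (character count of a field) is an assumption based on the name.

```python
#!/usr/bin/env python3
"""Minimal Splunk external lookup script (added example, not from the thread).

Assumed transforms.conf stanza. The stanza header is the name you must use
in `| lookup`; if they differ, Splunk reports that the lookup does not exist:

    [ucd_count_chars_lookup]
    external_cmd = ucd_count_chars.py name char_count
    fields_list  = name, char_count
    python.version = python3

Invoked from SPL as:

    ... | lookup ucd_count_chars_lookup name OUTPUT char_count
"""
import csv
import io
import sys


def count_chars(rows, infield, outfield):
    """Fill `outfield` with the length of `infield` for every row.

    `rows` is a list of dicts as produced by csv.DictReader. Rows with an
    empty input value are passed through unchanged so Splunk keeps them.
    """
    out = []
    for row in rows:
        value = row.get(infield)
        if value:
            row[outfield] = str(len(value))
        out.append(row)
    return out


def run_lookup(stdin_text, infield, outfield):
    """Parse Splunk's CSV input, apply the lookup, return the CSV for stdout.

    The header row Splunk sends is echoed back unchanged; only the cells of
    the output column are filled in.
    """
    reader = csv.DictReader(io.StringIO(stdin_text))
    header = reader.fieldnames or [infield, outfield]
    rows = count_chars(list(reader), infield, outfield)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Splunk calls: ucd_count_chars.py <input_field> <output_field>
    if len(sys.argv) != 3:
        sys.exit("usage: ucd_count_chars.py <input_field> <output_field>")
    sys.stdout.write(run_lookup(sys.stdin.read(), sys.argv[1], sys.argv[2]))
```

You can exercise it outside Splunk with `printf 'name,char_count\nsplunk,\n' | python3 ucd_count_chars.py name char_count`, which is the quickest way to separate a script bug from a stanza-name mismatch.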
Hi @arjun, you can calculate the license consumption per day using [Settings > License > License Consumption > Past days > by index]. Using your search you have all the license consumption, but you cannot divide it by customer; as I already said, multitenancy isn't a Community topic, it requires a Splunk PS or a Certified Architect that already did this job (like me). Ciao. Giuseppe
OK. Now let's back up a little. Explain in your own words, without using SPL, what business problem you're trying to solve here. What are you trying to achieve? You're clearly trying to "implement a non-SPL thing in SPL", which is usually not a very good idea. Or at least not a very efficient one. And the same things can often be achieved in a different way.
Hi @gcusello, I am trying to get data related to usage and billing from Splunk; here is the query I am using for that:
index=_telemetry source=*license_usage_summary.log*
| bin _time span=1d
| stats sum(b) as TotalBytes by _time
| eval GB=round(TotalBytes / (1024 * 1024 * 1024), 2)
| timechart span=1d values(GB) as "Daily Indexed GB"
And per my research Splunk has a few more such indexes like _internal and _audit.
I just want to know if this is the correct approach or not.
Hi @zksvc, I never used Wazuh, but I can suppose that it's like other third-party systems, so you can look at: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Forwarddatatothirdpartysystems https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd Ciao. Giuseppe
There are some limitations on what functions you can use with the analytics metrics: only aggregation queries are supported (min, max, avg etc.).
Try and use this; the max value essentially will do nothing and not change the value, but it allows the metric to be saved, as you use an aggregation function:
SELECT max(toInt((toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)))) FROM intune_dep WHERE tokenName = "Wipro-EY-Intune" AND (toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)) >= 30
SELECT max(toInt((tokenExpirationDateTime - now()) / (24*60*60*1000))) FROM intune_dep WHERE tokenName = "Wipro-EY-Intune" AND (toInt(tokenExpirationDateTime - now()) / (24*60*60*1000)) >= 30
Let me know if this works.
The REST API also gives you back globally shared searches. You could try:
1. filter out all searches with name="sharing">global<
2. filter for name="app">MYAPP<
3. use a different user to call the API
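As an added example of steps 1 and 2 (not code from the thread), the same request can ask for JSON instead of grepping the Atom XML, and the `acl.app` / `acl.sharing` fields of each entry can then be filtered client-side. The sample response below is constructed to reproduce the symptom in the question: the `servicesNS/admin/MYAPP` namespace returns MYAPP's own objects plus globally shared objects owned by other apps. Host, credentials and search names are placeholders.

```python
"""Filter Splunk saved searches by owning app and sharing level.

Added example, not from the thread. Equivalent request to the curl in the
question, but with output_mode=json so the ACL is structured data:

    curl -sk -u 'usr:pwd' \
      'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1&output_mode=json'
"""
import json
from urllib.parse import urlencode


def build_url(host, user, app, port=8089):
    """Namespace-scoped URL for the saved searches collection (JSON output)."""
    query = urlencode({"count": -1, "output_mode": "json"})
    return f"https://{host}:{port}/servicesNS/{user}/{app}/saved/searches?{query}"


# Constructed sample mirroring the shape of a real output_mode=json response.
# acl.app is the app that owns the object, acl.sharing is user/app/global.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "My App Alert",
         "acl": {"app": "MYAPP", "sharing": "app", "owner": "admin"}},
        {"name": "MYAPP Global Report",
         "acl": {"app": "MYAPP", "sharing": "global", "owner": "admin"}},
        {"name": "Legacy Alert",
         "acl": {"app": "MYAPP_backup", "sharing": "global", "owner": "admin"}},
        {"name": "Errors in the last hour",
         "acl": {"app": "search", "sharing": "global", "owner": "nobody"}},
        {"name": "Other App Report",
         "acl": {"app": "ANOTHER_APP", "sharing": "global", "owner": "nobody"}},
        {"name": "Private Note",
         "acl": {"app": "MYAPP", "sharing": "user", "owner": "admin"}},
    ]
})


def apps_seen(response_text):
    """Distinct owning apps in the response; reproduces the `sort -u` in the question."""
    entries = json.loads(response_text)["entry"]
    return sorted({e["acl"]["app"] for e in entries})


def filter_saved_searches(response_text, app, include_global=False):
    """Return names of searches owned by `app`.

    Objects shared globally by other apps are visible in every namespace, so
    filtering on acl.app is what removes them. Globally shared objects owned
    by `app` itself are kept only when include_global is True (step 1 of the
    answer drops them; step 2 is the acl.app match).
    """
    kept = []
    for entry in json.loads(response_text)["entry"]:
        acl = entry.get("acl", {})
        if acl.get("app") != app:
            continue
        if acl.get("sharing") == "global" and not include_global:
            continue
        kept.append(entry["name"])
    return kept


if __name__ == "__main__":
    print(build_url("SHC_NODE", "admin", "MYAPP"))
    print("apps in response:", apps_seen(SAMPLE_RESPONSE))
    print("MYAPP only:", filter_saved_searches(SAMPLE_RESPONSE, "MYAPP"))
```

Running the module prints the URL, the four apps the question saw, and only the MYAPP-owned searches. Use a least-privilege account for the REST call; listing saved searches needs read access to the objects, not admin.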
Hey everyone, I got information that Wazuh can send data to Splunk; I want to reverse it, because I want to send data from Splunk to Wazuh. In my case I have a TI that has an API that can send data to Splunk, and then I want to forward it to Wazuh. Maybe by using a third party like Logstash / Elastic / etc.? Does anyone know about it? Because I never read about it before.. Thanks
Check out: Install on Linux - Splunk Documentation Start Splunk Enterprise for the first time - Splunk Documentation Configure Splunk Enterprise to start at boot time - Splunk Documentation
Hello. I'm having trouble listing all my SavedSearches from a SHC, using a command-line REST API GET. I'm asking Splunk to list all saved searches of user "admin" in the "MYAPP" app. For some strange reason I can't locate, the list also gets some other apps. Here we are:
curl -skL -u 'usr:pwd' 'https://SHC_NODE:8089/servicesNS/admin/MYAPP/saved/searches?count=-1' | egrep 'name="app"' | sort -u
... and here is what came from it:
<s:key name="app">MYAPP</s:key>
<s:key name="app">MYAPP_backup</s:key>
<s:key name="app">ANOTHER_APP</s:key>
<s:key name="app">search</s:key>
I expect only "<s:key name="app">MYAPP</s:key>" entries, or not? What's wrong??? Linux OS, SPLUNK ENTERPRISE 8.2.12, SHC 3 nodes (all nodes return the same output). Thanks.
Hi @masakazu, I don't live in the US so I never installed Splunk in FIPS mode, but reading the related documentation ( https://docs.splunk.com/Documentation/Splunk/9.3.2/Security/SecuringSplunkEnterprisewithFIPs ), I don't see any known issue on ES or KV-Store. Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors.
Hi @Thomas2, confirming what @bowesmana pointed out, let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the Contributors.