All Posts

Hi community,

The following mode=sed regex works as expected, but when I attempted it in system/local/props.conf on the indexers it fails to trim, as tested via:

| makeresults | eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3bxxxxxx}'/><EventID>4627</EventID><Version>0</Version><Level>0</Level><Task>12554</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-11-27T11:27:45.6695363Z'/><EventRecordID>2177113</EventRecordID><Correlation ActivityID='{01491b93-40a4-0002-6926-4901a440db01}'/><Execution ProcessID='1196' ThreadID='1312'/><Channel>Security</Channel><Computer>Computer1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>CXXXXXX</Data><Data Name='SubjectDomainName'>CXXXXXXXX</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='EventIdx'>1</Data><Data Name='EventCountTotal'>1</Data><Data Name='GroupMembership'> %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384}</Data></EventData></Event>" | rex mode=sed "s/(?s).*<Event[^>]*>.*?<EventID>4627<\/EventID>.*?<TimeCreated SystemTime='([^']*)'.*?<Computer>([^<]*)<\/Computer>.*?<Data Name='SubjectUserName'>([^<]*)<\/Data>.*?<Data Name='SubjectDomainName'>([^<]*)<\/Data>.*?<Data Name='TargetUserName'>([^<]*)<\/Data>.*?<Data Name='TargetDomainName'>([^<]*)<\/Data>.*?<Data Name='LogonType'>([^<]*)<\/Data>.*?<\/Event>.*/EventID:4627 TimeCreated:\\1 Computer:\\2 SubjectUserName:\\3 SubjectDomainName:\\4 TargetUserName:\\5 TargetDomainName:\\6 LogonType:\\7/g"

----------------------------------

[XmlWinEventLog: Security]
SEDCMD-reduce_4627 = s/(?s).*<Event[^>]*>.*?<EventID>4627<\/EventID>.*?<TimeCreated SystemTime='([^']*)'.*?<Computer>([^<]*)<\/Computer>.*?<Data Name='SubjectUserName'>([^<]*)<\/Data>.*?<Data Name='SubjectDomainName'>([^<]*)<\/Data>.*?<Data Name='TargetUserName'>([^<]*)<\/Data>.*?<Data Name='TargetDomainName'>([^<]*)<\/Data>.*?<Data Name='LogonType'>([^<]*)<\/Data>.*?<\/Event>.*/EventID:4627 TimeCreated:\1 Computer:\2 SubjectUserName:\3 SubjectDomainName:\4 TargetUserName:\5 TargetDomainName:\6 LogonType:\7/g

Can anyone help me identify where the problem is, please? Thank you.
Hi @danielbb, as @richgalloway also said, there are more parameters that you have to consider: data volume, HA or not HA, number of users and scheduled searches, etc. My first hint is to engage a Splunk Certified Architect or Splunk Professional Services to design your architecture. You can find some ideas at https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf E.g.: having only one Indexer, there's no requirement for a Cluster Manager and you can put the License Manager on the same Indexer; the Cluster Manager is required if you have HA requirements and you have at least two Indexers. About the HF, it depends on many factors: where are your Meraki servers located, on premise or in the cloud? If on-premise, it's a best practice to have a concentrator between devices and Indexers; anyway, you could also put the syslog receiver on the Indexers (it isn't a best practice). Then, how does Meraki send logs? If by syslog, you should configure an rsyslog server or SC4S on a dedicated server. As I said, I suggest engaging a Splunk Certified Architect. Ciao. Giuseppe
Hi @inessa40408, Splunk is a search engine, and it takes the available logs. What's the technology you're using to take these logs? Maybe the solution is in the integration between your solution and Splunk. Ciao. Giuseppe
Hi @Rak, surely append and stats is better than join, but anyway, I suggest analyzing my approach and trying to use it, because it is faster and it doesn't have the limit of 50,000 results in the subsearch. Ciao. Giuseppe
Does it work if you run the script using the debugger, but uncheck the checkbox that says "Run as current user"? Also, if I understand correctly, you are not using the SOAR WinRM (Windows Remote Management) app, but you are instead using a different app to trigger a script, or using a custom function that implements WinRM communication?
Probably the cleanest way to do this is as @tscroggins suggested: Make a browser extension that changes the interface. Another workaround would be to ignore the app drop-down menu completely and instead make a navigation menu in your apps which has links to the various app versions and supports multi-drop-down. It may be cumbersome to maintain but it will look better.
If I understand correctly, you have a Windows system with a logfile that does not have a long log retention time, so you cannot use the log file to look back very far, but you need to be able to look further back in time. This sounds like a straightforward use case for the Splunk forwarder. If you install the forwarder on the machine and then set up an input configuration to monitor that logfile, the forwarder will send the log data to the Splunk indexers, where it will be indexed and stored for a longer time.
I don't see why not. From Splunk's perspective it's just a remote storage, regardless of where the indexers are. As long as you have network connectivity you should be fine. I suppose it might cost you more if you have inter-region traffic instead of intra-region traffic, but I'm not that good on AWS pricing to say something definite here. And it's an issue completely outside of Splunk.
Can Splunk SmartStore be enabled with single-site Indexer clustering that spans two AWS regions? Ex: one set of Indexer Cluster located in AWS Region A and another set of Indexer Cluster sitting in Region B. Can one S3 Remote Object Store be used with all Indexers from both Clusters? Thanks.
Hi @robertlynch2020, I'm not aware of a native method, although you could override the Splunk bar's behavior with a browser extension, assuming you control the browser. My preference is to customize the launcher or provide a default app with customized navigation menus.
Hello Splunk community, We have a device on the Windows system. I tried to find a LOG file on it that is responsible for the Internet connection and connection quality. But unfortunately, this screen saves a limited amount of information in its LOG files regarding the Internet connection. I wanted to know, does Splunk have a solution for such situations? Perhaps there is an application that we can install on this device that will allow us to erase the necessary LOGs? Thank you in advance for your answer.
Can you share a screen cap of the options there but not available to click on? Interim shot in the dark: ask for a rolling restart on the ITSI SH or SHC (assuming you've done this before, so it shouldn't be a permissions/capability issue), then perform a log out and clear cache on browsers; I know you've tried more than one already.
The apps menu toggle recognizes individual unique apps. The fact that it appears you have the same app multiple times is an indication the app is not designed per best practices. Even if the version number is in the title, the app should be replacing itself so that you are only ever seeing the most recent install. Options: a) Fix the app so that it installs over itself rather than creating unique instances. b) Start removing older versions that serve no purpose anymore.
Classic XML dashboards won't let you extend multiple rows.
We need more information. How much data will be ingested each day? How long will that data be retained? How much searching will the system perform? If you have a single indexer then there is no need for a Cluster Manager (f.k.a. Cluster Master), and the search head can serve as the License Manager on such a small system. For larger ingest amounts and for better search performance, multiple indexers may be needed, which call for a Cluster Manager. Syslog data should not be sent directly to a Splunk process. Instead, send it to a dedicated syslog server (rsyslog or syslog-ng) and write it to disk. Have a Splunk Universal Forwarder monitor the disk and forward the data to the indexer(s).
This is easy to do in Dashboard Studio. Either use absolute or grid layouts.
We are building a small Splunk installation in Azure and I'm not sure what the architecture should look like. The client came up with the idea based on the following link - Deploying Splunk on Microsoft Azure. They created an indexer, a search head, and a license server/cluster master. We do need to ingest syslog data from Meraki devices, so I wonder whether we need a heavy forwarder. Any thoughts?
I want to use HTML on multiple panels in order to create a custom layout of my Splunk Dashboard. I want to use this layout where each rectangle is a panel - Please advise. Is this possible to implement in a Splunk Dashboard?
To be fully honest - I have no idea what you want to do. Please post a sample of your incoming data and tell us where you want it broken into separate events.
The Total on the y-axis comes from the first column listed in your results, so replace that with a column with a space for a name:

| rex field=message "IamExample(?<total>).*"
| rex field=message ".*ACCOUNT(?<accountreg>.*):"
| rex field=message ".*Login(?<login>.*)"
| rex field=message ".*Profile(?<profile>)"
| rex field=message ".*Card(?<card>)"
| rex field=message ".*Online(?<online>) "
| stats count(total) as "_Total" count(accountreg) as "Account" count(login) as "Login" count(profile) as "Profile" count(card) as "Card" count(online) as "Online"
| foreach * [| eval name="<<FIELD>>: ".round(100*<<FIELD>>/_Total, 2)."%" | eval {name} = <<FIELD>>]
| table " " Account:* Login:* Profile:* Card:* Online:*