All Posts
Was able to figure it out! Needed to just use an IF statement.

| eval testuser=if(admin=target,1,0) | where testuser=1
Apologies, this will be for Windows event logs and Ivanti logs.
What data are you talking about? Splunk account changes? Windows Event Logs? Some (what) Linux audit logs? If your data is CIM-normalized, you should use the Change.Account_Management dataset.
Yes, I haven't used it myself, but indeed you need to have your CAs issued properly (with a proper path length constraint). I thought you wanted an additional setting for that. As far as I remember, subsequent subCAs can redefine the constraint from the "upper" CA by making it "stronger".
I am trying to make a search that will fire only when an admin makes a change to their own account. I want to know if a-johndoe gives multiple permissions to a-johndoe and NOT if a-johndoe gives permissions to a-janedoe. Would I use an IF statement for this? Thank you
Hi @PickleRick, path length constraint validation is working fine when the path length is a minimum of 1 on the Root CA and path length 0 from the intermediate CA onwards. Thanks for your guidance.
The absence of third-party software in the documentation implies no third-party software is used in the add-on. Downloading the add-on and examining the code confirms all modules have a Splunk copyright notice.
Hey, thanks again for giving me your insight on this one. I did come across the bin command but thought the transaction might be better to try in this situation. As I am still learning the power and uses of many of the commands that can be used in Splunk, this does help me get a better understanding of how to use and when to use the transaction command. As you pointed out, and this is my true problem in this case, there are only two common/semi-common variables I have between my two indexes, those being "_time" and "username". I have compared the raw logs from both indexes and it appears that at most the print jobs are separated by 2 seconds, and I haven't seen any print jobs by the same user that have been closer than 10 seconds apart. But as to your point, I will make a note that there could be some issue with my output if a user prints two jobs seconds apart from each other. As always, I appreciate your input and clarification on my questions.
Hi @PickleRick, my requirement is on path length validation. I can try with having path length = 1. In this case, only 1 intermediate CA should be allowed. If a 2nd level of intermediate CA issues the server certificate, it should fail.
You want the client to accept the server's certificate only if it's been issued directly by the RootCA, not by any subCAs? I don't think you can do that. I don't recall I've seen such a thing anywhere. That's how PKI works and that's how it's supposed to work. If you don't trust a subCA, don't issue a CA cert for it.
MuS, thanks for the response. I am going to take this and work with what I have. As I put this in my search, I found out that my test data is different from what my _raw data actually is. The username field from the printserver index is "username", but my username field from my printlogs is "User_Name" and has a domain name in front of it.

index=prntserver
_time                 prnt_name   username    location
2024-11-04 11:05:32   Printer1    jon.doe     Office
2024-11-04 12:20:56   Printer2    tim.allen   FrontDesk

I have an index getting data from our DLP software that contains the following data:

index=printlogs
_time                 Users_Name    directory             file
2024-11-04 11:05:33   cpn/jon.doe   c:/desktop/prints/    document1.doc
2024-11-04 12:20:58   tim.allen     c:/documents/files/   document2.xlsx

I am going to rex the User_Name field from my print logs to match it with my printserver logs. This is what I am going to work with and see if I get the results I need. Thank you for your insight.

index=printserver OR index=printlogs
| rex field="User_Name" "(?<domain>\S+)\\\\(?<username>\S+)"
| bin _time span=3s
| stats values(*) AS * by _time username
| table _time prnt_name username location directory file
Have you tried to consolidate them via the stats command and then configure your alert to trigger for each result and tokenize the email parameter? Try this (adjust to your reality):

<your search> | stats values(event_field) as events by user, email

Then in your alert configuration, set the trigger conditions:
Number of results > 0
Trigger: For each result

And add the email action with To set to the token $result.email$. That will make each email receive their group of events. Give it a try and let me know.
Hi @hazem., is this [DDMMYYYY] just a placeholder for an actual date in this example, or is it the literal string being monitored in the monitor stanza and also the literal text in the filename? I ask that because if what you want to do is to monitor

C:\Program Files (x86)\dir1\log\name_CRT_<any date>.log

then you can use * at that part, like:

C:\Program Files (x86)\dir1\log\name_CRT_*.log

This way the monitor stanza will know what to do. Anyway, always make sure that, in order for the forwarder to properly monitor something, that file has the right read permissions. Usually some applications under Program Files may be locked to administrators, and that may cause the SplunkForwarder service not to have the right permission to read the particular log. A good indication for that is to check the _internal index for logs related to that and see if they are logging Access Denied somewhere. The below search may give you some heads up on hits; restart the Splunk forwarder and keep an eye on that log for the last 5 minute range or so, as the forwarder will evaluate the monitors at startup and you'll find it easier.

index=_internal host=<my_forwarder_host> "C:\Program Files (x86)\dir1\log\"
Hey, I am looking for the third-party notice for the Splunk Add-on for Palo Alto Networks 1.0.0. Unfortunately, I cannot find it in the documentation, since the corresponding section in Release notes - Splunk Add-on for Palo Alto Networks is empty. Anyone here to help me out with this and provide the 3rd party notice information? Best regards! Matthias
Hello, trying to monitor the below path from the host that has the UF installed:

C:\Program Files (x86)\dir1\log\name_CRT_[DDMMYYYY].log

I have inserted the below stanza but I have not received any logs:

[monitor://C:\Program Files (x86)\dir1\log\name_CRT_[DDMMYYYY].log
sourcetype = mylog:auditlog
disabled = 0
index=test

Any help please.
We are using Splunk forwarder v9.0.3. We would like the Splunk forwarder to reject the TLS server certificate if the path length basic constraint condition fails. We generated the TLS server certificate with pathlen 0 in the "root CA", and the chain is "root CA -> intermediate CA -> server certificate". As the "root CA" pathlen is 0, no intermediate CA should be present. But the forwarder is accepting the chain "root CA -> intermediate CA -> server certificate". Is this a known limitation, or does it require a configuration change to basic constraint validation on path length? Please advise. Below are our outputs.conf contents.

[tcpout-server://host:port]
clientCert = /<..>/clientCert.pem
sslPassword = <..>
sslRootCAPath = /<..>/ca.pem
sslVerifyServerCert = true
sslVerifyServerName = true
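The path length behaviour worked through in this thread (a root with pathlen 0 must reject any intermediate CA, root pathlen 1 plus intermediate pathlen 0 is accepted, and a subCA can only tighten the limit an upper CA set) as an added Python model of the RFC 5280 pathLenConstraint rule. This is example code written for this page, not Splunk's or OpenSSL's, and it models only the path length part of chain validation; the Cert class is a constructed stand-in for each certificate's basicConstraints extension.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for one certificate's basicConstraints extension."""
    name: str
    is_ca: bool                     # basicConstraints cA flag
    pathlen: Optional[int] = None   # pathLenConstraint; None means no limit


def validate_pathlen(chain: List[Cert]) -> Optional[str]:
    """chain is ordered root CA first, server certificate last.
    Returns None when every pathLenConstraint holds, else a message naming
    the certificate that violates it. Only the path length rule is modelled;
    a real client also checks signatures, validity, names, key usage, etc."""
    if len(chain) < 2:
        return "a chain needs at least an issuer and an end-entity certificate"
    *issuers, leaf = chain
    # How many further CA certificates are still permitted below this point.
    remaining: Optional[int] = None
    for depth, ca in enumerate(issuers):
        if not ca.is_ca:
            return f"{ca.name} has cA=FALSE but issued a certificate"
        if depth > 0 and remaining is not None:
            # This CA sits below an earlier CA, so it consumes one hop of that CA's budget.
            if remaining == 0:
                return f"{ca.name} is deeper than the pathlen of an upper CA allows"
            remaining -= 1
        # A CA may tighten the remaining budget but never loosen what an upper CA set.
        if ca.pathlen is not None and (remaining is None or ca.pathlen < remaining):
            remaining = ca.pathlen
    if leaf.is_ca:
        return f"{leaf.name} is a CA certificate, not a server certificate"
    return None


if __name__ == "__main__":
    # Constructed chains mirroring the cases discussed in the thread.
    root0 = Cert("root CA (pathlen 0)", True, 0)
    root1 = Cert("root CA (pathlen 1)", True, 1)
    sub0 = Cert("intermediate CA (pathlen 0)", True, 0)
    sub = Cert("intermediate CA", True)
    server = Cert("server certificate", False)
    for chain in ([root0, sub, server], [root1, sub0, server], [root1, sub0, sub, server]):
        print([c.name for c in chain], "->", validate_pathlen(chain) or "accepted")
```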
I feel if we can first group the events by email and then use the email as a token in the email recipient, we can do it. But I'm not getting how we can do that.
I don't understand. You want to send different set of results to different people as a single alert action? No can do. You could try using https://splunkbase.splunk.com/app/1794
Hi @smanojkumar, then you can solve it with that query? If it is helpful, maybe you can mark it as solved, and I would appreciate it if you give me karma, because if you mark it as solved it will help other users who have the same problem.
PLEASE stop regurgitating LLM responses without checking. It's not helpful.