All Posts

Hi Community, How can I access a TI provider's API from Splunk Cloud if the provider has whitelisted IPs but Splunk Cloud's IP is not static?  
Hello, I am following this to import multiple services along with their dependencies, and below is the sample Excel CSV I am trying to import, UTF-8 encoded:

    Service Title   Service Description   Dependent Services
    Splunk                                SHC | IND
    SHC                                   Server1
    IND                                   server2
    server1
    server2

But when the upload is finished, the file preview shows 0 total lines, as in the screenshot below. When I tried the same file import in another Splunk environment, it went well. Given that I am admin in both environments, and both environments have the versions below: Splunk Version: 9.0.4.1, ITSI Version: 4.18.1. What could be the issue, or what is missing, in the first environment?
tbh, I tried for more than 2 days to fix this situation and ended up with SEDCMD. I looked at the event field extractions and they appear good enough. I know what you are referring to: if there are quotes already present, it will mess with the key=value fields. Anyway, thanks for everything. Now I'm facing such a headache of a problem: a batch adding issue with the indexers, and I think it's because of the bandwidth of the endpoints. @PickleRick
Thanks dural_yyz, that's saying current.backupRestoreStatus = ready, current.status=failed, so it looks like it's in use but not happy, and that's probably why the command isn't working. I've found a hit about an old mongod.lock being present, so I'm going to arrange an outage to restart after removing the lock file. Will report back how this goes.... thanks
Are you trying to use live capture for preview? https://docs.splunk.com/Documentation/Splunk/latest/Data/DataIngest#Create_a_ruleset_with_the_Ingest_Actions_page
Hi dear Giuseppe, thanks for the fast reply. Here is what I did. I click on the Configure menu, then go to Content/Content Management. From the filters I select and check Correlation Search in the drop-down list. Then from "Actions" in the top right corner I hit "Clone". In the new window there is "New Search Label", to which I add "- custom" at the end. Then I select the App and set it to "SA-AccessProtection". Next, in "Edit Correlation Search" I make any change to the "Search" and click save. Done! This is all I do. The point is, even if I enable both of them, the two will appear in the "Top Notable Events" pane and both are working simultaneously. Clicking on the original rule redirects you to the "Incident Review" page with the correct rule selected as source, but when clicking on the cloned or newly created rule you'll be redirected to the "Incident Review" page with all incidents listed and the source field has no selected value. The strange part is that rules that I had created or cloned in the past (about ) are working fine.
Splunk-built Add-ons usually have pretty decent docs. Did you read this one? https://splunk.github.io/splunk-add-on-for-google-cloud-platform/
"Connection timed out" is _not_ an SSL error. It usually signals network-level problems or attempts to connect to a wrong destination. Please share more details - are we talking about a trial instance or a full paid one? Where are you trying to connect to (which port(s))? Are you connecting from home, from work, somewhere else? Do you have any network restrictions in that environment?
You cannot do this. At least not using Splunk's built-in functionality. Splunk handles each event separately and doesn't keep "state", so you cannot conditionally influence the ingestion process based on other events' values/properties. You'd need to use some custom script pre-processing the events before ingesting them into Splunk.
Yes. I'm not talking about space, I'm talking about quotes. For example, if part of your event was cs4=SVCHOST SUSPICIOUS "PARENT" PROCESS (I don't care if that makes sense as such, it's just about syntax), your regex will turn it into cs4="SVCHOST SUSPICIOUS "PARENT" PROCESS" and Splunk will extract only the part up to the second or third quote. That's why I don't like CEF - it's troublesome to manipulate. Because if you try to manually extract fields using a regex anchoring on the equal sign, you end up trying to make sure it doesn't break if your equal sign is in the value of the field. (I'm not even sure CEF properly handles such a situation; I don't remember.)
If the key=value value has a space, it will quote it so Splunk can parse it without any issue. If there is no space, Splunk already knows key=value, so it will parse the information without any issue. @PickleRick thanks for your help, now I'm facing a big problem regarding batch adding.
OK. That's one way to do it. Be aware though that it probably will break if you get quotes in your field values.
Hello guys, I am quite new to the topic so I really need your help ^_^. I am ingesting Zscaler logs into a Splunk Cloud instance using a Heavy Forwarder and TCP inputs. As the volume of AUTH logs is huge, we want to filter logs by limiting them on the following conditions: if one user logs in to one application today, all following logs for this user logging in to that application on this specific day (month/date/year) would be discarded, and we would start ingesting again the next day using the same conditions. I hope this is pretty clear. I know that this can be done in props.conf and transforms.conf but I am not sure how I should build the string. Thank you in advance.
Can you share more details on which port you're trying to access?
I did this regex using SEDCMD on the HF before sending data to the indexers:

    s/(\w+)=([^\s"][^"\r\n=]*\s[^\r\n=]*)(?=\s|$)/\1="\2"/g
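The SEDCMD regex above, and the quoted-value breakage PickleRick describes in the reply about cs4=SVCHOST SUSPICIOUS "PARENT" PROCESS, can be checked offline. The following Python example is added here and is not from the thread: it transcribes the regex into Python syntax, runs it over constructed CEF-style events, and uses a simplified quoted-aware key=value extractor (an assumption standing in for Splunk's automatic KV extraction, not Splunk's own code) to show what a downstream parser sees.

```python
import re

# The SEDCMD regex from the post, transcribed into Python re syntax.
# Original: s/(\w+)=([^\s"][^"\r\n=]*\s[^\r\n=]*)(?=\s|$)/\1="\2"/g
QUOTE_RE = re.compile(r'(\w+)=([^\s"][^"\r\n=]*\s[^\r\n=]*)(?=\s|$)')

# Simplified quoted-aware key=value extractor. This is an assumption used
# to illustrate the effect; it is not Splunk's actual KV extraction code.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def quote_spaced_values(event: str) -> str:
    """Wrap values that contain whitespace in double quotes."""
    return QUOTE_RE.sub(r'\1="\2"', event)


def extract_kv(event: str) -> dict:
    """Extract key=value pairs; a quoted value ends at the next quote."""
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in KV_RE.finditer(event)}


# Constructed sample events (not taken from the thread).
HEADER = "CEF:0|Vendor|Product|1.0|100|Process started|5|"
CLEAN = HEADER + "src=10.0.0.5 cs4=SVCHOST SUSPICIOUS PROCESS suser=alice"
QUOTED = HEADER + 'src=10.0.0.5 cs4=SVCHOST SUSPICIOUS "PARENT" PROCESS suser=alice'


def demo() -> dict:
    """Return the cs4 value seen by the extractor in each scenario."""
    return {
        # without SEDCMD the extractor stops at the first space
        "raw": extract_kv(CLEAN)["cs4"],
        # after SEDCMD the whole spaced value is recovered
        "quoted": extract_kv(quote_spaced_values(CLEAN))["cs4"],
        # a quote inside the value truncates the extraction
        "broken": extract_kv(quote_spaced_values(QUOTED))["cs4"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:7s}: {value!r}")
```

The "broken" case is the one to watch in event previews: the SEDCMD rewrite succeeds, but the nested quotes leave the field value silently truncated to SVCHOST SUSPICIOUS.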
Interesting approach. Out of sheer curiosity - what SEDCMD did you use?
1. Just because an app reports a particular version of a library doesn't mean that it hasn't been patched (see Debian and its backporting practice). 2. This particular vulnerability is far from critical. "However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application." Don't believe everything Nessus/Rapid7/OpenVAS/whatever says.
Did you manage to solve this?
I fixed the issue by using a regex with the SEDCMD command on the HF to fix the parsing, and now everything is good. Thanks for the help @PickleRick
Hello @shai, You can find the Splunk Cloud root CA in the Universal Forwarder package present on your Splunk Cloud search head. It gives you a forwarder package with preconfigured outputs to forward the data to the Splunk Cloud indexers. Within the same app, you can find the certificates that you need to append your self-signed ones to. The package name should go something like this - 100_<<stack_name>>_splunkcloud. Thanks, Tejas.