All Posts

Looking at our inputs.conf setup via a "splunk btool inputs list --debug", I can't see that we have useack=true set (if that's what you are referring to). We are capturing a range of Event IDs for reporting, as below. It all works fine, however, after restarting the Splunk UF when the issue occurs.

\etc\apps\inputs_oswin_secevtlog\local\inputs.conf [WinEventLog://Security]
\etc\apps\Splunk_TA_windows\default\inputs.conf blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
\etc\apps\Splunk_TA_windows\default\inputs.conf blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf checkpointInterval = 5
\etc\apps\Splunk_TA_windows\default\inputs.conf current_only = 0
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf disabled = 0
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf evt_resolve_ad_obj = 1
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf index = win-securityeventlog
\etc\system\default\inputs.conf interval = 60
\etc\apps\Splunk_TA_windows\default\inputs.conf renderXml = true
\etc\apps\Splunk_TA_windows\default\inputs.conf start_from = oldest
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist1 = EventCode=%^(104|1102)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist2 = EventCode=%^(2004|2006|2033)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist3 = EventCode=%^(33205)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist4 = EventCode=%^(4170|4624|4625|4634|4647|4648|4663|4673|4688|4719|4720|4722|4723|4724|4725|4726|4728|4732|4735|4738|4740|4742|4743|4756|4767|4768|4771|4778|4779|4781|4820)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist5 = EventCode=%^(517|528|529|538|540|551|552|592|5152|5157)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist6 = EventCode=%^(624|627|628|642|644|680|6279)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist7 = EventCode=%^(7045)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist8 = TaskCategory=%^Network Policy Server$%
@wwangsa_splunk Thanks very much for the update, but AFAICT the current release is already 9.3.0. Is it also incorporated in that branch?
Morning Giuseppe, thanks for a quick reply. My problem with this solution is that I somehow need to ensure that: 1. The Full Splunk admin can't log in to the SH (since the SH is managed by a 3rd party, including custom TAs). 2. The 3rd-party-managed SH must not be able to alter the roles (so no access to the Full Admin). Hence the need for an isolated setup where the roles are set on the Peer site.
Hi @aab1, you have to create a custom role, cloning the admin role (don't use inheritance), removing the features you want and also the features to change user capabilities (otherwise the customization isn't useful!). Then you give this role the grants to see only a part of the indexes. Ciao. Giuseppe
Hi @Mark_Heimer, did you modify only the Correlation Search name or also the Notable name? In the Incident Review you see the Notable name, not the Correlation Search name. In addition, when I clone a CS, I always prefer to move it into a custom app and not release it in the Enterprise Security apps; in this way I have all the customizations in a custom app. It isn't mandatory, but you have a cleaner and more ordered situation. Ciao. Giuseppe
Hi, I found this 2011 chat "72798" on Splunk about "considering adding the concept of a "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do". Does anybody know if this is somehow available or doable in 2024? My case is that I need a standalone search head with access to a subset of all indexes in the cluster, but at the same time full control of the search head (Splunk admin capabilities, except changes to the searchable index list). The aim is to separate the SH so it can be managed by a 3rd party.
Question 1: The last column is longer than the others; it's not aesthetic. I know I can adjust the height by editing the "<option name="height">" label, but the returned data changes all the time. If I set it "too high", it would look weird. I want to solve two problems. 1. Don't show the web scrollbar, meaning the panel can have an automatic size to accommodate my column data no matter how much data I have. 2. I want every column to share the space equally. Question 2: If my event is too short, it looks too small and narrow. It's also not aesthetic. Can I make a "minimum bar chart or a circle" defined by myself (like what I drew on the image)?
Thanks all, team. I am using a Simple XML classic dashboard.
@ITWhisperer is asking which paradigm is used in your dashboard. Splunk has two very different ones. "Simple XML" is also called "Classic Dashboard" or "Dashboard Classic". If you click the "Dashboards" tab in the Search app in 9.3, you'll see three panels like these: "Examples for Dashboard Studio" (Browse examples of dashboards & visualizations. Visit Example Hub), "Intro to Dashboard Studio" (Learn how to build dashboards with Dashboard Studio. Learn More) and "Intro to Classic Dashboards" (Learn how to build traditional Simple XML dashboards. Learn More). Follow the links to learn about their respective capabilities and programming/learning costs. (Both provide some visual design tools, although some advanced features still require editing the underlying code.) If you are modifying an existing dashboard, search for your dashboard in this tab and look at the "Type" column.
As I said above, the answer is no. Splunk's interactions (better known in Dashboard Classic as "drilldowns") are based on the selected row only. If a transposed table suits your need, you can transpose, then interact with a row.
Hi, can anyone please advise on the search query to find out the overall health status of VMware using metric logs? index - vmware_metric SPL -
| mstats avg("vsphere.usage") prestats=true WHERE "index"="vmware-metrics" AND "host"="system1.local" AND ("host"="system2" OR "uuid"="12457896") span=10s | timechart avg("vsphere.vm.cpu.usage") AS Avg span=10s | fields - _span*
Hi @Redwood (https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Data/UsetheHTTPEventCollector), may I know why you use the 8.0.2007 documentation? Unless you want a particular doc version, please use "latest" instead of that version number, so you will get the right documentation: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_Splunk_Cloud_Platform Regarding the error, please check the previous reply and let us know if it's working or not; then we can troubleshoot further. Thanks. Best Regards, Sekar
Hi @gcusello, I thought to test this but I'm not sure how to test it. I will check the other options replied and update you back, thanks. Best Regards, Sekar
Sorry for the lack of clarity. I mean, for example, in the display there is a table with 3 columns. From there I can display certain information below the table depending on which table column I click. Is it possible?
Oh! I see. How do I determine that? I think I should be using Simple.
Thank you for your information, so I created the CSV like this for sse_host_to_country:
host,country
host1.example.com,Japan
host2.example.com,Malaysia
host3.example.net,Australia
host4.example.org,Singapore
And this for gdpr_user_category:
user,category
user1@example.com,User
user2@example.com,Admin
user3@example.com,PowerUser
user4@example.com,User
Remove "authorisationheader" from the URL.  That's not a valid HEC URL. If that doesn't help, then please post the exact text of the error message(s) you see and also identify the "it" that tells you the URL is incorrect.
@tscroggins Perfect. Worked smoothly. I took a long way as follows:
| spath | rename message as _raw | extract | rex "\"sessionId\"\:\"(?<SessionID>.*?)\"\,\"clientTransactionId\"\:\"(?<ClientTransactionId>.*?)\"\,\"transactionId\""
Hi all, I am a bit of a newbie here, and am trying to set up HEC on Splunk Cloud; however, the URL I have created following the event collector documentation (https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Data/UsetheHTTPEventCollector) doesn't appear to be working. Looking at the HEC dashboard, occasionally there is some activity showing, but it tells me the URL is incorrect. I have tried numerous changes to the URL and followed tons of advice on here, but nothing appears to be working. I am clearly missing something, and would really appreciate some guidance. https://http-inputs-myhostname.splunkcloud.com:443//services/collector/event/authorisationheader I have tried replacing event with raw and changed the port, although I am using a Splunk Cloud Platform instance rather than a free trial. I have removed SSL and re-enabled it. I would be very grateful for any advice and support here. Thank you
Still, the key_value part should be a proper object containing key-value pairs, not an embedded string. That makes no sense. Fix your data. This is incredibly common and, in most cases, outside the control of the destination. In the Logstash/Elasticsearch world, I'd parse the message field with a grok filter/processor followed by a json filter/processor to parse key_value into a JSON object. ("Elastic" translates to "overhead," but it's really just a trade-off relative to how Lucene works.) In the Splunk world, I'd leave it as is and use search-time field extractions, field aliases, etc., and accelerated data models.