@ITWhisperer, I have reposted the 2 sample logs with transactionID. Please consider the Channel as a field; the log pattern will be the same but only the Channel and Transaction ID will be different. So if I apply a filter at the Channel level, it only reflects the Level 1 event, since there is no Channel field in the remaining 3 events. I need to calculate whether the transaction successfully passed at all levels or failed in between.
Hi @fabiyogo1, you can enable syslog from the IPS devices to be sent directly to Splunk or to an intermediate syslog box, and use Splunk agents to forward it to an Indexer/HF, depending on how the setup is.
The names of the investigators are populated in the KV Store user_realnames. Here are the steps that need to be taken for removing the old investigators:
1. Navigate to the app "Splunk App for Lookup File Editing" to edit the KV Store.
2. On the Lookups page, find the "user_realnames_lookup" file and edit it.
3. Delete the users who are no longer part of the organization. To delete, select any cell in the table and right-click; you will see options to delete the selected rows.
4. Ensure that the profiles no longer appear in the Investigators section after the lookup update.
Adding the solution to this so that it can help others. The names of the investigators are populated in the KV Store user_realnames. Here are the steps that need to be taken for removing the old investigators:
1. Navigate to the app "Splunk App for Lookup File Editing" to edit the KV Store.
2. On the Lookups page, find the "user_realnames_lookup" file and edit it.
3. Delete the users who are no longer part of the organization. To delete, select any cell in the table and right-click; you will see options to delete the selected rows.
4. Ensure that the profiles no longer appear in the Investigators section after the lookup update.
So you can connect with another tool but not with nmap? Something's fishy here. EDIT: You wrote "cannot". So if you can connect to 8089 locally and cannot from the SOAR machine, it's something to be resolved at the networking level.
Yes, I cannot connect to port 8089 from the SOAR machine to the Splunk Enterprise machine using the CLI (telnet/netcat/curl/openssl). I scanned port 8089 with nmap and it says the connection was refused. I think it might be an issue with the Azure platform. The virtual machine (CentOS) might be refusing connections to the external network, and this might be related to Azure. I will contact the Azure support team.
I already converted up to this part:
| tstats count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where nodename=Secure_Malware_Analytics_Dataset index=* status IN ("*") sourcetype="cisco:sma:submissions"
It works as expected, but I'm stuck on completing it now.
Actually, it looks like some horribly disfigured JSON. It's twice escaped: " -> \" -> \\\". It might be smart to look into the ingestion process and try to optimize it.
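To make the "twice escaped" observation concrete, here is an added example (not from the thread) that builds such an event and unwraps it: a JSON object serialised, then JSON-string-encoded twice more, so its quotes appear as \" at the middle layer and \\\" at the innermost. The sample event and its field names are constructed for the illustration. The decoder calls json.loads repeatedly while the result is still a string, with a depth cap so a value that merely looks like JSON cannot make it loop.

```python
import json

# Constructed sample resembling the "twice escaped" event described above:
# the object is serialised once, then string-encoded twice more.
SAMPLE_EVENT = json.dumps(json.dumps(json.dumps(
    {"user": "alice", "action": "login", "ok": True})))


def unwrap_json(text, max_depth=5):
    """Decode nested JSON-string layers until an object or array appears.

    Returns (value, depth), where depth is the number of json.loads passes
    that were needed.  Stops at max_depth, and raises ValueError when the
    innermost decodable layer is still not an object/array.
    """
    value = text
    depth = 0
    while isinstance(value, str) and depth < max_depth:
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            break          # the remaining string is not JSON: stop here
        depth += 1
    if not isinstance(value, (dict, list)):
        raise ValueError("no JSON object/array found after %d passes" % depth)
    return value, depth


if __name__ == "__main__":
    print(SAMPLE_EVENT)
    print(unwrap_json(SAMPLE_EVENT))
```

The depth value tells you how many encoding layers the producer added; each extra layer means some component re-serialised an already-serialised string, which is where the ingestion fix belongs. Unwrapping at search time works as a stopgap, but fixing the source so a single well-formed object is emitted is what makes field extraction reliable.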
To be precise, you could use two DSes in the same environment prior to 9.2, but they would need to serve different DCs (or you'd have to have some huge load-balanced setup, but that's clearly not what we're talking about here). Anyway, +1 on that question about setting up the HF. Especially since you can't set a server externally as a DC for a given DS (unless you're using the DS to distribute an app updating the DC settings, but again, it's almost surely not the case here).
Hi @ITWhisperer, above are the 2 sample events with transactionID. The log pattern will be the same but only the Channel and Transaction ID will be different. So if I apply a filter at the Channel level, it only reflects the Level 1 event, since there is no Channel field in the remaining 3 events. I need to calculate whether the transaction successfully passed at all levels or failed in between.
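The poster's sample events are not reproduced on this page, so the following is an added example with a constructed log format, not the poster's logs or ITWhisperer's answer. It shows the correlation logic the question asks for: group events by transaction ID first, propagate the Channel from the level-1 event to the whole group, classify each transaction (passed at every level, failed at a level, or stalled with later levels missing), and only then filter by channel. Filtering the raw events by channel before grouping is what drops the three per-transaction events that carry no Channel field. The field names, level count and status values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not the poster's real logs): four processing
# levels per transaction; only the level-1 event carries the channel field.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 txn=T100 level=1 channel=MOBILE status=SUCCESS
2024-05-01T10:00:02 txn=T100 level=2 status=SUCCESS
2024-05-01T10:00:03 txn=T100 level=3 status=SUCCESS
2024-05-01T10:00:04 txn=T100 level=4 status=SUCCESS
2024-05-01T10:01:01 txn=T101 level=1 channel=WEB status=SUCCESS
2024-05-01T10:01:02 txn=T101 level=2 status=SUCCESS
2024-05-01T10:01:03 txn=T101 level=3 status=FAILED
2024-05-01T10:02:01 txn=T102 level=1 channel=MOBILE status=SUCCESS
2024-05-01T10:02:02 txn=T102 level=2 status=SUCCESS
"""

KV = re.compile(r"(\w+)=(\S+)")
LEVELS = (1, 2, 3, 4)          # assumed: a transaction must pass levels 1..4


def parse(lines):
    """Turn each log line into a dict of its key=value pairs (timestamp kept as 'ts')."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = {"ts": ts}
        fields.update(KV.findall(rest))
        events.append(fields)
    return events


def correlate(events):
    """Group by transaction ID, propagate channel from the level-1 event to the
    whole group, and classify each transaction's outcome."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["txn"]].append(ev)
    results = {}
    for txn, evs in groups.items():
        channel = next((e["channel"] for e in evs if "channel" in e), None)
        by_level = {int(e["level"]): e["status"] for e in evs}
        outcome = "passed"
        for lvl in LEVELS:
            status = by_level.get(lvl)
            if status is None:
                outcome = "stalled before level %d" % lvl   # later events never arrived
                break
            if status != "SUCCESS":
                outcome = "failed at level %d" % lvl
                break
        results[txn] = {
            "channel": channel,
            "levels_seen": sorted(by_level),
            "outcome": outcome,
        }
    return results


def report(lines, channel=None):
    """Correlate first, then filter by channel, so the channel-less events of a
    transaction are not discarded before they can be matched to its level-1 event."""
    results = correlate(parse(lines))
    if channel is None:
        return results
    return {t: r for t, r in results.items() if r["channel"] == channel}


if __name__ == "__main__":
    for txn, r in report(SAMPLE_LOGS, channel="MOBILE").items():
        print(txn, r)
```

The same idea in SPL is to aggregate by the transaction ID (for example with stats, collecting the channel and the per-level statuses into one row per transaction) and to put the channel condition in a where clause after that aggregation rather than in the base search, so the events without a Channel field still reach the aggregation.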
I need some clarification. Are the HFs acting as deployment clients (DCs) or deployment servers (DSs)? You can't have 2 DSs in the same environment prior to Splunk 9.2. If the HFs are DCs, then where is the DS? Is the MC a separate instance? You set up HF2 using "the same method". What exactly was that method? We can't tell where you went wrong without knowing what you did.