All Posts

Yea, same same but different. Yesterday I applied this and it started working too: s/(\\")/"/g on the data, but now I do not see it in the sourcetype advanced options. If I add it again, the log quality will be ruined again, so I'm not sure how the TA messed up.
Hi @Dyrock, as you can see in https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html and read at https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Forwarddata and https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Forwarding/Aboutforwardingandreceivingdata, you have to: (1) configure the Indexer to receive logs from UFs (I suppose that 997 is a mistyping because the default port is 9997); (2) configure the outputs.conf on your UF to send data to the indexers on the same port; (3) configure the inputs on the UF. At this point you will see your logs in the Indexer. Ciao. Giuseppe
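As an added illustration of the three steps in the reply above (not part of Giuseppe's answer or of any Splunk documentation), the minimal stanzas for the lab described elsewhere on this page, assuming the indexer is 192.168.0.33 receiving on 9997 and the Sysmon index is created as sysmonlog (Splunk index names must be lowercase, so "Sysmonlog" as typed in the UI would actually be sysmonlog):

```ini
# --- On the indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Step 1: open the receiving port (this is what "configure receiving" in the UI writes).
[splunktcp://9997]
disabled = 0

# --- On the Windows UF: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Step 2: point the forwarder at the indexer on the same port.
# "lab_indexers" is an arbitrary group name chosen for this example.
[tcpout]
defaultGroup = lab_indexers

[tcpout:lab_indexers]
server = 192.168.0.33:9997

# --- On the Windows UF: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Step 3: collect the Sysmon operational channel into the lab index.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = sysmonlog
renderXml = true
```

After restarting the forwarder, `splunk list forward-server` on the UF shows whether the 192.168.0.33:9997 destination is active or configured-but-inactive, and on the indexer the search `index=_internal source=*metrics.log* group=tcpin_connections` lists every forwarder that has connected, so a missing 192.168.0.34 there means the connection never reached the indexer.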
Hi @y71855872, are you indexing pcap logs from Wireshark, as described in the instructions at https://splunkbase.splunk.com/app/2748? Then, if you use a custom index, you have to put it in the default search path or add it to all the dashboards as described in the instructions. Ciao. Giuseppe
"Is there any benefit to moving "UNPSEC" back to null()? I usually just gave it "N/A" for strings, and 0 for numeric." None whatsoever. This is purely for people who want non-existent values to show blank.
Yes, your understanding is correct.
I am confused as to how to get this app to work. Can anyone provide me with an instruction sheet telling me what needs to be done? I have downloaded and installed the pcap analyzer app but can't seem to get it to analyze. Can anyone help me?
What happens if the amount of data exceeds the daily limit in Splunk Cloud ("Total ingest limit of your ingest-based subscription")? Either (a) data ingestion stops, or (b) Splunk contacts you to discuss adding a license, but ingestion does not stop?
Hello, this is my first experience with Splunk as I am setting up a lab. In VirtualBox I have: VM1 (acts as server): Ubuntu desktop 24.04 LTS, IP 192.168.0.33; installed Splunk Enterprise; added port 997 under configure receiving; added an index, named it Sysmonlog. VM2 (acts as client): Windows 10, IP 192.168.0.34; installed Sysmon; installed Splunk Forwarder; set the developer ip 192.168.0.34 port 8089; set indexer 192.168.0.33 port 9997. Ping is successful from both VMs. When I am about to add the forwarder in my indexer, nothing shows up. How should I troubleshoot this to be able to add the forwarder?
Hi @nmohammed and @goelshruti119, please see the following reply for instructions on how to troubleshoot: https://community.splunk.com/t5/Installation/Install-issue-on-Server-2016/m-p/540173/highlight/true#... Cheers, - Jo.
Our vulnerability scan is reporting a critical severity finding affecting several components of Splunk Enterprise related to an OpenSSL (1.1.1.x) version that has become EOL/EOS. My research seems to indicate that this version of OpenSSL may not yet be EOS for Splunk due to the purchase of an extended support contract; however, I have been unsuccessful in finding documentation to support this. Please help provide this information or suggest how this finding can be addressed.
Path : /opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/libcrypto.so
Installed version : 1.1.1k
Security End of Life : September 11, 2023
Time since Security End of Life (Est.) : >= 6 months
Thank you.
Situation: Search Cluster 9.2.2, 5 nodes running Enterprise Security version 7.3.2. I'm in the process of adding 5 new nodes to the cluster. Part of my localization involves creating /opt/splunk/etc/system/local/inputs.conf with the following contents (the reason I do this is to make sure the host field for forwarded internal logs doesn't contain the FQDN like hostname in server.conf):
[default]
host = <name of this host>
When I get to the step where I run:
splunk add cluster-member -current_member_uri https://current_member_name:8089
It works, but /opt/splunk/etc/system/local/inputs.conf is replicated from the current_member_name. And, if I run something like:
splunk set default-hostname <name of this host>
... it modifies inputs.conf on EVERY node of the cluster. Diving into this, I believe this is happening because of the Domain Add-On DA-ESS-ThreatIntelligence, which contains a server.conf file in its default directory (why this would be, I've no idea). Contents of /opt/splunk/etc/shcluster/apps/DA-ESS-ThreatIntelligence/default/server.conf on our Cluster Deployer, which is now delivered to all cluster members:
[shclustering]
conf_replication_include.inputs = true
It seems to me that it's this stanza that is causing the issue. Am I on the right track? And why would DA-ESS-ThreatIntelligence be delivered with this particular config? Thank you.
Actually, I did what you said. I asked this question to the community to make sure I was doing it right, in case I was missing something. SOAR is installed on a CentOS 8.5 operating system. I couldn't install OpenVPN on this OS. I rented another virtual machine and installed OpenVPN on it. The VPN machine and SOAR were again on different networks, so I peered them over Azure. The CentOS 8.5 machine and the OpenVPN machine were on the same network. When I connect to the VPN from my computer, I can ping the CentOS private IP address from my computer and get a response, so there is no problem there. But Splunk SOAR still refuses to connect.
It's not just "because they are in different networks" but because your internal network is organized the way it is. You might try to set up a VPN to your Azure environment to allow for connectivity, or try to do some DNATs in your home network, but as you're asking some very basic network-related questions, you'd better not do that without fully understanding the risks.
@richgalloway yeah, the only reason I'm splitting it into two sections is because when I did the logs for 1 month, the exported Excel sheet was missing data for some reason, but when I split it in half in the search query the data is able to populate. I guess the search query might have been too messy, and adding on 1 month for it might have caused it to use too much resource or something. Thank you
Not searching in fast mode. I am going to assume that I did not install it in all the required places; I inherited this from another employee. I have it deployed from the DS to my endpoints and the local conf files are configured there. I have it also installed via Manage Apps in the Cloud search head.
First of all, hello everyone. I have a Mac computer. I installed Splunk Enterprise Security on this Mac M1 computer. Then I wanted to install Splunk SOAR, but I could not install it due to CentOS/RHEL ARM incompatibility on the virtual machine. Then I rented a virtual machine from Azure and installed Splunk SOAR there. Splunk Enterprise is installed on my local network. First, I connected Splunk Enterprise to SOAR by following the instructions in this video (https://www.youtube.com/watch?v=36RjwmJ_Ee4&list=PLFF93FRoUwXH_7yitxQiSUhJlZE7Ybmfu&index=2) and the connectivity test gave successful results. Then I tried to connect SOAR to Splunk Enterprise by following the instructions in this video (https://www.youtube.com/watch?v=phxiwtfFsEA&list=PLFF93FRoUwXH_7yitxQiSUhJlZE7Ybmfu&index=3), but I had trouble connecting SOAR to Splunk because Splunk SOAR and Splunk Enterprise Security are on different networks. In the most common example I came across, SOAR and Splunk Enterprise Security are on the same network, but here they are on different networks. What should I write for the host IP when trying to connect SOAR? What is the solution? Thanks for your help.
Can you create searches using the REST API in Splunk Cloud?
| eval previous_time=relative_time(now(),"-".months."mon")
You would have to be careful around leap years and if months is not a multiple of 12. If you know months is always going to be a multiple of 12, you could do this instead:
| eval previous_time=relative_time(now(),"-".floor(months/12)."y")
Please clarify what you expect - your example shows policy_3 and policy_4 changing in the last 24 hours by the removal of (X), not the addition, and they don't appear prior to today, so what is it that you are trying to compare? Similarly, policy_1 and policy_2 do not appear today, although they do appear to have changed by the removal of (X) within the 48 hours prior to today.
@manuelostertag I'm having the same issue. Any luck with this?