Hi what would be the best way to check if after a user has been added to a group, they have not been removed from the same group within say 24 hours.  I currently have a search that provides a table that shows group additions and group removals using winevent index. What is the best way to find events where there has been an addition but no removal for the same group and user added within 24 hours. I started to look at | transaction but I don't feel this is correct as I am interested if there has not been a removal after a time period. Failing this if anyone has an alternate solution to alert when a user has been added and not removed from a group within a time period that would be much appreciated. Thanks

I have created a query to detect too much blocked traffic to one single destination.Somehow this doesn't work. Help me to resolve this. bin _time span = 5m as timespan | eval start time = strptime(connection_start_time,"%Y-%m-%d %H:%M:%S") |stats dc(D_IP)as num values (start_time)by src_ip | search num>3 | sort num desc I want to display the src ip,hostname,destination ip, count

One of our client recently performed a vulnerability scan on Splunk Enterprise 8.2.7 and they were found as vulnerable for Apache Spark package and Apache hive package : bin\jars\vendors\spark\3.0.1\lib\spark-core_2.12-3.0.1.jar  and  \bin\jars\thirdparty\hive_3_1\hive-exec-3.1.2.jar I see version 9.0 uses patched version of hive i.e 3.1.3 and does not use spark Did anyone else found this ??  

I am trying to set up anomaly detection based on the number of ModSecurity warnings in the log in real-time to indicate an attack. I set up an experiment in the MLTK with the query below and set up the alerting system. The app is used Mon-Fri, so we tried to account for the low traffic on Sat-Sun in the data model. Unfortunately, the alert is being triggered constantly. Can anyone assist with how to write the query or set up the experiment for my use case?    index="APP_NAME_production" source="<PATH TO LOG>/modsec_audit.log:*" "ModSecurity: Warning" | bin _time span=15m | stats sum(linecount) as total_lines by _time | eval HourofDay=strftime(_time,"%H") | eval DayofWeek=strftime(_time, "%A")

I just installed this app and found it simple to setup...but I must be doing something wrong. I've created Trap information on my two UPS devices and haven't had any luck bringing them into Splunk. I enabled SNMP, all versions and then I added the IPs for the Traps to point to and included my splunk cloud DNS name, Deployment IP, HF and UF and haven't seen anything come in.  It also says the default sourcetype it has is snmp_ta Activation Key * Using 14 day free trial Log Level INFO  SNMP Mode Listen For Traps (I've also tried DEBUG) SNMP Version 2C I left everything else blank except  SNMP Trap listener settings I put the IP address of the UPS I'm trying to get the information from. 

I saw that a new version of this add-on was released to support OAuth. The instructions for setting up the Client ID is truncated: "The Reporting Web Service should now appear in the list of applications that your app requires permissions for <blank" I added ReportingWebService.Read.All to the Client ID I already use for other O365 logs, and configured the new TA but this still gives me a 401 error. Are there additional premissions required?

So I have migrated to Splunk Cloud, but still have a Deployment server, UF, and HF. How do I find out what my IP is for Splunk Cloud?  I'd like to be able to send Trap information directly there. Especially since the UPS keeps saying failed to find DNS name.  Thank you. 

I am trying to build a trending dashboard of the count of tickets we get. With the below query, I am trying to display the increase/decrease in the count of tickets we got for each type for the past two weeks.   index=tickets Status IN ("Open", "Pending") earliest=-14D@w0 latest=@w0 | dedup ticketid | eval ticket_type=case(like(Tags,"%tag1%"),"Type1", like(Tags,"%tag2%") AND !like(Tags,"%tag1%"), "Type2", like(Tags,"%tag3%") AND !like(Tags,"%tag1%") AND !like(Tags,"%tag2%") , "Type3") | timechart usenull=f span=1w count by ticket_type   The problem is whenever we have more count(tickets) for the previous week, it shows the data with a "-" minus sign.  Question: 1. Not able to understand why a "-" would be there for a count.   2. Is there a way to suppress the "-" sign ?

Hi,  I am new to Splunk so I was wondering if somebody could help me with this Problem:  I have deployed Splunk Standalone with the splunk-operator in my Kubernetes-Cluster. Now I would like to connect to a MS SQL Express DB with DB Connect. The installation of DB Connect works fine, but when I want to configure DB Connect, I need to give the Task Server a valid JRE path. The Standalone Version has no Java installed, so there is no path I can refer to. How can I install Java on the Splunk-Standalone? I found this in the docs, but I don't understand quiet how to do it this way ... (https://github.com/splunk/splunk-ansible/blob/develop/docs/advanced/default.yml.spec.md) Best regards 

Is there a way to use multivalue fields in SOAR? I have not been able to find a good article on how to do this. We have a few sets of logs that use multivalue fields. By default the SOAR export app will create individual artifacts with only 1 value in a field if the event has multiple values in a field. I know you can turn on the option in the SOAR export app to send all values as a mutivalue field to SOAR but the issue is when the actions inside of a playbook sees the data in a multivalue field they usually fail.  Here is an example of how an Artifact looks when I send an event as a multi value field to SOAR. md5_hash: ["55df197458234c1b48fed262e1ed2ed9","55df1974e1b8698765fed262e1ed2ed9"] sha1_hash: ["b50e38123456ee77ab562816ab0b81b2ab7e3002","b50e3817d416ee77ab562816ab0b81b2ab7e3002"] sha256_hash:["b8807c0df1ad23c85e42104efbb96bd61d5fba97b7e09a9e73f5e1a48db1e27e","b8807c0df1ad23c81234504efbb96bd61d5fba97b7e09a9e73f5e1a48db1e27e"] domains: ["some1.domain1.com","some.domain.com"] urls:["https://domain.com/uri/uri/picture.png ","https://some1.domain1.com/uri/uri/uri/something.gif ","https://some2.domain2.com/uri/uri/uri/something.gif ","https://some3.domain3.com/uri/uri/uri/something.gif.gif "] Here is an example Error if I were to try and get the IPs of the domains field Error Code: Error code unavailable. Error Message: None of DNS query names exist: ['some1.domain1.com',\032'some.domain.com']., ['some1.domain1.com',\032'some.domain.com'].localdomain. type = A domain = ['some1.domain1.com','some.domain.com'] I believe the playbook is seeing the data in the field as a single set of data and not a list so it is literally querying the A records for "['some1.domain1.com',\032'some.domain.com']" and not "some1.domain1.com" and "some.domain.com" How can I split these multi value fields up so that the playbook runs them as a for loop and outputs the results as one block of data