Need to monitor a website which when gets hit shows a popup with Username and Password. Tried below possibilities till now. 1. Used Website input App but in "Enter Credentials" page , it throws "Username and Password field name not detected" Error. 2. Tried passing credentials using below but getting unauthorized error. https://URL/insecurelogin?loginType=splunk&username=EMEA\abc&password=XYZ https://URL/insecurelogin?username=EMEA\abc&password=XYZ Any one has done such monitoring , please share your valuable inputs. Thanks

Hi all, i am creating a custom app which require PYTHON - Pandas module.  Can you please let me know how i can install pandas on Splunk enterprise and leverage that on my custom application.  will this cause any issue on the splunk overall?   

How do I set a "Trigger Condition" on a Splunk report like you would  when creating an alert? My issue is that I have created a report that I want to generate an email from when Number of Results = 0 ie, when no file has been uploaded/detected. Some people would argue why don't I just create an alert instead? My dilemma is, with an alert it won’t let you add a "Time Range" as I want my daily report to track the previous 7 day time range  My search string looks like this: index=it_sts_xfer_prod_us xferPath="*GIDM*" OR xferPath="*sailpnt*" OR xferPath="*identity*" OR xferPath="*InternalAudit*" xferFile="FILENAME.csv" | eval _time=_time-xferSecs | convert ctime(_time) as Time timeformat=%m/%d/%y

Hello, I have xml source files in a location where SPLUNK HF installed on it...these files are updated with new data...that means no new files are created .....when new data comes in... existing files are appended, and new data added at the end of the existing files. I know SPLUNK has CRC to check duplicate entries based on the Hash Function. My question is.... will SPLUNK UF/HF be able to read only new data that is added at the end of existing file without any errors (or missing info) and send to the indexer.  Any recommendations/thoughts would be highly appreciated. Thank you so much for your support.

I am using Kali Linux and when I try to install the Splunk App for AWS the system keeps telling that the username and/or password are incorrect even though I am using the exact same credentials that I used to log in. I have tried using "admin" as username, changing the password and many other things but it keeps giving me this error. I tried it with the Cloud instance and it gives me the same error. I would really appreciate some help on this, because I will not be able to make the most of Splunk without apps.

Hello Team,                           We are using Enterprise security in our environment and we have created correlation searches to trigger an alerts. Out of those there is one particular use case which is related to Process injection, We are receiving maximum number of incidents on this due to one Here I am not giving the name of the exe file due to security concerns: I will be using it as ___.exe Shellcode Injection activity detected. Process "___e.exe" has injected itself into ___.exe, ***.exe, +++.exe, ^^^.exe like this we are receiving many incidents. I have some doubts on this: 1. What is this Process injection and why the process are getting injected to others? , 2. How could we stop this to getting injected to others in Splunk  (Or from Endgame), 3. We want to fine tune this use case, Is there any alternative to suppress these alerts from Endgame, 4. We have whitelisted some of these alerts with Source process path and Target process path, But still ___.exe still it getting triggered with new target paths. Its always injecting into some other targets. Can anyone please explain in clear cut, I am a rookie in cyber security. Not exactly getting many things. But out of those this is one which is hunting me. Thanking you in advance. 

I have apis which has params in between and trying to  match the api from csv but it doesnt show when using lookup. eg : /serviceName/api/127364/api   which is shown in access logs  i have /serviceName/api/*/api in my csv file.  Any idea how this works?

Hi,   I created a splunk server on AWS and using the UI I constructed an HEC to listen for some logs. I am using docker's splunk logging driver to send the logs. If I leave the config the same on both servers, I receive the error: "Error response from daemon: Options "https://<IP>:8088/services/collector/event/1.0": x509: certificate relies on legacy Common Name field, use SANs instead" So I tried to change splunk config so that it will work with my self signed certificate (which uses SANs). I did this by changing the inputs.conf (in which the HEC was configured, bizarrely enough under" $SPLUNK_HOME/etc/apps/search/...") to have the [http] stanza with the path of the self signed cert:       [root@machine introspection]# cat $SPLUNK_HOME/etc/apps/search/local/inputs.conf [http] serverCert = /opt/splunk/etc/auth/certs/root.pem [http://test] disabled = 0 host = <ip> sourcetype = generic_single_line token = <token>       I then moved the relevant [http] stanza to where I believe it should be, (.../apps/splunk_httpinputs/...) but this didn't help. In fact, what happened was as soon as I put this stanza in, connections via SSL to the ip of splunk with the relevant port do not complete, for example:       openssl s_client -connect <ip>:8088         I would appreciate assistance with either fixing the original SANs issue (as it's splunk logging driver on docker), or with the issue of using self-signed on HEC. Thanks!

Hi A team has asked me that they need to keep 3 months' Data. I have told them that we have limited space on the discs and it is a function of Data, not Time. (I know an index gets full and data will drop off at the back) But how do I know how far my data goes back, so I can judge if I need to get more Disk space, or increase the size of the index. Below is a screen show taken from 1 of the indexes, however, I don't believe the reading. I know that I keep up to 3-6 months of data but not years. So  If I try running a search like this I don't think it will end. Also, I don't believe the data in 2017, I think somehow it got back dated Anu help would be great - cheers

We get a weekly ingest of a data set for our vulnerability management. Each line contains a unique value matching a vulnerability with a server I want to be able to report on: a. how many new vulnerabilities are in this weeks report compared to last week and b. how many vulnerabilities have been fixed (so are not reported) in this weeks list compared to last week I'm looking for splunk to tell me whats new and whats missing week by week but also track these over the long term.  Cant seem to get any meaningful results with a 'set diff' search   Any help gratefully received!!