We are currently tasked with having Splunk monitor an AKS cluster in Azure, and we are comparing two solutions:
- Installing Splunk Connect for Kubernetes in AKS, as per this thread: We are thinking of moving to Azure Kontainer Servi... - Splunk Community
- Another pattern that was done before is to enable Azure Monitor, which in turn ships logs to Event Hub, eventually consumed by Splunk via the Splunk Add-on for Microsoft Cloud Services.
How do the two solutions compare, and what is the preferred solution?
August 2022

Track to Log Views within Splunk Observability Custom Dashboards Today!

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log Observer and Log Observer Connect directly to their Observability custom dashboards, all while drawing on existing Splunk instances from a familiar, extensible data platform. Log views combine the easy UI of Log Observer with the flexibility and power of Splunk Observability dashboards. This allows users to complete the troubleshooting journey in one place: metrics-based alerts and trends show what changed and when the problem started, and log views provide full detail of what's happening and why. Learn more about log views! Check out our blog, docs, and sign up for a free trial today.

Visual Feedback on Splunk APM Trace Search

With visual feedback on trace search, get immediate feedback on matches and errors, as well as when there are no matches in the trace search results. You can sort your trace search results on timestamp / duration and narrow down the search range on the interactive chart to see relevant traces. Learn more here.

Splunk IT Service Intelligence (ITSI) Named Customer Favorite by TrustRadius

Splunk is honored to be the recipient of a series of awards from TrustRadius, all based on customer reviews. In the Observability category, Splunk IT Service Intelligence (ITSI) won for Best Feature Set and Best Relationship in the Event Monitoring category. To learn more about the TrustRadius awards, check out the blog. You can also leave your own review here.

Have a Splunk Story to tell? We want to tell it!

If you are interested in sharing your Splunk story and participating in our advocacy program, please fill out the questionnaire below and we'll be in touch shortly.
Get Started

Tech Talks

Platform Edition: Splunk 9.0 - What's New and How to Migrate / Upgrade
Tuesday, August 30 | 10am PT / 1pm ET
Register to Attend

In June we announced Splunk 9.0, which has a lot of new features and innovations. In this Tech Talk, we will walk you through the new Splunk 9.0 / Splunk Cloud Platform features. These new enhancements help you with end-to-end visibility, rapid investigation and action, and more extensibility. How can you take advantage of these new features? We will show you how to upgrade to Splunk 9.0 and how to upgrade to Splunk Cloud Platform to take advantage of all the new features. Join us August 30th!

Now On Demand

- Platform Edition: Introducing Ingest Actions: Filter, Mask, Route, Repeat (Watch Now)
- Security Edition: Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks! (Watch Now)
- Observability Edition: DevSecOps: Why You Should Care and How to Get Started (Watch Now)

Do More with Lantern

Content is expanding all the time with more ways to help you be successful.

Have you still not checked out Splunk Lantern? Your peers have! From Q2 last year to Q2 this year: page views increased 69%, new users increased 423%, and, drumroll please... returning users increased a whopping 1,475%! Lots of Splunk customers just like you love the content they find on Splunk Lantern that helps them ramp up quickly, work more efficiently, and achieve their use cases. And the content is expanding all the time with more ways to help you be successful. In July, we added a number of new articles to the Security Use Case Explorer (for example, Creating an Incident Response Plan (IRP)), as well as more articles to help you with our cool observability products, like ITSI (for example, Gaining better visibility into ServiceNow instances in ITSI) and Synthetics (for example, Looking into a failed Real Browser Check (RBC) run). Check out those and more, and be sure to log in to leave us comments at the bottom of any article to tell us how we're doing.

Find an App with Splunkbase

More app releases and updates since the last newsletter! The popular Splunk Add-on for Microsoft Office 365 delivers audit logs for Azure Active Directory, SharePoint Online, and Exchange Online, as well as historical and current service status and service messages. The latest Splunk ES Content Update has too many updates to list, so for full details you can visit the GitHub project release notes! Splunk Add-on for Amazon Web Services (AWS) includes support for the Inspector v2 API ingestion method and Common Information Model (CIM) mappings for Inspector v2, as well as some bug fixes. Are you building apps and add-ons for Splunk Enterprise and Splunk Cloud Platform? The AppInspect App for Splunk makes it easy to submit your app to the

Splunk Training and Certification

Announcing an entirely new learning experience. A new landing page, more filters to the course catalog, a way to browse courses by delivery language, an entire page dedicated to free training, and more! New site, same URL: splunk.com/education. Also set to launch this month is the new Learning Rewards program: gaining new skills and new Splunk swag... what could be better? ICYMI, we are also offering a variety of Fast Start bundles to streamline your learning and registration experience, which means tons of single-subject learning in a single registration. Unsure of where to start? All new learners should check out these three free, self-paced eLearning courses (What is Splunk?, Intro to Splunk, Using Fields) and pick a Fast Start based on your goals.

Until next month, Happy Splunking!
August 2022

Open Cybersecurity Schema Framework (OCSF) Project

Splunk is excited to participate in the recently announced Open Cybersecurity Schema Framework (OCSF) project. OCSF is an open-source standard, delivering a common and extensible, vendor-agnostic taxonomy to help all security teams realize better, faster data ingestion and analysis without the time-consuming up-front normalization tasks. Splunk, together with co-founding member AWS, worked together with 16 other leading cybersecurity and technology organizations, including Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler. This coalition represents a wide spectrum of security technologies, which aligns with the project's goal to become the security event standard for any environment, application, or solution provider, and fits with existing security standards and processes. Check out our blog to learn more. Interested in the OCSF project itself or how to become a contributor? Visit the project page at https://github.com/ocsf.

Enterprise Security Content Update v3.46.0

The recent release of Enterprise Security Content Update (ESCU) includes 24 new detections and 5 new analytic stories, which you can find on GitHub, Splunkbase, or via API update in Splunk Security Essentials (SSE). Below are a few release highlights, or you can explore further at research.splunk.com:
- DarkCrystal RAT analytic story, which has several new detection analytics to identify the unique behavior of this malware.
- Cloud-based attack research with two new analytic stories, AWS Defense Evasion and Azure Active Directory Account Takeover, to identify suspicious activities in your cloud environment.
- Linux LOLbins and Linux rootkits analytic stories.
The Splunk Threat Research Team also published a blog detailing how to use a pre-trained machine learning (ML) model to identify risky Splunk search commands.

Security Made Stronger with Splunk UBA 5.1

Splunk User Behavior Analytics (UBA) version 5.1 is here. In this new version, Splunk continues to build upon our industry-leading behavioral analytics platform. UBA 5.1 provides new operating system support, installation and configuration upgrades, security vulnerability patches and per data source custom configuration. To learn more, check out the blog.

Splunk Detections: Malicious Payloads and Destructive Software

The Splunk Threat Research Team (STRT) actively monitors the emergence of new cyber threats within ongoing events in Eastern Europe, and recently developed several detections to help defend against malicious payloads and destructive software. View our on demand webinar to learn more about:
- Malicious payloads like AcidRain, Cyclops Blink, CaddyWiper, DoubleZero Destructor and HermeticWiper.
- Detections to enhance security operations and defense strategies.

Splunk SOAR and Splunk Enterprise Security Named Customer Favorites by TrustRadius

Splunk is honored to be the recipient of a series of awards from TrustRadius, all based on customer reviews. In the security category, Splunk SOAR and Splunk Enterprise Security came out on top! Splunk Enterprise Security (ES) won awards for Best Feature Set and Best Relationship in the Security Information and Event Management (SIEM) category. Splunk SOAR won awards for Best Feature Set and Best Relationship in the Security Orchestration, Automation and Response (SOAR) category. Not too shabby! To learn more about the TrustRadius awards, check out the blog. You can also leave your own review here.
August 2022

Welcome to the Future of Data Search & Exploration

Working with numerous customers and drawing upon 20+ years of historical feedback, Splunk is pleased to announce the Public Preview of a complete redesign of its core Search experience, accelerating the data-to-insight workflow and bringing the power of Splunk to everyone. Learn more about our reimagined investigative experience and how it will help every Splunk user in your organization.

Admin Config Service (ACS) Enhancements

We are excited to announce that with the new Splunk Cloud Platform 9.0.2205 release, it is easier to create, manage, and use private apps. Although Splunk is great by itself, we can all agree that the real value of Splunk comes from all the applications that developers, Splunk Trust members and all members of the Splunk community build. To make private cloud apps even more useful, we are introducing optional architecture-specific AppInspect tags to let more private apps be self-serviceable for both Classic and Victoria Experience Cloud stacks.

Introducing Splunk Operator for Kubernetes 2.0

The Splunk Operator for Kubernetes team is extremely pleased to announce the release of version 2.0! The showcase feature for this release, and the reason we bumped the version to 2.0, is the evolution of our Splunk Operator App Framework. Instead of administering Splunk through direct manipulation of the app filesystems, you can now acquire apps and configuration externally via S3. Read more about it in this blog post.

The Convergence of Security and Observability: Top 5 Platform Principles

Businesses compete on data. All else being equal, businesses that thrive are the ones who use data most effectively and consolidate islands of data. Bringing together security and observability into one holistic platform helps raise the technical focus of ITOps, DevOps and cybersecurity personnel to a broader business concern for managing risk. Explore the five principles to look for in a platform: unified platform, pervasive across use cases, extensible, open, and powerful search performance at scale.
We have several devices that perform endpoint and network device scanning. As intended, they are scanning prohibited ports to verify they are not open; however, the ESCU correlation searches, specifically the "Prohibited Network Traffic Allowed" rule, are detecting thousands of these events each day. How can I prevent notable events from being created in Enterprise Security when the source is one of the scanning devices? Thank you.
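One way to keep the authorized scanners from raising this notable, added here as an example rather than an answer from the thread or ESCU's own search text: keep the scanner addresses in a lookup and drop matching sources before the notable action fires. The lookup name authorized_scanners.csv (a CSV with a header line src and one scanner address per line), the prohibited-port lookup name prohibited_ports.csv with a dest_port column, and the shape of the base search are all assumptions that stand in for the shipped correlation search; the real one is built on the Network_Traffic data model, so check its actual field names (All_Traffic.src before the rename) and the lookup it really uses before editing it.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Traffic
    where All_Traffic.action=allowed
    by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| rename All_Traffic.* as *
| lookup prohibited_ports.csv dest_port OUTPUT dest_port as prohibited_port
| where isnotnull(prohibited_port)
| search NOT [| inputlookup authorized_scanners.csv | fields src]
| table firstTime lastTime src dest dest_port count
```

The subsearch expands to NOT ((src="10.0.5.20") OR (src="10.0.5.21") ...), so the exclusion applies before the Notable and Risk adaptive response actions run and nothing is written to the notable index for those sources; adding a scanner later is a lookup edit, not a search edit. For scanner subnets rather than single addresses, use a lookup definition with match_type CIDR(src) and `| lookup ... OUTPUT src as is_scanner | where isnull(is_scanner)` instead of the subsearch. If you would rather not touch the correlation search at all, Enterprise Security also offers Notable Event Suppressions (Configure > Incident Management > Notable Event Suppressions): the notables are still created but hidden from Incident Review, which keeps the volume and the risk scoring, so the lookup filter is the better fit for this case.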
I'm trying to create a playbook that uses the Windows Remote Management app to take a file saved locally on a server and move it to a location on a network share. I've tried using different command and PowerShell options and the WRM app's built-in action 'copy-item', and none of them work. I can run these commands and scripts locally on the server, logged in as the user that would be performing these actions through SOAR, and everything works fine. I can also have SOAR move the file from a local folder to another local folder and everything works fine. It's only when I ask SOAR to move it to a network share that it will not work. Examples of what I'm doing:

Move-Item -Path C:\folder\file.txt -Destination \\servername\sharename

This script will work fine locally, but will not through SOAR.

Move-Item -Path C:\folder\file.txt -Destination C:\differentfolder\file.txt

This script will work fine both locally and through SOAR. I've tried mapping the drive so I can use M:\file.txt and it still fails. I've asked SOAR to run the commands directly and have also tried letting SOAR run a script that uses these commands, and it will not work. It doesn't seem to be a permission issue, since I'm able to do all of this locally. I'm lost as to what else I can try or what else to look for as possible issues. Thanks for any help.
I recently have taken my splunk core use
I have a message thread; these messages are coming into Splunk. The chain consists of ten different messages: five messages from one system, five messages from another (backup) system. Messages from the primary system share the same SrcMsgId value, and messages from the backup system are combined with a common SrcMsgId. Messages from the standby system also have a Mainsys_srcMsgId value; this value is identical to the main system's SrcMsgId value. The message chain from the backup system enters Splunk immediately after the messages from the main system. Tell me, how can I display a chain of all ten messages? Perhaps first the messages from the first system (main), then from the second (backup), with the display of the time of arrival at the server. For the time, I understand I will include _time in the request. I have become a little familiar with the syntax of queries, but I still have a lot of difficulties with creating them. Please help me with an example of the correct request. Thank you in advance!
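As an added example (not from the thread), here is one way to build a common chain key and order the ten messages, primary first, then backup, each with its arrival time. The first six lines construct ten sample events with makeresults so the search runs on any Splunk instance; the field names SrcMsgId and Mainsys_srcMsgId are taken from the post, while host, msg and all sample values are assumptions.

```spl
| makeresults count=1
| eval rows="1660000000|A-100||primary|step 1;1660000001|A-100||primary|step 2;1660000002|A-100||primary|step 3;1660000003|A-100||primary|step 4;1660000004|A-100||primary|step 5;1660000010|B-7|A-100|backup|step 1;1660000011|B-7|A-100|backup|step 2;1660000012|B-7|A-100|backup|step 3;1660000013|B-7|A-100|backup|step 4;1660000014|B-7|A-100|backup|step 5"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<ts>\d+)\|(?<SrcMsgId>[^|]*)\|(?<Mainsys_srcMsgId>[^|]*)\|(?<host>[^|]*)\|(?<msg>.*)$"
| eval _time=tonumber(ts)
| fields - rows ts
| eval chain_id=if(isnull(Mainsys_srcMsgId) OR Mainsys_srcMsgId=="", SrcMsgId, Mainsys_srcMsgId)
| eval origin=if(chain_id==SrcMsgId, "primary", "backup")
| eval origin_rank=if(origin=="primary", 0, 1)
| search chain_id="A-100"
| sort 0 origin_rank _time
| eval arrived=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table arrived origin host SrcMsgId Mainsys_srcMsgId msg
```

chain_id is the main system's SrcMsgId for every message in the chain: the primary messages carry it in SrcMsgId, the backup messages carry it in Mainsys_srcMsgId, so coalescing the two gives one key for all ten. Sorting on origin_rank before _time guarantees the primary block comes first even when the backup messages interleave with late primary ones. Against real data, replace everything up to `fields - rows ts` with your base search, for example `index=your_index (SrcMsgId="A-100" OR Mainsys_srcMsgId="A-100")`, and drop the `search chain_id=` line if you want every chain in the time range (they will sort together by chain_id if you add it first in the sort).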
Good morning. We have been tracking a recent reduction in our log ingest rate. After a myriad of searching, it appears that the reduction in XML Windows Event Logs occurred the same week that Windows patching occurred in July of 2022. We are down by approximately 10%, maybe a little less than that. We have noted that the xmlwineventlog index appears to be the only index affected. I'm concerned because this could indicate:
- Patching broke logging on the Windows systems and we aren't getting everything we used to or should
- Patching made logging more efficient and we are getting the same or better/more data with less overall size
- Something else could be broken within Splunk itself and this is the only indication
We opened an on-demand case and they found nothing wrong. We opened a support case and they told us what we could see for ourselves in the cloud monitoring console. We've continued to search and investigate, and our working theory is that patching affected the logging. We now need to know if it's a good thing (number 2) or a bad thing (number 1). My question is: has anyone else noticed a drop in xmlwineventlog volume over the last few months? Thanks in advance.
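To tell case 1 (fewer events, or hosts that went quiet) from case 2 (the same events, smaller), you need per-host event counts and average event size before and after the patch week, not just index volume. The search below is an added example, not from the thread; the index name wineventlog, the sourcetype XmlWinEventLog and the cutoff of four weeks ago (standing in for the July patch week) are assumptions to replace.

```spl
index=wineventlog sourcetype=XmlWinEventLog earliest=-8w@w latest=@w
| eval bytes=len(_raw),
       period=if(_time < relative_time(now(), "-4w@w"), "before", "after")
| stats count(eval(period=="before")) as events_before,
        count(eval(period=="after")) as events_after,
        avg(eval(if(period=="before", bytes, null()))) as avg_bytes_before,
        avg(eval(if(period=="after", bytes, null()))) as avg_bytes_after
        by host
| eval events_change_pct=round(100*(events_after-events_before)/events_before, 1),
       avg_bytes_change_pct=round(100*(avg_bytes_after-avg_bytes_before)/avg_bytes_before, 1),
       avg_bytes_before=round(avg_bytes_before, 0),
       avg_bytes_after=round(avg_bytes_after, 0)
| sort events_change_pct
| table host events_before events_after events_change_pct avg_bytes_before avg_bytes_after avg_bytes_change_pct
```

A host with events_change_pct of -100 stopped sending after the cutoff (case 1, or a decommissioned host); hosts whose event counts are flat but whose avg_bytes_change_pct is clearly negative are your case 2, and the product of the two columns tells you which of them explains the 10%. Remove `by host` for the environment-wide totals. Because len(_raw) forces a full scan of eight weeks of events, run this once over a narrow host list first; for a cheaper environment-wide trend, license_usage.log (index=_internal, type=Usage, fields st, h and b) gives daily bytes per sourcetype and host without scanning raw events, with the caveat that hosts are squashed to a placeholder once the per-sourcetype host count exceeds squash_threshold.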
Is there an API available or some other SPL-searchable way to find the index cluster replication factor? I would like to create some dashboards and searches for monitoring our indexers and would like to be able to display the replication factor. I have been using "/services/search/distributed/peers" for some information, but is there an API available that will tell me what the replication factor is? This is going to be "run anywhere", as it will be deployed to at least 5 separate environments, so hard-coding won't suffice.
Hi, Splunkers, I have a multiselect dropdown field in my Splunk dashboard. I want to select 2 options from it. I noticed it's previewed as "value1" "value2", since there is no result returned. I assumed it worked as value1 AND value2, but I expected it to work as value1 OR value2. How do I configure it? Kevin
Hi, I am running the query below; however, I am getting an error saying relation "analytics_hca_change_indicator_event doesn't exist", even if the table doesn't exist in just one of the schemas.

| koogledimen service=TenantPPASQuery action=AdhocQuery targetGroup="keng03-dev01-ins08-wfm19-dbs" app="Unknown_App/ppas_dheeraj_r9int" schema="_ALL_" query="select date(createdtm), count(*) from analytics_hca_change_indicator_event group by createdtm "
| eval envstatus=if(like(scope, "%dev01%"), 1, 0)
| eval wfmstatus=if(like(scope, "%wfm19%"), 1, 0)
| where envstatus=1 and wfmstatus=1
| eval wfm_schemaname = mvindex(split(scope, "-"), -1).schemaname
| eval wfm_schemaname = mvindex(split(scope, "-"), -1)."_".schema_name
| chart sum(count) by date,wfm_schemaname

How do I handle this scenario, please?
Hi, I created a new Correlation Search that needs to generate notables, so in the "Adaptive Response Actions" I added the "Notable" action with all the information. Doing a manual search with the same time span as the correlation search, I get the expected outputs. The problem is that the correlation search doesn't create the same number of notables. For example: in a time range of 4 hours, the correlation search generated 4 notables, whereas the manual search gives me 28 events. Running the search "index=_internal sourcetype=scheduler" in the same time range, I found the 28 events generated by the correlation search, of which 24 have these parameters:

result_count=0 alert_actions="" suppressed=0 status=success

and 4 have these parameters:

result_count=1 alert_actions="notable,risk" suppressed=0 status=success

Why, if I do the manual search (the same as the correlation search) I get 28 results, does the correlation search generate only 4 notables? Thank you
This gives me the following warnings:

PS C:\Program Files> .\SplunkUniversalForwarder\bin\splunk.exe btool --check --debug
Unrecognized argument: --check
PS C:\Program Files> .\SplunkUniversalForwarder\bin\splunk.exe btool check --debug
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\learned\local\props.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\default-mode.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\health.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\limits.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\props.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\server.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\web.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\inputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\introspection_generator_addon\default\server.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\props.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\restmap.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\search\default\transforms.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\props.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_internal_metrics\default\transforms.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\manager-apps\_cluster\default\indexes.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf
Invalid key in stanza [webhook] in C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf, line 229: enable_allowlist (value: false).
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\app.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\audit.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\authentication.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\authorize.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\conf.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\default-mode.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\federated.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\global-banner.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\health.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\limits.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\livetail.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\messages.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\metric_alerts.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\metric_rollups.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\procmon-filters.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\props.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\restmap.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\server.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\source-classifier.conf
No spec file for: C:\Program Files\SplunkUniversalForwarder\etc\system\default\telemetry.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\transforms.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\visualizations.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\web-features.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\web.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\workload_policy.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\workload_pools.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\default\workload_rules.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\authentication.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\migration.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\server.conf
Checking: C:\Program Files\SplunkUniversalForwarder\etc\system\local\user-seed.conf
PS C:\Program Files>

When I try to upgrade the Universal Forwarder installer to splunkforwarder-9.0.1-82c987350fde-x64-release.msi the install process hangs, but finally it went on. I'm looking for a workaround for these warnings on my Windows forwarder.
I have a dashboard that gets its base query from a dropdown option; to run that base query it takes the values from other dropdowns, populates them, and then runs the search. This is a part of the dashboard:

<input type="dropdown" token="tokSearchOption1" searchWhenChanged="true">
  <label>Select Query</label>
  <choice value="Orginal">Original</choice>
  <choice value="Filtered">Filtered</choice>
  <change>
    <condition value="Orginal">
      <set token="tokSearchQuery">index=pos | fields host,_raw | rex field=host "REG(?&lt;store_id&gt;\d{1,4})(?&lt;register_id&gt;\d{1,2})" | search store_id="$store_id$" AND register_id="$register_id$"</set>
    </condition>
  </change>
</input>

where the store_id and register_id values are rendered from other dropdowns. But the first time we hit Submit in the dashboard, the query shows no result; this is because it is not able to render the values from the other dropdowns, i.e. it is not taking the value from the store_id dropdown and the register_id dropdown. This happens only the first time the dashboard is loaded; after that it works fine. How do I fix the issue?
Hi, I am having some trouble merging two searches and I am looking for the best way to do this. We have firewall traffic with NAT that is done on two levels. My goal is to be able to identify the flow with original and NATed IP addresses. I explain:

FW1: src1, dst1, xlatesrc1, xlatedst1
FW2: src2 (=xlatesrc1), dst2 (=xlatedst1), xlatedst2
goal = table: src1, dst1, xlatesrc1, xlatedst1 (=xlatedst2 if it exists, xlatedst1 otherwise)

I have made something like:

search_FW1
| stats count by src1,dst1,xlatesrc1,xlatedst1
| join type=left xlatesrc1 [ search search_FW2 | stats values(xlatedst2) as xlatedst1 by src2 | rename src2 as xlatesrc1 ]
| table src1,dst1,xlatesrc1,xlatedst1

But I have noticed that if src2 does not exist in search_FW1, I lose the event from my main search (search_FW1) :(. I thought that the "left" type of "join" should solve the issue, but it does not... Any idea how to avoid it (and maybe optimize my search, as I have seen that "join" has poor performance)? Thanks
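An added example, not from the thread, that merges the two firewalls' events without join, so FW1 flows with no FW2 match are kept (left-join semantics) and join's subsearch limits (50,000 results and 60 seconds by default, from the [join] stanza of limits.conf) do not apply. The first five lines construct three sample events with makeresults; the field names follow the post's notation, while the addresses, the fw field and the combined key of translated source and destination are assumptions.

```spl
| makeresults count=1
| eval rows="fw1,10.1.1.5,8.8.8.8,203.0.113.10,8.8.8.8;fw1,10.1.1.6,198.51.100.20,203.0.113.11,198.51.100.20;fw2,203.0.113.10,8.8.8.8,203.0.113.10,192.0.2.44"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<fw>[^,]+),(?<src>[^,]*),(?<dst>[^,]*),(?<xlatesrc>[^,]*),(?<xlatedst>[^,]*)$"
| fields - rows
| eval key=if(fw=="fw1", xlatesrc."|".xlatedst, src."|".dst)
| eval xlatedst2=if(fw=="fw2", xlatedst, null())
| eventstats values(xlatedst2) as xlatedst2 by key
| where fw=="fw1"
| eval xlatedst_final=coalesce(xlatedst2, xlatedst)
| rename src as src1, dst as dst1, xlatesrc as xlatesrc1, xlatedst as xlatedst1
| table src1 dst1 xlatesrc1 xlatedst1 xlatedst2 xlatedst_final
```

Both firewalls are searched in one pass and tied together by a key that is the translated source and destination as FW1 sees them and the original source and destination as FW2 sees them. eventstats copies FW2's second-level translation onto every FW1 event with the same key, the FW2 events are then dropped, and coalesce falls back to FW1's own xlatedst when FW2 saw nothing for that flow: in the sample data the first flow picks up 192.0.2.44 from FW2 and the second keeps 198.51.100.20. With real events replace the makeresults lines by `(search_FW1) OR (search_FW2)` and derive fw from sourcetype; if several second-level translations exist for one flow, xlatedst2 becomes multivalue, and at high volume a `stats values(xlatedst2) as xlatedst2 values(src1) ... by key` is cheaper than eventstats because it collapses per key instead of carrying every raw event.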
Hi, is it possible to hide the values of the chart overlay on Dashboard Studio, to simulate a trend line?
Hi all, How do I get two fields ("IP numbers") into a timechart? I tried the aggregate fields, but they show up wrong in my visualisation of src and dst IP.

index=firewall dest_ip=* src=* dest_port=8090 action=blocked
| eval dstsrc=dest_ip." <- ".src
| timechart count by dstsrc

Regards Jan
Hi Team, I am unable to open my Splunk Cloud REST API URLs on my local machine. Do we need to enable something on my local machine? Please find the error below. Thanks, Venkata Krishna
Hello, Is there any App or Add-on for Imperva DAM logs? Currently I'm getting the logs in CEF format. If not, can I use the Imperva Add-on for WAF logs instead? Does it work? If so, what would the required configuration be?