Hi All, I need to create a Use Case that would detect Admin user/s changing their own password. So far I have:

index=XXX EventCode=4724 | where user=src_user AND src_user_category="privileged" AND user_category="privileged"

Not sure how to go about this, as it is not doing the search I want. Any help much appreciated! Thanks all
Hi, I need to filter events in my dashboard from 2 different time pickers. I use a classic time range picker:

<input type="time" token="field1" searchWhenChanged="true">
<label>Période</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>

and a custom time range picker:

<input type="dropdown" token="release" searchWhenChanged="true">
<label>Release</label>
<choice value="26-27 Janvier">26-27 Janvier</choice>
<choice value="16_17 Février">16-17 Février</choice>
<change>
<condition label="26-27 Janvier">
<set token="custom_earliest">1643151600</set>
<set token="custom_latest">1643324400</set>
</condition>
<condition label="16-17 Février">
<set token="custom_earliest">1644966000</set>
<set token="custom_latest">1645138800</set>
</condition>
</change>
<default>26-27 Janvier</default>
<initialValue>26-27 Janvier</initialValue>
</input>

Now I need to link my search with these 2 different time range pickers. I added | search release=$release$ in my search but it doesn't work. How do I do this, please?
We have added the line below in the env_file so that events will be captured and it is easy to identify the sourcetype:

SC4S_DEST_GLOBAL_ALTERNATES=d_hec_debug

In version 1.110.0, we could see all the incoming sourcetypes in it, as below:

$ ls
cisco_asa fortinet_fortios nix_syslog sc4s_events sc4s_fallback vmware_esx zscaler_web

But in version 2.0 up to 2.28.0, we fail to see any sourcetype listed in it with the same configuration as above; the "debug" folder is not created even after restarting the server:

[DEV][archive] $ ls
[DEV][archive] $ pwd
/apps/sc4s/archive

Any hints on what changed between version 1 and version 2 that possibly caused the debug mode to fail? (Events are showing in Splunk.) *We just did an in-place upgrade from version 1 to version 2 on the same working servers. If we move back to version 1, the debug directories show again.
Data looks like src:10.124.4.151] and I want to remove this bracket so the data looks like 10.124.4.151. I have tried sed and regex but am unable to solve it. Kindly help.
Hello Splunk Admins, what solutions do you use to get notified on mobile about internal Splunk issues out of office hours? I mean when, e.g., splunkd goes down on indexers, data is not indexed anymore for any reason, etc. We need something free of charge. There is no other team except us who needs to be notified about the issue. I have heard about the Splunk On-Call solution but it seems to be a bit complex. Does anyone have any experience with it? Hope to get some inspiration. Many greetings, Justyna
Hi Splunkers. I'm trying to integrate Bitdefender GravityZone (Cloud) with Splunk on-premises. I have used the official documentation from the Bitdefender website: https://www.bitdefender.com/business/support/en/77211-171475-splunk.html but I'm stuck at the "Enable the Splunk integration" step. In the beginning, I tried using the "Enable the Splunk integration manually" method. I put everything in place and ran the command in the documentation, but ended up with an error stating that "The web server with this URL must support TLS 1.2, at least", as shown in the screenshot below:

I reviewed the documentation again at this link: https://www.bitdefender.com/business/support/en/77209-135319-setpusheventsettings.html Under the "Important" note: "Event Push Service requires the HTTP collector running on the third-party platforms to support SSL with TLS 1.2 or higher, to send events successfully." But here is the thing: I think that HEC by default only supports TLSv1.2 despite sslVersions=*

$ cat /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
[http]
disabled=1
port=8088
enableSSL=1
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0
# ssl settings are similar to mgmt server
sslVersions=*,-ssl2
allowSslCompression=true
allowSslRenegotiation=true
ackIdleCleanup=true

I have tried to use sslVersions=tls1.2 but nothing happened; it still shows the same issue. Can someone please help me figure out how to solve this TLS issue?

Afterward, I tried to use the "Enable the Splunk integration by running a script" method. Again I put everything in place and ran the script, but ended up with an error stating that:

FAIL - server response: <html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

as shown in the screenshot below. Any idea why this happens? Much thanks.
Hi, we are planning to decommission Splunk Enterprise in our environment. We need to stop sending data to Splunk. How should we proceed, and where should we start? Can we find any SOP for this decommission process? However, we want to store the indexed data for more than 365 days. This is a new task we are handling for the first time; any proper guidance will be much appreciated. Thanks in advance.
"Splunk must be restarted for changes to take effect. Contact Splunk Cloud Support to complete the restart." But I do not have permission to raise a support ticket because we are still in the trial stage. Thanks
Hello Team, we have a Splunk Cloud licensed server. How do I make REST API calls to Splunk Cloud from Postman? The management port is already enabled on Splunk, but I am still getting a timeout error. Pl
Hi all, this is the change condition in 3 inputs:

<change>
<condition label="Any">
<set token="flag_1">0</set>
</condition>
<condition>
<set token="flag_1">1</set>
<set token="showDetails">true</set>
</condition>
</change>
<change>
<condition label="Any">
<set token="flag_2">0</set>
</condition>
<condition>
<set token="flag_2">1</set>
<set token="showDetails">true</set>
</condition>
</change>
<change>
<condition label="Any">
<set token="flag_3">0</set>
</condition>
<condition>
<set token="flag_3">1</set>
<set token="showDetails">true</set>
</condition>
</change>

This is the drilldown for setting the "showDetails" token to "true" to display another table:

<drilldown>
<condition field="RuleID">
<set token="form.ruleID_tok">$click.value2$</set>
<set token="flag_1">1</set>
<set token="showDetails">true</set>
</condition>
<condition field="RuleDescription">
<set token="form.ruleDescription_tok">$click.value2$</set>
<set token="flag_2">1</set>
<set token="showDetails">true</set>
</condition>
<condition field="RuleLevel">
<set token="form.ruleLevel_tok">$click.value2$</set>
<set token="flag_3">1</set>
<set token="showDetails">true</set>
</condition>
</drilldown>

And now I want to unset showDetails when (flag_1, flag_2, flag_3) = 0, to hide the table depending on the showDetails token.
I need to exclude events from a timechart only if they fulfill 2 conditions: the field returns 0 for ALL events in the entire day (24 hours) AND the days are weekends (Saturday & Sunday). I have tried:

| eval date_wkend = strftime(_time,"%A")
| search NOT (date_wkend = "Saturday" AND varA = 0)
| search NOT (date_wkend = "Sunday" AND varA = 0)

However, this also excludes the events from a weekend that has some non-zero results for varA, and since I have to do some further calculations based on a full-day span, my calculations are inaccurate.
I'm a huge fan of the Splunk Docker container. I noticed the 'latest' tag hasn't been updated in a few months and is still Splunk Enterprise 8.2.5, even though Splunk Enterprise 8.2.6 has been released. Then I noticed that even though 'latest' hasn't been updated, the image for Splunk Enterprise 8.2.6 has been added to the Docker images list. See splunk/splunk tags. I'm no Docker expert, so I'm guessing I am just missing some obvious thing. Why is splunk/splunk:latest not pointing to the latest release, splunk/splunk:8.2.6?
MOST VALUABLE TECH TALKS

Splunk Mobile: Empower Organizations on the Go
TECH TALK: Platform Edition
PRACTITIONER LEVEL: Good for All
AUDIENCE: Splunk Administrators, Analysts, NOC, and SOC Managers
Tune in to learn more about Splunk Mobile:
It's really easy to get a mobile device connected to Splunk
Building dashboards and configuring alerts for mobile is simple
Take comfort in knowing that your data is secure
Get in Command of Splunk Resources with Workload Management
TECH TALK: Admin Edition
PRACTITIONER LEVEL: Good for All
AUDIENCE: Splunk Administrators, Analysts
Tune in to learn about:
How to manage workloads at scale
How to prioritize business critical searches
How to prevent poorly written searches from impacting other users or apps
Anomaly Detection with Splunk Machine Learning
TECH TALK: Platform Edition
PRACTITIONER LEVEL: Advanced
AUDIENCE: Splunk Administrators, Analysts
Tune in to:
Learn how to build a model with your Splunk data using machine learning
Understand how Splunk can help detect anomalies in your IT and security data
See a demo of the Smart Outlier Assistant in the Splunk Machine Learning Toolkit
Get access to the latest resources on Machine Learning in Splunk
Empowering Business Users with Pre-structured Data
TECH TALK: Platform Edition
PRACTITIONER LEVEL: Novice
AUDIENCE: Splunk Administrators, IT, Data, Business Analysts
Watch the Tech Talk to learn about:
Indexing and enriching data with known source types and lookups, so that all business information is easily searchable for your users
Building data models to structure your Splunk data, to enable pivot tables for your business users
Exploring, analyzing, and pivoting your Splunk data with no-code features
Awesome Admins: Getting Data In
TECH TALK: Platform Edition
PRACTITIONER LEVEL: Intermediate
AUDIENCE: Splunk Administrators, Analysts
Tune in to learn about:
The ability to gather data from any Linux or Windows hosts.
The best practices to create lossless syslog ingress from practically any number of sources.
How to create TCP data ingress over any port from any custom application or use case.
Using APIs to send or receive data, including data collection over the HTTP Event Collector (HEC).
Best Practices for Maturing Your SOC from Splunk Professional Services
TECH TALK: Security Edition
PRACTITIONER LEVEL: Intermediate
AUDIENCE: Splunk Administrators, Security Analysts, SOC Manager
Part 1: Technology

Best Practices for Maturing Your SOC from Splunk Professional Services
PRACTITIONER LEVEL: Intermediate
AUDIENCE: Splunk Administrators, Security Analysts, SOC Manager
Part 2: People

Best Practices for Maturing Your SOC from Splunk Professional Services
PRACTITIONER LEVEL: Intermediate
AUDIENCE: Splunk Administrators, Security Analysts, SOC Manager
Part 3: Process