Hi, I'm trying to query tables from a Postgres database. All tables there are under Foreign Tables and nothing under Tables. When I use DB Connect it gets the schema name, but it couldn't get the list of tables. How can I access the foreign tables using DB Connect?
I have a lookup of all active credentials from Tenable called tio_credentials.csv. I have a search that lists unique credentials used, like so:

`tenable` `io` earliest=-15d pluginID=19506 | rex field=plugin_output "'(?<domain>.*\\\)?(?P<Credentialed_Checks>.*)'" | stats dc(host-ip) as count by Credentialed_Checks

How do I compare the list of credentials from Splunk events with the lookup in a way that shows all the credentials in the lookup that aren't showing up in events? I'm new to Splunk and trying to see if there are any credentials we can remove from our credentials list.
I have set up SC4S and it has been connected to Splunk Enterprise. I have also forwarded the logs from a FortiGate firewall as syslog via port 514. (I have verified that the Forti logs are this via tcpdump.) From Splunk I can see the SC4S startup events only as sc4s events (source = sc4s, sourcetype = sc4s:events), which are ingested. FortiGate logs are not ingesting. The following are the current configurations. (I have installed the Fortigate app in Splunk and it worked properly when I forwarded FortiGate logs directly to Splunk.)

Created a data input (HEC) from Splunk (tested 2, but neither worked):
1. index=default, source type = default
2. index=netops, source type = fgt_event

/opt/sc4s/env_file
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=http://192.168..3.46:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=4926fe93-4d91-409f-bf23-c6c67c0a880f
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

splunk_metadata.csv
fortinet_fortios_event,index,netops
fortinet_fortios_event,source,fgt_event

How can I fix this issue? I appreciate your support on this. Thank you.
Hello, in the "Splunk Security Advisory for Apache Log4j" I could read that "Unless CVE-2021-45105 or CVE-2021-44832 increase in severity, Splunk will address these vulnerabilities as part of the next regular maintenance release of each affected product. Customers also have the option to remove Log4j Version 2 from Splunk Enterprise out of an abundance of caution." CVE-2021-44832 concerns a vulnerability found in version 2.17. Thus, as far as I understand, the vulnerability of Log4j 2.17 will be solved in the next maintenance release. I am running Splunk Enterprise 8.1.7.2 and the version of Log4j in it is 2.16. This version of Log4j has been deleted. But my management is asking when version 2.17 will be available. I believe in the next maintenance release. So can you please tell me when the next maintenance release will be released for Splunk Enterprise 8.1? Thanks
Hi experts, I would like to check if anyone has tried using certificates for the Microsoft Defender add-on. How / where do I generate the certificates to upload to the Azure app registration? Currently I'm using this add-on from Splunkbase: https://splunkbase.splunk.com/app/4959/#/details I would like to check if there is any version supported by Splunk?
Hi Splunkers! I want many guests to log in with a common guest account to view Splunk Enterprise (Dashboard Studio). Q1: Is there a limit to the number of sessions that can be logged in at the same time with one account? Q2: If there is a limit, what is the maximum? Q3: Where is it set? * You do not have to consider network limitations such as a load balancer. I just want to know the limit number on the Splunk side.
Hi, I wanted to see the results for each service in one line, but I see each hour in a different line, as per the screenshot below. Can you please let me know what changes need to be made to get the results in one line even though we select multiple hours in the time picker while doing the search? My search query:

index=***** | stats list(service_calls) as service_calls list(service_errors) as service_errors list(service_error_rate) as service_error_rate by service

Thanks, SG
Can someone please shed some light on how to move a licence server between sites? The scenario is that a new deployment needs to be able to fail over to a new DC from the original location. Would additional certs and licences be needed? Thanks in advance
Hi everyone, I have created the query below in Splunk to fetch the error messages:

index=abc ns=blazegateway-c2 CASE(ERROR)|rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"|eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")| cluster showcount=t t=0.3|table app_name, Error_Message ,cluster_count,_time, environment, pod_name,ns |dedup Error_Message| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count

I observe that for a particular error message like the one below:

[reactor-http-epoll-4,cd5411f55ef5b309d8c4bc3f558e8af2,269476b43c74118e,01] reactor.core.publisher.Operators - Operator called default onErrorDropped

Count is coming as 42, although there are only 13 events with this error message. I want to know whether this is a problem with cluster_count. How does cluster work in Splunk? Is my query taking cluster_count instead of the actual counts? Can someone guide me on this?
Hello, I use a search with the structure below in order to timechart events from 2 different searches. As you can see, I need to perc90 the events before doing a timechart. My question concerns the timechart: is there a way to timechart the events without using an avg function?

index=toto | search abc <=1000 | stats perc90(abc) as "titi" by _time | append [ search index=toto | search abc >= 1000 | stats perc90(abc) as "tutu" by _time ] | timechart span=1m avg("titi") as "titi", avg("tutu") as "tutu"

Thanks
Sample data:

[A028 : 00] [F037 : 928323177452] [F038 : 456137] [F039 : 0]

The query below is working, but I wanted to merge the extractions; basically I wanted to use rex field=_raw just once. How do I extract multiple fields?

index=au_axs_common_log sourcetype=anz_axs_auth_core_log "[A028" |rex field=_raw "(\[F039\s*:(?.*?)\])"| rex field=_raw "\[A028\s*:(?.*?)\]" |stats count by axrc,vrc
Hi, I just created an app in Splunk Cloud and I'd like to create a new read-only role for it, which contains as few capabilities as possible. I hope users of this role can only read in-app dashboards. Neither editing searches nor changing settings is welcome. Which capabilities should I add to it? Please help, and many thanks!
Hi, I just created an app consisting of a couple of dashboards made in Dashboard Studio. I'm new to Splunk Dashboard Studio, so I wonder how I can edit the view to hide the Splunk Bar on top. Many thanks! P.S. When I say "Splunk Bar" I mean the menu bar shown below. I understand this is called the "Splunk Bar" in classic dashboards. Please correct me if it is not in Dashboard Studio.
I have an Elasticsearch database installed on one server. I am trying to pull data from Elasticsearch into Phantom SOAR. Connectivity between the Elasticsearch app and Phantom is working fine, but I am getting the following error while pulling data from Elasticsearch.

Loaded action execution configuration
Successfully added containers: 0, Successfully added artifacts: 0
1 action failed
Unable to load query json. Error: Expecting value: line 1 column 1 (char 0)

Configuration:
Hi team, I have installed the .NET agent on the Windows server and it shows "waiting for a connection". When I checked the AgentLog it shows the error below; please help with how to fix this issue.

2022-03-15 09:55:34.1093 29580 AppDynamics.Coordinator 1 28 Warn MachineAgentManager Metrics Error sending metric data to controller:System.Net.WebException: The remote name could not be resolved: '[Redacted].saas.appdynamics.com'    at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)

^ Post edited by @Ryan.Paredez to redact Controller name. Please do not share your Controller name or URL for security and privacy purposes.
++EXT-ID[05] FLD[Wallet Provider Device..] FRMT[TLV] LL[1] LEN[32] DATA[4AD74D9421FE60B5688EF727F1BC7488]
++EXT-ID[06] FLD[Wallet Provider Accoun..] FRMT[TLV] LL[1] LEN[32] DATA[4AD74D9421FE60B5688EF727F1BC7488]
++EXT-ID[07] FLD[Wallet Provider Reason..] FRMT[TLV] LL[1] LEN[32] DATA[30DA9557329255041D0B5FC268651435]

I wanted to identify the events where FLD[Wallet Provider Device..] and FLD[Wallet Provider Accoun..] are present but FLD[Wallet Provider Reason..] is missing. In the example above all three fields are present. I want to identify events where field 1 and field 2 were received but field 3 is missing.
Hi, I would like to display a trend indicator between these 2 different relative time ranges. Is it possible?

index=toto sourcetype=tutu earliest=-8d@d+7h latest=-8d@d+19h OR earliest=@d+7h latest=@d+19h | timechart count as "erreurs" span=1d

Thanks
Hello all, thank you for taking the time to consider my question. I'm mainly seeking to find out if it's possible to better enrich the data that is obtained from Windows hosts running Splunk UF v8.2.5, namely the [WinEventLog:Security] and [WinNetMon] capabilities. Currently we monitor for all new process runs, as well as collect logs for unfamiliar IPv4 addresses reached out to, by creating an inputs.conf blacklist for internal IPv4s and common websites. I'm curious if we can further enrich this data by using PowerShell scripts to look up these IPv4s according to that host's DNS resolution (not retroactively resolving them at the point of analysis, which can lead to different results if the endpoint's DNS cache was compromised). Additionally, I'm wondering if it's possible to use something like a PowerShell script to retrieve the SHA256 file hash of new processes run, together with the parsed log. It could be that what I need to do is just run Sysmon and monitor that, and I'm very much for that, but I've heard from more veteran employees at the company I'm currently at that Sysmon killed performance and isn't feasible on endpoints. I'm very much a rookie and wasn't in a position to argue otherwise, but as far as I know Sysmon has a rather light footprint in comparison to its robust capabilities. Any advice on these topics is greatly appreciated, and will be rewarded with karma!
I am trying to fetch weekly counts of successful, failed and warning events. I want 5 days of data to be shown day-wise on a line chart. I am using the query below. I need a modification to show it on a line chart that represents the date and the count of successful, failed and warning events.

Query: index=outputsolutions host=*dxr22* Error | bin _time span=1d | stats count as dailycount by _time
Hi, I'm unable to compare the result string, which contains a version (decimal value). When I use an "if" condition it is not comparing. In the above, the required output should be compliant... please help me with this. Thanks.