Looking at an existing alert trigger, I notice the description field includes variables of some sort. e.g. $result.User$ $result.Message$ Where can I find more information about these variables? What other variables are available to include in the alert description? Thanks Steve

I have a server where logs are generated on daily basis in this format- /ABC/DEF/XYZ/xyz17012022.zip      /ABC/DEF/XYZ/xyz16012022.zip            /ABC/DEF/XYZ/xyz15012022.zip OR  /ABC/DEF/RST/rst17012022.gz      /ABC/DEF/RST/rst16012022.gz               /ABC/DEF/RST/rst15012022.gz   I am getting this error , every time when i am indexing the .gz, .tar or .zip  file - "updated less than 10000ms ago, will not read it until it stops changing ; has stopped changing , will read it now." This problem was earlier addressed in this post,  https://community.splunk.com/t5/Developing-for-Splunk-Enterprise/gz-file-not-getting-indexed-in-splunk/td-p/313840 As suggested I have used " crcSalt = <SOURCE> " but I am still facing similar errors.   inputs.conf:  [monitor:///ABC/DEF/XYZ/xyz*.zip] index= log_critical disabled = false sourcetype= Critical_XYZ ignoreOlderThan = 2d crcSalt = <SOURCE>  

Hi Everyone.  I'm expanding my blacklist and i'm having issues with a seemingly simple blacklist line. Here is my current blacklist: blacklist1 = EventCode="4688" Message="%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited" blacklist2 = EventCode="4673|4674|5447|4656|4658|4664|4690|5379|4627" blacklist3 = EventCode="4663|4660|4702|4762|4672|4799|4798|4670" Message="Security\sID:\s+NT\sAUTHORITY\SSYSTEM" blacklist4 = Eventcode="4624" Message="Logon\sType:\s\t5"   So everything seems to work as expected for #1-3.   But when adding blacklist4, the forwarder doesn't seem to filter the event.  Searching in Splunk with the exact same regex is pulling up all the events I want to filter.  And the syntax seems to be exactly like blacklist3 that is working as intended.  Does anyone have any suggestions? Thanks

Dear Team,   Greetings!!   I need your help and guidance on the following issue , i keep getting this error in the notifications message:   Search peer Splunk-idx4 has the following message: The minimum dree disk space (5000MB) reached for opt/splunk/var/run/splunk/dispatch. Problem replicating config (bundle) to search peer '10.10.5.106:8089' , HTTP response code 500 (HTTP/1.1 500 Error writing to /opt/splunk/var/run/searchpeers/Splunksh01-1642302054.bundle.53d7c4e2bfaedd1d.tmp: NO space left on device). Error writing to /opt/splunk/var/run/searchpeers/Splunksh01-1642302054.bundle.fbc779696ccbf76a.tmp: No space left on the device (unknown write error) Even on the search and reporting when i run a query, it gives this error,  2 error occurred while the search was executing. Therefore, search results might be incomplete. Hide errors . [Splunk id-03] Failed to read size=3307 event(s) from raw data in bucket='nsoc_fw_ahnlab~703~B239BEEE-90FA-43C8-ADDA-620D3FACAB66' path ='/opt/splunk_data/indexes/nsoc_fw_ahnlab/db/hot_v1_703. Rawdata may be corrupt, see seach log. Results may be incomplete! . [Splunk id-03] Failed to read size=5030 event(s) from raw data in bucket='nsoc_fw_ahnlab~703~B239BEEE-90FA-43C8-ADDA-620D3FACAB66' path ='/opt/splunk_data/indexes/nsoc_fw_ahnlab/db/hot_v1_703. Rawdata may be corrupt, see seach log. Results may be incomplete!   Kindly help me and guide me on how to fix the above issue.   Thank you in advance!

Hi I'm trying to count the number of times of a specific values "not match" exist in a multi-value field, search for events where this value appears more then once. add an example name Check ID aaa-1 bbb-2 ccc-3 not match match match 6564 ddd-1 eee-2 fff-3 not match match not match 7875   because in the lower row the value "not match" exist more then 1 time (>1). I don't found a suitable command. would appreciate  help:)

Hello Everyone I have a problem with receiving IPFIX flow From NSX-T 3.1. this is a summary of what I do: I checked Firewall things and it doesn't have any problem because I can see IPFIX flow with Wireshark on the Splunk server. I use Splunk_TA_stream and splunk_app_stream 8.0.1 and I can Get IPFix flow with IPFIX Generator( flowalyzer). I change the Splunk Stream configuration for those IPFIX fields that NSX-T sends. because some of IPFIX is not Standard.   I changed the Splunk Stream configuration based on these Link according to this Link: https://emc.extremenetworks.com/content/oneview/docs/analytics/docs/pur_splunk.htm?Highlight=Splunk https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/nsxt_30_admin.pdf Does anybody have experience in Receiving IPFIX flow from NSX-T?

Hello Everyone I have a problem with receiving IPFIX flow From NSX-T 3.1. this is a summary of what I do: I checked Firewall things and it doesn't have any problem because I can see IPFIX flow with Wireshark on the Splunk server. I use Splunk_TA_stream and splunk_app_stream 8.0.1 and I can Get IPFix flow with IPFIX Generator( flowalyzer). I change the Splunk Stream configuration for those IPFIX fields that NSX-T sends. because some of IPFIX is not Standard.   I changed the Splunk Stream configuration based on these Link according to this Link: https://emc.extremenetworks.com/content/oneview/docs/analytics/docs/pur_splunk.htm?Highlight=Splunk https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/nsxt_30_admin.pdf Does anybody have experience in Receiving IPFIX flow from NSX-T?

Hi Spelunker's!. I'm receiving this message from Splunk  "Received event for unconfigured/disabled/deleted index=threathunting with source="source::[T1015] Accessibility Features" host="host::hdc-sec01-siem001" sourcetype="sourcetype::stash". So far received events from 1 missing index(es)" Kindly advice.  Thank you.

We use Palo Alto, Barracuda, and McAfee WGs. All perform some form of Web Filtering / Blocking, which I'm now being asked to produce a report on,  Top 50 blocked categories. The SPL looks something like  Index IN (Palo, Barra, MCWG) vendor_action="Blocked-URL"  earliest=-8d@d latest=-1d@d | top limit=50 category | stats count by category. The problem is - I need to filter out links to a site (for instance type Betfred into google and I get two blocks although the human never actually went to Betfred.  I've also got the dilemma of multiple images being called from a web page each being blocked. So - how do you interpret weblogs to only be unique calls by a human being to a website, rather than google lookups or multiple returns whilst visiting another site.  I've tried using dedup against user and URL, but that removes repeat attempts throughout the week along with all the image download requests, it's not very accurate or scientific. There has to be a way to work out that the web request is a link click or a URL entry rather than a page lookup, but I'm at a loss.