Hi, Is anyone syncing detection content (searches) on SIEM Rules (https://www.siemrules.com/) to their Splunk instance? I'm looking at using their API to build an integration (https://docs.siemrules.com/developers/api-intro), but wondering if anything already existed? No apps on Splunkbase.

This code import splunklib.client as client host = "127.0.0.1" port = "8000" username = "---" password = "----" service = client.connect(username=username,password=password,host=host,port=port,scheme = https) for app in service.apps: print(app.name) produces  SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1125)  

Hi All, I am completely newbie into this splunk I wanted to know how to create reports in splunk that will provide daily log sources  Reporting and events count in a perticular time frame or last 24 hours please help me here thank you for your support   

Hi everyone, I have an error on my splunk with the below description: "The lookup table '*' does not exist or is not available." The lookup name is not mentioned, and the only thing I have is the '*'. Can you please help me with ways to troubleshoot this, so I will be able to know the name of the lookup and try to figure out where it is used?  I have looked both in the _internal and the _audit indexes but couldn't find much. Thanks 

I have a CSV file placed in a UF and the CSV data is as follows '"Name" "userid" "use location" "userdesignation"' Raj raj-123 Argentina Consultant  Now  I have written props and transforms as below but still the header is being ingested    Props: [Sourcetype] Should_linemerge=false  Line_Breaker=([\r\n]+) NO_BINARY_CHECK=true  CHARSET= UTF-8  INDEXED_EXTRACTIONS=CSV  category=structured  description=Comma-separated value format. Set header and other settings in "Delimited Settings" disabled=false TRUNCATE=99999 DATETIME_CONFIG=CURRENT KV_MODE=none  HEADER_FIELD_LINE_NUMBER=1  TRANSFORMS-set=setnull      Transforms.conf  [setnull] REGEX=(^"NAME".*$) |(^\'\"NAME\".$) DEST_KEY=queue  FORMAT=nullQueue  Please let me know what changes has to be made so that header is not being ingested                                     

Dear Splunk team   I hope everything is well with you   I am writing this post to inform you that I tried to sign up at Splunk [hosam.shafik@lxt.ai ], to download Splunk SOAR community edition, but I did not receive any download link or verification email, although I registered 3 days ago   Can you please assist me with this problem?

I'm getting a bit confused about onboarding "csv" files. The files are _mostly_ csv - they have a header with field names, they have comma-delimited fields, but they also have a kind of a footer consisting of a line full of dashes followed by a line with "Total: number" in it. With "normal" input I'd just set a normal props/transform on HF which would route those lines into nullqueue and be done with it. I'm not sure though how it works with indexed extractions after reading https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/Extractfieldsfromfileswithstructureddata#Caveats_to_extracting_fields_from_structured_data_files Can I simply do transforms for my sourcetype just as with any other sourcetype? And the other question is - the props.conf that I generated from my stand-alone instance that seems to parse the file properly looks like this: [ mycsv ] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true CHARSET=UTF-8 INDEXED_EXTRACTIONS=csv KV_MODE=none category=Structured disabled=false pulldown_type=true TIME_FORMAT=%s TIMESTAMP_FIELDS=Time HEADER_FIELD_LINE_NUMBER=1  But in the production environment the file will be read by UF, then the data will be sent to HF and then to the indexers. Do I put all those settings into props.conf on UF or HF? Or do I split them between those two? I must admit that this whole indexed extraction thing is tricky and IMHO not described well enough.

  Stage(Field name) Capa Capa_india north_Capa checkcapaend NET net_east southNETregion showmeNET us_net   From the field Stage, if the value contains capa 0r Capa I need to color the bar chart as Blue. Otherwise need to show the bar chart color as Orange.   Thanks in advance.

Hi, We are using Splunk Cloud.   We have installed symantec endpoint protection version 14.3 RU3 build 5413. We are not using symanted endpoint protection manager. We are using symantec cloud hybrid to manage all SEP clients. Can you please help how can I send symantec endpoint protection client logs from all windows servers to splunk cloud ?  How can I configure data inputs for the same. Sorry I am new to splunk and cannot find any document for symantec endpoint protection to splunk cloud. 

Hello everyone, I'm trying to config SSL to indexer cluster's replication port. I have followed this link to create my SSL cert. https://community.splunk.com/t5/Security/How-do-I-set-up-SSL-forwarding-with-new-self-signed-certificates/td-p/57046 But it wasn't working when I config on my 2 indexers. I'm using Splunk 8.2.4 version and my configuration in file server.conf of indexer 01 same like as: [general] serverName = indexer01 pass4SymmKey = $7$HQ2TzhHg23gLrg+/+ScnhxM9sWIunYIUH07h6YVnt48KdK+zxDO75w== [sslConfig] sslPassword = $7$ok1uDkFNGR57BNpNpzjg7wMPWc6uAng9lvIQPj3YX5MZwhccbVOZWw== [replication_port-ssl://8080] acceptFrom = IP's indexer02 rootCA = /opt/splunk/etc/certs/cacert.pem serverCert = /opt/splunk/etc/certs/indexer.pem sslPassword = P@ssw0rd sslCommonNameToCheck = indexer requireClientCert = true So I would like to ask our community to the correct configuration when I want to enable SSL to Replication Port between Indexers Server ? Please help me  Thanks for your concerns !

Hi everyone,  I would like to retrieve all the column names and the field values for each row and put them in an alert, without manually doing it.    Could you let me know if it is possible to iterate through each column name in splunk? My desired output looks like this:  ① [This is for Row labeled ①] journal.status_id.old_value: 90 journal.status_id.new_value: 95 ②[This is for Row labeled ②] journal.assigned_to_id.old_value: 113 journal.assigned_to_id.new_value: 99 ③[This is for Row labeled ③] journal.status_id.old_value: 73 journal.status_id.new_value: 90 journal.assigned_to_id.old_value: null journal.assigned_to_id.new_value: 113 It is possible for other columns to be present so I would like to do it via a loop. 

I was trying to get DaemonSet up and running got below errors while getting pods ready [error]: #0 unexpected error error_class=Errno::EACCES error="Permission denied @ rb_sysopen - /var/log/splunk-fluentd-kube-audit.pos" 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/plugin/in_tail.rb:241:in `initialize' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/plugin/in_tail.rb:241:in `open' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/plugin/in_tail.rb:241:in `start' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/root_agent.rb:203:in `block in start' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/root_agent.rb:192:in `block (2 levels) in lifecycle' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/root_agent.rb:191:in `each' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/root_agent.rb:191:in `block in lifecycle' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/root_agent.rb:178:in `each' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/root_agent.rb:178:in `lifecycle' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/root_agent.rb:202:in `start' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/engine.rb:248:in `start' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/engine.rb:147:in `run' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/supervisor.rb:717:in `block in run_worker' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/supervisor.rb:968:in `main_process' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/supervisor.rb:708:in `run_worker' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/lib/fluent/command/fluentd.rb:372:in `<top (required)>' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/bin/fluentd:15:in `require' 0 [error]: #0 /usr/share/gems/gems/fluentd-1.14.2/bin/fluentd:15:in `<top (required)>' 0 [error]: #0 /usr/bin/fluentd:23:in `load' 0 [error]: #0 /usr/bin/fluentd:23:in `<main>' [error]: #0 unexpected error error_class=Errno::EACCES error="Permission denied @ rb_sysopen - /var/log/splunk-fluentd-kube-audit.pos" 0 [error]: #0 suppressed same stacktrace