Can someone please help me with the below Query  1. Account lockouts(4740) and then go back in time one hour to find login failures(4625) for the blocked user. 2. Login failure(4625) and then go back in time 2 hour to find account lockout(4740) for the same failed login user.   SOURCE LOG BELOW : 4740 EVENT <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4740</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:40:45.252885800Z'/><EventRecordID>774430877</EventRecordID><Correlation/><Execution ProcessID='568' ThreadID='1856'/><Channel>Security</Channel><Computer>TESTDC1.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>HOSTNAME123</Data><Data Name='TargetSid'>S-1-5-21-2467427501-1309223053-903455979-12974</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>TESTDC1$</Data><Data Name='SubjectDomainName'>TESTDOMAIN123</Data><Data Name='SubjectLogonId'>0x3e7</Data></EventData></Event> 4625 EVENT <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2021-11-18T12:44:43.074155100Z'/><EventRecordID>74779349</EventRecordID><Correlation ActivityID='{6527FA3B-D06B-4A13-A997-3F44717DF05B}'/><Execution ProcessID='716' ThreadID='1712'/><Channel>Security</Channel><Computer>TESTHOST123.TESTDOMAIN123.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>TESTUSER123</Data><Data Name='TargetDomainName'>.</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TESTHOST123</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.19.19.19</Data><Data Name='IpPort'>53972</Data></EventData></Event>

Hi  In our organisation we are in the process of implementing Splunk and there are some domains which do not have access to internet. For these domains can we use proxy server? It seems that preferred way is to use heavy forwarder but I am curious to know if proxy server can be used. What are the advantages/disadvantages of using proxy server? Thank you

Hi Everyone I've been tasked with looking into using ITSI for my company.  Very new to Splunk so I appreciate it's a big ask. Doing as much of the online training as is humanly possible atm. We had a workshop last week with the new new observability model, lovely stuff. My question around ITSI revolves around it's need to use the following app. https://docs.splunk.com/Documentation/InfraApp/2.2.4/Install/About The blurb there states it's going EOL 22/08/22 Have I read this all wrong, and ITSI doesn't need the Splunk app for Infrastructure? I'm just conscious that I may be assessing something that is about to go EOL, and I should concentrate on the new obvservability stuff(signalFX) Any help or advice, greatly appreciated.

How to import (*) wildcard or root certificate into the controller and to which keysore to use keystore.jks or cacert.jks.  I want to secure the controller which is running on http on port 8090 and want to secure this conroller and i have * certificate with me please any one can share with me the steps and after importing the * certificate will the controller will be secure to https. please

I'm trying to put a host in a host field before indexing the csv file below. 【CSV file】 #ServerName001 #JobName,Start time,End time,Elapsed time,Status JobName_01,11/05/21 19:08:07,11/05/21 19:08:41,00:00:34,Succeeded JobName_02,11/05/21 20:49:53,11/05/21 21:19:06,00:29:13,Succeeded JobName_03,11/05/21 21:53:10,11/05/21 21:53:15,00:00:05,Succeeded I set TRANSFORMS in props.conf with changeHost and set the contents of changeHost in transfoms.conf as follows. 【changeHost】 [changeHost] SOURCE_KEY = _raw REGEX = \#(\S+)\s\#: DEST_KEY = MetaData:Host FORMAT = host::$1 I want to set host field as ServerName001, but it doesn't work. Can anyone give me some advice?

Hi Team, I want to automate my AD auditing process with splunk. Currently I have a powershell script and a free tool Pingcastle, which I uses for the process.   Is there any way I can integrate both with Splunk? Thanks Shivi

Hello Splunkers,  I'm working on Splunk dashboard and I got one problem. but I don't know it is problem or advice xD.  My point is need to add an action button to our statistic table and link to alert sounds like a beep or something. when alerts are triggered the will sound play, and when I clicked the action button disables the beeping sound.  How can I solve this any ref or advice?

there is raw data :  [{}]  parameters="[{"Name":"request","Type":"WithdrawalRequestedRequest","Value":{"BrandName":"Bumer","TransactionReference":"111403471","CustomerId":"00e9bc22-96ac-412f-90aa-a240dc03daf9","PaymentDetails":{"Created":"2021-11-18T06:56:54.377Z","Changed":"2021-11-18T06:56:54.393Z","Amount":25.0000,"Fee":0.2500,"CurrencyCode":"GEL","BaseAmount":7.0200,"BaseFee":0.0700,"BaseCurrencyCode":"EUR","PaymentMethodName":"BOG","PublicPaymentId":"t8185jta7fEBBOG","PaymentReference":"bf28bf9e-5caa-4faa-ba4f-c1422080f83e","ExternalData":null,"AdditionalParameters":null}}]"    are we able to pick up everything between an open  [{ and  a close }] the main Fields which I need mostly are: Amount , Base Amount  are you able to help me Please

I have been trying to integrate Splunk with OCI for data collection and the Add-On provided is not working. Error: Private key provided is incorrect or passphrase is not correct.   Does anyone have documentation reference for building Custom Add-On for troubleshooting the existing Add-On?

Dear Friends I have installed a universal forwarder on Free_PBX to forward call queue logs to Splunk enterprise, everything works probably. I  monitored the folder of logs which is located on  /var/log/asterisk  I can monitor all log files while they are updating events daily but PBX generates a new log file every day these newly generated logs I can't find on Splunk enterprise. unless I restart universal forwarder then new log files appears on the data summary ! note: FREE_PBX is a Linux CentOS Based VOIP Server Logs on Splunk   Logs on server  

i am not able differentiate which sourcetype the Name belongs too after outer join.This is needed becoz when the Name is available in a sourcetype the other sourcetypes Agent should be changed as "Not in Scope" based on the sourcetype with which the Name belongs too. my query is like , index=A sourcetype=Compare| fillnull value="" | join type=outer ITAM_sysid [ search index=A sourcetype=Fire| fillnull value=""] | fillnull value="" | stats values(*) as * values(sourcetype) as sourcetype by Name | eval Status=if(Fire_Agent_Version = "" AND Compare_Agent_Version = "","Not Covered","Covered") | eval Compare_Agent_Version=if(Status="Not Covered","Not installed",Compare_Agent_Version) | eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Agent_Version) | eval Fire_Agent_Version=if(Status="Not Covered" AND Compare_Agent_Version="Not installed","Not in Scope",Fire_Agent_Version) | table sourcetype Name, Fire_Agent_Version, Compare_Agent_Version, Status