Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello all, when I specify multiple sourcetypes explicitly, I am getting some extra data in my CIM mapping charts; however, for the corresponding query I am getting the expected data only. For the default single sourcetype the data was coming fine. So if anyone has a suggestion, it will be helpful.
Hi all, we use Splunk and the Splunk Forwarder for our project. Splunk is installed on EC2 and the Forwarder is part of our installation package, so when clients install our app, it is installed together with the Splunk Forwarder. Our question is: how can we protect the Splunk Forwarder from being uninstalled by the user in this case? For our app we use an uninstall password; a user needs to enter the password to remove it. Or maybe there is some way to tell the user that this Splunk Forwarder is part of our app when they try to remove it? Or maybe in our situation we need to use another way of forwarding logs to Splunk (without the Splunk Forwarder)?
I've been experimenting with the ML Toolkit and having some weird issues. I can get nice predictions by training on the data, but when trying to visualize and show the data in a table I get some issues. The data and the prediction don't seem to align by time, even though the time field is the same.
We are using Rapid7 as our vulnerability scanner and it is detecting a vulnerability in cipher negotiation. It says Splunk is negotiating the ciphers below:

PORT     STATE SERVICE  VERSION
8443/tcp open  ssl/http Splunkd httpd
|_http-server-header: Splunkd
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

As per the Rapid7 solution, the suites below should not be negotiated:

TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

How can we resolve this issue?
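As an added example (not from the post and not Splunk's code), the script below reads the nmap ssl-enum-ciphers listing above, drops every suite that uses static RSA key exchange (the TLS_RSA_WITH_* entries Rapid7 flags; they provide no forward secrecy), and converts what is left into the OpenSSL naming that Splunk's cipherSuite setting takes. That setting lives under [sslConfig] in server.conf for splunkd and under [settings] in web.conf for Splunk Web, next to sslVersions = tls1.2; splunkd has to be restarted afterwards, and the scan re-run to confirm. NMAP_OUTPUT is constructed from the scan quoted in the post; the aead_only switch, which also removes the CBC suites, is an assumed local policy choice rather than anything Rapid7 asked for.

```python
"""Derive a forward-secrecy-only cipher list from an nmap ssl-enum-ciphers
scan, in the OpenSSL naming that Splunk's cipherSuite setting expects.
Added example, not Splunk's or the poster's code."""
import re

# Constructed sample: the TLSv1.2 section of the scan quoted in the post.
NMAP_OUTPUT = """\
| TLSv1.2:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|   compressors:
|     NULL
"""

# One nmap cipher line: "|     <IANA name> (<key info>) - <grade>"
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$", re.M)


def parse_ciphers(text):
    """Return (iana_name, key_info, grade) for every cipher line in the scan."""
    return CIPHER_LINE.findall(text)


def has_forward_secrecy(name):
    """Static RSA key exchange (TLS_RSA_WITH_...) has no forward secrecy; (EC)DHE does."""
    return name.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def is_aead(name):
    """GCM suites are AEAD; the CBC ones are what an aead_only policy drops."""
    return "_GCM_" in name


def iana_to_openssl(name):
    """Map an IANA suite name to the OpenSSL name Splunk's cipherSuite uses.
    Only the (EC)DHE + RSA/ECDSA + AES family is handled; anything else raises."""
    m = re.match(r"^TLS_((?:EC)?DHE)_(RSA|ECDSA)_WITH_AES_(128|256)_(CBC|GCM)_(SHA\d*)$", name)
    if not m:
        raise ValueError(f"no OpenSSL mapping for {name}")
    kex, auth, bits, mode, mac = m.groups()
    parts = [kex, auth, f"AES{bits}"]
    if mode == "GCM":
        parts.append("GCM")  # OpenSSL keeps GCM in the name but omits CBC
    parts.append(mac)
    return "-".join(parts)


def split_suites(text, aead_only=False):
    """Return (keep, drop): OpenSSL names to allow, IANA names to reject."""
    keep, drop = [], []
    for name, _key, _grade in parse_ciphers(text):
        if not has_forward_secrecy(name) or (aead_only and not is_aead(name)):
            drop.append(name)
        else:
            keep.append(iana_to_openssl(name))
    return keep, drop


def cipher_suite_setting(text, aead_only=False):
    """Value for cipherSuite: the explicit allow-list, then OpenSSL negations that
    keep static-RSA and known-weak suites out even if a future build adds them."""
    keep, _ = split_suites(text, aead_only)
    return ":".join(keep + ["!kRSA", "!aNULL", "!eNULL", "!MD5", "!RC4", "!3DES"])


if __name__ == "__main__":
    keep, drop = split_suites(NMAP_OUTPUT)
    print("rejected (no forward secrecy):", *drop, sep="\n  ")
    print("\n[sslConfig]  # server.conf; the same value goes under [settings] in web.conf")
    print("sslVersions = tls1.2")
    print("cipherSuite =", cipher_suite_setting(NMAP_OUTPUT))
```

The allow-list is deliberately explicit rather than a bare "!kRSA": an enumerated list is what the next scan can be checked against line by line, and the trailing negations only guard against suites that a later OpenSSL build in Splunk might enable by default. Nmap's "cipher preference: client" line is a separate finding; it means the server lets the client choose, so the order of this list matters less than what it omits.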
Sorry, I have a newbie question. I want to add a deployment client to an existing server class that has apps which are triggered to restart Splunk after the install. I am OK with restarting the newly added client, but was wondering whether that will also restart all of the other existing clients? There are no changes to the apps for the existing clients.
I am using the Splunk Add-on for Microsoft Cloud Services to pull data from an Azure Event Hub. What I would like to know is whether there are any known limitations that anyone has run into:

* How many events can be pulled when the API call is made? The default is 300 per API connection.
* Whether there are any limits on how often it can be pulled? The default is 300 seconds, but can you, say, pull every 15 seconds or 30 seconds, etc.?
* Whether there is a limit on how many events can be pulled based on how often it is pulled? Can I pull 3000 events every 10 seconds, or is there a hard limit?
Hello Splunkers, what are the recommended Splunk versions to upgrade to for the Enterprise versions below? 7.0.0, 7.3.0, 7.1.2. Thanks, Suresh
I am trying to implement a simple Splunk system on my local computer to learn a bit about how you set up forwarders and get data into Splunk. I am running Splunk Enterprise on a CentOS 8 virtual machine, and I've installed a Universal Forwarder on the system that is running the virtual machine. I've set up Splunk to receive data over port 9997, and have ensured that port 9997 is open and listening in CentOS. On my main system I installed the Universal Forwarder and directed it to 192.168.0.21:9997 (my client is accessed at 192.168.0.21:8000).

outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.0.21:9997

[tcpout-server://192.168.0.21:9997]

I am not using a deployment server. I'm using Bitdefender on my laptop and have made sure there's a rule in the firewall to allow traffic to 192.168.0.21:9997. I've also reset the UF, Splunk Enterprise, and the VM running Splunk Enterprise. When I go to Add Data > Forward, it still says "There are currently no forwarders configured as deployment clients to this instance." I'm sure I'm just missing something in the setup steps, but I cannot figure out what it is.

Here are the main repeating messages from splunkd.log:

08-26-2021 16:21:40.575 -0800 INFO AutoLoadBalancedConnectionStrategy [12416 TcpOutEloop] - Found currently active indexer. Connected to idx=192.168.0.21:9997, reuse=1.
08-26-2021 16:21:40.991 -0800 ERROR ExecProcessor [5456 ExecProcessor] - message from "D:\Cybersecurity\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - GetLocalDN: Failed to get object 'LDAP://rootDSE': err='0x8007054b' - 'The specified domain either does not exist or could not be contacted.'
08-26-2021 16:21:40.991 -0800 ERROR ExecProcessor [5456 ExecProcessor] - message from "D:\Cybersecurity\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - getBasePath: Unable to query local DN, restart and specify base path to monitor
08-26-2021 16:21:40.991 -0800 ERROR ExecProcessor [5456 ExecProcessor] - message from "D:\Cybersecurity\SplunkUniversalForwarder\bin\splunk-admon.exe" splunk-admon - SplunkADMon::configure: Failed to configure AD Monitor
Hello, I have a requirement where I need to extract part of the JSON from a Splunk log and assign that field to spath for further results. My regex is working in regex101 but not in Splunk. Below is the log snippet; I am looking to grab the JSON starting from {"unique_appcodes" to the end of the line. I have shown the expected output at the bottom of the post.

cwmessage: 2021-08-26 17:14:10 araeapp INFO MRC: Unique AppCodes Report requested. 2021-08-26 17:14:10 araeapp INFO MRC_ARAE_I_042: (local) requesting uniq_appcodes report for KKA 2021-08-26 17:14:10 araeapp INFO {"unique_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, {"count": 2, "app_code": "QQQ", "group": "TSR05441", "instance": "KKA"}, {"count": 1, "app_code": "QQQ", "group": "", "instance": "KKA"}, {"count": 192, "app_code": "PPP", "group": "TSR05560", "instance": "KKA"}, {"count": 12, "app_code": "PPP", "group": "", "instance": "KKA"}, {"count": 12, "app_code": "GM9", "group": "TSR06083", "instance": "KKA"}, {"count": 139, "app_code": "ZZZ", "group": "TSR06103", "instance": "KKA"}, {"count": 6, "app_code": "GNA", "group": "TSR06085", "instance": "KKA"}, {"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}, {"count": 3, "app_code": "SSS", "group": "", "instance": "KKA"}]}

Rex used:

| rex field=_raw (?msi)(?<json_field>\{\"unique_appcodes\".+\}$)

This works perfectly in regex101.com, which extracts the required part below, but when I use it in Splunk it gives no results. I'm thinking it's the spaces between the JSON attributes. Please let me know your thoughts.

Expected output:

{"unique_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, {"count": 2, "app_code": "QQQ", "group": "TSR05441", "instance": "KKA"}, {"count": 1, "app_code": "QQQ", "group": "", "instance": "KKA"}, {"count": 192, "app_code": "PPP", "group": "TSR05560", "instance": "KKA"}, {"count": 12, "app_code": "PPP", "group": "", "instance": "KKA"}, {"count": 12, "app_code": "GM9", "group": "TSR06083", "instance": "KKA"}, {"count": 139, "app_code": "ZZZ", "group": "TSR06103", "instance": "KKA"}, {"count": 6, "app_code": "GNA", "group": "TSR06085", "instance": "KKA"}, {"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}, {"count": 3, "app_code": "SSS", "group": "", "instance": "KKA"}]}
Hi, I've previously used IMDSv1 on my EC2 instances to provide role credentials that allow my EC2 Splunk instance to reach across accounts to grab files. I'm interested to find out whether Splunk supports IMDSv2 for credentials? I haven't been able to find anything (nor get this to work). Thanks!
How do I look for a report by name in Splunk Enterprise / ES, please? I have run out of tricks I know. Please advise.
I have a healthcare client that is using Epic. I want to understand whether Splunk has any recommendations or best-practice documents for how logs/alerts from Epic should be monitored. I'd like to understand whether any rules exist and what the best way is to get logs from Epic into Splunk. Thanks.
Per this, the app is end of life in 2 months: https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/TroubleshoottheSplunkAppforWindowsInfrastructure Is there a migration path to the "content pack in Data Integrations"?
I'm trying to extract fields out of the WinEventLog IIS logs. My regex works in regex101 perfectly. Also, I can do something very similar with the rex command, so I feel like the regex should be OK. Here is the regex:

Message=.*s-sitename\s(?<s_sitename>\w+)\ss-computername\s(?<s_computername>\w+)\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-)\scs-method\s(?<cs_method>\w+)\scs-uri-stem\s(?<cs_uri_stem>.*)\scs-uri-query\s(?<cs_uri_query>.*)\ss-port\s(?<s_port>.*)\scs-username\s(?<cs_username>.*)\sc-ip\s(?<c_ip>.*)\scs-version\s(?<cs_version>.*)\scs\(User-Agent\)\s(?<cs_User_Agent>.*)\scs\(Cookie\)\s(?<cs_Cookie>.*)\scs\(Referer\)\s(?<cs_Referer>.*)\scs-host\s(?<cs_host>.*)\ssc-status\s(?<sc_status>.*)\ssc-substatus\s(?<sc_substatus>.*)\ssc-win32-status\s(?<sc_win32_status>.*)\ssc-bytes\s(?<sc_bytes>.*)\scs-bytes\s(?<cs_bytes>.*)\stime\-taken\s(?<time_taken>\d+)\s(?<additional_info_1>.*)\s(?:x-forwarded-for|X-Forwarded-For) (?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-)\s(?<additional_info_2>.*)

An example that I'm trying to match, with the data changed obviously:

Message=date 2021-07-26 time 11:40:00 s-sitename XXX1 s-computername Name1 s-ip 0.0.0.0 cs-method GET cs-uri-stem /xxx/xx.dll cs-uri-query - s-port 000 cs-username - c-ip 000.0.0. cs-version HTTP/1.1 cs(User-Agent) AGENT cs(Cookie) - cs(Referer) - cs-host host sc-status 300 sc-substatus 0 sc-win32-status 0 sc-bytes 000 cs-bytes 000 time-taken 000 Connection Keep-Alive Warning - HTTP_CONNECTION Keep-Alive WORD - X-Forwarded-For 00.00.000.0 X-SSL-Client-Cert - HTTP_USER_AGENT AGENT User-Agent AGENT Authorization - Content-Type -

Unfortunately, when I put the regex into "New Field Extraction", not a single field shows up. I'd appreciate any help, either with the regex or with whatever I'm doing wrong.
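For the two regex questions above (pulling the JSON object out of the cwmessage line, and the IIS field extraction), here is an added harness, not from either post and not Splunk's code, that runs a Splunk-style PCRE against the posted sample lines before the pattern goes into rex or a props.conf EXTRACT. Two details matter: Python's re module spells named groups (?P<name>...), so the harness rewrites (?<name>...) on the fly, and in SPL the rex pattern must sit inside double quotes (| rex field=_raw "..."), which is what the \" escapes in the posted JSON pattern are for. The sample events are constructed from the posts (the JSON array shortened to three entries; the IIS line with the placeholder values the poster substituted). IIS_PATTERN_TIGHT is an assumed rewrite of the posted IIS regex that uses \S+ for single-token fields and a lazy .*? ahead of X-Forwarded-For; it removes most of the backtracking the chain of greedy .* captures causes without changing what is extracted from the sample.

```python
"""Check a Splunk-style PCRE extraction against a sample event before it
goes into rex or a props.conf EXTRACT. Added example, not from the posts."""
import json
import re


def pcre_to_python(pattern):
    """Python's re only accepts (?P<name>...); Splunk's PCRE also accepts (?<name>...).
    Rewrite the latter so the same pattern can be tested here; lookbehinds (?<= (?<! are untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract(pattern, event):
    """Return the named captures the pattern produces from event, or None when it does not match."""
    m = re.search(pcre_to_python(pattern), event)
    return m.groupdict() if m else None


# --- 1. pulling the JSON object out of the cwmessage line ---------------------
# Constructed from the post, with the array shortened to three entries.
JSON_EVENT = (
    "cwmessage: 2021-08-26 17:14:10 araeapp INFO MRC: Unique AppCodes Report requested. "
    "2021-08-26 17:14:10 araeapp INFO MRC_ARAE_I_042: (local) requesting uniq_appcodes report for KKA "
    "2021-08-26 17:14:10 araeapp INFO "
    '{"unique_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, '
    '{"count": 2, "app_code": "QQQ", "group": "TSR05441", "instance": "KKA"}, '
    '{"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}]}'
)

# The posted pattern; in SPL it is wrapped as | rex field=_raw "<pattern>", hence the \" escapes.
JSON_PATTERN = r'(?msi)(?<json_field>\{\"unique_appcodes\".+\}$)'


def appcode_counts(event):
    """Extract the JSON payload, parse it, and total the counts per app_code
    (the same values | spath input=json_field would expose for further stats)."""
    fields = extract(JSON_PATTERN, event)
    if fields is None:
        return {}
    totals = {}
    for entry in json.loads(fields["json_field"])["unique_appcodes"]:
        totals[entry["app_code"]] = totals.get(entry["app_code"], 0) + entry["count"]
    return totals


# --- 2. the IIS field extraction from the post, run against its own sample ----
IIS_EVENT = (
    "Message=date 2021-07-26 time 11:40:00 s-sitename XXX1 s-computername Name1 s-ip 0.0.0.0 "
    "cs-method GET cs-uri-stem /xxx/xx.dll cs-uri-query - s-port 000 cs-username - c-ip 000.0.0. "
    "cs-version HTTP/1.1 cs(User-Agent) AGENT cs(Cookie) - cs(Referer) - cs-host host sc-status 300 "
    "sc-substatus 0 sc-win32-status 0 sc-bytes 000 cs-bytes 000 time-taken 000 Connection Keep-Alive "
    "Warning - HTTP_CONNECTION Keep-Alive WORD - X-Forwarded-For 00.00.000.0 X-SSL-Client-Cert - "
    "HTTP_USER_AGENT AGENT User-Agent AGENT Authorization - Content-Type -"
)

# Exactly as posted: every field after cs-method is a greedy .* that has to backtrack.
IIS_PATTERN_POSTED = (
    r"Message=.*s-sitename\s(?<s_sitename>\w+)\ss-computername\s(?<s_computername>\w+)"
    r"\ss-ip\s(?<s_ip>\d+\.\d+\.\d+\.\d+|\-)\scs-method\s(?<cs_method>\w+)"
    r"\scs-uri-stem\s(?<cs_uri_stem>.*)\scs-uri-query\s(?<cs_uri_query>.*)\ss-port\s(?<s_port>.*)"
    r"\scs-username\s(?<cs_username>.*)\sc-ip\s(?<c_ip>.*)\scs-version\s(?<cs_version>.*)"
    r"\scs\(User-Agent\)\s(?<cs_User_Agent>.*)\scs\(Cookie\)\s(?<cs_Cookie>.*)\scs\(Referer\)\s(?<cs_Referer>.*)"
    r"\scs-host\s(?<cs_host>.*)\ssc-status\s(?<sc_status>.*)\ssc-substatus\s(?<sc_substatus>.*)"
    r"\ssc-win32-status\s(?<sc_win32_status>.*)\ssc-bytes\s(?<sc_bytes>.*)\scs-bytes\s(?<cs_bytes>.*)"
    r"\stime\-taken\s(?<time_taken>\d+)\s(?<additional_info_1>.*)"
    r"\s(?:x-forwarded-for|X-Forwarded-For) (?<x_forwarded_for>\d+\.\d+\.\d+\.\d+|\-)\s(?<additional_info_2>.*)"
)

# Assumed rewrite: W3C fields are single tokens, so \S+ (and \d+ for counters) pins each one.
IIS_PATTERN_TIGHT = (
    r"Message=.*?s-sitename\s(?<s_sitename>\S+)\ss-computername\s(?<s_computername>\S+)"
    r"\ss-ip\s(?<s_ip>\S+)\scs-method\s(?<cs_method>\S+)\scs-uri-stem\s(?<cs_uri_stem>\S+)"
    r"\scs-uri-query\s(?<cs_uri_query>\S+)\ss-port\s(?<s_port>\S+)\scs-username\s(?<cs_username>\S+)"
    r"\sc-ip\s(?<c_ip>\S+)\scs-version\s(?<cs_version>\S+)\scs\(User-Agent\)\s(?<cs_User_Agent>\S+)"
    r"\scs\(Cookie\)\s(?<cs_Cookie>\S+)\scs\(Referer\)\s(?<cs_Referer>\S+)\scs-host\s(?<cs_host>\S+)"
    r"\ssc-status\s(?<sc_status>\d+)\ssc-substatus\s(?<sc_substatus>\d+)\ssc-win32-status\s(?<sc_win32_status>\d+)"
    r"\ssc-bytes\s(?<sc_bytes>\d+)\scs-bytes\s(?<cs_bytes>\d+)\stime-taken\s(?<time_taken>\d+)"
    r"\s(?<additional_info_1>.*?)\s[Xx]-[Ff]orwarded-[Ff]or\s(?<x_forwarded_for>\S+)\s(?<additional_info_2>.*)"
)


def iis_fields(event, pattern=IIS_PATTERN_TIGHT):
    """Field dict the extraction would produce for one event, or None if it does not match."""
    return extract(pattern, event)


if __name__ == "__main__":
    print(appcode_counts(JSON_EVENT))
    for name, value in iis_fields(IIS_EVENT).items():
        print(f"{name}={value}")
```

Both IIS patterns match the sample and return the same fields, so when the extraction returns nothing inside Splunk the first thing to compare is the event Splunk actually holds: rex and EXTRACT operate on _raw unless told otherwise, and a WinEventLog event's _raw is not always the Message text the UI shows. For the JSON pattern the (?s) flag is what lets .+ cross any line breaks in the event, and the extracted json_field is handed on with | spath input=json_field.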
Hello there, I have Splunk Enterprise installed and one of my clients has asked me to implement threat intelligence. When searching I have found several apps, but I would like you to tell me which ones you recommend and what threat intelligence does. https://apps.splunk.com/apps/#/order/popular/search/threat%20intelligence
I need some help understanding how to send data from an API to Splunk Enterprise so that I can create a dashboard about the information. The API is open source and located at https://ghibliapi.herokuapp.com/#. I understand that I can get the information using the curl command, but how do I input this information directly into my Splunk instance? I don't have the option to use a REST API as a data source in 'Add Data'. So far I've tried to print the output to a txt file and monitor that file using the universal forwarder, but I can't split the data into events properly, as the data is ingested line by line and backwards, regardless of the settings in props.conf. These are the current settings in my props file:

[apiver2]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = "(/{)"
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ^/{
MUST_BREAK_AFTER = ^/},
MUST_NOT_BREAK_AFTER = ^"id.+
MUST_NOT_BREAK_BEFORE = ^"url.+

And it always displays like this:

So I'm thinking that maybe this is because of the data format of the request. What are my options for ingesting this data? A lot of this is new to me, so would HTTP Event Collector work, or is there something else I should do? Thanks in advance!
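As an added example (not from the post, the Ghibli API, or Splunk): rather than writing the raw API response to a file and fighting line breaking, split the JSON array into one record per event and hand it to HTTP Event Collector (HEC), which is the supported path for pushing data from a script. HEC is enabled under Settings > Data Inputs > HTTP Event Collector and listens on port 8088 by default; the token it issues goes in the Authorization header. A second helper emits newline-delimited JSON for the case where a monitored file is still preferred, so props.conf can use INDEXED_EXTRACTIONS = json instead of hand-written breaking rules (note that in the props.conf above, /{ is not an escaped brace; PCRE escapes with a backslash). The HEC URL, token, sourcetype name and the SAMPLE_RESPONSE records are constructed placeholders.

```python
"""Feed a JSON array returned by an HTTP API into Splunk as one event per
record through HTTP Event Collector (HEC). Added example; not code from
the post, the API, or Splunk."""
import json
import ssl
import urllib.request

# Constructed sample standing in for the API response: a JSON array of records.
SAMPLE_RESPONSE = json.dumps([
    {"id": "rec-1", "title": "first record", "release_date": "1986", "url": "https://api.example/rec-1"},
    {"id": "rec-2", "title": "second record", "release_date": "1988", "url": "https://api.example/rec-2"},
])


def _records(response_body):
    """Parse the body; a single object is treated as a one-record array."""
    records = json.loads(response_body)
    return [records] if isinstance(records, dict) else records


def hec_envelopes(response_body, sourcetype, index=None, host=None):
    """Wrap each record in a HEC event envelope; the record itself becomes the event."""
    envelopes = []
    for rec in _records(response_body):
        env = {"event": rec, "sourcetype": sourcetype}
        if index:
            env["index"] = index
        if host:
            env["host"] = host
        envelopes.append(env)
    return envelopes


def to_hec_batch(response_body, sourcetype, index=None, host=None):
    """Serialise the envelopes as newline-separated JSON objects; HEC accepts
    several of them in one POST to /services/collector/event."""
    return "\n".join(json.dumps(e) for e in hec_envelopes(response_body, sourcetype, index, host))


def to_ndjson(response_body):
    """Alternative for a file the forwarder monitors: one record per line, so the
    sourcetype can use INDEXED_EXTRACTIONS = json with no custom line breaking."""
    return "".join(json.dumps(r) + "\n" for r in _records(response_body))


def post_to_hec(hec_url, token, payload, ca_file=None):
    """POST a batch to HEC, e.g. https://splunk.example:8088/services/collector/event (placeholder).
    TLS is verified against ca_file or the system trust store; never disable verification
    just because the HEC certificate is self-signed, install its CA instead."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        hec_url,
        data=payload.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return json.loads(resp.read())  # {"text": "Success", "code": 0} when accepted


if __name__ == "__main__":
    # Real use: body = urllib.request.urlopen(api_url).read(); the constructed sample is used here.
    batch = to_hec_batch(SAMPLE_RESPONSE, sourcetype="apiver2", index="main")
    print(batch)
    # post_to_hec("https://splunk.example:8088/services/collector/event", "<hec-token>", batch)
```

Because the JSON object itself is the event, Splunk applies its automatic JSON field extraction at search time and the dashboard can use id, title and so on without a props.conf stanza. Treat the HEC token as a credential: read it from the environment or a secrets store rather than hard-coding it, and scope it to the one index the script writes to.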
The PAVO Splunk app Source Profile & Destination Profile dashboards appear to be missing a macro. This is the error:

A search for the macro was unsuccessful. Error in 'SearchParser': The search specifies a macro 'apl_aut_tstats' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Can anyone who has this Splunk app installed check whether it exists in their installation? Thanks, Robert
Hi, I have to calculate the time difference between the first event and the last event for a particular flow in the log. I have used earliest(_time) and latest(_time), which gave me correct data:

index=* | stats earliest(_time) as Earliest latest(_time) as Latest

This gave output in epoch time, but I need the difference of Earliest and Latest; I tried using diff and eval diff to strftime but had no luck. Can someone help me with the query please?
How do I go about turning off the "Latest Resources" panel in the Dashboards page in v8.2?  
Hi team, is there any way to decode logs that are already onboarded into Splunk? Do we have any app to decode them? Please suggest, @ITWhisperer