Hi All, I am planning to upgrade the Splunk Enterprise app in production. Our Splunk environment has: 1 cluster master, 4 indexers, 1 deployment server, 1 search head, 1 monitoring console, 1 license master. Is it possible to have the search head on version 9.0.3 and the remaining Splunk servers upgraded to 9.1.0? The search head role is also provided to other servers in our environment.
Hello Splunkers, I have created input dropdowns where I need to reset all input dropdowns, irrespective of the selections made, to the default values of the fields. Here I can change the values that were passed to the search, but I was unable to change the values that were present in the input dropdowns.

<input type="radio" token="field3" searchWhenChanged="true">
  <label>Condition_1</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search" searchWhenChanged="true">
  <label>All Fields Search_1</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="field4">
  <label>Add New Condition</label>
  <choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field5" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>Expression</label>
  <choice value="AND">AND</choice>
  <choice value="OR">OR</choice>
  <default>AND</default>
  <initialValue>AND</initialValue>
</input>
<input type="radio" token="field6" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>Condition_2</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search2" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
  <label>All Fields Search_2</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="field14" depends="$field4$">
  <label>Add New Condition</label>
  <choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field15" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>Expression</label>
  <choice value="AND">AND</choice>
  <choice value="OR">OR</choice>
  <default>AND</default>
  <initialValue>AND</initialValue>
</input>
<input type="radio" token="field16" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>Condition_3</label>
  <choice value="=">Contains</choice>
  <choice value="!=">Does Not Contain</choice>
  <default>=</default>
  <initialValue>=</initialValue>
</input>
<input type="text" token="search12" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
  <label>All Fields Search_3</label>
  <default>*</default>
  <initialValue>*</initialValue>
  <prefix>"*</prefix>
  <suffix>*"</suffix>
</input>
<input type="checkbox" token="reset_all_field_search" searchWhenChanged="true">
  <label>Reset All field search</label>
  <choice value="reset_all_field_search">Yes</choice>
  <delimiter> </delimiter>
  <change>
    <condition value="reset_all_field_search">
      <unset token="search"></unset>
      <set token="search">*</set>
      <unset token="search2"></unset>
      <set token="search2">*</set>
      <unset token="search12"></unset>
      <set token="search12">*</set>
      <unset token="field4"></unset>
      <set token="field4">*</set>
      <unset token="field5"></unset>
      <set token="field5">*</set>
    </condition>
  </change>
</input>

Please help me to fix this. Thanks!
I have to get hands-on experience in log analysis using my home Wi-Fi and add it to my resume, so this will help me get a job.
Hi there, I am using the Splunk Add-on for Symantec Endpoint Protection, according to this documentation: https://docs.splunk.com/Documentation/AddOns/released/SymantecEP/Configureinputs. When I log in to the Symantec dashboard, it shows Endpoint Status like: Total Endpoints / Up-to-date / Out-of-date / Offline / Disabled / Host Integrity Failed. Has anyone used Symantec and solved this problem?
Hi, I'm receiving an error in my CM when I input ./splunk edit cluster-config -mode slave -master_uri http://url:8089 -replication_port 8080 -secret xxxxxxx that says "cannot contact master". I've tried everything, reviewed my configurations, and it still doesn't work. Help!
Is there a reason why auth-success is excluded from the system_actions.csv lookup file in the Splunk Add-on for Palo Alto Networks TA version 1.0.0 that was just released? This is breaking auth events, as only failures are being parsed.
Hi! I am stuck on my home lab trying to install Phantom on a VM. All steps for soar-prep completed fine, but then I tried ./soar-install and am seeing errors like:

Error: Cannot run as the root user
Error: The install directory (/opt/phantom) is not owned by the installation owner (root)
Pre-deploy checks failed with errors

The directory has root access with all folders in it (image attached).

{"component": "installation_log", "time": "2024-11-10T02:02:56.071875", "logger": "install.deployments.deployment", "pid": 2005, "level": "ERROR", "file": "/opt/phantom/splunk-soar/install/deployments/deployment.py", "line": 175, "message": "Error: The install directory (/opt/phantom) is not owned by the installation owner (root)", "install_run_uuid": "17e0674c-b035-4696-9f75-acf2297ab325", "start_time": "2024-11-10T02:02:54.547287", "install_mode": "install", "installed_version": null, "proposed_version": "6.3.0.719", "deployment_type": "unpriv", "continue_from": null, "phase": "pre-deploy", "operation_status": "failed", "time_elapsed_since_start": 1.524704}
{"component": "installation_log", "time": "2024-11-10T02:02:56.072144", "logger": "install", "pid": 2005, "level": "ERROR", "file": "/opt/phantom/splunk-soar/./soar-install", "line": 105, "message": "Pre-deploy checks failed with errors", "install_run_uuid": "17e0674c-b035-4696-9f75-acf2297ab325", "start_time": "2024-11-10T02:02:54.547287", "install_mode": "install", "installed_version": null, "proposed_version": "6.3.0.719", "deployment_type": "unpriv", "continue_from": null, "time_elapsed_since_start": 1.525168, "pretty_exc_info": ["Traceback (most recent call last):", " File \"/opt/phantom/splunk-soar/./soar-install\", line 82, in main", " deployment.run()", " File \"/opt/phantom/splunk-soar/install/deployments/deployment.py\", line 145, in run", " self.run_pre_deploy()", " File \"/opt/phantom/splunk-soar/usr/python39/lib/python3.9/contextlib.py\", line 79, in inner", " return func(*args, **kwds)", " File \"/opt/phantom/splunk-soar/install/deployments/deployment.py\", line 178, in run_pre_deploy", " raise DeploymentChecksFailed(", "install.install_common.DeploymentChecksFailed: Pre-deploy checks failed with errors"]}
So I have an index with working alerts, thanks to you guys' help. I have a question on 2 separate events at the same time. 1st event: Invalid password provided for user : xxxxxxxx (this is in the event). 2nd event: GET /Project/1234/ HTTP/1.1 401 (this is basically letting me know about the first event, but which project they tried to connect to). How would one write a search to get the username of the invalid password and correlate that with the project at the same time underneath? Example: User xxxxxx put in an invalid password for Project 1234. Thinking it is easier to get my team to write it all in 1 event for another release.
So for our graduation project, we've decided to use Splunk SIEM as our base app to build on. However, on further inspection, it turns out that Splunk Enterprise Security has a lot of features that we need. Is there any chance that Splunk would give us the chance to use it without paying?
Hi Guys, syslog is sent to the forwarder IP through TCP port 9523. I am unable to receive those syslogs in the forwarder or indexer. How do I check whether syslog is received in the forwarder? How do I receive those syslogs in the indexer? We are getting those logs from a network device.
Hello ES Splunkers, I want to know if any applications can be installed to enhance the security posture alongside Enterprise Security. Is the ITSI app added value for the security posture?
Dear Sir/Madam, We have installed the on-premise version of AppDynamics with various agents in an operational environment. We decided to update the controller (not the agents). During the controller update, we encountered a problem and had to reinstall the controller, so the controller access key was changed. It takes much time to coordinate and update the agents in the operational environment, so we have not changed the agents. According to the link 'Change Account Access Key', we changed the new account access key (for Customer1 in single-tenant mode) to the old account access key (without changing any config on the agent side, including the access keys). Now every agent is OK (e.g., app agents, DB agents, etc.), but database collectors do not work. Although the database agent is registered, we can't add any database collector. I have checked the controller log and found the following exception: "dbmon config ... doesn't exist". It seems that the instructions mentioned in the link above are not enough for the database agent and collector, namely some extra steps are needed. Thanks for your attention. Best regards.
Hello everyone, I ran into a problem with Splunk UBA that I need help with. Thank you for guiding me. I have more than one domain in Splunk UBA, and it mistakenly recognizes some users as the same user due to name similarity, while these users are not the same person and only have similar names in the login ID field. How can I solve this problem and have users with the same login IDs but not have false-positive anomalies? Thank you for your guidance.
Hi, I am new to Splunk admin. We have a syslog server in our environment to collect logs from our network devices. Our clients asked us to install an LTM (Local Traffic Manager) load balancer on the syslog server. I have no idea what a load balancer does, how to install it, or whether it is a component of Splunk (full package or lightweight package). Please suggest how to set up this environment. Also, what is suggested for network logs, UDP or TCP? I want to learn completely about the syslog server and its end-to-end configuration with Splunk. Please provide the latest doc link (I am not asking about an add-on). Please note.
I have a dashboard in Splunk Cloud which uses a dropdown input to determine the index for all of the searches on the page, with a value like "A-suffix", "B-suffix", etc. However, now I want to add another search which uses a different index but has `WHERE "column"="A"`, with A being the same value selected in the dropdown, but without the suffix. I tried using eval to replace the suffix with an empty string, and I tried changing the dropdown to remove the suffix and do `index=$token$."-suffix"` in the other queries, but I can't get anything to work. It seems like I might be able to use `<eval token="token">` if I could edit the XML, but I can only find the JSON source in the web editor and don't know how to edit the XML with Dashboard Studio.
Our apps send data to the Splunk HEC via HTTP POSTs. The apps are configured to use a connection pool, but after sending data to Splunk (via HTTP POSTs), the Splunk server responds with a status 200 and the "Connection: Close" header. This instructs our apps to close their connection instead of reusing it. How can I stop this behavior? Right now it's constantly re-creating a connection thousands of times instead of just reusing the same connection.
Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ever-evolving threat landscape and an expanding attack surface, Splunk's SIEM solution, Enterprise Security, is always here to enhance your security posture, saving you time and effort with its unified workflow for threat detection, investigation, and response. Check out this newly launched video to see how the market-leading SIEM, Enterprise Security, can empower your SOC efficiency. Want to see Splunk ES in action? Join us for the Unlocking the Power of Splunk Enterprise Security Hands-on Workshop on Nov 13th at 9AM PST! We'll cover the basics and show you how Splunk ES can level up your alert detection, prioritization, and response. Oh, and did we mention? Lunch is on us! Come and have some fun with us! After the workshop, if you have any specific questions about Enterprise Security, we've got you covered with a Community Office Hour at 1 PM PST on the same day, where you can connect directly with our experts. Can't wait to connect with you soon! Best, Team Splunk
Hello. I'm setting up a new Splunk Enterprise environment, just a single indexer with forwarders. There are two volumes on the server: one is on SSD for hot/warm buckets, and the other volume is HDD for cold buckets. I'm trying to configure Splunk such that an index ("test-index") will only consume, say, 10 MB of the SSD volume. After it hits that threshold, the oldest hot/warm bucket should roll over to the slower HDD volume. I've done various tests, but when the index's 10 MB SSD threshold is reached, all of the buckets are rolled over to cold storage, leaving the SSD empty. Here is how indexes.conf is set now:

[volume:hot_buckets]
path = /srv/ssd
maxVolumeDataSizeMB = 430000

[volume:cold_buckets]
path = /srv/hdd
maxVolumeDataSizeMB = 11000000

[test-index]
homePath = volume:hot_buckets/test-index/db
coldPath = volume:cold_buckets/test-index/colddb
thawedPath = /srv/hdd/test-index/thaweddb
homePath.maxDataSizeMB = 10

When the 10 MB threshold is reached, why is everything in hot/warm rolling over to cold storage? I had expected 10 MB of data to remain in hot/warm, with only the older buckets rolling over to cold. I've poked around and found other articles related to maxDataSizeMB, but those questions do not align with what I'm experiencing. Any guidance is appreciated. Thank you!
In October, the Splunk Threat Research Team had one release of new security content via the Enterprise Security Content Update (ESCU) app (v4.42.0). With this release, there are 10 new analytics, 15 updated analytics, and 1 updated analytic story now available in Splunk Enterprise Security via the ESCU application update process. Content highlights include: The CISA AA24-241A analytic story was updated with detections tailored to identify malicious usage of PowerShell Web Access in Windows environments. The new detections focus on monitoring PowerShell Web Access activity through the IIS application pool and web access logs, providing enhanced visibility into suspicious or unauthorized access. The Splunk Threat Research Team also updated the security content repository on research.splunk.com to better help security teams find the most relevant content for their organizations, understand how individual detections operate, and stay up-to-date on the latest releases. For more details, check out this blog: Fueling the SOC of the Future with Built-in Threat Research and Detections in Splunk Enterprise Security. 
New Analytics (10)
Splunk Disable KVStore via CSRF Enabling Maintenance Mode
Splunk Image File Disclosure via PDF Export in Classic Dashboard
Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App
Splunk Persistent XSS via Props Conf
Splunk Persistent XSS via Scheduled Views
Splunk RCE Through Arbitrary File Write to Windows System Root
Splunk SG Information Disclosure for Low Privs User
Splunk Sensitive Information Disclosure in DEBUG Logging Channels
Windows IIS Server PSWA Console Access
Windows Identify PowerShell Web Access IIS Pool

Updated Analytics (15)
Create Remote Thread into LSASS
Detect Regsvcs with Network Connection
Linux Auditd Change File Owner To Root
Possible Lateral Movement PowerShell Spawn
Suspicious Process DNS Query Known Abuse Web Services
Windows AdFind Exe
Windows DISM Install PowerShell Web Access
Windows Enable PowerShell Web Access
Windows Impair Defenses Disable AV AutoStart via Registry
Windows Modify Registry Utilize ProgIDs
Windows Modify Registry ValleyRAT C2 Config
Windows Modify Registry ValleyRat PWN Reg Entry
Windows Privileged Group Modification
Windows Scheduled Task DLL Module Loaded
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr

Updated Analytic Stories (1)
CISA AA24-241A

The team also published the following 4 blogs:
ValleyRAT Insights: Tactics, Techniques, and Detection Methods
Introducing Splunk Attack Range v3.1
PowerShell Web Access: Your Network's Backdoor in Plain Sight
My CUPS Runneth Over (with CVEs)

For all our tools and security content, please visit research.splunk.com. — The Splunk Threat Research Team
I have an SPLQ that I'm trying to use to collect all domains from raw logs, but my regex is capturing only one domain in a single event. Some events have one URL, some of them have 20 or more. How do I capture all domains? Please advise.

SPLQ .............. | rex field=_raw "(?<domain>\w+\.\w+)\/" | rex field=MessageURLs "\b(?<domain2>(?:http?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?" | fillnull value=n/a | stats count by domain domain2 MessageURLs _raw