I'm very new to this and found we do not have any alerts set up for basic things like disk space on drives etc. I've done some basic courses but I don't know what to put after Host= to capture all drives on both Windows and Unix.
Application Crashes.
System or Service Failures.
Windows Update Errors.
Windows Firewall.
Clearing Event Logs.
Software and Service Installation.
Account Usage.
Kernel Driver Signing.
Hey there - I'm new to Splunk Enterprise and have this crazy graphics mash-up when I hit browse in the Install App From File button - really annoying - has this happened to others & is there a quick fix? Cheers Andy  
Hi! I have recently moved from a Splunk developer role to an admin role. I have to build a clustered environment from scratch on-prem. I have a basic understanding of a clustered environment but haven't set one up yet. Could you please guide me on how I can start? For example, what type of knowledge/information gathering do I need to do with the client or customer beforehand? Also, is there any procedure/order of components to follow? It will be really helpful for me. Thanks in advance
https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Listcorrelationsearches

Hi, I'm using the searches mentioned in the documentation. There is a field named triggered_alert_count which gives me what I want, but it returns the same number of alerts across all time ranges.

| rest splunk_server=local count=0 /services/saved/searches
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain, triggered_alert_count as number_of_alerts
| search app="SplunkEnterpriseSecuritySuite"
| table number_of_alerts, csearch_label, app, security_domain, description

Ideally I would like to see the total number of alerts as far back as Splunk remembers. Thanks.
Hi, it seems like the link below is no longer working. https://splunk-sizing.appspot.com/ Does Splunk have an online sizing tool that we can use for capacity planning estimates?
Hi Splunk experts, I have made a dashboard which shows my app's service status in Dashboard Studio and I want to display a colour based on the value, as shown below. This was achieved in Classic Dashboards by editing the source and appending the format as below.

<format type="color" field="Requester">
  <colorPalette type="expression">case(match(value,"DOWN"), "#E34234", match(value,"NA"), "#F8BE34", match(value,"UP"), "#4F7942")</colorPalette>
</format>
<format type="color" field="Stripping">
  <colorPalette type="expression">case(match(value,"DOWN"), "#E34234", match(value,"NA"), "#F8BE34", match(value,"UP"), "#4F7942")</colorPalette>
</format>

Can the same be achieved in Dashboard Studio as well? If so, how can it be done? Can you please help me out with this. TIA
Hello, is there a way to use a REST API and search for containers that contain the word computer or the word process in the container name? I only manage to filter for "contains" or the filter "in", but I failed to use both.
Hello everyone, I have a question. Is it possible to use OpenTelemetry to send traces and metrics from a JavaScript application (not containerized) to my Splunk Enterprise? If so, what are the steps? Is there any documentation or tutorial to try? Thanks!
Hi, I'm not able to download agents (App agent, Machine agent, Database agent) from https://accounts.appdynamics.com/downloads. No listing shows up after selecting the options from the dropdown. Thank you
I have a scheduled job that runs every month, storing a monthly report and sending an email with the search results. This setup works well, but I've encountered a problem: the search results expire after 24 hours. It then shows me that the search has probably expired or been deleted. How can I set it to 7 days to prevent it from expiring?
Hello, how do I restrict write access to my dashboard for any users outside my team's application? For example: I am "User1" and I created the "Test" dashboard in "App1". App1 is my team's application. I want to restrict write access (but allow read access) to the "Test" dashboard for any users outside "App1". I want to allow ONLY my team within "App1" to have read and write access to the "Test" dashboard. If I set the following setting (see below), users from outside App1 can go inside App1 and edit the dashboard. Please suggest. Thank you!!
Hello, I have a summary index that has been fed data for the last 6 months. There is a new "field" and I tried to add the new field into "past" data and future data in the summary index. Is it possible to add a new field into past data in a summary index? If it's not possible, how do I move a summary index to another summary index with the updated fields? Thank you. Below is an example:

index=summary report="test_1"

_time       Order      Customer
05/01/2024  Pizza      Customer1
05/01/2024  Hamburger  Customer2
05/02/2024  Spaghetti  Customer3
05/02/2024  Pizza      Customer4
05/03/2024  Noodle     Customer1
05/03/2024  Rice       Customer2

index=summary report="test_2"

_time       Order      Customer   Phone
05/01/2024  Pizza      Customer1  1111
05/01/2024  Hamburger  Customer2  2222
05/02/2024  Spaghetti  Customer3  3333
05/02/2024  Pizza      Customer4  4444
05/03/2024  Noodle     Customer1  1111
05/03/2024  Rice       Customer2  2222
Register here. This thread is for the Community Office Hours session with the Security topic: Get More Out of Your Security Practice with a SIEM - Part II (Advanced Use Cases) on Wed, Aug 21, 2024 at 1pm PT / 4pm ET.

This is your opportunity to connect with technical Splunk experts, who will guide you through solutions to your security use case questions and engage in live discussions about how to best leverage Splunk Enterprise Security as your SIEM solution. This session, Part II, will focus on adding context to your detections to fuel more meaningful investigations. We will focus on key use cases such as Risk-Based Alerting to prioritize alerts for faster response to more critical tasks, enriching threat context with threat intelligence, leveraging cyber frameworks to manage risks, and more. These use cases will help improve mean time to detect (MTTD) and mean time to respond (MTTR).

In the session, you can discuss the following with our experts:
What is the best approach to implementing the use cases in Enterprise Security?
Best practices for proper creation of risk rules, modifiers, adaptive actions, etc.
Enhancing notable events and proactive threat hunting
Suggested approaches to mapping cyber frameworks such as MITRE.
Recommended Splunkbase apps
Anything else you'd like to learn!

Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here). Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants. Look forward to connecting!
Register here. This thread is for the Community Office Hours session with the Security topic: Get More Out of Your Security Practice with a SIEM - Part I (Foundational Use Cases) on Wed, Aug 7, 2024 at 1pm PT / 4pm ET.

This is your opportunity to connect with technical Splunk experts, who will guide you through solutions to your security use case questions and engage in live discussions about how to best leverage Splunk Enterprise Security as your SIEM solution. This session, Part I, will focus on foundational use cases that provide the necessary visibility to understand your attack surface coverage and build greater digital resilience. These use cases include optimizing your data sources, centralizing data visibility for real-time monitoring, getting full context of your incidents, building well-configured dashboards and visualizations to help make data intelligible, and more.

In the session, you can discuss the following with our experts:
What are the prerequisites for implementing these use cases in Enterprise Security?
What is the best approach to implementing the use cases in Enterprise Security?
Troubleshooting and optimizing your environment for successful implementation
Recommended Splunkbase apps
Anything else you'd like to learn!

Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here). Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants. Look forward to connecting!
Hi, is it possible, using props.conf and transforms.conf, to route some data in an index based on the source field? Let's say index1 contains a lot of sources, and some of those sources contain certain words in the path, for example (source="*dev-ksm*" OR source="*int-ksm*" OR source="*qa-ksm*" OR source="*amq-*-ksm*"). For this scenario I'd like to route events whose source matches the above to index2. I was thinking of something like this:

props.conf
[index::current_index]
TRANSFORMS-routing=filter-to-new_index

transforms.conf
[filter-to-new_index]
DEST_KEY = _MetaData:Index
SOURCE_KEY = MetaData:Source
REGEX = (?i)(.*dev-ksm.*|.*int-ksm.*|.*qa-ksm.*|.*amq-.*-ksm.*)
FORMAT = new_index

It does not seem to be working currently. Hence the question of whether it's possible to do something like this. Thanks in advance.
Hey everyone, we have a Splunk SOAR client who has a Microsoft tenant with several domains. They asked if we can scope the "Windows Defender ATP" app in Splunk SOAR to be limited to the 2 domains their team is responsible for. Is this something that can be done from the app configuration itself in SOAR? Or would this be something done in the Microsoft tenant? Or are there any other options?
Has anyone been able to get ADAudit Plus to integrate with Splunk Enterprise? I followed these instructions but have not gotten any data to show on the indexer: SIEM integration | Admin settings | ADAudit Plus (manageengine.com). I also contacted ManageEngine support, who have not been able to figure out the issue. I searched the forum and found this old thread but no one had responded: How to get audit plus manager logs into splunk ent... - Splunk Community. Any help is appreciated, thanks.
I am trying to figure out where Splunk is getting its data to populate the "Host Name" column in the Splunk GUI for the Forwarder Management section, when selecting the Clients tab. I would like the host name to be the FQDN (server1.x.xx) instead of its current form (server1). It doesn't seem to pull from any Splunk .conf files that I can see on any Windows UF. For reference, this only applies to Windows servers running the Splunk UF agent. I have already modified inputs.conf (host = $decideOnStartup) and server.conf (hostnameOption = fullyqualifiedname) to no avail. Any help will be greatly appreciated.
What command can I run if I am not sure which index the data associated with a sourcetype is stored in within Splunk?
We've streamlined the troubleshooting experience for database-related service issues by adding a database performance metrics panel to the sidebar on the APM Service Map and Database Query Performance pages. Before this release, engineering teams who discovered database issues when troubleshooting their service with APM would need to navigate to Infrastructure Monitoring to find the related content for additional insight. This would interrupt the troubleshooting workflow and delay resolution. The new database performance sidebar surfaces the relevant database performance metrics directly on the APM pages and provides a direct link to the related IM navigator for faster in-context triage.

Locating the Database Performance Metrics in APM
On the APM Service Map pages
On the APM Database Query Performance pages

Visit our docs to learn more.