We are pleased to announce that the Splunk Observability Cloud platform will now offer additional Role-Based Access Control roles for more restrictive functional control across the platform. In addition to existing admin and user roles, we are launching “read_only” and subscription “usage” roles. “Read_only” will provide viewing-only privileges while the “usage” role will grant users the ability to access subscription data without the need to be full-fledged admins. Now you get more flexibility when it comes to choosing the right roles for your users!

Key features include:
• Introducing a new capability-based RBAC framework with new “read_only” and “usage” roles along with existing Admin and User roles
• New APIs to assign users with roles
• APIs will honor capabilities based on the role defined for their token; e.g. User Tokens will inherit individual users' role capabilities and org tokens can be assigned an available predefined role

Both new roles will be automatically available for all Splunk Enterprise customers this week.

Along with this release, we wanted to notify our users of a change in our naming nomenclature: we are renaming the existing “User” Role to “Power” Role. The role name change will occur by the end of the February 5th week. You can find more details on this change in our community post here.

Thank you for being a loyal Splunk customer!
Understanding and navigating the complexities of modern manufacturing, and tracking them with SAP and Cisco AppDynamics

Video Length: 2 min 23 seconds

CONTENTS | Introduction | Video | Resources | About the presenter

In this Cisco Cloud Observability video, Matt Schuetze delves into the complex challenges that define today's manufacturing business landscape—and how Cisco AppDynamics can integrate with SAP environments to address them. The video offers an essential understanding of the manufacturing industry’s challenges and the role SAP plays in it. Matt explains Cisco AppDynamics’ unique capability to link business process steps and flows to the underlying ABAP code and HANA database calls, providing a direct connection to user experience within the SAP environment.

Additional Resources
• AppDynamics Monitoring for SAP® Solutions: Build resiliency into your SAP landscape
• Explore SAP Monitoring with AppDynamics in the documentation

About the presenter
Matt Schuetze, Field Architect
Matt Schuetze is a Field Architect at Cisco on the AppDynamics product. He confers with customers and engineers to assess application tooling choices and helps clients resolve application performance problems. Matt runs the Detroit Java User Group and the AppDynamics Great Lakes User Group. His career includes 10+ years of speaking periodically at user groups and industry trade shows. He has a Master’s degree in Nuclear Engineering from MIT and a Bachelor’s degree in Engineering Physics from the University of Michigan.
A snippet from strace output seems to indicate that the 30-40 mins may be taken by the SSL certificate generating steps:

    <<<snipped>>>>>
    wait4(9855, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9855
    stat("/opt/splunkforwarder/etc/auth/server.pem", 0x7ffdec4c4580) = -1 ENOENT (No such file or directory)
    clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f143df47e50) = 9857
    wait4(9857,
    < < <  stuck here for 30-40 mins > > > >
    0x7ffdec4c45f4, 0, NULL)    = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
    --- SIGWINCH {si_signo=SIGWINCH, si_code=SI_KERNEL} ---
    wait4(9857, New certs have been generated in '/opt/splunkforwarder/etc/auth'.
    [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 9857
    --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=9857, si_uid=0, si_status=0, si_utime=11, si_stime=5} ---

Strangely, this is only happening on Linux on Azure. Using openssl, I am able to generate a self-signed cert within seconds on the same machine. Our Linux on premises (on VMware) does not experience this performance issue.

Any thoughts on what the issue may be? How to troubleshoot? Thank you
Thanks in advance for the assistance. I am very new to Splunk; it is a great tool but I need some assistance. I am trying to create a filtered report with the following criteria.

- I am filtering the data down based on phishing, and now I need to grab each of the individual src_ip values and count them over a 30 day period. Unfortunately I do not have a prelist of IP addresses, unlike all of the examples.

My goal is to go down the list and count the number of occurrences in this list and show the report on a front panel.

Also, any good books or video training for learning how to do advanced filtering in Splunk?

Thanks
Last month, the Splunk Threat Research Team had 5 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.19.0, v4.20.0, v4.21.0, v4.22.0, and v4.23.0). With these releases, there are 74 new analytics, 5 new analytic stories, 14 updated analytics, and 3 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:
• The new "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring" analytic story includes a range of detections that identify abnormal or unexpected container behavior in Kubernetes environments, using metrics from Splunk Observability Cloud.
• The new “CISA AA23-347A” analytic story includes a variety of detections that allow you to detect and investigate unusual activities that might be related to SVR cyber activity.
• The new “Ivanti Connect Secure VPN Vulnerabilities” analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. The team also published a blog with additional information about these vulnerabilities and how to use this new threat detection content.
New Analytics (74)
• Kubernetes Anomalous Inbound Outbound Network IO
• Kubernetes Anomalous Inbound to Outbound Network IO Ratio
• Kubernetes Previously Unseen Container Image Name
• Kubernetes Previously Unseen Process
• Kubernetes Process Running From New Path
• Kubernetes Process with Anomalous Resource Utilisation
• Kubernetes Process with Resource Ratio Anomalies
• Kubernetes Shell Running on Worker Node with CPU Activity
• Kubernetes Shell Running on Worker Node
• Windows Account Discovery For None Disable User Account
• Windows Lsa Secrets Nolmhash Registry
• Windows Modify Registry Disable Restricted Admin
• Windows Account Discovery For Sam Account Name
• Windows Account Discovery With Netuser PreauthNotRequire
• Windows Archive Collected Data Via Powershell
• Windows Domain Account Discovery Via Get Netcomputer
• Windows Known Graphicalproton Loaded Modules
• Windows Process Commandline Discovery
• Windows System User Privilege Discovery
• Windows Modify Registry Nochangingwallpaper
• Windows Rundll32 Apply User Settings Changes
• Windows UAC Bypass Suspicious Child Process (External Contributor: @nterl0k)
• Windows UAC Bypass Suspicious Escalation Behavior (External Contributor: @nterl0k)
• Windows Alternate DataStream - Base64 Content (External Contributor: @nterl0k)
• Windows Alternate DataStream - Process Execution (External Contributor: @nterl0k)
• Windows Alternate DataStream - Executable Content (External Contributor: @nterl0k)
• O365 Concurrent Sessions From Different Ips
• Splunk ES DoS Investigations Manager via Investigation Creation
• Splunk ES DoS Through Investigation Attachments
• Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
• Ivanti Connect Secure Command Injection Attempts
• Ivanti Connect Secure System Information Access via Auth Bypass
• Splunk Enterprise KV Store Incorrect Authorization
• Splunk Enterprise Windows Deserialization File Partition
• Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
• Splunk Information Disclosure in Splunk Add-on Builder
• Kubernetes Anomalous Inbound Network Activity from Process
• Kubernetes Anomalous Outbound Network Activity from Process
• Kubernetes Anomalous Traffic on Network Edge
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes newly seen TCP edge
• Kubernetes newly seen UDP edge
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanning by Unauthenticated IP Address
• Windows Impair Defense Change Win Defender Health Check Intervals
• Windows Impair Defense Change Win Defender Quick Scan Interval
• Windows Impair Defense Change Win Defender Throttle Rate
• Windows Impair Defense Change Win Defender Tracing Level
• Windows Impair Defense Configure App Install Control
• Windows Impair Defense Define Win Defender Threat Action
• Windows Impair Defense Disable Controlled Folder Access
• Windows Impair Defense Disable Defender Firewall And Network
• Windows Impair Defense Disable Defender Protocol Recognition
• Windows Impair Defense Disable PUA Protection
• Windows Impair Defense Disable Realtime Signature Delivery
• Windows Impair Defense Disable Web Evaluation
• Windows Impair Defense Disable Win Defender App Guard
• Windows Impair Defense Disable Win Defender Compute File Hashes
• Windows Impair Defense Disable Win Defender Gen reports
• Windows Impair Defense Disable Win Defender Network Protection
• Windows Impair Defense Disable Win Defender Report Infection
• Windows Impair Defense Disable Win Defender Scan On Update
• Windows Impair Defense Disable Win Defender Signature Retirement
• Windows Impair Defense Overide Win Defender Phishing Filter
• Windows Impair Defense Override SmartScreen Prompt
• Windows Impair Defense Set Win Defender Smart Screen Level To Warn
• Windows MsiExec HideWindow Rundll32 Execution
• Windows Process Injection In Non-Service SearchIndexer
• Jenkins Arbitrary File Read CVE-2024-23897

New Analytic Stories (5)
• CISA AA23-347A
• Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
• Ivanti Connect Secure VPN Vulnerabilities
• Confluence Data Center and Confluence Server Vulnerabilities
• Jenkins Server Vulnerabilities

Updated Analytics (14)
• GCP Authentication Failed During MFA Challenge
• GCP Multi-Factor Authentication Disabled
• GCP Successful Single-Factor Authentication
• Windows Steal Authentication Certificates - ESC1 Abuse
• Allow Network Discovery In Firewall
• Msmpeng Application DLL Side Loading
• Confluence Data Center and Server Privilege Escalation
• Confluence Unauthenticated Remote Code Execution CVE-2022-26134
• Kubernetes Access Scanning
• Kubernetes AWS detect suspicious kubectl calls
• Disable Windows SmartScreen Protection
• Linux Service Started Or Enabled
• Unknown Process Using The Kerberos Protocol
• Windows Excessive Disabled Services Event

Updated Analytic Stories (3)
• Office 365 Account Takeover
• Office 365 Persistence Mechanisms
• Splunk Vulnerabilities

The team also published the following 6 blogs:
• Security Insights: Jenkins CVE-2024-23897 RCE
• Security Insights: Tracking Confluence CVE-2023-22527
• Security Insights: Investigating Ivanti Connect Secure Auth Bypass and RCE
• Enter the Gates: An Analysis of the DarkGate AutoIt Loader
• Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors
• Ghost in the Web Shell: Introducing ShellSweep

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team
I have another requirement: I want to show a bar chart which should show the total login count on the basis of the time period we submit. For example, if we select 2 days it should show the bar chart where y is the login count and x is the time selection (on the basis of a day interval, like 6th Feb, 7th Feb and so on).
Hello, is it possible to install SA-cim_vladiator on clustered search heads? Thanks.  
Is there any efficient way to block queries without the sourcetype? Educating users is not working and we wanted to block it so that there is no degradation of the environment
I am attempting to identify when Splunk users are running searches against historic data (over 180 days old). Additionally, as part of the same request, looking to identify where users have recovered data from DDAA to DDAS to run searches against that. This is to build a greater understanding of how often historic data is accessed to help guide data retention requirements in Splunk Cloud (i.e. is retention set appropriately or can we extend/reduce retention periods based on the frequency of data access).
Hi Team, Looking for help on configuring the statuspage.io addon to ingest incidents/Collect all scheduled maintenance from statuspage.io.  
Search Query 1

Search Query 2

Would like to join search query 1 and 2 and get the results, but no results found.

    index=imdc_gold_hadoopmon_metrics sourcetype=hadoop_resourcemanager "Allocated new applicationId"
    | rex field=_raw "^(?:[^ \n]* ){4}(?P<App1>.+)"
    | eval _time=strftime(_time,"%Y-%m-%d %H:%M")
    | table _time, App1
    | rename _time as Time1
    | join type=inner App1
        [ search index=imdc_gold_hadoopmon_metrics sourcetype=hadoop_resourcemanager "OPERATION=Submit Application Request"
        | rex field=_raw "^(?:[^=\n]*=){6}\w+_\d+_(?P<App2>.+)"
        | eval _time=strftime(_time,"%Y-%m-%d %H:%M")
        | table _time, App2
        | search App2=App1
        | rename _time as Time2 ]
    | table Time1, App1, Time2, App2
Good morning, Let me tell you about my situation. We have a forwarder inside a Docker container python:3.11-slim-bullseye. We've noticed that when we deploy an application from the deployment server to the forwarder by adding a stanza to the inputs.conf file, the forwarder's ExecProcessor doesn't detect the change. Could you please help me understand why? Thank you very much, regards.
Hi All, how can we modify the below search to see only the enabled correlation searches which did not trigger a notable in the past X days?

    | rest /services/saved/searches
    | search title="*Rule" action.notable=1
    | fields title
    | eval has_triggered_notables = "false"
    | join type=outer title
        [ search index=notable search_name="*Rule" orig_action_name=notable
        | stats count by search_name
        | fields - count
        | rename search_name as title
        | eval has_triggered_notables = "true" ]

Thanks..
Good morning, Let me tell you about my case. In my company, we have five indexers, one for development and the other four for production. We have an inputs.conf in a forwarder inside a Docker container python:3.11-slim-bullseye that has three stanzas that execute a script with arguments. One stanza sends the data to development and runs every two minutes, and the other two send the data to production, one running every minute and the other every two minutes. We have noticed that during a period of time last night, we did not receive any data from the forwarder. Regarding the development stanza, it's correct as the machine was being patched, and Splunk was stopped just during that period. We have observed that during those hours, the forwarder did not execute any scripts. During that time frame, we found these traces in the watchdog.log file of the forwarder:

    02-05-2024 20:02:18.220 +0000 ERROR Watchdog - No response received from IMonitoredThread=0x7fabb87fec60 within 8000 ms. Looks like thread name='ExecProcessor' tid=1937852 is busy !? Starting to trace with 8000 ms interval.

Could you please help me understand why the forwarder did not execute any scripts during that time frame? Thank you very much. Best regards.
Colleagues, hi all!! Can you give me some advice on editing dashboards? I have 4 static tables, and I need to arrange them so that the first three are on the left and go in order, and stretch the right one so that it is large and long and there is no empty space. I tried to play around with the XML somehow, but to no avail. The XML itself is in the file. If this can be done at all; if not, sorry for such a question! Thanks to all!

    <form>
      <label>Testimg</label>
      <row>
        <panel depends="$alwaysHideCSS$">
          <title>Настройка по ширине</title>
          <html>
            <style>
              #test_1{ width:50% !important; }
              #test_2{ width:50% !important; }
              #test_3{ width:50% !important; }
              #test_4{ width:50% !important; }
            </style>
          </html>
        </panel>
      </row>
      <row>
        <panel id="test_1">
          <title>Table 1</title>
          <table>
            <search>
              <query>| makeresults count=10 | eval no=5 | table no</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
      <row>
        <panel id="test_2">
          <title>Table 2</title>
          <table>
            <search>
              <query>| makeresults count=10 | eval no=6 | table no</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
        <panel id="test_3">
          <title>Table 4</title>
          <table>
            <search>
              <query>| makeresults count=10 | eval no=20 | table no</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
          </table>
        </panel>
      </row>
      <row>
        <panel id="test_4">
          <title>Table 3</title>
          <table>
            <search>
              <query>| makeresults count=10 | eval no=7 | table no</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
          </table>
        </panel>
      </row>
    </form>
I’m reaching you by submitting this community thread because we are stuck deploying the premium app IT Service Intelligence on Splunk Enterprise on prem. Below are the troubles we ran into despite following the installation steps:
• I stopped the splunk service
• I extracted the ITSI .spl package according to the documentation
• I ran the services, but the splunkd component wasn’t able to activate the appserver and so the web server

Digging either into web_service.log or mainly into splunkd.log, I‘ve found these entries:

    01-26-2024 17:26:50.164 +0000 ERROR UiPythonFallback [115369 WebuiStartup] - Couldn't start any appserver processes, UI will probably not function correctly!
    01-26-2024 17:26:50.164 +0000 ERROR UiHttpListener [115369 WebuiStartup] - No app server is running, stop initializing http server.

So I proceeded to stop the services, uninstall the app component folders and their index storage repositories (according to the docs); then I ran the services again and all components including the web service worked fine.

We‘ve deployed Splunk Enterprise on Ubuntu Server (the relevant package is splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb) and downloaded the ITSI app from its Splunkbase link https://splunkbase.splunk.com/app/1841

Could you provide some hints about it? We'd like to verify some ITSI features as soon as possible.

Thanks in advance and regards,
Luigi
Hi Team, our Splunk is hosted in Cloud. My requirement is that if an index is getting created then I need to get an alert, and similarly if an index is getting deleted from the Search head I need to get an alert. So kindly help with the query.
Hi, I have a connection in Splunk DB Connect on my HF (connected to my SH, and I know the connection is stable and other sources reach my SH from the HF), but data is not populated in my index (I also tried connecting to a new index=database on my SH and HF and restarting, and it did not work).
Hi all, we get this error:

    Analytics service unavailable: Host "10.10.240.102" returned code 401 with message 'Status code: [401], Message: HTTP 401 Unauthorized'. Please contact support if this error persists.

Even though I make sure that analytics.accountAccessKey is the same as ad.accountmanager.key.eum, which is the same as appdynamics.es.eum.key from the admin console.