Hi folks, Happy new year to you all :-) In my org the Splunk deployment is as follows: Heavy forwarders running (HF1, HF2) > Collecting data from directories, HTTP > Sent to Splunk Cloud (2 search heads). Case: We have the Active Directory add-on on HF1 > which establishes a connection to AD > writes a CSV file in var/* of the host and > is being indexed to the cloud. The admin said we have an input which writes data to index=asset_identity: I AM NOT SURE WHAT THE ADMIN WAS REFERRING TO? IS IT A CONF FILE ON HF?
Hello all, I am trying to blacklist this app that is generating a ton of Windows Event logs; till I find what app it is and uninstall it. This is for HP's DesktopExtension.exe. The weird thing is that it is only running on about 30 devices. Here is the current section in inputs.conf:

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode=4673 ProcessName="*\\DesktopExtension.exe*"
renderXml=false
index=oswinsec

However, even after restarting the Splunk forwarder the events still appear. I verified one of the hosts has the correct inputs.conf. I have also tried:

blacklist3 = EventCode=4673 ProcessName="C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe""

Here is an example of the log/event:

LogName=Security
EventCode=4673
EventType=0
ComputerName=*********
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=10115718
Keywords=Audit Failure
TaskCategory=Sensitive Privilege Use
OpCode=Info
Message=A privileged service was called.

Subject:
Security ID: *****************
Account Name: ****************
Account Domain: ***********
Logon ID: ****************

Service:
Server: Security
Service Name: -

Process:
Process ID: 0x6604
Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe

Service Request Information:

Any tips?
I am getting the count of each interface, but I need it date-wise as in the example below. Please help me modify my query.
One for the search query from Splunk AWS:

index="aws_cloud" | search eventname="value1" OR "value2" OR "value3"

The above search query is giving the events for all of the above searched values, but is also giving one more value which I didn't search for: eventName: LookupEvents ==> getting this field and value which I didn't search for.
I am new to Splunk, and need help configuring the log files collected from my honeypot to be sent to my monitoring VM. They are on the same network and can ping each other. The source is acknowledged via the Splunk dashboards, but I'm not sure which VM I am supposed to edit the input and output configuration files on, or what other edits are needed.
I want to get the list of summary indexes configured in Splunk. Please help me with queries to get the summary index and sourcetype.
Hello, When I try to sample data for the WinEventLog sourcetype in Ingest Actions I get an error message:

"No results found. Try expanding the time range."

Expanding the query I see Splunk using the following, and manually running this query does not return any results either:

index=* OR index=_* sourcetype="WinEventLog" | where sourcetype="WinEventLog" | head 100

However, I do get results when I manually run either:

index=* OR index=_* | where sourcetype="WinEventLog" | head 100

OR

index=* OR index=_* sourcetype="WinEventLog" | head 100

Can someone please explain why the first query may not be working? Is there a different way I should be working with the WinEventLog sourcetype in Ingest Actions? Thanks in advance for your help!
Permission Exception while updating rule: User doesn't have CONFIG_TRANSACTION_DETECTION on tier sgh-oaas-broker. I'm getting this error while trying to create a new transaction detection rule [AppDynamics]. How can I get this permission?
Hi friends, Could anyone please help me in parsing these events and this use case (whenever we launch RDP/proxy from Secret Server we are seeing some drop in the connection, like one for the client and another for the user) out of these events? How can we extract the relevant fields to make a search out of these events?

1. Sample event:

2024-01-02 10:04:01,420 [CID:] [C:] [TID:151] ERROR Thycotic.RDPProxy.CLI.Session.ProxyConnection - Error encountered in RDP handshake for client xx.xx.xx.xx:53475 - (null) System.Exception: Assertion violated: stream.ReadByteInto(bufferStream) == 0x03 at Thycotic.RDPProxy.ContractSlim.Assert(Boolean condition, String conditionStr, String actualStr) at Thycotic.RDPProxy.Readers.ConnectionRequestProvider.ReadConnectionRequest(Stream stream, AuthenticationState clientState) at Thycotic.RDPProxy.CLI.Session.ProxyConnection.<DoHandshakeAndForward>d__20.MoveNext()

2. Sample event:

2024-01-02 09:27:42,911 [CID:] [C:] [TID:137] ERROR Thycotic.DE.Feature.SS.RdpProxy.EngineRdpProxySessionService - An error was encountered while attempt to fetch proxy credentials for user 'Jhoncena' - (null)

Thanks
Hi all, I am very new to Splunk and trying to avoid sending metrics to Splunk from the sc4s container. Memory consumption is really growing to > 250Mb and we use sc4s only for sending ~100 lines every 10m, so metrics are really not necessary for us. I have tried to set the syslog-ng source s_internal to a null destination but can't make it work. Any advice would be greatly appreciated. Thank you very much, Daniel
I've read the documentation for inline field extractions and I don't see what I'm doing wrong here. I've added a props.conf file to my test app with the following:

[emm_syslog]
LINE_BREAKER = ([\r\n]+)
category = Application
disabled = false
EXTRACT-emm_syslog = <(?<priority>[\d]+)>\d (?<timestamp>\S+) (?<hostname>\S+) (?<app_name>\S+) (?<proc_id>\S+) (?<msg_id>\S+) \[(?<sd_id>\S+) auditType=\"(?<audit_type>\S+)\" tenantId=\"(?<tenant_id>\S+)\"\] (?<message>.*)

This regex matches my test event on regex101.com:

<135>1 2024-01-02T14:34:51.429Z TestServer EMM_Console 9176 FULL [emmAudit@18060 auditType="Console" tenantId="EMM"] "Console","2024-01-02T14:34:51.429+00:00","username","127.0.0.1","","CCON0030","Admin Login",,"Info","SUCCESS","0",,"Admin User Login Success (HTTPS)"

Within the Search app, however, none of these capture groups are extracted. Am I doing something obviously wrong here, or how should I proceed with troubleshooting?
Hi, Is it possible to 1st export OTEL data to a file (or something) and 2nd import that file to a new Splunk install? We have a cluster with 3 INDEXERS and I want to export specific host data out of it and import it to a Test and Development install. Is this possible? @js15 Regards, Robert
On our Monitoring Console, on the "Overview", it does not display any metrics under "Resource Usage" for each of the categories "Indexers", "Search Heads", etc. It's not the browser; I have tried from different computers, same problem. No WARN or ERROR messages on the host, no errors in the "Setup" page, and CPU/RAM utilization is extremely low. Has anybody else experienced this?
Hello community, I am having a problem displaying a graph. I have an index that contains incidents from several monitoring tools. I need to pull up a top 10 of the most recurring alerts (that's done). However, on this top 10, I am asked for a graph to show the evolution of the number of errors in this top per week (in order to see, for example, when a fix has been deployed). And this is where I encounter a problem: in my query, I have my top 10 but I have an OTHER which brings together everything that is after the top 10. Here is the query that causes this graph:

index=oncall_prod | search routingKey != "routingdynatrace_cluster" | dedup incidentNumber | rename entityDisplayName as Service | timechart span=1w count by Service | sort - count limit=10

I tried to use "head" or "top" to force the display of the first 10 results only, but in the case of "head" it doesn't change anything, and in the case of "top" my screen remains empty. I've searched the forum and it's often these two answers that come up, but in my case it doesn't work. Do you know how to remove the OTHER to only have the first 10 results in my graph? Sincerely, Rajaion
Hello Everyone, I'm attempting to search for queries in Splunk Free Edition. However, it worked well for some time, and then I got the error "Search has been terminated. This is most likely due to a lack of recollection." This occurs rather frequently. I created a free AWS instance using the Linux platform. Please suggest any solutions for these problems. (I've included a screenshot for reference.)
We are trying to create a dashboard to understand the usage of our application version, something like shown below:

Application Name: sgs
Version: 1.0.18

When we search for a particular index "sgs1.0.18*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" we get the result below:

uri="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", SERVICE_PREFIX="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", path="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", resourceMethod="get", HTTP_METHOD="get", resourceUri="api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106"

Could you please help us by giving a sample Splunk query to achieve the results. Thanks
Hello Splunk Members, I need some help on the queries below:

- How many calls (read/writing) can we make in Splunk in a given time period (per second)? (Default setting in Splunk. Is it configurable? Max/Min value and how is it calculated?)
- How much data in a given time period? MB/GB? Is it changeable? Min/Max value?
- How fast can we make the next insertion? Is there a delay or is it simultaneous? Would this be causing any data loss if there is any connectivity failure or downtime?
- When using Splunk Enterprise in general and by using the HEC method, is there any difference?

Thanks in Advance for
Good morning, I'll explain my case: I have a Splunk tenant that belongs to a big company with branches in three zones. Each branch should only see the data of its zone. The indexes are constructed in the form zone_technology, for example, eu_meraki. Knowing this, I have created a series of alerts, which are shared across all the areas, and search in all the indexes. How could I make it so that the warning email, when the alert is triggered, only reaches the contacts of one area? Thank you
I am using a single universal forwarder on my Windows machine to send a log file to my Splunk host machine deployed on Ubuntu. The problem is that there were 3 log events initially in the file, and Splunk read those events and displayed them on the dashboard. But when I appended the same file and added 10 more events manually, the dashboard is giving out 16 log events when there are only 13 events in the log file. It is reading the first three logs twice. How do I resolve this issue?