I edited the conf files on my local server before deploying, so I know they are all identical. I have 5 servers. I copied the Splunk_TA_nix folder to apps. 3 of the 5 have data showing up for the new "os" index. splunkd.log, in fact the whole splunk/log folder, didn't have any errors. But it also didn't have any mention of "idx=os" on the missing servers. I ran some of the scripts in Splunk_TA_nix/bin in debug mode. No errors. What log file or index do I check to debug the issue?
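Added example (not from the original post): three searches that narrow down where a Splunk_TA_nix scripted input stops. A universal forwarder sends its own splunkd.log to index=_internal, so the forwarders' logs can be searched centrally; whatever a scripted input writes to stderr is logged there under component=ExecProcessor, and an indexer that receives data for an index it does not have logs a "received event for unconfigured/disabled/deleted index" warning. The first search shows which hosts and sourcetypes have actually arrived in index=os, the second pulls the script error output for the two silent forwarders, and the third checks whether the indexers are dropping data for a missing index. The host names srv04 and srv05 are placeholders for the two servers that are not reporting.

```spl
| tstats count, latest(_time) AS last_seen
    WHERE index=os BY host, sourcetype
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort host, sourcetype

index=_internal sourcetype=splunkd host IN (srv04, srv05) component=ExecProcessor
| rex "message from \"(?<script>[^\"]+)\""
| stats count, latest(_time) AS last_seen, latest(_raw) AS last_message BY host, script, log_level

index=_internal sourcetype=splunkd "unconfigured/disabled/deleted index"
| rex "index=(?<missing_index>\S+)"
| stats count, latest(_time) AS last_seen BY host, missing_index
```

If the ExecProcessor search returns nothing for a host, the script is probably not running at all rather than failing: the inputs shipped in Splunk_TA_nix/default/inputs.conf are disabled=1 and have to be enabled stanza by stanza in Splunk_TA_nix/local/inputs.conf, so diffing that file between a working and a non-working server is the next check, and `splunk btool inputs list --debug` on the forwarder shows the merged result together with the file each setting came from.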
Hi, I was waiting in the queue for 2 hours to take the exam for the Splunk Cyber Defense Analyst certification, but on VUE I got an error/was disconnected for some reason. It is no longer allowing me to take the exam.
Hello everyone, I'm working on a project, "Splunk Enterprise: An organization's go-to in detecting cyber threats". Please, how/where can I get datasets and logs that I will use for my project?
Hi, I'm currently working on obtaining Windows Filtering Platform event logs to identify the user responsible for running an application. My goal is to enhance firewall rules by considering both the application and the specific user. To achieve this, I've set up a system to send all logs to Splunk, which is already operational. However, I've encountered an issue with WFP event logs not displaying the authorized principal user who executed the application. This absence of user information makes it challenging to determine who used what application before I can further refine the firewall rules. If you have any insights or suggestions on how to address this issue, I would greatly appreciate your assistance. I can readily access various details such as destination, source, port, application, and protocol, but the missing username is a crucial piece of information I need. Thank you for any guidance you can provide.
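Added example (not from the original post) of the correlation that supplies the missing user. Event 5156 (WFP permitted a connection) carries the application path and the process ID but no account; event 4688 (process creation) carries the process ID and the subject account. Joining the two on host and PID attributes each connection to the user whose process made it. Field names are those produced by the Splunk Add-on for Microsoft Windows for the classic (non-XML) event rendering, and the index name is an assumption; note that 4688 writes New_Process_ID in hex while 5156 writes Process_ID in decimal, so both are normalised before the join.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode IN (4688, 5156)
| eval pid=case(EventCode==4688, tonumber(replace(New_Process_ID, "^0x", ""), 16),
                EventCode==5156, tonumber(Process_ID))
| eval exe=coalesce(New_Process_Name, Application_Name)
| eval subject_user=if(EventCode==4688, mvindex(Account_Name, 0), null())
| sort 0 _time
| streamstats last(subject_user) AS user BY host, pid
| where EventCode=5156
| table _time, host, user, pid, exe, Direction, Source_Address, Source_Port, Destination_Address, Destination_Port, Protocol
```

Audit Process Creation has to be enabled for 4688 to exist at all, and a process that started before collection began has no 4688 to match, so user stays empty for those rows. PIDs are reused, which the streamstats handles by carrying forward the most recent 4688 for the same host and PID in time order (hence the ascending sort). If Sysmon is an option, its Event ID 3 (network connection) records the user directly and removes the need for the join.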
Greetings, I am struggling with creating a table in Splunk which would do the following transformation: find the distinct count of id for A, B, and C where the value is 1, by month. Currently, I am calculating values for each column individually using eventstats and combining the results. However, we have a lot of columns (a, b, c, d, ...) and thus the SPL does not perform efficiently. Looking for a more efficient approach to this. Thanks in advance!
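Added example (not from the original post) of the single-pass approach: replace each column with the id when the column is 1 and with null otherwise, then take one distinct count per column in a single stats call, bucketed by month. The index name myindex is a placeholder; A, B and C are the column names from the question.

```spl
index=myindex
| bin _time span=1mon
| foreach A B C [ eval <<FIELD>>=if('<<FIELD>>'==1, id, null()) ]
| stats dc(A) AS A, dc(B) AS B, dc(C) AS C BY _time
| eval month=strftime(_time, "%Y-%m")
| table month, A, B, C
```

dc ignores null values, which is what makes the if/null() substitution work. foreach accepts wildcard patterns, so with columns that share a prefix (col_a, col_b, ...) the subsearch is written once as `foreach col_* [ ... ]`, and stats functions accept the same wildcards (`| fields _time col_* | stats dc(*) AS * BY _time`), so the search stays the same length however many columns are added.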
Hello guys! I have spent a month trying to forward my logs from iMacs using the UF with the following format:

Resources,line,data,process
2023-09-30T06:35:02,"Scanned disks....... "
2023-09-30T06:35:02,User: ......
2023-09-30T06:35:02,...........
2023-09-30T06:35:02,............
2023-09-30T06:35:02,Time of completion: ..........

but when the log gets into Splunk it only shows the first row:

Resources,line,data,process

and the rest of the log reaches Splunk 6 hours later. I've added the following rule in props.conf but it is still failing. Path: /Applications/SplunkForwarder/etc/system/local/props.conf

[name_of_my_sourcetype]
CHARSET=UTF-8
TIME_FORMAT=%Y-%m-%dT%H:%M:%S,
TIME_PREFIX=^
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TZ=America/Mexico_City
disabled=false

Every change I make, I always restart the Splunk forwarder using ./splunk restart. I have no access to the Splunk server (SSH), but if needed I could try to make some configurations, but I do not know where.
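Added example (not from the original post): two alternative props.conf stanzas for the log format above. The point that matters for a universal forwarder is where each setting takes effect. LINE_BREAKER, SHOULD_LINEMERGE, TIME_PREFIX, TIME_FORMAT and TZ are parsing settings that a universal forwarder does not apply to a plain monitored file; they are read by the first full Splunk instance in the path (indexer or heavy forwarder), so placing them in the forwarder's system/local/props.conf changes nothing. INDEXED_EXTRACTIONS, on the other hand, is applied on the forwarder itself, and for a CSV with a header row it is the simpler route. The stanza name is the one from the question; the app directory names are placeholders.

```ini
# File 1 (universal forwarder): /Applications/SplunkForwarder/etc/apps/<your_app>/local/props.conf
# INDEXED_EXTRACTIONS is applied by the forwarder itself. The header row
# becomes the field names and is not indexed as an event; each following
# line becomes one event with its timestamp taken from the first column.
[name_of_my_sourcetype]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
HEADER_FIELD_LINE_NUMBER = 1
TIMESTAMP_FIELDS = Resources
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TZ = America/Mexico_City
CHARSET = UTF-8

# File 2 (indexers or a heavy forwarder, NOT the universal forwarder):
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# Use this instead of File 1 to keep the data unstructured. Every line carries
# its own timestamp, so line merging is switched off and each line is one
# event; the header row then indexes as a timestamp-less event that is given
# the time of the previous event from the same source (or the current time).
[name_of_my_sourcetype]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TZ = America/Mexico_City
CHARSET = UTF-8
```

Whichever file is used, the stanza has to match the sourcetype set on the input in inputs.conf, and the forwarder (File 1) or the indexers (File 2) need a restart or a config reload before it is honoured; an app under etc/apps rather than etc/system/local keeps the setting visible to whoever manages the indexers.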
I want to allow the user to change/switch the nav bar by clicking a button on the setup page. What is the easiest way to create a setup page (html + js) that changes the app's navigation menu bar (nav/default.xml)? From:

<nav>
  <view name="summary"/>
  <collection label="NEW">
    <view name="summary_new"/>
  </collection>
</nav>

to:

<nav>
  <view name="summary_new"/>
  <collection label="OLD">
    <view name="summary"/>
  </collection>
</nav>

Currently the user must use the UI to create a custom navigation setting (by creating local/data/ui/nav/default.xml).
How do I migrate dashboards and alerts from an older standalone search head to a new standalone search
Hi all, I am trying to develop a custom Python script and I want to pass parameters from Search to my script. Can I do it? For example, my script name is compare (already registered on the search head), and it needs 2 parameters to work, like: | makeresults a=1 | compare file1.csv file2.csv (file1.csv and file2.csv are the parameters). Thanks so much.
I'm in General Settings. I enabled SSL (HTTPS) in Splunk Web. I restarted Splunk. It reads "Unable to connect". There was a "Warning: Potential Security Risk Ahead" page because it is a self-signed certificate. I pressed the "Go Back" button (Recommended) when I should have pressed "Advanced" and "Continue". Now all I get is a window that reads "Unable to Connect". The "Warning: Potential Security Risk Ahead" window is no longer available. I can't press "Advanced" and "Continue". What do I do? I can't access Splunk. It says the connection was reset.
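Added example (not from the original post) of where the setting that was flipped actually lives, so that it can be reverted, or pointed at a proper certificate, without the web UI. Enabling SSL in General Settings writes enableSplunkWebSSL into web.conf under $SPLUNK_HOME/etc/system/local; after the restart the port only speaks TLS, and a browser that still sends plain http:// to it (an old tab, a bookmark, the address-bar history entry) gets no page at all and typically reports the connection as reset instead of showing the certificate warning again. The certificate paths are placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/web.conf on the host that runs Splunk Web.
# "Enable SSL (HTTPS) in Splunk Web" under General Settings sets this key;
# from then on port 8000 answers only to https://<host>:8000.
[settings]
enableSplunkWebSSL = true
httpport = 8000

# Recovery without the UI: either set enableSplunkWebSSL = false here and
# restart ($SPLUNK_HOME/bin/splunk restart), or leave it on and browse to the
# https:// URL explicitly, accepting the self-signed certificate when the
# warning page is shown again.

# Placeholder paths: point these at a CA-issued certificate and its key so the
# browser warning goes away for good. Left unset, Splunk serves the generated
# self-signed pair from $SPLUNK_HOME/etc/auth/splunkweb/.
# serverCert = /opt/splunk/etc/auth/mycerts/splunkweb.pem
# privKeyPath = /opt/splunk/etc/auth/mycerts/splunkweb-key.pem
```

Clicking through the warning only silences the browser for that certificate; the connection is encrypted but not authenticated, so a certificate issued by a CA the browsers already trust is the end state to aim for, not an optional extra.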
Every day the list of sources Admins are responsible for gets bigger and bigger, often making the task of creating data ingestion plans seem daunting. But with proper implementation of the Splunk Deployment Server, it doesn't have to be! Join this Tech Talk to learn the essential knowledge required for ingesting and managing any variety of data sources in Splunk, regardless of their origin or scale. Consider this your "Deployment Server: 101" essentials crash-course. Plan to leave this session with fundamental knowledge that arms you with everything you need to become a Splunk Deployment Server Guru.
Key Takeaways:
- Splunk Deployment Server Setup
- Foundations of API/HEC, Forwarder, and TCP/UDP Based Ingestion
- Creating and Managing Deployment Server Classes
- Developing a Scalable and Flexible Data Ingestion Plan
This Tech Talk features demos around our latest release of Splunk Enterprise Security 7.2! We'll walk through our new capabilities that deliver an improved workflow experience for simplified investigations; enhanced visibility and reduced manual workload; and customized investigation workflows for faster decision-making. You'll also hear from the Splunk Threat Research Team, who will discuss the latest security content updates that make Splunk Enterprise Security more powerful and protect you from the latest threats.
Highlights:
- Learn about the new improvements and features requested directly from Splunk Enterprise Security users, submitted through the Splunk Ideas portal
- Simplify your workflow experience while reducing manual workloads and increasing the speed of investigation and response
- Integrate top-tier detections and defenses into your security operations using the latest security content to find and remediate threats faster
Hi Team, in my Splunk environment (Universal Forwarder), after updating the SSL certificate I'm getting these errors in the Splunk UI. How can I overcome this error? I'm attaching screenshots here; please could you help with this?
We ran into this known issue with the AD servers having indexing delays of a couple of days when enabling evt_resolve_ad_obj. What confuses us is the fact that a UF restart backfills days of missing security data, and since the restart, we can have a week where there are no delays. Why does the restart manage to do this backfill?
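Added example (not from the original post): a search that measures collection delay for Security events per host and hour, so that the effect of evt_resolve_ad_obj (which resolves the SIDs in each event against Active Directory at collection time, and is set per stanza in inputs.conf, e.g. under [WinEventLog://Security]) and of a forwarder restart can be seen instead of guessed. _time is the event's generation time on the domain controller and _indextime is when the indexer wrote it, so the difference is the end-to-end lag. The index and sourcetype names are assumptions.

```spl
index=wineventlog sourcetype="WinEventLog:Security" earliest=-7d
| eval lag_s=_indextime - _time
| bin _time span=1h
| stats count, max(lag_s) AS max_lag_s, perc95(lag_s) AS p95_lag_s BY _time, host
| eval max_lag_h=round(max_lag_s / 3600, 1), p95_lag_h=round(p95_lag_s / 3600, 1)
| where max_lag_h > 1
| sort 0 - max_lag_h
```

A restart shows up in this table as an hour with a very large count and a max_lag of days followed by hours with lag near zero, which is the backfill pattern described in the question. From a detection standpoint the lag itself is the finding: a correlation search with a 15-minute window never sees an event that arrives two days late, so hosts with sustained lag should be alerted on in their own right, not only fixed.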
Hi, and sorry if this question was already answered in any other thread. Thanks in advance for the help. I had an index whose current size was over 10 GB; to delete the data I tried to reduce its max size and searchable retention. My question is what is going to happen with the data? Will it be deleted from the servers or archived? I am confused because I am seeing the event count stuck at the same value as it was before changing the retention config.
Previous index config: Current Size 10 GB, Max Size: 0, Event Count: 10M, Earliest Event: 5 Months, Latest Event: 1 day, Searchable Retention: 365 days, Archive Retention: blank, Self Storage: blank, Status: enabled.
Then, I changed the parameters "Max Size" to "200 MB" and "Searchable Retention" to "1 Day". Besides, when running the following query, I see the warm storage size pretty much the same (bouncing a few MBs).

| dbinspect index=_internal *<index-name>* | stats sum(sizeOnDiskMB) by state

Any help greatly appreciated.
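Added example (not from the original post): a dbinspect search that shows why the event count can stay unchanged after a retention change. Splunk ages data out by bucket, not by event: a bucket is frozen (deleted, unless a frozen-archive destination is configured, which in Splunk Cloud is the Archive Retention or Self Storage setting and on your own indexers coldToFrozenDir or coldToFrozenScript in indexes.conf) only when its newest event is older than the searchable retention, and the hot bucket is never frozen. A bucket holding events from five months ago up to yesterday therefore stays whole until its newest event is a day old; the size limit likewise removes whole buckets, oldest first, only once the index exceeds it. The search reports, per bucket state, the age of the newest and oldest event so the two rules can be checked against the actual buckets. The index name myindex is a placeholder.

```spl
| dbinspect index=myindex
| eval newest_age_days=round((now() - endEpoch) / 86400, 1),
       oldest_age_days=round((now() - startEpoch) / 86400, 1)
| stats count AS buckets, sum(sizeOnDiskMB) AS mb, sum(eventCount) AS events,
        max(oldest_age_days) AS oldest_event_age_days,
        min(newest_age_days) AS newest_event_age_days BY state
```

If every state shows newest_event_age_days well under the retention you set, nothing is eligible to freeze yet and the counts will not move; if the data must go now, deleting it by search (the delete command, which needs the can_delete role and only hides events rather than reclaiming disk) or, on your own indexers, splunk clean eventdata for that index are the options, and the second one is irreversible.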
Hello, my name is Richie Martinez. I'm in my last year of undergrad school studying computer science. I currently work as a CSOC cyber analyst intern at Pacific Northwest National Labs and I'm working on a project to create discrete alerts for EC2 VMs, IAM identity findings and S3 storage buckets. AWS organizes Findings into three categories:
- EC2 - VMs
- IAM - identity findings
- S3 - storage buckets
Eventually, the PNNL CSOC may create additional discrete alerts for each of those categories, but for now, a single "catch-all" alert is utilized to fold the Findings into the CSOC's workflow. Any help for this project would be greatly appreciated. Thank you, Richie Martinez richie.martinez@pnnl.gov
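Added example (not from the original post) of a base search that sorts findings into the three categories named above, on the assumption (the post does not say) that these are Amazon GuardDuty findings delivered through EventBridge and ingested with the Splunk Add-on for AWS, where each finding arrives under a detail object whose resource.resourceType is Instance, AccessKey or S3Bucket. The index and sourcetype names are assumptions, as is the severity threshold. The catch-all alert and the later per-category alerts can share this search and differ only in a final filter.

```spl
index=aws sourcetype="aws:cloudwatch:guardduty" earliest=-15m
| rename detail.id AS finding_id, detail.type AS finding_type, detail.severity AS severity,
         detail.title AS title, detail.accountId AS account_id, detail.region AS region,
         detail.resource.resourceType AS resource_type
| dedup finding_id
| eval category=case(resource_type=="Instance", "EC2",
                     resource_type=="AccessKey", "IAM",
                     resource_type=="S3Bucket", "S3",
                     true(), "Other")
| eval sev_label=case(severity>=7, "High", severity>=4, "Medium", true(), "Low")
| where severity>=4
| table _time, category, sev_label, severity, finding_type, title, account_id, region, finding_id
```

GuardDuty re-emits a finding each time it is updated, which is why the search dedups on the finding id before alerting; the per-category alerts are the same search with `| search category=EC2` (or IAM, S3) appended, and the "Other" bucket is worth keeping visible so that resource types outside the three (EKS, Lambda, RDS and so on) do not silently fall out of the workflow.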
Query to output missing data in lookup file. I have a lookup file with the below data:
country_name
--------------------
Brazil
Norway
My index search returns the below data for the field country_name:
Brazil
Norway
Spain
How do I write a query (using join or append) to output only "Spain" in the results? Thanks!
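Added example (not from the original post), using append as the question suggests, that reports differences in both directions in one search: values seen in the index but absent from the lookup (Spain, in the data above) and values in the lookup with no events. The index name myindex and the lookup file name countries.csv are placeholders.

```spl
index=myindex country_name=*
| stats count BY country_name
| eval in_index=1
| append [ | inputlookup countries.csv | eval in_lookup=1 ]
| stats max(in_index) AS in_index, max(in_lookup) AS in_lookup, sum(count) AS count BY country_name
| where isnull(in_index) OR isnull(in_lookup)
| eval missing_from=if(isnull(in_lookup), "lookup", "index")
| table country_name, count, missing_from
```

If only the index-to-lookup direction is needed, `| lookup countries.csv country_name OUTPUT country_name AS in_lookup | where isnull(in_lookup)` placed after the first stats does the same without a subsearch, which also sidesteps the row limit that append's subsearch is subject to. Lookup matching is case-sensitive by default, so "spain" and "Spain" would be reported as different values.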
I have error logs like the below. How can I write a rex query to match both logs and extract only the message after the first colon (:)? Thanks.
Sample log lines:
Script exception for job id 'ABc12345' : Too many rows: 500.
Script exception for job id 'XyZ78943' : Too many DMLs: 20.
Results should be:
Too many rows: 500.
Too many DMLs: 20.
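Added example (not from the original post), run against the two sample lines embedded with makeresults so it can be pasted into any search bar. Anchoring the pattern on the fixed prefix and the quoted job id, rather than on "the first colon", keeps the extraction from matching unrelated lines and captures the job id as a bonus; the trailing .+ is greedy, so colons inside the message (Too many rows: 500.) are kept intact.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(n==1, "Script exception for job id 'ABc12345' : Too many rows: 500.",
                 n==2, "Script exception for job id 'XyZ78943' : Too many DMLs: 20.")
| rex field=_raw "^Script exception for job id '(?<job_id>[^']+)'\s*:\s*(?<message>.+)$"
| table job_id, message
```

Against real data, replace the first three lines with the index search (for example `index=myindex "Script exception for job id"`, index name assumed). A pattern that literally means "after the first colon", `^[^:]*:\s*(?<message>.+)$`, also works on these lines but would happily match any line containing a colon, which matters once the sourcetype carries other messages.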
I need to create a dashboard which will update the data or field values in a CSV or lookup file, as we have many field names with dynamic values and also empty values. So what we need is: if we make any changes in the dashboard, they should be reflected in the lookup table, and the fields will be dynamic here; in the dashboard we could have text boxes to update the fields.
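Added example (not from the original post) of the search a dashboard can run from a submit button to upsert one row of a lookup from text-box values: drop the existing row for the key, append the new one, and write the file back. The lookup name asset_owners.csv, its columns (hostname, owner, notes) and the tokens host_tok, owner_tok and notes_tok are assumptions. The |s token filter wraps each value in double quotes and escapes any quotes inside it, which is what stops a value typed into a text box from breaking out of the string and changing the search that is executed with the dashboard user's permissions.

```spl
| inputlookup asset_owners.csv
| where hostname!=$host_tok|s$ OR isnull(hostname)
| append [ | makeresults
           | eval hostname=$host_tok|s$, owner=$owner_tok|s$, notes=$notes_tok|s$
           | fields - _time ]
| fillnull value="" owner notes
| outputlookup asset_owners.csv
```

outputlookup rewrites the whole file, so this search belongs behind a submit button (a search driven by the submitted tokens, not one that runs on page load), and the lookup has to be shared to the app with write permission for the dashboard's role. Columns the dashboard does not know about survive because inputlookup reads them and outputlookup writes back every field present; fillnull keeps the appended row from leaving the named columns empty, which is the "empty values" case in the question.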
Hi all, I have two jobs in different applications. Both jobs get results in Splunk search, BUT one of the jobs always shows the field resultCount=0.
| rest /services/search/jobs/xx__xx_c3BsdW5rLWRhc2hib2FyZC1hcHAtMg__getter_1695998843.535512 splunk_server=local | fields resultCount
Do I need to do something in my app in order to see the resultCount field? The jobs are generated by JavaScript, with a very similar script between apps, just changing the search. I'm running version 9.0.6; in the last version, 8.2.8, I always saw the resultCount.