In the System Center dashboard, only *NIX system data is available, not Windows system data. I've already installed the Splunk Add-on for Microsoft Windows and run searches with the Inventory and Performance data models successfully. When I check the search behind the System Center dashboard, it refers to the tag All_Inventory.OS.os. When I run this search, it only returns the *NIX systems. What can I do to populate the data from Microsoft Windows into the System Center dashboard? I've found a link, but it seems to be for quite an old version: https://community.splunk.com/t5/Splunk-Enterprise-Security/Enterprise-Security-System-Center-or-Update-Center-only-have/m-p/136434
May I ask what is causing this?
We are running Splunk ES and trying to make log search and app interfaces for each company. Let's call them CompanyA, CompanyB and CompanyC. Each company has to see its own data and also its notable events in ES. As the holding company, we need to access and see all data. What is the best way to achieve this goal? Please advise.
How do I calculate the centroid of each cluster after using the KMeans clustering algorithm? I have tried the following, but none of them worked:

1 - | inputlookup iris.csv | fit KMeans k=3 petal* | eval point_size = 1 | appendpipe [| stats mean(petal*) as petal* by cluster | eval species = "Centroid: ".cluster | eval point_size = 2] | fields species petal* point_size

2 - showcentroid = t
Product Update, August 2023 (updated 11/27/2023)

In August, v23.8.x enhancements included FSO Platform Developer Support, Cloud Native Application Observability (now Cisco Cloud Observability), SaaS Controller and Agent enhancements (including SAP Agent updates), and On-premises Controller upgrades.

In this article:
• What new product enhancements are there this month? (FSO, Cloud Native Application Observability, Agents, SAP, SaaS Controller, On-premises Controller)
• Where can I find additional information about product enhancements?
• ADVISORY | Cluster Agent Dockerfiles and Charts GitHub repositories are moving
• Resolved and known issues
• What else should I know about?
• Essentials

What new product enhancements are there this month?

Each product enhancement highlights section below links to the referenced Release Notes page. Where available, links to the specific version are included.

Full-Stack Observability (FSO), Developer Support

NOTE | There is no FSO Platform release for August 2023. For Developer Support, see the 23.8 FSO Platform Developer Support Release Notes, which include details on the highlights below.

FSO Enhancements
• Access Management is live.
• New expressionVersion field available in the HealthRules template (expression version language 2). See Health Rules Schema in the FSO Developers Documentation. NOTE | Health Rules language v1 is now deprecated.
• FSO Query Service API was updated to v1.3.0, and several fields were added.

FSOC Updates

NOTE | FSOC has switched to Go 1.20. If you are building it locally, you must upgrade.

New commands include:
• fsoc config delete deletes a context from the fsoc config file
• fsoc optimize servo-logs retrieves logs for currently running Servo agents
• fsoc version recognizes locally built versions
• fsoc knowledge get supports paginated results
• fsoc solution status provides faster, parallel retrieval of status
• fsoc melt supports typed attributes
• fsoc optimize supports events, recommendations, and solution isolation
• fsoc optimize delete offboards a given optimizer from optimizing its target workload, removes the configuration, and frees up resources
• Some fsoc solution commands have improved solution isolation support through the entype parameter

Cloud Native Application Observability enhancement highlights

NOTE | See the Cloud Native Application Observability Release Notes page for a complete list of enhancements in August 2023.

App root cause analysis with Anomaly Detection (GA 23.8.23, August 25, 2023)
For entities related to BTs and Services: when you click the Anomaly Detection event on an entity's Health Violation timeline, the anomaly call paths are now highlighted on the Flow map, where you can trace call paths and examine suspected anomaly causes.

Business metrics for Business Transactions (GA 23.8.23, August 25, 2023)
Visualize business insights to understand impact. Configure additional metrics, such as Average Cart Value, Total Carts Sold, and Total Cart Value, to visually correlate performance issues with business impacts and perform segment analysis.

Cloud Services Expansion (GA 23.8.23, August 25, 2023)
Monitoring is now supported for the following cloud services:
• AWS DMS
• More Azure services, including MariaDB (single server)
• Google Cloud Platform (GCP) App Engine

Create and favorite Business Transactions (GA 23.8.23, August 25, 2023)
You can now designate favorite business transactions and also define your own, to identify and indicate which business transactions are more important to review and monitor.

Log Collection (GA 23.8.23, August 25, 2023)
The Log Collector:
• Exports additional self-telemetry metrics from Filebeat, and deprecates others. See the Release Notes for a list of the Filebeat metrics exported by default.
• Now supports deployment on the Google Kubernetes Engine (GKE) platform.

Cisco Secure Application (GA 23.8.23, August 25, 2023)
Security insights with Business Risk Scores: use the Business Risk score to proactively prevent security exploits and address vulnerabilities.

Observe service-oriented investigations (GA 23.8.23, August 25, 2023)
Share data with other Cloud Native Application Observability users, with specific values (Group View, Filter View, and Time Range) that remain the same when viewed. See Understand the Observe UI.

Kubernetes and App Service Monitoring (GA 23.8.23, August 25, 2023)
• See when a pod was created for Kubernetes entities in the Created At column of the entity list view.
• Data for specific Kubernetes types are retained for 3 weeks after the entity becomes inactive.

Updates for Collectors and Artifacts (GA 23.8.23, August 25, 2023)
• Helm charts updated for AppDynamics Collectors and AppDynamics Operator
• Orchestration Client Docker image
• OTel Docker images for Linux and Windows
• Cluster and Infrastructure Collectors Docker image

Agent enhancement highlights

NOTE | See the AppDynamics v23.8 APM Platform (SaaS) Release Notes and SAP Agent v23.8 Release Notes pages for the complete August 2023 enhancements.

Database Agent (GA 23.8.0, August 29, 2023)
You can configure policies for the following new database events: FAILOVER, DB_CONNECTION_DOWN, DB_CONNECTION_UP, REPLICATION_FAILURE. See Database Events Reference.

iOS Agent (GA 23.8.0, August 18, 2023)
When you modify the url property of the ADEumHTTPRequestTracker object, the networkRequestCallback method returns the request and response headers. Use the following fields to view them:
• allHeaderFields returns the response headers.
• allRequestHeaderFields returns the request headers.

Java Agent (GA 23.8.0, August 30, 2023)
This release includes:
• Support for OTel Java Auto-Instrumentation version 1.29.0. See Verified OTLP Open Source Versions.
• Support for Apache Kafka Streams. See Java Supported Environments.
• Upgrades to third-party components.

Machine Agent (GA 23.8.0, August 28, 2023)
A new option allows you to collect ServiceNow Configuration Management Database (CMDB) server tags. See Server Tagging. There were also bug fixes and upgrades to the third-party components aws-java-sdk-ec2, okio-jvm, and oshi-core.

.NET Agent (GA 23.8.23, August 25, 2023)
You can now designate favorite business transactions and also define your own, to identify and indicate which business transactions are more important to review and monitor.

Network Agent (GA 23.8.0, August 11, 2023)
Now with support for the IBM AIX operating system. See Install the Network Agent on AIX.

Python Agent (GA 23.8.0, August 11, 2023)
Now with support for OpenAI API monitoring. See Monitor OpenAI API with Python Agent. The JRE and proxy libraries were updated.

SAP Agent
Several SAP releases in August centered on security insights around users, systems, and connections:
• SAP user login and authorization security monitoring captures and lists potentially problematic user-based security issues, such as expired or unchanged passwords.
• SAP system security monitoring captures KPIs as metrics (such as changed parameters and dangerous commands) and lists them in out-of-the-box dashboards for quick remediation.
• SAP connection security monitoring identifies core connection metric issues within the ERP system and landscape for remediation.
See the v23.8 SAP Agent Release Notes page for the complete August 2023 AppDynamics SAP Agent enhancements. For more detail, refer to the readme.txt files in the release zip file and the individual package folders.

Other Updates
• Analytics Agent v23.8.0, August 23, 2023
• Apache Web Server Agent v23.8.0, August 30, 2023
• C/C++ SDK v23.8.0, August 11, 2023
• Database Events v23.8.0, August 11, 2023
• JavaScript Agent v23.8.0, August 11, 2023

SaaS Controller enhancement highlights

NOTE | See the AppDynamics v23.8 APM Platform SaaS Controller Release Notes page for the complete August 2023 enhancements.

Dash Studio (GA 23.8.0, August 28, 2023)
• Analytics metrics are supported by the Time Series and Metric Number widgets.
• Analytics health rules are supported by the Health widget.
See Data Binding.

License usage (GA 23.8.0, August 14, 2023)
• Application Server Agents map the vCPU count received from Azure App Services to the corresponding licenses.
• A new option allows you to disable Analytics at the node level via the Controller UI.
• The following ThousandEyes usage information is shown under License > Account Usage > Real User Monitoring Usage: a tooltip that describes individual ThousandEyes events, and the number of completed ThousandEyes measurements.

Mutual TLS support (GA 23.8.0, August 14, 2023)
The AppDynamics Controller now supports the certificate change for mutual TLS authentication. See Configure and Enable Mutual TLS Authentication.

New health rule values for critical or warning criteria (GA 23.8.0, August 14, 2023)
New values are available to define critical or warning criteria in a health rule. See Create and Configure Conditions.

Pagination in License Rule dialogs (GA 23.8.0, August 14, 2023)
Listings of applications and servers within the Add Rule and Edit Rule dialogs now include pagination, and data loading now allows infinite scrolling.

Synthetic Monitoring permission for Credential Vault monitoring (GA 23.8.0, August 28, 2023)
Includes a new permission, Manage Credential Vault, to provide granular access control for managing the Credential Vault. See Credential Vault for Web Monitoring and Credential Vault for API Monitoring.

ThousandEyes integration with BRUM (GA 23.8.0, August 14, 2023)
You can now manually unlink domains and stop data ingestion from ThousandEyes tests. See ThousandEyes Data Ingestion.

View affected entity name for failed HTTP request actions (GA 23.8.0, August 14, 2023)
When an HTTP request action fails, you can now view the affected entity name in the resulting notification. You can also access the affected entity's details with the affectedEntities predefined variable in an HTTP request template or an email template. See Predefined Templating Variables.

Other Updates
• SaaS Controller bug fixes: v23.8.1 (August 15, 2023), v23.8.2 (August 28, 2023)
• Third-party libraries upgraded in v23.8.0 (August 14, 2023): Jackson Databind, Node.js, Lodash, JSoup, esapi, owasp-java-html-sanitizer, H2 Database Engine, Velocity, Google OAuth Client Library for Java, protobuf-java, Woodstox, XStream, Apache Commons FileUpload, Logback, Spring Framework

On-prem enhancement highlights

NOTE | See the On-premises Platform Release Notes pages for v23.7 and v23.8 for a complete list of the enhancements listed below.

Dash Studio (v23.7, GA July 28, 2023)
Enhancements in late July 2023 provided more dashboarding capabilities and customization, including Metric Function, the iFrame widget, and nested variables for tiers.

Enterprise Console
Enterprise Console v23.8 includes a new version of the Events Service, 23.7.0.

EUM Server (v23.7, GA July 28, 2023)
EUM Server 23.8 includes new versions of OpenSSL and MySQL, now versions 3.0 and 8.x, respectively.

Private Synthetic Agent (v23.7, GA July 28, 2023)
This Kubernetes container-based Private Synthetic Agent reduces infrastructure requirements by eliminating the need for an external Postgres DB. See Install the Private Synthetic Agent (Web and API monitoring).

Server action suppression
Server action suppression helps prevent alert storms when you put servers in maintenance mode.

Infrastructure-based license (IBL) (v23.7, GA July 28, 2023)
New license packages confer new options to save operating costs and ease administration. See Observe License Usage and use this information to estimate your license needs.

Database visibility (v23.7, GA July 28, 2023)
See the extensive list of new database visibility features released in July 2023, extending Database Monitoring Metrics, IBM DB2, Microsoft SQL Server metrics, MySQL, Oracle Server metrics, SSL-enabled PostgreSQL DB, and more. You can also fetch the audit log for the Remove literal flag in the Controller Audit Report, in addition to changes to the UI.

Where can I find additional information about product enhancements?

In Documentation, each product category has a Release Notes page where enhancements are described in detail on an ongoing basis. Links to the most recent versions:
• Cisco Full Stack Observability
• Cloud Native Application Observability
• AppDynamics APM Platform 23.x
• On-premises AppDynamics APM Platform
• Accounts Administration
• AppDynamics SAP Agent

Resolved issues

DID YOU KNOW? You can find ongoing lists of Resolved Issues on each Release Notes page by version. Sort the list on each page by headings, including key, product, severity, or affected version(s). Find Resolved Issues by product here:
• Cisco Full Stack Observability (FSO) Release Notes
• Cloud Native Application Observability Release Notes
• AppDynamics APM Platform, Resolved Issues for Agents and SaaS Controller
• On-premises AppDynamics APM Platform
• Release Notes for Accounts and Licensing
• AppDynamics SAP Agent Release Notes

ADVISORY | Cluster Agent Dockerfiles and Charts GitHub repositories are moving

The AppDynamics Cluster Agent Dockerfiles and Charts GitHub repositories will receive maintenance support until October 31, 2023. Subsequently, the files in these repositories will be accessible through the AppDynamics download portal and the AppDynamics production Artifactory, respectively. Read more in the deprecation notices corresponding to these two GitHub repositories.

What else should I know about?

Community Updates
August brought a few updates to the Community. Our new site structure lays the foundation for a clearer information hierarchy. We hope it gives you a more intuitive way to find what you need in the Community. We also launched new avatars, a better fit for the look of the site and (we hope) a pleasing change. This Product Update series is seeing an evolution in the content layout; we'd like to make sure you can comfortably find the highlights and related resources you need. More developments are underway! The coming weeks will bring more updates, so stay tuned on News & Announcements, and please let us know what's working for you and what could improve.

University News
Sign in to AppDynamics University to access these new self-paced courses and others:
• View License Utilization and Add Users in Cloud Observability
• AppDynamics Synthetic Monitoring Overview
• IoT Application Monitoring Overview
• Customize AppDynamics IoT Dashboards
The new Uni Updates video series will be a one-stop shop for all the latest AppDynamics education news and course offerings; the first episode is now available.

Webinars in September
• Improving app performance with deep database visibility (LIVE). While more than half of application performance issues originate in the database, most application teams have little or no visibility into database performance. This webinar shows how modern DevOps teams can get that database visibility to optimize app performance. APAC: September 27 at 8:30am IST, 11am SGT, 2pm AEST. AMER: September 28 at 11am PST, 2pm EST.
• Embark on your OTel-based full-stack observability journey (ON DEMAND). Discover strategies for achieving full-stack observability across containerized, virtual, hybrid cloud native and enterprise applications with an OpenTelemetry-based solution.
• Mitigate Business Risk with Application Security (LIVE). Learn how AppDynamics Business Risk observability helps teams stay ahead of growing security attacks, gaining security and exposure intelligence with Kenna's vulnerability scoring and Cisco AppDynamics business transactions to detect, prioritize, and block risks from multiple sources.

Essentials

ADVISORY | Customers are advised to check backward compatibility in the Agent and Controller Compatibility documentation.
• Download Essential Components (Agents, Enterprise Console, Controller (on-prem), Events Service, EUM Components)
• Download Additional Components (SDKs, Plugins, etc.)
• How do I get started upgrading my AppDynamics components for any release?
• Product Announcements, Alerts, and Hot Fixes
• Open Source Extensions
• License Entitlements and Restrictions
I have configured a Splunk alert with the alert condition set to Trigger for each result. But every time I only get the alert for one of those results. Any idea why? Below is a screenshot of the alert, followed by a sample result from the alert query.
Hello Splunk Family, I am looking for help on making a graph in Splunk. I am trying to monitor the number of transactions by different method names with different objects and separate that by date. Here is an example of the data I have:

Date   Object Type  Object Name      Total Transactions
Aug 1  LibPush      Root             15
Aug 1  LibPush      ProcessQueue     12
Aug 1  LibPush      Failed           2
Aug 1  Company      ChangeConfigSet  34
Aug 1  Company      CleanUpMsg       15
Aug 1  Company      GetMsg           32
Aug 1  Company      SendMSG          13
Aug 2  LibPush      Root             15
Aug 2  LibPush      ProcessQueue     12
Aug 2  LibPush      Failed           2
Aug 2  Company      ChangeConfigSet  34
Aug 2  Company      CleanUpMsg       15
Aug 2  Company      GetMsg           32
Aug 2  Company      SendMSG          45
Aug 3  LibPush      Root             15
Aug 3  LibPush      ProcessQueue     12
Aug 3  LibPush      Failed           2
Aug 3  Company      ChangeConfigSet  34
Aug 3  Company      CleanUpMsg       15
Aug 3  Company      GetMsg           32
Aug 3  Company      SendMSG          45

The only thing is that there are a lot of Object Types and Object Names, so maybe the top 10 object types per day. Here is a lame attempt at a drawing of what I want. Here is the code I have so far:

[mycode] | bin _time span=1d | chart count(indexid) over actionelementname by actionelementtype

but it is missing the date and it is not stacked. Any help would be deeply appreciated!
I have a csv file which has data like this, and I am using

| inputlookup abc.csv | search _time >= "2023-09-10"

but it is not showing any data.

_time       client   noclient
2023-09-10  iphone   airpord
2023-09-11  samsung  earbud

How do I get the data only for the selected date, like in the above query?
How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for you, Splunk believes in human-in-the-loop, extensible, and domain-specific AI so you can feel reassured that you will stay in the driver's seat in terms of how AI is applied to your data and that it is done in a flexible and practical way. You can use Splunk AI to unlock new potential for your organization with comprehensive context and interpretation, rapid event detection, greater productivity with human-assisted automation, and so much more. In this session, discover how you can use Splunk AI to proactively accelerate detection, investigation, and response. You will learn about Splunk's rich history with machine learning and its array of AI-powered offerings. With embedded capabilities, assistive intelligence experiences, and customizable ML, you will be able to find the best AI tool for your needs whether you are just getting started or a seasoned expert. Tune in to learn about Splunk's AI approach and offerings:
• Splunk's principles and vision for AI
• Where you can use AI in Splunk products and apps
• A demo of the Splunk AI Assistant and Splunk App for Anomaly Detection
Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to access corporate resources. This usage explosion has brought browser security front and center. Google Chrome is one of the largest browsers and includes several security controls. Now, Chrome and Splunk are partnering to enhance browser security. Join this tech talk to see an overview and demo of a joint solution that delivers security use case visibility and uses the Splunk platform to automate Google Chrome control response. Key Takeaways:
• Dangers of malware, extensions, and data exfiltration
• Why it's important to protect your organization against these threats
• How to use the end-to-end solution
In my organizational environment, there are a few alerts in the enabled state. I would like to create an inventory of all the enabled alerts and their important fields on GitHub. Is there a way to automate the transfer to GitHub without requiring manual effort? All the alerts are on Splunk Cloud.
So I'm working to implement a clear filters button on a simple XML dashboard. I'm unable to do any custom JavaScript, so I've been doing all of it within the XML. I have the functionality I'm looking for using a link list input with condition changes to unset the tokens to the default, but I'm having issues with my submit button lining back up. No matter what I seem to do, I can't get the submit button to come in line with the Clear Filters "button". If anyone could help me with getting the Submit button in line with my link list input, that would be greatly appreciated. I have some instance-agnostic XML code below so you can see what I'm talking about. Thanks!

<form theme="dark">
  <label>Clear Filters</label>
  <fieldset submitButton="true">
    <input type="multiselect" token="Choice">
      <label>Choices</label>
      <choice value="*">All</choice>
      <choice value="Choice 1">Choice 1</choice>
      <choice value="Choice 2">Choice 2</choice>
      <choice value="Choice 3">Choice 3</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="link" token="Clearer" searchWhenChanged="true" id="list">
      <label></label>
      <choice value="Clear">Clear Filters</choice>
      <change>
        <condition value="Clear">
          <unset token="form.Choice"></unset>
          <unset token="form.Clearer"></unset>
        </condition>
      </change>
    </input>
    <html>
      <style>
        #list button {
          color: white;
          background: green;
          width: 50%;
          display: inline-block;
        }
      </style>
    </html>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval Message="Thanks for the help!" | table Message</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>
Hello All, I need to monitor a MongoDB replica set for its status. For this I have to run the rs.status command in the admin DB for MongoDB; this will give me JSON output, and I need to look for the replica set status in that output and trigger the alert. I appreciate any pointers on this, and if someone could take a look at the code below and provide feedback that would be helpful. This one is for triggering the alert based on a condition; I am trying to use case for this.

index=XXXX
| eval rs_status=case(status == "Primary", "OK", status == "ARBITER", "OK", status == "SECONDARY", "OK", status == "STARTUP", "KO", status == "RECOVERING", "KO", status == "STARTUP2", "KO", status == "UNKNOWN", "KO", status == "DOWN", "KO", status == "ROLLBACK", "KO", status == "REMOVED", "KO")
| sort - _time
| where rs_status="KO"

Let me know if you see any issues here.

Regards
Amit
I am looking for a Splunk Query which gives me all the enabled & disabled state use-cases. 
Business risk observability expands security visibility for cloud environments — now available on the Cisco FSO Platform Exchange

Available today — Cisco Secure Application brings real-time discovery and remediation of security threats, based on business risk scoring. With it, cross-functional teams will be able to understand the potential impact of a given risk to your business's specific environment.

What does it do?
• Correlate security vulnerabilities with application entities, quickly and easily
• Use business risk scoring to prioritize security issues
• Speed up response with prescriptive remediation guidance
• Facilitate cross-functional response

Where can I learn more about Secure Application?
Get the background on the AppDynamics Blog at Protect cloud native application environments faster, based on business risk, with Cisco Secure Application. You can also check out the Cisco Secure Application product page and download the Cisco Secure Application Datasheet. For all the "how-to" details, see Cisco Secure Application in the documentation. You'll find prerequisites, licensing and entitlements, configuration, navigation, and more.

Where can I get it?
Cisco Secure Application is available on the Cisco Full-Stack Observability Platform Exchange.
Hi, I just deployed the latest version 2 of SC4S and I sent syslog events from our Stormshield firewall. I checked and I didn't see a specific source for this firewall brand. The box is capable of sending logs in RFC5424 format over UDP/514. I did not configure a custom filter for it, and the logs are automatically recognized as UNIX OS syslog events, which is wrong: they are indexed in osnix instead of netfw. I would like to create a filter based on the source host, but I don't find any examples in the official GitHub documentation. For version 1 there are some, but I am not sure if they apply to version 2: https://splunk.github.io/splunk-connect-for-syslog/1.110.1/configuration/#override-index-or-metadata-based-on-host-ip-or-subnet-compliance-overrides Any suggestion? Many thanks.
Hello, our security team has needed an asset management tool to keep track of our hardware and software inventory with respect to our security processes and security controls. Our support team already maintains a CMDB, but it doesn't do a great job and provides almost no value as a master list or as a way to audit for gaps in security control coverage. Our team deploys a variety of tools that use agents or network discovery scans to give a partial list of asset inventories. When we do comparisons, none of them are complete enough not to have some variance between the different tools. We would like a CMDB that allows us to track our assets and our security control coverage. You cannot secure what you don't know about! One idea has been to grab asset information from all the tools using custom API input scripts and aggregate it in Splunk into one KV store table. Then we could use this table as a master list. We have the Splunk deployment clients and the asset_discovery scan results, but we also have cloud-delivered solutions for vuln mgmt, EDR, AV, MDM, etc. I wanted to reach out to the community to see if anybody else has come across this use case and if there are any resources anybody has to share, or guidance to make this idea a reality.
Running the SCMA app pre-migration checks in preparation for moving our environment to Cloud, we were notified of a number of old dashboards floating around using deprecated 'Advanced XML'. As most or all of these are no longer needed, I made the decision to delete them. However, it appears that the Search and Reporting app (where most of these dashboards reside) is not managed by our SHC deployer, and the old dashboards themselves cannot be deleted from the GUI under Settings > User interface > Views. As shown below, most dashboards (top) have a Delete option, but none of the AXML dashboards allow this action. Other than manually 'rm -rf'ing on the backend for all our search heads, is there another way I can easily delete these dashboards?
Two different sources returning data in the below format. Source 1 - Determines the time range for a given date based on the execution of a Job, which logically concludes the End of Day in Application. Source 2 - Events generated in real time for various use cases in the application. EventID1 is generated as part of the Job in Source1.

Source 1

    DATE    Start Time                End Time
    Day 3   2023-09-12 01:12:12.123   2023-09-13 01:13:13.123
    Day 2   2023-09-11 01:11:11.123   2023-09-12 01:12:12.123
    Day 1   2023-09-10 01:10:10.123   2023-09-11 01:11:11.123

Source 2

    Event type   Time                      Others
    EventID2     2023-09-11 01:20:20.123
    EventID1     2023-09-11 01:11:11.123
    EventID9     2023-09-10 01:20:30.123
    EventID3     2023-09-10 01:20:10.123
    EventID5     2023-09-10 01:10:20.123
    EventID1     2023-09-10 01:10:10.123

There are no common fields available to join the two sources other than the time at which the job is executed and at which the EventID1 is generated. Expectation is to logically group the events based on Date and derive the stats for each day. I'm new to Splunk and I would really appreciate if you guys can provide suggestions on how to handle this one.

Expected Result

    Date    Events      Count
    Day 1   EventID1    1
            EventID2    15
            EventID3    10
            -           -
            EventID9    8
    Day 2   EventID1    1
            EventID2    2
            -           -
            EventID9    18
            EventID11   6
Hello, Has anyone experienced parsing Windows Event Logs using a KVstore for all of the generic verbiage? For example - red text (general/static text associated with EventCode number and other values - this will mostly be the Message/body fields) will be entered into a KVstore; green text (values within the event) will be indexed. In the below example, there are 2,150 characters, of which, 214 characters are dynamic, and need to be indexed. The red(undant) text contains over 1,930 characters. These are just logon (4624) events. With over 11.5 million logon events per day across our environment, this is ~23 GB. If what I am asking can be/has been accomplished, we could reduce this to 2.3 GB. Thanks and God bless, Genesius

    09/11/2023 12:00:00AM
    LogName=Security
    EventCode=4624
    EventType=0
    ComputerName=<computer name>
    SourceName=Microsoft Windows security auditing.
    Type=Information
    RecordNumber=9696969696
    Keywords=Audit Success
    TaskCategory=Logon
    OpCode=Info
    Message=An account was successfully logged on.

    Subject:
        Security ID:            NT AUTHORITY\SYSTEM
        Account Name:           <account name>
        Account Domain:         <account domain>
        Logon ID:               0x000

    Logon Information:
        Logon Type:             3
        Restricted Admin Mode:  -
        Virtual Account:        No
        Elevated Token:         Yes

    Impersonation Level:        Identification

    New Logon:
        Security ID:            <security id>
        Account Name:           <account name>
        Account Domain:         <account domain>
        Logon ID:               0x0000000000
        Linked Logon ID:        0x0
        Network Account Name:   -
        Network Account Domain: -
        Logon GUID:             <login guid>

    Process Information:
        Process ID:             0x000
        Process Name:           D:\Program Files\Microsoft System Center\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe

    Network Information:
        Workstation Name:       <workstation name>
        Source Network Address: -
        Source Port:            -

    Detailed Authentication Information:
        Logon Process:          <login process>
        Authentication Package: <authentication package>
        Transited Services:     -
        Package Name (NTLM only): -
        Key Length:             0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The impersonation level field indicates the extent to which a process in the logon session can impersonate.

    The authentication information fields provide detailed information about this specific logon request.
        - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.