Hi Community, please help me. I have a field Expiration with values having different timezones. Could you please help me convert all the values to a standard timezone (UTC)? Any help would be appreciated. Thanks in advance.

Expiration
18:02:56 EDT Oct 5 2022
12:02:56 CDT Oct 5 2022
13:02:56 EDT Oct 5 2022
18:02:56 CDT Oct 5 2022
18:59:59 EST Nov 15 2022
19:59:59 EDT Oct 5 2022
17:02:56 UTC Oct 5 2022
18:59:59 CDT Oct 5 2022
I have repeated failed logins listed as "Other" in my pie chart for Failed Logins by Host. How can I find out what those "other" devices or hostnames are? There were 85 Other in Failed logins by host and 9 Other in the successful logins by host. I need help determining what "Other" means in this context.
I created the following correlation alerts in ES with Notable:

Index=fw (dest_ip=1.2.3.4 OR dest_ip=1.2.3.5)

The alerts run with cron every 1M.

Example:
At 08:00, User A pings 1.2.3.4
At 08:00, User B pings 1.2.3.3

The problem: if two different users try to get these IPs, I will receive two notable alerts with a drill-down. The drill-down will bring the two events from these two different users (mixed).

What I expect to receive: 2 separate notable alerts, each with a drill-down that receives only one event (and not the events from the other user).
Hi, I have made an interactive dashboard that allows users to filter our data according to the main interesting parameters; however, it seems to me that I could do better. Here are my questions:

1) All the panels in the dashboard use the token from the time range picker. I would like some of the panels (the single values below, for example) to re-calculate based on changing the zoom in the time chart above them. How can I implement it?

2) All the panels use the same base search and add on to it. For example: <base search> | table something, <base search> | get specific single value, etc. How can I save this common base search and use it properly in all the panels?

3) Moreover, at the moment a new search is being performed for each panel, quite a waste. Is there a way to optimize it to run once and get the results for each panel from this search?

4) Is there an option to add a specific "interesting" single value or other data on top of a chart? Adding a different panel for each value is annoying, wastes additional searches and in my opinion presents it in a lesser way (GUI-wise).

5) Any good way to let users filter out specific anomaly events from the chart?

Thanks, noam
Hello, I have set up the MISP42 | Splunkbase app and I want Splunk to use the SSL connection to MISP. My certificate is issued by Let's Encrypt for MISP and SPLUNK. I have copied the fullchain.pem and crt from MISP to SPLUNK, but I still get the following error after enabling "check MISP certificate":

External search command 'mispgetevent' returned error code 1. Script output = "error_message=SSLError at "/opt/splunk/lib/python3.7/site-packages/requests/adapters.py", line 514 : HTTPSConnectionPool(host='FQDN', port=443): Max retries exceeded with url: /events/restSearch (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1106)'))) ".

Thanks in advance for your help.
Does anyone have core knowledge on how to remove all events that fulfill these two searches? Then I'd be very pleased to hear how, as I've already spent quite a bit of time investigating, editing and deploying, unfortunately still without luck:

index=wineventlog EventCode=4672 host IN (SKEXCH0*) src_user IN (SKEXCH0*$)

index=wineventlog EventID=4624 TargetUserName=cscad WorkstationName IN (VHPDOC540*) IpAddress=“122.85.52.*”

Where the source for each of the two is as follows:

1.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:49:51.515030900Z'/><EventRecordID>7104199399</EventRecordID><Correlation ActivityID='{08b0282e-d41c-0001-cb3d-b0081cd4d801}'/><Execution ProcessID='924' ThreadID='54024'/><Channel>Security</Channel><Computer>SKEXCH03.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SKEXCH03$</Data><Data Name='SubjectDomainName'>SON</Data><Data Name='SubjectLogonId'>0x183d0ad065</Data><Data Name='PrivilegeList'>SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege</Data></EventData></Event>

2.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:55:10.9831608Z'/><EventRecordID>790343401</EventRecordID><Correlation/><Execution ProcessID='860' ThreadID='11144'/><Channel>Security</Channel><Computer>SKDC02.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-21-606747145-57989841-682003330-85457</Data><Data Name='TargetUserName'>cscad</Data><Data Name='TargetDomainName'>SON</Data><Data Name='TargetLogonId'>0x11a5ba720</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>VHPDOC540COP001</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>122.85.52.113</Data><Data Name='IpPort'>53191</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

In the inputs.conf I've tried the following without any success – yet:

[WinEventLog://Security]
disabled = 0
whitelist = 512,513,517,528,529,530,531,532,533,534,535,536,537,539,540,552,592,601,602,612,624,632,636,660,852,1102,4608,4616,4624,4625,4648,4649,4656,4662,4670,4672,4688,4697,4698,4702,4719,4720,4723,4728,4732,4742,4746,4751,4756,4761,4768,4769,4771,4776,4794,5025,5152,5805,5827,5828,5829,5830,5831,7045,7468
## Blacklisted EventCodes for Exchange and cscad
blacklist3 = EventCode="4672" host="SKEXCH0.*" src_user="SKEXCH\d{2}\$"
blacklist4 = EventCode="4624" TargetUserName="cscad" WorkstationName="VHPDOC540.*" IpAddress="122\.85\.52\.\d{1,3}"
blacklist5 = $XmlRegex="<EventID>4672</\EventID>.*?<Computer>SKEXCH\d{2}\.[a-zA-Z0-9\.]+<\/Computer>.*?SubjectUserName'>SKEXCH\d{2}\$<\/Data>"
blacklist6 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
blacklist7 = $XmlRegex="\<EventID\>4672\</\EventID\>.*?<Computer\>SKEXCH\d{2}\.[a-zA-Z0-9\.]+\<\/Computer\>.*?SubjectUserName\'\>SKEXCH\d{2}\$\<\/Data\>"
blacklist8 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
renderXml=true
index = wineventlog
I am new to Splunk, and trying to understand what's the difference between dispatch.earliest_time = "-15m@m" and dispatch.earliest_time = "-15m". Thanks!
I'm looking at this screen - it says "Data inputs" but lists a bunch of splunk home folders. I thought splunk home would be where the data goes to, not where it comes from. I consider an "input" to be a "from", so it makes no sense to me for splunk to be there. I was expecting to see a bunch of systems and their log files as inputs, yet so far I cannot find any of (I just got admin and our splunk system seems to have a lot of everything, so it must be hidden in there somewhere). I've looked at the "Datasets" - 168 of them and none seem to be what I am looking for.
I have this request to build a report:

7am - 1900 Monday-Friday CST
Sat 7am - noon CST

Splunk is running on UTC. Depending on the season, the daylight savings 1 hour shift is 6 hours or 5 hours. What is the best way to compensate for the hour shift as daylight savings time comes and goes yearly?
We wish to upgrade from 8.1.3 to the latest (9.0.1 at this time). We have:

Search Head
Manager Node 1
Index Cluster (2 nodes)
Heavy forwarder 1 (1 node)
Manager Node 2
Index Cluster (2 nodes)
Heavy forwarder 2 (1 node)

From my reading of https://docs.splunk.com/Documentation/Splunk/9.0.1/Indexer/Upgradeacluster#Upgrade_each_tier_separately it looks like we can follow the path below:

HF1, HF2
Manager Node 1
Manager Node 2
Search Head
Indexer Cluster 1 (2 nodes)
Indexer cluster 2 (2 nodes)

Please advise if this will work correctly?
As in previous posts I am talking about using variables or tokens in the Contributing Events part of Enterprise Security.

1. When I use $host$ it substitutes the actual Splunk Host instead of the host returned from the correlation search.

2. Can someone provide Splunk documentation links for creating or using Variables in the Drilldown search or contributing events search?

3. I am requesting and have requested in Splunk Ideas "TO MAKE THE **bleep** DRILL DOWN SEARCH WINDOW A MULTI-LINED TEXT BOX" since Splunk Enterprise Security version 6.0 and none of the GUI issues were not addressed! HELP ME OBI-WAN!!!
I am still getting information from all of the servers that have the universal forwarders on them and verified the service is running, but am still getting the "missing forwarders" alert set up from the initial setup search. Not sure what is going on. Also, looking at splunk logs for errors, I found on each server that the powershell script was failing inside C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\bin\powershell\dns-zoneinfo.ps1:

Get-WMIObject : Invalid namespace "root\MicrosoftDNS"
At C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\bin\powershell\dns-zoneinfo.ps1:75 char:10
+ $Zones = Get-WMIObject -Computer $ServerName -Namespace "root\Microso ...
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
Microsoft Office 365 Reporting Web Service works fine with an "Index Once" config where Start date/time & End date/time are defined. Set this to Continuously Monitor and it appears to fail... This connector defaults to empty start or end date/time fields:

2022-10-21 13:36:54,969 INFO pid=15262 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling
2022-10-21 13:36:54,970 DEBUG pid=15262 tid=MainThread file=binding.py:get:695 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/config/TA_MS_O365_Reporting_checkpointer (body: {})
2022-10-21 13:36:54,971 DEBUG pid=15262 tid=MainThread file=connectionpool.py:_new_conn:941 | Starting new HTTPS connection (1): 127.0.0.1:8089
2022-10-21 13:36:54,973 DEBUG pid=15262 tid=MainThread file=connectionpool.py:_make_request:442 | https://127.0.0.1:8089 "GET /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/config/TA_MS_O365_Reporting_checkpointer HTTP/1.1" 200 5564
2022-10-21 13:36:54,974 DEBUG pid=15262 tid=MainThread file=binding.py:get:695 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/config/ (body: {'count': -1, 'offset': 0, 'search': 'TA_MS_O365_Reporting_checkpointer'})
2022-10-21 13:36:54,974 DEBUG pid=15262 tid=MainThread file=binding.py:new_f:74 | Operation took 0:00:00.003694
2022-10-21 13:36:54,976 DEBUG pid=15262 tid=MainThread file=binding.py:new_f:74 | Operation took 0:00:00.002273
2022-10-21 13:36:54,976 DEBUG pid=15262 tid=MainThread file=connectionpool.py:_make_request:442 | https://127.0.0.1:8089 "GET /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/config/?count=-1&offset=0&search=TA_MS_O365_Reporting_checkpointer HTTP/1.1" 200 4716
2022-10-21 13:36:54,978 DEBUG pid=15262 tid=MainThread file=binding.py:get:695 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/O365_Message_Trace_obj_checkpoint_oauth (body: {})
2022-10-21 13:36:54,979 DEBUG pid=15262 tid=MainThread file=connectionpool.py:_make_request:442 | https://127.0.0.1:8089 "GET /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/O365_Message_Trace_obj_checkpoint_oauth HTTP/1.1" 404 140
2022-10-21 13:36:54,980 DEBUG pid=15262 tid=MainThread file=connectionpool.py:_new_conn:941 | Starting new HTTPS connection (1): login.windows.net:443
2022-10-21 13:36:54,980 DEBUG pid=15262 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ Proxy is enabled: web:8080
2022-10-21 13:36:54,980 DEBUG pid=15262 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ Getting proxy server.
2022-10-21 13:36:54,980 DEBUG pid=15262 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ message trace URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate eq datetime'2022-10-16T13:36:54.979985Z' and EndDate eq datetime'2022-10-16T14:36:54.979985Z'
2022-10-21 13:36:54,980 DEBUG pid=15262 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ Start date: 2022-10-16 13:36:54.979985, End date: 2022-10-16 14:36:54.979985
2022-10-21 13:36:55,142 DEBUG pid=15262 tid=MainThread file=connectionpool.py:_make_request:442 | https://login.windows.net:443 "POST /2445612c-659f-4f0e-a8b2-51087c624102/oauth2/token HTTP/1.1" 200 1815
2022-10-21 13:36:55,144 DEBUG pid=15262 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ Proxy is enabled: web:8080
2022-10-21 13:36:55,144 DEBUG pid=15262 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ Getting proxy server.
2022-10-21 13:36:55,145 DEBUG pid=15262 tid=MainThread file=connectionpool.py:_new_conn:941 | Starting new HTTPS connection (1): reports.office365.com:443
2022-10-21 13:36:59,928 DEBUG pid=15262 tid=MainThread file=connectionpool.py:_make_request:442 | https://reports.office365.com:443 "GET /ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-10-16T13:36:54.979985Z'%20and%20EndDate%20eq%20datetime'2022-10-16T14:36:54.979985Z' HTTP/1.1" 200 216
2022-10-21 13:36:59,930 DEBUG pid=15262 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ max date before getting message: 2022-10-16 13:36:54.979985

I changed the Start date/time to 2022-10-19 00:00:00, 2 full days ago, so I don't bump against the 7 day boundary.

2022-10-21 13:40:31,102 DEBUG pid=15810 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ message trace URL: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate eq datetime'2022-10-19T00:00:00Z' and EndDate eq datetime'2022-10-19T01:00:00Z'
2022-10-21 13:40:31,102 DEBUG pid=15810 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ Start date: 2022-10-19 00:00:00, End date: 2022-10-19 01:00:00
2022-10-21 13:40:31,103 DEBUG pid=15810 tid=MainThread file=connectionpool.py:_new_conn:941 | Starting new HTTPS connection (1): login.windows.net:443
2022-10-21 13:40:31,339 DEBUG pid=15810 tid=MainThread file=connectionpool.py:_make_request:442 | https://login.windows.net:443 "POST /2445612c-659f-4f0e-a8b2-51087c624102/oauth2/token HTTP/1.1" 200 1815
2022-10-21 13:40:31,341 DEBUG pid=15810 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ Proxy is enabled: web:8080
2022-10-21 13:40:31,341 DEBUG pid=15810 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ Getting proxy server.
2022-10-21 13:40:31,342 DEBUG pid=15810 tid=MainThread file=connectionpool.py:_new_conn:941 | Starting new HTTPS connection (1): reports.office365.com:443
2022-10-21 13:40:34,302 DEBUG pid=15810 tid=MainThread file=connectionpool.py:_make_request:442 | https://reports.office365.com:443 "GET /ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2022-10-19T00:00:00Z'%20and%20EndDate%20eq%20datetime'2022-10-19T01:00:00Z' HTTP/1.1" 200 122
2022-10-21 13:40:34,303 DEBUG pid=15810 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ max date before getting message: 2022-10-19 00:00:00

I've not been able to determine what the comment "_Splunk_ max date before getting message: <2022-10-19 00:00:00>"

The lookup TA_MS_O365_Reporting_checkpointer shows a row with _key <nameofinput>_once_checkpoint_oauth, which looks to be from when I did the Index Once. Would someone who's running Continuously Monitor please take a look into lookup TA_MS_O365_Reporting_checkpointer & let me know what the _key name & state columns indicate where _key = *_checkpoint_*? Of course, if someone has experienced the same & figured this out, I'd appreciate any words of wisdom.
I have two independent/unrelated queries (same index, though) , and I want to create a timechart where there are two bars in each time bucket, one for each of the two queries. Is this possible? Thanks! Jonathan
Our application logs for each method: when it begins, when it ends, and the thread it is on. We are wanting to visualize how long each method takes. The logging structure is as follows:

[Thread #] Timestamp Begin/End MethodName

Example:

[Thread-13569 (ActiveMQ-client-global-threads)] Fri Oct 21 14:29:00 EDT 2022 Begin purgeHistory(Connection, String)
[Thread-13569 (ActiveMQ-client-global-threads)] Fri Oct 21 14:29:00 EDT 2022 End purgeHistory(Connection, String)

So we need a way to match every method "Begin" with every method "End" that's on the same thread, to be able to calculate and display how long each method took to execute. Is there any way we could get some help tackling this query?
Hello, I'm currently trying to update our Splunk environment, but one problem I'm having is getting our server classes named correctly to make them future-proof and easy to use. Currently my server class naming convention looks something like this:

<name> (general serverclass)
<name>_<location> (location based)
<name>_<machine type> (machine type based)
<name>_<machine type>_<location> (location and machine type based)

Example:

clients
clients_munich
clients_berlin
clients_linux
clients_linux_munich
clients_linux_berlin
clients_windows
clients_windows_munich
clients_windows_berlin

I would also use this convention for all other "groups" that need server classes: Server, Services, Appliances, Network, ... If you need examples for them, just ask me.
Hello there! I've been ingesting data from Azure Storage Explorer via the Splunk Add-On for Microsoft Cloud Services app, however, I now wish to ingest data from an Azure Event Hub.  I know I can either create an input in the same app or use the Microsoft Azure Add-on for Splunk app.  Is there a way to specify which partition to collect data from?  Furthermore, is there a way to send data to different indexes and sourcetypes from 1 Event Hub? I'm working on Splunk Cloud, so I currently don't have access to config files. Thanks in advance!
Hey, I was trying to use the SDK to log in remotely with the code below; however, the server keeps returning an error message as shown further down. I even tried using Postman on the local Splunk server but it gives the same error as well.

    const splunkjs = require('splunk-sdk');

    // Connection settings; placeholders (xxxxxx) stand in for the real host, port and credentials
    const service = new splunkjs.Service({
        host: "xxxxxx",
        port: xxxx,
        username: "administrator",
        password: "xxxxxx",
        scheme: "https",
        version: "default"
    });

    // Authenticate against the management port
    service.login(function(err, success) {
        if (err) {
            throw err;
        } else {
            console.log('Logged in successfully');
        }
    });

The error returned:

    {
      response: { headers: {}, statusCode: 600 },
      status: 600,
      data: undefined,
      error: Error: write EPROTO 22680:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:c:\ws\deps\openssl\openssl\ssl\record\ssl3_record.c:332:
          at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) {
        errno: -4046,
        code: 'EPROTO',
        syscall: 'write'
      }
    }

However, on the local server I am able to log in just fine with the code shown below; but I really don't want to do development on the Splunk server directly as it's quite a pain.

    const service = new splunkjs.Service({
        username: "xxx",
        password: "xxx"
    });
Hello Splunkers!! As per my requirement, my current results are as below:

severity   Vulnablities
Critical   3
Medium     4
Low        6

But my expected results are like:

Critical   Medium   Low
3          4        6

Please help me how I can achieve the expected results.