Hi, we have upgraded from version 8.1.6 to version 9.0.1 recently and have discovered a new problem not seen before. Each time I push the apps from the deployer to the SHC, all apps get pushed regardless of whether they are old, modified or new. This results in each apply shcluster-bundle taking 5-6 hours to complete. Before the upgrade a push took a couple of minutes. Each push also generates a default.old.<DATE> for all apps. Is there a way to remove this behaviour? We would prefer not to have a lot of default.old.<DATE> files and for the pushes to become much faster. Thanks!
Hello,

| transaction RRN keepevicted=t | search date_hour <6

If I execute this search with a specific date (10-10-2022) I get 5 events. If I execute this search with the preset "all-time" I get no results. If I execute this search with the preset "last 30 days" I get no results. All searches were done in verbose mode. Why don't I get results with the preset "all-time" and/or "last 30 days"? Thanks
Hello, I need to take events with two kinds of text (different paths):

Appended to:  G:\Streamserve\
Appended to:  D:\G_volume\Streamserve\

As you can see, there is a part in the middle that differs (I have only those 2 kinds of cases). I tried \S* for non-whitespace characters but it's not working. Something like this:

Appended to: \w?:\\(G_volume)*\\*Streamserve

What is the easiest way to do it? Thanks for the help
Hi guys, I'm monitoring external web server logs and want to run an alert detecting errors caused by IP addresses other than my own WAN IP assigned by my Internet provider. So I thought I'd run a script at index time for sourcetype "http:errors:linux" that returns just my external IP into a new/additional field "own_wan_ip". This needs to be done at index time and not at search time, as the external IP changes quite often, which leads to a wrong "own_wan_ip" when adding it at search time. My Python mini-script:

#!/usr/bin/env python3
import os
os.system('dig +short txt ch whoami.cloudflare @1.0.0.1')

I tried to find a solution in Splunk's documentation, like this https://docs.splunk.com/Documentation/Splunk/8.2.7/Data/Configureindex-timefieldextraction, but there's only regex-based creation. If anyone could provide me a solution for this, I'd really be happy. Thanks in advance
Team, I need your assistance with the below task. I need to migrate Splunk sh-2 (non-ES instance) from CentOS to Red Hat, from one VM to another VM. I would appreciate it if you could provide a step-by-step guide for this migration. Note: we need to maintain the same IP address / hostname of the existing VM (Splunk server).
Hello Splunkers, I have a really quick question. I want to create and push (via my DS) a fully custom add-on (or TA... not sure what to call it) to some of my UFs. Basically I only need an inputs.conf to monitor some log files, but I do not know if I should place it under the default/ or local/ folder. I know that for a Splunk-based TA I would overwrite the default config file with my local config files, but for a custom app I don't really know. Should I create inputs.conf inside the default/ folder but with "disabled = true" for all stanzas, and overwrite it with my local inputs.conf? Thanks for your help, Gaetan
Hello all, I have a Splunk server update. We have an update to our Splunk server and I am trying to figure out the workflow. The current version is 8.2. The new server is 9.0. I want to restore the backup files of the current version 8.2 to the new server on version 9.0. Is it possible to restore the backup file of version 8.2 directly to version 9.0? Or is it necessary to build a new device with version 8.2, restore it, and then upgrade to version 9.0?
I need to create a new field to assign to the top results of a command using eval. Obviously this syntax doesn't work, so I'm looking for the correct query:

source="tutorialdata.zip*" | eval popular = top limit=5 itemId | stats count(action) by popular, action

Basically I only need the action stats of the top 5 itemId results of the following:

Sorry for the n00b question; I am just getting started with Splunk. Thanks for your time!
Hi All, the Windows Splunk UF has a process splunk-winevtlog.exe that reads the event log. I am seeing on a small subset of servers that this process is consuming 100% of a virtual machine CPU (vCPU). In many cases this behaviour can go on for days/weeks until noticed (i.e. it is not burst-type usage). The Splunk UF is v8.2.1. In some cases I see this behaviour where, of two servers built at the same time and identically configured, one is fine and one is using 100% CPU. Attempting to set a current_only=1 value in inputs.conf stanzas does not resolve the issue. Restarting the service does not resolve the issue - it manifests again after a few minutes. Restarting the host does not resolve the issue - it manifests again after a few minutes. I would be keen to hear if anyone has had similar experiences and how they have remediated the issue. Cheers!
Below is my SPL:

|from datamodel:"Threat_Intelligence"."Threat_Activity" |dedup threat_match_field,threat_match_value |search NOT [|inputintelligence cisco_top_million_sites |rename domain as threat_match_value |table threat_match_value]

Explanation: basically, from any threat activity detected, I want to remove false-positive domains by using cisco_top_million_sites as a reference to exclude FP domains. However, in the part where domains in threat_match_value are compared to domains in the cisco_top_million_sites threat intel file, some domains are not getting excluded. It's mainly the content.dropboxapi.com domain which still appears in the results even though it's in the threat intel file, while other subdomains of dropboxapi.com are excluded. Can someone please help with fixing this?
Hi All, I have a UF installed on a syslog server. Network clients are already sending data to the syslog server and the UF forwards it to indexer 1. Now another application wants to send data to the same syslog server on which the UF is installed, but this application data has to go to a different indexer [Example: indexer_new]. {Note: both these indexers (indexer 1 and indexer_new) are not in the same cluster. They are placed separately.} The network data is coming in on TCP port 1515 and the application data is coming in on TCP port 1517. I have seen some answers to route it with _TCP_ROUTING_ to two different indexers based on the data input, but in this case this is not based on a file or log path. This is based on TCP input [for TCP input we don't have any path for the log].

Existing input [under /opt/splunk-fwd/etc/apps/syslog_3n/default/inputs.conf]:

[tcp://localhost:1515]
queueSize = 512MB
connection_host = ip
sourcetype = network_syslog
index = network_sys

"Now I want to know how to route the new application data coming to the UF on port 1517 to indexer_new, while the existing network data should continue to go to indexer 1"? Thanks for your reply in advance!!
Hi Community, please help me. I have a field Expiration with values having different timezones. Could you please help me convert all the values to a standard timezone (UTC)? Any help would be appreciated. Thanks in advance

Expiration
18:02:56 EDT Oct 5 2022
12:02:56 CDT Oct 5 2022
13:02:56 EDT Oct 5 2022
18:02:56 CDT Oct 5 2022
18:59:59 EST Nov 15 2022
19:59:59 EDT Oct 5 2022
17:02:56 UTC Oct 5 2022
18:59:59 CDT Oct 5 2022
I have repeated failed logins listed as "Other" in my pie chart for Failed Logins by Host. How can I find out what those "other" devices or hostnames are? There were 85 Other in Failed logins by host and 9 Other in the successful logins by host. I need help determining what "Other" means in this context.
I created the following correlation alert in ES with Notable:

Index=fw (dest_ip=1.2.3.4 OR dest_ip=1.2.3.5)

The alert runs with a cron for every 1M. Example:
At 08:00, User A pings 1.2.3.4
At 08:00, User B pings 1.2.3.3

The problem: if two different users try to reach these IPs, I will receive two notable alerts with a drill-down. The drill-down will bring the two events from these two different users (mixed). What I expect to receive: 2 separate notable alerts, each with a drill-down that returns only one event (and not the events from the other user).
Hi, I have made an interactive dashboard that allows users to filter our data according to the main parameters of interest; however, it seems to me that I could do better. Here are my questions:
1) All the panels in the dashboard use the token from the time range picker. I would like some of the panels (the single values below, for example) to re-calculate based on changing the zoom in the time chart above them. How can I implement it?
2) All the panels use the same base search and add on to it, for example <base search> | table something, <base search> | get specific single value, etc. How can I save this common base search and use it properly in all the panels?
3) Moreover, at the moment a new search is performed for each panel, which is quite a waste... Is there a way to optimize it to run once and get the results for each panel from this search?
4) Is there an option to add a specific "interesting" single value or other data on top of a chart? Adding a different panel for each value is annoying, wastes additional searches and in my opinion presents it in a lesser way (GUI-wise).
5) Any good way to let users filter out specific anomaly events from the chart?
Thanks, Noam
Hello, I have set up the MISP42 | Splunkbase app and I want Splunk to use the SSL connection to MISP. My certificate is issued by Let's Encrypt for MISP and Splunk. I have copied the fullchain.pem and crt from MISP to Splunk, but I still get the following error after enabling "check MISP certificate":

External search command 'mispgetevent' returned error code 1. Script output = "error_message=SSLError at "/opt/splunk/lib/python3.7/site-packages/requests/adapters.py", line 514 : HTTPSConnectionPool(host='FQDN', port=443): Max retries exceeded with url: /events/restSearch (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1106)'))) ".

Thanks in advance for your help
Does anyone have core knowledge on how to remove all events that fulfill these two searches? Then I'd be very pleased to hear how, as I've already spent quite a bit of time investigating, editing and deploying, unfortunately still without luck:

index=wineventlog EventCode=4672 host IN (SKEXCH0*) src_user IN (SKEXCH0*$)
index=wineventlog EventID=4624 TargetUserName=cscad WorkstationName IN (VHPDOC540*) IpAddress="122.85.52.*"

Where the source for each of the two is as follows:

1. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:49:51.515030900Z'/><EventRecordID>7104199399</EventRecordID><Correlation ActivityID='{08b0282e-d41c-0001-cb3d-b0081cd4d801}'/><Execution ProcessID='924' ThreadID='54024'/><Channel>Security</Channel><Computer>SKEXCH03.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SKEXCH03$</Data><Data Name='SubjectDomainName'>SON</Data><Data Name='SubjectLogonId'>0x183d0ad065</Data><Data Name='PrivilegeList'>SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege</Data></EventData></Event>

2. <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:55:10.9831608Z'/><EventRecordID>790343401</EventRecordID><Correlation/><Execution ProcessID='860' ThreadID='11144'/><Channel>Security</Channel><Computer>SKDC02.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-21-606747145-57989841-682003330-85457</Data><Data Name='TargetUserName'>cscad</Data><Data Name='TargetDomainName'>SON</Data><Data Name='TargetLogonId'>0x11a5ba720</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>VHPDOC540COP001</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>122.85.52.113</Data><Data Name='IpPort'>53191</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

In the inputs.conf I've tried the following without any success - yet:

[WinEventLog://Security]
disabled = 0
whitelist = 512,513,517,528,529,530,531,532,533,534,535,536,537,539,540,552,592,601,602,612,624,632,636,660,852,1102,4608,4616,4624,4625,4648,4649,4656,4662,4670,4672,4688,4697,4698,4702,4719,4720,4723,4728,4732,4742,4746,4751,4756,4761,4768,4769,4771,4776,4794,5025,5152,5805,5827,5828,5829,5830,5831,7045,7468
## Blacklisted EventCodes for Exchange and cscad
blacklist3 = EventCode="4672" host="SKEXCH0.*" src_user="SKEXCH\d{2}\$"
blacklist4 = EventCode="4624" TargetUserName="cscad" WorkstationName="VHPDOC540.*" IpAddress="122\.85\.52\.\d{1,3}"
blacklist5 = $XmlRegex="<EventID>4672</\EventID>.*?<Computer>SKEXCH\d{2}\.[a-zA-Z0-9\.]+<\/Computer>.*?SubjectUserName'>SKEXCH\d{2}\$<\/Data>"
blacklist6 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
blacklist7 = $XmlRegex="\<EventID\>4672\</\EventID\>.*?<Computer\>SKEXCH\d{2}\.[a-zA-Z0-9\.]+\<\/Computer\>.*?SubjectUserName\'\>SKEXCH\d{2}\$\<\/Data\>"
blacklist8 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
renderXml=true
index = wineventlog
I am new to Splunk, and trying to understand what's the difference between dispatch.earliest_time = "-15m@m" and dispatch.earliest_time = "-15m". Thanks!
I'm looking at this screen - it says "Data inputs" but lists a bunch of Splunk home folders. I thought Splunk home would be where the data goes to, not where it comes from. I consider an "input" to be a "from", so it makes no sense to me for Splunk to be there. I was expecting to see a bunch of systems and their log files as inputs, yet so far I cannot find any (I just got admin and our Splunk system seems to have a lot of everything, so it must be hidden in there somewhere). I've looked at the "Datasets" - 168 of them - and none seem to be what I am looking for.
I have this request to build a report:

7am - 1900 Monday-Friday CST
Sat 7am - noon CST

Splunk is running on UTC - depending on the season, the daylight savings 1-hour shift is 6 hours or 5 hours. What is the best way to compensate for the hour shift as daylight savings time comes and goes yearly?