So let's say I have this tag in /opt/splunk/etc/apps/search/local/tags.conf:
[host=x.y.uci.edu]
nac_wsg = disabled
nac_dba = enabled
So now I go into the GUI and under Splunk > Manager >...
I always saw these "OS" and "Windows" tags on the eventtypes.conf and tags.conf. It's on the production environment and Splunkbase applications even though we're only using default Splunk CIM. OS- can b...
Hello there,
On ES (4.7.2), the correlation search "Default Account Usage" is supposed to create notable events for default accounts as stated in its description:
"Discovers use of default acco...
I am an admin in a Splunk 6.6.2 clustered environment. I create 10 tags through the GUI. In my SHC, the 10 tags get distributed to the other search heads. Next, I want to edit tags.conf with my UNIX t...
...ood example were: lookup files, but I guess indexer should not need any lookup files since that job is done by search head, not indexer. The same with other KO objects like tags, event types, macros etc....
Hey everyone,
Summary of the long post: On universal forwarders, I need to add some kind of identifier like a tag or metadata value to all data before it is sent to distinguish the environment it...
...rivate to global
Once you change the permissions the tags are "gone"; the tags are not moved to the "global" tags.conf file. If you do the above for an eventtype that does not have a space in the n...
The Splunk Add-on for Microsoft Cloud Services is populating the Authentication datamodel in ES, however action="Unknown" for successful and failed logon events. Where would be a good place to start ...
...nterprise Security.
I created a TA called TA_test with eventtypes.conf and tags.conf in the local folder. The following is what my eventtypes.conf and tags.conf look like:
eventtypes.conf
[t...