It appears to be available here: https://github.com/thaumos/ansible-tower-splunk-framework ... View more

This works for me: <dashboard> <label>bug_repro</label> <row> <panel> <table> <search> <query>|makeresults | eval test="test"</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="drilldown">cell</option> <drilldown> <link target="_blank">search?q=|makeresults | eval test="$row.test$"| rex field=test "(%3F<testxtract>.*)"&amp;earliest=$earliest$&amp;latest=$latest$</link> </drilldown> </table> </panel> </row> </dashboard> ... View more

You can use SECMD in props.conf on the indexer/heavy forwarder to remove some of the extra text in the logs. Here are some examples. https://answers.splunk.com/answers/44865/remove-out-section-of-log.html https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008-event-logs.html https://gist.github.com/automine/5c8ef5b50e1df38249dfba01a70f2875 [WinEventLog:Security] #Returns most of the space savings XML would provide SEDCMD-clean0-null_sids = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g s/(?m)(\:)(\s+NULL SID)$/\1/g s/(?m)(ID\:)(\s+0x0)$/\1/g SEDCMD-clean1-summary = s/This event is generated[\S\s\r\n]+$//g SEDCMD-clean2-cert_summary = s/Certificate information is only[\S\s\r\n]+$//g SEDCMD-clean3-blank_ipv6 = s/::ffff://g SEDCMD-clean4-token_elevation_summary = s/Token Elevation Type indicates[\S\s\r\n]+$//g SEDCMD-clean5-network_share_summary = s/(?ms)(A network share object was checked to see whether.*$)//g SEDCMD-clean6-authentication_summary = s/(?ms)(The computer attempted to validate the credentials.*$)//g SEDCMD-clean7-local_ipv6 = s/(?ms)(::1)//g # Removed due to issue with Windows Filtering Platform events # SEDCMD-clean8-firewall_summary = s/(?ms)(The Windows Filtering Platform has permitted.*$)//g ... View more

It looks like Bomgar has an integration: https://www.bomgar.com/docs/remote-support/how-to/integrations/splunk/index.htm There is also this: https://github.com/guilhemmarchand/bomgar-for-splunk ... View more

You could use the add-on builder. http://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/Createasetuppage https://splunkbase.splunk.com/app/2962/ ... View more

I have this working in 6.6.3. The saved searches are looking for data with a sourcetype of riverbed_steelhead and indexes of main, riverbed_info, and riverbed_notice. If this does not match the sourcetype or index for your steelhead logs, you can edit the saved searches. Try running them manually and changing things until you get them to work. ... View more

Since it is using the machine name it seems like the Splunk service is set to log on as the SYSTEM account. When using the MS Generic Driver With Windows Authentication, DB Connect will connect using the account the Splunk service is using. You could change the Splunk service to log on as a domain user and give that user access to the database. http://docs.splunk.com/Documentation/DBX/3.1.0/DeployDBX/Installdatabasedrivers#Install_the_SQL_Server_using_MS_Generic_driver_with_Windows_authentication ... View more

You could try here: https://github.com/iadgov/Certificate-Authority-Situational-Awareness ... View more

Here are some .conf sessions about SSO. Passwords Are For Chumps: Using Single Sign-on Securing Splunk With Single Sign-On and SAML ... View more

[WinEventLog://Microsoft-Windows-PowerShell/Operational] disabled = false [WinEventLog://Microsoft-Windows-WinRM/Operational] disabled = false ... View more

You need to put the suppress_text = 1 under [WinEventLog://Security], not under [WinEventLog:Security]. You can use regex in whitelists and blacklists, see here: http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata ... View more

Are you running the ad-repl-stat.ps1 script on Windows Server 2012 R2? http://blogs.splunk.com/2014/01/13/active-directory-replication-and-windows-server-2012-r2/ ... View more

You will need to configure SmartCallHome to get that information. See the documentation for this at https://splunkbase.splunk.com/app/1467/#/documentation ... View more

The EventType filter is for 2003 and earlier. Use Type for 2008 and later. The Microsoft documentation says that the numeric value for Type "Information" is 4. http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata Win32_NTLogEvent class ... View more

There was a presentation at Splunk .conf 2015 that covered EMET. Create a Console for Security Apps That Don't Have One ... View more

Try changing it to: [WinEventLog://Application] instead of: [WinEventLog:Application] ... View more

Try using: [WinEventLog://Security] instead of: [WinEventLog:Security] ... View more

Try using advanced filtering. Create a second whitelist that filters based on EventCode and ComputerName. Set ComputerName to the name of the client that you want to log the event. [WinEventLog://Security] disabled = 0 index = default whitelist=4618,4621,4624,4625,4634,4649,4675,4692,4693,4706,4719,4720,4722-4735,4737,4738,4740,4744-4762,4765-4766,4794,4897,4964,1102,4648,5038,6281 whitelist1=EventCode="2000" ComputerName="insert name of client here" Or you could create a new app that contains whitelist1 for event code 2000, and only apply it to the single client. [WinEventLog://Security] whitelist1=EventCode="2000" ... View more