Hi @proficio_ajk , you should ask this to the deveoper: SailPoint Identity Plus Alliance at https://www.sailpoint.com/partners/technology-alliance-partners Ciao. Giuseppe ... View more

Hi @Darkvader , usually CIM compliance is used to populate CIM Data Models and this is a Search Time activity executed on the Search Heads. Ciao. Giuseppe ... View more

Hi @cjharmening , I don't know how deep your knowledge of Splunk and ES is. In general, I recommend finding a trusted Splunk partner and relying on them. Otherwise, you risk wasting a lot of time or thinking that ES implementation is science fiction, when in reality it's just a standard integration job. Otherwise, contact Splunk Sales to have the support of a Splunk Sales Engineer. Anyway, in few points: use only CIM compliant logs, stricktly follow the documentation, use Splunk Security Essential App to understand which Detection implement, Ciao. Giuseppe ... View more

Hi @spulivarthi700 , the most field extractions are at search time, so the pressure is on Search Heads, not Indexers. Anyway, in general, you can reduce jobs on Indexers, using one or more intermediate Heavy Forwarders that will parse your data, instead indexers. but the question is: which Add-On are you using to parse cribl data? because if you're using the Cribl Decrypt Add-On for Splunk, it hasn't any parsing rule. Ciao. Giuseppe ... View more

Hi @Alberto_Astolf1 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 P.S.: Sign in to the Splunk Italia User group: https://usergroups.splunk.com/italia-splunk-user-group/ ... View more

Hi @imsidrai , your question isn't so clear for me, let me understand: you don't need dbconnect to extract data from Splunk Cloud also because Splunk isn't a Database so you cannot use db-connect; but only a federated Search Head connected to Splunk Cloud. Then to load these data from the on-premise SH to an external Database, you can use a script using the DB APIs that read an extraction from Splunk or also DB-Connect. Answering to your questions: 1) can federated search be setup one-way from onprem to cloud? yes, but you don't use db-connect. 2) you don't need db-connect, you can use a script that uses Splunk Cloud APIs to extract data: this is another way, but the other is easier. Ciao. Giuseppe ... View more

Hi @detrue , by default, a Search Head cannot see the indexers on remote indexers. For this reason, it's a PS best practice that the org_all_indexes app, containing the indexes.conf file, will be deployed both to Indexers and Search Heads, even if on the SHs there isn't any active index. In this way, you can see on the SHs all the active indexes. Ciao. Giuseppe ... View more

Hi @Alberto_Astolf1 , it isn't a best practice to run Splunk as root for security reasons. Anyway, as I said, remember to setup splunkd retart for your app. Only for test, try to restart Splunk on your UF to see if that is the issue. Ciao. Giuseppe ... View more

Hi @LovingSplunk . as @isoutamo said: with 300 IOPS the only way is maintaining your ten IDXs! Otherwise the performces of your system will be too low to support your system. Ciao. Giuseppe ... View more

Hi @Alberto_Astolf1 , Did you directly checked if the add-on was updated on the client? did you tried to restart Splunk on the UF? what's the owner of the files in ./etc/apps/<appname> location ? Ciao. Giuseppe ... View more

Hi @Alberto_Astolf1 , checking in the DS, do you see that apps are all deployed to the client? please manually check if the updates are present on the UF and try to manually restart the UF. Are you speaking of w Windows or Linux DS and Client? Ciao. Giuseppe ... View more

Hi @Alberto_Astolf1 , let me understand: was the app not deployed to the client or was it deployed but it doesn't run? in the second case, did you remember to add the restart of splunkd on the UF? Anyway, if you have many clients, each one has to wait for more than 60 seconds. Ciao. Giuseppe ... View more

Hi @Alberto_Astolf1 , in the file deploymentclient.conf, you can find all the configurations of the connection between the client and the Deployment Server, for more infos see at https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.4/configuration-file-reference/9.4.0-configuration-file-reference/deploymentclient.conf Anyway: phoneHomeIntervalInSecs = <decimal> * How frequently, in seconds, this deployment client should check for new content. * Fractional seconds are allowed. * Default: 60. At least, you can find connection information on the _dsclient index. What's your issue? Ciao. Giuseppe ... View more

Hi @acisac , you can install ES on a stand_alone Splunk instance (I'd avoid Windows!). But Forwarders should be in another VM connected with the other VM. Ciao. Giuseppe ... View more

Hi @MJ_27 , I don't think that's possible this! It's only possible to have versioning (so also the creation dates) of the Detections (the old Correlation Searches) using ES from the 8.4 verion. Ciao. Giuseppe ... View more

Hi @LovingSplunk , you can measure IOPS, stopping Splunk on one Indexer and running a tool like Bonnie++, don't use MC. You must have at least 800 IOPS, better 1200 or more. Ciao. Giuseppe ... View more

Hi @LovingSplunk , as I said, the hardware specifications require a detailed design activity by a Splunk Architect with experience on ES implementation. Anyway, at https://help.splunk.com/en/splunk-enterprise-security-8/install/8.4/planning/minimum-specifications-for-a-production-deployment you can find the minimum hardware requirements for on-premise installations, but they are related to the number of Detections to enable and active user. Only one very important point of attention: be sure to use a very performant storage, with at least 800 IOPS, otherwise your infrastructure will be your first problem! Check this point using Bonnie++ or another tool before installing Splunk! Ciao. Giuseppe ... View more

Hi @LovingSplunk , it depends on many factors: have you ES or ITSI? have you a multisite architecture and each site must be able to ingest all the load? how many scheduled searches are running on your indexers? in general you could use one Indexer every 200 GB/day without ES or ITSI and one indexer every 100/150 GB/day with ES or ITSI, but, as I said, it depends on the above factors. Ciao. Giuseppe ... View more

Hi @RSS_STT , please try this: \"resource_id\":\s+\".*\/(?<splunk_entity>[^\"]+)\",\s+\"metric_name that you can test at https://regex101.com/r/Am82qD/2 Ciao. Giuseppe ... View more

Hi @RSS_STT , please try this regex: \"resource_id\":\s+\".*\/(?<splunk_entity>[^\"]+) that you can test at https://regex101.com/r/Am82qD/1 Ciao. Giuseppe ... View more

Hi @spl_aficionado , separating inpus and props is a recommended PS best practices even if I don't understand why to use two different add-ons. As @PickleRick said, I use two custom apps only on UFs, on HFs I use to create a custom app for inputs and I use standard (from Splunkbase) TAs for the props, so I can easily upgrade them. Ciao. Giuseppe ... View more

Hi @Jayhawker1610 , to book an exam on PersonVue, you must use the email that you used to register to Splunk Portal.  Ciao. Giuseppe ... View more

Hi @miguelmail1314 , could you better describe your requirements? what do you mean with "display a procedure (KB)? Anyway, if you don't have a SOAR or ES, you can associate to an alert a response action to choose from a list. Ciao. Giuseppe ... View more

Hi @zapping575 , as you said, using two sourcetypes you can correctly parse both the data sources and using a similar name for the sourcetypes you can use both of them using asterisk: sourcetype=eventlog* or (better) creating an eventtype sourcetype IN (eventlog, eventlogger) Ciao. Giuseppe ... View more