Activity Feed
- Posted Re: Expired key microsoft 365 app on Getting Data In. 01-20-2024 08:11 PM
- Karma Re: Copy windows logs in raw mode for dtburrows3. 01-04-2024 12:57 PM
- Posted Copy windows logs in raw mode on Splunk Search. 01-04-2024 10:09 AM
- Posted Re: Expired key microsoft 365 app on Getting Data In. 12-13-2023 10:16 AM
- Karma Re: Expired key microsoft 365 app for isoutamo. 12-13-2023 10:16 AM
- Posted Expired key microsoft 365 app on Getting Data In. 12-13-2023 08:32 AM
- Got Karma for Re: Alien Vault Check OTX. 11-25-2023 08:17 PM
- Posted Re: Alien Vault Check OTX on Splunk Search. 11-25-2023 08:15 PM
- Karma Re: Alien Vault Check OTX for tscroggins. 11-25-2023 08:11 PM
- Posted Alien Vault Check OTX on Splunk Search. 11-25-2023 04:03 PM
- Posted Splunk ES fortinet new source on Security. 10-18-2023 07:45 AM
- Tagged Splunk ES fortinet new source on Security. 10-18-2023 07:45 AM
- Posted Re: How do I Download and Setup DB Connect? on Getting Data In. 09-05-2023 01:46 PM
- Got Karma for Re: The maximum number of concurrent historical searches on this instance has been reached. 08-02-2023 07:04 AM
- Posted How do I Download and Setup DB Connect? on Getting Data In. 07-20-2023 12:45 PM
- Posted How to show 2 eventcode fields? on Splunk Search. 07-07-2023 04:10 PM
- Karma Re: Upgrading Splunk 8.0.x to 9.0.x for gcusello. 05-19-2023 06:11 AM
- Posted Upgrading Splunk 8.0.x to 9.0.x on Splunk Search. 05-18-2023 08:33 PM
Topics I've Started
02-20-2023
07:30 AM
Hi, I have been tasked with investigating what is needed to receive SAP logs in Splunk. The first thing I find when I run my first Google searches is that there is a connector called "SAP PowerConnect for Splunk", but when I go to https://splunkbase.splunk.com/app/3153 and try to download it I get a message saying that the download is restricted. I also found this step-by-step guide and I would like to know whether you think the information is current, because, as we know with Splunk, we find information on the internet but in many cases it is very old and perhaps obsolete: https://www.wallsec.de/blog/siem-your-sap-security-audit-log-with-splunk#h.p_2Y3sy8TDSHCy. In this last link I see a process, and the truth is that the matter is complex. Solved: How to Splunk the SAP Security Audit Log - Splunk Community
- Labels: inputs.conf
02-11-2023
09:50 AM
One of the data sources being sent to Splunk comes from a database, and it is collected via the DB Connect plugin.
- Tags: DDAA
02-11-2023
09:08 AM
Our client is asking us for information that is stored in Splunk Cloud, and I am not aware of how to access a copy of that information, either because they simply want to have it or because they want it backed up from time to time. The second part of the question is: if there is a way to have a copy of that information, what is the restore process?
- Labels: Other, using Splunk Cloud
02-03-2023
09:49 AM
Hello,
I currently have an intake that exceeds 100GB per day and I would like to know the best-practice recommendations to support this intake without affecting performance.
How many servers or indexers are needed, and what are their minimum and recommended specifications?
- Labels: eval
02-03-2023
07:53 AM
I am using Splunk Cloud and I see that the license is being exceeded daily.
In the Cloud Monitoring Console app there is no option that lets me see the sourcetype, which would help me know exactly which source has increased its usage.
- Labels: search job inspector, stats
02-03-2023
07:40 AM
From your point of view and experience, is a multi-source correlation process easy or difficult? Normally, when you want to correlate in Splunk and not in Splunk ES, do you tend to use subqueries or a combination of tables?
02-02-2023
09:04 PM
A question:
When we talk about correlation, is it necessarily because a query is being made across 2 or more sources?
Or is it also considered correlation when certain criteria are searched in a single source to try to find a possible event or security incident?
For you, what is correlation in Splunk?
- Labels: Other
10-18-2022
08:41 PM
Hi, thanks for replying. Is it possible, with the |eval you suggest, to modify the order of the date so that Excel does not generate that error? I already tried to format it from Excel but the problem still persists.
10-18-2022
07:27 PM
Hello, when I run a query I get the results as I need them in a table in Splunk, but when I download the .csv file, the timestamp field changes to an incorrect date and year.
Does anyone know how I can fix it?
- Labels: eval
09-20-2022
01:50 PM
Hello, thank you for answering. Is it here?
09-20-2022
12:05 PM
Hello, I have installed the DB Connect add-on. After restarting and logging into the app, it keeps loading indefinitely until the error message appears. I have gone through all the threads related to this error message but none of them have helped me solve the problem.

root@myhost:/usr# java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-8u242-b08-1~deb9u1-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)

index=_internal sourcetype=dbx*
- Labels: Other
08-25-2022
10:28 AM
Hello, I currently have the DB Connect plugin installed to receive the logs from an Aurora database.
To date everything works without problem, but my client tells me that he needs to go from version 11.6 to version 11.5.
I would like to know if I should do something, or whether the fact that it is already working with the current version implies that a higher version should not affect anything?
https://docs.splunk.com/Documentation/DBX/3.8.0/JDBCPostgres/About
- Labels: configuration, upgrade
08-25-2022
10:24 AM
Hello, I am currently receiving ADAudit Plus logs but I have no idea what use cases I can draw from this source.
I also do not see that there is an app with dashboards to help me.
Any suggestions?
- Labels: configuration, search
08-24-2022
09:36 AM
Thank you very much for the help. Sorry for the bad translation I used.
08-24-2022
08:17 AM
It is a heavy forwarder only that points to Splunk Cloud, that is to say, I only have to:
1. Download the splunkclouduf.spl file again from Splunk Cloud
2. SSH into the heavy forwarder and put the splunkclouduf.spl file in a temporary folder
3. Enter the splunk bin folder and run this command: /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl
4. Enter the credentials of the HV, and that's it?
08-24-2022
07:39 AM
Hello,
"The ingestion certificates on xxxx Splunk Cloud environment xxx Universal Forwarder certificate package, will be expiring on x/xx/2022. In order to ensure that ingestion is not disrupted, we have rolled out an updated Universal Forwarder (UF) package to your customer’s Splunk Cloud Platform stack. The operational contacts have been informed of this information via xxxx. They will need to install this updated package on all forwarders connecting to their Splunk Cloud Stack as soon as possible. We are asking you to please reach out to your customer and verify they are aware that they are responsible for rolling out this package and should do so immediately."
I have received a message from Splunk and I would like you to please confirm whether what I must do is related to this link: https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/ConfigSCUFCredentials?ref=hk#HowtoforwarddatatoSplunkCloud#How_to_forward_data_to_Splunk_Cloud
- Labels: configuration, using Splunk Cloud
08-19-2022
09:03 AM
Hello, sorry for the translation. Currently, with the help of the DB Connect app, I am receiving the logs from an Aurora database without any problem. My client is telling me that he needs to upgrade from version 11.6 to 11.15. At the driver level, should I make any adjustments, or can I tell them that they can update their database without any problem? Thanks
- Labels: upgrade
07-22-2022
02:18 PM
Hello everyone. With some embarrassment I confess that I do not know how to use the lookup command, and although I have read the documentation I have not been able to. I have an index called antivirus and one of the fields is "application", from which I have obtained a list of all the programs installed on the users' computers. Now my client has returned a response with the list of programs that are authorized and I must add an exception for them. This is the SPL code that I currently use:

index=antivirus event=KLNAG_EV_INV_APP_INSTALLED
| search Aplicacion!="*teams*" Aplicacion!="*Adobe*" Aplicacion!="*java*" Aplicacion!="*skype*" Aplicacion!="*365*" Aplicacion!="*kaspersky*" Aplicacion!="*chrome*" Aplicacion!="*SAP*" Aplicacion!="*SQL*" Aplicacion!="*visual studio*" Aplicacion!="*office*" Aplicacion!="*Microsoft OneDrive*" Aplicacion!="Microsoft Edge" Aplicacion!="WebView2 Runtime de Microsoft Edge" Aplicacion!="zoom" Aplicacion!="Hyland Unity Client [Unity_Prod]" Aplicacion!="Microsoft Windows QFE" Aplicacion!="Offimizer"
(here I need to use the lookup command)
| stats count by Aplicacion IP message
| sort - count

Now, I know that I have the lookup editor plugin; I suppose that from there I can upload the file. My question is whether it can be in .xlsx or if it has to be .csv and 100 more
- Labels: lookup
07-08-2022
03:14 PM
I need to get the list of the IPs that have generated the most outgoing traffic.
When the query is generated, I find that there are multiple records for the same IP.
Is there any way to get a total in GB for each IP?
Thank you
- Labels: stats
06-16-2022
09:01 AM
I usually download and install Splunk Enterprise, then ask my clients to install the agent (Universal Forwarder) for log forwarding. In the installation wizard there is a step called "Deployment server"; I skip that step, that is, I do not use a deployment server. So should I update Splunk, or update the agent on each endpoint, or not update anything because I don't use a deployment server?
06-16-2022
08:50 AM
Hello, I see that there is a new vulnerability that affects Splunk and I have a couple of doubts: https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html Excuse me if the question is silly, but what is not clear to me is whether I should update the version of Splunk Enterprise as the SIEM, or update only the agents on the endpoints, or both? Thank you for your answers.

"Description: Splunk Enterprise deployment servers in versions before 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server. The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is not affected by the vulnerability. For SCP customers that run deployment servers, upgrade to version 9.0 or higher. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties. Solution: Upgrade Splunk Enterprise deployment servers to version 9.0 or higher"
- Labels: Other, universal forwarder
05-09-2022
08:52 AM
Hello, it did not bring me results. This is the result when I only filter by the EventIDs. How can I calculate the time between the first down and the next up?
05-09-2022
07:49 AM
Hi,
I need to create an alert for when the VPN goes down, but only when the drop lasts more than 1 minute.
I would appreciate your help.
Right now I have the alert set to report any down events, and then I manually check which ones last longer than 1 minute.
index=paloalto |search EventID=tunnel-status-down OR EventID=tunnel-status-up
- Labels: count
05-05-2022
04:20 PM
Sorry for the bad translation. I have a Cloud client. The license is 50GB per day. Additional DDAA has been contracted, about which I am not very clear; the shared documentation seems to be outdated or not available.
https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/User/DataArchiver
https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Service/SplunkCloudservice#Storage
https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Service/SplunkCloudservice#Search
When I go to "Settings" - "Indexes" I can see the indexes used by this client and the others that, from what I see, are internal to Splunk. I see that one of the indexes has already reached the maximum size of 500GB and I don't know if it has DDAA active. According to this image, I understand that DDAA is active? Must I do something? I am worried that information is being lost, since the client needs to retain that data for a long time.
- Tags: DDAA
- Labels: Other, using Splunk Cloud