Hi, I have been tasked to investigate what is needed to receive SAP logs in Splunk. The first thing I find when I make my first queries on google is that there is a connector called "SAP PowerConnect for Splunk" but when I enter https://splunkbase.splunk.com/app/3153 and try to download it I get a message saying that the download is restricted.   I also found this step by step and I would like to know what you think if the information is current because as we know about Splunk we find information on the internet but in many cases it is very old and perhaps obsolete information. https://www.wallsec.de/blog/siem-your-sap-security-audit-log-with-splunk#h.p_2Y3sy8TDSHCy   and in this last link I see a process and the truth is that the matter is complex. Solved: How to Splunk the SAP Security Audit Log - Splunk Community   ... View more

Hello, I currently have an intake that is exceeding 100GB per day and I would like to know what are the best practice recommendations to support this intake without affecting performance. How many servers or indexers are needed and their minimum and recommended specifications? ... View more

I find myself using Splunk Cloud and I see that the licensing is being exceeded on daily. In the Cloud Monitoring Console APP there is no option that allows me to see what the sourcetype is and this would help me to know exactly which source has increased usage. ... View more

A question, When we talk about correlation, is it necessarily because a query is being made in 2 or more sources? Or is it also considered correlation when certain criteria are searched in a source to try to find a possible event or security incident? For you what is correlation in Splunk? ... View more

Hello, When I run a query I get the results as I need them in a table from Splunk but when I download the .csv file, the timestamp field changes to an incorrect date and year. Does anyone know how I can fix it?         ... View more

Hello, "The ingestion certificates on xxxx Splunk Cloud environment xxx Universal Forwarder certificate package, will be expiring on x/xx/2022. In order to ensure that ingestion is not disrupted, we have rolled out an updated Universal Forwarder (UF) package to your customer’s Splunk Cloud Platform stack. The operational contacts have been informed of this information via xxxx. They will need to install this updated package on all forwarders connecting to their Splunk Cloud Stack as soon as possible. We are asking you to please reach out to your customer and verify they are aware that they are responsible for rolling out this package and should do so immediately." I have received a message from splunk and I would like you to please confirm if what I must do is related to this link https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/ConfigSCUFCredentials?ref=hk#HowtoforwarddatatoSplunkCloud#How_to_forward_data_to_Splunk_Cloud       ... View more

Hello, Sorry for the translation. Currently with the help of the DBconnect APP I am receiving the logs from an aurora database without any problem. My client is telling me that he needs to upgrade from version 11.6 to 11.15. At the driver level, should I make any adjustments or can I tell them that you can update your database without any problem?   tnx ... View more

Hello everyone With some embarrassment I confess that I do not know how to use the lookup command and although I have read the documentation I have not been able to. I have an index called antivirus and one of the fields is "application" from which I have obtained a list of all the programs installed on the users' computers. Now my client has returned a response with the list of programs that are authorized and I must add an exception to them.   this is the SPL code that I currently use index=antivirus event=KLNAG_EV_INV_APP_INSTALLED |search Aplicacion!="*teams*" Aplicacion!="*Adobe*" Aplicacion!="*java*" Aplicacion!="*skype*" Aplicacion!="*365*" Aplicacion!="*kaspersky*" Aplicacion!="*chrome*" Aplicacion!="*SAP*" Aplicacion!="*SQL*" Aplicacion!="*visual studio*" Aplicacion!="*office*" Aplicacion!="*Microsoft OneDrive*" Aplicacion!="Microsoft Edge" Aplicacion!="WebView2 Runtime de Microsoft Edge" Aplicacion!="zoom" Aplicacion!="Hyland Unity Client [Unity_Prod]" Aplicacion!="Microsoft Windows QFE" Aplicacion!="Offimizer" (here i need use lookup command) | stats count by Aplicacion IP message |sort - count   now, I know that I have the lookup editor plugin, I suppose that from there I can upload the file, my question is if it can be in .xlsx or if it has to be .csv   and 100 more ... View more

I need to get the list of the IPs that have generated the most outgoing traffic. When the query is generated I find that there are multiple records for the same IP. Is there any way to get a total of GB for each IP? Thank you   ... View more

Hello, I see that there is a new vulnerability that affects Splunk and I have a couple of doubts https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html Excuse me if the question is silly but what is not clear to me is if I should update the version of Splunk Enterprise as SIEM or if I should update only the agents on the endpoints. Or both? Thank you for your answers     " Description Splunk Enterprise deployment servers in versions before 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.  The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is not affected by the vulnerability. For SCP customers that run deployment servers, upgrade to version 9.0 or higher. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.   Solution Upgrade Splunk Enterprise deployment servers to version 9.0 or higher " ... View more

Hi I need to create an alert for when the VPN goes down but only when the drop lasts more than 1 minute. I would appreciate your help   Right now I have the alert set to report any down events and then manually check which ones last longer than 1 minute. index=paloalto |search EventID=tunnel-status-down OR EventID=tunnel-status-up ... View more

Sorry for the bad translation. I have a Cloud client. The license is 50GB by day Additional DDAA has been contracted about what is not very clear to me, the shared documentation seems to be outdated or not available. https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/User/DataArchiver https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Service/SplunkCloudservice#Storage https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Service/SplunkCloudservice#Search When I go to "Settings" - "Indexes" I can see the indexes used by this client and the others that are internal to splunk from what I see.   I see that one of the indexes has already reached the maximum size of 500GB and I don't know if it has the DDAA active. According to this image I understand that the DDAA is active? I must do something? I am worried if information is being lost since the client needs to retain that data for a long time     ... View more