Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About debjit_k
debjit_k
Path Finder
Member since:
02-18-2022
a month ago
Community Statistics
| Posts | 73 |
| Solutions | 0 |
| Karma Given | 14 |
| Karma Received | 0 |
| Member Since | 02-18-2022 |
Activity Feed
- Posted Re: Splunk Priority on Getting Data In. a month ago
- Posted Splunk Priority on Getting Data In. a month ago
- Posted Splunk Mission Control Issue on Splunk Enterprise. a month ago
- Posted How to Onboard a device in Splunk? on Getting Data In. 08-21-2023 07:44 PM
- Posted Re: How to find EPS/GB? on Getting Data In. 05-25-2023 10:14 AM
- Posted How to find EPS/GB? on Getting Data In. 05-25-2023 04:30 AM
- Posted Re: Splunk Version Query on Getting Data In. 05-17-2023 07:36 AM
- Posted What is the most stable version of Splunk presently? on Getting Data In. 05-17-2023 05:06 AM
- Posted Re: How to convert the data from JSON format to raw logs? on Getting Data In. 12-20-2022 06:38 PM
- Karma Re: How to convert the data from JSON format to raw logs? for gcusello. 12-20-2022 06:28 PM
- Karma Re: How to convert the data from JSON format to raw logs? for m_pham. 12-20-2022 06:28 PM
- Posted Re: How to convert the data from JSON format to raw logs? on Getting Data In. 12-20-2022 08:12 AM
- Posted How to convert the data from JSON format to raw logs? on Getting Data In. 12-19-2022 07:16 PM
- Posted Re: Dropping a subnet at index on Getting Data In. 12-18-2022 05:37 PM
- Karma Re: Dropping a subnet at index for gcusello. 12-18-2022 05:37 PM
- Karma Re: Trend Micro Vision one integration for gcusello. 12-18-2022 05:37 PM
- Posted Re: Trend Micro Vision one integration on All Apps and Add-ons. 12-18-2022 06:00 AM
- Posted Re: Dropping a subnet at index on Getting Data In. 12-18-2022 05:55 AM
- Karma Re: Dropping a subnet at index for gcusello. 12-18-2022 05:55 AM
- Posted How to drop a subnet at index? on Getting Data In. 12-17-2022 07:30 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-05-2022
09:26 PM
Hi @gcusello Sorry for my inconvenience to you.. I'm looking like If (Last failed login)-(log in) is < 30 min it will triggered Suppose Last fail log in is 10:05 Success full login at 10:25 If the time gap between them is less than 30 mins then it should triggered and alert.. Thank
... View more
09-05-2022
09:09 PM
Hi @gcusello Thank you I have change the query little bit as I was getting no successful attempt also in the table.. But little bit concern with the time span I gave very minimal time to test the query but it is not showing zero events For example index=sdp_siem_win source=WinEventLog:Security (EventCode=4625 OR EventCode=4624) | eval username=mvindex(Account_Name, 1) | stats count(eval(EventCode="4625")) AS Failed_count count(eval(EventCode="4624")) AS Success_count first(eval(if(EventCode="4624",strftime(_time,"%Y-%m-%d %H:%M:%S")." "."Success",""))) AS Success values(eval(if(EventCode="4625",strftime(_time,"%Y-%m-%d %H:%M:%S")." "."Failed",""))) AS Failed earliest(_time) AS earliest latest(_time) AS latest by host username | eval alert=if(Failed_count>5, "more_fails", "no_more_fails") | where alert="more_fails" AND Success_count>0 | table username host Failed Failed_count Success alert | search Success!="" The above query showing the result but if I time time function then it is showing 0 result index=sdp_siem_win source=WinEventLog:Security (EventCode=4625 OR EventCode=4624) | eval username=mvindex(Account_Name, 1) | bin span=2m _time | stats count(eval(EventCode="4625")) AS Failed_count count(eval(EventCode="4624")) AS Success_count first(eval(if(EventCode="4624",strftime(_time,"%Y-%m-%d %H:%M:%S")." "."Success",""))) AS Success values(eval(if(EventCode="4625",strftime(_time,"%Y-%m-%d %H:%M:%S")." "."Failed",""))) AS Failed earliest(_time) AS earliest latest(_time) AS latest by host username | eval alert=if(Failed_count>5, "more_fails", "no_more_fails") | where alert="more_fails" AND Success_count>0 AND latest-earliest<120 | table username host Failed Failed_count Success alert | search Success!="" Can you please guide me where I get wrong Thanks
... View more
09-05-2022
08:14 AM
Hi @gcusello Thank you so much for your support just one last question I have in my mind.. While searching im getting first success full attempt followed by failed attempt but I want to see my failure followed by success. For example 10:02 failed 10:03 failed... 10:35 success And I want only 1 successful attempt not multiple success but while running im getting Failure 61 success 12 But I want failure 61 and success==1 Thanks
... View more
09-05-2022
06:59 AM
Hi @gcusello I tried your query it is working I have one more question I want to keep like 10 unsuccess login within 30mins and it login Thanks
... View more
09-05-2022
06:12 AM
Hi All,
I want to create a use case where the account is inactive for 60 days and it got enable after 60 days..
I tied to draw ta logic but not sure whether query is correct or not.
Can somebody please modify the query if it required some change
index=wineventlog EventCode=4624 user=”*@xyz.com" earliest= -60d latest = now() | transaction user maxspan=60d search (EventCode!=)
Thank you
... View more
Labels
- Labels:
-
captain
-
search head
-
search peer
-
Windows
09-05-2022
05:46 AM
Hi @gcusello , While running your query im getting the below error Error in 'stats' command: You must specify a rename for the aggregation specifier on the dynamically evaluated field 'count(eval(EventCode="4625"))'. Can you please guide me what's the issue Thanks
... View more
09-05-2022
05:02 AM
Hi
I want to create a splunk use case like a after getting 3 times failure the account again got enable..
I was working n below is my query but it is giving me 0 result can you please help me to modify the query
source=WinEventLog:Security (EventCode=4625 OR EventCode=4624) | eval username=mvindex(Account_Name, 1) | streamstats count(eval(match(EventCode, "4625"))) as Failed, count(eval(match(EventCode, "4624"))) as Success reset_on_change=true by username | eval alert=if(Failed>3, "yes", "no") | where Failed > 3 | eval newname=username, newhost=host | where (Success > 1 AND host=newhost AND username=newname) | eval end_alert="YES" | table _time, username, host, Failed, Success, alert, newname, newhost, end_alert
Thanks
... View more
08-16-2022
06:42 AM
There is a scenario like one of our trend micro DDA is not reporting to our syslog server.
Why it is not reporting
Previously we use port 514 and now we are using port 6514 but 6514 is not reporting to syslog. And we want both the listening port 514 and 6514.
My question
1. Can we have both the port open on our syslog I.e. 514 and 6514
2. How to enable the port listing on our syslog for the port 6514
Thank you
... View more
Labels
- Labels:
-
Linux
-
universal forwarder
08-01-2022
05:47 AM
Hi @gcusello , We enable the telnet for indexer over the port 9997 but it is not reporting to Splunk. According to you what will cause the issue services are running also Thanks Debjit
... View more
08-01-2022
12:49 AM
Hi @gcusello , But the devices which are reporting to splunk are configure in same way. In output.conf they gave the IP of deployment server IP and yes telnet it working for them but those 3 non reporting server the telnet is not working that's the difference. Thanks Debjit
... View more
07-31-2022
08:55 PM
Hi @gcusello , Just one small doubt I have. On those windows server we can see like it is sending the data to deployment server (because in output.conf it is showing deployment server IP), so why do we need to open the telnet for index server like we can only open it for deployment server It will work? Just a small doubt. Thanks Debjit
... View more
07-31-2022
08:58 AM
Hi @gcusello , Thank you for the help. Will infome you once it is done Thanks Debjit
... View more
07-31-2022
08:19 AM
Hi @gcusello , I guess from firewall end we need to check this connection correct me if im wrong.. Thanks Debjit
... View more
07-31-2022
08:15 AM
Hi @gcusello, Telnet is install but it is not replying to the indexer. So to fix this issue is there anything we can do from client end. Thank you Debjit
... View more
07-31-2022
08:04 AM
Hi @gcusello , Thank you for the support . Yeah I checked the host name on the deployment server and the name is correct only.. I guess telnet is the issue.. So if telnet is not responding to that indexer so what is needed to install on the client-server? Thanks you Debjit
... View more
07-31-2022
07:51 AM
Hi @gcusello , How to check the telnet connection I want to verify it. We gave the deployment server IP 8089 port is this the correct way to do so. Thank you Debjit
... View more
07-31-2022
07:33 AM
Hi @gcusello , Hope you are enjoying your holidays Install from scratched. We have deployment serve and I can see those server. The local Firewall is off if it is on we can't take RDP So not sure what is happening Thank you Debjit.
... View more
07-31-2022
06:01 AM
Hope you are doing great.
Again facing a challenging and seeking some help.
Prob statement
We have 200 windows server out of which 3 devices and not reporting suddenly.
I tried to check the output.conf and server.conf it looks looks fine and I also compare those files with the working server.
Everything is fine.
And yes I check the status of the non reporting server it is showing up and running and while using TTL the server is responding not Im unable to get the data on splunk.
I don't have much idea what could be the root cause it will be great if you could suggest me something..
Note: Splunk installed on on-prem
Thanks
Debjit
... View more
Labels
07-25-2022
01:18 AM
Hi @gcusello Really appropriate for helping me this much to understand the concept of the bucket. Thank Debjit
... View more
07-24-2022
06:32 PM
Hi @gcusello Yeah you are right I should do a defined capacity plan for my storage. One things I was going through the index.conf file and come to know like my maxTotalDataSizeMB=500000 i.e. Equivalent to 500 GB (so this define the total storage of hot+warm+cold) and if the number exceed then splunk will delete the data automatically. Kindly correct me if im wrong. If im write can you please suggest me a query to know how many gb hot+warm+cold bucket is getting consumed by a x index.. Thanks
... View more
07-24-2022
12:52 AM
Hi @gcusello I have a few questions on my mind it would be great if you could address me 1. What is the use of maxTotalDataSizeMBand what will happen if it is set to zero 2. If my log injection is high then data will from hot to warm to cold if hot is full n warm 300 buckets is full, so my current retention policy is set to 6 years that means my no of cold bucket will increase correct me if my understanding is wrong Thanks
... View more
07-24-2022
12:44 AM
Hi @gcusello sure sure. after all it’s a community’s where we share our problems or knowledge to learn more. I’m little bit worried with the concern which I’m having with my environment, if I figure out somehow I will post it here. thanks
... View more
07-23-2022
10:11 AM
Hi @gcusello Please no sorry thank you for everything. if I found something or if I suck anywhere I will come back here again and will update you the same. Is there any luck you have linkdln account if you don’t mind then we connect also connect there thanks
... View more
07-23-2022
06:15 AM
Hi @gcusello Thank you I learn something new today. yes I checked and found that maxdatasizeMB=0 and frozentimeperiodinsec=188697600 which is set to default i.e. 6 years and one yes 1 Custom index has different frozen time but it is not related to that index which I’m taking about. I too check other custom index situation is same but I can see 100+ days of data but it is not happing with that index whose log injection is high all index are confirmed in same way. thinking why there is a discrepancy in data where the data is being drop after 55 days thanks
... View more
- « Previous
-
- 1
- 2
- Next »
