Hello @MuS, I'm even more late to the party, but am running in somewhat of a similar situation. I have new data coming in via syslog, but no fields are auto extracted. So, I'm using REPORT to extract them. I have the stanza ready, but I placed it in the Heavy forwarder by mistake. Should I place it in the props on the search head or the Indexer for the change to work. Thank you, ... View more

Error messages in Splunkd can help. Also, please check if the certificate that you've specified in web.conf is still valid or not, and the correct path to the certificate is mentioned over there. ... View more

You haven't specified anything in inputs.conf for Splunk to look for. Splunk uses API calls tp monitor these logs, which are in binary format. Adding this stanza in inputs.conf on the UF will help. Please make sure that the Index is already created on your Indexer/s. Also, after pasting this on your inputs.conf, please make sure to restart splunkd on the DC. [WinEventLog://Security] disabled = 0 index = your_index_name I'll also suggest you to use a server as a deployment server for the UFs. That way, you can compartmentalize your UFs according to the types of servers on which they are deployed, example: Domain controllers, any app's database, DHCP servers etc. Also, you can change their inputs.conf anytime from the deployment server, rather than going to the servers to make the changes all the time. Will become increasingly difficult, as your environment grows. ... View more

Yes you can. Splunk has a specific add on for AD. You can check it out. Here's its doc on how to configure and deploy it. I think it'll serve your purpose of bringing those logs into Splunk. Once logs are in, it's very easy to build the required dashboard. https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.1/User/ConfiguretheSplunkSupportingAdd-onforActiveDirectory ... View more

If you're trying to do the LDAP query to get the data, then I'd suggest to go for this https://splunkbase.splunk.com/app/3207 / If you are trying to bring the security/directory services or any other type of logs into Splunk from Domain controllers, then you need to make sure that: Your UF is reporting to your deployment server. Inputs.conf and outputs.conf are correctly configured and placed in your domain controllers. There's no firewall restrictions in between (Usually isn't, but you never know) If you can share your inputs and outputs, masking the important details, we can help further. ... View more

You can actually save some licensing too, just by blacklisting the field, along with it's value in inputs.conf itself. blacklist = src_ip = 10.0.0.0/8 Else, routing the data to null queue, as explained by @mguhad, will work too. I find blacklisting the data to be more helpful, when i know I don't need a portion of data at all. Why even bother to ingest it, when it has no use. ... View more

With your condition to move the data, but not stop the in-flight writes, I think the best and the safest bet is to go with the steps that you've described. I don't believe there's an easy way out for you. As always, as the last resort, you can open up a support ticket and ask Splunk directly. But with my experience with them, they'll suggest you to to go with your steps only. ... View more

Well, unless you want to ingest something very specific from a table, from ePO's database, I'd suggest to go with this. Easy integration, and will get you all the required threat logs into Splunk in a hassle free manner. https://splunkbase.splunk.com/app/1819/#/details ... View more

You can do this by writing your spl -> then in Timerange picker, select Date & Time range -> In the dropdown, select Between and the set the exact date, for which you want to see the logs, and in hours, start with 00:00:00.000 -> Set the same date again the second filter and set the time to 23:59:59.000 This should make sure that you only see the logs from that particular date only. ... View more

If you are running on version 7 of Splunk, then you can look into this app: https://splunkbase.splunk.com/app/4040/#/overview A good answer in the Dynatrace community. You can post your question there as well, which will give you a better chance of getting a solution, if mine didn't help. https://answers.dynatrace.com/questions/217422/splunk-integration-with-dynatrace-saas.html ... View more

No worries. If it worked, please accept this as the answer, so that it may help others in the future, should they run into a similar kind of issue. ... View more

Maybe this can help: | rex field=_raw "(?<user_group>^(Con.+ess|Pul.+ole|RSI.+|VPN.+ulse|test|Users)" ... View more

Agreed. Thank you for the correction @jkat54 . I answer via my phone, and auto correct must have changed it. ... View more

@to4kawa, it contains the logs of your Virtual Private Network a.k.a VPN. Like which user is connecting to your organizations network via VPN, how many users are connected. Then VPNs are divided region wise, so you get different VPN usage analysis statistics region wise. ... View more

Try this. It should give you the required data. index=juniper host="XXXXXXX" earliest=-90d latest=now() | timechart span=1w count by user ... View more

I'm assuming you're talking about the forwarders, connecting to your deployment master. Technically speaking, if a forwarder connects to a deployment master, then it means it is sending some sort of Internal data or phoning home. If you want to check which forwarders are reporting and which aren't, then the simplest way is to go to Settings -> Monitoring Console -> Forwarders -> Forwarders - deployment and scroll down to see the status of all of your forwarders, who are and have reported to your deployment master in the past. Those with the status of active are sending at least their Internal logs and those who are missing are not sending anything. If you want the report out of it, in the bottom of the panel, you'll find the Open in search option. You can click that. If your looking at your Indexers, then opening Indexers' CM will give you an insight. If you're looking for something else, then please describe your problem in detail. Hope this helps. ... View more

Splunk HEC comes with your Splunk enterprise package. There's no additional hardware and software requirements for it. Go to settings -> Data inputs -> HTTP Event Collector -> Click on add new and Just follow the documentation mentioned below, and you're all set. https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/UsetheHTTPEventCollector ... View more

Can you ask the users to try to search the data from the Index, just by writing index=index_name and see what results do they get. I've seen the issue, where due to multiple roles assigned to the users, sometimes the permissions don't work correctly. ... View more

Agreed. It's a nightmare to do the aggregation of the fields with spaces in it. ... View more

Oh my bad. Please try this: | stats avg(eval(round(duration,2))) AS "booking average time" by hours ... View more

Since there are two different condition, there'll be 2 different SPL, in my opinion. Try these and see if they might help you. In the span part, you can specify the span as per your needs. I also hope that index=* was done for obfuscating the name of the index, if not, then please specify the name of the Index, when you run this search in your environment. First SPL: index=* source="/u01/testing.csv" sourcetype="365csv" | where NOT "Last Login"=NULL AND Disable="YES" | timechart span=1d count by region Second SPL: index=* source="/u01/testing.csv" sourcetype="365csv" | search "Last Login"=NULL AND Disable!="NO" | timechart span=1d count by region ... View more

May be this might help: | stats avg(duration) AS "booking average time" by hours | eval "booking average time"=round(("booking average time"),2) ... View more

Could you please elaborate as to what "Maximum attempts" is? I believe the SPL that you wrote already is giving you the count of all the attempts made for authentication by a src to a dest. Do you want to compare the attempts made in the time frame that you're running the SPL in vs the whole day's time frame or something else. ... View more

Everyone looking for Intune's integration with Splunk, this is one of the ways, with which you can do it. If you don't want to do it via azure monitor, then you can use storage accounts to dump Intune's data and get it from there via REST APIs calls. Step 1: Send you Intune logs to Azure Monitor using this link: https://docs.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor Step 2: Start monitoring logs from Azure Monitor into Splunk. You can refer to this link to monitor them: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-splunk Let me know if it helps. ... View more