In the Gui >  Data > Data availability - Click on the Green Base Line Search Button, that will generate the look up, you can then go back to the Data availability and it should display results.    ... View more

Splunk has to pull data from somewhere, logs or API,  if you missed the scan, then the data should reside somewhere in the Nessus system.   You would need to look at the inputs configuration and see if there's an option based on the inputs to collect historical data from the Nessus system.  I would start by referring the the  documentation and see if that can help you.  https://docs.tenable.com/integrations/Splunk/Content/Splunk2/CreateInput.htm   ... View more

I suspect that they have made some changes to the TA add-on code and python scripts  universal_session.py I would contact them directly and see if you can get any further information. Disabling comes with security risks,  and most likely done within the python code. But I understand you have self signed ones,  and should have options, so seeking their advise might be the best cause of action, hopefully they can get the TA developer to give you further help.   support@nozominetworks.com.     ... View more

If you look under lookups,  it should show that those are all set and defined. So double check lookup up tables files / Lookup definitions / Automatic Lookups and check sysmon app context.  Also check if there's another lookup with that name, sometimes I have seen another same name  #this should point to most of the sysmon TA code (transforms) or show another. /opt/splunk/bin/splunk cmd btool transforms list eventcode --debug   ... View more

Sound like a case for dedup, based on that you can optionally also place the devices into a lookup file and also use that. (You can then use that SPL in your drop down menu which is what I suspect you want to do) See the examples and if that meets what you want to do. https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Dedup#Examples  ... View more

Mixing OS types is not recommended, that said CentOS and RHEL are mostly aligned and it should work, and you want to ensure the kernel level is supported.  BUT if you don’t follow best practices, you then take the risk, in terms of something not working due to OS specific configuration/libraries, package management/file systems/performance etc. Most Enterprise’s standardise, so they have baseline OS config as standard, and ensure that the hardware and software requirements are met for Splunk. There is a table here of the kernels level support https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/Systemrequirements#Supported_Operating_Systems  ... View more

What you can do is to monitor process or service types of events from Windows or Linux systems and monitor if it’s being run. You can't check what the packets directly into Splunk from the Wireshark app, unless the user left behind pcap files, which can be collected and read by Splunk Stream app.   You will need to first look at your systems and run Wireshark and analyse the processes or services that are running and then and look at the various TA's to help ingest the data and monitor using the various fields that contain the data. To Monitor Process and Services you need to look at the Windows Sysmon Or Windows TA and the Splunk Nix TA for Linux based systems. (These will also show users logged on, what commands run etc and use SPL to analyse) Look at the  below and explore the various options available to you. #Sysmonlog https://splunkbase.splunk.com/app/5709    #Windows TA https://splunkbase.splunk.com/app/742    #Nix TA https://splunkbase.splunk.com/app/3412    #Stream App + Pcap https://docs.splunk.com/Documentation/StreamApp/8.1.1/DeployStreamApp/UseStreamtoparsePCAPfiles ... View more

Good its working and yes lots of moving parts / configs and scenarios with Splunk.  ... View more

It's most likely some config setting under the hood as you should be able to use the SH as licence manager.  Not saying you did this, but did you set the distsearch.conf manually ?  If you look here it states  You must specify the non-clustered search peers through either Splunk Web or the CLI. Due to authentication issues, you cannot specify the search peers by directly editing distsearch.conf. When you add a search peer with Splunk Web or the CLI, the search head prompts you for public key credentials. It has no way of obtaining those credentials when you add a search peer by directly editing distsearch.conf https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Configureclusteredandnonclusteredsearch      ... View more

It sounds like you have: 1. You have a SH (Can't Search Data) 2. You have an Indexer 3. A UF which is sending eventgen data to the indexer to your index and you have verified this is working and can see data via CLI I suspect. 4. The SH is also acting a License Manager (Therefore the indexer must point to the License manager) Try the below steps and see if that fixes it. #Add the Indexer to your SH On the SH via the GUI Go to Settings- Distributed search » Search peers » Add new Normally its something like https://MY_INDEXER:8089 Add your admin and password Restart Splunk #Add the Indexer to the Licence Manager as a Licence Peer From the Indexer GUI > Settings > Licensing > Change to Peer Point to the Licence Manager https://MY_LICENCE_MANAGER:8089 (This is also your SH) Restart Splunk ... View more

Eventtypes are for search specific events/data your interested in (quick way to get some results from data that has already been indexed.  1. If you are only interested in some specific eventtypes, and want to discard the rest, you could copy each of the eventtypes stanzas names into the /local/eventtypes.conf and disable them, but not sure why you want to do that as many of these also use tags for future use case such as Splunk Data models etc.  2. If you want to tune some of these, by adding your index name, then also do that into the local/eventtypes.conf Example disable an eventype /local/eventtypes.conf  [windows_event_signature] disabled = [1|0] (1 = disabled - 0 = enabled) or tune an eventtype with my index example /local/eventtypes.conf  [windows_event_signature] search = index=my_windows_index sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog More on eventtypes concepts  https://docs.splunk.com/Documentation/Splunk/9.2.1/Knowledge/Abouteventtypes  ... View more

What ever do you mean? A Splunk Admin manages and maintains Splunk Environments and the platform overall and other aspects.  What are you trying to achieve, for this community to help you, please details what objectives you want meet?  ... View more

That app is not Splunk Cloud Supported - hence you can't install it. It might be worth contacting the Developers of this app (Not splunk Developed) and see what options they offer  you.  ... View more

You will need to use the Splunk DB connect application - it mentions that Mongo DB atlas is supported - you will need to install the drivers etc.  https://docs.splunk.com/Documentation/DBX/3.17.1/DeployDBX/AboutSplunkDBConnect  There are many steps so work through them slowly  and not miss any steps.  This is a good link to get an overview of DB connect, but you will have to set-up for Mongo db as you go along https://lantern.splunk.com/Splunk_Platform/Product_Tips/Extending_the_Platform/Configuring_Splunk_DB_Connect    ... View more

That's correct, the behaviour of Splunk is that any code(props/trans) in local will override the app default settings.  As long as you use the same sourcetype name that's in the Windows TA and use that in your custom TA, and they live side by side and the local will override. Note: The other Windows TA settings will still kick in but yours will override.     ... View more

I forgot to mention in terms of pre-reqs:  1. Newrelic should have some way of using API calls, you can use Splunk Tokens for API use and as a way of authentication  - see below link for info  https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/CreateAuthTokens   ... View more

Hi @shocko  yes precisely that (the code is then in another separate custom add-on TA) that you control for custom code changes, it lives side by side with the Splunkbase TA and this is optional,  so example, App called my_windows_sidecar_ta and add local there and push out, but you need to know the app structure for this some people do it others don't,  main thing is local. example of creating your own TA  https://dev.splunk.com/enterprise/tutorials/quickstart_old/createyourfirstapp/         ... View more

These would come to mind first - there's plenty more, you can explore the others and use them as you as you see fit.  1. Check the overall health /services/cluster/manager/health 2. Check Cluster Status of the peers (Indexers /services/cluster/manager/peers 3. Check the indexing status /services/cluster/manager/indexes 4. Check the Replication and Search Factor status /services/cluster/manager/status You can also check the CM's resources (CPU/MEM etc) 5. Check Resource Utilisation on the CM /services/server/status/resource-usage/hostwide   ... View more

This requires some discovery work from your organisation or network engineer, Splunk can't magically work out a network's connections unless you have data that states so.  An option might be to ingest the data from these components and ensure the source_ip and destination_ip data is ingested and that may help you see the traffic flow  and you can use a Splunk app with the discovery work.  like https://splunkbase.splunk.com/app/6876    Or you might want to look at, other third-party tools for that and perhaps then create a look up file that contains this information, so its then presented to Splunk and to help you with your use case.       ... View more

You can continue to use the props/transforms from the Splunk Windows TA BUT you need to use the /local/props.conf and /local/transforms.conf So, create a local folder within the TA and add the two files, if you change the default props and trans, they will get overwritten during upgrades in the future.    So, configure as per below example, you will need to work out what events you want to discard, so some regex, and this is the better way, the rest will get logged into Splunk.     props.conf [MSAD:NT6:Netlogon] TRANSFORMS-send_to_null_events = send_null_netlogin_events   # transforms.conf [send_null_netlogin_events] REGEX = <YOUR REGEX FOR LINES YOU DONT WANT> DEST_KEY = queue FORMAT = nullQueue   The above code then needs to placed on the Indexers or Heavy forwarder - if the data is sent here first (Splunk Full Instances), so deploy the Windows TA that contains your new code. Note: The UF will not do it) Another way is to create your own side car TA and have the code there and run it alongside the Windows TA. ... View more