Question in the title. Thanks in advance! ... View more

Do you happen to know if Cisco Meraki syslog, especially Flows and URLs have bytes in and bytes out? We're logging Meraki and there's no field whatsoever for bytes. Is it something that can be configured from Meraki logger console? Or the actual solution itself don't record that? ... View more

Has anybody encountered Windows Security logs that look like this? If so, how did you guys fix it?  Thanks in advance. ... View more

Has anyone experienced this kind of broken UI on Dashboard Studio? I've tried to restart Splunk but it's still happening. ... View more

Working on a SplunkCloud environment - we always keep things tidy by re-assigning ownership of KOs to either Nobody or the correct user with correct role. But why can't we do this for Calculated Fields? ... View more

Hi Linux Experts! Need help on a script that I'm working on to log sudo-enabled users. The script that I'm using is below   #!/bin/sh getent passwd | cut -f1 -d: | xargs -L1 sudo -l -U | grep -v 'not allowed'   It is a `.sh` file that's ran once a day. The corresponding output is then parsed and massaged by some SEDCMD stuff, not relevant here. This way, I can see which users are able to perform sudo on the machine.  Note: I am aware of the `usersWithLoginPrivs.sh` but this includes users that I'm not interested.  Hence the custom script. If there's another solution you can share, that'd be great. But here's my PROBLEM: linux admins are complaining that they're getting messaged because `splunk` user that runs this script is generating messages for them. And they don't want to get the messages. So, they suggested to append this command at the end of the script:   > /dev/null 2>&1   which I did. However, it does not print output anymore for those Splunk UFs that previously were able to.  Yes, the main solution to this problem is to give `splunk` user permission to run the script. But due to the complexity of our organization, we can't request the same thing across the board.  So, basically, of the thousands of linux servers that we have some can run this script, some cannot. That's currently okay. But to those that cannot, I'd like to modify the script in such a way that it will still work the same but will not produce any error. Is there any alternative? ... View more

The SplunkWorks-built TA called Splunk Add-on for Cisco FireSIGHT said in the description that it is able to parse NGIPS logs. But upon inspection of the `props.conf`, it doesn't have sourcetype for NGIPS. Which should I use? I tried the `cisco:sourcefire` but it's not working. ... View more

Hi Community, I'm no Windows expert and just trying to tune an alert that we have in place. It's firing whenever a UF that has `admon` has stopped sending `admon` logs. But I just noticed that `admon` logs can have similar `dcName` in multiple UFs. For example,  a UF that's meta host is "serverA" sends `admon` logs for dcName="serverDC". And UF that's meta host is "serverB" also sends `admon` logs for dcName="serverDC". Would it be reasonable to just replace the host of the UF with the value for dcName under the ActiveDirectory props.conf stanza?   Thanks. ... View more