Do you happen to know if Cisco Meraki syslog, especially Flows and URLs have bytes in and bytes out? We're logging Meraki and there's no field whatsoever for bytes. Is it something that can be configured from Meraki logger console? Or the actual solution itself don't record that? ... View more

Has anybody encountered Windows Security logs that look like this? If so, how did you guys fix it?  Thanks in advance. ... View more

Has anyone experienced this kind of broken UI on Dashboard Studio? I've tried to restart Splunk but it's still happening. ... View more

Hi Linux Experts! Need help on a script that I'm working on to log sudo-enabled users. The script that I'm using is below   #!/bin/sh getent passwd | cut -f1 -d: | xargs -L1 sudo -l -U | grep -v 'not allowed'   It is a `.sh` file that's ran once a day. The corresponding output is then parsed and massaged by some SEDCMD stuff, not relevant here. This way, I can see which users are able to perform sudo on the machine.  Note: I am aware of the `usersWithLoginPrivs.sh` but this includes users that I'm not interested.  Hence the custom script. If there's another solution you can share, that'd be great. But here's my PROBLEM: linux admins are complaining that they're getting messaged because `splunk` user that runs this script is generating messages for them. And they don't want to get the messages. So, they suggested to append this command at the end of the script:   > /dev/null 2>&1   which I did. However, it does not print output anymore for those Splunk UFs that previously were able to.  Yes, the main solution to this problem is to give `splunk` user permission to run the script. But due to the complexity of our organization, we can't request the same thing across the board.  So, basically, of the thousands of linux servers that we have some can run this script, some cannot. That's currently okay. But to those that cannot, I'd like to modify the script in such a way that it will still work the same but will not produce any error. Is there any alternative? ... View more

Hi Community, I'm no Windows expert and just trying to tune an alert that we have in place. It's firing whenever a UF that has `admon` has stopped sending `admon` logs. But I just noticed that `admon` logs can have similar `dcName` in multiple UFs. For example,  a UF that's meta host is "serverA" sends `admon` logs for dcName="serverDC". And UF that's meta host is "serverB" also sends `admon` logs for dcName="serverDC". Would it be reasonable to just replace the host of the UF with the value for dcName under the ActiveDirectory props.conf stanza?   Thanks. ... View more

Hello friends. We are in the process of moving the collection of o365 events which we currently do on an on-prem HF via "Splunk_TA_microsoft-cloudservices" to SplunkCloud IDM using "splunk_ta_o365". Using the same Client ID, Client Secret, and Tenant ID, we seem to be getting similar workloads:  Aip, AzureActiveDirectory, CRM, Exchange, MicrosoftForms, MicrosoftStream, MicrosoftTeams, OneDrive, PowerApps, PowerBI, PublicEndpoint, SecurityComplianceCenter, SharePoint, SkypeForBusiness, Yammer   But if we perform a comparison of number of events, we seem to get lower amount of data using the `splunk_ta_o365` in SplunkCloud versus the `Splunk_TA_microsoft-cloudservices` in on-prem.   What seems to be the problem? ... View more

What does the error below mean and how to remediate it? This is after running `splunk restart splunkweb`   HTTP/1.1 404 Not Found ... View more