Hi, It may be little stupid question but for people that are using the Number Viz, how they have manage to do trellis. I see that the menu is gray so I guess there is another way to do it. I ... View more

Good to all, I have a strange behavior of a python script. The specific python script collects some AWS data. if I run it as it is, it works nicely. If I run through Splunk's python (bin/splunk python) it also runs. If I schedule it, I get errors related to access to AWS. Especially with the second try (via Splunk's python) I had the impression that I could "emulate" how it will run when it is going to be enabled but appears that that is not the case. Is there any other way to troubleshoot this? ... View more

Hello to all, I have notice a strange behavior which indicates some kind data limit (I don't know in which side). I'm querying the SecurityEvents of Log Analytics (which has a lot of events) and evaluate the amount by index=log_analytics source="log_analytics://*" |eval _time = _indextime | timechart count span=5m by source When I have the delay value to 5 min and the interval >=5 min then the maximum amount of events will be approx 49k When I decrease the interval to 3min (delay still 5) the maximum amount doubles to approx 95k and when I decrease to 1min the maximum amount goes between 130k and 150k which matches a bit with the number when I'm doing a count (via another input) to the same input for 5min/5min timeframe. Increasing the delay to 10min and the interval to 10 also, the number returns to approx 48k. Querying another table with probably "smaller events" in size (DHCP) I don't see this kind of limit. So.... Any possibility to exists either to the add-on/python or the log analytics (I don't have direct access to check) some kind of data limit? Note 1: Based on some calculations which I have done, interval less than the delay will not cause data loss (and almost sure no data duplication). Only side-effect is that an event which is close to the interval actual date/time may need 2 "cycles" (or more in some other scenario) to appear. Update 1: With delay to 10min and interval to 5 the number is still approx. 48k Update 2: Screenshot 😉 ... View more

Good day to all, Since I didn't find an search results on this topic, does UF do any DNS resolution for the events (windows or whatsoever) that reads ? I believe that doesn't do but I would like some second opinion. thanks! ... View more

Hello, As far as I check the Windows TA from version 5.x+ the sourcetype name will be WinEventLog and XmlWinEventLog and for compatibility reason there is a rename search-time process to name sourcetype that doesn't follow the above to wineventlog and xmlwineventlog (all lower case). The sourcetype naming is not working for nested logs like Powershell/Operational or Sysmon/Operational so they are falling to the search-time rename. I found that the reason is that the stanzas ta-windows-fix-xml-source,ta-windows-fix-sourcetype,ta-windows-fix-classic-source doesn't work when there is nested path. So the question (if someone from Splunk TA Dev team answer will be better): Is there any plan in the future this to be fixed and all sourcetypes will follow the WinEventLog and XmlWinEventLog naming convention or this convention will be applicable only to standard logs (everything not nested)? ... View more

Hi, I'm seeing a very strange behavior in the search after the installation of the addon. Without auditd addon or secure-addon I'm doing a simple search in a strict period ex. 12.7.2019 09:00 to 12.7.2019 10:00 index=linux_sec host=blablabla1 I'm getting from this result 102 events from both /var/log/secure and /var/log/audit/audit.log which is ok. Sourcetypes are linux:audit and linux_secure. Data is get from the official Splunk addon (with sourcetypes there as linux_audit and linux_secure) After I install the addon, for exact same period instead of getting 102 events I'm getting much less (around 32) and the linux_secure sourcetype is missed. Tabling the raw data I'm getting 102. If I remove the addon everything is getting back to normal. The behavior happen with any kind of server in any kind of period. Any ideas? Do I miss something? Thanks ... View more