We had the same issue and resolved it. The broken clients were all trying to download two versions of an app. I have Splunk_TA_Squid_SiteA and Splunk_TA_Squid_SiteB with competing configurations for the same Squid logs. I didn't realize Server Class SiteA Include was including my SiteB clients. My SiteB clients were downloading both SiteA Squid and SiteB Squid. Once I updated Server Class Site A to only apply to Site A clients and not Site B clients, my Site B clients stopped generating the CheckSum errors. ... View more

For anyone reading this, these functions are  admin.set_proxy and  admin_api.set_proxy You can't fill in your variables in the first section and paste it in the second. ... View more

Move your uniqueKey to be the first field you map. That solved the issue for me for an Oracle connection.   So either rebuild your output via the GUI or edit db_outputs.conf so the uniquekey is listed first.     ... View more

I had the same issue. The uniqueKey has to be the first key you define. Rebuild your connection with the uniqueKey first (or edit db_outputs.conf) and it should work. It at least worked for me with an Oracle database. ... View more

As a head's up, you've got your Splunk server name in your post in two places. You may want to edit the question to remove the server name. [splunk@######### bin]$ ./splunk restart The Splunk web interface is at http://#############:8000 ... View more

That did it. As a note, I had to copy 4 lines total to my swimlane from an existing swimlane: display.page.asset_investigator.0.collection_name = Default display.page.asset_investigator.0.order = 7 is_visible = false request.ui_dispatch_app = SplunkEnterpriseSecuritySuite alert.track = 0 ... View more

I've created a custom swimlane for my Enterprise Security users. I was hoping to add it to the Default collection so they see it by default when they access the dashboard. I'm trying to avoid having users have to configure the dashboard. ... View more

Did you ever resolve this issue? ... View more

Here are some of my use cases. This requires a relatively professional Linux team and you'll likely have to buy them some donuts. Monitor for SSH activity within the same subnet. No one should be moving laterally. They should be connecting from their endpoint or the gateway/jumphost. Build a list of executed commands (./executable) for each system, alert on anything new. Congrats, you've just built application whitelisting via Splunk. Alert on IP addresses at the command line. Everyone should be using DNS entries for connections, right? If you've got any colleagues or peers that have recently taken the CEH or OSCP courses, ask them to sit down and walk you through what they learned the first day. They'll give you the script kiddie / noob commands to watch for. If you're fancy, build profiling for your Linux users. The su people typically only su, the sudo people typically only sudo. ... View more

If you're using Enterprise Security, here is a search for SLA for closing a notable event: `notable` | search NOT `suppression` info_search_time=* (urgency=low OR urgency=medium OR urgency=high OR urgency=critical) | eval review_time=coalesce(review_time, now()) | eval response_time=(review_time-info_search_time)/60/60 | eval metric_count=case(status_group==”Open”,”0”,(urgency=="critical" AND response_time<8),"1",(urgency=="high" AND response_time<24),"1", (urgency=="medium" AND response_time<48),"1",(urgency=="low" AND response_time<96),"1",1=1,"0") | stats count sum(metric_count) as metric_met by urgency | eval "SLA Compliance Percent" =round((metric_met*100/count),2) | rename count as "Total Events", urgency as Urgency | fields Urgency, "Total Events", "SLA Compliance Percent" ... View more

Ever figure out a solution to this? ... View more

Did you ever find a solution to this? ... View more

Your second html tag is missing a / to end the htlm code. ... View more

I've been looking for an elegant solution for this issue as well. I've got two searches that aren't ideal but work. I have saved searches (and correlations) lookingfor any activity in _audit for object="can_delete" and for any search activity that includes "| delete" ... View more

Linux is a little tougher. I've yet to find too many good alerts. This site, Malware Archaeology, has amazing resources for monitoring Windows systems via Splunk. I've implemented a fair number of their use cases. ... View more

I'd recommend against using memberOf for your search. You'll be pulling every account on your domain and churning through the group memberships. You're basically pulling every single account on your domain. The Active Directory team at your site will likely be extremely upset. That second search seems to be preferred by the Active Directory admins I've talked to. ... View more