cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
caroline_fortun
Explorer
Member since: ‎04-15-2014
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎04-15-2014
Activity Feed
View All

Re: How to filter Windows Security Event Logs cont...

by in Splunk Search
‎07-03-2014 11:24 AM
1 Karma
‎07-03-2014 11:24 AM
1 Karma
Hello Lowell, I discovered the problem. I am using a heavy forwarder between the Windows Machines and the indexer so the parser occurs at the heavy forwarder. I put the files at the heavy forwarder machine and restarted Splunk and it worked. Thanks for your help! Regards, Carol ... View more

Re: How to filter Windows Security Event Logs cont...

by in Splunk Search
‎07-02-2014 01:35 PM
‎07-02-2014 01:35 PM
I placed the files at the indexer too but it didn´t work. I´ll have a look at the post. ... View more

How to filter Windows Security Event Logs containi...

by in Splunk Search
‎07-02-2014 12:39 PM
‎07-02-2014 12:39 PM
Hello everyone, I´m trying to filter some Windows Security Event Logs that contains the machine name as the username. To do this I created the props.conf and transforms.conf files as below at the Windows machines where I've installed Splunk Forwarder. (/etc/system/local and /etc/apps/Splunk_TA_Windows/local). props.conf [WinEventLog:Security] TRANSFORMS-null = setnull transforms.conf [setnull] REGEX = (?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)(.*Security ID:.*\$).*Account.* DEST_KEY = queue FORMAT = nullQueue Is there any errors at my regex? Do I have to do something else? I already put the files at the indexer too but I am still getting events. Best Regards, Caroline Fortunato ... View more

Re: Exchange Add-On Duplicated Logs

by in Getting Data In
‎05-28-2014 11:36 AM
‎05-28-2014 11:36 AM
It´s an Exchange Server 2010 SP3 installed on a Windows Server 2008 R2. The universal forwarder is running with System Local account. I have logs like bellow at the source splunkd.log. There is nothing mentioning MailboxAudit. "05-28-2014 15:19:52.474 -0300 WARN DateParserVerbose - Accepted time (Thu May 22 18:22:34 2014) is suspiciously far away from the previous event's time (Fri May 23 16:09:35 2014), but still accepted because it was extracted by the same pattern. Context: source::Powershell|host::maillab|MSExchange:2010:AdminAudit|274" Regards, Caroline Fortunato ... View more

Re: Exchange Add-On Duplicated Logs

by in Getting Data In
‎05-28-2014 05:35 AM
‎05-28-2014 05:35 AM
I´m using Splunk 6.1.1. Universal Forwarder 6.1.1 and Exchange T.A 2.1.2 Regards, Caroline Fortunato ... View more

Exchange Add-On Duplicated Logs

by in Getting Data In
‎05-27-2014 01:44 PM
‎05-27-2014 01:44 PM
Hello, I installed splunk universal forwarder and the Exchange2010-Mailbox app to collect Exchange Auditing data. I noticed that every time Splunk executes the exchange script it´s getting the data over and over again. The data is being duplicated. Is there anything I did wrong? I just installed Universal Forwarder and copied the Exchange add on folder inside splunk app folder. Regards, Caroline Fortunato ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to
View All