[WinEventLog://ForwardedEvents] disabled = 0 checkpointInterval = 5 current_only = 0 start_from = oldest index = wineventlog # Filtering can be done with regex on the following field names :  Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User whitelist = EventCode=%^(400|1102|4610|4624|4625|4656|4662|4663|4697|4698|4723|4724|4728|4738|4756|4759|4765|4768|4769|4771|4776|4794|1|2|3|7|11|13|22)$% blacklist01 = User=%^.*\$$% blacklist02 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" renderXml = true suppress_text = true suppress_sourcename= true suppress_keywords= true suppress_task = true suppress_opcode = true   ... View more

Hello, not sure this was solved. However, I had the same problem, and managed to remove the link by checking Type "plain text" in the Edit PDF Schedule window. The link desappeared... Hope it helps. BR Nordine ... View more

Hi @doweaver  . @aljohnson_splun  @fulldanad  A newbie question, I posted a thread at https://community.splunk.com/t5/Dashboards-Visualizations/Modified-Sankey-visualization-for-path-analysis/m-p/597420#M48972  regarding (IMHO) the same issue as described above. I would like to replicate the final solution to check if I could apply it to my task but I can't create the dataset (external or inline) required for this search:   sourcetype="access_combined" | table host categoryId product_name | appendpipe [stats count by host categoryId | rename host as source, categoryId as target] | appendpipe [stats count by categoryId product_name | rename categoryId as source, product_name as target] | search source=* | fields source target count could you help re-assemble it with a minimum number of lines to replicate the solution? BTW, Is it working on the sankey 1.6.0 app (the last version)? Thanks a lot   ... View more

I was able to resolve the http tunnel related issue. however i observed a new issue that http calls with requests package is not working and getting 403 forbidden error. the same script was working fine on previous versions. I had rewrite  my script  using http.client method.  ... View more

This was the trick for me :  it worked when I added % arround my regex like follow : %<Data Name='LogonType'>3<\/Data>% ... View more

how can you fix this issue when you have thousands of buckets in pending? I have around 4800 buckets and i cannot go and execute roll command on each and every Index right? Can you give me any solution for this please? Thanks for the answer.   @jbarlow_splunk  ... View more

Apparently it is not possible to use it with proxy autentication ... View more

Yes, it finally worked for me. Initially the default cron time was never used. So I changed it for a number of seconds and it does now work properly. Check this parameter in : - Data Input - Scripts - $SPLUNK_HOME/etc/apps/qualys_splunk_app/bin/qualys_detection_logger.sh Of yourse, you also have need to have the feature api enabled by Qualys which come with a price... Regards ... View more

Hi, I had the same difficulties on a Linux search head. The solution was to modify the inputs.conf as follow [script://.\bin\alert_manager_scheduler.path] changed to [script://./bin/alert_manager_scheduler.path] Also, the index "alerts" was created on the cluster, but it was not enough. It was required to create an empty one on the search head as well, as you would do on heavy forwarders. Rgds Dan ... View more

The CEE TA shouldn't be used with Isilon. Isilon supports sending audit logs directly to syslog. Search for the Isilon add-on and app in splunkbase and install that. There are also instructions on how to configure the cluster to send the logs to a syslog server. ... View more

Hello, I used the following modification in /etc/profile PROMPT_COMMAND='logger -i -p local5.info -t bash "$USER $(tty): $(history 1)"' or trap 'logger -i -p local5.info -t bash "$USER $(tty): $(fc -ln -1)"' DEBUG And rsyslog.d/shell.conf to store it on a common file for all users : local5.* -/var/log/shell.log My only issue is that I can't get sh or ksh commands with this. any suggestions ? Rgds ... View more

sendresuilts would also handle this scenario ... View more