Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About sbgoldberg13
sbgoldberg13
Explorer
Member since:
12-14-2018
01-15-2025
Community Statistics
| Posts | 40 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 12-14-2018 |
Activity Feed
- Tagged Re: Converting Bulk evtx files in a folder to csv files for Ingestion on Getting Data In. 01-05-2023 06:53 AM
- Posted Re: Converting Bulk evtx files in a folder to csv files for Ingestion on Getting Data In. 01-05-2023 06:52 AM
- Posted How to convert bulk evtx files in a folder to CSV files for ingestion? on Getting Data In. 01-04-2023 10:55 AM
- Posted How to make presets as default in Splunk Cloud Default Time Picker? on Splunk Search. 03-03-2022 09:07 AM
- Posted Importing CSV field into an existing index field on Getting Data In. 09-14-2021 10:03 AM
- Posted Re: Updating Forwarder Credentials on Getting Data In. 08-02-2021 12:03 PM
- Posted Updating Forwarder Credentials on Getting Data In. 08-01-2021 06:27 AM
- Karma Re: Sharing a Dashboard securely? for richgalloway. 04-26-2021 06:16 AM
- Posted Re: Sharing a Dashboard securely? on Knowledge Management. 04-22-2021 11:00 AM
- Posted Sharing a Dashboard securely? on Knowledge Management. 04-22-2021 06:26 AM
- Got Karma for Splunk Add on for Office O365. 11-20-2020 09:13 AM
- Karma Re: Splunk TA for Windows src field for lakshman239. 06-05-2020 12:50 AM
- Posted Cisco Anyconnect via Syslog on Getting Data In. 03-30-2020 02:43 PM
- Tagged Cisco Anyconnect via Syslog on Getting Data In. 03-30-2020 02:43 PM
- Tagged Cisco Anyconnect via Syslog on Getting Data In. 03-30-2020 02:43 PM
- Posted Re: Correlating two alerts question on Splunk Search. 12-31-2019 01:55 PM
- Posted Re: Correlating two alerts question on Splunk Search. 12-31-2019 01:24 PM
- Posted Correlating two alerts question on Splunk Search. 12-31-2019 11:26 AM
- Tagged Correlating two alerts question on Splunk Search. 12-31-2019 11:26 AM
- Tagged Correlating two alerts question on Splunk Search. 12-31-2019 11:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
01-05-2023
06:52 AM
I tried this command, modified with get-winevent piped to export-csv but no luck. How do I iterate so it changes each xxx.evtx to xxx.csv, yyy.evtx to yyy.csv, etc. Thanks.
... View more
- Tags:
- powershell
01-04-2023
10:55 AM
Hi all. I have a folder with about 200 evtx files. The following command works for 1 file. How can I process/convert all of the evtx files to csv at once? Thanks.
Get-WinEvent -Path C:\somewhere\foo.evtx | Export-CSV C:\somewhere\foo.csv
... View more
Labels
- Labels:
-
data
03-03-2022
09:07 AM
In Splunk Cloud, when I go to change the time picker it brings up relative options. It used to bring up presets. How do I get presets to be the default. PS: nothing I do in Settings, Server Settings, Search Preferences seems to take. It's set to 7 days but Search and Reporting still shows "last 30 minutes". SO I have to change the time picker, then go to presets, then select whatever preset I want.
... View more
09-14-2021
10:03 AM
I've recently installed an add on in my dev instance which created various fields, including user and NormalizedUser. I have a one-time csv file that has a list of users I need imported into one or both of those existing fields. Is this possible? It doesn't seem to do so and I prefer not to have to search against multiple fields (I'd like to do a query against the Add On's index for user or NormalizedUser to only retrieve the entire list of users or NormalizedUser's.) Currently it seems to input the csv data into some other field name and I don't even know where it's grabbing that field name from. The field header on the csv column is NormalizedUser Any help appreciated
... View more
Labels
- Labels:
-
CSV
-
source
-
sourcetype
08-02-2021
12:03 PM
@woodcock Hi Woodcock. Any suggestions you can offer on my post would be appreciated! Thanks.
... View more
08-01-2021
06:27 AM
Hi all. We received a bulletin that our UF certificates were expiring. I downloaded the credentials package and installed them per documentation on my deployment server using <...install app...-update 1...> That appears to have updated the APPS 100_xxxx_splunkcloud folder/files but my question is: 1. Doesn't the DEPLOYMENT-APPS 100_xxxx_splunkcloud folder/files need to be updated to get the updated credentials to all of my UF's? 2. How can I validate the new certificate date on my Window's UF's and on my HF's? Thanks in advance.
... View more
Labels
- Labels:
-
heavy forwarder
-
universal forwarder
04-22-2021
11:00 AM
Hi @richgalloway Rich. So the dashboard is actually a form... I'm not an XML guy so I keep getting various errors. Where and how do I insert the hideChrome="true" attribute? Here's a snippet of the form. THANKS! <form theme="dark"> <label>Steve - AD User Logon Failures Clone</label> <description>Gets logon failure reasons for AD users</description> <fieldset submitButton="true" autoRun="true"> <input type="text" token="user" searchWhenChanged="false"> <label>Logon Account Name</label> <default></default> <initialValue></initialValue> </input> <input type="time" token="timeRange" searchWhenChanged="false"> <label>Time Range</label> ...
... View more
04-22-2021
06:26 AM
Hoping this isn't too basic of a question... How can I share a dashboard without user seeing apps, messages, settings, activity across the top. The dashboard is a search, and users in the role have only search, rtsearch, and rest_get_properties capabilities. We'd prefer users in that role don't see the actual search app but especially not the tabs across the top mentioned above and here... Thanks in advance.
... View more
- Tags:
- knowledge-objects
Labels
- Labels:
-
permissions
03-30-2020
02:43 PM
Greetings. This may be elementary, but I have our Cisco ASA 5516 sending logs via a syslog server to Splunk. I configured a basic inputs.conf file to do so.
The logs get into Splunk but the parsing isn't very good. I seem to have to extract most fields (like I saw in another question re: message_id field.) Shouldn't those fields be parsed automatically? I don't see an AnyConnect TA or app except for NVM which my infrastructure team says we're not using.
Any guidance would be much appreciated.
Thanks!
... View more
12-31-2019
01:55 PM
Understood. I'll test some more and update the answer if it works! Thanks!
... View more
12-31-2019
01:24 PM
@aberkow
I modified your search a bit and with the search below, I get results up until I add in the |where clause. Also, I was able to remove the coalesce as the host field in both searches is the same (no need for ComputerName).
index=wineventlog (EventType=4 EventCode=13 host!=DL*) OR (EventType=4 EventCode=1100 host!=DL*)
| eval EventCodeFromOS=if(EventCode=13, 1, 0)
| eval EventCodeFromLoggingService=if(EventCode=1100, 1, 0)
| stats values(EventCodeFromOS) as EventCodeFromOS, values(EventCodeFromLoggingService) as EventCodeFromLoggingService by host
| where isnotnull(EventCodeFromLoggingService) AND isnull(EventCodeFromOS)
Without the where clause 30 day results of stats look like this:
host EventCodeFromOS EventCodeFromLoggingService
ABC 0 0
1 1
DEF 0 0
1 1
GHI 0 0
1 1
Any thoughts on where clause issue?
Ultimately, if there is a Logging service event but no OS shutdown event, I want to generate an alert.
Thanks.
... View more
12-31-2019
11:26 AM
I have the following 2 alerts and need to correlate them. The first one is looks for an OS reboot. The second one looks for the Event Logging Service Shutdown.
How can I correlate them to alert when Event Logging Service shuts down but NOT related to an OS reboot?
index=wineventlog EventType=4 EventCode=12 OR EventCode=13
| table _time host Message
| index="wineventlog" EventCode=1100 ComputerName!=HD* ComputerName!=HL*
| table _time ComputerName name source
I run Splunk Cloud basic.
Thanks!
... View more
08-01-2019
06:05 AM
1 Karma
I've configured Azure integration app for Office 365 add-on. I've created a secret, added rights, and scope for app. I've added the tenant. And when I go to add an input the tenant and content drop downs look correct and populated. But when I go to save the input it returns "! Not Found" Any ideas would be appreciated.
... View more
05-13-2019
05:45 AM
Can you guide me on one or two?
... View more
05-06-2019
12:37 PM
Is there a good way to monitor for successful backup job completions in the Splunk base package? Does the IT Services add on do it? We've got remote locations and would like to try to ensure they're running successfully. Thanks.
... View more
- Tags:
- splunk-cloud
03-27-2019
01:06 PM
Hey All.
What is the best way to use a Splunk alert to generate a 3rd party helpdesk ticket? The 3rd party ticketing system is Zendesk. I'm not sure if I should be using the Webhook in the alert or the Fields workflow. Or if they have to work together. The thing is the alert is triggered by a search including eval, stats, and where statements.
... View more
02-22-2019
11:01 AM
I'm trying to get this use case going from MS Windows AD Objects, but I can't get any results.
index=wineventlog source=WinEventLog:Security [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="User"]
I have a deployment server on prem and a Splunk Cloud instance.
Where should I go to troubleshoot? The lookup definition is present in settings as is the lookup file (in the Cloud.) I even tried creating a stanza in transforms.conf on the deployment server in the \Program Files\Splunk\etc\deployment-apps\Splunk_TA_microsoft_ad\local directory.
**####### Windows Security Event Log ######
Lookups
[AD_Audit_Change_EventCodes]
filename = ms_ad_obj_change_eventcodes.csv**
What am I missing here? Thanks!
... View more
02-20-2019
08:08 AM
I'm testing a modified Security Essentials Basic Brute Force Detection search. When I run the search portion, I get plenty of results with Audit Success. But when I include the stats portion, only Failures are returned. Am I missing something here?
index=wineventlog source=WinEventLog:Security OR tag=authentication Account_Name=* Account_Name!=""
| stats count(eval (Keywords="Audit Success")) as Successes count(eval(Keywords="Audit Failure")) as Failures by Source_Network_Address | where Successes>0 OR Failures>0
Thanks.
... View more
02-15-2019
06:21 AM
@woodcock
Got it. Thanks.
... View more
02-14-2019
01:18 PM
What's your recommendation for wanting to be alerted near real-time on events meeting trigger thresholds? Thanks.
... View more
02-14-2019
10:19 AM
I have an app I created in the cloud with the "hidden link" to create an app. It's called it_dashboard. I'm trying to get our custom logo to appear in the reports from this app. I've copied the .png to (on my deployment server):
the app_name part of the path that I've seen in some docs doesn't exist on my deployment server. I've made an entry in the alert_actions.conf file and restarted the deployment server service, but still no logo.
Any suggestions? Thanks.
... View more
02-14-2019
07:20 AM
Awesome... Thanks!
... View more
02-14-2019
06:16 AM
Is realtime alert a feature with Splunk Cloud? I go to save a search as an alert and it defaults to a scheduled search, and there's no option to select realtime.
Thanks.
... View more
02-08-2019
08:13 AM
@lakshman239
I had CIM add on installed last night and I still receive the error on data source check.
You should have a field called "src" defined in your Windows Security logs. This is provided by the Splunk TA for Windows, and any other common information compliant data. Consider adding that TA to make for a better experience!
... View more
02-07-2019
10:56 AM
I've given read permissions for macro, app, eventtype, everything I can think of, to the role and/or everyone. This search keeps failing for all users in the role. It works fine for me as an admin. It even fails with the same message if I add the user to the power role along with the defined role.
event_sources eventtype=windows_account_created
It returns results for just the event_sources macro. But including eventtype windows_account_created shows no results along with:
I've exhausted any of my ideas. Thoughts?
... View more
- Tags:
- eventtype
- eventtypes
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-15-2025
11:37 AM
|
