In the props.conf example, when it says "REPORT-file_name = url_domain", what should I replace file_name with? I'll stay tuned, thank you very much. ... View more

Hi @sphiwee, as I said, I don't know very well Powershell, try it. Ciao. Giuseppe ... View more

Hi @mahesh27  As @bowesmana said, this is a classic proving the negative issue and you can find thousands of answers in Community. In this case you have two solutions: if you have a list of hosts to monitor to put in a lookup (called e.g. perimeter.csv with at least one column called host), you could run something like this | tstats count WHERE index=app-logs sourcetype=app-data source=*app.logs* host IN (appdatajs01, appdatajs02, appdatajs03, appdatajs04) BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats sum(count) AS total by host | where total<100 If you don't have a lookup or you don't want to manage it, you could run something like this: | tstats count latest(_time) AS _time WHERE index=app-logs sourcetype=app-data source=*app.logs* host IN (appdatajs01, appdatajs02, appdatajs03, appdatajs04) earliest=-30d@d latest=now BY host | where _time<now()-3600 In this way, you have the hosts that sent logs in the last 30 days but not in the last hour (you eventually can modify the time periods). in addition the command | bin span=1m _time has no sense because you don't use time in your stats. Ciao. Giuseppe ... View more

Thanks for your practical answer, this is not what I asked for but really what I need. Appreciate it very much! ... View more

Could you try this SEDCMD in the props.conf file? (Make sure that the stanza is changed to match the sourcetype of the logs) [your_sourcetype] SEDCMD-maskpasswords = s/password: ([^;]+);cpassword: ([^;]+);/password: ####;cpassword: ####;/g   ... View more

Hi @masakazu , let me understand: do you want to manage the Cluster Manager using the DS or do you want to directly manage the Indexers using the DS? the second option isn't possible. For the first it's always better to deploy to the Cluster Manager apps (e.g. TA_indexes) and not the indexes.conf file in _cluster. Anyway, you have to configure as deployment folder the $SPLUNK_HOME/etc/managed-apps folder. Ciao. Giuseppe ... View more

Hi @Satyams14 , it isn't a good idea adding a new question, even if on the same topic, to another question because with a new question you could have a quicker and probably better answer. Anyway, as I said in the previous answer, you have to install the Fortinet Add-On on the UF/HF that you're using to receive data and on the Search Heads. As I said I hint to use a rsyslog receiver that writes the logs on files that you read using the UF. Ciao. Giuseppe ... View more

"Connection refused" typically indicates that the target server is not listening on the target port. This would make sense if your splunk server is using "localhost" as the mail server hostname and you are not running an email server on your Splunk machine. If you would like to use an external mail server, then yes you should change the mail server hostname in email settings to match the external mail server. ... View more

Hi @maede_yavari , the message means that you have to copy the app.conf from the default folder to the local one. Then, there's an error in outputs.conf: check it, if you want share it, eventually masking IP addresses. Ciao. Giuseppe ... View more

Hi @vishwa , if you run your search, have you the table you shared? if yes, using the eval I hinted you sum the values ot the columns in the Total value. You could also use addtotals command that sums all the values for each row: index=app-index source=application.logs | rex field= _raw "RampData :\s(?<RampdataSet>\w+)" | rex field= _raw "(?<Message>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)" | chart count over RampdataSet by Message | addtotals But also in this case que question is: does your search extract the value for each column? Ciao. Giuseppe   ... View more

Hi @Satyapv, Hi, Here's another alternative. We'll use internal splunkd components to simulation a field named Transaction. To see event counts over [-300,0], [-600,0], and [-900,0] seconds: index=_internal sourcetype=splunkd component=* earliest=-15m latest=now | rename component as Transaction | addinfo ``` assumes a valid latest value ``` | stats count(eval(_time>=info_max_time-300)) as "Last 5min Vol" count(eval(_time>=info_max_time-600)) as "Last 10min Vol" count as "Last 15min Vol" by Transaction To see event counts over [-300,0], [-600,300), and [-900,600) seconds: index=_internal sourcetype=splunkd component=* earliest=-15m latest=now | rename component as Transaction | addinfo ``` assumes a valid latest value ``` | stats count(eval(_time>=info_max_time-300)) as "Last 5min Vol" count(eval(_time>=info_max_time-600 AND _time<info_max_time-300)) as "Last 10min Vol" count(eval(_time<info_max_time-600)) as "Last 15min Vol" by Transaction You can adjust earliest and latest as needed, but note that the last count will always be inclusive of earliest, i.e. the last 15 minutes for -15m. You adjust the count aggregates to disallow counting events more than 900 seconds (15 minutes) prior to latest: count(eval(_time>=info_max_time-900)) as "Last 15min Vol" or count(eval(_time>=info_max_time-900 AND _time<info_max_time-600)) as "Last 15min Vol"   ... View more

host is same across all the env. i am facing issue when i bind the same value to drop down list saying "Duplicate values causing conflict". But i need dropdown list with TEST/QA/PROD(label) with same host value. - how can i achieve this? ... View more

@gcusello I have used below commands to generate various certificates and adjust web.conf also. But still the connection is not secure. D:\Splunk\bin\splunk" cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048 "D:\Splunk\bin\splunk" cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key "D:\Splunk\bin\splunk" cmd openssl rsa -in mySplunkWebPrivateKey.key -text "D:\Splunk\bin\splunk" cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr "D:\Splunk\bin\splunk" cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095 "D:\Splunk\bin\splunk" cmd openssl x509 -req -in mySplunkWebCert.csr -CA myCACertificate.pem -CAkey myCAPrivateKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095 type mySplunkWebCert.pem myCACertificate.pem > mySplunkWebCertificate.pem   web.conf [settings] enableSplunkWebSSL = true privKeyPath = /opt/splunk/etc/auth/mycerts/mySplunkWebPrivateKey.key serverCert = /opt/splunk/etc/auth/mycerts/mySplunkWebCertificate.pem ... View more

Hi you said “due to a recent release”. What is this? A new splunk version, a new software realease of your business app or something else?  r. Ismo ... View more

Hi @gcusello  did you get answer from @woodcock regarding applying on all etc/system/local/authorize.conf search head nodes (preferably from GUI if possible) ? Thanks.   ... View more

Apart from all the valid remarks from @gcusello and @richgalloway , think about what you need. If you want to build on the search shown by @gcusello notice that yours groups login attempts by source (which means that it will show multiple attempts to log in using different usernames but from the same IP as one result) whereas the other one groups by username which means that it will aggregate login attempts to the same account launched from different IPs but split different account login attempts from the same IP as separate results. So it's a question of what you are looking for. ... View more

Hi @toporagno , let me understand: you have an eventtyle like "index=my_index src=10.0.0.1" that tags these events with a tag like "MY_TAG", you have a search that uses the above src and it runs, you want to replace the condition "src=10.0.0.1" with the condition tag=MY_TAG, and it doesn't run, is it correct? If this is your use case, as also @ITWhisperer asked, the first thing is sharing the search and the eventtype associated to the tag. Then, tag is the only field case sensitive, are you sure that the tag value is correct? Second check: did you tried to replace the condition "src=10.0.0.1" with the eventtype associated to the tag? maybe the two conditions aren't compatible. Ciao. Giuseppe ... View more

I left the Frozen drive to point to $SPLUNK_DB on the indexer's drive, but I'm not trying to employ frozen buckets at all. I'm trying to use the volumes on external drives for hot and cold, that's how our current instance is set up. The difference being the current is on Windows, and this new one is going to be on RHEL8. ... View more

Hi @Millowster , this (and many others) is the reason because I don't use Dashboad Studio: not all the functions of Classic Dashboard are still implemented. Ciao. Giuseppe ... View more

Hi @NReddy12, I never experienced this behavior on a Linux server. The only hint is to open a case to Splunk Support, sending them a diag of your Universal Forwarder. Ciao. Giuseppe ... View more

Hi @phanikumarcs  good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @gcusello  I checked the macros again and they contain the same values you listed earlier. Unless we've missed something, very basic they look in order. I've attached the screenshots of the macro configs. I believe they are correct? They were all self populated when the App was installed. There are no details about special settings for the index which I created via the WebUI with the suggested default index name. Thanks again   ... View more

Hi @CarolinaHB, there are two solutions that depend on the  location of the monitoring perimeter: if you have a lookup containing the list of each app that should be present in each host (called e.g. app_perimeter.csv and containing at least two fields: host and application), you could run something like this: <your_search> | stats count BY host application | append [ | inputlookup app_perimeter.csv | eval count=0 | fields host application count ] | stats sum(count) AS total BY host application | eval status=if(total=0,"Missing","Present") | table host application status If instead you don't have this lookup and you want to compare results e.g. of the last 24 hours with the results of the last 30 days, you could run something like this: <your_search> earliest=30d latest=now | eval period=if(_time>now()-86400,"Last day","Previous days") | stats dc(period) AS period_count values(period) AS period BY host application | eval status=if(period_count=1 AND period="Previous days","Missing","Present") | table host application status Ciao. Giuseppe   ... View more

You already had some sugestions which are OK but the question is what are your limitations on this search. How many events do you expect from each of those data sets, how long is the search supposed to take - these can warrant a different approach to the problem. For example, since you're dealing with email data, it's a relatively valid question why aren't you using CIM datamodel (and have it accelerated). ... View more

Hi @KingUs80 , see in the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435), or, if you already have, in Enterprise Security Premium App. The feature in ES is Threat Intelligence: you must have an internal list of malicious sites of a list downloaded from free or payment services. Other apps that you could use are MISP42 (https://splunkbase.splunk.com/app/4335) or https://splunkbase.splunk.com/apps?keyword=threat+intelligence  Ciao. Giuseppe ... View more