Whitelisting for Wineventlog is a little bit tricky. First of all you can whitelist only with these fields: Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User Then the logic behind differen whitelist rules is like this: whitelist OR whitelist1 OR whitelist2 OR .... OR whitelistN where each whitelist rule logic is like this rule1 AND rule2 AND ... AND ruleN Here a concrete example: whitelist = EventCode="4624|4625" whitelist1 = SourceName="AD FS Auditing" whitelist2 = Keywords="Audit Success" User="Bob Marley" This translates to: EventCode="4624|4625" OR SourceName="AD FS Auditing" OR (Keywords="Audit Success" AND User="Bob Marley") ... View more

This is my solution: If you inspect the navbar you will se that its div element contains a attribute data-view="/views/shared/appbar/Master" Whereas the buttons contains data-view="/views/shared/appbar/Button" Thats it! simply use attribute selector of CSS if you create a dashboard.css file under /appserver/static it will apply to every dashboard (even if it is not html), otherwise if you want to use the css only in some dashboards use the attribute stylesheet=".css" in the form or dashboard element of the xml. To customize the navbar color write the following: [data-view*="views/shared/appbar/Master"]{ background: <YOUR DESIRED COLOR HERE>; } [data-view*="views/shared/appbar/Button"]{ color: <YOUR DESIRED COLOR HERE>; } Simply find the data-view element you want to customize and create a css rule. ... View more

Grazie, sarebbe però una bomba se il processo di riportare le custom apps al deployer fosse una feature di splunk, è un po' una menata doverlo fare a mano, e dover fare il merge nel default di ciò che hai configurato in local. ... View more

Check your escape characters, some working using the rex command does not work in conf files. for example backslashes. Check this post ... View more

Very simple, by default splunk raw events are in UTF-8 format. This means that each character is 8 bits (one byte). So you do this: your initial search | eval eventSize = len(_raw)/1024/1024/1024 the first division by 1024 gives you KiloBytes, the second division MegaBytes and the third GigaBytes and so on Dont forget to upvote if you found this useful ... View more

No, I am talking by experience. As partner you have discounts (using tokens), but the course is not free. Please upvote if you find this answer useful. ... View more

You did the correct think to inherit role can_delete and admin capabilities. Maybe the changes did not go in memory so try this: Go in $SPLUNK_HOME/bin From the terminal/console on the SH: ./splunk reload auth (for windows .\splunk reload auth) pipe the delete command on your search This command reloads the authorizations of splunk. Let me know if that worked, and give me a upvote if you find this ... View more

savage_clowns killed me 😄 nice ... View more

I had a very similar situation andI realized that some collections were HUGE (in the range of 100 GB), this may cause the mongodb to start very slowly. I searched in mongodb.log for errors, especially when mongodb starts. There was not much in there except for some problems while trying to update mongodb to the new version. I believe that due to its huge size, the service takes too long to starts and goes in conflict with its updates or splunk itself and at the end splunk starts anyway without having the KVstore running. This is what worked for me, CAREFUL the data will be DELETED from the kvstore, see point [1] if you want to backup the data, but since you are not using it you can just do the clean: 1) Stop the search head that has the stale KV store member. 2) Run the command splunk clean kvstore --local. 3) Restart the search head. 4) Run the command splunk show kvstore-status to verify. see https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/ResyncKVstore [1] If you have important data and you dont want to lose it, do a backup and restore https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/BackupKVstore I hope this helps ... View more

Open the firewall to the UFs on the new DS On the UFs, change the $SPLUNK_HOME/etc/system/local/deploymentclient.conf to the following: [target-broker:deploymentServer] targetUri=(your new DS REST URI identifier) [deployment-client] clientName=(your UF client name) Restart the UF When you finish, launch splunk reload deploy-server on the DS The best way to do this on many hosts is to use a server automation tool such as bladelogic or to do it directly via global shell or something similar. ... View more

Thank you, this is what I did, i posted this just in case other splunkers are thinking about that. Cheers! ... View more

Are you aliasing those fields later? If you alias fields in the props.conf file and you use for example: FIELDALIAS- = (orig_field_name AS|ASNEW new_field_name) In case you use AS, if the original fieldname is not found splunk deletes the new fieldname, so if for some reason a event does not contain it, it would delete the new, to fix this problem, use ASNEW. When these problem happens my approach is to read the .conf documentation ... View more

In my case what worked is the answer from @somesoni2 your base search | extract reload=t Sometimes things does not update even if you reload splunk. Another fact about field extraction is that it takes some minutes for fields to show up, in this case just wait some minutes until you see the fields. ... View more