sure . Will take this. Thanks for your feedback ... View more

Hi @LizAndy123 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Hi @calvinmcelroy, This doc contains a few instructions related to scenarios as you mentioned: Install a Windows universal forwarder - Splunk Documentation About the least-privileged user For security purposes, avoid running the universal forwarder as a local system account or domain user, as it provides the user with high-risk permissions that aren't needed. When you install version 9.1 or higher of the universal forwarder, the installer creates a virtual account as a "least- privileged" user called splunkfwd, which provides only the capabilities necessary to run the universal forwarder. Since local user groups are not available on the domain controller, the GROUPPERFORMANCEMONITORUSERS flag is unavailable, which might affect WMI/perfmon inputs. To mitigate input issues, when you're installing with the installer, the default account is the local system on the domain controller. If you choose a different account to run the universal forwarder during installation, the universal forwarder service varies based on your choice: If you choose Local System, the universal forwarder runs Windows administrator full privilege. If you choose a domain account with Windows administrator privilege, the universal forwarder runs Windows administrator full privilege. If you choose a domain account without Windows administrator privilege, you select the privilege. Once you choose a non-administrator user to run the universal forwarder, this user becomes a "least privilege user" with limited permissions on Windows. Also, take a look at this point:  Permission Function SeBackupPrivilege Check to grant the least privileged user READ(not WRITE) permissions for files. SeSecurityPrivilege Check to allow the user to collect Windows security event logs. SeImpersonatePrivilege Check to enable the capability to add the least privilege user to new Windows users/groups after the universal forwarder installation. This grants more permissions to the universal forwarder to collect data from secure sources.   Happy Splunking, Rafael Santos Please,  don't forget to accept this solution if it fits your needs ... View more

Hi @Karthi2018, If the answer provided by @deepakc was the solution, please accept that one. Happy splunking. ... View more

Finally got around to reading about SC4S and I'm fairly certain this is the route forward. I got the ok to replace the pair of UF's with a Heavy if needed. But I have a good feeling that the SC4S will be able to handle things very well. ... View more

To be precise, I didn't suggest using evals. This eval is already defined within the TA and it's the reason why the field is empty. ... View more

Depending on how those event should be ingested I'd try to investigate if they are being properly sent to Splunk. As there are many ways of getting the data into Splunk you need to verify the particular way used in your case. Be it verifying UF connectivity, be it checking syslog traffic or whatever else. There are no miracles. If your config didn't change and there are no events, they must have stopped "flowing". ... View more

How about eval's urldecode? | eval decoded=urldecode(yourEncodedField) or | eval decoded=urldecode("yourEncodedString") https://docs.splunk.com/Documentation/SCS/current/SearchReference/TextFunctions#urldecode.28.26lt.3Burl.26gt.3B.29 ... View more

Thank you all for the help but let me be more specifically. Macro definition: mymacro(1) - Based on the customer name, it should returns some fields, such as index, sourcetype, filters and so on. | eval customer="$arg1$" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields use_case_data_source | head 1   Search: The field returned by the macro, should fill the index field in the search. `mymacro(client_01)` index=use_case_data_source Using Job Inspector, the eventSearch field is filled like this: search | eval customer="client_01" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields + use_case_data_source | search index=use_case_data_source   Maybe, I'm missing something or I'm a little rusty. ... View more

What kind of builder are you using for your dashboards? If it's dashboard studio, I believe it is not possible to render any dynamic JS content. With the classic dashboard panel I think it would be possible to do so. In this url you can check differences between both of them. Finally, you got the option with SPLUNK UI, where you can customize everything and in a dynamic way, but it requieres a huge effort for developing the whole solution. ... View more

what if I installed just JRE and not JDK ? ... View more

Hi @inventsekar  When do I find the XML for an alert? Thanks Steve ... View more

I had the same issue and coudn't fix it by following the guidelines above and updating the binaries in: $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools I fixed it this way: 1. I saw that the new SIC certificate was PULLED SUCCESSFULLY from the CheckPoint server regardless the error message "External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request..." The certificate was available in "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/certs" 2. I manually editted the opseclea_connection.conf in "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local" and added the new certificate under the problematic connection stanza: [connection_stanza_name] cert_name = connection_1234567890.p12 <-- Put the name of the new certificate here fw_version = R80 lea_app_name = Splunk_Server_LEA lea_server_auth_port = 18184 lea_server_auth_type = sslca lea_server_ip = 10.10.10.10 lea_server_type = primary management_server_ip = 10.10.10.11 opsec_entity_sic_name = CN=***,O=*** opsec_sic_name = CN=Splunk_Server_LEA,O=*** disabled = 0 No need to restart splunkd! The connection started working right away. No error messages anymore. I hope it helps colleagues who had the same issue. ... View more

Thank you, @ITWhisperer. It worked fine. ... View more

First solution work for me fine, thank you both for your help. BR ... View more

The first index contains data from an endpoint security tool that can block outbound/external emails. The second index contains data from another endpoint tool that archives emails (I can see all successful outbound and inbound emails that are not blocked). So essentially, I want to see if user ABC123 gets two email blocks and within 30 minutes of those two blocks (index1), sends a successful email that is not blocked (index2).  ... View more

Your solution works perfectly. Much appreciated! ... View more

I need to validate if the credit card number is valid on search time, but for what I've found, is necessary to use the Luhn algorithm (modulus10) to do this. So I think, that it won't be possible to do just using SPL. ... View more

Hi @inventsekar, Thank you for your answer. Well, I understand your point but what I want to do is display the list of alerts that weren't fired, for example: An alert to send an email every time that a root account logs into a system, this alert needs to run every time and I want to know if the alert couldn't run. ... View more

Or index the field and set KVMODE to none. ... View more

I agree to that. There is a confusion about what is "bidirectionnal" here. Any TCP connection, once opened by a source towards a destination on a specified port, will have data flowing in both directions by design: https://tools.ietf.org/html/rfc793#section-1.5. When firewall configuration considerations happen, then the true question to answer is not about flow but rather "who opens that connection ?". Who is the source and who is the destination ? That is what IT staffs asks me all the time : give me your "source + destination + protocol + port involved" (see, this is a one way rule). Now, I think the deployment server never initiates/opens a connection to the FWDers (poll mecanism from fwders to DS), so to agree with the response above and below made by @jkat54 and @jtacy : on the firewall => unidirection/one way rule for tcp traffic (1 firewall rule allowing connection from FWD => DS). Hope it helps and confirms the answers made so far by @jkat54 and @jtacy. ... View more

First, Are you using the trial Enterprise license? Yes. Is it in the period of trial yet? Yes. Wednesday I installed the splunk Enterprise trial. Later I wanted to test the Exchange monitoring. Installing Exchange apps and rebooting splunk kicked out the splunk enterprise trial license. The Exchange App trial license was valid. From your post, I assume that I can only test the Exchange app with a paid splunk Entprise license (not trial). ... View more

Hi koshyk, I've just asked for the same to ansif, but where did you find enough information, docs, pdfs to prepare your exam? Thanks in advance! ... View more