This is an old topic but I have been able to fix this many times in different environments: What you need to do on the forwarder host is rebuild the counters:   To repair this you take the following steps to repair/rebuild the performance counters. Start-->Run→cmd-->(Run As Administrator) Type the command: C:\Windows\system32>lodctr /R (capital R) ... View more

Please read this: About hosts - Splunk Documentation ... View more

You need to be admin / have delete rights....... ... View more

1. What have you tried yourself? 2. Can you provide the full event so that I can make an example for you. ... View more

index=notable noteableyouwanttodelete | delete OR index=notable rule_title="your_notable_event_title" | delete ... View more

What do you mean? I don't understand your question. Please read this: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/SearchReference/Dump ... View more

Hi, The reduction of this can have many different reasons, but you need to pinpoint what exactly changed. - Are all hosts patched and are all reporting and running the UF properly? - Can you pinpoint the reduction to System / Application or Security windows events? (source in splunk) - Do all hosts have the same amount of reduction of event logs sent to splunk? - Look at the windows eventcodes; Do a before and after count of the different eventcodes. Can you pinpoint a difference to a specific eventcode? Just troubleshoot step by step. Happy to help and think with you for next steps. ... View more

Hi, There is no app on splunkbase for Imperva DAM according to me. At least when I search for it I was not able to find it. You can't use the WAF Add-On because that is for a different product. It will not work I assume when reading the documentation. You are telling me that you receive the logs in CEF format in Splunk already? Why not create your own app to parse the fields to your needs? ... View more

Hi, Did you read the following?: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/RESTTUT/RESTandCloud Accessing the Splunk Cloud Platform REST API You might need to take extra steps to access your Splunk Cloud Platform deployment using the Splunk REST API and SDKs. If necessary, you can get access with one of the following options: Use the Admin Config Service (ACS) API search-api/ipallowlists endpoint to add IP addresses to the search-api allow list. For more information about the search-api/ipallowlists endpoint, see Configure IP allow lists for Splunk Cloud Platform. Submit a support case requesting access using the Splunk Support Portal. Splunk Support opens port 8089 for REST access. You can specify a range of IP addresses to control who can access the REST API, so make sure your request includes the IP addresses or CIDR ranges that you want access from. Free trial Splunk Cloud Platform accounts cannot access the REST API. Once you have REST API access, you can make calls with a local account, an LDAP account, or a SAML account. To learn more about setting up authentication with tokens, see Set up authentication with tokens. Use the following URL for Splunk Cloud Platform deployments: https://<deployment-name>.splunkcloud.com:8089   ... View more

Hi, First I would check the prerequisites of the universal forwarder and compatibility of the hardware and software. https://docs.splunk.com/Documentation/Forwarder/9.0.0/Forwarder/Deploy Computer Hardware Prerequisites The universal forwarder has the following minimum processing, RAM, and disk space requirements: Processing 1.5Ghz RAM 512MB Free Disk Space 5GB   And the Operating System that is required are listed here: https://docs.splunk.com/Documentation/Splunk/9.0.1/Installation/Systemrequirements Second I would check the clients own policies right? DO they allow a 3rd party agent on an ATM? ... View more

From: https://docs.splunk.com/Documentation/SecureGateway/3.0.9/Admin/SpacebridgeLocation Here's how to change your Spacebridge location: In Splunk Secure Gateway, navigate to the Administration tab. In the Deployment Settings panel, click Configure. In the Spacebridge Location section, click Change Location. Select a Spacebridge location. Splunk Secure Gateway indicates which location provides the fastest response time. Click Continue. ... View more

Hello, Check out the following resources: https://www.splunk.com/en_us/get-started/enterprise.html And the free courses: https://www.splunk.com/en_us/training.html?locale=en_us&filters=filterGroup1FreeCourses   ... View more

Eval a macro in search query does not make sense....   When you press CTRL-SHIFT-E in the spl search bar the macro will expand to this: (index=notable source="*") | eval indexer_guid=replace('_bkt',".*~(.+)","\\1"), event_hash=md5(('_time' . '_raw')), event_id=((((indexer_guid . "@@") . index) . "@@") . event_hash), rule_id=event_id | search event_id="*" | fields - "host_*" | tags outputfield=tag | eval tag=mvdedup(mvappend(tag,NULL,orig_tag)) | dedup rule_id | lookup update=true notable_xref_lookup event_id OUTPUTNEW xref_name as notable_xref_name,xref_id as notable_xref_id | eval notable_xref=mvzip(notable_xref_name,notable_xref_id,":") | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW annotations, security_domain, severity, rule_name, description as savedsearch_description, rule_title, rule_description, drilldown_name, drilldown_search, drilldown_earliest_offset, drilldown_latest_offset, default_status, default_owner, default_disposition, next_steps, investigation_profiles, extract_artifacts, recommended_actions | eval rule_name=if(isnull(rule_name),source,rule_name), rule_title=if(isnull(rule_title),rule_name,rule_title), drilldown_earliest=case(isint(drilldown_earliest_offset),('_time' - drilldown_earliest_offset),(drilldown_earliest_offset == "$info_min_time$"),info_min_time,true(),null()), drilldown_latest=case(isint(drilldown_latest_offset),('_time' + drilldown_latest_offset),(drilldown_latest_offset == "$info_max_time$"),info_max_time,true(),null()), security_domain=if(isnull(security_domain),"threat",lower(security_domain)), rule_description=case(isnotnull(rule_description),rule_description,isnotnull(savedsearch_description),savedsearch_description,true(),"unknown"), governance_lookup_type="default" | lookup update=true governance_lookup savedsearch as source, lookup_type as governance_lookup_type OUTPUT governance, control | eval governance_lookup_type="tag" | lookup update=true governance_lookup savedsearch as source, tag, lookup_type as governance_lookup_type OUTPUT governance as governance_tag, control as control_tag | eval governance=mvappend(governance,NULL,governance_tag), control=mvappend(control,NULL,control_tag) | fields - governance_lookup_type, governance_tag, control_tag | eval temp_time=(time() + 86400) | lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT owner as new_owner, urgency as new_urgency, status as new_status, disposition as new_disposition | lookup update=true event_time_field=temp_time incident_review_comment_lookup rule_id OUTPUT time as review_time,user as reviewer,comment | eval owner=if(isnotnull(new_owner),new_owner,owner), status=case(isnotnull(new_status),new_status,isnotnull(status),status,true(),default_status), urgency=if(isnotnull(new_urgency),new_urgency,urgency), disposition=if(isnotnull(new_disposition),new_disposition,default_disposition) | fields - temp_time, new_owner, new_status, new_urgency, new_disposition | eval temp_status=if(isnull(status),-1,status) | lookup update=true reviewstatuses_lookup _key as temp_status OUTPUT status,label as status_label,description as status_description,default as status_default,end as status_end | eval status=if(isnull(status_label),0,status), status_label=if(isnull(status_label),"Unassigned",status_label), status_description=if(isnull(status_description),"unknown",status_description), status_default=case(match(status_default,"1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match(status_default,"0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",true(),status_default), status_end=case(match(status_end,"1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match(status_end,"0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",true(),status_end), status_group=case((status_default == "true"),"New",(status_end == "true"),"Closed",(status == 0),"New",true(),"Open") | fields - temp_status | eval temp_disposition=if(isnull(disposition),-3,disposition) | lookup update=true disposition_lookup _key as temp_disposition OUTPUT status as disposition,label as disposition_label,description as disposition_description,default as disposition_default | eval disposition=if(isnull(disposition),"disposition:0",disposition), disposition_label=if(isnull(disposition_label),"Unassigned",disposition_label), disposition_description=if(isnull(disposition_description),"An error is preventing the event from having a valid disposition.",disposition_description), disposition_default=case(match(disposition_default,"1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match(disposition_default,"0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",true(),disposition_default) | fields - temp_disposition | eval owner=case(isnotnull(owner),owner,isnotnull(default_owner),default_owner,true(),"unassigned") | lookup update=true user_realnames_lookup user as "owner" OUTPUTNEW realname as "owner_realname" | eval owner_realname=if(isnull(owner_realname),owner,owner_realname) | lookup update=true user_realnames_lookup user as "creator" OUTPUTNEW realname as "creator_realname" | eval creator_realname=if(isnull(creator_realname),creator,creator_realname), severities=if(in(lower(severity),"critical","high","medium","low","informational"),lower(severity),"unknown"), severity=case((severities == "critical"),"critical",(severities == "high"),"high",(severities == "medium"),"medium",(severities == "low"),"low",(severities == "informational"),"informational",true(),"unknown"), priorities=lower(mvappend(priority,host_priority,orig_host_priority,src_priority,dest_priority,dvc_priority,src_user_priority,user_priority,host_owner_priority,orig_host_owner_priority,src_owner_priority,dest_owner_priority,dvc_owner_priority)), priority=case((priorities == "critical"),"critical",(priorities == "high"),"high",(priorities == "medium"),"medium",(priorities == "low"),"low",(priorities == "informational"),"informational",true(),"unknown") | lookup local=true urgency_lookup priority,severity OUTPUTNEW urgency | eval urgency=if(in(lower(urgency),"critical","high","medium","low","informational"),lower(urgency),"unknown") | typer | tags outputfield=tag | eval tag=mvdedup(mvappend(tag,NULL,orig_tag)) | rex field=eventtype "notable_suppression-(?<suppression>.+)" | lookup update=true risk_correlation_by_system_lookup risk_object as "orig_host" OUTPUT risk_score as "_orig_host_risk_score" | eval orig_host_risk_score=if(isnotnull(orig_host_risk_score),orig_host_risk_score,'_orig_host_risk_score') | fields - _orig_host_risk_score | lookup update=true risk_correlation_by_system_lookup risk_object as "dvc" OUTPUT risk_score as "_dvc_risk_score" | eval dvc_risk_score=if(isnotnull(dvc_risk_score),dvc_risk_score,'_dvc_risk_score') | fields - _dvc_risk_score | lookup update=true risk_correlation_by_system_lookup risk_object as "src" OUTPUT risk_score as "_src_risk_score" | eval src_risk_score=if(isnotnull(src_risk_score),src_risk_score,'_src_risk_score') | fields - _src_risk_score | lookup update=true risk_correlation_by_system_lookup risk_object as "dest" OUTPUT risk_score as "_dest_risk_score" | eval dest_risk_score=if(isnotnull(dest_risk_score),dest_risk_score,'_dest_risk_score') | fields - _dest_risk_score | lookup update=true risk_correlation_by_user_lookup risk_object as "src_user" OUTPUT risk_score as "_src_user_risk_score" | eval src_user_risk_score=if(isnotnull(src_user_risk_score),src_user_risk_score,'_src_user_risk_score') | fields - _src_user_risk_score | lookup update=true risk_correlation_by_user_lookup risk_object as "user" OUTPUT risk_score as "_user_risk_score" | search (eventtype=notable_suppression-* OR suppression=*) | eval user_risk_score=if(isnotnull(user_risk_score),user_risk_score,'_user_risk_score') | fields - _user_risk_score | eval host_risk_object_type=if(isnotnull(host_risk_score),"system",null()), orig_host_risk_object_type=if(isnotnull(orig_host_risk_score),"system",null()), dvc_risk_object_type=if(isnotnull(dvc_risk_score),"system",null()), src_risk_object_type=if(isnotnull(src_risk_score),"system",null()), dest_risk_object_type=if(isnotnull(dest_risk_score),"system",null()), src_user_risk_object_type=if(isnotnull(src_user_risk_score),"user",null()), user_risk_object_type=if(isnotnull(user_risk_score),"user",null()), risk_score=if(isnotnull(risk_score),risk_score,max(orig_host_risk_score,dvc_risk_score,src_risk_score,dest_risk_score,src_user_risk_score,user_risk_score)), notable_type=if((isnotnull(risk_object) AND isnotnull(risk_object_type)),"risk_event","notable") | stats c by rule_name ... View more

I believe this is because the tstats command performs statistical queries on indexed fields in tsidx files. Some time ago the Windows TA was changed in version 5.0.1 of the Windows TA. See: Sourcetype changes for WinEventLog data  This means all old sourcetypes that used to exist (and where indexed!) where named for example WinEventLog:System or WinEventLog:Application or WinEventLog:Security. They all have been renamed to WinEventLog by the newer version of Windows TA. But since they where indexed in the past they still exists in the metadata. And since tstats only looks at the indexed metadata you see these old sourcetypes appear. ... View more

That is correct. An admin is able to run these macro's or they need to give you access to run them and or access to the notable index too. Then you can run:   `suppressed_notables` | stats c by rule_name   This will give you a count of the amount of suppressions per rule name / colleration search. ... View more

I really don't understand you? I just gave you the answer on a silver platter wrapped in a gold bow tie.... Do you actually understand my answer or are you trolling me? The following spl command will extract the secureToken value and create a field called secureToken. | rex "secureToken=(?<secureToken>\d+)"  If you still don't understand I suggest you take the splunk course: https://www.splunk.com/en_us/training/courses/using-fields.html ... View more

To make it more clear how a regular expression field extractions works: The rex syntax:   rex field=<field> <PCRE named capture group>   The PCRE named capture group works the following way: (?<name>regex) The above expression captures the text matched by regex into the group name. If you don’t specify the field name, rex applies to _raw (which is the entire event). Another example to make it more clear: My example event is:   Thu Jan 16 2018 00:15:06 mailsv1 sshd[5258]: Failed password for invalid user borisjohnson from 194.8.74.23 port 3626 ssh2   I want to extract the username from this: I do that with:   index=test sourcetype=demo_events | rex user\s(?<username>\w+)\s   This will create the field name username with the extracted value of borisjohnson From regex101:     ... View more

I did exactly that in my reply with the part: | rex "secureToken=(?<secureToken>\d+)"   ... View more

This works as a basic example: | makeresults | eval _raw="Connection: close Set-Cookie: secureToken=11111112222233333445; Path=/; Secure; HttpOnly Server-Timing: cdn-cache; desc=MISS Server-Timing: edge; dur=164 Server-Timing: origin; dur=158 Strict-Transport-Security: max-age=15768000" | rex "secureToken=(?<secureToken>\d+)"   ... View more

Please provide a couple of sample events. ... View more