Hi @mc210274 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Are you speaking about Linux or Splunk Users? if Linux Users, you have to install on your forwarder a TA-Linux that contains a script to collect Linux users. If you don't want to install the full TA_Linux, you can take only the script to extract users ($SPLUNK_HOME/etc/apps/Splunk_TA_nix/ bin/usersWithLoginPrivs.sh). After you can search them in Splunk with a simple search ( index=os | dedup users | table users ). Cheers. ... View more

You can make it by using the reverse command, this basically reverses the timeline you want to happen, at the end of the search use the below command. |reverse ... View more

I don't see the point in the way you are trying to achieve this, having said that with respect to your question of the limits. Well, there is no limitation in which we can blacklist/whitelist the server and you can add n number of the server names in these filtering fields. To have a better understanding of these two, I would suggest you to check the below link. DOC: https://docs.splunk.com/Documentation/Splunk/7.3.2/Updating/Filterclients#Define_filters_through_serverclass.conf. https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/Data/Whitelistorblacklistspecificincomingdata. I would still suggest you to cross-check your implementation. ... View more

You can always build your alerts and when these alers meet the condtion i.e the alert value reaching >1 then these alerts will be triggered and you will get the notifications in the form the email. You can set these alerts, you can reffer to the below document which will help you to understand more. https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/Createcustomalerts And if you are looking out which is the app that can help you for your requirement, I would suggest you to use the Rest API, you can download these in the below link. LINK : https://splunkbase.splunk.com/app/1546/ You can configure it using the below link. https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/ConfigureDataCollection ... View more

You can check the below document which will help you to understand and configure the users and roles. https://docs.splunk.com/Documentation/ES/5.3.1/Install/ConfigureUsersRoles. Let me know if this was helpful. ... View more

Thanks for that response. MacOS Catalina is now generally released and we have users in our organisation that have installed it. We notice that Splunk released v7.3.2 of the Universal Forwarder on October 2nd but unfortunately it is still only available as 32-bit. As such, it appears that Splunk still does not have a Universal Forwarder that is compatible with the current release of MacOS. ... View more

To diable the cipher legacy suits in the Splunk 7.2 and higher you need to follow below process. FIrst, you need to perform it on the indexers, you need to add the [node_auth] in the server.conf restart splunkd services You need to add "legacyCiphers = disabled" below the general stanza and restart the services. You need to comment out the pass4SymmKey in the clustering stanza and add an other pass4SymmKey on the indexers. You need to do the same steps on all the indexers and then you need to perform the same steps in the cluster master. You need to run the command $plunk_home/bin/splunk rotate splunk-secret on the cluster master and the secret key will be distributed to all the indexers. You can follow the same process on the SH as well, and for search head, you need to run the Secret key on the SH Captain. Let me know if you face any difficulties. ... View more

The parameter which helps you define these setting is "max_users_to_precache " in the limits.conf, by default the value will be 1000 and yes the users expire from the LDAP pre-cache. We can increase or decrease the value of the max_users_to_precache by which we can restrict them from the expire of the LDAP pre-cache. ... View more

I would like to send it to 2 different indexers not index. I see that one of the source type is going to production indexer but not on the development indexer. Though I have one of the other source type going to both with the same configuration, So i am little confused with this. ... View more

Hi You can download the Splunk Universal forwarder using the link below, you need to use your login credentials before you download the package. https://www.splunk.com/en_us/download/universal-forwarder.html#tabs/linux You can install it using the wget and download the package and untar the package. Later move it to the /opt folder on your server. Please check for the system requirements before you download the package. You can check for the system requirement using the below link https://docs.splunk.com/Documentation/Forwarder/6.5.1/Forwarder/Systemrequirements. https://docs.splunk.com/Documentation/Splunk/6.5.1/Installation/Systemrequirements#Supported_OSes Make sure you are using the equal version or the lower version of the indexer. Thank you ... View more

The is an observed behavior in Splunk 7.x versions, the FIELDALIAS overwrites the null value from the source field to the destination field and is having the values in it, So the final result is null value in the Destination field and because of which the baheviour change the rule field is not getting extracted. So you need to makes these changes in the props.conf Comment below in the $plunkhome/etc/apps/Spunk_TA_cisco-asa/default/props.conf FIELDALIAS-fwsm_acl_for_rule= acl as rule(in cisco:fwsm stanza) ... View more

You need to provide in total three capabilities to view the monitoring console for user privileges. 1).admin_all_objests. 2).dispatch_rest_to_indexers. 3).edit_dist_peer. The dispatch_rest_to_indexers capability will show the resource usage of each instance and edit_dist_peer will fix the instance unreachable error. ... View more

Hi You need to make the changes in the props.conf, under which you need to change the time format and you can see the first timestamp With the sample event you have provided you need to makes these changes if you need the first timestamp to be in the event. TIME_PREFIX = ^ TIME_FORMAT = %b %d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD =15 ... View more

In Splunk 7.2.x opening an external link in a new tab from the app navigation bar works. Example data/ui/nav/default.xml file including a link to the Splunk Developer Portal: Splunk Developer Portal Please Note:-It works only for 7.2.x versions and above.Tried it with lower versions(for ex.6.5.x) of splunk and it's not working.For 7.2.x it works for pre-defined apps as well as custom apps also. ... View more

Worked like a charm. Thank you @marrette ... View more

Hi You can use the below command to rebuild the buckets, from the raw data file alone. $plunk_home/bin/splunk rebuild You can use the fsck command on the indexers to repair them as well. $plunk_home/bin/splunk fsck repair --all-buckets-all-indexes his will rebuild hot/warm/cold in all indexes. If you require it in a single index, then you can use the below command. $plunk_home/bin/splunk fsck repair --all-buckets-one-index --index-name= Below is the document which will help you to understand better. https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Bucketissues ... View more