Hi there, Have a read here https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Knowledge/Usesummaryindexing#Get_started_with_summary_indexing    cheers, MuS ... View more

We haven't seen that error in the past - we use the Splunk Password Storage REST API endpoints to store the credentials in an encrypted manner. Can you send us an email at dev-support@carbonblack.com and we can set up a shared session to try and troubleshoot what may be occurring? Thanks - Jason ... View more

i just used this query: | tstats latest(_time) as lastTime where index=windows* by host _time span=1w | table _time host | stats values(_time) as mytimes by host | eventstats max(mytimes) as maxtime | where mvcount(mytimes)<2 | rename COMMENT as "use this one to get the hosts which disappeared this week" | where mytimes = maxtime However, i still see hosts that are currently logging this week. ... View more

It does work with 6.6.1 if you use localop index=xxx encoded=* |localop | decrypt f=encoded atob emit('decrypted') | rex field=decrypted mode=sed "s/.//g" ... View more

Do i have to configure the inputs.conf on the IDX clusters? This is what i currently have, but there is a communication error between the SH and the IDX_Cluster: [indexAndForward] index = true [tcpout] defaultGroup = idx-indexers forwardedindex.filter.disable = false indexAndForward = 1 [tcpout] forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_internal) [tcpout:idx-indexers] autoLBFrequency = 40 disabled = 0 server = :9997,:9997:9997 sslCertPath = $SPLUNK_HOME/etc/auth/server.pem sslPassword = sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem sslVerifyServerCert = 0 useACK = 1 Anything im doing wrong here? ... View more

The app is designed around SYSCALL events because they're an integral part of auditd, so refining the audit rules to meet your needs is recommended rather than excluding them. If you really need to exclude them, the simplest approach would be to ingest SYSCALL events into a dedicated index, ensure it isn't in the auditd_indicies.csv lookup and disabled the "Update auditd_indicies lookup" scheduled search so the lookup isn't updated. Be sure to also create a local override of the "auditd_events" event type, explicitly specifying the indices you want to be searched instead of index=* (this is used by the data model). ... View more

This REST command does not show history, only the current point in time. So it is not a useful way to see when something happened in the past. From another answer, @AndySplunks said "I have saved searches (and correlations) looking for any activity in _audit for object='can_delete' and for any search activity that includes '| delete'" That is probably a better way to go. ... View more

At a point when all forwarders are reporting, rerun this: Settings -> Monitoring Console -> Settings -> Forwarder Monitoring Setup -> Rebuild forwarder assets ... View more

Yea I have followed those instructions. I Am testing this without ES. ... View more

What would be the best query to monitor SSH logins to the Splunk Server? ... View more

This sounds like you are trying to make something like the investigator timeline from Enterprise Security. Also what you are trying to achieve is not what KV Stores are traditionally used for. Have a look at the Splunk Java SDK. With the java sdk you can write your own dashboards and as it's JS you have a lot of flexibility with the scripting language. ... View more