Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About vr2312
vr2312
Builder
Member since:
03-10-2015
Tuesday
Community Statistics
| Posts | 139 |
| Solutions | 15 |
| Karma Given | 46 |
| Karma Received | 15 |
| Member Since | 03-10-2015 |
Activity Feed
- Karma Re: Splunk Admin Password for wrangler2x. Tuesday
- Got Karma for Re: How can I completely delete a user in Splunk ES?. 09-07-2024 04:15 AM
- Got Karma for Re: How can I completely delete a user in Splunk ES?. 09-07-2024 02:40 AM
- Posted Re: How do I index data from a Cisco IPS? on All Apps and Add-ons. 09-01-2024 08:57 PM
- Posted Re: How can I completely delete a user in Splunk ES? on Splunk Search. 09-01-2024 06:38 PM
- Posted Re: Disabled/Deleted users are appearing in Investigators Panel in Enterpriser Security on Splunk Enterprise. 09-01-2024 06:13 PM
- Posted Re: Disabled/Deleted users are appearing in Investigators Panel in Enterpriser Security on Splunk Enterprise. 09-01-2024 06:12 PM
- Posted Re: Cant see export csv on my dashboard stiudio(splunk 9.2.1) on Installation. 08-22-2024 12:32 AM
- Posted Re: Cant see export csv on my dashboard stiudio(splunk 9.2.1) on Installation. 08-22-2024 12:00 AM
- Posted Disabled/Deleted users are appearing in Investigators Panel in Enterpriser Security on Splunk Enterprise. 08-21-2024 11:58 PM
- Tagged Disabled/Deleted users are appearing in Investigators Panel in Enterpriser Security on Splunk Enterprise. 08-21-2024 11:58 PM
- Posted Re: Configure and Use Enterprise Security Configuration Explorer on Installation. 06-10-2024 07:31 PM
- Posted Re: How to observe EPS for particular datasource from a Splunk UBA CLI? on Splunk User Behavior Analytics. 06-03-2024 09:25 PM
- Karma Re: How to get Splunk sendemail command to send multiple emails based on search results? for sirajnp. 06-03-2024 09:03 PM
- Posted How to observe EPS for particular datasource from a Splunk UBA CLI? on Splunk User Behavior Analytics. 09-21-2023 10:34 PM
- Tagged How to observe EPS for particular datasource from a Splunk UBA CLI? on Splunk User Behavior Analytics. 09-21-2023 10:34 PM
- Tagged How to observe EPS for particular datasource from a Splunk UBA CLI? on Splunk User Behavior Analytics. 09-21-2023 10:34 PM
- Posted Re: What defines an asset priority? on Splunk Enterprise Security. 09-04-2023 07:19 PM
- Tagged Re: What defines an asset priority? on Splunk Enterprise Security. 09-04-2023 07:19 PM
- Got Karma for Re: Why is one search head no longer communicating with indexers? Getting error "failed_because_BUNDLE_DATA_TRANSMIT_FAILURE". 06-29-2023 03:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
09-01-2024
08:57 PM
Hi @fabiyogo1 , you can enable syslog from the IPS devices to be sent directly to splunk or to an intermediate syslog box and use splunk agents to forward it to an Indexer/HF based on how the set up is.
... View more
09-01-2024
06:38 PM
2 Karma
The names of the investigators are populated in the KV Store, user_realnames, Here are steps that needs to be taken for removing the old investigators. Navigate to the app "Splunk App for Lookup File Editing" for editing the KV Store. On the Lookups page, find the “user_realnames_lookup” file and edit it Delete the users who are not part of the organization currently. To Delete, select any cell in the table and right click you will see options to delete the selected rows if needed. Ensure that the profiles no longer appear in the investigators section after the lookup update.
... View more
09-01-2024
06:13 PM
Hi @fahimeh , i just added the solution to this on to the post. Please upvote for more reach 🙂
... View more
09-01-2024
06:12 PM
Adding the solution to this so that it can help others. The names of the investigators are populated in the KV Store, user_realnames, Here are steps that needs to be taken for removing the old investigators. Navigate to the app "Splunk App for Lookup File Editing" for editing the KV Store. On the Lookups page, find the “user_realnames_lookup” file and edit it Delete the users who are not part of the organization currently. To Delete, select any cell in the table and right click you will see options to delete the selected rows if needed. Ensure that the profiles no longer appear in the investigators section after the lookup update.
... View more
08-22-2024
12:32 AM
If you see the option, but its greyed out, you may want to check this link https://community.splunk.com/t5/Dashboards-Visualizations/Is-there-an-option-to-export-CSV-or-PDF-in-Splunk-Dashboard/m-p/558071/highlight/true
... View more
08-22-2024
12:00 AM
Hi @hv64 , you may need to check if you have the role/privilege to view that option. Are you by any chance a Splunk admin or just an end user of Splunk ?
... View more
08-21-2024
11:58 PM
Currently on Splunk ES 7.3.2 Splunk Enterprise Security where i can see users, who used to be part of the organisation, but are now deleted/disabled (in Splunk) are still populating when i try to assign new investigations to other current members of the organisation For instance, Incident Review -> Notable -> Create Investigation In the investigation panel, when i try to assign the investigation to other members of the team, i can also see disabled/deleted accounts/users/members as an option to assign the investigation to. Any way we can remove these members from populating so that the list of investigators replicate the current numbers we have in the team.
... View more
Splunk Enterprise Security
Splunk Enterprise Security
06-10-2024
07:31 PM
So this apps works with the conjunction of the saved Search. Risk Factors - Lookup Gen -check if the search is running as expected and see if the lookup contents are being populated. Also, for the visualizations to be populated, you would need to install the following 2 apps * Treemap: https://splunkbase.splunk.com/app/3118 * SanKey: https://splunkbase.splunk.com/app/3112
... View more
06-03-2024
09:25 PM
So after much thought and deliberation, this is how you can see the real-time EPS and the trends around it on UBA. 1. You would need to add the parameter ?system in the url right before the # values. 2. Once done, proceed to Manage -> Data Sources -> Select Data Source to reveal the real-time EPS and trends associated with it.
... View more
09-21-2023
10:34 PM
As the title suggests, i am trying to onboard multiple data sources in Splunk UBA. I would like to see if there is a way i can see from the CLI on the EPS per each data source ingested. The EPS fluctuates when we run data sources to ingest data from Specific time window even if the data exists within Splunk Enterprise as compared to AllTime.
... View more
Labels
- Labels:
-
using UBA
09-04-2023
07:19 PM
You can do that by clicking the Assets and Identity lookups and follow the hyperlink under the source tab. That will redirect it to the contents of the lookup where you can click on the field and edit it.
... View more
09-15-2021
05:30 PM
Hi @CarolinaHB , As you have installed the application as root and also started the service as root, there might be a chance if the port 8000 is being utilized by another application or blocked by the firewall. Could you please check if 1. Port 8000 is open 2. If port 800 is being used by another application netstat -tulpn | grep :8000
... View more
09-15-2021
05:24 PM
Yes, that was all done and it failed. There were more than just files that needed to be renamed and the linkages created the app resulted in the app breaking down after the rename. Sadly with the current version of the App Builder that is in, there are only two workarounds that can be implemented : 1. Download the older version of the add-on builder, rename the app, export the app and import it after installing the new version of the add-on builder. 2. Rebuild the app from scratch.
... View more
- Tags:
- yes
09-15-2021
05:22 PM
I had the same issue for this. What i did was exported the TA built from the home page of the add-on-builder as a tgz, then reimported the package. Once reimported, i browsed through the app that was built; then moved to validation and package where the download button was no longer greyed out and i was able to download a SPL.
... View more
09-02-2021
08:31 PM
After building a project/add-on based on the Standard naming convention of Splunk, i am facing the issue where i have to remove the prefix set by the app. Renaming it via the add on builder fails and renaming it outside of the app breaks the whole app as it runs based on complex scripts within. Any guidance will be hepful
... View more
02-18-2021
06:04 PM
The current Duo-Splunk connector suggests that it can be used for Splunk running v7 and v8. However, when running the app from Splunk v7; the script does not seem to run as expected due to the six.py version being 1.9.0 and the module expects 1.12 to run. Any inputs to how this can be addressed ?
... View more
Labels
- Labels:
-
configuration
-
installation
02-27-2019
03:38 PM
Tweak the query as stated. It would help, there is not fixed answer for this as the query is different w.r.t. data ingested.
... View more
12-17-2018
07:32 PM
Weird. Could you try clearing the cache and stuff, make sure you are not VPN. try searching google and redirecting to the site than going directly ? @Leo_Yong
Not sure if you have tried all these
... View more
12-16-2018
05:37 PM
Are you trying on a personal N/W or on a professional N/W ?
Try using hotspot (mobile data as Wifi) to connect and see if it works .
... View more
12-09-2018
10:06 PM
You do not need to ignore that, but i do not find them to be the cause of the infrastructure issue you are facing.
http://docs.splunk.com/Documentation/Splunk/6.3.3/data/Configurecharactersetencoding#Comprehensive_list_of_supported_character_sets
Check this for looking at failed_stat and binary errors.
These are certain things that needs to be addressed, but you must pay attention to the bigger issue,
... View more
12-09-2018
09:56 PM
These are basic errors that has been there for a long time. That is not the cause of the issue. Also
12-10-2018 00:50:21.998 -0500 WARN AdminManager - Handler 'summarization' has not performed any capability checks for this operation (requestedAction=list, customAction="", item=""). This may be a bug.
Raise a ticket with Splunk for this.
Also it might be due to some new services running, do you run crowdstrike or something ?
I remember one of my instances when a new product was installed and it took our indexers down.
Check top in the IDX and see what is being populated.
... View more
12-09-2018
09:08 PM
Could you post any error messages from the IDX ? Are all IDXs functioning well ?
Are search results returning ?
... View more
12-09-2018
08:37 PM
Hello @prathapkcsc
From the UF, the data to HF/IDX is blocked cause of queues majorly. You might need to see why the queues are blocked at the IDX end. Probably due to low disk or probably due to an extensive search being run or network connectivity
... View more
12-09-2018
07:43 PM
Okay, if these are from the Cluster Master, can you share the log files of one of the Indexers ? If the Master is unable to forward its data to the IDX, we would need to identify if its an IDX issue.
... View more
12-09-2018
06:46 PM
You can use chef to create an automated process.
https://github.com/chef-cookbooks/chef-splunk
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Tuesday
|
Karma given to
