Hi, In Splunk Stream app (v7.1.2) there is a panel named Query on the DNS Activity dashboard. For me it is empty, the query its use: index=* source="stream:Splunk_DNSRequestResponse" | rename count as counts query as Query | eval error=if(reply_code!="NoError", counts, 0) | stats sum(counts) as Counts sum(error) as Errors by Query | sort Counts desc If I add | spath query to the query its works: index=* source="stream:Splunk_DNSRequestResponse" | spath query | rename count as counts query as Query | eval error=if(reply_code!="NoError", counts, 0) | stats sum(counts) as Counts sum(error) as Errors by Query | sort Counts desc Question: can I fix this panel without modifying the query? I don't like to create custom confs in a factory app. Its just makes problems during an upgrade... Update: I found a similar problem with the "Resolution Integrity" panel, too. Regards, István ... View more

Hi there, Has anybody experience with Forcepoint (Websense) Email gateway log parsing (in order to process them with ES)? Forcepoint has a docs: https://www.websense.com/content/support/library/email/v85/email_siem/siem_log_map.pdf Currently, I try to use only "Policy" events to get all the field I needed, but it doesn't look perfect. So can help somebody who is familiar with Forcepoint help me to build an addon? Regards, István ... View more

Hi there, I'm building a test Splunk deployment: 3 SH in cluster, 2x2 IX in multi-site cluster, 1 admin node(CM, Deployer, ...) and 1 dedicated Monitoring Console node. I have a problem with the Monitoring Console setup. I tried to follow the documentation (https://docs.splunk.com/Documentation/Splunk/7.2.1/DMC/Deploymentsetupsteps) I've added as Search peer: - all SH server - admin node (incl. Cluster Master role) I've enabled the Distributed Monitor Console, fixed instances' roles if needed. Apply. Results: - Under Overview->Topology there are no Indexers listed. - There are several panels which are empty and have a warning: "Search filters specified using splunk_server/splunk_server_group do not match any search peer." What am I doing wrong? Please help me fix it. Regards, István ... View more

Hi there, What are the possibilities with Splunk to generate and export a complex report with graphical elements, too? I know there is a pdf export, but so far looks like it has several limitations. I know that chart/tables can be exported separately. Can Splunk generate a fancy, well-formatted pdf/docx/etc report? (Scheduled.) Thx, István ... View more

Hi, I am trying to monitor Windows servers BIOS versions using Registry monitoring with UF. For testing, I installed a full Splunk Ent. and used a web GUI to add some Registry input with the baseline. I received several events, but the _time field for the baseline event is weird. Approximately, they are in 3 days late. The create/etc. events look good. _raw _time 09/21/2018 21:59:09.175 event_status="(0)The operation completed successfully." pid=16872 process_image="c:\Windows\regedit.exe" registry_type="DeleteKey" key_path="HKLM\hardware\description\system\bios\új azonosító (#1)" data_type="REG_NONE" data="" 2018-09-21 21:59:09 09/21/2018 21:59:09.175 event_status="(0)The operation completed successfully." pid=16872 process_image="c:\Windows\regedit.exe" registry_type="SetValue" key_path="HKLM\hardware\description\system\bios\test_key" data_type="REG_SZ" data="" 2018-09-21 21:59:09 09/21/2018 21:59:04.570 event_status="(0)The operation completed successfully." pid=16872 process_image="c:\Windows\regedit.exe" registry_type="SetValue" key_path="HKLM\hardware\description\system\bios\új azonosító (#1)" data_type="REG_SZ" data="" 2018-09-21 21:59:04 09/18/2018 10:47:04.786 registry_type="baseline" key_path="\registry\machine\hardware\description\system\bios\SystemVersion" data_type="REG_SZ" data="" 2018-09-18 10:47:04 09/18/2018 10:47:04.786 registry_type="baseline" key_path="\registry\machine\hardware\description\system\bios\SystemVersion" data_type="REG_SZ" data="" 2018-09-18 10:47:04 09/18/2018 10:47:04.786 registry_type="baseline" key_path="\registry\machine\hardware\description\system\bios\SystemVersion" data_type="REG_SZ" data="" 2018-09-18 10:47:04 The upper events are the create/update/etc events created within a few minutes with the baseline events, but baseline shows 18. Sept, update events 21 Sept. (today). How it is possible, what am I doing wrong? The base system is a Win 10, and the system time is ok. Inputs: [WinRegMon://kulcsi01] baseline = 1 disabled = 0 hive = HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS\\?.* proc = C:\\.* type = set|rename|create|delete [WinRegMon://kulcsi02] baseline = 1 disabled = 0 hive = HKEY_LOCAL_MACHINE\\SYSTEM\\HardwareConfig\\Current\\?.* proc = C:\\.* type = create Thx, István ... View more

Hi, I am trying to clean out a little the correlation alerts in ES. Currently focusing on the Completely Inactive Account. Please help me understand the following situation. Why logging Windows this way or why Splunk doesn't recognize this as a false positive, or why am I wrong. So I found several alerts for inactivity which looks like as badly typed account names but logged as successful login. A sample edited event. My problems are: - bad_usename doesn't exist, cannot log in successfully - Splunk fetch this event as a successful event, with user: "bad_user" - and after 90 days ES alert that bad_user inactive... EventCode=4648 EventType=0 TaskCategory=Logon OpCode=Info Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: legal_domain\legal_user Account Name: legal_user Account Domain: legal_domain Account Whose Credentials Were Used: Account Name: bad_user Account Domain: legal_domain Target Server: Target Server Name: legal_server Additional Information: legal_server Process Information: Process ID: 0x4 Process Name: Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS comman And yes, there is a failed login event with bad_user just before this wired event. Please help me understand this situation and solve somehow. Regards, István ... View more