Hi, does anyone know how to create a realtime alert which should trigger the alert only from Thursday 6PM to Sunday 6AM and any other day between 6PM to 6 AM ? the search query will be something similar to the below. index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 user="Administrator" I need to get an alert if this particular event occurs between Thursday 6PM to Sunday 6AM and any other day between 6PM to 6 AM. Can this be done in a single alert or do we have to create multiple alerts with different cron schedules. ? Looking forward to your suggestions. Regards Sajin ... View more

Hi, we have Solaris 11.3 and have installed the splunk forwarder. Would like to know if anybody is aware how to get the audit logs from the solaris as the solaris 11 TA does not provide any scripts for the audit logs. ... View more

Hi All, Have a requirement with a client that they are looking at integrating their Existing McAfee ESM with the Splunk ES. The requirement is as below. The network devices/servers/applications will send the logs to ESM. From ESM, the logs have to be forwarded to Splunk. It can either be cooked or raw data which ever is feasible. Have anyone had the chance to do similar integration, please let me know how to take it forward. Regards Sajin ... View more

Hi, We have configured SUSE linux servers to send the syslogs to a Universal Forwarder. We found a very strange issue while the logs are indexed. Splunk is detecting the wrong year in the time stamp. For example: If the linux server IP is 172.20.41.11, Splunk detects the year in the time stamp as 2011. If the IP is x.x.x.12, it detects year as 2012. If the IP is x.x.x.16 or x.x.x.17 or anything above 15, it detects as 2015. I have tried to forward syslogs to Splunk Indexer directly instead of a universal forwarder and the time stamp is perfect. I tried to set DATETIME_CONFIG=CURRENT in props.conf in the indexer for the linux source types, but still no luck when the logs are coming through the forwarder. Can someone help to find a solution? ... View more

Hi, We have Cisco IPS for which we use Cisco Security Suite and Splunk add for CIsco IPS to get the events using SDEE. We are getting the intrusions and vulnerabilities events. Is there a way with which we can get the configuration changes in IPS. We would like to get all the user/account changes and other configuration changes in IPS. Regards Sajin ... View more

Hi, Has anyone configured splunk to receive SNMP traps or poll attributes using SNMP? I am trying to configure using the SNMP modular input application without any luck. I have an IPS module on Cisco ASA which supports only SNMP and would like to get the traps to the splunk. If anyone has configured it, please post it here.. Regards Sajin ... View more

Hi, I have cisco ASA and cisco ISE syslogs coming to splunk on udp1026 port. I would like to differentiate the sourcetype and index for both. Cisco ASA logs source type has to be changed as cisco:asa and moved to an index called cisco_asa. Cisco ISE logs source type has to be changed to cisco:ise:syslog and moved to an index called cisco_ise. Please help to build the props and transforms for the above. Regards Sajin ... View more

Hi, We have a Cisco ASA which is sending syslog messages to Splunk for VPN traffic. I would like to know how to create a report with the following details. Username, duration of the VPN connection, Source IP(Public IP), Start time and End time. Has anyone created this report already? If yes, please share the search. Regards Sajin ... View more