Why does the "Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe" make excessive connections to the machine? I have run into this issue of it maxing out my license, but would like to know the root cause of excessive connections. ... View more

I am running a linux server and trying to establish a connection to McAfee with the SQL server using kerberos authentication. I have downloaded and installed the correct driver and DB connect recognizes the driver. When trying to create a new connection, I receive the error, "com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId: blah blah". When I look through the dbx_server logs, I find the same error as above, but also another log with an error. The other log states "ClientConnectionId: blah blah cause={} org.ietf.jgss.GSSException: No Valid credentials provided (Mechanism level: Server not found in Kerberos database (7))". Does anyone know what the issue is that is keeping the linux machine from establishing the connection? ... View more

Currently, I have all the syslog data sending to Port 514. I want to be able to better organize this data by its host. We have Splunk ver. 6.6.3. I've read some different answers, and I think the solution is in sourcetype overriding. How do I perform sourcetype overriding within the UI? Everytime I try to edit the input, the port 514 can't be used more than once, and an error is produced. Specifically, this has to do with Fortinet Fortigate App for Splunk. There are data input instructions in the details. The app does not recognize the data. The data is in our indexer through syslog. The NOTE from the app is below. Note: From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data, a default sourcetype fgt_log is specified in default/props.conf instead, please follow the instruction below to configure your input and props.conf for the App and TA(Add-on). Through Splunk Web UI: Option1: Adding a UDP input Settings->Data Input->UDP Port: 514 (Example, can be modified according to your own plan) Sourcetype: fgt_log (Example, can be modified according to your own plan but need to match the sourcetype stanza in props.conf) --> This won't let me change or add a new input due to the port already being used. Option2: Adding a file input Settings->Data Input->Files & Directories Browse: Select the file directory Select sourcetype: if fgt_log is not created yet, click Save As -> Name:fgt_log Leave others unchanged and save. --> I don't know what file directory needs to be selected. ... View more

I'm running CentOS for Splunk Enterprise and am installing DB Connect to connect to different databases. Why does this install require a restart? Is there a kernel module? I just want to understand the reasoning behind a restart for this add on. ... View more

I am looking into login logs from different Event IDs. Some events have two fields for Account_Name, while other events have only one Account_Name in their log. What would my query be if I needed to compensate for either scenarios? I have performed a query using mvindex(Account_Name, 1) to obtain the second Account_Name in the log. However, I am stuck where if there is no second Account_Name being used. To see if there is an issue, I inserted... | fillnull value=null | My query is as follow: index=main (EventCode=4624 OR EventCode=4647 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4770 OR EventCode=4771 OR EventCode=4774 OR EventCode=4776 OR EventCode=4778 OR EventCode=4779) | eval Account_Name=mvindex(Account_Name,1) | fillnull value=NULL | stats count by Account_Name | sort - count I don't expect to see Null in my results as each Event should have at least one Account_Name. Thank you in advance for any help. ... View more

I have currently a lookup table that consists of Account_Name and Host. This was created from Windows Event 4624 (An Account was successfully logged on) from a search parameter of the last 30 days. I am wanting to use the lookup table to filter the Account_Name and Hosts, and display in the new query the differences that the new search brings. For example, Lookup Table: Account_Name,Host Alpha, comp1 Bravo, comp1,comp3 Charlie, comp5,comp6 Delta, comp4,comp8 New Logons Data: Alpha, comp1,comp2 Bravo, comp2,comp3 Charlie, comp4,comp5,comp6 Delta, comp4,comp8 So the new results should provide me with: Alpha, comp2 Bravo, comp2 Charlie, comp4 So far my query is as follow: index=main EventCode=4624 NOT [ | inputlookup lookuptable.csv ] | Table Account_Name Host This is how I set up lookup tables with one field for filtering, but trying to filter from two fields has got me stuck. Thanks in advance for any help. ... View more