The above referenced procedure was accurate to add Exchange Online.  Note, by default, it queries one week back and only grabs one hour at a time every query interval, meaning it takes a while to catch up to current mail messages. ... View more

Working with the Exchange administrator, it isn't clear even with the documentation how to assign the Exchange Admin role for Oauth since there isn't a clear username to assign that role.  Any one figure this one out?   ... View more

git + POSIX sh + ssh forced commands Each app is its own repo in git.  If I'm lucky, I'm using gitlab which allows me to have folder hierarchy to identify apps by function (e.g. apps for the CM, apps for the SHD, apps for the DS to push to the UFs).  Then, I built a shell script that is attached to a forced command in ~splunk/.ssh/authorized_keys so when you authenticate to that account, you pass the name of a repo.  It validates that is a valid repo, git pulls the main branch of that repo, then uses a token attached to a local Splunk user that only has the deployment permissions to deploy the update (e.g. `splunk reload deploy-server` or the SHD deployment command sequence). Repos intended to be updated by non-admins, I lock the repo so it can't get administrative config files (e.g. authentication.conf) by push rules. ... View more

Regarding the look and feel, may I suggest a custom stylesheet, using a browser extension like Stylus?  If you come up with one you like, maybe even post it somewhere others can grab it. ... View more

With a moderate number of workstations like that, the downside of a forwarder is you know when they stop reporting in. The upside is you know when they stop reporting in. VDI are typically considered more transitory, less permanent, so a forwarder does make less sense. You may need to consider a different solution for each technology type. Some have had luck with a syslog daemon on Windows to forward log events. There really is not a single best answer in my view. Each technology has advantages. Forwarders are easier to monitor, harder to deal with systems that are expected to come up and down regularly, but also deal surprisingly well with network disconnects. Event forwarders are simple, but as you've seen, not well known for reliability. Some use syslog or other protocols to introduce more answers. ... View more

The approach I'd at least consider would be to construct an alert that determines if the lookup table needs modifying. Run that alert periodically, keep that alert query simple. To make this alert work, you need some kind of time column or similar method to know "here's how recently updated this lookup table is". If you can use the lookup table to return a timestamp, you could even have that construct an earliest= field specification for your main search for data, so that the search starts at the time of the lookup table update timestamp. Then, you'd need a custom alert action that executes a non-scheduled saved search to perform the lookup table update. Since a custom alert action could be a script, it could be used to trigger the saved search that does the update. ... View more

I typically recommend the UF on Windows servers. It makes monitoring for problems much easier, such as systems that have stopped sending any data. As for workstations, that may be a bit stickier, but if your number of workstations is small, a UF is hardly outrageous compared to many other agents I've seen on workstations. The major question to ask yourself is what happens when that workstation (which includes laptops presumably) goes home and then is brought online? ... View more

The app for parsing PAN logs does not share the field extractions. You can use the search category of the app to construct your arbitrary app. Sounds like you are not necessarily searching from within the Palo Alto Networks app. ... View more

Look at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bucket There are examples of almost exactly what you want. ... View more

That's the point. You're capturing the sourcetypes into a field. A transform to define a new field with the reduced portion allows you to clump them according to the pattern you identified into a new field. rex field=sourcetype "^[^:]+:(?<newsrctyp>.*)" would strip out the portion up to and including the first colon for you and place into the field newsrctyp, which is now grouped. ... View more

Just for sanity's sake, see if that token works for you in the alert body. $result.host$ means insert from the results, the value of the field named host. There are some oddities for some cases in that token, but source and host should just work. ... View more

Run a rex to create a new field based on the sourcetype to capture the portion of the sourcetype you care about. Use that new transformed sourcetype field instead. ... View more