Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About avivfri
avivfri
Explorer
Member since:
06-28-2020
09-04-2024
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 06-28-2020 |
Activity Feed
- Posted How to change Host for AWS cloudtrail input to be Account ID? on Splunk Enterprise. 12-03-2022 11:22 PM
- Karma Re: Frozen storage with $_index_name for PickleRick. 04-18-2022 03:32 AM
- Posted How to fix frozen folder not splitting up by indexes that instead have $_index_name at the root folder on the volume? on Splunk Enterprise. 04-18-2022 12:10 AM
- Posted Re: Splunk indexers max volume size exceeded on Splunk Enterprise. 04-07-2022 04:31 AM
- Posted How to fix Splunk indexers max volume size exceeded? on Splunk Enterprise. 04-07-2022 02:24 AM
- Karma Re: How to Filter out Windows event logs XML format? for PickleRick. 03-27-2022 04:02 AM
- Posted Re: How to Filter out Windows event logs XML format? on Splunk Enterprise. 03-27-2022 12:32 AM
- Posted Re: How to Filter out Windows event logs XML format? on Splunk Enterprise. 03-26-2022 11:19 PM
- Posted How to Filter out Windows event logs XML format? on Splunk Enterprise. 03-24-2022 06:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-03-2022
11:22 PM
Hello
I would like AWS cloudtrail logs "Host" field to be the Account ID per each log (we have multiple AWS accounts). The current value is "$decideOnStartup".
We are using SQS-based S3 to read a bucket containing CloudTrail from several accounts.
Is there any way to do it?
Thank you
... View more
Labels
- Labels:
-
configuration
04-18-2022
12:10 AM
Hello
I noticed that my frozen folder are not splitting up by indexes. Instead I have "$_index_name" at the root folder on the volume.
this is my configuration:
[default]
maxTotalDataSizeMB = 1000000
frozenTimePeriodInSecs = 13824000
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
tstatsHomePath = volume:hot/$_index_name/datamodel_summary
summaryHomePath = volume:hot/$_index_name/summary
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
coldToFrozenDir = /frozen/$_index_name/frozendb
repFactor=auto
is there a way to fix it?
Thank you
... View more
Labels
- Labels:
-
administration
-
configuration
04-07-2022
04:31 AM
Hi Giuseppe Thank you for the detailed answer! so you are saying that "frozenTimePeriodInSecs" takes priority over "maxVolumeDataSizeMB"? Thank you
... View more
04-07-2022
02:24 AM
Hello
I have 5 indexers managed by Cluster Master.
On the indexes.conf (located as master-app) I have the following configuration:
[default]
maxTotalDataSizeMB = 1000000
frozenTimePeriodInSecs = 13824000
[volume:hot]
path = /hot/splunk_db/
maxVolumeDataSizeMB = 2800000
from my understating, the Hot volume on each indexer should not be more than 2.8TB. but, actually the volume exceeded this limit and reached 2.9TB.
can someone please assist?
Thank you
... View more
Labels
- Labels:
-
administration
-
configuration
03-27-2022
12:32 AM
understood. so it is possible to filter these kind of events?
... View more
03-26-2022
11:19 PM
Hi Thank you for your answer. this is an example for the log I want to filter out: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{GUID}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-03-27T06:12:23.991443700Z'/><EventRecordID>4172712244</EventRecordID><Correlation ActivityID='ID'/><Execution ProcessID='1096' ThreadID='1486900'/><Channel>Security</Channel><Computer>exchange</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>SID</Data><Data Name='SubjectUserName'>exchange$</Data><Data Name='SubjectDomainName'>AD</Data><Data Name='SubjectLogonId'>0x63767d73d</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeDebugPrivilege</Data></EventData></Event> will the field SubjectUserName be mapped to User? Thank you
... View more
03-24-2022
06:59 AM
Hello we are trying to add filter on the input of windows event log. the input conf is:
[WinEventLog://Security]
disabled = 0
index = windows
blacklist1 = 5145,5156
blacklist2 = EventCode=4672 SubjectUserName="exchange\$"
renderXml=true
suppress_text=true
supress_sourcename=true
supress_keywords=true
suppress_task=true
suppress_opcode=true
blacklist1 is working good, but blacklist2 is not working. the target is to filter out the event id 4672 with the SubjectUserName equals to "exchange$".
any ideas?
Thank you
... View more
Labels
- Labels:
-
configuration
-
using Splunk Enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-04-2024
05:11 PM
|
