×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Suirand1
Explorer
Member since: ‎07-28-2020
‎10-09-2023
Community Statistics
Posts 9
Solutions 0
Karma Given 4
Karma Received 2
Member Since ‎07-28-2020
Activity Feed
View All

Re: 500 Internal Server Error when I click "Manage...

by in All Apps and Add-ons
‎03-21-2023 05:33 AM
‎03-21-2023 05:33 AM
Hi everyone, I did grep -rl "<dashboard" /opt/splunk/etc/* | grep "\.xml" | xargs grep "<label></label>", found an .xml file with no content inside <label></label>, changed it to <label>Corvil</label>, restarted Splunk -in fact, the whole system-, tried updating an app -any app- and the 500 Error is still there.   Any suggestion? Thanks! ... View more

Re: Getting mutiple issues when enabling ssl on Sp...

by Splunk Employee in Splunk Enterprise Security
‎03-07-2023 07:50 PM
‎03-07-2023 07:50 PM
https://docs.splunk.com/Documentation/Splunk/9.0.0/admin/Webconf sslRootCAPath = <path> * The path to a root certificate authority (CA) certificate, in privacy-enhanced mail (PEM) format, that splunkd is to use to authenticate client certificates under certain specific conditions. * Splunkd uses the certificate specified at the path defined in this setting only when both 'requireClientCert' and 'enableCertBasedUserAuth' have a value of "true". * If this setting has no value, splunkd falls back to the value of the 'sslRootCAPath' setting in server.conf. * If you have already configured 'sslRootCAPath' in server.conf, the value of this setting does not override the setting of the same name in server.conf. * No default.   ... View more

Re: Upload Threat Intelligence not working

by in Splunk Enterprise Security
‎09-20-2021 02:25 AM
1 Karma
‎09-20-2021 02:25 AM
1 Karma
I did manage to get this to work, so I will share my findings with you so you can do the same. There are a few important things you need to take into account. As a test create a csv file like this: description,file_hash,file_name,weight test1,11111hash11111,123.py,5 test2,22222hash22222,123.exe,5 In the Enterprise Security App Go to Configure→Data Enrichment→Threat Intelligence Uploads The most important part of uploading Threat Intel is that you format your csv file properly. One of the greatest pain points encountered when ingesting threat indicators is the naming of fields. The threat intelligence framework expects that specific header field values are being utilized. The reference for this can be found here→ https://docs.splunk.com/Documentation/ES/latest/Admin/Supportedthreatinteltypes Make sure you copy the exact headers and do NOT use whitespaces. Next; I recommend giving the default weight of 5. Make sure you fill in a meaningful Threat Category and Threat Group as these will be the values that populate the dropdowns in the Threat Intelligence dashboards. Save this. Next important thing is to wait a few minutes for the upload to be processed by ES. Go to Security Intelligence->Threat Intelligence->Threat Artifacts and you will see your uploaded values:     ... View more

Re: Why is "Threat file_intel" not capturing hash ...

by in Splunk Enterprise Security
‎09-17-2021 06:38 AM
1 Karma
‎09-17-2021 06:38 AM
1 Karma
I am in the same situation. Endpoint filesystem datamodel has file_hash and file_name values. I do see those values uploaded to Threat artifacts dashboard succesfully. However threatintell is not hitting it for some reason. Any help would be apreciated. ... View more

Re: Fortinet Fortigate App for Splunk Empty Dashbo...

by in All Apps and Add-ons
‎05-31-2021 05:40 AM
‎05-31-2021 05:40 AM
i faces same issue, and i just added the search of each dashboard on the app with index=xxx at the beginning of the search, then all dashboards worked fine ... View more

Re: SSE v3.1.2 CIM compliance check returns only 2...

by in All Apps and Add-ons
‎03-18-2021 04:30 AM
‎03-18-2021 04:30 AM
Hi, did you find any fix about this issue? I've managed to edit the "complete" and "all-done" status within the kvstore, but this can't be the only fix to do. ... View more

Re: Security Essentials CIM Compliance Check error

by in All Apps and Add-ons
‎03-17-2021 08:58 AM
‎03-17-2021 08:58 AM
This ended up being a big within the app, resolved in Version 3.3.1 March 10, 2021 This is a small release with the following bugs fixed: - Local search mapping mapped to wrong field when using Create New from Content Introspection - Fixed a bug where the update would fail based on the data returned - Modified the links to remediate a potential tabnabbing vulnerability - Removed the Highcharts library - Fixed a bug with the sseidenrichment command (Only affects Splunk 8.1) ... View more

Re: Windows Process Name inputs.conf Blacklisting ...

by in All Apps and Add-ons
‎01-25-2021 06:52 AM
‎01-25-2021 06:52 AM
Without creating new topic I will ask here. SSE Docs provides example of "inputs.conf " on onboarding windows logs with a failing regex line which gets discarded by splunkd : "blacklist3 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"" Could somebody provide some fix for this, and correct an error in the DOCS.? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-09-2023 07:07 AM
Karma from
View All
Karma given to
View All