Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About General_Talos
General_Talos
Path Finder
Member since:
01-10-2021
03-01-2023
Community Statistics
| Posts | 37 |
| Solutions | 10 |
| Karma Given | 2 |
| Karma Received | 15 |
| Member Since | 01-10-2021 |
Activity Feed
- Got Karma for Re: Creating Tokens in Splunk via GUI. 08-19-2022 01:40 AM
- Got Karma for Re: Creating Tokens in Splunk via GUI. 07-22-2022 07:03 AM
- Got Karma for Re: Account Creation Event ID 4720. 05-18-2022 08:42 AM
- Got Karma for Re: Creating Tokens in Splunk via GUI. 04-21-2022 02:35 PM
- Posted Re: Splunk VPC timestamp issue on Security. 07-14-2021 10:58 AM
- Posted Splunk VPC timestamp issue on Security. 07-14-2021 04:59 AM
- Posted Re: Aside from Alerts for Admins& Meta Woot! &MC what other Splunk apps are useful for daily chores & Ransom on Security. 07-14-2021 04:42 AM
- Got Karma for Re: Aside from Alerts for Admins& Meta Woot! &MC what other Splunk apps are useful for daily chores & Ransom. 07-09-2021 07:18 AM
- Posted Re: Aside from Alerts for Admins& Meta Woot! &MC what other Splunk apps are useful for daily chores & Ransom on Security. 07-05-2021 07:59 PM
- Got Karma for Re: How do I search for Technology Add-ons or hidden apps in Splunk. Thank u in advance. 07-05-2021 07:56 PM
- Posted Re: Search Results into a table on Splunk Search. 07-05-2021 07:52 PM
- Posted Re: How do I search for Technology Add-ons or hidden apps in Splunk. Thank u in advance on Knowledge Management. 07-05-2021 07:43 PM
- Posted Re: json SED problem on Getting Data In. 07-05-2021 09:57 AM
- Karma Re: json SED problem for kamlesh_vaghela. 07-05-2021 09:57 AM
- Posted json SED problem on Getting Data In. 07-05-2021 05:12 AM
- Posted Separate ES App "Incident Review Dashboard" on Splunk Enterprise Security. 05-20-2021 01:20 PM
- Tagged Separate ES App "Incident Review Dashboard" on Splunk Enterprise Security. 05-20-2021 01:20 PM
- Got Karma for Re: Syslog Data Reaching Forwarder?. 01-29-2021 05:26 AM
- Got Karma for Re: Multi tenancy support in Splunk cloud. 01-18-2021 08:06 PM
- Posted Re: Multi tenancy support in Splunk cloud on Splunk Cloud Platform. 01-18-2021 09:08 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
03-06-2024
10:28 AM
@richgalloway or @General_Talos How do we need to hide the app that is downloaded from Splunk base to be viewed by other customers through source control like Git? I see a file with default.meta where it says [] owner =admin access = read : [*], write : [ admin ] export = system Thanks
... View more
06-30-2022
07:46 AM
Token authentication mechanism kind of works in parallel with SAML, so it requires SAML Attribute Query support in order to retrieve the information about group membership. Without AQR, this can be done with a script which extends Splunk auth and retrieves the information about group membership on its own, without AQR. You have 3 possible options: 1. Use identity provider which supports Attribute Query (AQR) 2. Use Azure or Okta since Splunk has auth extensions for them out of the box 3. Create your own authentication extension. If I'm not mistaken, Splunk cloud doesn't support auth extensions, so option 3 might be not applicable to your case.
... View more
05-18-2022
08:45 AM
this post saved me so much time!!! Thank you note1: Only need EventCode=624 if you have Windows 2008 or older systems. note2: don't need this line, but the rest is perfect. | search CreatedBy=*
... View more
07-14-2021
04:42 AM
Yes, Splunk ES content update is different app https://splunkbase.splunk.com/app/3449/ +1 SA-Investigator for Enterprise Security : https://splunkbase.splunk.com/app/3749/
... View more
07-05-2021
11:58 PM
@splunknewbie81 Do you want to visually see the results in CSV format or export them? table/stats command just shows the information in tabular format visually underlying they are not CSV format. If you want the CSV format you shall export the results which you can find in search app itself. Same can be achieved using Splunk Rest API calls. --- An upvote would be appreciated if it helps!
... View more
07-05-2021
09:57 AM
Thanks @kamlesh Minor changes, resulted in required result. SEDCMD-unwantedfields=s/\}\}\}(.*)\}/g
... View more
05-20-2021
01:20 PM
Hey Splunkers, any possibility of having 2 separate incident review dashboard - 1st for production usecase - 2nd for Development/Test usecase
... View more
- Tags:
- enterprise
Labels
- Labels:
-
using Enterprise Security
01-20-2021
12:57 AM
Thanks for your response. I picked 1 of the IOC in the list and tried to search on Threat Artifacts which can be found. But both threat_group and threat_category is undefined. May I know if it will cause any problem?
... View more
01-18-2021
09:11 AM
General_Talos, Thank you but I'm not looking to add a new lookup file. I am wanting to find out more details on my existing lookup file.
... View more
01-18-2021
09:08 AM
1 Karma
Splunk is not Supporting multi-tenancy until yet. You can have separate Splunk infrastructure for all you clients, an alternative is also mentioned https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-and-multitenancy.html (however this is just an suggestion and maynot achieve 100% of requirement).
... View more
01-18-2021
09:03 AM
If you are using "Splunk Cloud" Trail, I guess the answer is NO. If you want to perform testing for Azure/Event Hub, I would suggest to install "Splunk Enterprise" on your test machine Or create instance on "AWS/Azure". (this will give you flexibility to customize your configuration settings).
... View more
01-14-2021
06:47 AM
Thank you for the response, this worked , we tweaked it a little after trying your solution. the final query ended like this ( due to rows being added in original query) {My Search Criteria} PassedResult=0 | stats count by riskcheckName | rename riskcheckName as column | rename count as "row 1" | append [| search {My Search Criteria} PassedIAM=0 Golden_Key_Failed=Failed | dedup ID |stats count as “Golden Key Failed” | transpose] | append [search {My Search Criteria} PassedIAM=0 SN_Does_Not_Exist=Failed | dedup ID | stats count as " SN Does Not Exist" | transpose] | rename column as "Cause of Failure" | rename "row 1" as Count | sort "Cause of Failure"
... View more
01-14-2021
01:57 AM
Set up transforms.conf as described in the reference. First, extract the time field with REGEX and then set INGEST_EVAL. For eval, you can use the same one as in SPL.
... View more
01-13-2021
09:39 AM
I don't understand our requirement either. Having said that, I think you should dedup last. Also, if you are interested in months rather than dates you could try index = splunk sourcetype = splunk-sp
| spath
| rex field=m:properties_date "(?<ProdDate>\d{4}-\d{2})-\d{2}T"
| dedup ProdDate
| table ProdDate Do you then need to select current month, 3 months previous and next month from these results? Why can't you just generate these based on now()?
... View more
01-13-2021
04:16 AM
Hi @sarit_s, if you use "timechart count BY _key" you are grouping by _key, but the problem is that _key is a unique value so you'll always count=1. You have to find a different field for grouping. Ciao. Giuseppe
... View more
01-13-2021
03:48 AM
please find the attached file, error has been highligted
... View more
- Tags:
- General_Talos
01-13-2021
01:28 AM
Thanks I had similar thoughts but wasn't sure about it.
... View more
01-13-2021
12:06 AM
Expand tar/zip app file, you may see sub-directories. Check if your app having folder name "__MACOSX", if yes delete the folder, tar/zip is back and re-upload.
... View more
01-12-2021
11:56 PM
1. Is this query correct to know how long it is configured to go to frozen? | rest / services / data / indexes | fields title froz * | rename title as index -- Yes SPL is correct 2. If I need it not to store the logs for 6 years, which is the value that I see by default, and I need it to store the logs for 6 months, understanding that when the log reaches 6 months it would go to a frozen state and splunk would begin to eliminate the older data. -- https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/Setaretirementandarchivingpolicy The maxTotalDataSizeMB and frozenTimePeriodInSecs attributes in indexes.conf help determine when buckets roll from cold to frozen. 3. I should create a file called indexes.conf in the "local" folder and set the value frozenTimePeriodInSecs = 15778800 -- Yes , 15778800 (seconds) means something near to 6 months (60*60*24*180) and for exact value is 15552000 (considering 30 days in each month). b Should I go to the bin and restart the splunk service for it to take the changes? -- Yes, if you are on "standalone infra" Splunk restart required and if you are on a "indexer cluster" a configuration push with rolling restart of all the peer nodes required. 4. Would this change immediately erase logs that are already 6 months old in seconds? or does it start from this moment? -- Its not very immediate, based on your infra may take 2-10 min (again its based on your Splunk infra).
... View more
01-12-2021
11:56 PM
Index abc | timechart per_second(count) Along with the above query I would like to get the response time for each transaction tps vs response time
... View more
01-12-2021
11:43 PM
If your IIS logs are getting stored on a Specific location/path on a system you can try installing a UF and perform "file and folder monitoring to that location/path. https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitorfilesanddirectorieswithinputs.conf https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Setupaddon
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-01-2023
04:52 AM
|
