Actually, if a security/compliance auditor is looking at searches instead of actual permissions, there is something wrong with the scope of the audit. 😉 But yes. It's a relatively often appearing question (in this or similar form). And no, there is no general answer for it covering all possible scenarios (base searches, eventstats, macros, dynamic parameters...). ... View more

Since you post in the "Enterprise Security" section, I assume you're talking about Enterprise Security app. This is a premium app and as such is not available for free download. While the core Splunk Enterprise product is available with either limited Free License or a time-limited Trial License, there is no such version available of Enterprise Security. It is available for download only for paying customers (and even then - only for the person designated in the license contract). ... View more

This is a bit more complicated topic than it seems. You'd do best to consult it with your local Splunk representative and your local Splunk Partner (possibly a higher-tier one). As the names suggest, with ingest pricing you're paying a fee for the data you're ingesting but you have no limits imposed on the overall architecture of your environment, number of servers, redundamcy, number of sites and so on. So as long as you are within the ingestion size limit you can easily grow your environment if you expand your use cases, add more users and so on. With the workload pricing you're limited by the size of the main components (indexers and search heads) of your environment but can ingest as much data as the hardware can handle. So it is indeed naturally suited for high-volume, low-search environments. But there are obvious caveats - redundancy (especially multisite clustering) and generally horizontal scaling can quickly kill any savings since you need more indexers. Of course horizontal scaling is also obviously beneficial for search speed but here you're limited by your licensed environment size. To some extent you can mitigate the redundancy requirements by decoupling storage from indexers to smartstore but that's another advanced topic to discuss with your local Splunk staff/partner. BTW, I moved this thread to a more fitting section (assuming you talked about on-prem Splunk Enterpise). ... View more

Well, it's true that journald while being pushed on users isn't necessarily a logging tool of choice for many software authors so you can expect to have various pieces of software write directly to /var/log or send to local syslog daemon. You can indeed install rsyslog and have it read journald input. You can use journald in Splunk as well. And you don't have to specify single unit(s) in the input definition. If you don't filter, it should pick up all events. ... View more

1. What is the goal of those questions? You haven't just woken up one day and decided that you want to know "everything about Splunk" without actually learning Splunk. 2. Have you actually tried searching any of those things on your own? Where? What are your results? Do you have any doubts or don't understand something you'd already found? Also - I'm merging your two separate threads about the same subject. ... View more

To be honest, HEC is not supposed to be a full-fledged HTTP server and therefore it might not implement a very big set of features. Just what is needed for the input to work decently enough. 🙂 It does seem to work as described in the docs though and that's - again - good enough. (although an explicit list of "unworthy" clients would be useful). ... View more

What is your rsyslog omhttp action config? In my tests I don't see rsyslog sending "Connecton: Keep-alive" on its own.  If you add it as custom header it doesn't mean rsyslog will know how to handle the persistent connection. ... View more

You're 100% right. Since we want the rarest ones, we need to sort on count. It was late when I wrote this 😉 ... View more

You can't "add" fields to the results. It wouldn't make sense anyway since "rare" is a transforming command and does aggregation on the original data so other fields' values do not correspond 1:1 to the aggregations. What you might try doing instead is using stats (or eventstats but that's more limited). For example: index=abc source=xxx earliest=-60m EventRecType=xyz | stats count values(otherField) as otherField values(anotherField) as anotherField by runTime | sort runTime | head 5 EDIT: I'm not editing the search because @ITWhisperer 's remark will stop making sense but indeed - the sort is on runTime whereas it should be on count. ... View more

That will effectively cripple, if not completely break, the UF since it will have no openssl libraries to use. ... View more

Are you sure you're not running 32-bit distro? Or that you haven't downloaded the aarch64 version instead of amd64? (I'm not sure it would install but better to double check). ... View more

We had a similar question not long ago... What _exactly_ are you doing? UF ships with own openssl version which should be used within UF and only within UF. So systemctl trying to use openssl seems either like a bug or you are doing something wrong way. ... View more

Technically, as far as I remember, it's the license xml itself which tells Splunk whether the license is enforcing or not. Perpetual licenses are a bit unusual and are not covered by the normal docs so they might behave differently than your normal time-bound ones. I'm not sure Splunk issues perpetuals anymore so the license might have been issued back when there were different rules. ... View more

As I read the description to that option - if set to auto Splunk will enforce http/1.0 (possibly adding the Connection: close header for good measure or simply because it's easier to program it this way if there is no User-Agent header in the request. And as you've shown, there was no such header. Try setting the header to something. You're probably using the httpheaderkey and httpheadervalue parameters for passing the token so just use httpheaders option. I must test this myself as well. Might help in my future installations. ... View more

Technically, if you have a perpetual license without support, noone is obligated to do anything about your environment. If it works, it works. If it breaks, it breaks. You are allowed to use the software as per the license terms but you're not entitled to anything beyond that. Having said that, you might call out to your local Splunk sales representative for help but results may vary.   ... View more

So this is not RST. I think I saw rsyslog as client sending RSTs but that might have been over RELP then. What is your forceHttp10 value? forceHttp10 = [auto|never|always] * Whether or not the REST HTTP server forces clients that connect to it to use the HTTP 1.0 specification for web communications. * When set to "always", the REST HTTP server does not use some HTTP 1.1 features such as persistent connections or chunked transfer encoding. * When set to "auto", it does this only if the client did not send a User-Agent header, or if the user agent is known to have bugs in its support of HTTP/1.1. * When set to "never" it always allows HTTP 1.1, even to clients it suspects might be buggy. * Default: auto   ... View more

I think I might have seen this behaviour. Unfortunately if it's the client just sending RST (RST is not the same as FIN), no amount of server-side settings will help. You might want to: 1. Try to set up some dummy HTTP receiver to verify if omhttp does it with it as well. 2. Ask on rsyslog mailing list. As a partial walkaround you might want to use batch mode with the omhttp action so rsyslog sends bigger batches of data and doesn't waste as much bandwidth for http headers, tls negotiation and tcp handshake. omhttp can handle batches of decent sizes (like 256 or more) quite well.  ... View more

And Edge Processor is included in on-prem Splunk Enterprise from version 10.0 so no EP in 9.3 ... View more

What do you actually want to change colour of? A column? I suppose it is a row but you keep repeating "column" as if it was no mistake. ... View more

+1 on Rich's advice as to firstly check _why_ you're getting skipped searches. The most typical causes are: 1) Too little processing power and your hardware cannot handle all those searches you're throwing at it 2) Too many searches being spawned at the same time 3) Ineffectively written searches 4) Any combination of the three above. Switching to continuous scheduling can help in some cases but if your environment is constatntly overstressed you'll end up with searches getting run with more and more lag. ... View more

No. Please don't mislead others. _indextime has nothing to do with data retention. Period. Retention (and freezing order) is based on most recent event's _time in a bucket because data is managed on a per-bucket basis. But this recency is based only on _time, not on _indextime. ... View more

I'm sorry but has anyone of your "vulnerability management" team actually read the description of this "finding"? Has anyone bothered to ask what this is about and is there even a remote chance that the "vulnerable" functionality is used anywhere in your Splunk environment? Hey, has anyone bothered to even verify the finding instead of relying on the banner and assuming the library didn't get a backported fix? (relatively unprobable but still possible). Or is it just "oh, something's not green, let's make it all green!" approach? ... View more

I wouldn't expect the OP to answer, provided the question is 5 years old and OP's last activity was 3 years ago. Having said that - conf files are compared against the corresponding spec files. Somthe thing to do first is verify the presence and contents of those. ... View more