Hi, I also working on similar integration, and I have a question regarding CIM Normalization. There is a existing CyberArk addon available for On prem CyberArk CEF format logs. However, using this CyberArk Audit addon we will receive logs in JSON and I don't see any Splunk addon can help with normalization. Can you please tell me how did you manage to parse the logs? ... View more

Hi @Paaattt , Recently I have onboarded the Kiteworks logs using inbuilt Kiteworks syslog mechanism to forward the logs to Syslog server. There is no option to select the log category, it will just send all the logs to Syslog server. So, my question is how can we make those logs CIM compliant and map it o Splunk data models. Currently there is only one single App(Kiteworks CISO dashboard app) is available and it doesn't contain any props.conf for log extractions.  How did you manage those logs to map it to Splunk data models? could you please help here? ... View more

Hi , If you are sending logs from On prem Panorama consoles to Splunk and using Palo Alto addon. The logs will go to pan:traffic . However, if you are sending logs from Strata console via HEC the logs will be in Json format and the right sourcetype to use is pan:firewall_cloud.  ... View more

Hi, To resolve the issue find the HF in your environment then Go to the Splunk Web home screen. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner. Click on the Input tab. And there will be a enable and disable option . First disable the inputs and enable it back again.  There is nothing to do with the https://splunkbase.splunk.com/app/1739  Splunk app. The log collection will be happen with the help of addon. ... View more

If you are collecting logs from O365 app. Then try disable the inputs  and enable it back again in HF.  ... View more

Hi @VijaySrrie , I have given a sample config below. You can try like that. props.conf [mentionsourcetype] TRANSFORMS-acctmasking = mask-acctcode Transforms.conf [mask-acctcode] REGEX = (.*DetectedValues{}.Value=\d+).* DEST_KEY = _raw FORMAT = $1-XXXX ... View more

The config only helps to process multiple events at a time and send logs in a real time without much delay. If any use cases are configured to monitor those events . Then you can monitor the logs in real time. ... View more

Hi @PickleRick , In order to process the events faster you can try increasing the pipeline in the UF. But this will consume more resources from the UF server end. cd %SPLUNK_HOME%\etc\system\local [general] parallelIngestionPipelines = 2 https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Configureaforwardertohandlemultiplepipelinesets     ... View more

Hi @Prakash23, You can remove the data from summary index using delete command. Add the | delete command to the end of the search string and run it again - for example: index=summary "exception message logs" | delete Note: To use a delete command you should have a additional capability to your role like "can_delete" . The delete command will not remove data from the index. But the data is not searchable. Instead Identify the reports which are sending duplicate logs to summary index. And use the dedup command to control it. If this answer helps you then upvote it. ... View more

Hi @johan, I have observed few things after installing and testing the Splunk Add-on for BMC Remedy with ITSI. Below is the list of my findings.​ ​The TA can be installed and used for Ticket creation and all the functionalities are working fine. The Assignee group will be taken by default by the Splunk TA. No control over the assignee group.​ It is because the Splunk TA WSDL Action(parameter) is using as PROCESS_EVENT for ticket creation. Whereas it supposed to be used Action as CREAT_INCIDENT for ticket creation.​ The CI information is not processing by TA correctly. So, we can't control the Assignee group.​ In order to proceed, you need to create the Custom Addon by using Splunk Add-on builder. Create a Separate WSDL and username and password in order to access Remedy. And develop a script to Pass the payload in XML format to remedy. Before passing the payload test the payload in the SOAP UI.   ... View more

Hi @Noorzai , There is no other way to download ITSI. Try contacting the sales option. ... View more

Hi @Azeemering , In the new Azure Addon version, the interface and settings have been changed. So if you are trying with the old local config like Passwords.conf&ta_ms_aad_settings.conf it will not work in the new version. Try to do a fresh config and erase all the old configs. ... View more

Hi @Marius732 ,   It is not a Splunk error it is your script error it is saying the Pycurl module unable to identify the curl attribute.  c = pycurl.Curl() AttributeError: module 'pycurl' has no attribute 'Curl' ... View more

HI @Marius732 , Try to create one Add-on for the custom alert action. And download the pycurl module package and place it inside the Addon. <Addon name>/bin/<Addon Name>/Place the pycurl module package  here And place the custom Alert action script inside  <Addon name>/bin/custom_alert_script.py and see if it works or not.   ... View more

yes.. ... View more

Hi @morethanyell , Try to give the full permissions to the script file and restart. And check the output. ... View more

Hi @anandhalagaras1 ,   What was your previous Splunk version? ... View more

Hi @anandhalagaras1 , Yes remove the Splunkforwarder package and keep only the Splunk package. In Linux, any Splunk command should run with (./) as a prefix. Whereas in windows you can run the Splunk commands without  (./) as a prefix. ... View more

Hi @Noorzai , Since ITSI is a premium app the download option will not be available for everyone. If your company buys the ITSI premium app then you can request Splunk to provide access for downloading the package. Then download option will be available to you. ... View more