Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rockb
rockb
Explorer
Member since:
05-11-2021
11-23-2022
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 05-11-2021 |
Activity Feed
- Posted Re: Cannot access Splunk from remote computes on Deployment Architecture. 11-23-2022 09:12 AM
- Posted Re: Cannot access Splunk from remote computes on Deployment Architecture. 11-15-2022 08:01 AM
- Posted Re: Cannot access Splunk from remote computes on Deployment Architecture. 11-15-2022 06:41 AM
- Posted Cannot access Splunk from remote computers? on Deployment Architecture. 11-14-2022 05:13 AM
- Karma Re: Why is Splunk not indexing? for richgalloway. 09-19-2022 11:03 AM
- Posted Re: Why is Splunk not indexing? on Getting Data In. 09-19-2022 11:02 AM
- Posted Re: Why is Splunk not indexing? on Getting Data In. 09-19-2022 09:50 AM
- Posted Why is Splunk not indexing? on Getting Data In. 09-19-2022 08:33 AM
- Posted Sort by event count on Dashboards & Visualizations. 11-18-2021 12:24 PM
- Posted Re: How to view status of indexing of evtx files in a folder on Getting Data In. 10-05-2021 12:28 PM
- Posted How to view status of indexing of evtx files in a folder on Getting Data In. 10-05-2021 11:34 AM
- Posted Number of events keeps going up on Splunk Search. 05-12-2021 10:20 AM
- Posted Re: Getting Data into Splunk on Splunk Search. 05-12-2021 10:13 AM
- Posted Re: Getting Data into Splunk on Splunk Search. 05-11-2021 08:55 AM
- Posted Getting Data into Splunk on Splunk Search. 05-11-2021 08:22 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-23-2022
09:12 AM
it is not a local firewall as I cannot access with the firewall disabled.
... View more
11-15-2022
08:01 AM
They are both plugged into the same switch (SOHO router). No intermediate firewalls.
... View more
11-15-2022
06:41 AM
Unable to connect via Telnet on 8000. I temporarily disabled the firewall and was still unable to connect via Telnet on 8000.
... View more
11-14-2022
05:13 AM
I have Splunk installed on a machine running Windows 10 that is compliant with all Windows 10 STIGs. I can access Splunk from that machine but no others. I can ping the Splunk box from other machines.
I have tried disabling the firewall but the symptoms persist.
I figure it is a setting associated with a STIG and am hoping someone here has run into this before and remembers what it is.
... View more
Labels
- Labels:
-
Windows
09-19-2022
11:02 AM
wineventlog was not found but that did get me there. The correct string is "preprocess-winevt". It is indexing now. Thank you .
... View more
09-19-2022
09:50 AM
I have done this before. I got everything set up and working then another employee took over the task. They then moved and took the computer with them. That employee recently moved to another position and UPS "lost" the computer, so I am now trying to get it set up on a new machine. I do remember when configuring the previous box I used WinEventLog somewhere in the process. I thought it was in the Source Type under operating system but all I see there now is windows_snare_syslog and that does not seem to work either.
... View more
09-19-2022
08:33 AM
I am trying to use Splunk to review windows logs that were exported from machines that are not on a network. I have copied the .evtx files to my Splunk machine.
Fresh install of Splunk 9.0.1
Below is the process I used to try to get the events indexed. I think this is the same process I have used in the past but for some reason no events are indexed.
1. Settings --> New Index 2. Enter Name for index 3. Save 4. Settings --> Data Inputs 5. Files and Directories 6. New Local File and Directory 7. Input Path of top level folder containing logs 8. Select Continuously Monitor 9. Next 10. Source Type: Automatic 11. App Context: Search and reporting 12. Select Constant Value 13. Host field name:* 14. Select Index Created in steps 1- 3 15. Review 16. Start Searching
The search results in 0 events listed. I delete everything from the search box except index="nameofindex" and still there are no events listed.
... View more
11-18-2021
12:24 PM
I have panel on a dashboard that lists events in a security log. I can list them by Event ID but I would like it listed by Event ID count so that the most frequent are at the top. If I change "count by Event" to "count by count" I get an error "The output field 'count ' cannot have the same name as a group by field." <query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event</query> How do I get it to list them in descending order by count?
... View more
Labels
- Labels:
-
panel
10-05-2021
12:28 PM
Thank you for the reply. There are 18 evtx files in a single folder. Is there a way to get status of indexing of the entire folder?
... View more
10-05-2021
11:34 AM
I am using Splunk to review logs from disconnected systems. We have the users export the evtx files and send them to us. I then put them in a folder and Splunk indexes the new files. Is there an easy way to see the indexing process? Right now I just keep hitting refresh occasionally until nothing changes.
... View more
Labels
- Labels:
-
indexer
05-12-2021
10:20 AM
I am trying to use Splunk to review windows events that have been exported from disconnected systems. I have all the exported .evtx files located in a local folder. I add that folder to the data inputs and have disabled everything else in data inputs. In the search box I have source="c:\\Events\\*". Everything looks good but if I put the curser back at the end of the search string an press enter (not changing the search string at all) the number of events goes up. I can't figure out why this is happening since the .evtx files in that folder are not changing.
... View more
Labels
- Labels:
-
other
05-12-2021
10:13 AM
I figured it out. After the process is complete the Search window has host="xxxx" and sourcetype="preprocess-winevt". If I delete host="xxxx" and sourcetype="preprocess-winevt". events are shown.
... View more
05-11-2021
08:55 AM
kamlesh, I think you are saying to make sure that I am specifying to show all events not just events in a specific time period. I did not select any time period and if I understand the interface correctly it is saying it sees no events prior to today at 10:52 There are 8198 events listed when I open the evtx file in Windows event viewer.
... View more
05-11-2021
08:22 AM
I just installed splunk and imported my license. I have a series of Windows event viewer files that have been exported that I want to import. I have tried the following: Settings --> Add Data Upload Files From My computer Select the file. It reads the file. Next Select Preprocess-winevt Next Review Submit Start Searching No events are shown. What am I doing wrong?
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-23-2022
12:33 PM
|
