Activity Feed
- Posted Re: Comparing Results from two separate searches? on Splunk Search. 11-01-2021 11:32 AM
- Karma Re: Comparing Results from two separate searches? for tread_splunk. 11-01-2021 11:31 AM
- Posted Re: Comparing Results from two separate searches? on Splunk Search. 11-01-2021 09:33 AM
- Posted Comparing Results from two separate searches? on Splunk Search. 10-28-2021 03:24 PM
- Karma Re: Splunk Cloud - Deploying a Heavy Forwarder for richgalloway. 09-23-2021 02:00 PM
- Posted Re: Splunk Cloud - Deploying a Heavy Forwarder on Splunk Cloud Platform. 09-23-2021 08:40 AM
- Posted Splunk Cloud - Deploying a Heavy Forwarder on Splunk Cloud Platform. 09-22-2021 10:52 AM
- Tagged Splunk Cloud - Deploying a Heavy Forwarder on Splunk Cloud Platform. 09-22-2021 10:52 AM
Topics I've Started
11-01-2021
11:32 AM
Thank you, this appears to work well also. It seems to be a little less efficient, but still gets the job done.
11-01-2021
09:33 AM
Thank you, this works like a charm. I see the logic, essentially just checking to see if a particular domain exists in both indexes (Threat_Intelligence and DNS), which would indicate a hit.
10-28-2021
03:24 PM
Greetings, I'm looking to craft a correlation that allows me to compare the results between two separate searches. Here's the use case: I have 2 indexes, one containing Threat Intelligence data (including domain names, to be specific for this case), while the other index holds all DNS requests. I'm looking to craft a Splunk correlation that reads each domain within the DNS requests, then compares each of those domains to the Threat Intelligence data and sees if there are any matches. For instance, maybe something along the lines of the logic below: `index=Threat_Intelligence | table DomainName | where DomainName IN [search index=DNS | table RequestedDomain]` FYI: The latest Threat Intelligence feeds are pulled every single morning and are updated within Splunk. I thought about using lookup tables or KV Store lookups, but we're pulling in several files each morning, 2 of which are close to 1GB in size. It looks like Splunk Cloud caps the event limit of these lookups to 10,000 events by default, and I've read to be cautious about increasing this limit.
Labels: subsearch
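One way to express the correlation asked about above, as an added example that is not from the original thread or from any reply shown here: a single search over both indexes that groups by domain with `stats` and keeps only domains seen in both. Because it runs as one search rather than a subsearch, it is not subject to the subsearch result cap, which matters with multi-hundred-megabyte feeds. The index names and the fields `DomainName` and `RequestedDomain` are taken from the question; the per-index time windows (one day of DNS against the last two days of intel) and the lower-casing/trailing-dot normalisation of the domain are assumptions.

```spl
(index=DNS earliest=-24h RequestedDomain=*)
    OR (index=Threat_Intelligence earliest=-2d DomainName=*)
| eval domain=lower(rtrim(coalesce(RequestedDomain, DomainName), "."))
| stats dc(index) AS index_count,
        count(RequestedDomain) AS dns_requests,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY domain
| where index_count=2
| convert ctime(first_seen) ctime(last_seen)
| table domain, dns_requests, first_seen, last_seen
```

`coalesce` picks whichever domain field the event carries, so both sources land in one `domain` field; `dc(index)` then counts how many indexes contributed events for that domain, and `index_count=2` is the "hit" condition described in the replies above. `count(RequestedDomain)` only counts events that have that field, so `dns_requests` is the number of DNS lookups for the matched domain, while `first_seen`/`last_seen` span events from both indexes. Separate `earliest` values per clause keep the intel window wide enough to cover the morning refresh without widening the DNS window.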
09-23-2021
08:40 AM
So to be clear, it's not an additional paid license to deploy a Heavy Forwarder, but we still have to contact Splunk Support to get another license for the Heavy Forwarder so that it doesn't revert back to a free license after 30 days? In other words, it doesn't cost any more? Truthfully, I'll probably continue with the current setup of using a Universal Forwarder to push data along to Splunk Cloud and upload my packaged apps there when custom field extractions and that stuff are needed. I'm asking now for the sake of clarity. I run a test/dev Splunk instance via the Splunk docker image for testing and building custom apps. I'll use the "Splunk Add-on Builder" app to build and package custom apps for installation in Splunk Cloud where necessary.
09-22-2021
10:52 AM
Greetings, At my current company, we're using Splunk Cloud and I'm looking to deploy a new Heavy Forwarder to forward data along to the Cloud instance. The question is, what's the appropriate way to do this? From Splunk Cloud, I downloaded the Universal Forwarder package from "Apps > Universal Forwarder". I also downloaded the Credential package from there as well. Both have been installed on an internal host (which is intended to be the Heavy Forwarder) and I'm now forwarding data over to Splunk as expected. The only issue is that Splunk is picking it up as a Universal Forwarder when looking at the Cloud Monitoring Console (which makes sense, given that I installed the Universal Forwarder package). But what I'm really looking to do is deploy a Heavy Forwarder. From what I've read thus far, it looks like I have to install a full Splunk Enterprise instance on the internal host and enable forwarding on it to make it a Heavy Forwarder. How would I best be able to do this, and would I need an additional License to do so? I'd like to manage the .conf files on the forwarder and create custom field extractions and all that good stuff from the host directly, rather than doing that through the Splunk Cloud UI. Looking for some additional insight. Thank you in advance!
Labels: Splunk Investigate