Hi All,   Just wanted to know we have splunk ES and we use servicenow to triggered alert now my question is if there are few alert which I want to give Priority as P2 how can I do it in splunk as splunk by default priority is P3.    ... View more

Hi All,   Trust all is good on your end!! Recently moved to Splunk Mission Control and today I stumble upon one issue. There was few incident I works on 13th and on the same day itself I acknowledged & closed those incidents, now today I checked that incident ID and I found some are “in progress” or “new” state and the last updated day is showings today.s date I'm not getting how to fix this issue why there is some discrepancy.  Can someone please assist me to address this issue.    Thanks Debjit  ... View more

Hi All,    I wanted to onboard new device in Spunk which is sangfor firewall my question is how can I onboard it so that it also became a CIM compliant   My basic understand is    Team will configure syslog to sent logs to our syslog  From syslog -> UF -> IDX -> SH    I believe in idx I need to define the input.conf file for new FW now my question is does sangfor has any add-on (like paloalto which curve the data itself in proper name tag everything) if it has Can anyone please help me with the link and where I need to install this addon in search head or idx or UF to make my data CIM compliant.   Thanks ... View more

Hi All,    Need little help I need to find EPS/GB of my existing data.  How to find out that data do we have any SPL for this or how it this.   Thanks    ... View more

Hello All,    Hope you are doing good..   1. Can anyone please let me know what is the most stable version of Splunk is present 2. I have upgraded my splunk to the 9.0.2 version is this version stable as of now?  It would be great if anyone has any documents which will clear the doubts as of now I'm not getting any doc as such    Thanks        ... View more

Hi , After onboarding trendmicro XDR we are facing few issue.  1. Getting logs in JSON format  2. Data is not pursed.    Queries 1.Can you please help us out how to convert the data from JSON format to raw logs  2. How to purse the data not getting any add on.   Note: attaching snap  We are getting data and in below there is an option as show as raw text when we are clicking on it is coming in same line. Kindly help us out how to solve this issue   Thanks Debjit ... View more

Hi @gcusell, I have 2 double   1. How can I drop a source IP 10.0.0.0/24 subnet at indexer, I am aware of dropping a host at the indexer level but not this. 2. I'm getting duplicate data I.e. Duplicate data is being indexed. My query is how can know from which host the data is duplicate so that I can offboard those devices..    Kindly guide me for the above 2 solution.   Thanks Debjit ... View more

Hi All, Hope you are doing good!!  Basically we want to integrate trend micro vision one solution in our splunk. So before doing it I just wants to verify myself whether I know correct or not.   1. We need to install vision one application from splunk base. 2. After installation the app we need open that app and then click on configuration. 3. Then need to put url n authentication token. 4. Need to choose the log file type Then we will start receiving the data? Kindly let me know if my understanding is correct or not..   If my above understand is correct I want to know 1 things  How to create UC because we are using some 3D party software to onboard data now how we can write query and all, sorry im sounding armature but this is my first time..    Thanks Debjit   ... View more

Hi  hope you are doing good. im working on a use case which will trigger if any user is trying to connect from non business country.  attaching the snap for the query. my query  want to optimize it more if one user is trying is log in from more than 2-3 country than it will trigger. can you please help me with the query    thanks  debjit    ... View more

Hi,  Hope you are doing good just have 1 doubt.. On our Splunk windows, we have onboarded the security logs, so my doubt is does security logs also help to monitor NTFS    Thanks  Debjit  ... View more

Hi, im working on new use case, but was stuck in few things.  I want to create a use case logic to monitors whenever user/IP are trying to access to log in from non authorize country.    example a use is support to log in from Berlin but he or she is log in from Chicago.  My ask 1. Is it possible from Splunk end to implement such use case 2. If yes what kind of logs we need to monitor such activity, is FW logs are enough? 3. What will be the query    thanks  ... View more

Hi  Hope you are doing good.. I'm having a small query I want to check my license warning on my splunk with date I.e. On 26th of September we received 1 license warning. I'm using the below query to get the total license warming I have on my splunk till now  | rest splunk_server=local /services/licenser/slaves | mvexpand active_pool_ids | where warning_count>0 | eval pool=active_pool_ids | join type=outer pool [rest splunk_server=local /services/licenser/pools | eval pool=title | fields pool stack_id] | eval in_violation=if(warning_count>4 OR (warning_count>2 AND stack_id=="free"),"yes","no") | fields label, title, pool, warning_count, in_violation | fields - _timediff | rename label as "Slave" title as "GUID" pool as "Pool" warning_count as "Hard Warnings" in_violation AS "In Violation?" Kindly guide me how can I get the license warning with date.   Thanks   ... View more