Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About marcusmartin
marcusmartin
Path Finder
Member since:
04-04-2011
02-22-2021
Community Statistics
| Posts | 19 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 2 |
| Member Since | 04-04-2011 |
Activity Feed
- Posted User Account Audit First and and last logoff events for a 3 month period. on IT Operations Discussions. 02-22-2021 01:49 AM
- Tagged User Account Audit First and and last logoff events for a 3 month period. on IT Operations Discussions. 02-22-2021 01:49 AM
- Karma Re: Help filter out unwanted data from indexing using nullqueue Please for scelikok. 02-12-2021 07:23 AM
- Posted Re: Help filter out unwanted data from indexing using nullqueue Please on Getting Data In. 02-12-2021 07:22 AM
- Posted Re: Help filter out unwanted data from indexing using nullqueue Please on Getting Data In. 02-12-2021 04:08 AM
- Posted Re: Help filter out unwanted data from indexing using nullqueue Please on Getting Data In. 02-12-2021 04:06 AM
- Posted Re: Help filter out unwanted data from indexing using nullqueue Please on Getting Data In. 02-12-2021 02:52 AM
- Karma Re: Help filter out unwanted data from indexing using nullqueue Please for scelikok. 02-12-2021 02:51 AM
- Posted Help filter out unwanted data from indexing using nullqueue Please on Getting Data In. 02-12-2021 01:00 AM
- Karma Re: Deployed Apps Question for gcusello. 11-06-2020 01:55 AM
- Posted Deployed Apps Question on All Apps and Add-ons. 11-05-2020 11:34 PM
- Posted Re: Windows infrastucture App to Much DATA! on All Apps and Add-ons. 11-02-2020 12:20 AM
- Posted Windows infrastucture App to Much DATA! on All Apps and Add-ons. 11-02-2020 12:19 AM
- Tagged Windows infrastucture App to Much DATA! on All Apps and Add-ons. 11-02-2020 12:19 AM
- Posted Re: Splunk App for Windows Infrastructure, Guided setup problems on All Apps and Add-ons. 11-02-2020 12:13 AM
- Karma Re: Splunk App for Windows Infrastructure, Guided setup problems for richgalloway. 11-02-2020 12:12 AM
- Karma Re: Splunk App for Windows Infrastructure, Guided setup problems for dangeloma. 11-02-2020 12:12 AM
- Got Karma for Re: Splunk App for Windows Infrastructure, Guided setup problems. 10-30-2020 06:38 AM
- Posted Re: Splunk App for Windows Infrastructure, Guided setup problems on All Apps and Add-ons. 10-30-2020 06:27 AM
- Posted Re: Splunk App for Windows Infrastructure, Guided setup problems on All Apps and Add-ons. 10-30-2020 06:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-12-2021
07:22 AM
blacklist5 = $XmlRegex="NT AUTHORITY\\SYSTEM" I used this in the end as i really wasnt bothered what event id it came from im not intrested in events from that particular system account. Seems to be working and yes you are right i just learned today that you have to escape any \ and put \\ for the regex to handle it. thanks again for your time its very much appreciated. Cuppa coffee to you. Regards
... View more
02-12-2021
04:08 AM
blacklist2 = $XmlRegex="<EventID>4634<\/EventID>.*<Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM" I just tried this but im thick when it comes to regex
... View more
02-12-2021
04:06 AM
Could I be a real pain How would you block TargetUserSid '> NT AUTHORITY \ SYSTEM using regex?
... View more
02-12-2021
02:52 AM
Perfect response, thankyou so much i would never have figured it out im sure. much respect.
... View more
02-12-2021
01:00 AM
Hi if someone could please help that would be great, I have events showing up in the indexer that are pushing me over my license, alot of it is useless to me information and i have been trying to wrap my head around filtering it out using regex but i just cant get my head around it. Below is a typical event i would like to rid my indexer of, i cant just block all the events with 4634 as some of them are valid, but i would like to block all events where the "Targetusersid" is similar to DOMAIN\ABC-12345$ Can anyone help < Event xmlns= ' http://schemas.microsoft.com/win/2004/08/events/event '>< System >< Provider Name= ' Microsoft-Windows-Security-Auditing ' Guid= '{ 54849625-5478-4994-A5BA-3E3B0328C30D }' / >< EventID > 4634 < /EventID >< Version > 0 < /Version >< Level > 0 < /Level >< Task > 12545 < /Task >< Opcode > 0 < /Opcode >< Keywords > 0x8020000000000000 < /Keywords >< TimeCreated SystemTime= ' 2021-02-12T08:24:29.977950700Z ' / >< EventRecordID > 314243098 < /EventRecordID >< Correlation/ >< Execution ProcessID= ' 852 ' ThreadID= ' 12388 ' / >< Channel > Security < /Channel >< Computer >domaincontoller.domainname < /Computer >< Security/ >< /System >< EventData >< Data Name= ' TargetUserSid '> DomainName\machine-name$ < /Data >< Data Name= ' TargetUserName '>Machine-Name $ < /Data >< Data Name= ' TargetDomainName '> DomainName < /Data >< Data Name= ' TargetLogonId '> 0x22b9251d < /Data >< Data Name= ' LogonType '> 3 < /Data >< /EventData >< /Event> Props.conf [XmlWinEventLog:Security] TRANSFORMS-xml = xmlnull REGEX=(?m)^EventCode="(4662|566)" Message="Object Type:(?!\s*groupPolicyContainer)" REGEX=(?m)^EventCode="(4656|4670|4663|4703|4658|4688)" Message="Account Name:(\W+\w+$)" REGEX=(?m)^EventCode="(4688|4689)" Message="%SplunkUniversalForwarder%" REGEX=(?m)^EventCode="6278" Message="Network Policy Server granted full access to a user because the host met the defined health policy." REGEX=(?m)^EventCode="(4624|4634|4627|4648)" Message="Account\sName:.*[\S\s]*Account\sName:\s+[\S+]+[\$]" Transforms.conf [xmlnull] REGEX= NO idea 😞 DEST_KEY = queue FORMAT = nullQueue
... View more
Labels
- Labels:
-
props.conf
-
transforms.conf
11-05-2020
11:34 PM
Can someone tell me if when you change settings on a deployed app in your deployment server if the changes are propogated to the servers the app is deployed on or is there another step needed.
... View more
Labels
- Labels:
-
configuration
11-02-2020
12:20 AM
We only have a 7GB license so as you can imagin in 2 days we wont be able to search as the hard limit will have been hit
... View more
11-02-2020
12:19 AM
Good Morning, after finally getting the Windows infrastructure app to produce information i now have a new issue and that is that it is ingesting far to much data so much so that it is going over my license. Over the weekend it ingested quite a bit and i need to get it trimmed down quick smart. Before we only used to monitor logon and logoffs and some group policy changes. Does anyone have a trimmed down to bare bones input.conf for the app please. i went through it and disabled what i dont want but im not sure its working. also i read somewhere that this app doesnt need to be on all the domain controllers, is that right?
... View more
- Tags:
- config
Labels
- Labels:
-
configuration
11-02-2020
12:13 AM
Hi Good News, i have with your help got this fixed, had to creat the msad index as it did not exist. also i noticed in the inputs file that i hadnt enabled some settings.
... View more
10-30-2020
06:27 AM
1 Karma
So I went back and re read that link and noticed i hadnt changed the mode to single. I did that and now at least most of them seem to be coming through, the sourcetypes are there now. the MSAD one is the one i created the index for which i am now about to delete.
... View more
10-30-2020
06:11 AM
thanks i had created one of the indexes to see if that solved the issue but it hasnt i will create the others and see if that works
... View more
10-30-2020
06:09 AM
apologies for my lack of understanding of this product i can never seem to get a handle on how it works. i typed sourcetypes in the seach and the only matching terms are these
... View more
10-30-2020
06:06 AM
I am ingesting data from all my domain controllers, it was setup to get logons and logoffs and all group changes, i can see the data. I created the index MSAD but unfortunately no dice. I also copied the inputs.conf file into the local directory on the DC that i have the app deployed to.
... View more
10-30-2020
05:18 AM
Hi, banging my head against a wall with this, some background, Basically i have had to recreate a new indexer search head which is standalone to the version 8, i have managed to import the old data in after some head scratching. I want to use the splunk app for windows infrastructure but when going through the guided setup i get this All prereqs were passed I have followed the guide and deployed the Splunk_TA_Windows app to one of my DC's On further investigation and after restarting the splunk services i noticed all the indexes it is trying to search in the guided setup dont exist. Im obviously out of my depth with this and am going around in circles have what have i missed? Any help appreciated because im stumped. Regards M
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
10-01-2018
05:39 AM
Oooooooh I was so close, I had all the words just in the wrong order 🙂 thanks so much. Just need to truncate it now
... View more
10-01-2018
02:37 AM
I have this search which shows the total of bytes coming in for a particular time period. Can someone tell me how to change the search so i can have the value changed to MB? I understand i should maybe be using the eval function but, try as i might, i can't seem to get the output i want.
sourcetype="microsoft:forefront:tmg:proxy" | stats Sum(sc_bytes)
... View more
- Tags:
- search
