Hi, I set up a Splunk lab on my Windows 10 laptop, where both the Splunk Forwarder and Splunk Server are installed on the same host. After installing the Splunk Add-on for Windows, I created an inputs.conf file in the local folder under etc/apps. ###### OS Logs ###### [WinEventLog://Application] disabled = 0 index = "windows_logs" start_from = oldest current_only = 0 checkpointInterval = 5 renderXml=0 Despite this setup, I don't see any Windows logs in Splunk. ... View more

Hi, Could you pls let me know in what scenario would we use eventstats vs stats? ... View more

Hi, I want to setup a home lab like splunk Enterprise and splunk forwarder on the same os to pull the logs into splunk. Is it possible to setup in this way.   ... View more

Hi, I want to learn the Splunk Enterprise Security from scratch could anyone pls share the links? Thanks. ... View more

Hi, I want to go through the splunk fundamentals 1 where I can get this link?   ... View more

Hi,  I need an help with my windows security logs how we can create the lateral movement use case  ... View more

Hi, Could if anyone pls share the dashboard spl for the lateral movement in this YouTube video. https://youtu.be/bCCf9q2B4BM?si=P7FoduAwS--Hkgbw Thanks  ... View more

Hi, Could anyone please help me in fine tuning this search as it is raising lot of alerts | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | rename Processes.* as * | eval firstTime = strftime(firstTime, "%F %T") | eval lastTime = strftime(lastTime, "%F %T") thanks ... View more

Hi, Could anyone pls guide me how we can detect an attacker moving laterally in the environment can be a challenge right, How we can write the correlation search is there any prerequisites  need to be followed. Thanks in advance ... View more

Hi, we had deployed cloud flare ta app on one of our sh,could anyone help me in fixing the logs parsing issue in splunk. App link splunkbase.splunk.com/app/5114 Thanks ... View more

Hi All, How we can modify the below search to get to see only the status enabled list of correlation searches which did not trigger a notable in past X days. | rest /services/saved/searches | search title="*Rule" action.notable=1 | fields title | eval has_triggered_notables = "false" | join type=outer title [ search index=notable search_name="*Rule" orig_action_name=notable | stats count by search_name | fields - count | rename search_name as title | eval has_triggered_notables = "true" ] Thanks..   ... View more

Hi all, help me extracting the field from the below two events System.Exception: Assertion violated: stream.ReadByteInto(bufferStream) == 0x03 System.Exception: An error was encountered while attempt to fetch proxy credentials for user 'xyz   system_exception=Assertion violated: stream.ReadByteInto                                      An error was encountered while attempt to fetch proxy credentials for user thanks ... View more

Hi all, In my AD computer account deletion correlation search, I use _time and subjectusername in throttling fields for grouping. Is adding _time to throttling the correct approach? Please correct me if I'm wrong. query  index=win sourcetype=XmlWinEventLog EventCode=4743 | bin _time span=5m | stats values(EventCode) as EventCode, values(signature) as EventDescription, values(TargetUserName) as deleted_computer,  dc(TargetUserName) as computeruser_count by _time SubjectUserName | where computeruser_count > 20 Time Range set to  Earliest Time 20m@m latest now cron schedule */15 * * * * Scheduling  set to Continuous Throttling  window duration 12 hours Fields to group by SubjectUserName , _time Thanks in Advance..   ... View more