@MdSantana, Could you try manually creating the suppression rule by adding it to your Splunk configuration's transforms.conf file? ... View more

There does not appear to be a way to enable SSL certificate validation @mkorn. One workaround I recommend is to use a proxy server that validates certificates and forwards traffic to the target endpoint. ... View more

Hi @MdSantana  Using the "!" character in the search expression could be the source of the problem with the search query. In Splunk, the "!" character is used to negate a search term, so "!exec: enable" would match events where the value of the "command" field does not contain the string "exec: enable". You could try escaping the "!" character by adding a backslash in front of it, as shown below: | from datamodel:"Change"."Network_Changes" | search dvc="17x.xx.x.*" command="\!exec: enable" If this does not solve the problem, try replacing the "!" character with the "!" sequence, as shown below: | from datamodel:"Change"."Network_Changes" | search dvc="17x.xx.x.*" command="\\!exec: enable" ... View more

Great question @MdSantana  You can effectively whitelist events in Splunk, such as excessive failed logins and unusual new processes, by using the following methods: Suppression rules: To suppress these events, create a suppression rule in Splunk. Whitelist of source IP addresses: For these events, you can create a whitelist of source IP addresses. Use of "ignore" or "exclusion" lists: For these events, you can create an ignore or exclusion list. Use of event types: These events can be assigned specific event types. It should be noted that these methods should be used with caution, as they can also conceal legitimate security events. I recommend reading the Splunk documentation for more information on suppression rules, whitelist, ignore or exclusion lists, and event types: Suppression Rules: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Suppressionrules Whitelist: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Whitelist Ignore or Exclusion Lists: https://docs.splunk.com/Documentation/ES/6.3.0/admin/Ignorelist Event Types: https://docs.splunk.com/Documentation/Splunk/7.3.3/Search/Abouteventtypes Let me know if you need help developing commands. ... View more

Interesting question, @aikn061, I read the document you hyperlinked in your post and did some further poking myself. Have you tried directly calling the Windows event log APIs from a script and sending the logs to Splunk via the HTTP Event Collector (HEC)? If not, here are the additional articles I looked at: Microsoft provides documentation on how to use the Windows Event Log API in the Microsoft Developer Network (MSDN) Library  Splunk provides a guide on how to forward Windows event logs to Splunk using the Windows Event Log API  Splunk provides official documentation on how to use the HTTP Event Collector in Splunk Let me know how you get on; I'd love to hear your thoughts. ... View more

In that case, @HemanthShekar, you must modify your Splunk search query to return the results as a single JSON object. Use the stats command to aggregate the results and return them as a single JSON object in your search query. Here's an example: GET /services/search/jobs/export?output_mode=json&search=search+index%3D*+earliest%3D-24h%40h+latest%3Dnow+|+stats+values(status_code)+by+status_code&count=1000 This will return the count of each status code value as a single JSON object, which your Java middleware can quickly parse. You can modify the search query to meet your specific needs. ... View more

To specify the response format, use the output mode parameter in your REST API call. When you set it to "JSON," the response is returned as a single JSON object that can be easily parsed. Here's an illustration: https://<host>:<port>/services/search/jobs/export?output_mode=json&search=<search query> Replace host> and port> with the values for your Splunk instance, and search query> with your desired search query. ... View more

The 1603 error code during an automatic Splunk Universal Forwarder installation is most likely caused by a failure in the SetAllUsers custom action. This could be due to a variety of factors, including, but not limited to, insufficient permissions, an earlier version of Splunk installed, or an issue with the installation package. You can try the following steps to resolve this issue: Check that the user account used for the automatic installation has adequate permissions. Uninstall any previous Splunk installations. Use a fresh installation package or download a new one from the Splunk website. If the problem persists, collect the MSI logs for further investigation. The logs can assist in determining the exact cause of the error and provide additional information for troubleshooting. The Splunk documentation contains information about the 1603 error. The official documentation can be found here: https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/TroubleshoottheSplunkforwarderinstallation    ... View more