Let me interject here, @iamsahilshaiks  For regex-based whitelisting it's not as simple as just puting the regex on its own. See https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_allow_list_and_deny_list_formats - you have to 1. Provide a key which will be matched against the regex 2. Enclose the regex in delimiters of your choice. So your example of whitelist = (?m)^4624$|^4625$ is completely wrong. Additionally, if you're exporting events as XML (which is currently the preferred way because traditional format tends to have some problems with parsing), you use XmlRegex key for filtering. splunk list monitor only list - as the name says - monitor type inputs which read files from the disk. Windows event log sources are not of monitor type. Last time I checked, grep was neither a standard CMD-usable tool nor a standard powershell cmdlet. And Windows doesn't use the $ notation for environment variables. As far as I remember, the events from Security log are not recast to another sourcetype. And actually your input stanza matches the "old way" of ingesting windows logs, which hasn't been used for several years now. Currently, the sourcetype for all windows logs should be WinEventlog or XmlWinEventlog depending on whether you're rendering them to XML or not. It's the source field which specifies the point of origin.   ... View more

Since you apparently did a local connectivity test and it succeeded, there must be something external to Splunk itself preventing you from connecting. Your iptables rules seem to not be interfering (you don't have port 8000 explicitly open but the general policy is ACCEPT). So it points to something network-related. Routing? Filtering on some intermediate device? It's something best solved with your local admin staff since it doesn't seem to be related to Splunk as such. ... View more

You could try something like this | eval _raw=body | multikv forceheader=1 Although you may need to rename the fields afterwards ... View more

1. This is not your whole event since you're doing spath to get it. 2. Don't search for "*tanium*". Wildcards at the beginning of search term will make Splunk read all raw events. 3. We don't know your data. How can we know why your results are "wrong"? Maybe some of your extractions don't work and you get nulls. Dedups or mvzips on them will yield null results. 4. There are two typical ways of debugging SPL searches. One is to start from the start and add commands until their results stop making sense. Another is to start from the end and remove commands untill the results start making sense. ... View more

Thanks for sharing useful link but unfortunately after adding the CA-CERT Chain to the below two locations and restarting the splunk still i am receiving the same error. 1) /opt/splunk/lib/python3.7/site-packages/certifi And 2) /etc/apps/<APP_FOLDER>/lib/certify   Any further suggestions please? ... View more

https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsoverview/ https://docs.splunk.com/Documentation/Splunk/latest/Data/Getdatafromscriptedinputs Writing a custom script would be of course up to you. Monitoring an intermediate file is just normal file ingestion so nothing extraordinary. ... View more

I suspect the issue lies with the line: | lookup EventCodes EventCode,LogName OUTPUTNEW desc I assume this is intended to use a lookup definition called EventCodes. Could you try using inputlookup on EventCodes in a separate search and see which, if any, columns appear? | inputlookup EventCodes If there are no results, then either EventCodes does not exist as a lookup definition or you have no permissions to view it. If there are columns but there are none called "EventCode","LogName" or "dest", then you'll need to adjust those column names in the lookup command. ... View more

I tried the given props.conf but no luck 😞 The events are not breaking after BREAK  Any suggestion further would be appreaciated . Thanks ... View more