×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Araton71
Loves-to-Learn
Member since: ‎06-06-2023
‎05-07-2025
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-06-2023
View All

Re: Blacklisting specific events on Universal Forw...

by in Getting Data In
‎08-30-2024 03:17 AM
‎08-30-2024 03:17 AM
I used [WinEventLog://Security] checkpointInterval = 5 current_only = 0 disabled = 0 blacklist1 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)" start_from = oldest but it stops all 4688,  like not process other information ... View more

Re: Error while adding new license : failed to par...

by in Installation
‎07-11-2023 12:14 AM
‎07-11-2023 12:14 AM
I've the same error When we generated NFR , it's impossible to modify expiration date, and now we can't generate a new one Already opened a support case ... View more

Re: Analytic Story: Domain Account Discovery With ...

by in Splunk Enterprise Security
‎06-07-2023 01:01 AM
‎06-07-2023 01:01 AM
Datamodel Endpoint has data inside, but it seems that only from security logs not from sysmon. How can implement? ... View more

Analytic Story: Domain Account Discovery With Net ...

by in Splunk Enterprise Security
‎06-06-2023 06:20 AM
‎06-06-2023 06:20 AM
I'm a newbe and I try to configure Security Essential to search "net user /DOMAIN"  discovery on my  AD server. I've installed an UniversalForwarder into AD with sysmon and configured input.conf with following entries [WinEventLog://Security] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest   [WinEventLog://Microsoft-Windows-Sysmon/Operational] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest If I run a simple search using index=* "net.exe" AND " user*" AND "*/do*"  I get result from source WinEventLog:Microsoft-Windows-Sysmon/Operational while If I use Analytic Story: Domain Account Discovery With Net App  that use datamodel Endpoint, no events returned. It seems that event in data model are only from source WinEventLog:Security What I miss ? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-07-2025 03:43 AM