Activity Feed
- Posted Re: unable to access the webUI, and im getting this error in my splunkd.log..anyone know how to fix this? on Security. 07-04-2024 11:05 AM
- Posted Re: Azure Event Hub and Add-on for Microsoft Cloud Services Configuration Issues on Getting Data In. 04-05-2024 09:01 AM
- Posted Re: Reporting on Azure Security Group Membership Additions on All Apps and Add-ons. 03-19-2024 01:59 PM
- Posted Reporting on Azure Security Group Membership Additions on All Apps and Add-ons. 03-14-2024 10:31 AM
- Posted Re: Azure Event Hub and Add-on for Microsoft Cloud Services Configuration Issues on Getting Data In. 03-08-2024 10:09 AM
- Posted Azure Event Hub and Add-on for Microsoft Cloud Services Configuration Issues on Getting Data In. 03-08-2024 08:30 AM
- Posted Re: Microsoft Cloud Services post app upgrade for 8.0 no longer collecting logs on All Apps and Add-ons. 03-06-2024 10:06 AM
- Posted Re: Windows Security Logs not forwarding to Splunk Cloud on Getting Data In. 02-09-2024 10:58 AM
- Posted Windows Security Logs not forwarding to Splunk Cloud on Getting Data In. 02-08-2024 11:27 AM
- Posted Re: How to remove ::ffff: from the windows events logs at indexing time and in Search? on Getting Data In. 01-16-2024 07:29 AM
07-04-2024
11:05 AM
Thanks so much. This 10 year old post helped me resolve my issue!
06-15-2024
01:21 PM
This removes null and uid from the target group.
````spl
| search operationName="Add member to group"
| stats count by "properties.initiatedBy.user.userPrincipalName", "properties.targetResources{}.userPrincipalName", "properties.targetResources{}.modifiedProperties{}.newValue", operationName, _time
``` removes uid ```
| regex properties.targetResources{}.modifiedProperties{}.newValue!=".{8}-.{4}-.{4}-.{4}-.{12}"
``` removes null value ```
| search NOT properties.targetResources{}.modifiedProperties{}.newValue="null"
| rename "properties.initiatedBy.user.userPrincipalName" as initiated_user, "properties.targetResources{}.userPrincipalName" as target_user, "properties.targetResources{}.modifiedProperties{}.newValue" as group_name
| eval group = replace(group_name, "\"", "")
| eval initiated_user = lower(initiated_user), target_user = lower(target_user)
````
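The same filtering logic as the search above, as an added example that is not part of the original post, in Python over constructed sample events: the field shape follows the Azure AD audit fields the search references, and the UPNs, group name and object id are made up.

```python
import re

# GUID-shaped value (the group's object id); the SPL `regex ... !=` clause drops these rows.
GUID_RE = re.compile(r".{8}-.{4}-.{4}-.{4}-.{12}")

# Constructed sample events shaped like Azure AD audit logs; only the fields the
# original search references are present, and every value is made up.
SAMPLE_EVENTS = [
    {
        "operationName": "Add member to group",
        "properties": {
            "initiatedBy": {"user": {"userPrincipalName": "Admin@Example.com"}},
            "targetResources": [{
                "userPrincipalName": "Jane.Doe@Example.com",
                "modifiedProperties": [
                    {"displayName": "Group.ObjectID",
                     "newValue": "\"00000000-0000-0000-0000-000000000001\""},
                    {"displayName": "Group.DisplayName", "newValue": "\"SG-Finance-Admins\""},
                    {"displayName": "Group.WellKnownObjectName", "newValue": "null"},
                ],
            }],
        },
    },
    # A removal is not an addition; the operationName filter drops it.
    {"operationName": "Remove member from group", "properties": {
        "initiatedBy": {"user": {"userPrincipalName": "Admin@Example.com"}},
        "targetResources": [{"userPrincipalName": "Jane.Doe@Example.com",
                             "modifiedProperties": [{"newValue": "\"SG-Finance-Admins\""}]}]}},
]


def group_membership_additions(events):
    """One row per modifiedProperties value (as `stats by` on a multivalue field
    does): keep additions only, drop GUID and null values, strip the JSON quotes
    from the group name, and lower-case both UPNs."""
    rows = []
    for ev in events:
        if ev.get("operationName") != "Add member to group":
            continue
        props = ev["properties"]
        initiated_user = props["initiatedBy"]["user"]["userPrincipalName"].lower()
        for target in props.get("targetResources", []):
            target_user = target.get("userPrincipalName", "").lower()
            for mp in target.get("modifiedProperties", []):
                value = mp.get("newValue")
                if value is None or value == "null" or GUID_RE.search(value):
                    continue
                rows.append((initiated_user, target_user, value.replace('"', "")))
    return rows
```

Each returned tuple is one row of the search output (initiated_user, target_user, group); counting them per group is the `stats count` step.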
04-05-2024
09:01 AM
The issue has been resolved. Turned out I fat-fingered the entry in the Azure Event Hub Input configuration for the 'Event Hub Name'; once that was corrected, all errors have been resolved and data is ingesting as expected.
03-06-2024
10:06 AM
Curious, did you ever find a fix for this?
02-10-2024
01:01 AM
If everything else works OK (other logs are ingested properly), it seems to be a local permissions problem. You can try to check the _internal events from this forwarder but I don't remember if the eventlog access problems show up in the logs if you don't raise debugging levels.
01-16-2024
07:29 AM
What do you mean by the Indexer tier? Where would that be located in the file structure on a Windows syslog server?