×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Didalready
Explorer
Member since: ‎06-27-2024
3 weeks ago
Community Statistics
Posts 5
Solutions 1
Karma Given 1
Karma Received 0
Member Since ‎06-27-2024
Activity Feed
View All

Re: Issues with Splunk Universal Forwarder Sending...

by in Splunk Enterprise
3 weeks ago
3 weeks ago
Adding this is case someone has the issue, I upgrader to forwarder to 9.4.4, not 10 but reading this sounds the same. The forwarder ran as system before now runs as local account SplunkForwarder, SplunkForwarder is part of everyone, Our ad audit policy rules had some with everyone on read of anything. this rule caused the security log to log 100k 4662 of splunkforwarder reading an object, that looped upon itself. This caused security events not to forward at times. Reset the forwarder fixed but only for a while. My fix was to change the AD audit policy to be for domain users not everyone.  My security events now are loaded timely. To see if this is your issues look in security logs for 4662, by account running the forwarder, if  you see thousands of events in a few seconds now and then, this was how I found my issue. Below someone posted to disable lookup which works but wasn't the solution for us because we delete and recreate computer objects all day.    Hope this helps someone as it took me awhile to find our issue.  ... View more

Re: Head not stopping the search

by SplunkTrust in Splunk Search
‎12-29-2025 03:07 PM
1 Karma
‎12-29-2025 03:07 PM
1 Karma
When I use the search below, the event is 25 days ago, set search to last 30 takes 10 seconds, set to 90 days takes 23 seconds. I thought head would stop the query? Server info: Splunk 9.4.4, deleted This is a misunderstanding of how head works.  From head: The head command is a centralized streaming command. See Command types. And from that reference: A streaming command operates on each event as the event is returned by a search. In other words, each returned event will go through head, just like how piped head works in Unix.  In general, SPL does not give subsequent pipe elements control over preceding elements; they simply process results from preceding pipe, just like in Unix.   Hope this helps. ... View more

Re: extract fields

by in Splunk Search
‎06-27-2024 12:11 PM
‎06-27-2024 12:11 PM
Got working, not way a wanted but works index=1087_m365 sourcetype="o365:management:activity" authentication_service=AzureActiveDirectory "Actor{}.ID"="Azure MFA StrongAuthenticationService" |eval Device =mvindex('ModifiedProperties{}.NewValue', 0) | rex field=Device "\"DeviceName\": \"(?<DeviceName>[^\"]+)\"" | rex field=Device "\"PhoneAppVersion\": \"(?<PhoneAppVersion>[^\"]+)\"" | rex field=Device "\"DeviceToken\": \"(?<DeviceToken>[^\"]+)\"" | table user DeviceName PhoneAppVersion DeviceToken ... View more
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Karma given to
View All