cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
aaron_gibby
Engager
Member since: ‎12-03-2019
‎03-31-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 53
Karma Received 0
Member Since ‎12-03-2019
Activity Feed
View All

Index Field Transform not Catching Every Event

by in Getting Data In
‎03-05-2021 01:29 PM
‎03-05-2021 01:29 PM
I'm running a simple transform to change the index from "tenable" to "tenable-dc" for one of my sourcetypes. Props.conf [tenable:sc:vuln] TRANSFORMS-~dcfilter = dcfilter Transforms.conf [dcfilter] REGEX = ([Dd][Cc]01) FORMAT = $0-dc DEST_KEY = _MetaData:Index   The problem that I'm having is that the transform is not catching every event. I have 164 events that the filter should catch, but only 156 events are indexed in the new index (tenable-dc). If I run the following search command, it catches all 164 events: index=tenable* sourcetype=tenable:sc:vuln | regex _raw = "([Dd][Cc]01)"   I can't find any similarities between the 8 "missed" events or differences between those events and the 156 "captured" events. My first thought was that the regex was wrong, but the search-time regex works.  Does anyone have any experience with index-time extractions missing events? ... View more
Labels

Re: Splunk with SAML authentication

by in Security
‎10-09-2020 10:35 AM
‎10-09-2020 10:35 AM
Is the AuthNRequest signed? For some reason, Splunk does not include the ACS URL in unsigned assertions. In your authentication.conf file, set the following attribute: [<saml-authSettings-key>] signAuthnRequest = true   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-31-2022 11:44 AM
Karma given to