Hi, We want to migrate from the ESXI VM to the Hyper-V: Our Initial approach: Fresh OS + Splunk installations on Hyper-V, then migrate Splunk configurations from the existing environment. Migrate 5 Splunk VMs: Universal Forwarder 01 Universal Forwarder 02 Heavy Forwarder 01 Cluster Master Deployment Serve what is the best practice or recommendation for that migration. ... View more

Hi Everyone, While using Syslog-NG to monitor network traffic and write it into file,  I want to ask about the Log file rotation policy: what is the best practice Hourly Or Daily? Is that affecting the UF ingestion performance? # High-volume Palo Alto → hourly /var/log/firewalls/PaloAlto/$SOURCEIP/$YEAR-$MONTH-$DAY-$HOUR.log # Lower-volume Fortigate → daily /var/log/firewalls/Fortigate/$SOURCEIP/$YEAR-$MONTH-$DAY.log ... View more

Hi All, I hope all is well. Kindly, anyone works with Guardium API Add-on for Splunk: https://splunkbase.splunk.com/app/8290 I have two questions: 1. The auth-token will be expire just in 3 hours, is this addon will refresh it I used this command to generate the token: grdapi register_oauth_client client_id=splunk_client2 grant_types="password" user="admin" password="<PASSWORD>" GetToken=1 Output: {"client_id":"splunk_client2","client_secret":"440cef5c-42a8-4fd5-9741-17266cxxxxx","grant_types":"password","scope":"read,write","redirect_uri":"https://someApp"} {"access_token":"token","token_type":"bearer","expires_in":10799,"scope":"read write"} 2. This command doesn't work properly as expected? url -k -X POST https://<guardium_host>:8443/restAPI/online_report \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{"reportName":"SQL Activity","indexFrom":"1","fetchSize":30000}'   ... View more

Hi Everyone, We have integrated Crowdstrike falcon with splunk and we retrieved the IOC in index=cs_ioc. Using the below search to arrange table with ip description : index="cs_ioc" type="ip_address" deleted=false (malicious_confidence="high" OR malicious_confidence="medium") earliest=-30d@d latest=now | dedup indicator | rename indicator as ip | eval description="Imported from cs_ioc feed" | table ip description | outputlookup local_ip_intel append=f Verify the SPL works fine: Following this article to enrich the threat intel: https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.4/threat-intelligence/add-new-threat-intelligence-sources-in-splunk-enterprise-security#id_86f92bba_a555_43fa_8d67_f5e00459bfa6--en__Add_threat_intelligence_from_Splunk_events   You can also, write a search that produces a list of IP addresses that are testing a web server for vulnerabilities and add them to the local_ip_intel lookup to be processed by the modular input and added to the ip_intel KV Store collection. Verify the following SPL to ensure the IOCs moves from local_ip_intel into ip_intel: | inputlookup ip_intel There is no data Q:- I want to troubleshoot "Why this modular input doesnt work properly"? Note: ES Threat intel is Enabled ... View more

Hi Everyone, I hope all is good. Looking for TA-Addon: 1. Forcepoint Firewall. 2. Fidelis EDR. Looking for them at Splunk base, but I didnt see anything related to them. Thanks in advace! ... View more

Hi Everyone, Anyone integrated the Forcepoint DLP with splunk?   What is the proper method? is there any Add-on FP DLP? ... View more

Hi Everyone, I have a clustered SH (Install ES App) + Adhoc search head. I need to know what is the role of the adhoc SH and what is the apps should be installed on it? ... View more