Short documentation reminder: https://docs.splunk.com/Documentation/DBX/3.18.2/DeployDBX/Prerequisites "KV store must also be active and working properly as of DB Connect version 3.10.0 and higher" ... View more

A small update to these link (the former is a repost of the latter). The former link/document was moved to https://www.invictus-ir.com/news/importing-windows-event-log-files-into-splunk  ... View more

Thank you for the link(s). Would be great if Splunk had included this important bit of information in their docs... ... View more

This is just to add some pieces of information. The Windows Event Log data is written to disk at least before and after a reboot or a restart of the "Windows Event Log" service. These files are then saved under C:\Windows\System32\winevt\Logs with names such as Application.evtx or Security.evtx These files are in a somehow "binary" format, but this format is known and there are tools to extract their data in text format. E.g. using the Python language there's a module named "python-evtx". I did not try using this module inside a Linux based Indexer to directly read the data from the files. Doing this is probably a bad idea for the standard Windows Event Logs as these are best read using the solution provided above, but in case of "standalone" event files, which other applications might create, using such tools is a way to go. ... View more

Thank you. Maybe that could be used as a workaround. I guess I have to to the extraction change/enhancement myself then 😉   ... View more

It's a bit older but it seems to be some confusion around: Your second example is completely different from the first one as you use double quotes, i.e.   | eval var_type = typeof("num")   "num" is a literal string which has nothing to do with your variable! Take care about using double quotes (for strings), single quotes (for field names, e.g. containing spaces (for whatever reason... 😉 )) or no quotes at all (also for field names). Besides that to me it seems that this `tostring` function is buggy. If I convert any number using `tostring(number)` that should(!) become a string, regardless of any "format"-argument. And the "typeof()" function should then return "String" for this string. ... View more

Yes, that's exactly the line for th 8.2.9 version although the sha256sum is different there. ... View more

Even this is now 1year old 😉 But it's still possible to use these checksums as per https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Dataintegritycontrol  Just use ./splunk check-integrity -index [ index name ] [ -verbose ] to check your indexed data and you will get "Integrity check succeeded on bucket..." or "Integrity check error for bucket..." (or maybe some other, similar output) for your buckets. ... View more

An older one, but... as said the `pem`-files under `distSearchKeys` are simply RSA-Private- and corresponding RSA-Public-Key files. These can be created (at least in a Linux environment) using the following commands: 1. Create private key file: `openssl genrsa -out private.pem 2048` 2. Create public key file from private key file: `openssl rsa -in private.pem -pubout -out trusted.pem` The `openssl` binary is located in Splunk's `bin` folder. If you want to create a trusted connection from e.g. a Cluster Master (CM) to an Indexer (IX) manually you just do the following: 1. create a new directory under `distServerKeys` named according to your CM-hostname 2. copy the `trusted.pem` file (i.e. the public key) from the CM's `distServerKeys` directory to the newly created directory on your IX 3. restart Splunk on both (in a cluster according to restart policy/rules) Under "Settings | Distributed search" on the CM you could then see if the connection between CM and IX is established: State = Up, Health status = Healthy If one of the above steps failed you get: State = Down, Health status = Sick (at least this was the output during my experiment I just ran) ... View more

Should this "day column" go on a row of its own? What if you have more than one data rows for a particular day? Maybe you want to have a look at the "bin" command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin) to group your events by day with a "span=1d" parameter. ... View more

Is this for Enterprise Security? Maybe you get better results if you add the label accordingly. ... View more

What kind of data are you working on? Which input are you using? ... View more

What do you exactly mean with "all dates between my time picker"? What is the output of your SPL? What did you expect? Could you give some example data? ... View more

Just a friendly hint: you added your solution as comment what is good as everybody could see it. It would be even better if you convert it to/post it again as an answer - that's something different 😉 And as a last step you then accept this answer as a solution - so everybody could see right in the search results, that this question already HAS a solution. ... View more

@delewis13 could you please paste your corresponding dashboard code? ... View more

Have you checked the "ValueError: Invalid format string', 'event': 'Invalid format string'" (line 6) and "ValueError: Invalid format string" (line 15) messages? Maybe there's something wrong in some token.#.replacement string. ... View more

You are too late - this one was solved already four month ago 😉 But thank you for pointing this out - for some reason I thought, that putting single quotes around the password (see above) belongs to the syntax of the "--decrypt"-command. But of course - it's just the shell escape. ... View more

In the end it really doesn't matter, which team I give my points - it's all for supporting the corona studies, but... You are talking about two different teams here: a) Team: Splunk Folding@Home Research Labs (also referred to as "Buttercup Research Labs Team #: 238889) Link b) Team: Splunk Community Link Which one is "the one"? ... View more

At least today - e.g. in a Red Hat 7.6 environment - wildcard settings are used for the root user also. ... View more

This one is quite old - but still wrong - therefore the downvote. sysctl -p -command load kernel settings from /etc/sysctl.conf . That's different from the user-specific settings in /etc/security/limits.conf , which are not read by this command. Instead one has to logoff and logon again. ... View more

Yes, right, I read that Ubuntu 18.04 - and then immediately forgot it - my bad 😉 ... View more

Just an add-on: What kind of system do you have? E.g. RedHat currently uses firewalld by default - so you won't find any iptables -service. Maybe "the guy that have installed [...] this" is not that bad 😉 ... View more