Activity Feed
- Posted Check if latest logs contain IOC on Splunk Search. 08-24-2023 04:58 PM
- Posted Subsearch all events in another index on Splunk Search. 08-24-2023 03:09 PM
- Karma Re: Splunk Cloud on-boarding logs for richgalloway. 06-05-2020 12:51 AM
- Posted Re: Splunk Cloud on-boarding logs on Getting Data In. 04-10-2020 09:18 AM
- Posted Splunk Cloud on-boarding logs on Getting Data In. 04-10-2020 06:56 AM
- Tagged Splunk Cloud on-boarding logs on Getting Data In. 04-10-2020 06:56 AM
Topics I've Started
08-24-2023 04:58 PM
INDEX name: generated (10 million new records every day)
INDEX fields: username, secret, key
Lookup file: secrets.csv with field secret (128-bit string, 1 million static records)

I am creating a report to check if any secret is found within the secrets.csv list and flag it.

```
index=generated [| inputlookup secrets.csv | fields secret] | table username, secret, key
```

How is the check that the secret exists both in the index generated and in the inputlookup validated in this search string?
08-24-2023 03:09 PM
I have two indexes:

Index accounts: [user, payroll]
Index employees: [user, emp_details, emp_information]

I am trying to use a search to search all the 1 million users in index users to search for the corresponding details of the same user in a different index which contains 20 million records. I tried something like:

```
index=accounts user=* | join type=left user [search index=employees | fields user, emp_details, emp_information] | table user, emp_details, emp_information
```

But it's not searching all the users and joining all the users.
04-10-2020 09:18 AM
What I missed is running the command "splunk install app -auth :". After doing this it started working. Thanks for your help. 🙂
04-10-2020 06:56 AM
Hello, I deployed a free trial Splunk Cloud instance to learn how to onboard logs into Splunk. I tried for hours but I am still unable to onboard logs.
Here is what I did...
Spun up a Splunk Cloud instance (pretty straightforward).
Downloaded the Splunk Universal Forwarder (pretty straightforward).
Installed Splunk Universal Forwarder on my local Windows machine:
1. Unchecked Splunk on-prem as this is a cloud instance.
2. It asked to create a username and password; I created some crap login details and I don't know what these are for.
3. I chose a local installation, not network or domain.
4. It asked what logs I need; I chose all except AD logs because mine is local.
5. Now it asked for the location of the deployment server and port. I used my deployment server and left the port blank as it takes 8089.
6. I wasn't asked for any receiver server details here, which I saw in YouTube videos where for others it's asking for receiver server details.
7. Clicked on the install button and installation is successful.
Back to the Splunk cloud instance, I went to Data Inputs
Choose Windows Events and added my workstation hostname in there (it's displaying in here).
I picked to add to index main.
Now it says all done, start searching.
I tried searching and nothing comes up in the server for index=main or host=myhostname
I tried going to the forwarding and receiving section, and there is only an option for configuring forwarding but there are no receiving options.
Also, in my windows I went to C:\Program Files\SplunkUniversalForwarder\etc\system\local and there is no outputs.conf file here.
There are deploymentclient.conf, authentication.conf, server.conf and input.conf files but there is no outputs.conf.
Can anyone tell me what I have done wrong? Why am I not able to onboard my logs?
I also temporarily disabled my firewall to see if my firewall is blocking, but that's not the case, and I am able to telnet to the Splunk Cloud instance.
Labels: universal forwarder