It seems like you need to request your AD team to provide you access to the AD group which governs the authentication to your HF. Then you will be able to login. No need to change anything from the backend. ... View more

There isn't an inbuilt feature in Splunk, which can do this. You can build a custom app with external lookups (scripts) and use something like google translate or other services to do this and transform your data. To get started, you can disassemble this old app and then take it from there to build your own. https://splunkbase.splunk.com/app/1609 ... View more

The one issue that I see with this approach is the transfer of data buckets from Cluster A to Cluster B. Every indexer creates buckets with its unique uuid. Transferring those buckets to a new cluster where the cluster master has no idea as to who those buckets belong to would cause a massive headache for you. If you can re-ingest the data, that would solve your problem easily. Otherwise, I highly recommend involving Splunk support in this operation and get this guidance. ... View more

I can't seem to find anything in known issues that matches your problem on the version that your team is using. https://docs.splunk.com/Documentation/ES/6.6.2/RN/KnownIssues Restricting access to indexes should not affect the capability to make changes to the IR dashboard (unless the notable index has been restricted too). The one recommendation I have is to ask the Splunk admin to see if they are restricting the capability to edit notables in the custom roles that may have been developed for restricting access to indexes. Also, if possible if you could share the error that you encounter while editing the notables, it will help us to help you to find a solution. ... View more

Is this issue resolved now or do you need more help? This is the issue with the key of the certificate of KVstore. ... View more

Instead of looking in the app, please try clicking on Settings -> then click on Data Inputs and then look for Akamai​ Security Incident Event Manager API. Once you locate it, click on it and follow the instructions mentioned on this page: https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector#install-the-splunk-connector ... View more

Splunk Add-on for Microsoft Office 365 provides the input for ingesting message trace logs into Splunk. Link: https://splunkbase.splunk.com/app/4055 Documentation: https://docs.splunk.com/Documentation/AddOns/released/MSO365/Configureinputmessagetrace ... View more

Hello @smanojkumar , Lookups can have millions of results, especially the KVStore lookup. Looks like the SPL that you wrote, whose' results you're trying to output to the lookup is truncating your results. Can be caused either by using the sort command or append, join or even subsearches. Could you share your SPL, masking sensitive information in it, so that we could try to identify the problem. ... View more

Could you please tell us bit more about what else does that search do apart from looking for LoginLimit > 30? Also, once the said duration is over, would you like to see the output in the form of an email or in a dashboard etc? The reason behind asking these questions is to better understand the requirement. If you'd like to see the output of the search after the duration is over in an email, then just scheduling the search with a targeted time range and cron can help you to run it automatically and the results of each iteration can be put into a static lookup. Then another search can be scheduled and configured after the event is over, which will basically pull the results of the lookup and send it to you over email. If the requirement is to do something else, then a solution for that can be designed accordingly. ... View more

Was this set up working before or did it never work/is this a new Splunk set up? Since there's not much information about your set up, I'd recommend checking the usual suspects like the SMTP server's details put in Splunk. If it's localhost, won't work. If it's a proper set of details, I'd recommend checking your firewall logs to see if the connections are getting denied. You can also always check with your SMTP server team to see if the credentials work or not or do they expect you to use SSL/TLS or no security. Maybe the SMTP server might not be available. You should also check the port that you are attempting to connect to is correct or not. ... View more

Splunk docs specify that you cannot monitor Windows event log (*.evt) files with a [monitor://] stanza as they are in binary format. The splunkd service monitors these binary files by using the appropriate APIs to read and index the data within the files. Not really sure if you can monitor the archived logs, but maybe try modifying the following stanza from the docs for the archived logs and see if it helps.  Use the Full Name log property in Event Viewer to specify complex Event Log channel names properly You can use the Full Name Event Log property in Event Viewer to ensure that you specify the correct Event Log channel in an inputs.conf stanza. For example, to monitor the Task Scheduler application log, Microsoft-Windows-TaskScheduler-Operational, do the following steps: Open Event Viewer. Expand Applications and Services Logs > Microsoft > Windows > TaskScheduler. Right-click Operational and select Properties. In the dialog that appears, copy the text in the Full Name field. Append this text into the WinEventLog:// stanza of inputs.conf as in the following example: [WinEventLog://Microsoft-Windows-TaskScheduler/Operational] disabled = 0 More information on the same: https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorWindowseventlogdata ... View more

Hello, Thank you for correcting me and letting us know the correct behavior. I didn't know the correct fact here. I've updated the answer as well. 🙂 ... View more

Hello, You are correct in identifying its behavior. When you write earliest=-1@d, it gives you the results on the basis of @d, which is every single result from the beginning of the day. -1 as ITWhisperer correctly pointed out accounts for a second and has no visible impact.    ... View more

What does the following search tell you when you run it for the log source under question? The host value should give you the name of the HF. index=<your_index> sourcetype="your_sourcetype" | dedup host | table host   If this doesn't give you the desired result, then try the following (Ignore the name of the indexers in the search and focus on the others. You'll find the name of the HF): index=_internal "sourcetype_name" | dedup host | table host  ++If this helps, please consider accepting as an answer++ ... View more

Why not simplify by creating two serverclasses in the deployment server. 1. Create a serveclass, let's name it Splunk_TA_nix. You can add all the linux servers there to deploy the app Splunk_TA_nix and put the server serverXX in the blacklist so that this app doesn't reaches there. 2. Create another serverclass, let's call it Splunk_TA_nix_serverXX. You can put the other app Splunk_TA_nix_serverXX_inputs and put the server serverXX in its whitelist. 3. Then reload both the serverclasses using the command "$SPLUNK_HOME/bin/splunk reload deploy-server -class <serverclass_name>" and once all linux servers phone home, they will pick your desired apps from the deployment server and give you the result that you need. ++If this helps, please consider accepting as an answer++ ... View more

My bad. Should have read the question and tags thoroughly. Based on my experience with Splunk, if you just pass along the requirement posted by Zscaler to them by filing a support case as the add-on is Splunk supported, they should be able to provide you the format of the packet that they are sending to the Zscaler API. That would be the best and fastest way to approach this problem. ... View more

Splunk enterprise uses cryptographic functions for many operations rigorously, so firing of these events seems to be an expected activity as you have the FIPS mode crypto selftests turned on. Do you have more Splunk servers which are exhibiting this behavior? I'd recommend filing support case with Splunk and providing the diag of the server where Splunk is installed but pretty sure they'll tell you the same thing.  ... View more

The screenshot itself tells you about point number regarding "Search peer SSL config check". For point number 2, you cannot configure MongoDB TLS on SplunkCloud yourself because you won't have the required access to server.conf to do that. You can open a support case with Splunk for further triaging as only they have the backend access. Same goes for DNS validation. Out of a customer' scope due to no backend access. Support case is the only way to go. ++If this helps, please consider accepting as an answer++ ... View more

Create your cron expression using Crontab guru. There are loads of examples already present to help you understand how it works. Or if you can just tell us as to how frequent do you want the input to run, we can help you make a cron expression. https://crontab.guru/ ++If this helps, please consider accepting as an answer++ ... View more

Which add-on are you using to get the data? As far as I can see, all the apps/add-ons for Zscaler on SplunkBase are built by Zscaler themselves and tagged as developer supported, which means that they should be answering the question about the body of the message that was sent to their API.  ... View more

Are you trying to execute the script remotely or on the server where Splunk resides itself? For executing a script on the server where Splunk resides based off the results of a search, you can create your custom alert action or a custom command, which will accept the output of the search, parse through the results and invoke the required PS script. "Run a script" alert action has officially been deprecated. You can still try and use it, but in the future releases of Splunk, it will be removed. May not even function as you expect.   To execute a script remotely, you are again dependent on a custom alert action or a custom command to invoke a script, which can connect with your remote server and run the PS script on it or perform the operations as per your requirements. ++If this helps, please consider accepting as an answer++ ... View more

Under $SPLUNK_HOME/etc/system/local/web.conf, maybe try using a different port which is free and restart Splunkd. [settings] httpport = <new_port>   ... View more

If you are looking at not ingesting the EventCode 6417 in Splunk, you can always blacklist it in inputs.conf.  In terms of doing something in the event viewer or server level, it is out of scope for Splunk. You can always try out of the box ideas like but not limited to looking at creating exclusion filters or develop a powershell script and have it run every 30 minutes to rotate the .evtx files, granted you have stored/ingested them somewhere like Splunk. ++If this helps, please consider accepting as an answer++ ... View more