Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Kitteh
Kitteh
Path Finder
Member since:
09-22-2017
06-05-2020
Community Statistics
| Posts | 38 |
| Solutions | 3 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 09-22-2017 |
Activity Feed
- Karma Re: How do I use the latest value given to replace a field that is NULL but both event have one common value? for cmerriman. 06-05-2020 12:49 AM
- Posted Streamstats click into viewing raw Events shows older event instead of newer?! How to fix on Dashboards & Visualizations. 01-24-2018 06:24 AM
- Posted Re: Windows XP, Splunk keeps converting User Account Name to some random ID, how to avoid the converting? on Getting Data In. 11-29-2017 11:19 PM
- Posted Whitelist Services? How on Getting Data In. 11-27-2017 10:32 PM
- Tagged Whitelist Services? How on Getting Data In. 11-27-2017 10:32 PM
- Tagged Whitelist Services? How on Getting Data In. 11-27-2017 10:32 PM
- Posted Windows NT to forward logs to Splunk Enterprise, how? on Getting Data In. 11-23-2017 03:21 AM
- Tagged Windows NT to forward logs to Splunk Enterprise, how? on Getting Data In. 11-23-2017 03:21 AM
- Tagged Windows NT to forward logs to Splunk Enterprise, how? on Getting Data In. 11-23-2017 03:21 AM
- Posted How to filter events on Linux Machine before forwarding them to Splunk? on Getting Data In. 11-22-2017 11:09 PM
- Tagged How to filter events on Linux Machine before forwarding them to Splunk? on Getting Data In. 11-22-2017 11:09 PM
- Tagged How to filter events on Linux Machine before forwarding them to Splunk? on Getting Data In. 11-22-2017 11:09 PM
- Tagged How to filter events on Linux Machine before forwarding them to Splunk? on Getting Data In. 11-22-2017 11:09 PM
- Tagged How to filter events on Linux Machine before forwarding them to Splunk? on Getting Data In. 11-22-2017 11:09 PM
- Posted Re: Windows XP, Splunk keeps converting User Account Name to some random ID, how to avoid the converting? on Getting Data In. 11-21-2017 11:21 PM
- Posted Re: Windows XP, Splunk keeps converting User Account Name to some random ID, how to avoid the converting? on Getting Data In. 11-21-2017 10:37 PM
- Posted Re: How do I use the latest value given to replace a field that is NULL but both event have one common value? on Splunk Search. 11-21-2017 12:33 AM
- Posted Re: Windows XP, Splunk keeps converting User Account Name to some random ID, how to avoid the converting? on Getting Data In. 11-20-2017 05:46 PM
- Posted Re: Windows XP, Splunk keeps converting User Account Name to some random ID, how to avoid the converting? on Getting Data In. 11-20-2017 05:45 PM
- Posted Windows XP, Splunk keeps converting User Account Name to some random ID, how to avoid the converting? on Getting Data In. 11-20-2017 01:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-24-2018
06:24 AM
Ok so basically for my current query it fetches the same process name and its change of state, like from Running to Stopped or Stopped to Running... First picture shows the changing state of time which is the newer event... But however, when I click on that event and click View events.... It actually shows the old raw event which is the Running state like in the second picture... How do I make it so that the clicking of View events will show the new raw event which is the Stopped state?
... View more
11-29-2017
11:19 PM
Yes the evt_resolve_ad_obj has been set to 1 but it is still in SID form instead of friendly naming... This happens for Windows 2000 and XP
... View more
11-27-2017
10:32 PM
How do you whitelist services you wish to monitor and not forward redundant ones to the Splunk Server....
I've done before on WinEventLog but however not sure how to use WinHostMon or WMI to whitelist, will apperciate if someone has working configuration that whitelist/blacklist services
... View more
11-23-2017
03:21 AM
I've been tasked to forward logs from Windows NT to Splunk Enterprise however, there is no Syslog inbuilt for Windows and also no Splunk Universal Forwarder.
Any idea how I should approach to this for corporate use?
... View more
11-22-2017
11:09 PM
Image attached is the following log I wish to forward but however I want to detect ONLY newly added Cronjobs (only the first same entry of each command), I've done it on Splunk Enterprise after these are forwarded but however, Splunk Server will keep receiving these events non-stop at the back end even if I filter it on the Splunk Server side since Cronjob is always running, I wish not to index data that I am not using before forwarding it to Splunk Server, how do I go about attempting this with props.conf or transform.conf.
At the end of the day, there will be many different Cronjobs, but I want to uniquely identify them by once and only the first one of each just by looking at the CMD parameter in the brackets ()
... View more
11-21-2017
11:21 PM
Installed the add-on and also turning value of evt_resolve_ad_obj into 1.
My new stanza:
[WinEventLog://Security]
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist1 = 528, 529, 538, 540, 592 ,593, 624, 630, 636, 637
index = winsecurity
renderXml = false
However my result is still the same.
... View more
11-21-2017
10:37 PM
Its set to 1 but still getting the ID instead of the resolved one.
... View more
11-21-2017
12:33 AM
Yes I am still interested in exploring map command, do you mind replacing what my command is to what you are trying to type down? The amount of slash and money sign is confusing me
... View more
11-20-2017
05:46 PM
Is there a way to have the SIDs converted without having to create/manage database lookup?
... View more
11-20-2017
05:45 PM
The issue you pointed out on version is not the issue, I was using indeed newer forwarders but have already uninstalled and grab the version you stated and it still does not work.
... View more
11-20-2017
01:46 AM
[WinEventLog://Security]
disabled=0
start_from=oldest
current_only=0
evt_resolve_ad_obj=0
checkpointInterval=5
whitelist1=528, 529, 538, 592 ,593, 624, 630, 636, 637, 513
index = winsecurity
renderXml=false
Above is my configuration in inputs.conf. I suppose evt_resolve_ad_obj is to prevent any resolving of GUID etc? But however it doesn't work! How do I fix this, this is for Windows XP.
Left is the intended result I want it to be shown on Splunk but however it was converted which is what I do not want.
... View more
11-18-2017
10:56 PM
I have already appended my Splunk IP Address and UDP port in /etc/syslog.conf "(asterisk).(asterisk) (asterisk)192.168.0.1/9995", restarted syslog service too.
At the Splunk side, I also added a new data input UDP, to accept 9995 and restrict the host to only the CentOS machine which is 192.168.0.59 (ip of my centos) but to no avail, no data was sent to Splunk...
There is connection between two, checked via ping.
... View more
11-16-2017
05:09 PM
What do you mean to have splunk read the logs rsyslog is writing?
... View more
11-16-2017
04:29 PM
Hi I am trying to send logs files from Linux system to Splunk Indexers, is there a way to configure the syslog to do this? If so, how to do it?
Additionally, if older Linux uses Syslog, newer uses Rsyslog, can Syslog still send over to Rsyslog flexibly?
... View more
11-09-2017
05:10 PM
Not sure how it would work since I am not sure where to edit in my query. Will be editing my post and add in the query I've used.
... View more
