There is a saved search which has been orphaned. When I attempted to reassign it to another user like admin or nobody, it didn't let me and showed the below warning message. cannot change user and/or app context of a report that is embedded ... View more

Is there a way to skip hot buckets (local storage) and ingest/index data directly into smartstore (s3 buckets) ? ... View more

For Syslog, Splunk recommends using a dedicated syslog server. So, for Netflow data, is there any particular best practices for ingesting into Splunk ? Can I still continue using syslog server even for Netflow data or use Splunk stream app ? Please advise. Thanks. ... View more

Can someone please guide how I can collect the following logs from Linux systems ? changes to account privileges. unsuccessful login and log off events for privileged accounts. any access attempts using deactivated accounts Any help on this would be highly appreciated. ... View more

Looking to find what ES usecases are there that use Certificate and/or Alert datamodels ... View more

Some context here - When I go to ESCU app and filter down the analytical stories based on CIS control 4, it shows me 6 stories all of which specifically address a certain use case. But I am having trouble understanding how a usecase is relevant to CIS 4 control. Take for e.g. Spectre And Meltdown Vulnerabilities maps to control 4. The only relevant  sub-controls under 4 that can be detected using ES I found were: Log and Alert on Changes to Administrative Group Membership and Log and Alert on Unsuccessful Administrative Account Login. Can anyone please help understand how is the analytical story relevant to  ... View more

We have a massive Splunk environment and QA process is pretty stringent when it comes to data onboarding. As part of that, we also do check the magix six props.conf attributes but process to check is time consuming. Hence, wondering what approach others here are taking to make the process fast and efficient. Any help on this would be highly appreciated. Thanks! ... View more

Can anyone please share some best practise or your own preferred method for populating the watchlist field in the assets and identities lookup table in ES ? We are currently using Sailpoint data to populate the identities lookup. The only one reference i have got is someone using below logic by leveraging the ldapsearch command. | eval watchlist=if((userAccountControl % 4)>=2,"true","") ... View more

After accelerating the CIM Validation (S.o.S.) DM and upon checking the pivot for any of the datasets results in an error. Example below:   Datamodel 'Splunk_CIM_Validation.Authentication' had an invalid search, cannot get indexes to search    Upon checking the search.log, it states   ERROR DataModelEvaluator [3485 BatchSearch] - Data model 'Authentication' was not found. 01-04-2021 12:56:11.393 ERROR SearchOperator:datamodel [3485 BatchSearch] - Error in 'DataModelEvaluator': Data model 'Authentication' was not found. 01-04-2021 12:56:11.394 ERROR TsidxStats [3485 BatchSearch] - Error in 'SearchOperator:datamodel': Error in 'DataModelEvaluator': Data model 'Authentication' was not found. 01-04-2021 12:56:11.394 ERROR TsidxStats [3485 BatchSearch] - sid:etc.splunkcloud.com Datamodel 'Splunk_CIM_Validation.Authentication' had an invalid search, cannot get indexes to search   Update: I found some similar posts, where they mention this might be due to permission issue, but I have checked the permission for this DM and it is default to read for "Everyone". Other DMs with same permissions work well. Also, when acceleration is disabled, it seems shows data in pivot Can someone please help fix this ? ... View more

Pivot for Assets and Identities Data model -"Identity_Management" showing zero count. When running search - |tstats count from datamodel=Identity_Management by index   Error in 'DataModelCache': Could not create search for invalid datamodel: Identity_Management The search job has failed due to an error. You may be able view the job in the Job Inspector.   12-14-2020 05:50:01.195 ERROR DataModelCache [33401 searchOrchestrator] - Could not create search for invalid datamodel: Identity_Management 12-14-2020 05:50:01.195 ERROR SearchPhaseGenerator [33401 searchOrchestrator] - Fallback to two phase search failed:Error in 'DataModelCache': Could not create search for invalid datamodel: Identity_Management 12-14-2020 05:50:01.195 ERROR SearchOrchestrator [33401 searchOrchestrator] - Error in 'DataModelCache': Could not create search for invalid datamodel: Identity_Management 12-14-2020 05:50:01.195 ERROR SearchStatusEnforcer [33401 searchOrchestrator] - sid:1607925000.24084 Error in 'DataModelCache': Could not create search for invalid datamodel: Identity_Management   Pleasse advise! Thanks! ... View more

Given these fields (is_expected, should_timesync, requires_av and should_update in asset lookup of ES) dont dynamically come from any data source, I am keen to know what methods people use to populate these fields in asset lookup ? Do you mainly create and maintain a static asset list for such fields ? Is there any better way or process to create and update this list ? Any help on this would be highly appreciated. Thanks ... View more

Does ES also comes with SSE app features like Analytics Advisor, Content Recommendations, Data inventory, CIM compliance check etc ? I found these features really useful for data source assessment. ... View more