I honestly don't think you can the design of alert actions was to send the result to _internal its not a collection tool.  ... View more

I don't have a specific solution as you ask for but its a common practice to send events and receive results async so however you would collect events (file syslog hec) the response would come back over that method  ... View more

Looks like something is wrong on py2 I will try to get a look at it this month ... View more

Hi this is my app ,what version of Splunk are you using? ... View more

the original answer "no start TLS" is the correct answer. My response was to provide additional color to the reason for the question which is a vuln scanner is driving an incorrect response to "disable" ldaps. When the proper fix is simply to harden ldaps. ... View more

https://seckit.readthedocs.io/projects/splunk-ta-windows-seckit/en/latest/index.html ... View more

I generally use "appmsadmon" as the admon index ... View more

Because this is a new install I would suggest connecting with your SE who may recommend services time to assist in initial deployment. ... View more

You are asking multiple questions at once that are very vague. It would be helpful to have a question with each specific source you are working with allowing those with experience in specific technologies to help you. For the portion of your sources that happen to be syslog based connections you may want to check out the new Splunk Connect for Syslog https://splunk-connect-for-syslog.readthedocs.io/en/latest/sources/ ... View more

LDAPS as with most things (s) such as https the s stands for secure not SSL. The LDAP server configuration determines what crypto is offered and should be updated to only permit appropriately secure TLS options. "STARTTLS" is a potentially less secure choice where the server defaults to insecure communication and requires the client to request a step up to secure. This was a useful bridge for legacy communications such as LDAP, SMTP, and FTP but is not related to the need to remove support for older now less secure encryption protocols SSL* TLS 1.0 and TLS 1.1 Presuming your LDAP server is Microsoft Active Directory this vulnerability should be reviewed by your Active Directory admins to resolve. This may also be a great time to consider moving to SAML based authentication to reduce the risk of credential compromise via plain text bind. ... View more

Yes app developers are not able to proactivly ask cloud to approve if this version is useful to you then a ticket will be required ... View more

The client IP is based on what the tcp layer of the server sees, it could be the NAT or proxy address instead of the actual client ip. ... View more

the key proposition for Splunk is "native" or raw. If the source is natively producing json, xml or KV the best all things considered path is that raw form. Pre translation i.e. schema on write is very high risk and is the Achilles heal of other solutions identifying and rectifying data problems due to translation is difficult and often results in failure to monitor. If a new solution such as a business application was being implemented today and that solution was to log in a performant way to for example kafka or SNS I would use a minified json format, with a schema indicator. An example of this in use today is AWS cloud watch events. One example of things not to do is wrap a txt message in json for example packaging a Cisco ASA event inside of json requires escaping characters. Parsing fields from fields in json is very difficult. While a native Jason format is very easy to work with. ... View more