We utilise Enterprise Security and have a large number of detections that we use.  We have recently put in some testing hardware that could trigger any one of these alerts and I am trying to find out if there is someway that we could suppress or exclude a device if that host potentially triggered these rules.  Is there a way to effectively do a global "ignore any alerts from xxxx" without having to edit every single rule? ... View more

I have a search similar to the following   (Index=myindex) or (index=otherindex) | eval user=coalesce(accountname, id) | mvexpand user | stats values(field1) as field1, values(field2) as field2 by user   This gives me my results that I want but I want to now take the results of this to enrich information from the output by pulling other events from another index.  This will then generate an alert so nit being done pin a dashboard.   I could schedule a report and then reference something like a lookup table that wpuld probably work but I am trying to make it a bit more dynamic. I would like to maybe use the result from this and enrich with an ldap query but I dont think I can do that. Join is out of the question (limitations etc.) and I cant coalesce any further with other fields as they are in no way similar of even available.   Thoughts and thanks in advance. ... View more

I am running SPLUNK version 8.0.10 with Lookup Editor version 3.4.6.  Noted that I have a problem in my CSV's wherein if I scroll using my mouse to the bottom of a long list (say 300 lines), the scroll bar jumps back to the top of the CSV.  I have to literally click on the side scroll bar and drag to the bottom to perform any edits (particularly if I want to add a new line).   I have seen there have been other bugs with 3.4.6 and the only version that is "supported" under 8.0 is 3.4.6.  3.5.0 which is available for download only supports 8.1+.     ... View more

I am using the Splunk Add-on for Microsoft Cloud Services to pull data from an Azure Event Hub.  What I would like to know is whether there are any known limitations that anyone has run into   * How many events can be pulled when the API call is made? The default is 300 per API connection * Whether these are any limits on how often it can be pulled? The default is 300 seconds, but can you say pull every 15 seconds or 30 seconds etc. * Whether there is a limit between how many events can be pulled based on the how often it is pulled?  Can I pull 3000 events every 10 seconds or is there a hard limit/ ... View more

We have our SPLUNK instance in a private AWS VPC.  We also have a separate HEC cluster in a private AWS VPC (logical separation).  I need to collect AWS Security Hub events into my HEC but reading through the notes, it indicates that I need to use Project Trumpet which will in turn use Kinesis Firehose.  Kinesis Firehose requires a public IP which is something that we don't want to do (we have been using older methods for pulling GuardDuty in for example).  Is there a way to use Trumpet and collect the same logs without having to expose the HEC to the internet (I know this can be segregated by way of Security Groups etc.) but I am trying to find a solution so that I don' t have to do this.   ... View more

I have a source type for multiple CSV files where it is configured as with a no_timestamp.  For now I have used this sourcetype as it does the parsing I need and I have been able to use source to look for the data I specifically want.  The problem of course is that as more CSV files get pulled in, the column names change and consequently I would need to write a seperate sourcetype for each source because if the column is different, the end result is that my fields and the associated values are no longer aligned.  For example I have 2 CSV's that have the same sourcetype (e.g. csv:notimestamp) but each source is different so say (csv:users and csv:workstations).  The files are configured to be monitored and are pulled in daily.  As I am using the source to differentiate my data. So in csv:workstations the field "IPv4Address" is correct, but when using the source for csv:users, this field is now showing the user's phone number for example.  This is obvious because the columns themselves will be in a specific order so it explains why the field is extracted where it is. What I would like to know, short of effectively copying the csv:notimestamp sourcetype and creating a new sourcetype called "csv:workstations" and then another sourcetype called "csv:users", is there a better way?  My problem is scaling over time, meaning that each new CSV that uses the same stanza configuration would need to have its own sourcetype meaning an update to the indexers on each new CSV file.   Is there a way to omit the above behaviour by referencing the source within SPL or am I forced to create a sourcetype per CSV type.  ... View more

We currently have a deployment server which manages our infrastructure quiye well. A change in our environment is coming where the requirement is to (due to minimal change) make the universal forwarders (these are Windows) unmanaged and for any future changes to be done via a powershell script. My obvious response is no but I wanted to see what other peoples experiences are with not using a deployment server to manage anywhere between 30-40 machines usong scripts such as Powershell. What cons have you found doing it this way when compared to a tried and trusted approach with DS? I can't see any pros with it but I will ask that to.  ... View more

I have a very basic dashboard that requires my users to put in text inputs.  These inputs are then outputted to a CSV file that can be referenced.  The basics of it are <input type="text" token="user"> <label>user</label> </input> <input type="text" token="hostname"> <label>Host Name</label> </input> <input type="text" token="switch"> <label>Switchingcommand</label> </input>   I have my form being submitted via a submit button at the top of the form that takes this information and outputs this to a csv file with an append <search> <query> | makeresults | eval user="$user$" | eval hostname="$hostname$" | eval switch="$switch$" | outputlookup tracking.csv append=true </query> </search>   The above works within the dashboard provided that there are no special characters.  Due to the nature of the value for "switch" above, it can contain a long string with various escape characters.  For example a string entered could be almost any special characters (for example it could contain "regex" or "#" or "=" or "$" or "[word]" etc. etc. etc.   I have tried modifying my search query as follows (adding in |s$) after the eval for switch <search> <query> | makeresults | eval user="$user$" | eval hostname="$hostname$" | eval switch="$switch$"|s$ | outputlookup tracking.csv append=true </query> </search>   however this doesn't appear to work and the input silently fails.  Have I used |s$ in the correct place or is this not possible?     ... View more

My scenario is that I am trying to alert in the event where a user has been provided to an application but that same user wasn't added to an Active Directory group .  So I have the following 2 indexes that provide me the information Application Access is in "index=myapp" Active Directory is in the "index=ad" My search for a new user being given access to the application is something such as   index=myapp Operation=Creation user_object="user*@mydomain.com"   My search for a user being added to an Active Directory group is   index=ad EventCode=4728 Group_Name="myapp_users"   I have tried the following searches that provide me with data but I can't figure out the next step to show where my objective is met (i.e. where the user didn't get added to the group but was given access to the app).     First Search    index=myapp Operation=Creation user_object="user*@mydomain.com" | dedup RID | eval dest_user=split(user_object,"@") | eval extracteduser=mvindex(dest_user,0) | join type=inner extracteduser [search index=ad EventCode=4728 | rex field=user "^(?extracteduser>[^\,]+)" | eval extracteduser=split(extracteduser,"=") | eval extracteduser=mvindex(extracteduser,1) | fields Group_Name, extracteduser]   In my example I will get 3 returned results.  USERA which was added to the application AND was added as a member to the AD group; USERB which was added to the application AND was added as a member to the AD group; and USERC which was added to the application but NOT added as a member to the AD group (myapp_users).  The problem becomes that in the results that are returned I see For the event returned for USERA and USERC, I see   Operation=Create user_object=USERA extracteduser=USERA Operation=Create user_object=USERB extracteduser=USERA   however for the USERC event, I see   Operation=Create user_object=USERC extracteduser=USERA   so I am getting the wrong extracteduser for the USERC event (no doubt because of the join).  I have then abandoned the join and moved to a multi-search Second Search    | multisearch [search index=myapp Operation=Creation user_object="user*@mydomain.com" | rename user_object as app_newuser] [search index=ad EventCode=4728" Group_Name="myapp_users" | rename user AS adperm_user] | rex field=adperm_user "^(?<extracteduser>[^\,]+)" | rex field=extracteduser "(?<CNAttrib>CN=(?<ad_user>.+))" | eval app_newuser=split(app_newuser,"@") | eval app_newuser=mvindex(app_newuser,0) | eval app_newuser=lower(app_newuser) | eval ad_user=lower(ad_user)   This gives me 2 fields that I now need to compare ad_user shows USERA and USERB <-- these users were added to the AD group AND the app app_newuser shows USERA, USERB, and USERC <-- these 3 users were added to the app   The result that I want in the end is to only show USERC as that was not a member of the AD group.  I have tried using something like the following but come up blank.   | where NOT app_newuser = ad_user | search NOT app_newuser = ad_user   I have probably made this more complicated than it needs to be, but am stuck now. ... View more

Firstly my indexer cluster consists of 2 Indexers (with a 6TB volume on each) and a Cluster Master to manage them.  For the most part CPU and Memory is where you expect it to be (CPU anywhere between 20-40% and memory around the same).  This is with 83 sources averaging around 150-200GB a day.   We have automated RHEL OS patching that occurs on a regular schedule and obviously this means that the environment is not in maintenance mode.  When the patching occurs, the indexers are patched at separate times to each other (for example 1 indexer will patch an hour after the last 1 is restarted).  Consequently after the 2nd one has been patched, I see that my indexers run hot (around 90%+) in CPU and running at RHEL cut out limit (28GB of 32GB) where RHEL protects the OS and kills the SPLUNKD service which then restarts.   This goes on for something like 6-8 hours before things settle back down to the normal 20-40% utilization until the next patching cycle.  Thankfully this doesn't impact us too greatly as everything eventually balances and things settle down and SPLUNK just keeps on working along (searches a little slower obviously) We are currently running on the 7.2 stream and would like to know what's the best way to reduce this high throughput and reduce how long it takes for the CPU/Memory to balance.  Would setting maintenance schedule before patching and then removing after or the next day reduce this?  I also noted that when an app is installed to the Indexers (so cluster deployment) that this also tends to cause the high CPU/Memory spike for almost as long (closer to 3-4 hours).  Currently I don't have scope to increase what resources I do have.   ... View more

I am having trouble on some monitored CSV's that get refreshed daily.  There are 5 CSV's in a common directory that I have a monitored input configured for.  The maximum columns for the 5 CSV's is 68 columns.  The file sizes are typically 1.5MB to 2MB with one file being 22MB.  The largest number of rows in one particular file is roughly 39000 rows with the smallest being 1500 rows.  I have noted that SPLUNK will ingest the CSV but caps out at around the 150th record for each file.  For the 22MB file (which has 39000 rows) it doesn't seem to read the file (this may be due to some columns that look weird so may be bombing out).  Checked limits.conf for column number for ingest and it is configured at around 200 (due to a reason I thought I might need it later down the track) but even with the default limits.conf, the number of columns is not exceeding the default value. ... View more