The ESCU searches are also part of Splunk Security Essentials , which you can see here https://docs.splunksecurityessentials.com/content-detail/ and also here https://research.splunk.com/detections/ Note that some of the searches are buggy - I've raised a few bugs in the last few days https://github.com/splunk/security_content/issues   ... View more

Hi @somesoni2 , Thanks for your reply I tried the spl that you gave but its condition Is always looking for the silent_hosts count is 2. where silent_hosts=2 Which in turn its ignoring the single host which is silent for more than 20 hours ( logs are coming from single host only for other index and sourcetype combinations from past 1 month onwards continuously) So this feeds the below query is discarding . I tried where silent_hosts>=1 then in this case its displaying the old stopped host1 . This should not display as we are getting the logs to same index and sourcetype from host2 ... View more

The time of the first event in the transaction is assigned to _time for the entire transaction. The transaction command automatically assigns a duration field to each transaction. You can eval the end time to be _time + duration. ... your search and transaction | eval First_Event_Time=_time|Table ........ ... View more

I go with scripted input as of now . Could you please help me about the configuration files . I have the Query with me now . If I place that query in a script , after a successful run of that script ,output will be redirected to a separate file . Now how to keep my config files in forwarder , at a time executing the script as well as reading the output file. New to scripted inputs. Thanks ... View more

@raj_mpl, It's worth to check with your mail admin of your organization to see if they have a rule added to distinguish between employee email and system emails. It's a wild guess though. ... View more

you can query splunk from your other machine see here: https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/ExportdatausingRESTAPI And more in detail here: https://docs.splunk.com/Documentation/Splunk/7.2.6/RESTTUT/RESTsearches#Get_search_results hope it helps ... View more

Ok @FrankVl , Thanks for your quick response Thank you 🙂 ... View more

What happens if we restart the splunk forwarder with a root user ? ... View more

See my answers here for background: https://answers.splunk.com/answers/567851/how-can-i-compare-mvfields-and-get-a-diff.html https://answers.splunk.com/answers/734599/how-to-compare-the-same-search-from-the-previous-d.html Start with this to create 2 fields with your data: index=YouShouldAlwaysSpecifyAnIndex AND (source=service1.log OR source=service2.log) earliest=-4h latest=now() | rex field=_raw "trackingId\":\s\"(?<trackingId>[\w-]+)\"" | eval ProducerTrackingID = if(source=="service1.log, trackingId, null()) | eval ConsumerTrackingID = if(source=="service1.log, null() trackingId) | stats values(*TrackingID) AS *TrackingID For run anywhere, try this: | makeresults | eval ProducerTrackingID="123 456 789", ConsumerTrackingID="456 789" | makemv ProducerTrackingID | makemv ConsumerTrackingID Then you can EITHER do this: | streamstats count AS _serial | multireport [| mvexpand ProducerTrackingID | where ConsumerTrackingID!=ProducerTrackingID | rename ProducerTrackingID AS ProducerTrackingID_only] [| mvexpand ConsumerTrackingID | where ConsumerTrackingID!=ProducerTrackingID | rename ConsumerTrackingID AS ConsumerTrackingID_only] | stats values(*) AS * BY _serial OR this: | nomv ConsumerTrackingID | nomv ProducerTrackingID | rex field=ConsumerTrackingID mode=sed "s/[\r\n\s]+/;/g" | rex field=ProducerTrackingID mode=sed "s/[\r\n\s]+/;/g" | eval setdiff = split(replace(replace(replace(replace(mvjoin(mvsort(mvappend(split(replace(ConsumerTrackingID, "(;|$)", "#1;"), ";"), split(replace(ProducerTrackingID, "(;|$)", "#0;"), ";"))), ";"), ";(\w+)#0\;\1#1", ""), ";\w+#1", ""), "#0", ""), ";(?!\w)|^;", ""), ";") ... View more

Can you please explain a bit , What actually it will perform ? ... View more

are the id & job_name repeating in your events ? Possible to share some sample events? ... View more

| rex "(?ms)^Unified: (?P.+?)Coherent: " The above regex will work , (by adding ?) Thank you ... View more

Yes , My event will start with a timestamp and some other information in first line so multikv forceheader=2 , worked for me 🙂 ... View more

Thank you @renjith.nair ... View more

Here you go which means Splunk is not parsing timestamp correctly. Best practice is while generating scripted output, every event should start with timestamp so that splunk will parse those events with correct date time. Additionally if require you can define TIME_PREFIX , TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD on Indexer/Heavy Forwarder for sourcetype my_st ... View more

Does it work now? ... View more

Thanks @cusello , Its very clear that you have explained here . ... View more

1) To run a scripted input you need either a Universal Forwarder or a Heavy Forwarder. You'll need the HF to run a Python script. 2) Most likely, yes. 3) See @mguhad's answer. 4) See http://docs.splunk.com/Documentation/Forwarder/7.2.1/Forwarder/Abouttheuniversalforwarder ... View more

This is the info that I am pulling into Splunk from SharePoint 2019 perfmon IIS logs ULS logs I am storing the IIS and ULS logs in a sharepoint index. I built out a correlation search dashboard so I don't have to use the Merge-SPLogFile cmdlet for PowerShell. Here are the inputs.conf, props.conf and transforms.conf IIS [monitor://L:\inetpub\logs\LogFiles**.log] index = sharepoint sourcetype = iis ignoreOlderThan = 1d ULS [monitor://L:\Diagnosticslog] index = sharepoint whitelist = .*-\d+-\d+.log$ sourcetype = MSSharePoint:2019:ULSAudit ignoreOlderThan = 1d PROPS.CONF [MSSharePoint:2019:ULSAudit] SHOULD_LINEMERGE = false CHECK_FOR_HEADER = false LINE_BREAKER = ([\r\n]+)\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}.\d{2}\s TRANSFORMS-ulscomment = uls_remove_comments SEDCMD-cleanup = s/(...([^*]+).*?...)//g TRANSFORMS.CONF [uls_remove_comments] REGEX = ^Timestamp DEST_KEY = queue FORMAT = nullQueue ... View more