The best practice is actually not sending syslog directly to splunk as you'll most likely lose data. You should instead use something like a syslog server (rsyslog, syslog-ng, etc.) to receive the data and then you have many options to send the data to splunk (e.g. Splunk UF).  Splunk has SC4S (Splunk Connect for Syslog) that can handle receiving and forwarding data to Splunk which is supported by Splunk. ... View more

Unless you install a valid license you can't get past the lock. Usually with other types of licenses there is a "reset license" that you can request from Splunk sales/support that resets the violation warnings but that not the case for the free license or the enterprise trial license. For more details please refer to the documentation regarding Splunk's licenses policies: https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/manage-splunk-licenses/about-license-violations ... View more

I made a pull request to fix this in the connector repo. Just waiting for it to be reviewed.  ... View more

I tested the app in splunk cloud 10.2.2510.13 with some of the sample queries provided by the app and it worked in simple xml but not in dashboard studio. ... View more

the screenshots in the splunkbase listing are from the app sample dashboards and they are in simple xml. ... View more

I had a look into the code again and I believe there is a bug there. The create ticket function uses another function to handle the query parameters. That function uses a "request_fields" list in the consts.py and iterate over it and "template" its not one of the fields.  These are the fields listed there: REQUEST_FIELDS = [ "subject", "description", "request_type", "impact", "status", "mode", "level", "urgency", "priority", "service_category", "requester", "assets", "site", "group", "technician", "category", "subcategory", "item", "email_ids_to_notify", "is_fcr", "resources", "udf_fields", "update_reason", ] The function: def get_query_params(self, param): request_fields = {} for field in consts.REQUEST_FIELDS: value = param.get(field, None) if value: if field in ["udf_fields", "template"]: request_fields[field] = f"{self.format_params(field, value)}" elif field not in consts.FIELDS_WITH_NAME or (value[0] == "{" and value[-1] == "}"): request_fields[field] = value else: request_fields[field] = {"name": value} return {"request": request_fields} The function itself has a clause to handle the "template" field but since it's not on the request_fields list it does not even get to that point in the code. This can probably be fixed just by adding "template" in the list. ... View more

They are both event-based detections where the diference is the output. One writes in the notables index and shows up in the analyst queue and the other writes to the risk index and does not show p in the analyst queue . Both leverage existing lookups (e.g. assets and identities lookups). Both can assign risk to assets or identities.  The reasoning behind this is, if you have something that when you detect it the analyst should do something or investigate it right away you most likely set it as a finding. On the other hand if that something isn't a big issue unless it's detected along side with other behavior then you can set it as an intermediate finding. As an example: If you have detected some host communication with a known C2 IP, you really want someone to act on it. This kind of detections where you have a high confidence and its high severity, these should be findings.  If you have detected someone accessing some sensitive files after-hours you probably don't need to have an analyst look into it right away, but you can still register that as an intermediate finding and give it some risk. The same logic can be applied to detecting a "usb device connected to a host" or "large volume of files download". Individually they might not be high severity and not worth to have an analyst look in to it right away, but when detected together you might be looking into data exfiltration. All the accumulated risk from these intermediate findings can push the total risk above your risk score threshold and trigger a finding based detection like the ones you can find out of the box in ES (e.g. "Finding Group - Entity Exceeded Threshold with Multiple Findings" or "Findings Risk Threshold Exceeded for Entity Over 24 Hour Period").    ... View more

I do not have a sample for Service Desk Plus but, based on the docs, your json doesn't seem to have any problem. Usually when I need to troubleshoot this kind of integrations I use postman to do the requests since you can get more details from the API response, than you get from the SOAR connector results since there might be some code logic to handle the response. If you test with postman and you get the same kind of problem, that rules out SOAR. From what I saw in the servidesk plus connector, I don't think the problem in it since there is no default. It just uses whatever you put in the  fields parameter. I would check if you need to include in your json the "id" field alongside with the "name" nested in the "template".  ... View more

"Intermediate Findings" is the equivalent of what you had as a risk event back in Splunk ES 7.x so it doesn't get written to the notable index. A "finding" is what used to be called a "notable" which is written in the Notable index.  The intermediate findings column is still available in the analyst queue and it will show the number of intermediate findings that contributed to a finding based detection (e.g. Findings Risk Threshold Exceeded for Entity Over 24 Hour Period) Check this presentation from last year by Splunk Security Product Specialist that explains the change in terminology: https://www.splunk.com/en_us/pdfs/infographics/splunk-enterprise-security-8-x-tech-talk-2025.pdf   ... View more

Is this TA hosted somewhere so we could have a better picture of what the complete python code looks like?  ... View more

Depending on how you set your authorization, you might end up with different permissions in the roles in each SH (e.g access to indexes). Check you roles to see what are the allowed indexes in each SH for the roles you have. ... View more

Since September 2021, Splunk does not include python 2. so you need to update your code if its not compatible with python 3. https://www.splunk.com/en_us/blog/platform/removing-python-2-from-new-splunk-cloud-and-splunk-enterprise-releases-starting-september-2021.html  ... View more

I dont think there is a connector for that purpose. If you want to follow the "develop your own solution" route i would recommend building a connector for SOAR instead of a function in the visual editor. IMO its more flexible on what you can do (e.g. include external libs) and its easily reusable and you can add multiple assets to use in the PBs. Also, the new app wizard makes it easier to get started and you have tons of "examples" if you look in the SOAR connector GitHub account.  ... View more

With the splunk_TA_windows you can index logs regarding windows update from the machines where you have a forwarder installed. With that you can check the packages that are installed in each machine. I dont think you can check which patches are missing unless you already have them installed somewhere. With these logs, you can also check for problems with windows update (check splunk lantern). ... View more

Splunk APM is part of the Observability Cloud and is available as a SaaS offering only. https://www.splunk.com/en_us/products/pricing/observability.html ... View more

You can use the grouping you explained with some splunk commands to accomplish that. | windbag | eval group = if(lang="Euro","groupA","groupB") | timechart count by group  This is just an example with random data that you can try in your environment . You can change your grouping conditions in the if statement to your field1=your unique value. ... View more

Congratulations to everyone that made it.  ... View more

You can use id that can be referenced by the css. Check this example dashboard (you can just copy/paste in to a new dashboard 😞 <dashboard version="1.1"> <label>css test</label> <row> <panel> <html> <style> #mycss table tr{ font-size:150% !important; font-weight: bold; width:150px !important; border: 1px solid black !important; text-align: right !important; background-color: #FF00FF !important; } </style></html> </panel> </row> <row> <panel> <table id="mycss"> <search> <query>index=_internal sourcetype IN (splunkd, splunk_python)| timechart span=1h count by sourcetype | table _time splunkd * | fillnull value=0 splunkd splunk_python mongod</query> <earliest>-4h@m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> </table> </panel> <panel> <table> <search> <query>index=_internal sourcetype IN (splunkd, splunk_python)| timechart span=1h count by sourcetype | table _time splunkd * | fillnull value=0 splunkd splunk_python mongod</query> <earliest>-4h@m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> </table> </panel> </row> </dashboard> Note that I added the mycss id to the css and to one of the tables. ... View more

You can create a stanza in props.conf with: [host::<host>] TZ=<TZ>   ... View more

Check the roles assigned to the user in question. ... View more